The Firm and the Infirm
22 May 2017
The cyber sabotage attempt on the recent French Presidential election backfired spectacularly. Business Reporter's resident U.S. 'blogger Keil Hubert suggests that we all probably ought to thank the Macron campaign’s Legal team for being bold enough to approve such a risky gambit.
It’s a brilliant time to be involved in the Information Security field. A lot of the aphorisms that we take for granted about how security operations are supposed to be done are getting tossed out like old crisp packets. It’s exciting, although probably not for the reasons you might assume. This isn’t a matter of cool new tech; this is a story about … cutting-edge policy approval.
If that sounds unhinged, strap in while I put that statement in context. You might recall that the French had a presidential run-off election back on Saturday the 6th that had the potential to shake things up for the EU. Setting aside the politics of the election itself, it’s what happened the night before the election that concerns InfoSec. Per Christopher Dickey’s election day Daily Beast article:
‘In the last hours before midnight on Friday, just before a campaigning blackout imposed by French electoral law in anticipation of the crucial vote on Sunday, somebody dumped nine gigabytes of emails and documents supposedly purloined from the campaign of leading presidential candidate Emmanuel Macron.
‘It looked like, and almost certainly was, a last-minute bid to tip the scales in favor of the centrist Macron’s opponent … Literally at the 11th hour, before the blackout would silence it, the Macron campaign issued a statement saying it had been hacked and many of the documents that were dumped on the American 4Chan site and re-posted by Wikileaks were fakes.’
‘Now ask me how I know that.’
In and of itself, a data exfiltration attack doesn’t seem all that surprising, given what happened in the 2016 U.S. presidential election. Stealing and releasing sensitive documents to discredit a candidate has become almost normal in international affairs. No, what’s important and interesting about the attack on the Macron campaign is that the campaign staff weren’t caught off-guard by it. In fact, as Cymmetria CEO Gadi Evron wrote in his own post-attack analysis over on Medium:
‘Up until today I could only look up to Russia (whether I agree with them or not) for conducting advanced information operations in cyber. Now, I can look up to Macron and the anonymous security professionals behind him and admire them. Finally, someone uses cyber deception to beat attackers at their own game.’
Evron’s review of the Macron breach mirrors the attitude of a lot of InfoSec professionals: it appears that Macron’s security team anticipated that cyber criminals (state-sponsored or otherwise) were likely to try a ‘Podesta-breach’ attack on their campaign, and decided to take pre-emptive action to out-manoeuvre their adversaries. Specifically, it appears that Macron’s campaign initiated multiple active countermeasures to slow down, distract, and ambush their hackers. On 9th May, Macron’s Digital Director, Mr. Mounir Mahjoubi, told the New York Times that they realized the security team couldn’t guarantee that they’d defeat all possible professional attacks, so instead they:
‘… opted for a classic “cyber-blurring” strategy, … creating false email accounts and filled them with phony documents the way a bank teller keeps fake bills in the cash drawer in case of a robbery.
‘“We created false accounts, with false content, as traps. We did this massively, to create the obligation for [the attackers] to verify, to determine whether [each account] was a real account,” Mr. Mahjoubi said.’
The end result was brilliant. Utterly brilliant. Yes, the hackers managed to compromise some accounts and breached what they thought were sensitive systems. They exfiltrated what they assumed were highly-sensitive documents that would embarrass the Macron campaign and released them publicly right before France’s mandatory ‘blackout period’ went into effect. When … someone’s … hackers deployed this attack against American voters, it caused a nontrivial effect on the U.S. election. The hackers likely assumed that it would work just as well against French voters.
It would be wise not to insinuate to this lady that you consider her to be as gullible as a stereotypical American. She might bludgeon you insensible … with a balloon.
It didn’t. It seems that the Macron campaign ‘seeded’ their decoy hacking targets with realistic-looking but known-false documents. Since timing was crucial for the election sabotage hack to work, the attackers didn’t have time to validate the authenticity of the documents that they stole. In a rush, they dumped everything … only to be immediately discredited by Macron’s Public Relations team. It appears that the PR folks already had a perfectly-crafted denouncement release written, approved, and primed to fire the moment that the ‘leak’ was announced. It took less than an hour from the time the hackers released their supposedly-damning material for all of it to be dismissed as fabricated content, backed by some select verifiable evidence. There wasn’t enough time before the polls closed for anyone to reasonably find any real embarrassing nuggets in the pile, which effectively negated the attack. Macron went on to win by a comfortable 2:1 ratio.
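The mechanics the column describes, seeding decoys with known-false content and then being able to prove quickly which leaked items were plants, can be illustrated with a small decoy ledger. This is an added example, not anything the Macron team or the author published; the key, the `hypothetical-decoy.example` marker domain, the function names and the sample documents are all constructed for the illustration.

```python
import hashlib
import hmac
import json

# Constructed secret for this example; a real team would keep such a key offline.
CANARY_KEY = b"example-key-not-a-real-secret"


def canary_token(decoy_id: str, key: bytes = CANARY_KEY) -> str:
    """Derive a unique, unguessable marker for one decoy. Using an HMAC over the
    decoy id means tokens can be regenerated later without storing random values."""
    digest = hmac.new(key, decoy_id.encode(), hashlib.sha256).hexdigest()[:12]
    return f"ref-{digest}@hypothetical-decoy.example"


def build_decoy(decoy_id: str, body: str) -> bytes:
    """Embed the marker in the document text, where it survives copy and re-save."""
    return f"{body}\nContact: {canary_token(decoy_id)}\n".encode()


def register(decoys: dict) -> dict:
    """Ledger of every planted decoy, written BEFORE exposure: file hash plus token."""
    entries = {did: {"sha256": hashlib.sha256(c).hexdigest(),
                     "token": canary_token(did)} for did, c in decoys.items()}
    # One hash over the whole ledger. Publishing or timestamping it ahead of any
    # leak is what turns a later "those were fakes" statement into a checkable claim.
    canon = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "commitment": hashlib.sha256(canon).hexdigest()}


def triage(ledger: dict, dump: dict) -> dict:
    """Classify each leaked item as a byte-identical decoy, an altered decoy whose
    marker is still present, or unverified material that needs a genuine review."""
    by_hash = {e["sha256"]: did for did, e in ledger["entries"].items()}
    by_token = {e["token"]: did for did, e in ledger["entries"].items()}
    verdicts = {}
    for name, content in dump.items():
        digest = hashlib.sha256(content).hexdigest()
        if digest in by_hash:
            verdicts[name] = f"decoy:{by_hash[digest]}"
            continue
        text = content.decode("utf-8", errors="replace")
        hit = next((did for tok, did in by_token.items() if tok in text), None)
        verdicts[name] = f"decoy-altered:{hit}" if hit else "unverified"
    return verdicts
```

The `unverified` bucket is the part that still costs analyst time, which is why the pre-written statement and the pre-leak commitment matter as much as the decoys themselves.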
There’s a ton of really interesting stuff to unpack here from an InfoSec perspective. The use of advanced ‘honeypot’ decoy systems, artfully-crafted realistic-looking documents with a Trojan-style payload of incriminating attributional evidence, active counter-phishing techniques, adversary profiling … If you’re in the business, this has been the number-one topic of coffee machine conversation since the election. For me, though, there have only been two burning issues that I can’t let go of. First, how the *£&$ did Mr. Mahjoubi convince his lawyers to let him employ those wonderful countermeasures? And second, how the *£&$ can I steal the aforementioned lawyers for my own company?
Oh, yes. Lawyers! More importantly, lawyers who have the guts to approve potentially dangerous operations! That’s the part of the story that struck me the first time I read Mr. Evron’s article. I was mesmerized by how the campaign’s legal team (and HR, PR, et al) agreed to greenlight an active cyber counter-offensive that involved both deliberately creating forgeries and allowing them to cross national borders as part of an elaborate sting. That it was absolutely the right thing to do is beside the point; approving the operation meant accepting quite a bit of legal risk … and accepting risk, in my experience, is the absolute last thing that a corporate lawyer will agree to do. It’s not their way.
Seems strange, doesn’t it? If U.S. popular culture has taught us anything about lawyers, it’s that they’re all suave, articulate, and debonair. Lawyers come complete with a closet full of bespoke suits and a genius IQ, like the characters from John Grisham’s hit novel The Firm. We expect the folks in the Legal department to be men and women possessing vision, ambition, decisiveness, and a burning hunger for righteous action – both the naïve good ones and the cynical, sinister ones.
It’s natural to hate him for foreclosing on the orphanage, but you have to admire the passion that he brings to villainy.
As cool as his characters often are, Grisham’s books are fiction. His lawyers’ characteristics are exaggerated: they’re all smarter, better-educated, wittier, and bolder than most people. Audiences love them. The thing is, real people don’t measure up to fictional ones. Actual lawyers are a highly-varied lot, just like people in all other professions. They vary in education, intellect, wit, taste, and personality; not all lawyers are Perry Mason, just like not all technologists are Mark Zuckerberg (thankfully). That being said, there often seems to be one significant attribute that all corporate lawyers share: a curiously fervent desire to avoid being associated with any sort of risk …
I suspect that this is because companies often task their legal department to be an administrative obstacle rather than a support centre. CEOs insist that every decision, policy, plan, and contract has to be routed through Legal for endorsement before it comes to the boss for final approval. Legal becomes the company’s bottleneck. In such companies, Legal’s arbitrary and capricious denials can’t be appealed and don’t have to be justified to anyone. The lawyers start to resemble nothing so much as a cadre of beleaguered fanatics holed up in a bunker, determined to block everyone else’s progress to their last tortured breath. It’s like a chronic, self-defeating condition, predisposed to inaction.
If all you ever encountered were corporate staff lawyers, you’d start to wonder if their the-answer-is-always-no attitude was instilled in them during law school like some sort of operant conditioning. They all seem afflicted by it. In fact, this is the single most common complaint that I’ve heard from professionals in the InfoSec policy writers’ community: that their bloody lawyers are impossible to live with because they seem determined to reject everything, won’t listen to experts, and feel no obligation to help craft practical compromises.
I know a lot of effective lawyers and a few foolhardy ones. Still, these examples don’t disprove the trend. I find myself having to explain that the risk-averse mentality isn’t a function of law school programming; it’s more a function of the untenable position that company lawyers are put in by virtue of their role. Put bluntly, the CEO wants someone else to jump on the metaphorical grenade if or when the company winds up getting sued. Making the lawyers sign off that a proposal, policy, or purchase was legal gives the CEO a convenient scapegoat.
‘Right, then! While you-all throw Jenkins to the angry mob, I’ll take the company helicopter to rendezvous with my private jet. Go team!’
This isn’t much of a threat when you’re talking about purchasing mundane commodity services. It’s a huge threat, on the other hand, when proposing cutting-edge technical solutions that have a terrifyingly high probability of going off the rails and catching the attention of law enforcement agencies. The potential consequences of a decision that provokes an angry response from multiple nation states’ judicial systems are enough to make any rational person paranoid. That’s why most of the lawyers I’ve known have been reflexively squeamish when it came to accepting risk, especially in regard to technology. Doubly so with InfoSec work, where the potential downside includes criminal prosecution. ‘No’ is always a safe answer; ‘yes’ is potentially much more than career-ending.
That, then, is why I find the Macron campaign countermeasures case so bloody fascinating. Their InfoSec boffins came up with an audacious and insidious plan – one that probably ventured deep into the blurry no-man’s-land of both domestic and international legal codes. While the operation was (in retrospect, obviously) technically feasible, its legal basis had to be … let’s say ‘challenging.’ They also had very little time between the first round of voting and the run-off election to craft, approve, and implement their deception plan. To accomplish all that and to secure Legal’s approval … Wow! I really want to buy these people a round or three and hear how they did it. What arguments did they pitch to convince their bosses that the reward was worth the potential backlash?
This is why I think this operation will become a case study for future InfoSec textbooks. Candidate (now President) Macron’s InfoSec team set a precedent for other governments and for international businesses. Now, the idea of countermeasures, active network deception tactics, and toxic treasure crafting will start to become routinely accepted in InfoSec’s Tactics, Techniques, and Procedures toolbox. That on its own is highly exciting.
Macron’s Legal team also set an encouraging precedent of their own. They demonstrated that Legal can be counted on to be a trusted team player for complex InfoSec operations, not just a surly administrative obstacle that everyone else resents. I’d hope that this example inspires lawyers all over the world to get more interested in IT, to feel welcome participating in InfoSec operations planning, and to feel like it’s okay to accept a bit more risk than their traditional default value of ‘none.’ That would be most welcome. We might just be allowed to make a positive, lasting difference.
A basic firewall may be ‘sufficient’ to satisfy a regulator, but it isn’t nearly enough to repel modern cyber criminals. Perimeters have to be watched … and breach attempts need to be addressed with more … active countermeasures.
If you think about it, that’s the way that it ought to be. As a crucial advisor to upper management, a company’s legal department is (by default) the conservative voice of restraint that should be heard and considered before the company decides to do something rash. Just as the head of InfoSec is the natural foil to the production-obsessed head of IT operations, the company lawyer is the natural foil to the adventurous line-of-business executives who want to gamble on unproven new technologies. Someone should argue against potentially dangerous ideas in order to ensure that all reasonable security controls are put in place to reduce unnecessary risk in the pursuit of desired operational objectives. It makes sense that Legal performs that necessary function.
Sometimes, when the circumstances are make-or-break, the team’s lawyers should stand resolutely shoulder-to-shoulder with their InfoSec colleagues and argue (as I suspect Macron’s team must have): ‘La fortune sourit aux audacieux.’ Sometimes, as the Macron gambit suggests, it’s safer to be bold and embrace risk than it is to follow the traditionally safe route.
Action lawyer comes complete with everything you see here (conscience and sense of decency sold separately).
I’ve worked in lots of companies that do this.
Images under licence from thinkstockphotos.co.uk copyright: arc de triomphe, Rubens Alarcon; happy businessman, chabybucko; eiffel tower, encrier; sinister businessman, Minerva Studio; scapegoat, nd3000; canon, ejesposito
POC is Keil Hubert, email@example.com
Follow him on Twitter at @keilhubert.
Keil Hubert is a retired U.S. Air Force ‘Cyberspace Operations’ officer, with over ten years of military command experience. He currently consults on business, security and technology issues in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo!, and helped to launch four small businesses (including his own).
Keil’s experience creating and leading IT teams in the defense, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employee development. This serves him well as Business Technology’s resident U.S. blogger.