Viktor Zhora, the public face of Ukraine’s success against Russian cyber attacks, received a hero’s welcome earlier this month on stage at Black Hat, the world’s biggest cyber security gathering, in Las Vegas.
“The adversary has trained us a lot since 2014,” the year that Russia annexed Crimea, said the deputy chair at Ukraine’s special communication and information protection service. “We evolved by the time of the full-scale invasion [in February last year] when cyber became a major component of hybrid warfare.”
At an event where IT professionals asked for selfies and one man cried on his shoulder, Zhora also shared a fist-bump with Jen Easterly, the director of the US Cybersecurity and Infrastructure Agency. “We take a huge page out of Ukraine’s playbook,” she said. “We’ve probably learned as much from you as you are learning from us.”
But away from the spotlight, the event’s delegates argued that the US and its allies that have helped to fund Ukraine’s cyber-defences have failed to reflect on Kyiv’s experience.
Cyber executives told the Financial Times that the west is struggling to replicate the collaborative methods that had proved successful in the conflict, complaining that they are instead mired in regulatory and legal roadblocks which thwart the fast-moving responses that depend on openly sharing often sensitive or embarrassing information.
“There is a reality that exists in Ukraine that I don’t think most of the west can really put themselves in,” said Matt Olney, director of threat intelligence and interdiction for Cisco Systems.
Olney recounted a time when Cisco, which has been involved in Ukraine for more than a decade, sparked confusion and outrage from US authorities with a proposal for a radical security upgrade to a state’s election system.
“This is war,” Olney’s Ukrainian colleague explained to the state official when asked how Kyiv would respond to such demands. “I say do it, and they do it.”
The US and its allies in Europe and Asia are already engaged in low-level cyber aggression and espionage against Russia, China, Iran and North Korea. Despite attempts to block them, Russian and Chinese government-backed hackers regularly break into western systems, carrying out disinformation and spying campaigns.
Last month, when the State Department discovered that emails of officials focused on China had been hacked, authorities claimed they had received inadequate information. This prompted Oregon Senator Ron Wyden to request federal probes to push Microsoft, which runs the State Department’s emails, to share more technical data behind the breach.
Similarly, authorities in the UK took 10 months to inform millions of citizens on the electoral register that their data had been exposed to a group of as-yet unidentified hackers that could have been working on behalf of another country.
Olney and others say that, when these breaches are uncovered, the targeted businesses and government agencies are slow to share that information, including critical technical data that would unmask similar hacking attempts elsewhere.
“I’m in favor of radical transparency,” said John Shier, a senior executive at Sophos, the UK-based cyber security company. “That’s when we can be more proactive. That’s when we can make sure we know somebody else is going through the same thing that you’re going through, and you can band together and make sure that you both get through as unscathed as possible.”
One stumbling block is the US government’s categorisation of certain details as classified. Robert Lee, who runs cyber security company Dragos, said he has been involved in cases that were not immediately disclosed because the information was classified.
“There’s some truth,” he added, in the “idea that asset owners and operators are just keeping it quiet.”
Another problem is the reluctance of listed companies to disclose potentially damaging information for fear of the impact on their share price, which has prompted the US to work on legislation to deal with the issue. The Chamber of Commerce is disputing new rules from the Stock Exchange Commission that will require publicly traded firms to disclose material breaches within four days.
Several agencies meanwhile have overlapping authority, “creating chaos” rather than being disciplined, said Lee.
“You’ve got the FBI and DHS and CISA tripping over each other yelling at each other,” said Lee. “And the inter-agency [fights] behind the scenes [are] about 10,000 times worse than whatever gets made public.”
At a bar at the conference, an official from the US defense department pulled up a chair to a group of cyber security professionals and asked why the US has not been hit with complex, simultaneous attacks.
The official replied to his own question: “Deterrence as defense. They know we are in their systems too and, if they hit us here, we turn the lights off in Moscow.”
Easterly, the CISA director, acknowledged that progress on transparency was still under way, but said the fear of tit-for-tat attacks had held some chaos at bay.
“There is some fear of escalation,” she said. “Are there still people who are going to their lawyers first and foremost? Yes. But we’re starting to break through on the understanding of a threat to one is a threat to all.”