Blowing Sources and Public Intelligence Claims

By Paul Rosenzweig
Wednesday, January 25, 2017, 10:44 AM

The news today is shocking.  Russian authorities have arrested a top Kaspersky cybersecurity manager for espionage.  Kaspersky is a Russian-based cybersecurity company, widely regarded as having close ties to the Russian government.  Kaspersky himself has close connections to the KGB [as an aside, that is one reason why I personally do not use Kaspersky's products.]  According to English language reports: "Kaspersky Lab on Wednesday confirmed reports in Russia's respected Kommersant newspaper that Ruslan Stoyanov, head of its computer incidents investigations unit, was arrested in December. Kommersant said that Stoyanov was arrested along with a senior Russian FSB intelligence officer and that they both face charges of treason."  That's two people who, no doubt, will soon be convicted and, one suspects, thereafter executed.  [NOTE:  If anyone has a good translation of the original Russian report, I would welcome a link.]

I (and several others I've spoken to) strongly fear that their deaths are a result of American intelligence activity.  In other words, their blood may be on our hands. 

If you are finding Lawfare useful in these times, please consider making a contribution to support what we do.

As most will recall, the USG quite openly released a declassified report on Russian efforts to influence the American elections.  Though the public report is, rightly, characterized as long on conclusions and short on supporting facts, it nonetheless offers many striking conclusions and the Russians would, properly, surmise that there were underlying details in the classified version of the report supporting the conclusions.  What seems most notable, of course, is that the IC report (and accompanying press discussion) appeared to reveal some very deep penetration of Russian discussions.  Assertions that "we saw them celebrating" and "we saw Putin's directions" were signposts for any able counter-intelligence operation.  In particular, the level of detail would suggest to Russian CI that there were human sources involved.

Today we see the costs of the public discussion of intelligence.  I admit to speculating here (though with good reason, I think) but two of our sources (including one in Kaspersky) are now blown and the reason may well be that we felt the need to publicly disclose the information we gleaned from their efforts in order to publicly defend the IC against President Trump's unjustified and unjustifiable attacks.  To be fair, part of the reason for the need for the publication was also the Obama administration's remarkable reluctance to act earlier this year and the relatively laughable nature of the sanctions we imposed.  They had the tools but failed to use them.  And as a result, two men will, I think .... die.

The incident raises some questions that need consideration:

  • Much of our discussion about cybersecurity and deterrence has centered around the need for public disclosure and attribution.  The covert, unattributable nature of cyber operations has led many to doubt claims of responsibility and the result has been far greater transparency and openness about conclusions than we have seen in other intelligence areas.   We see now the likely costs of that sort of change in intelligence disclosure policies and we need to ask whether our instincts are right or not?  I certainly think that responding to Russian influence on our elections was essential -- but it is not at all clear to me that public disclosure was a good part of that response and I am even less certain of it now than I was before.
  • The ability of Russian CI to identify a Kaspersky employee as an American intelligence source suggests, again, that the Russian government has close operational ties with Kaspersky.  In light of that, should Kaspersky be publicly identified as a Russian-controlled system by the US government?
  • Do we need a risk assessment of the extent to which Kaspersky anti-virus products are used in critical American infrastructure?
  • Leaving aside President Trump's bromance with Vladimir Putin, even in an ideal world we have no strategy for response.  How do we develop one and what would it look like?  [On this I suspect we have less of a "cyber" problem than we have a "Russian" problem with cyber overtones.]

UPDATE:  Subsequent news reports make the point (which I did not see in the first news) that these arrests likely occurred in December.  Since the DNI report I referred to occurred in January, it cannot be the case that it was the direct cause of the arrests -- the timing just doesn't work.  That does not mean, however, that the earlier DNI statements (e.g. the one in October) were not part of the cause of the investigation.  But the speculation I offered here is weakened by the new data and this update should make that clear.]

[FURTHER UPDATE:  On Thursday Jan 26, another FSB officer was arrrested.  This may relate back to the December arrests, it may relate to the January DNI report, or to neither ... curiouser and curiouser.]