San Francisco Chronicle

Anti-hack cooperation won’t thaw suspicions

- By Marissa Lang and Wendy Lee

Implicit in federal agents’ expression of gratitude to tech giants Yahoo and Google for helping them tie two Russian spies and a pair of hackers to a massive email breach in 2014 was an overture to the rest of Silicon Valley:

If you work with us, federal agents seemed to say, we can better defend against foreign attacks.

But those niceties, which accompanied the indictments of four alleged cyberspies Wednesday, may fall on deaf ears. The longstanding tension between the federal government and American technology companies has reached new heights in recent months, security experts said, and it will take more than one successful investigation to mend it.

Bay Area tech firms are still reeling from several revelations that show Russia may not be the only government hacking into their products. Just last week, a cache of stolen CIA documents leaked by activist group WikiLeaks revealed espionage tactics that U.S. agents may have used to hack into numerous Silicon Valley consumer products, including the iPhone and Google’s Android software.

Companies from small startups to multimillion-dollar venture capital firms have denounced several policies put forth by the Trump administration. President Trump himself has been a vocal critic of the Bay Area tech scene, calling for heightened pressure on tech firms to comply with government investigations and build back doors to allow agents to crack into personal devices protected by passwords.

Meanwhile the threat from other nations and hackers continues to mount. Russia’s involvement in the Yahoo hack that affected at least 500 million accounts was not terribly surprising to many cybersecurity experts, who noted that nation states increasingly are targeting private companies, seeking personal and corporate secrets.

Caught in the middle are consumers, both American and international, whose personal lives, data and information may not be as secure as it could be as long as the trust and information-sharing between the private and public sector continues to erode.

“They can do a better job together than they can do at each other’s throats,” said Robert Cattanach, a partner at law firm Dorsey & Whitney and a former attorney with the Department of Justice. “But tech companies don’t trust that the government — especially after what they learned from the CIA documents — won’t turn around and use the information they provide against their users. They’re going to need to take small steps to rebuild some of that trust.”

On Wednesday, Department of Justice officials announced they had charged four people — two officers of the Russian Federal Security Service and two hackers the Russian government employed — in connection with the 2014 Yahoo security breach.

The incident, which the company disclosed last year, is believed to be the nation’s second-largest security breach, topped only by another Yahoo hack that affected more than 1 billion users in 2013. Officials have not yet determined who was behind that attack.

Dmitry Dokuchaev and Igor Sushchin, two operatives with the Kremlin’s Federal Security Service, targeted the accounts of diplomats, journalists, Russian officials and critics of the Kremlin in their digital raid, according to the court documents. They employed the help of known cybercriminals Alexsey Belan of Russia and Karim Baratov, a Canadian resident, to steal information from computers of American email service companies.

Belan also used his access to search and take gift card and credit card numbers from email accounts and redirected traffic on Yahoo’s search engine, officials said.

The hackers also used information they acquired to access a number of Google Gmail accounts, including those of high-ranking Russian officials, according to the indictment.

Baratov was arrested in Canada Tuesday. The department has issued arrest warrants for Dokuchaev, Sushchin and Belan, all of whom are unlikely to be arrested given Russia’s lack of an extradition agreement with the United States. The cyberspying charges, the first ever brought against Russian security operatives, are largely symbolic, officials conceded.

“With these charges, the Department of Justice is continuing to send the powerful message that we will not allow individuals, groups, nation states or a combination of them to compromise the privacy of our citizens, the economic interests of our companies or the security of our country,” said Mary McCord, acting assistant attorney general.

The government’s willingness to bring its investigation to court also means it is confident in the evidence, said Joseph Lorenzo Hall, chief technologist for the Center on Democracy and Technology. It is evidence that cybersecurity experts said they’d like to see but probably won’t, said Adam M. Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations.

“For cybersecurity insiders to trust what they’re saying, they want to see all the evidence ... and the government is not going to do that,” said Segal. “We do reach a point where the U.S. government says we can’t reveal any more info and you’ll have to take our word on it.

“The problem with that, for Silicon Valley and international audiences, is do we want to set a standard that the Russians and Chinese can say the same thing? ‘Oh yes, we have the evidence. Just trust us.’ I do think the government is trying to address this by releasing more information.”

Wednesday’s charges, which were handed down by a San Francisco grand jury, are not related to accusations of Russian interference in the U.S. election or the hacking of the Democratic National Committee’s emails, though national security experts have said Russia’s Federal Security Service seems to have been involved in those attacks as well.

The Democratic National Convention’s emails were breached last year by Russian hackers, allowing them to gain access to messages and chats, including opposition research on President Donald Trump. John Podesta, who served as a campaign manager for Hillary Clinton, also had his personal email breached.

“It is very important for corporations around the country to know that when you are going against the resources and backing of a nation state, it is not a fair fight, and it is not a fight you are likely to win alone,” McCord said. “But you do not have to go it alone. We can put the full capabilities of the United States behind you to make cases like this, but we cannot do it without your help.”

Yahoo said it was “committed” to keeping its users’ data safe and would “continue to engage with law enforcement.” No other tech companies immediately responded to the Department of Justice’s overtures.

Bennett of the FBI called Yahoo “great partners” over the two-year investigation, specifically citing CEO Marissa Mayer, who he said demonstrated “leadership and courage while under pressure from many entities.”

San Francisco FBI agents led the investigation, according to Justice Department officials. That, Cattanach said, may serve as a stepping stone to bettering relationships with tech companies.

“You have people at the FBI who have been working with folks at Yahoo and Google. And it’s all about personal relationships,” he said. “There may not be institutional trust, but I think on occasion you’ll have some individual trust. And that might be the only way to make progress here.”

San Francisco Chronicle staff writer Evan Sernoffsky contributed to this report.

Photo caption: John Bennett, the San Francisco special agent in charge, at a Wednesday news conference where the FBI discussed its allegations that Russian intelligence agents were behind a massive cyberattack on Yahoo. (Josh Edelson / The Chronicle)
