Cyber Lessons from Mueller

Over the past month, I’ve lugged the Mueller Report around in my backpack. Every spare moment has been spent squinting at footnotes, pondering the terse legalese, and cursing at the endless blacked-out sentences. My copy was accidentally dropped into a hotel pool and was lost for two wonderful days (uh, next to the toilet, ahem). I was also late sending out an RFP response, because I was overly-distracted with my reading. I hate this report.

But I’ve gotten through the damn thing. And I can say that from a cyber perspective, it offers actionable lessons, three of which I will share with you below. But I doubt my points will resonate with you, because I know you didn't read the report. I am as determined a reader as I know, and the thing nearly killed me. Oh – and by the way: I could only finish Volume 1. That’s how hard it is to get through this report.

Many other Mueller Report summaries tick you through the findings, so I will spare you that tedious exercise. Instead, I laser-focus my comments here on three issues directly relevant to cyber security. But first, we must all agree on a basic fact: One year ago, in July 2018, a grand jury indicted twelve Russian military staff on charges of hacking the US election: The evidence is overwhelming. The incident happened.

If you flip through the report, you will sense the spirit of Kevin Mandia’s APT1 report, which outlined similar actions by the Chinese, albeit with more technical detail. I’d grade Mueller about a B+ on his technical writing. Here’s a sample: “Certain Apple operating systems used a setting that left a downloaded file’s creation date the same as the creation date shown on the host computer.” It has lots of fuzzy statements like that.

I’ve boiled down my hours of reading into a few management actions that enterprise teams can consider taking. My original list had twenty items, and then I whittled it down to eight, and then settled on three. (I sure wish Mueller had done similar self-editing.) Nevertheless, below are three specific items, all security policy-related, that I recommend you consider adopting immediately. All come from the Mueller report:

Item 1: Employee Reposting: Employees of any campaign, business, agency, or other group should be prohibited from reposting or redistributing anything on social media that relates to the organizational mission. This is a major departure (in fact, a 180 degree turn) from the way most businesses operate today on social media. But the Mueller Report teaches us that this practice can get you into deep trouble. Here is a verbatim from the report:

“The investigation identified two different forms of connections between the IRA and members of the Trump Campaign . . . on multiple occasions, members and surrogates of the Trump Campaign promoted – typically by linking, retweeting, or similar methods of reposting – pro-Trump or anti-Clinton content published by the IRA through IRA-controlled social media accounts.”

Whether you think such actions were intentional or inadvertent is irrelevant from the perspective of cyber security. Enterprise teams know that it is the potential bad action, regardless of the user’s intent, that must be addressed and controlled. This is the basis for all modern data leakage and user behavioral controls. To that end, I recommend you consider adding the following policy rule statement to your acceptable-use documents:

Requirement 1 – Employee Reposting: Employees are forbidden from using any on-line account, personal or otherwise, to repost or redistribute company-related material found on the Internet or social media, unless the source of that material has been approved and communicated to employees by company officials using trusted means.

If you ignore this policy and allow employees to use either business or personal accounts to repost any type of information about the company found on-line or in social media, then you run the risk of cascading nonsensical, incorrect, unethical, or even illegal content. The Trump Campaign fell into this well-conceived trap set by the IRA both during and after the 2016 campaign. It should never have happened.

Remember – even if you add this requirement to your policies, employees can continue to use Facebook, Instagram, LinkedIn, and other services to share and exchange personal content. But they should understand that it is their new responsibility to avoid company-related reposting, however innocent it might seem. Exceptions can be explained clearly to employees via a trusted corporate network or internal communication website.

Item 2: Employee Coordination. Employees of any campaign, business, or agency should also be prohibited from the following: They must not being enticed, cajoled, or encouraged to take action on behalf of their organization from any source on the Internet that has not been explicitly vetted. I’ll let you stew on how this cascades through social media activity, and you’ll see that the implications are non-trivial. Social media works by cajoling.

Here is a verbatim from the Mueller Report that outlines how the Trump campaign team fell directly into this IRA-planted assistance and coordination trap as well: “Additionally, in a few instances, IRA employees represented themselves as US persons to communicate with members of the Trump Campaign in an effort to seek assistance and coordination on IRA-organized political rallies inside the United States.”

Obviously, if your team wants to coordinate folks to help a local soup kitchen, then you must not prohibit such action. But remember – you are prohibiting this from being organized anonymously on the Internet. Your team can still help the soup kitchen, but must be careful about how it’s organized. Information must come from vetted sources through trusted means (not Facebook). Here’s the policy language I recommend:

Requirement 2 – Employee Coordination: Employees are forbidden from initiating, participating in, or coordinating with any business-related activity that is requested or encouraged by any individuals or groups on the Internet, unless the source of that request or encouragement has been vetted, approved, and communicated to employees by company officials through trusted means.

Remind your employees: If they use business or personal accounts to coordinate company-related activity requested by unknown individuals or groups on the Internet, then the possibility emerges that such request might be completely bogus or even malicious. The Trump Campaign fell into this trap from the Russian IRA multiple times during and after the 2016 election – and again, this should never have happened.

Item 3: Employee Retweeting. Employees must understand the power of a retweet. They must know that a retweet by a member of any organization is construed as an approval by that organization. No one is trying to restrict the personal freedom of an employee to enjoy and use Twitter (or other social media platforms such as LinkedIn). But bad things can happen when a retweet is done for an unvetted source. Here’s the verbatim from Mueller:

“On September 19, 2017, President Trump’s personal account @realDonaldTrump responded to a tweet from the IRA-controlled account @10_gop. The tweet read: “We love you, Mr. President.” @realDonaldTrump 9/19/17 (7:33pm) Tweet: “THANK YOU for your support Miami! My team just shared photos from your TRUMP SIGN WAVING DAY, yesterday! I love you – and there is no question – TOGETHER, WE WILL MAKE AMERICA GREAT AGAIN!””

From a security perspective, you are asking your employees to refrain from retweeting items that are company-related, but from an unvetted source. Even if the tweet seems nice and friendly, it could be coming from a malicious source that you’d never want your organization associated with in a million years. And yes – this matters, because your brand can suffer big time with sloppy retweets. Here’s the policy language I recommend:

Requirement 3 – Employee Retweeting: Employees are forbidden from using Twitter accounts, personal or otherwise, to respond to tweets, or to initiate a retweet, about any company-related issues, unless the source of the original tweet has been approved and communicated to employees by company officials through trusted means.

This one seems so obvious, and yet the Twitter behavior of the US President has made retweeting seem so common and pedestrian, that many have let their guard down. Please recognize that retweeting can lead to embarrassing results for your organization. You are not restricting employees from using Twitter, but you can improve your policy language to guide them away from organization-related tweets that are not vetted.

Post-Script: I hope these policy requirements help your organization avoid the type of hacking we saw in 2016 and that we will likely see in subsequent elections. I am not a government official, so I cannot take action to fix this problem in our public sector. But hopefully, my article will help you derive enterprise security benefit from that enormous Mueller Report (which I should have left at the bottom of the hotel pool).

So, let’s hear what you think. Let me know if you cut and paste the three requirements in this note into your organizational policies. I sure hope you take such action, but regardless of your decision, I hope this work has been helpful to you and your team. It took a lot of time.