The Russians have come, and Colorado Springs is a bit shaken after learning that a Putin-directed military intelligence operation purloined data from a local nonprofit.
For decades, Colorado Springs was on the lookout for Soviet spies. But when the Cold War ended, locals lightened up. With federal indictments this month against Russian hackers who targeted the Springs-based U.S. Anti-Doping Agency, leaders say it may be time for a new Red Scare.
“This is a real wake-up call,” Colorado Springs Mayor John Suthers warned after speaking at the National Cyber Symposium at the Broadmoor last week. “Just think of all the information there is to steal in Colorado Springs.”
The mayor is right about Colorado Springs being a ripe target. With some of the nation’s most prominent nonprofits, 200 aerospace and defense firms, five military bases along with America’s leading commands for space, continental defense and missile defense, a well-planned hack here could cause national chaos.
It’s alarming enough that Colorado Gov. John Hickenlooper and his National Guard boss, Maj. Gen. Michael Loh, are taking notice.
“It brought it closer to home here in Colorado,” explained retired Air Force Maj. Gen. Jay Lindell, who heads military programs for Colorado’s Office of Economic Development and International Trade, of the Russian hack.
Russian hackers started work on the anti-doping agency after Russian athletes were banned from the 2016 games after accusations of a state-sponsored campaign to gain an illegal edge in competition.
The attack on the anti-doping agency, outlined in a grand jury indictment, sought to gain emails and other data that Russia could use against American athletes and agencies along with the International Olympic Committee to sow chaos and build sympathy for its cause.
“In many instances, the stolen information was publicized … as part of a related ‘influence and disinformation campaign designed to undermine the legitimate interests of the victims, further Russian interests, retaliate against Russian detractors and sway public opinion in Russia’s favor,” federal prosecutors wrote.
Hack no surprise
While the Russian hack on the Colorado Springs nonprofit may be new to most in the Pikes Peak region, it is no surprise to intelligence experts.
The former CIA and National Security Agency boss, retired Air Force Gen. Michael Hayden said in an exclusive interview with The Gazette that hacking is an outgrowth of Russian tactics that have been on display for a decade or more.
The Russians, he said, are hacking their way back to the superpower status they lost at the end of the Cold War.
“For Russia, this is particularly important because they don’t have many tools of influence,” he said.
Building fleets of ships, clouds of military jets and massive armies is tremendously expensive.
With $69 billion in annual defense spending, Russia has just a tenth of America’s Pentagon budget to flex its military muscles, but hacking is cheap. Just seven hackers pulled off the anti-doping agency hack, and federal prosecutors say they’re the same bunch that stole emails from the Democratic National Committee to influence the 2016 election.
Hayden said the Russians have shown they can use a handful of troops to pull off what an army could not accomplish.
“The Russians have used that as an arm of their military services,” he said.
Russia’s use of cyberattacks on enemies and rivals goes back at least to a 2007 strike on Estonia amid a diplomatic spat. Estonian officials say the Russians took down financial and government systems while also hitting their country’s media.
Russian neighbor Georgia saw the use of cyberwarfare alongside ground troops during a brief 2008 conflict. Hackers disrupted Georgian communications networks and took down government and media servers. It was the first recorded instance of a cyberwar accompanying ground troops in battle.
The most notorious Russian operation, though, may be the attacks on the 2016 American election that combined email hacking, online propaganda and targeted use of social media to sow discord and damage the campaign of Democratic presidential candidate Hillary Clinton.
But Colorado has long been in the crosshairs for Russia. Their military intelligence arm was tied to a 1996 hacking operation called “Baby Doe” that hit the Colorado School of Mines.
Becoming tough target
The attack on the U.S. Anti- Doping Agency in Colorado Springs also came in 2016, just as Colorado took an unprecedented step to protect the state’s businesses, nonprofits and government agencies from cyber threats.
Even as Russian hackers gained access to thousands of anti-doping agency emails and records, leaders were setting up the National Cybersecurity Center in Colorado Springs. The goal of the center is to raise awareness of cyber dangers and to share tactics and techniques to thwart hackers across the public and private sectors.
“This isn’t something that’s going to get solved by one branch of the military or one agency of government,” Colorado Gov. John Hickenlooper said Monday during a stop at the center’s annual Cyber Symposium, that drew hundreds of security experts from around the country.
Vance Brown, who heads the center, said the only way hackers can be stopped is if entire communities take steps to defend themselves.
“That’s what we have here,” he said.
Another factor that makes the Pikes Peak region more prepared to take on hackers is a Pentagon mandate. The Pentagon pumps more than $18 billion into the local economy each year, feeding those 200 aerospace and defense contractors that call the area home.
And, as of Dec. 31, each of those contractors was required to have “adequate security” on its computer systems according to a new Pentagon rule. They are also required to report hacking attempts to the Defense Department, which shares the information so contractors have the latest intelligence on threats.
Colorado Secretary of State Wayne Williams, whose agency just earned top national honors for election security, said incidents including the Russian military hack targeting Colorado Springs, have local governments, businesses and nonprofits on the lookout for hackers.
“The things you saw with the election and the anti-doping agency show that you have to have the skills and be prepared to respond,” Williams said.
No national plan vs. hacking
While businesses and nonprofits may be ready to repel hordes of Russian hackers, the federal government is apparently still weighing how to respond.
For years, politicians, generals, experts and activists have argued about how the military, intelligence agencies and other national interests should react to hacking.
Getting a federal response plan in place is crucial, Hayden said, because no matter how well-prepared an entity may be to defend its computer networks, it will never have the resources that Russia’s military hacking arm can deploy, Hayden said.
“The U.S. Anti-Doping Agency shouldn’t have to square off against a nation-state,” he said.
The Russians unleashed a litany of hacking techniques against the anti-doping agency, court papers show. Malware-laden emails, called “spear-fishing,” were sent. Phony websites were established to target the agency’s workers. Hackers prowled the network with sophisticated surveillance and spies stalked anti-doping agency officials in Brazil with a phony Wi-Fi system in a bid to penetrate their computers.
While the United States has issued sanctions and criminal charges against hackers and issued calls for better cyber defense, America has yet to turn loose its own tremendous hacking power in response to an attack.
At the Heritage Foundation, a Washington think-tank, cybersecurity expert Klon Kitchen said America hasn’t figured out how its computer powers should be used.
“It is not a matter of whether the United States has the capacity, we can effect our will in cyberspace,” he said. “What this comes down to is a question of political will and coherent strategy and doctrine.”
In 2010, the U.S. reportedly carried out one of the most audacious operations in the history of hacking to slow the Iranian nuclear program. Using a virus called “Stuxnet,” agents from the National Security Agency were able to destroy uranium refining equipment with just a few lines of programming code.
Hayden, who served as head of the National Security Agency and later led the CIA under President George W. Bush, would neither confirm nor deny the American role in Stuxnet.
“All I can say is, whoever did it, they were very good,” Hayden said with a smile.
But despite several Russian provocations, U.S. leaders haven’t unleashed internet warfare. Hayden said while the Trump administration has pondered counterattacks, those plans have been quickly shelved.
“I thought their automatic rejection was a bit too automatic,” he said.
Instead, the administration has relied on sanctions and other diplomatic tools.
In Colorado, National Guard boss Loh said deterrence could be a key tool in fending off future attacks.
“We need to do whatever we have to hold them accountable,” he said.
But triggering an online fight could be worse for the United States than its enemies, Kitchen warned. America has become a nation with a smartphone in every pocket. No other nation is so tied to life online.
“We are vulnerable,” he explained.
But in the absence of a stronger response, Russia shows no signs of slowing its military hacking programs.
“It is reasonable to conclude that Russia feels emboldened to take these kinds of actions,” Kitchen said. “If we want to change that calculus, then we have to change the calculus.”
Contact Tom Roeder: 636-0240