As part of our Black Hat programming this year, we had the distinct honor of hosting journalists Irina Borogan and Andrei Soldatov for an evening of discussion on security, surveillance, and the state of the internet within Putin’s Russia. Borogan and Soldatov joined us to talk about their most recent book, The Red Web, which documents the development of the Russian surveillance state from the early days of telephone communications through to the permeation of the internet and social media in Russian society.
Borogan and Soldatov spoke with Terbium Labs CEO Danny Rogers about their work and the ongoing developments in Russia’s state-run surveillance system. The conversation shifted easily between the surveillance and misinformation campaigns run by the Russian government to the security and privacy issues impacting daily life for Russian citizens (to say nothing of the threats and concerns for Russian journalists publishing critical media). The Russian government has been quick to poison the information environment when faced with anything short of compliance—or, as Soldatov shared, “[The Russian government] started treating information as a war, and journalists as weapons.”
Two core themes in security emerged as part of the evening’s discussion.
First, Borogan and Soldatov reminded us that the internet is a vehicle for the activities, criminal or otherwise, that have existed for centuries. The internet is an amplifier, a platform for collective advancement, designed to propel forward the best of humanity’s innovations. The internet allows for free and open communications, tearing down the physical and psychological barriers that limited earlier generations. The internet provided a platform for the color revolutions of the late 2000’s, and it continues to offer a distribution channel for the free exchange of ideas, including critical media and unapproved messaging.
At the same time, these technological advancements create a breeding ground for newer, faster, more complex schemes designed to harm, hamper, or harass. Fraud may predate the technologies we rely on today, but it can now happen at a greater speed with greater consequences. The internet is a tool, a vector for bad actors—including the Russian government—to manipulate media, gather data from mass surveillance, and build an empire from the proceeds of cybercrime.
Second, the authors reminded us that data is, and will continue to be, the new currency. Data has power and intrinsic value, and states have begun to recognize data for the resource it is. In The Red Web, the authors recount the mass data collection efforts Russia undertook in the lead up to the Sochi Olympics in 2014. In order to purchase tickets for any of the Olympic events, spectators were first required to undergo a screening process by the Russian government. Spectators needed to first submit their photograph and passport data to a website for approval, and await a sign-off by Russian security services. The pretext of a major international sporting event provided all the groundwork necessary to strengthen Russian data collection processes through “legitimate” channels—data that will unquestionably be later used in misinformation campaigns, targeted surveillance measures, and censorship crackdowns.
Governments and corporations alike are finding newer and more creative ways to solicit personal information—not just data, but preferences, political affiliations, and lifestyle factors—from citizens and customers. Telecommunications companies are offering bonuses and incentives for consumers who provide access to device activities and social media. Under the guise of more targeted ad campaigns and a seamless internet experience, consumers link social media accounts to news accounts, retail shops, and banking services. Even in states with less overt surveillance mandates, consumers have daily activities and sensitive data woven through a suite of shared services—all of which are ripe for compromise.
The Exactis breach, which made headlines earlier this summer, is a prime example of the data at stake: the marketing firm leaked data from hundreds of millions of consumers and a host of businesses, exposing not just contact information and personal data, but interests, shopping patterns, medical details, family dynamics—the list goes on. This data is damaging enough in the short term, as fraudsters use and abuse the data for profit, but there is a bigger issue at stake: this data, in the hand of states and stakeholders, mined and manipulated over time, is a means of surveillance and control, a method for strategic operations to misinform and misdirect.
Borogan’s and Soldatov’s message is core to the issues in security and privacy that undergird our work at Terbium Labs: the proliferation of data, particularly the proliferation in data collection, has created a market for sensitive information and an environment ripe for exploitation – whether between government stakeholders in authoritarian regimes or between casual fraudsters looking for new payment cards.