Kevin Mandia: We’re braced for the impact of Russian cyber attacks

Mandiant, the cyber security company founded by Kevin Mandia, has become one of the world’s best-known providers of intelligence on online threats to companies and governments.

It has spent years tracking the cyber campaigns of nation-state actors such as Russia, Iran, China and North Korea, as well as criminal groups. And now, as Russia’s invasion of Ukraine escalates, its understanding of the types of attack that Russian intelligence could mount has taken on greater importance.

Here, Mandia talks exclusively to the FT’s tech correspondent Hannah Murphy about western governments’ cyber warfare defences, the risk of indiscriminate attacks, and how his company’s $5.4bn takeover by Google may enhance its capabilities.

Hannah Murphy: What is the current state of the cyber conflict between nations? Do you think of this as actual warfare?

Kevin Mandia: I’m careful about using the term warfare. I don’t know if we’ve defined what war looks like in the cyber domain. We’ll probably know it when we see it. And I don’t know if we’ve crossed that line just yet.

But right now, the current state is: braced for impact. That’s what it feels like. You’ve got an operation “Shields Up” by the Cybersecurity and Infrastructure Security Agency, all of the private sector and the public sector in the US and Western Europe, and NATO . . . we’re all watching the cyber domain waiting for what happens. I think the conflict in Ukraine is an opportunity for us to figure out what is the new normal because we’re used to conflict being air, land, sea, maybe a little bit of space . . . but a cyber domain is part of that conflict, too.

And I’m not sure everyone’s got fully fleshed-out strategies for how to do warfare in the cyber domain, and when to bring it to bear . . . Some say, if you want to do a reciprocal attack against the US, in regards to financial sanctions or an embargo on Russian oil, a cyber attack is probably the first tool that might be chosen to combat that, or to reciprocate those sanctions.

HM: Is it like other fields of conflict, where there are rules of engagement that have been agreed? Or are these in flux now?

KM: I don’t think there are any agreed upon rules of engagement. I don’t think anyone’s really codified a red line in cyber space to say: hey, here’s the definition and, if this is met, that’s war.

If you want to do a reciprocal attack against the US, in regards to financial sanctions or an embargo on Russian oil, a cyber attack is probably the first tool that might be chosen

I think it’s hard to define it. There’s a lot of collateral damage in cyber; there’s a lot of what I call the butterfly effect. As an example, if you take down, or do a destructive attack on, a utility, which closes schools, then when you close the schools, you impact military preparedness in the region. And an impact on military preparedness leads to some mess. It’s real hard to tell what is on the table as permissible and what is a proportional response to it.

HM: Russia, China, Iran and North Korea are often cited as the most active nation states in the cyber arena. Are there other countries that you have seen emerging recently that are bolder in this space? And, as a US company, working with the US government, how do you think about the US as a player?

KM: We work with a lot of governments and . . . what I observe is this: when you do security, security aligns with economic alignments, which actually align with geopolitical alignments. That’s the way it works.

When you look at cyber security, what do we defend against? We defend against criminals; that’s universal — you can do that everywhere. We also defend against espionage — wait a minute, do you have to start picking sides now, on who you defend?

Once you recognise you do security, you’re slightly different to a software company. You can sell software anywhere. But, when you do security, whether you know it or not, you’re picking sides — based on ideological alignments to political alignments, economic alignments

HM: You mentioned that you have to pick sides based on geopolitics and ideology. I wondered whether you think of yourselves as having an ideology?

KM: I don’t pick sides — that’s the reality. But if you are buying software, no matter where you are — whether you’re the Russian government, Chinese government, US government — you have to believe that the company . . . wherever that company’s headquarters is, you’ve got to trust their leadership.

Not every country may be abiding by rules that merit them to be successful in a global economy, And that’s why you see the challenges with buying Kaspersky [software] and Russia. It comes down to [the fact that] Kaspersky is manufactured in Russia. If there’s an intent by the Russian government to do something in the cyber domain, they compel their private sector to do things, probably. So it comes down to a matter of trust.

There are different countries with different laws . . . that are probably just trusted more broadly. For example, South Korea will trust a US company to defend it. So will Japan. So will Australia. It’s not Mandiant picking where we do the work. It’s [the fact] we’re headquartered in the US. And for those countries that have companies that trust the US . . . we’re trusted.

HM: Turning to Russia’s invasion of Ukraine, what’s been happening in the cybersphere so far?

KM: In cyber, we’ve seen just destructive attacks — a dozen or so places in Ukraine. Some were in January but the majority of them were in February, pre-invasion: kind of, “break in and shut things down”, or do a distributed-denial-of-service attack. So that’s what we’re seeing.

What we haven’t seen, quite frankly, is some of their better groups — there’s a group some call Energetic Bear, or Berserk Bear, we call it Isotope, somebody calls it Dragonfly. Who cares about the name? This is a group that targets nuclear facilities, energy utilities.

We haven’t seen Isotope; we haven’t seen a group we call Sandworm. And when I say we haven’t seen them, we haven’t seen them out of their ordinary operation. And we haven’t seen the SVR [Russia’s Foreign Intelligence Service] doing anything different than what they normally do.

There might have been, prior to the destructive aspect, some sort of espionage component to the intrusions in Ukraine. But we haven’t seen an escalation outside of Ukraine, necessarily, in regards to the conflict.

That’s why . . . it’s like we’re bracing for impact. Everybody’s on high alert, looking to see what might happen, what action — whether it be economic sanction, or kinetic — what action might trigger Russia to expand its rules of engagement, and we start seeing Isotope, start seeing Sandworm, start seeing the SVR change behaviours and show up on the radar.

HM: You have the White House coming out and warning of the risk of cyber attacks and retaliation for sanctions. How serious is this risk? What type of damage might Russia look to cause?

KM: That’s like the hardest question to answer because it requires: what they could do, and what they choose to do. And they are two different things. So the zone of potential outcomes is pretty vast. And I’m not even convinced Russia would know if they decided to take the gloves off, what the genuine impact is. Because so many of the things they may target have fault tolerance, redundancy, can operate off the grid. Being able to do a cyber attack against a utility, and actually shutting it down, are two very different things. And there’s a smart precision way to do it. Or there’s a blunt force trauma way to do it.

So [that said,] here’s what’s on the menu for Russia. A whole bunch of indiscriminate attacks — just hack and destroy, whatever it is, every industry carte blanche, just hit the button every time you can compromise something, and destroy, destroy, destroy. The impacts of that are almost impossible to guess. And it would just be indiscriminate: all industries targeted. If you can be compromised, you are. If you are already compromised, you are now dealing with encrypted systems or destroyed systems. And we’d be cleaning up on aisle nine all over the place, that’s one spectrum. Indiscriminate fraud.

Here’s what’s on the menu for Russia. A whole bunch of indiscriminate attacks — just hack and destroy, whatever it is, every industry carte blanche, just hit the button every time you can compromise something, and destroy, destroy, destroy . . . it would just be indiscriminate: all industries targeted

Then you have precision and narrow . . . and the precision and narrow might be just the shot across the bow, saying “this is what we can do on offence” from Russia and the US. That would be something more like a precision strike on a utility where they shut it down in a way that’s not blunt force. It’s, wow, they actually knew how that utility functioned and issued commands that shut it down, arguably, gracefully.

So that’s the zone of potential outcomes. Everybody’s wondering what strategy do they have in Russia . . . maybe they continue to show restraint and do nothing.

So we’re on high alert. If it’s indiscriminate, it’s gonna be super loud. We’re all gonna see it and we’re gonna be like: “You’ve got to be kidding me!” You know, that’s mass pain everywhere right now.

If it’s precision, that will also be noticed. So, regardless of which tactic the Russians may choose to ultimately execute, we’re gonna see it.

HM: Since the pandemic, companies have had to deal with the SolarWinds cyber attack, Microsoft Exchange hacks, ransomware hacks . . . how prepared would you say western companies are for the outcomes that you’ve described? Are some sectors more vulnerable than others?

KM: There’s always some more vulnerable than others — because there’s limited resources to secure your networks, limited knowledge, not enough people. But, looking at the US, where we’ve spent a lot of our efforts, and in the UK, Australia, the private and public sectors have never worked more hand-in-hand than now. There’s never been more communication about threats, about tools, tactics and procedures.

There’s daily calls, there’s weekly calls. A lot of different private sector companies are having weekly calls with the government. There’s daily open channels.

If anything happens, I think every private sector security company, and the public organisations, are going to know about it the same day. So, first and foremost, [there’s] never [been] better co-ordination.

In regards to defence, I think it’s never been better, either. It’ll always be imperfect. You’re never going to pitch a perfect game in cyber security every single day. But many private sector companies and the government have issued, “hey, here are all the things you can do”.

We set it up months before the invasion. We set up a “How do you prepare for a Russian escalation?” You have to secure your external-facing assets. You have to secure and back-up your critical assets . . . We’ve created a 44-page document, and made it free, you can just download it and execute.

We’re doing that, Palo Alto is doing that. Microsoft’s doing that, the government’s doing that. And so there’s tons of proactive and free advice that’s actually as good as you can get . . .

[In my] 28 years of cyber security, this is the most prepared we’ve been. That doesn’t mean something bad won’t happen. To me, it’s kind of like boxing. If there’s a cyber attack, you’re gonna take some hits in the face as a nation. You can’t expect that everything holds on defence. That’s OK. We’ll be more resilient than ever before. But, certainly, if the gloves come off in cyber space, there’s going to be things that happen that we just go “Oof, that’s going to be interesting to deal with.”

You are seeing a snapshot of an interactive graphic. This is most likely due to being offline or JavaScript being disabled in your browser.

HM: Ukraine has galvanised its own army of hacktivists to attack Russia . . . What are your thoughts on whether hacking back is acceptable for a country that is being invaded? Can offensive attacks be justified?

KM: It’s real hard. My comment on that is, it is difficult to control. Maybe if you’re the attacked nation, and you have nothing to lose, it just doesn’t matter. But, in general, my principle on hacking back is: you impact doctrine. And that’s a confusing thing for nations to interpret.

I’ve got eight reasons why hacking back is a dangerous thing, especially during times of peace — because all you’re going to do is escalate. And you’ll escalate with the private sector. Private sector hack-backs are just individuals sitting in [say] Missouri hacking back into China or Russia. And they’re going to change the relationship between nations, while they do that. They can escalate tensions.

So my opinion is, offence and cyber is best monitored, controlled by a government because it will impact the response and it impacts diplomacy and negotiations. If you’re going to see an escalation in cyber, if I ran a nation, I would want to control that escalation.

That being said, in Ukraine, maybe they have nothing to lose and the decision is “Hey, Ukrainian hackers, go all out.” The challenge with that will be that they may have unintended consequences in the retaliation.

HM: To what extent do you think western nations like the US should be supporting Ukraine and its cyber defence?

KM: That’s the whole reason why you have alliances. So there’s Nato, and the Nato nations are going to combine and try to co-operate on cyber. There’s no question that’s just a part of diplomacy, now. If you consider a nation an ally, you’re going to help them defend themselves, and there’s a lot of ways to do that: air, land and sea, you have weapons systems, people, training. And, in the cyber domain, you have lots of tools, techniques, both on defence or offence, that you can share.

The bottom line is it’s normal now for the US to help allies in the cyber domain. And, on defence, it’s: Here’s what works; here’s what doesn’t work; here’s how to train your people; here’s how to set things up. I’ve been aware for multiple decades of US efforts abroad in training people and helping people understand cyber security.

HM: I’ve spoken to a couple of experts who are warning that the west should expect an explosion of cyber crime as sanctions in Russia bite. Are you already seeing any indicators that this is happening?

KM: I can’t tell if it’s happening yet. But it’s been ongoing. Every day of our lives, we wake up and someone’s getting extorted — and the actor behind the extortion is Russia.

They’ve been sucker punching the west in cyber space for decades now, when it comes to criminal elements having a safe harbour to make money.

Whether at war or not, whenever the economy declines in Russia, it’s more likely than not that people need to find another way to make money. And one of those ways is to compromise western organisations and extort them. And with digital currency, that’s do-able now. It’s a lot easier today to move currency than it was in the past.

HM: To what extent might Russia deliberately wield its criminal hacking underground as part of its cyber operations? Is there direct communication . . . between the Kremlin and hacking groups?

KM: It’s real hard to tell, all I can tell you is this. It doesn’t stretch credulity to think: if I’m working during the day, chartered with doing attacks for the military or the government and I want to make a couple million extra dollars at night, and I’m really good at it, maybe you do it.

I believe that, for the most part, there’s a couple of ways governments can support criminal offence and work with criminal offence. One is just condone it, do nothing about it. And the other is to actively contribute to it. I don’t know if you need to actively contribute to it when the criminal element might be meeting the nation’s objectives in the first place. Condoning might be good enough.

HM: I want to talk specifically about ransomware. Have the perpetrators basically been shielded by Russia or Russian-affiliated countries? And can ransomware criminals ever really be stopped?

KM: That’s the same question as: will crime ever be stopped? And there seems to always be a need for law enforcement throughout every society, every millennium. So I believe there always will be a criminal element. Wherever money goes crime follows, and money goes on the internet. Wherever information and communications go, espionage follows.

The challenge we have now . . . is that it’s not just ransomware that encrypts drives and you pay for a key to decrypt it. What’s probably more compelling is the extortion when somebody breaks in and steals information and then extorts a company to pay, or they release the information.

Nobody wants to pay but you want to protect your customers and protect citizens from those kinds of data leaks. Will it ever go to zero? I doubt it . . . the cyber domain will have a criminal element operating in it forever. And, right now, the way to monetise it is ransomware and extortion.

It’s just the perfect storm [with] digital currencies [but] we’re going to get better at defending even that, too. It used to be you’d follow the cyber trail and follow the money trail. And then for a while, we got bad at following the money trail. But, as we get more and more used to cryptocurrencies, we’re gonna get better at finding that trail and having anti-money laundering rules being more proactively adopted by all the crypto exchanges.

So, the bottom line is: the ransomware and extortion will continue forever, probably. That doesn’t mean [we are] defeatist. They’re already less effective than they were.

HM: Returning to nation state dynamics, there’s an argument that despite the latest White House warnings, the west should be more concerned about Chinese state hackers than Russian hackers. Is that fair? To what extent should Chinese espionage and trade-secret theft continue to be a concern for companies?

KM: . . . I would worry more about Russia, because China’s still following the patterns we’re used to. And so we can predict . . . there is a rule of engagement by Chinese government hackers. I haven’t seen them change data, delete data, destroy things.

The vast majority of cyber security professionals today are more worried about Russia, because the gloves may come off. And that’ll be a tough day for us if the gloves come off

[But] I don’t know what Russian offence is going to bring to bear. So I’m more worried about that . . . the vast majority of cyber security professionals today are more worried about Russia, because the gloves may come off. And that’ll be a tough day for us if the gloves come off.

HM: It feels like the Biden administration is taking cyber more seriously than the previous administration . . . Are there other areas that you think are not being tackled, where there needs to be more regulation?

KM: As a public company CEO, I’m almost always for not regulating and not legislating things. And cyber security is not a divisive issue between political parties. Nobody, whether Republican or Democrat, wants to see companies compromised . . . so it’s not a divisive issue to secure the nation and secure organisations in cyber space.

I think the biggest evolution I’ve seen is that the people in charge now, folks in the White House, folks at the NSA . . . they all know each other. And that . . . kind of greases the skids a bit and gets more done. There’s definitely a will to get it done.

I was impressed with the policies coming out of Anne Neuburger in the White House — let’s sprint, let’s go. You look at Jen Easterly at the Cybersecurity and Infrastructure Security Agency — let’s just get it done, let’s go. We’re not looking for perfect. We’re looking for action, and we’re getting that right now. And I think it’s working.

HM: I wanted to ask . . . about the tie-up with Google, how that will impact the work that you can do. Will it allow you — with more data — to do more than you could previously?

KM: There was just a lot of industrial logic behind the acquisition by Google of Mandiant . . . It was primarily, “Mandiant, be Mandiant.” Google has a vendor-agnostic approach . . . they want to have a security group that secures their customers — whether they’re in Google’s cloud, Amazon’s cloud, Microsoft’s cloud, on prem. They’re authentic and genuine about that. And, at Mandiant, we just want to be the best in the world at what we do. We really want to respond to the breaches that matter; learn the new and novel.

You look at the capabilities of Google, in AI, in big data. Mandiant has been on this journey to automate our security expertise for two decades. And we just feel teaming with Google accelerates our ability to automate our frontline responders that are finding the needle in the haystack all the time.

HM: What does automating the frontline Mandiant consultants mean?

KM: . . . You have self driving cars, we’ve automated the human driver. We’ve automated the airline pilot. At some point, maybe you can — and I’m not saying you can get perfect — but maybe you can automate many of the security tasks that we do. Software has always been the automation of human process — that’s what software has always done. And why not start to automate the best security minds? . . . We’ve always been chasing that dream.

The above transcript has been edited for brevity and clarity