A student project totally worthy of an up-and-coming Russian spy. Geesh, I mean really, she was allowed to be a part of this?
A U.S. university trained a Russian in the intricacies of domestic non-profits’ cybersecurity systems. Hmmm. Is MIT tutoring Iranians in how to mask the development of nuclear weapons?
she was a graduate student […] Butina’s college assignment […]
Contradiction.
The U.S. runs multiple programs aimed at strengthening democracy and boosting pro-Western sentiment
Contradiction.
We’re a free and open society so some of this is going to fall between the cracks as it did here. Once we identify the problem though, we need to fix it so it doesn’t happen again.
But this isn’t remotely as bad as Kushner getting highly classified, top secret intelligence material without a security clearance, then sharing that information with foreign entities for his personal gain.
Foreign students in our universities do a great deal of research, virtually all of it unclassified (as in this case).
Those who cannot be trusted should either (1) not be given entry visas or (2) be monitored closely once they’re in the country.
Yes. The country runs on the backs of grad students, interns, and teaching assistants.
Part of this article seems very overblown, but another part seems more serious.
First, she was given publicly-available information about various organizations, and she was apparently asked to evaluate their security:
“We have verified that all documents Internews provided to its students were publicly available, and we remain confident in the integrity of the State Department’s programs with Internews,” he said…
Internews said the students were never given access to the group’s work or systems…
One of Novotny’s AU courses was called “Cyber Warfare, Terrorism, Espionage, and Crime.” The project was aimed at helping Internews identify ways that it could help U.S.-based nonprofits improve their cybersecurity.
To me, this sounds like, “We gave our graduate students public information about several non-profits, and asked them to look for ways to improve those non-profits’ security.” This does not sound like a big deal; Butina could have accessed the same information in Moscow. As could any intelligence agency, script kiddie, criminal, etc., anywhere in the world. Russian intelligence can do a Google search and they presumably know quite a bit about computer security.
This part however is more concerning:
In the email, addressed to cybersecurity director Eva Galperin, she wrote: “My name is Maria Butina and I’m the captain of an American University student group doing research on U.S (civil society organizations) and their cyber security challenges. We have several questions about cyber security concerns facing human rights organizations and your expertise would be very beneficial.”
Novotny, who was later interviewed by the FBI about Butina, learned his instructions about not reaching out to partners had been ignored when the cybersecurity adviser of one nonprofit called him after becoming suspicious that a Russian student was asking about cyber vulnerabilities. He sternly warned the students not to ignore the protocol.
It sounds like the real problem is that she might have been leveraging her institutional affiliation to get more information about the organizations in question. This is a classic “social engineering” attack, and it can be pretty devastating. It’s the equivalent of wearing a hi-vis vest to bypass security.
It also looks like the university fell down on the job here:
Novotny told the AP that even after press reports about Butina raised questions about her connections to the Russian government, he was obligated to treat her like any other student.
“I have always observed university policies and rules during my entire academic career,” he said.
The university declined comment, citing federal privacy rules.
Also, if you work for a human rights organization, there should be an important lesson here: If somebody contacts you about your security infrastructure, you need to vet that person, and not assume that a university, etc., has done it for you.
Please add volunteers to the mix.
Gathering information not only for vulnerabilities but also for spearphishing attacks. (That’s when someone opens malware-containing email that appears to be from someone they know and trust.)