CYBER INSECURITY


Copyright © 2017 Benoit Morel All rights reserved

First Edition

PAGE PUBLISHING, INC. New York, NY

First published by Page Publishing, Inc., 2017. ISBN 978-1-64027-568-3 (Paperback)


How come stealing from one book is plagiarism, but stealing from many is research?


PROLEGOMENA

This book is the product of fifteen years of teaching a course at Carnegie Mellon University. If any of the many students who took that course over the years read the book, they will know that I realize how much I owe them. They were nothing less than magical in the mix of enthusiasm, interest, and computer savvy they brought to that course. In many cases, I learned more from them than they did from me.

Warnings

About the Use and Abuse of the Word Cyber

The word cyber has become ubiquitous to the point of discomfort. Tim Unwin, for example, said, “My preference is to abandon the use of this ‘cyber’ terminology altogether and to use clearer, more specific words for what we are talking about and seeking to implement.”1

Although one can only sympathize with that point of view, the meaning of words and, more generally, of languages has something in common with politicians: they are easily corrupted. Still, everything seems to be “cyberized,” including human feelings. For example, one now speaks of cyber anxiety.2 Fighting the trend toward the cyberization of most English words is a heroic but ultimately futile battle. And contrary to the assertion that there is always a “clearer, more specific word” to substitute for cyber, the opposite is true in most cases. Furthermore, the cost of having to find a new word for each instance where the word cyber captures the idea concisely is far too great. Hence, purists reading this book are in serious danger of an overdose of cyber.

About Technical Terms


people are familiar with at least some of those words, and not necessarily the same ones. It is impossible to explain each technical term without making the reading seriously cumbersome for most readers. Hence, readers who want help can find it on the web. A good guide to where glossaries can be found is the Congressional Research Service (CRS) report “Cybersecurity: Data, Statistics, and Glossaries,” written by Rita Tehan.3

1 https://unwin.wordpress.com/2014/01/15/on-cyber-and-the-dangers-of-elision/.

2 George R. Lucas, “Cyber Anxiety and Threat Inflation,” in The Ethics of Information Warfare, eds. Luciano Floridi and Mariarosaria Taddeo (Switzerland: Springer International Publishing, 2014).

3 Rita Tehan, “Cybersecurity: Data, Statistics, and Glossaries,” Congressional Research Service (September 2015).


INTRODUCTION

Cybersecurity is arguably the most complex threat facing modern societies. It is a 100 percent man-made phenomenon, and yet it outsmarts human beings.

Few people have had a life-changing experience because of a cyber incident. Still, some surveys suggest that people are more afraid of cyber attacks than of North Korea, Iran’s nuclear weapons, or climate change.4

All are rather remote threats. But the fact that cyber anxiety has entered the vocabulary is reminiscent of what the legendary chess player Aron Nimzowitsch once said: “A threat is stronger than the execution.”5 He was speaking about chess and chiding a referee who would not ask his opponent to put aside the unlit cigarette he had in his mouth in a tournament where smoking was forbidden. The referee tried to explain to Nimzowitsch that, technically, his opponent was not smoking. All he accomplished was to draw Nimzowitsch’s ire for his ignorance of the psychology of chess: the threat of smoking was worse than the smoking itself.

When it comes to threat perception, cybersecurity may have something in common with chess, although it does not take much to instill panic and distress in users as soon as their computers show signs of not functioning correctly. Furthermore, average users often seem to behave irrationally. After having been warned about the dangers of certain actions, they purport to take the warning seriously and then proceed to do exactly what they were advised not to do. That has happened repeatedly with heads of the CIA, for example.6


Few think that the present Wild West atmosphere of the Internet is sustainable. There is a need for some legal order. But it is the job of the US Congress to define the legal contours of that order, and the US Congress has not passed a serious law on that subject since 2002.8 Whatever it tried to pass was either too contentious to make it through both chambers, or worse than doing nothing, or both.9

Part of the complexity of the threat that cybersecurity represents to modern societies stems from the difficulty that governments in general have in adjusting to its culture. The drivers of change in cybersecurity reside outside governments and outside their control. Too much of the expertise in cybersecurity also resides outside governments. This is a somewhat scary situation, which justifies our sense of cyber insecurity.

Another facet of the complexity of cybersecurity as a threat is that it potentially affects all aspects of life in modern societies, from the smallest to the largest.

Another facet of the complexity of cybersecurity is its technical dimension. This is a fundamental feature of cybersecurity that is routinely underestimated. Cybersecurity is rooted in the technical complexity of computers and of Internet technology. The most obvious feature of Internet technology is the relentless pace of innovation. This is also its most attractive feature and the major reason for its success. But each innovation seems to bring with it new opportunities for cyber attacks. Cybersecurity today is very different from what it was a few years ago, and we do not know what it will look like a few years hence.

Cybersecurity is not a mature academic field. In fact, one contention of this book is that after a good beginning, academia managed to marginalize itself from the real action. Furthermore, there is a lot of data in cybersecurity, but little of it is good and reliable. As a result, there is a tendency to rely on anecdotal evidence. Cybersecurity encompasses a lot of things, and people tend to specialize, making cybersecurity a fragmented field of study lacking a common thread. Words are used loosely, or more exactly, they often mean different things to different people. There is no solid conceptual framework.


the government while emphasizing the singular excellence of NSA. It tries to convey a sense of the vast and complex world of malware and web application security. It tries to convey the dynamic nature of the field by speaking of the Internet of things, the revolutionary changes occurring in the security industry, and how artificial intelligence may turn out to be a game changer. Something this book does not do is come up with answers. This is partially based on the observation that for the most important questions in cybersecurity, there is no good answer. A question without a good answer should stay unanswered.

4 Peter W. Singer and Allan Friedman, Cybersecurity and Cyberwar: What Everyone Needs to Know (Oxford: Oxford University Press, 2014).

5 http://www.chess.com/blog/DENVERHIGH/quota-threat-is-stronger-than-the-executionquot-aron-numzowitsch.

6 http://www.wired.com/2015/10/hacker-who-broke-into-cia-director-john-brennan-email-tells-how-he-did-it/.

7 Peter W. Singer and Allan Friedman, Cybersecurity and Cyberwar: What Everyone Needs to Know (Oxford: Oxford University Press, 2014).

8 http://info.law.indiana.edu/faculty-publications/The-Emergence-of-Cybersecurity-Law.pdf.


CHAPTER 1

The Advanced Persistent Threat

Before software can be reusable it first has to be usable.

—Ralph Johnson, computer scientist10

As John Chambers, former head of Cisco, likes to say, “There are two types of companies: those who have been hacked and those who don’t yet know they have been hacked.”11

The advanced persistent threat, APT for short, has become a popular buzzword. Those who use the acronym seem to have a precise idea of what it means. The problem is that APT does not seem to mean exactly the same thing to everybody. This is representative of a problem with cybersecurity: it lacks conceptual precision and rigor. Still, APT refers to the fundamental fact that cyber attacks are taking place continuously and relentlessly.

To have a useful meaning, APT should refer to a subset of cyber attacks. But there is no consensus on how to define that subset precisely. The closest thing to a working definition, in industry usage, is a well-resourced and typically state-sponsored actor that keeps access to a chosen target for months or years, as in Mandiant’s 2013 “APT1” report on a unit of the Chinese People’s Liberation Army. Even so, the boundaries are contested. Should it cover only threats coming from governments or large groups? Should it refer to situations where the victims are large organizations or government bodies? Or does the pilfering of money through cyber means, whatever form it takes, also belong to APT? Or something else?

APT may be poorly defined. Perhaps the most useful thing the acronym APT accomplishes is to characterize appropriately what cybersecurity is more and more about: a threat continuously growing in size, complexity, and diversity. Cybersecurity is not a problem about to be solved; it is a growing problem we will have to live with for the foreseeable future.


challenging law enforcement at all levels. An underground economy has emerged. Classical security tools like antivirus (AV) programs and firewalls provide increasingly limited cyber protection. Security companies have to redefine themselves continuously to adjust to a fast-changing world. The approach to cyber defense and the cybersecurity industry altogether is going through a severe midlife crisis.

This is in a context where computers are progressively invading every aspect of daily life. Cars, airplanes, medical devices, appliances: all are progressively becoming targets for cyber attacks. Databases, where the family jewels of most organizations and the financial records of most individuals are stored, are regularly compromised. And the list goes on.

Among all these, what belongs to APT? Or is APT the sum of all them? Does the answer to that question matter?


CHAPTER 2

Repository of Cybersecurity Knowledge and Expertise

There is a lot of knowledge in cybersecurity, but it is scattered and difficult to pinpoint. There is no centralized repository of knowledge, no place to go to get reliable answers and complete information. Cybersecurity is totally man-made. Still, nobody understands it fully. Somehow cybersecurity has become too complex for human beings to comprehend fully. Who are the “experts” quoted by the media? There are knowledgeable people, but no “experts” who know everything. Some know more or have more to offer than others, although most “experts” do not know as much as they profess to. And there are the charlatans who take advantage of the present confusion to try to make money by selling the cyber equivalent of snake oil: “Your computer may be infected, call…”

The Hackers

General Keith Alexander, when he was head of NSA (2005–2014), made a point of attending in person the most important hacker conferences, i.e., the Black Hat Briefings and DEF CON, because, as he told the attendees, “[they] are the best experts.”

Hackers basically started and made cybersecurity what it is today and still drive its evolution. Hackers were the ones who showed how buffer overflows could be exploited. This is not trivial12 and requires quite a bit of knowledge of how computers work. Their tutorials13 are better than what often is taught


scholarly events. The best talks look more like demos than academic contributions. There is a lot of banter and beer.

Hackers made cybersecurity what it is today. Many of the best security tools were hacking tools originally. They were not made to protect, but to attack. Any innovation or technological advance is perceived collectively by hackers as an invitation to use their imagination to prove that it is “hackable,” i.e., that it can be made to do things it was not supposed to. So far, they have never failed.

The community of hackers is not homogeneous. Many are not that good. But those who are good are the best experts in cybersecurity. As the famous hacker Mudge said at a hacker conference, they are researchers.14 Hackers, on the other hand, are not always the best teachers. They develop their skills far away from academia, and their goal is not to immortalize themselves in publications in peer-reviewed journals. Still, some of their publications are considered among the best sources. Some articles, like the Mudge tutorial15 or “Smashing the Stack for Fun and Profit” (Phrack 49),16 are classics. Phrack, founded in 1985 and still publishing (far less often than in its heyday), has for decades been a prominent e-zine whose articles are written by hackers for hackers (and anybody else interested in cybersecurity). It remains a very good source of information on the technical dimension of cybersecurity.
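The stack-smashing technique that the Mudge tutorial and the Phrack article teach rests on a single mechanism: an unbounded copy into a fixed-size buffer overwrites whatever sits next to that buffer in memory. The following is an added example, not code from the book or from either tutorial. It uses a hypothetical login record whose privilege flag sits immediately after a 16-byte name buffer (the struct, its field names and the sample inputs are all assumptions) so that the overwrite is visible without crashing the program, and shows the hardened copy beside the vulnerable one.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the book. Hypothetical record: a 16-byte name
 * buffer followed directly by a privilege flag, mirroring how a stack
 * frame places a local buffer next to saved control data. */
struct login {
    char name[16];
    int  is_admin;                      /* 0 = ordinary user, non-zero = administrator */
};

/* Vulnerable: unbounded copy, the same loop strcpy performs.
 * Any input longer than 15 characters writes past name[] into is_admin.
 * Returns 1 if the record ends up with administrator privilege, else 0. */
int login_unchecked(const char *input)
{
    struct login rec;
    memset(&rec, 0, sizeof rec);        /* start as an ordinary user */
    char *dst = rec.name;
    while ((*dst++ = *input++) != '\0') /* BUG: no bound on the copy */
        ;
    return rec.is_admin != 0;
}

/* Hardened: measure the input within the buffer size before copying and
 * reject anything that would not fit together with its terminating NUL.
 * Returns -1 when the input is rejected, otherwise the privilege as above. */
int login_checked(const char *input)
{
    struct login rec;
    memset(&rec, 0, sizeof rec);
    size_t n = 0;
    while (n < sizeof rec.name && input[n] != '\0')
        n++;
    if (n == sizeof rec.name)           /* no room for the NUL: fail closed */
        return -1;
    memcpy(rec.name, input, n + 1);     /* n + 1 <= 16, always inside name[] */
    return rec.is_admin != 0;
}

int main(void)
{
    /* Constructed inputs: sixteen 'A's fill the buffer, the seventeenth
     * overwrites the low byte of is_admin, the NUL lands in its second byte. */
    const char *benign   = "alice";
    const char *overflow = "AAAAAAAAAAAAAAAAA";

    printf("unchecked, benign input:  admin=%d\n", login_unchecked(benign));
    printf("unchecked, 17-byte input: admin=%d\n", login_unchecked(overflow));
    printf("checked,   17-byte input: result=%d (rejected)\n", login_checked(overflow));
    return 0;
}
```

The unchecked loop is exactly what strcpy does. With a real stack frame instead of a struct, the bytes past the buffer land on saved registers and the return address, which is how the Phrack article turns the same overwrite into code execution. Note that strncpy is not the fix: it silently drops the terminating NUL when the input is exactly the buffer size, so the next read of the buffer runs past it. Measure, reject, then copy.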

How and Where to Get Informed about the Latest in Cybersecurity

The amount of cyber activity going on continuously on the Internet is humongous. A lot of good information is circulating in cybersecurity, but most of it stays confined to a limited community. Getting the full picture of what goes on is not possible, and getting a partial picture is time-consuming. A lot is happening under the radar. Some groups, like Team Cymru,17 go out of their way to systematically roam the web, select the best articles of the day, and distribute them to their readers. Even reading all those preselected articles takes a lot of time.

There is a whole ecosystem of blogs where one can find high-quality information. Some, like those of Bruce Schneier,18 Brian Krebs,19 or Dancho Danchev,20 to name a few, are well known and widely read. But there are


Magazines, like SC Magazine,23 Hacker News,24 Wired,25 Hackmageddon,26 Threatpost,27 and Securelist28 (the last two are related to Kaspersky29), to name a few, provide higher-quality coverage, but they tend to focus on the aspects of cybersecurity most relevant to their readership, which tends to be rather specialized. That contributes to the impression of fragmentation that cybersecurity sometimes projects.

Large security companies like Kaspersky, Sophos, Symantec, or FireEye, to name a few, have their own publications, reports, or blogs. Unfortunately (and this is to be emphasized), the numbers they produce have to be taken with a pinch of salt, or as mere orders of magnitude: each vendor counts only what its own products see, and vendors count different things. In cybersecurity, there is no such thing as “good and reliable” numbers. This is not specific to cybersecurity, but it is particularly acute in that field, and that contributes to the difficulty of achieving a high degree of situational awareness.

Some companies provide real-time information and maps. Noteworthy are the Attack Maps of Arbor Networks,30 the McAfee Global Virus Map,31 the SANS Internet Storm Center,32 and Symantec DeepSight Intelligence,33 among others. They convey a sense of the global nature of cyber attacks as well as their dynamic nature. The fact that companies like Symantec or Kaspersky have customers all over the world allows them to deploy sensors all over the world. In a sense, they have a larger information base than a national agency, which tends to be more limited in where it can deploy sensors. Obviously, targeted attacks against specific networks do not show up in those data or maps, which mostly reflect mass, indiscriminate activity hitting the vendors’ sensors.

The media cover only “big events,” and in general, they do not cover them very well. Few journalists have technical depth. Too often, when they describe an attack, their description is only superficially correct, with subtle mistakes or imprecisions scattered around that most of the public does not notice. That helps explain why those who get informed mostly, if not only, by the media have such a poor grasp of the technical reality of cybersecurity.

The (Marginal) Role of Academia


have progressively become less important. Rarely does an important contribution get aired there.

One reason is that, apart from cryptography,34 cybersecurity is not a natural academic field. Cryptography is very mathematically intensive and, as a result, suits academia. But most of the rest of cybersecurity has not found the same degree of legitimacy as an academic field. It deals too much with the minutiae of protocols and engineering details.

Another area where academia can make a difference in cybersecurity is in the development of tools that use artificial intelligence much more aggressively. Many cyber-espionage incidents were made worse because the detection of the intrusion took weeks or months. Once an intrusion is suspected, it does not take long for companies like Kaspersky or Mandiant to identify it and analyze it; the problem is the time that elapses before anyone suspects anything.

Existing tools are not good at autonomous intrusion detection. What is needed is a tool able to make context-dependent determinations, i.e., displaying the cognitive ability of human beings, something that could pass a kind of Turing test for the analyst’s job. Clearly, what is needed is artificial intelligence with a high degree of sophistication. Developing that level of artificial intelligence requires a long and protracted research effort. Private companies (the drivers of innovation in cybersecurity) cannot easily stomach such research; hence, academia is the natural place to develop such capabilities. But academic research along those lines is, at best, anemic. Why?

This is probably because of the natural inertia of the field seen as a community of researchers. The US National Science Foundation (NSF) has been struggling for years to develop programs in cybersecurity that make academic sense. So far, it has mostly failed. NSF has consistently funded research that did not have the potential to make a difference. But paraphrasing what Churchill said about the Americans, NSF always ends up doing the right thing, but only after having exhausted all other possibilities.

A Hacking Industry?


The Italian company Hacking Team, for example, sells tools and expertise to governments. Although it tries to project a sense of rectitude by stating a policy whereby it refuses to deal with governments that violate human rights,35 the reality is different. Citizen Lab (a watchdog group located within the University of Toronto) has accumulated evidence that Hacking Team had, in fact, sold its tools to unsavory governments, such as Sudan, or had helped other governments (like the Ethiopian government) in their censorship policy against journalists. “On February 12, 2014, Citizen Lab published a report36 documenting how journalists at the Ethiopian Satellite Television Service (ESAT) were targeted by a governmental attacker in December 2013, with what appeared to be Hacking Team’s Remote Control System (RCS) spyware. The governmental attacker may be the Ethiopian Information Network Security Agency (INSA).”

More damning and embarrassing for Hacking Team was the fact that it was itself hacked, in July 2015, and courtesy of WikiLeaks, its list of customers became public.37 One effect of these revelations was to inspire a member of the European Parliament, Marietje Schaake, to ask whether Hacking Team had not violated European laws prohibiting the export of sensitive technology to countries with poor human rights records. In its defense, Hacking Team argued that it was not selling weapons, just software, and that it should be treated like “sellers of sandwiches.” Critics point out that spying and surveillance tools are not the same thing as sandwiches.38

The hack also exposed two zero-day39 vulnerabilities that Hacking Team was keeping in reserve. Zero days can fetch tens of thousands of dollars in some markets. “Hacking Team, ironically, published a blog post on Wednesday claiming that the hacker had put everyone at risk by leaking the company’s exploits and the source code for its surveillance tools.”40

Vupen,41 which stands for “vulnerability research and penetration testing,” is a French information security company created in 2004 and based in Montpellier, France. Its founder, Chaouki Bekrar, and his researchers initially worked with software vendors to patch their bugs. “But after taking $1.5 million in venture capital from 360 Capital Partners and Gant & Partners, Bekrar found that the firm could earn far more by keeping its findings under wraps and selling them at a premium.”42 Now, Vupen offers


offensive cyber operations.”43 A Freedom of Information (FOI) request by the government transparency site MuckRock revealed that NSA has been one of Vupen’s clients. And the German magazine Der Spiegel reported that German authorities were clients of Vupen until September 2014.44

Vupen distinguished itself in an ambiguous way at a competition organized by Google in 2012 to find security holes in its browser, Chrome. The hackers from Vupen “declined to enter Google’s contest and instead dismantled Chrome’s security to win an HP-sponsored hackathon at the same conference. And while Google paid a $60,000 award to each of the two hackers who won its event on the condition that they tell Google every detail of their attacks and help the company fix the vulnerabilities they had used, Vupen’s chief executive and lead hacker, Chaouki Bekrar, says his company never had any intention of telling Google its secret techniques—certainly not for $60,000 in chump change.”45

“We wouldn’t share this with Google for even $1 million,” added Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”

Vupen and, in particular, its head have inspired negative comments of the kind: “Vupen is the Snooki of this industry,” says privacy researcher Christopher Soghoian. “They seek out publicity, and they don’t even realize that they lack all class. They’re the Jersey Shore of the exploit trade.” Google has called Bekrar an “ethically challenged opportunist.”46

Companies like Netragard, Endgame, Northrop Grumman, or Raytheon also sell cybersecurity services to governments, but they do not get the same press as Vupen.

Hackers for Hire


HackerOne48 represents a notable attempt to make good use of the talent of hackers. HackerOne aims at connecting hackers with companies. “We want to make it easy and rewarding for that next group of skilled hackers to have a viable career staying in defense,” said Katie Moussouris, HackerOne’s chief policy officer. “Right now, we’re on the fence.”49

“In the last year, HackerOne has persuaded some of the biggest names in tech—including Yahoo, Square, and Twitter—and companies you might never expect, like banks and oil companies, to work with their service. They have also convinced venture capitalists that, with billions more devices moving online and flaws inevitable in each, HackerOne has the potential to be very lucrative. HackerOne gets a 20 percent commission on top of each bounty paid through its service. About 1,500 hackers are on HackerOne’s platform. They have fixed around 9,000 bugs and received more than $3 million in bounties.”

HackerOne competes with Bugcrowd, another start-up that charges companies an annual fee to manage their bounty programs.

Facebook, Microsoft, and Google have bug bounty programs, some of which were set up by people who later joined HackerOne. The companies offer a bounty to whoever finds a bug or vulnerability in their software. United Airlines started offering hackers free frequent-flyer miles50 after a security researcher tweeted about vulnerabilities in a plane’s in-flight Wi-Fi system and told the FBI that he had briefly taken control of a plane while in flight.51 (United’s program covers its websites and apps; it explicitly excludes onboard Wi-Fi, entertainment, and avionics systems.)

There is another kind of demand for “hackers for hire.” For example, “a man in Sweden says he will pay up to $2,000 to anyone who can break into his landlord’s website. A woman in California says she will pay $500 for someone to hack into her boyfriend’s Facebook and Gmail accounts to see if he is cheating on her.”52

Finding a suitable hacker for specific jobs is getting easier. Hacker’s List,53 which opened for business in November 2014, matches hackers with members of the general public who wish to hire one.54 The site promises anonymity, privacy, confidentiality, discretion, security, and protection against scams and fraud, and vouches for the talent and honesty of its hackers.


Everything is offered “as a service”: platform as a service (PaaS), software as a service (SaaS) (not to be confused with storage as a service, also abbreviated SaaS), infrastructure as a service (IaaS), communication as a service (CaaS), network as a service (NaaS), etc. All are put together under the umbrella XaaS (anything as a service).55

Malware as a service (MaaS) is not yet officially on the XaaS list, but it has real prospects as a business model. If sending malware against competitors becomes fair game, MaaS may turn out to be a game changer in the life of business.

“Speaking at the recent InfoSec Security Conference in London, US Federal Bureau of Investigation (FBI) agent Michael Driscoll said that the potential effects of selling ‘malware as a service’ could be ‘devastating.’ Cyber attacks on corporate IT systems may start to escalate severely.”56

12 http://insecure.org/stf/smashstack.html.

13 http://insecure.org/stf/mudge_buffer_overflow_tutorial.html.

14 Mudge (Peiter Zatko), “Analytic Framework for Cyber Security,” ShmooCon presentation, 2011, https://www.youtube.com/watch?v=rDP6A5NMeA4.


38 http://www.lemonde.fr/pixels/article/2015/07/10/les-logiciels-espions-sont-ils-des-armes_4678993_4408996.html#R41tIMWW0QuUxx9w.99.

39 “Zero days” are software vulnerabilities unknown to the vendor, so that no patch exists (the vendor has had “zero days” to fix them). Whoever discovers them keeps them secret, and signature-based security tools like antivirus (AV) provide no protection against an exploit for them until a sample has been seen and analyzed.

40 http://www.wired.com/2015/07/hacking-team-shows-world-not-stockpile-exploits/.

41 https://wikileaks.org/spyfiles/files/0/279_VUPEN-THREAD-EXPLOITS.pdf.

42 Andy Greenberg, “Meet the Hackers Who Sell Spies the Tools to Crack Your PC (And Get Paid Six-Figure Fees),” Forbes (April 9, 2012), http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/.

43 Charlie Osborne, “NSA purchased zero-day exploits from French security firm Vupen,” ZDNet (September 18, 2013), http://www.zdnet.com/article/nsa-purchased-zero-day-exploits-from-french-security-firm-vupen/.

44 “BND will Informationen über Software-Sicherheitslücken einkaufen” (“BND wants to buy information on software security holes”), Der Spiegel (September 11, 2014), http://www.spiegel.de/spiegel/vorab/bnd-will-informationen-ueber-software-sicherheitsluecken-einkaufen-a-1001771.html.

45 Andy Greenberg, “Meet the Hackers Who Sell Spies the Tools to Crack Your PC (And Get Paid Six-Figure Fees),” Forbes (April 9, 2012), http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/.

46 http://www.forbes.com/fdc/welcome_mjx.shtml.

47 http://dealbook.nytimes.com/2015/01/15/need-some-espionage-done-hackers-are-for-hire-online/.

48 https://hackerone.com/.

49 Nicole Perlroth, “HackerOne Connects Hackers with Companies, and Hopes for a Win-Win,” The New York Times (June 7, 2015), http://www.nytimes.com/2015/06/08/technology/hackerone-connects-hackers-with-companies-and-hopes-for-a-win-win.html.

50 Kim Zetter, “United Airlines Pays Man a Million Miles for Reporting Bug,” Wired (July 14, 2015), http://www.wired.com/2015/07/united-airlines-pays-man-million-miles-reporting-bug/.

51 http://www.cnn.com/2015/05/17/us/fbi-hacker-flight-computer-systems/; see also https://grahamcluley.com/2015/05/security-researcher-hijacked-plane/.

52 http://www.zdnet.com/article/hackers-for-hire-anonymous-quick-and-not-necessarily-illegal/.

53 https://hackerslist.com/.

54 http://www.zdnet.com/article/hackers-for-hire-anonymous-quick-and-not-necessarily-illegal/.

55 http://www.computerworlduk.com/galleries/infrastructure/9-everything-as-service-xaas-companies-watch-3376134/, and http://searchcloudcomputing.techtarget.com/definition/XaaS-anything-as-a-service.


CHAPTER 3

International Dimension

For better or worse, the Internet connects virtually everybody on the planet. Although originally an American invention, it is the most international structure ever built. Nobody fully controls the Internet or has the power to regulate it. It disrupts life within nations and relations between states in ways that nobody anticipated or even fully understands.

Espionage is the oldest profession in international relations, but with the Internet, it has reached a new level and has almost changed in nature. It is difficult to imagine that there is still a network belonging to a government or an embassy that has not been compromised. Yet it is a documented fact that the personnel running these networks do not realize it and are surprised or horrified when evidence of a breach emerges.

Conflicts, like the various wars in the Middle East or the disputes between India and Pakistan, generate cybersecurity activity. So far, it has not significantly affected the dynamics of those conflicts, but that may change if cyberspace becomes a more active battlefield in the future. Cyberspace is often referred to as the fifth domain of warfare, after land, sea, air, and space.57

Nations rarely, if ever, officially acknowledge being behind a cyber attack. The malware Stuxnet, for example, which sabotaged Iran’s uranium-enrichment program, was clearly developed at the state level (by the United States and Israel),58 even though this has never been officially acknowledged.


Malaysia and Denmark; they have since been redirected to prevent the attackers from controlling any compromised computers.” In the process, they “sinkholed” the command-and-control (C2) servers, which presumably were operated by NSA and/or Israel. Apparently, Symantec did not imagine that the “attackers” could be the US government. After interviewing the people at Symantec charged with investigating Stuxnet, Kim Zetter wrote in her book Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, “By intercepting data the attackers were expecting to receive from infected machines in Iran, [the Symantec people] had possibly landed themselves smack in the middle of an international incident and also may have helped sabotage a classified mission.”60

China’s Hacking: A Major Subject of International Debate61

Every nation is clearly engaged in some level of cyber espionage, but China has the dubious distinction of being singled out as the nation doing it most aggressively.62 It would be more appropriate to say that China is the nation that does it most blatantly.

The US government, which has at least sixteen different intelligence agencies,63 complains about Chinese cyber espionage.64 One could be surprised that the country which has, in NSA, the gold standard in spying utters such a complaint. Thanks to NSA, it is safe to assume that by now China probably does not have any secrets from the United States. This is not limited to China. It is common knowledge that when a US president meets any foreign head of state, he is given the visitor’s talking points in advance. China, for its part, demands that the United States halt its “unscrupulous cyber spying.”65

The Chinese Foreign Ministry says China opposes hacking attacks and is itself a victim.66 It protests its innocence67 by explaining that “[it] has never sanctioned” such activity, although the opposite is documented beyond any reasonable doubt. We even know which buildings in China68 some attacks originate from and sometimes even the names of the people behind them.69 The


The problem is with industrial espionage. There is an etiquette in espionage: state secrets are fair games, but industrial espionage is not. And importantly, there is one asymmetry the US government cannot do much about: there is far more to learn in technology and otherwise from the United States than there is from China.

Who can stop Chinese hackers from pilfering technological information from the cyber-hapless US military industrial complex? What are the odds that China will voluntarily refrain from doing something that serves its interests?

There is a controversial idea that is sometimes mentioned: giving US companies an official green light to “hack back.”71 But what would that accomplish if there is not much to learn? At that game, their technological inferiority confers a strategic advantage on the Chinese.

Level of Sophistication of the Attacks

One conspicuous feature of China’s espionage is that the level of sophistication of the attacks varies considerably. They can be quite sophisticated, but they can be quite the opposite as well. One implication seems to be that those who carry out the attacks on behalf of the government of China have very different levels of skill (i.e., China is drawing from a large pool of talent). Another observation is that the level of sophistication does not necessarily need to be high for the attack to be quite successful.

GhostNet72 is a good example of a very successful cyberspying campaign done with not-so-sophisticated means. An old piece of malware (called GhostRat) was used. It was introduced into targeted networks by social engineering (i.e., by inducing somebody to open an e-mail attachment). Once in the network, the malware would spy on e-mail and other communications, log keystrokes, trigger the webcam, exfiltrate documents, etc. The malware would send its loot to servers scattered around the world, but clearly under Chinese control.

GhostRat had been around years before (GhostNet was discovered in 2008, while GhostRat was exploiting a vulnerability recorded in 2006, CVE-2006-2492). The reason GhostNet was not detected earlier was that the malware GhostRat had been slightly modified to avoid detection by the major antivirus software.


compromised. He was put in contact with a group of researchers at the Munk Centre for International Studies at the University of Toronto.73 They came to Dharamsala, and using a honeypot, they gathered information on the traffic for analysis back home in Toronto.

They established that the malware GhostRat was present. GhostRat was sending information to a variety of servers, and that information was eventually sent to China. By monitoring the traffic of the servers to which GhostRat was programmed to speak, they discovered that a large number of high-value networks scattered across 103 countries had also been compromised. That included embassies, economic and financial institutions, etc. Apparently, none of them had realized that their networks had been compromised. They learned it (the hard way?) by reading the report entitled GhostNet,74 where the compromised networks were listed.

Red October

If the GhostNet campaign did not impress by its sophistication, the Red October campaign, also attributed to China and discovered by the security company Kaspersky, left a different impression.

Both attacks had a lot in common. In both cases, the goal was cyber espionage. In both cases, the victims had a wide geographical distribution. In both cases, the attack started with some form of social engineering. In the case of Red October, it was “spear phishing.”75

One impressive feature of Red October was “a module [in the malware], which is essentially created to be embedded into Adobe Reader and Microsoft Office applications. The main purpose of its code is to create a foolproof way to regain access to the target system [in case the attack is detected and the malware eradicated].”76

It took a long time before Red October was detected in 2012. It is estimated that the campaign started in 2007.77 And Red October changed with time. In particular, it gathered information about the compromised networks, like security checks, which could be used in future attacks. That illustrates an additional danger of not detecting attacks early.


channels. The structure of the C&C system reminded Kaspersky Lab of the Flame malware.

Flame is one of the most sophisticated pieces of malware ever produced.78 It infected computers mostly in the Middle East. Its target set (Iran, Saudi Arabia, and other Middle Eastern countries), and its similarity with the malware Stuxnet or Duqu, points to NSA as the probable author of Flame.

The similarity between the Flame C&C and the Red October C&C is intriguing. Flame started being active in February 2010 and was discovered in 2012.79 If the Flame C&C system was designed by authors different from those of Red October, and considering that Red October was discovered in the fall of 2012 after five years of activity, that suggests that the Red October people had analyzed how Flame works years before its official discovery in spring 2012 and modified the architecture of their C&C system accordingly. In other words, somehow they knew about that malware years before the rest of the world did. The assumed authors of Red October are Chinese, but according to Kaspersky, China was not a target of Flame. So how did the Chinese learn about Flame?

China and Cyber War

Another conspicuous feature about China’s cyber posture is its relative openness on subjects like cyber war. China is not known for its openness when it comes to the Internet. It tries to control the traffic in and out of its network with the so-called Great Firewall of China. But the military use of cyberspace has been a subject of public strategic debate since 1999, when a couple of colonels of the People’s Liberation Army, Qiao Liang and Wang Xiangsui, wrote an essay entitled “Unrestricted Warfare.”80

Similarly, China does not make it a secret that it is building a cyber army.81 Combined with all the allegations of Chinese spying and stealing information on secret projects like the F-35 fighter,82 China has managed to project the image of a nation aggressively engaged in understanding how cyberspace changes the security equation, to the point of inspiring fear.

Russia


strategy83 says something similar: “Russian actors are stealthy in their cyber tradecraft, and their intentions are sometimes difficult to discern, especially compared with China, Iran, or North Korea.”

On paper, Russia is a leader in cybersecurity. Probably more malware has come from Russia than the rest of the world combined. The proportion of hackers in Russia who are cyber criminals is larger than in the United States.84 A prerequisite to make an investigation in the underground economy is to read and understand Russian.85 The best security company in the world (Kaspersky) is headquartered in Russia.

The common explanation for that state of affairs is that the Soviet system may have been an economic failure, but it produced first-class computer scientists. Many of them found in cybersecurity a way to make a living after the fall of the Soviet regime.

With that kind of pedigree, Russia could be a giant in cybersecurity. But concretely, what has Russia as a nation done with all these cyber resources?

There was the distributed denial-of-service (DDoS) attack on Estonia in May 2007, which lasted several weeks. It was in reprisal for the relocation of the statue of a Russian soldier from a prominent public place to somewhere less prestigious. The attack was only a DDoS, but an attack of that kind was unprecedented. The DDoS attack was perceived as a state-sponsored cyber attack on the integrity of Estonia as a nation. The then-speaker of the Estonian parliament, Ene Ergma, said, “When I look at a nuclear explosion, and [what] happened in our country in May, I see the same thing.”86

Estonia happens to be the country on earth relying the most on the Internet, including for voting. Russia denied any involvement in the attack. Attribution is problematic in cyber, but NATO, then completely unprepared for any serious cyber contingency, reacted strongly and made Tallinn (the capital of Estonia) its center for cyber warfare.

Russia also resorted to a DDoS attack against Georgia when it intervened militarily during the South Ossetia war in August 2008. And again, the Russian government claimed it had nothing to do with the DDoS attack, which targeted websites of the Georgian government.87

In parallel, Russia has been engaged in information warfare on the web. The infamous web brigades88 are individuals engaged in a campaign of


security agencies (FSB and KGB). They attack dissidents.89 They hide their identity to penetrate forums. The web brigades became very active just before the Iraq War. They represented the Iraq War not as a war to liberate the Iraqis from Saddam Hussein but as “an attack on Russia, [as if the United States] was [actually] marching on the Kremlin.” When “Putin announced that Russia was not opposed to the victory of the coalition forces in Iraq,” the web brigades suddenly fell silent. They have absolute loyalty to Putin and his government. According to an ex-contributor to the web brigades, who defected, “[their] goal was to cause dissension and unrest inside the US and anti-American feelings abroad.”

DDoS and information warfare do not represent existential threats to societies in the way that targeting their power grid or their financial sectors would. Furthermore, there is no evidence that Russia is engaged in building a cyber army90 to the same extent as China.

Instead, Russia indulges in symbolic agreements with China and the United States on the need to keep cyberspace safe.91 Those agreements speak of confidence-building measures and are basically expressions of good intentions (pledging not to hack each other again) without pledging anything more concrete than interactions between national CERTs (computer emergency response teams), which do not have the potential to make a big difference. CERTs are not where cyber attacks are planned or originate. The US-Russian disagreement over Ukraine was enough to derail the work of a bilateral working group. In the same way, China pulled out of a similar group when the United States indicted five Chinese military people for hacking.

These agreements or discussions are part of a more general diplomatic effort by nations to address a growing threat they understand is potentially serious, partially because nobody understands it fully. In April 2015, the fourth Global Conference on Cyberspace (GCCS)92 ended as usual, i.e., inconclusively.93 The GCCS cycle of conferences is referred to as the London process. Each conference offers a new opportunity to realize how difficult it is to codify something we do not understand well.

North Korea


cost, is naturally attractive for a country lacking resources to the point of not being able to feed all its population. However, North Korea has clearly invested far more in nuclear weapons than it has in cybersecurity. Still, it has a significant interest in this form of conflict,94 in which it has some strategic advantages against the United States because of the asymmetry of the situation: North Korea is far less vulnerable to attacks since it has far fewer assets vulnerable to cyber attacks than the United States.

For North Korea, there is a barrier to entry to being effective in cyber. There is hardly any Internet culture. North Korea has been assigned what in the jargon is referred to as a /22, i.e., 2^10 = 1024 IP addresses altogether! This means that the whole country of North Korea has fewer IP addresses than one block in New York City.95

Furthermore, the already-small North Korean national network is weakly connected to the rest of the world (through one exchange point in China). It would be impossible to wage any large-scale cyber attack from North Korea itself. North Korea has the option (and uses it) to wage attacks from outside the country.

Still, it has been alleged that the November 24, 2014, attack on Sony Pictures Entertainment originated from North Korea. In that attack, personal documents and e-mails of the employees were made public, as well as proprietary information on future films. A curious debate began to rage in the United States about the validity of the claim by the US government that the attack originated in North Korea. The evidence offered by the US government failed to convince a core group of experts in cybersecurity.

The US government used that episode as a pretext to create a serious diplomatic incident with North Korea.96 “The attack on Sony is particularly alarming because it raises the possibility that North Korea, aware that sending troops into South Korea or unleashing a nuclear weapon will bring crushing retaliation from the United States, has found a more devious weapon against its adversaries.”97 There was talk of inflicting new sanctions on North Korea or putting that country back on the list of states sponsoring terrorism (it was taken off that list in 2008).98 The pretext for the attack was


—quite the opposite. It alienated further the “experts” from the government and increased the credibility gap that the government suffers from in cybersecurity.

The lasting impact of that incident on Sony was not so much the publicity for the movie The Interview, widely considered a flop, but what the content of some e-mails revealed about the culture in the company. That led to resignations and a major reshuffling of responsibilities. Whether North Korea was behind this incident or not, nobody claims that having that kind of impact could have been its purpose.

The Sony attack is not the only cyber attack attributed to North Korea. There have been (inflated?) claims of attacks from North Korea against US military assets.99 There are also inflated claims about North Korean cybersecurity capabilities, as stated in an interesting report by Hewlett-Packard.100 “South Korean reports also claim that North Korea’s premier hacking unit, Unit 121, trails Russia and the US as the world’s third largest cyber unit. While this claim may be exaggerated, in 2012, South Korean reports estimated North Korea’s hacker forces at around 3000 personnel. In a July 2014 report from South Korea’s Yonhap News Agency, that figure was upgraded to 5900 hacker elite. We must stress that although these claims have not been corroborated, South Korea has taken the regime’s cyber threats very seriously and is reportedly training 5000 personnel to defend against North Korean cyber attacks.”

Attacks on South Korean banks101 and other companies102 are routinely “traced back” to North Korea. Unlike what happens in South Korea, it does not seem that North Korea routinely targets US companies. If North Korea has anything to do with the attack on Sony, as far as we know, this would be a first. But tracing back attacks is problematic, and attacks can easily be mistakenly attributed to other sources. By the same logic, it is therefore possible that we have failed to trace back other attacks to North Korea. Whatever the US government claims about the Sony attack, it is probable that North Korea does not launch its attacks from its own territory (this would be too conspicuous and easy to stop since there is only one connection to the rest of the world), and it is also very possible that it outsources some of its cybersecurity activity.


communications, North Korea is not in a complete backwater. A tablet computer using the Android operating system developed in North Korea, the Samjiyon tablet, was presented at the Pyongyang International Trade Fair in 2012.103 There are more than 2.5 million subscribers to the mobile telephone network for a population of a bit less than thirty million (for comparison, the African country of Nigeria has more than 165 million mobile phones for a population of 180 million). Still, 2.5 million mobile phones means that about 10 percent of the North Korean population has a mobile phone. In 2015, North Korea launched an e-commerce site (called [Okryu]) on its nationwide intranet. The site, which sells a variety of consumer goods, is accessible by personal computers and mobile phones. Payments are made with an e-money card.104

One major uncertainty is the actual level of technical expertise and capabilities that exists in North Korea. In a CSIS report,105 one can read thus: “North Korea maintains a fairly competent computer technology base including the Korea Computing Center (KCC) and the Pyongyang Informatics Center (PIC) as well as several universities such as Kim Chaek University of Technology and Kim Il Sung University’s School of Computer Science. They allegedly have additional military-related institutions to specifically train individuals for cyber operations. … The central point is not whether their cyber operations capabilities are as sophisticated as that of US, Russia, or China, but rather whether they are ‘good enough’ to inflict intended amount of damage to the targets they select.”

Israel

When it comes to cybersecurity, Israel is one of the most active countries, with one of the highest degrees of expertise in the world. Despite its small size, it has more start-ups in that field than most other countries. The fact that Google “acqui-hired” (i.e., acquired the start-up and hired its employees) one of them (SlickLogin) after having bought another one in 2013 for $1 billion is telling.106 SlickLogin has developed a revolutionary log-in technology for mobile phones, which makes the safe use of mobile phones for bank transfers and other confidential activities as user-friendly as possible.


electronic Pearl Harbor is a much more realistic threat against Israel than against a much larger country like the United States. And Israel has real enemies.

But Israel has no scarcity of talent. Many developed their skills while in the military. Although not much is known publicly, Israel seems to have developed cyber-offensive capabilities. That was on display on September 6, 2007, when in an attack called Operation Orchard, Israel bombed a Syrian nuclear facility. What was impressive, although never publicly explained, was the way the Syrian defenses were neutralized. “Not a single Syrian air defense missile was launched,” according to the Israeli Air Force.107

According to SIGINT satellites, the Syrian radars went silent for the duration of the operation, as if Israel had found a way to block the whole Syrian air defense system through cyber means.108 It is also possible that the Israelis used a variant of the Suter computer program developed by BAE, which fools radars.

Israel is accused by its enemies of “[preparing] for cyber wars.”109 It would be irresponsible for Israel, a country under constant cyber attack, to fail to do that. “For the past several years, groups of extremist hackers have targeted Israeli government domains and companies. This year, in Operation Israel 2015, they are threatening Israeli banks and military websites, promising to carry out an ‘electronic’ Holocaust.”110

The details of Israeli cybersecurity policy are not public knowledge.111 The existence of Unit 8200 is not a secret. Unit 8200 is the Israeli equivalent of NSA. When it became more or less publicly acknowledged that Stuxnet was the result of collaboration between Israel and the United States, the natural assumption was that Unit 8200 was the Israeli partner.


Iran

Iran developed its cybersecurity capabilities in a hostile environment. “Iran has been severely impacted by debilitating and extremely advanced malware campaigns since at least 2009. Famous examples of these efforts include industrial sabotage via Stuxnet (2009–2010), and espionage with Duqu (2009–2011), as well as Flame (2012). These campaigns have targeted Iran’s nuclear program and oil and gas operations. Stuxnet was an eye-opening event for Iranian authorities, exposing them to the world of physical destruction via electronic means.”113

Stuxnet was a very successful piece of malware114 that significantly set back Iran’s nuclear-enrichment program. Apparently, the Iranian authorities did not realize that malware was behind the malfunction of their cascades of centrifuges. That was revealed when the security specialist Ralph Langner, after weeks of investigation, finally understood what the purpose of Stuxnet was.115

Stuxnet was discovered accidentally because it began to affect computers outside the enrichment facility in Natanz. The owners of those computers alerted the small security firm in charge of their security. The firm was a little-known company, VirusBlokAda, based in Minsk, Belarus.116 The man who isolated the malware while working for that firm was Sergey Ulasen. He had difficulty at first in interesting the security community in the malware. Brian Krebs was one of the first to pick up on the incident.117 One can hardly overestimate the importance of freelance experts like Brian Krebs in cyber. Then the malware circulated among security experts until Langner finally understood its purpose. It has since been reverse-engineered ad nauseam.

For Iran, Stuxnet was a watershed event. “Iran has improved its hacker training since 2010 after the Stuxnet worm sabotaged its nuclear facilities. Iran’s hackers have also been sharpening their skills to the point that the FBI warns they may be aiming to damage US energy and defense companies, perhaps even educational groups.”118


Also, with $19.8 million, it is probably possible to do much more in Iran than in the United States.

Thirty thousand computers of the Saudi state oil company Aramco, which controls most of the oil extraction and production in Saudi Arabia, were wiped in August 2012 by malware called Shamoon. There is a consensus that such a large-scale coordinated attack could only come from a state, and that that state is Iran.119

In a secret NSA report120 dated April 2013, which went public thanks to E. Snowden, one can read, “Iran’s destructive cyber attacks against Saudi Aramco in August 2012, during which data was destroyed on tens of thousands of computers, was the first such attack NSA has observed from this adversary. Iran, having been a victim of a similar cyber attack against its own oil industry in April 2012, has demonstrated a clear ability to learn from the capabilities and actions of others. While NSA has no indications at this time that Iran plans to conduct such an attack against a US or UK target, we cannot rule out the possibility of such an attack, especially in the face of increased international pressure on the regime.”121

Among other things, the secret report from NSA revealed that a couple of months before, Iran’s oil industry had been the victim of a similar attack. The observation that Iran imitates the Western cyber attacks targeted at it122 suggests that the West was behind the attack on Iran’s oil industry of April 2012.

Iranian hackers were also accused of attacking the Qatari natural gas firm RasGas and US banks in 2012 and the Sands Casino of Las Vegas in 2014. On February 10, 2014, suddenly, “the offices of the world’s largest gaming company [the Sands Casino] were gripped by chaos. Computers were flatlining, e-mail was down, most phones didn’t work, and several of the technology systems that help run the $14 billion operation had sputtered to a halt. … Executives suspected almost immediately the assault was coming from Iran.”123 The motivation for the attack was that the owner of the casino, the billionaire Adelson, was also one of Israel’s most hawkish supporters in the United States.


Council’s South Asia Center. “Iran’s response to Stuxnet cost millions of dollars to our financial sector, and presumably, they could wreak worse havoc if provoked.”124

Cylance has produced a report entitled “Operation Cleaver.”125 The report reveals that “since at least 2012, Iranian actors have directly attacked, established persistence in, and extracted highly sensitive materials from the networks of government agencies and major critical infrastructure companies in the following countries: Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, United Arab Emirates, and the United States.”

In addition to the report by Cylance detailing Iran’s activities on foreign infrastructure, another report, by Norse, has been issued on the “increasing sophistication and frequency of cyber attacks” originating from Iran.126

Some see Iran as a bigger cyber threat than China. “While China pursues aggressive cyber-espionage campaigns against major US companies and news sources, Iranian-backed hackers are more overtly hostile—targeting critical infrastructure vulnerable to sabotage or engaging in disruptive economic actions, like when Iranian-backed hackers leveraged data centers to wage a massive distributed denial-of-service (DDoS) attack against financial institutions.”127

“Security experts now describe [Iran] as a top-five world cyber power. A late-2014 report revealed that Tehran has infiltrated the critical infrastructure networks in over a dozen countries worldwide, including in the US.”128

Africa

Africa is by far the continent where the penetration of the Internet is the lowest (26.5 percent in 2014).129 It is also the continent where the speed at which this penetration grows is the fastest (6,498.6 percent in the period 2000–2014). For comparison, North America has a penetration of 87.7 percent and a 2000–2014 growth rate of 187.1 percent. Asia’s corresponding numbers are 34.7 percent and 1112.7 percent. The whole world has a penetration of 42.3 percent.


infrastructure is brittle. The increasing reliance on that infrastructure for all forms of communications may eventually put more stress on this infrastructure than it can withstand in its present form.

From a cybersecurity point of view, the expansion of the Internet means, among other things, that cyber attacks can come from new places and take new forms. The Nigerians were quick to invent what was then a new form of social engineering: enticing people to help them transfer money in a variety of scams, which invariably resulted in financial losses for the victims. What the Nigerians refer to as 419 (for the name of a Nigerian law supposed to outlaw this practice but which is hardly enforced) has become a common international form of scam.

African and many Asian countries operate at a different economic level from the United States. In those countries, a lot of the software and operating systems used have been pirated, i.e., distributed illegally. They are not maintained by the vendor and, therefore, not patched when vulnerabilities are disclosed. As a result, pockets of infection are created in those countries, which can later be the basis of new infections that spread to the rest of the world. We saw that with Conficker, for example.

In Kenya, a mobile money system was introduced. It is called M-Pesa. In countries where access to financial institutions in rural areas is difficult, such a system helps a lot. It is perceived as so useful that it has been introduced in other countries, in neighboring Tanzania and in not-so-close countries like Afghanistan, South Africa, India, or even Eastern Europe. But it also breeds cybersecurity issues, as the integrity of those transfers has to be protected.130 This is not so easy. The cybersecurity of mobile devices is far from being fully understood.131

The digitalization of African economies is lagging behind, but it is growing fast because most African governments invest in ICT (information and communications technology). Cybersecurity tends to be an afterthought. Few countries have a functional national CERT (computer emergency response team) or any CERT or CSIRT (computer security incident response team). African governments are slow at investing their limited resources in something that looks like a distant or virtual threat. That may come back to haunt them.


June 1st 2010, http://www.economist.com/node/16478792.

58 David Sanger, “Obama Order Sped Up Wave of Cyberattacks Against Iran,” New York Times, June 1, 2012, http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html.

59 Symantec, Stuxnet dossier, 2010, p. 21, http://nsarchive.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-044.pdf.

60 Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, https://www.goodreads.com/book/show/18465875-countdown-to-zero-day.

75 Spear phishing is a personalized phishing attack.

76 https://securelist.com/analysis/publications/36740/red-october-diplomatic-cyber-attacks-

84 Data not shown for those two last assertions.

85 http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_underground_economy_report_11-2008-14525717.en-us.pdf.

86 http://www.wired.com/2007/08/cyber-war-and-e/.


88 http://3dblogger.typepad.com/wired_state/2014/02/the-web-brigades-original-version.html.

100 HP Security Briefing Episode 16, August 2014: “Profiling an Enigma: The Mystery of North Korea’s Cyber Threat Landscape,” HP Security Research, http://h30499.www3.hp.com/hpeb/attachments/hpeb/off-by-on-software-security-

105 Jenny Jun, Scott LaFoy, and Ethan Sohn: “What Do We Know about Past North Korean Cyber Attacks and Their Capabilities?” CSIS report, December 12, 2014.


strategy-april-may-2013-b2cc/55-2-08-bronk-and-tikk-ringas-e272.

122 http://www.wired.com/2015/02/nsa-acknowledges-feared-iran-learns-us-cyberattacks/.

123 http://www.bloomberg.com/bw/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas.

124 http://www.atlanticcouncil.org/images/publications/iran_third_tier_cyber_power.pdf.

125 Cylance report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf.

126 http://www.nytimes.com/2015/04/16/world/middleeast/iran-is-raising-sophistication-and-frequency-of-cyberattacks-study-says.html?_r=0.

127 http://thinkprogress.org/security/2013/05/24/2058261/iran-china-cybersecurity-risk/.

128 http://thehill.com/policy/cybersecurity/236627-iranian-leader-has-boosted-cyber-spending-12-fold.

129 Internet World Statistics: http://www.internetworldstats.com/stats.htm.

130 http://softkenya.com/m-pesa/m-pesa-fraud-tips/.


CHAPTER 4

Cyber Warfare and Cyberterrorism

If, as some claim, we are in the midst of a cyber war, cyber warfare is not that bad. More probably, we ain’t seen nothing yet.

Cyberterrorism

We hear a lot about cyberterrorism, but we are not sure what it is. When ISIS defaced nineteen thousand French websites in January 2015, in the aftermath of the deadly attack on the Charlie Hebdo magazine in France, was that a cyberterrorist act? It was hardly noticed. The murder of the eleven journalists of Charlie Hebdo had a much greater terror effect. Does that mean that we have not yet experienced a real cyberterrorist act? Crashing an airplane by cyber means would probably qualify as a cyberterrorist act. We are not there yet, but we are on our way.

There are, in principle, many points of entry for cyberterrorism in modern societies. On the high end, it may soon be possible to create outages of electricity or crash airplanes using cyber means. It has been shown that it is possible to exploit the lack of security in the design of medical devices, such as pacemakers or insulin pumps, to remotely kill patients.132 Cars are becoming targets of remote cyber attacks as well.133 It is theoretically possible for somebody to exploit the fact that the manufacturing of drugs is controlled by computers, i.e., hackable, to change their composition. It is possible to reprogram the control of traffic lights in cities to create conditions for chaos and crashes.


Cyberterrorism may not have a spectacular past, but it seems to have a promising future.

Interface between Cyber and Terrorism

Terrorists use cyber for recruiting, communication, planning attacks, and the like. However, so far they have, by and large, not carried out real cyberterrorist acts. It may be that they are not yet familiar enough with cybersecurity and what opportunities it can offer them. Or they may not know yet how to instill terror with cyber means.

But there is no reason to believe that terrorists will not perfect the art of using cyber means to spread terror. Cyber is already making its way into the culture of modern terrorism. ISIS speaks of “cyber jihad” and of establishing a “cyber caliphate.”134 The term cyber caliphate is sometimes used to refer to a group of hackers working for ISIS.135 In that usage, the cyber caliphate is the cyber version of the kind of war ISIS wants to wage on us, which makes the term a misnomer at best: it would be an instantiation of cyberterrorism targeted at advanced economies, and as such not very different from cyber jihad.

Cyber Warfare and the US Military

Cyber redefines many aspects of the mission and role of the military. Today, protecting the nation against cyber threats is not officially part of the mission of the military. The services are busy protecting themselves and developing the means to make the best use of what cyber has to offer in their operations. The scope of their cyber engagement may have to be broadened to also address threats against those parts of the civilian sector that are critical to national security.

After land, sea, air, and space, cyber is the fifth domain. There is some synergy between land, air, naval, and space operations, but cyber changes the way the different domains are coupled together: it forces higher levels of integration in military operations. In addition, precisely because it plays such a critical role, cyber will be a target, and one that is not easy to protect. On the battlefield, degradation of the cyber component will have a disproportionately debilitating effect on everything else.


complexity in the way wars are waged, in particular at the operational and tactical levels. The US military is engaged in an effort to clarify how cyber warfare fits into the intellectual construct used to theorize about warfare.136

Thomas Kuhn, in his famous book, The Structure of Scientific Revolutions,137 introduced the concept of the paradigm as a way to represent the state of knowledge at a given time. A scientific revolution leads to a paradigm shift.

In the context of the revolutionary changes that cyber imposes on warfare, one obstacle is the difficulty of identifying new paradigms. When there is no alternative paradigm, it is natural to cling to the existing one, even if it is obsolete and inadequate. The result is that one ends up wrestling with concepts that do not apply well to cyber warfare, such as deterrence, prevention, interdiction, retaliation, and so on.

Military planners know how to assess the value of weapon systems and how to use them best in actual engagements. The cyber equivalent of that does not exist. The strategic or tactical value of cyber weapons is poorly understood. The cyber-offensive capabilities of the US military today are limited, partly because of the challenges of building such capabilities.138 Furthermore, there is little that cyber attacks can accomplish in most of the contingencies the US military faces today, as most of its activity takes place in poorly computerized environments.

But this will change over time. Unlike nuclear weapons or advanced fighters, cyber attack capabilities do not require huge resources. This implies that the strategic landscape of a world in which nations have perfected the art of cyber attacks will be seriously different from anything we have seen. Cyber dominance (the cyber equivalent of air dominance) may turn out to be extremely difficult, if not impossible, to achieve. The foundations of the military posture of the United States, which tends to rest on technological superiority, may have to be fundamentally revisited.

When it comes to cyber warfare, we are backing into the future.

132 http://www.rt.com/usa/hacker-pacemaker-barnaby-jack-639/. See also: http://resources.infosecinstitute.com/hcking-implantable-medical-devices/; http://go.bloomberg.com/tech-blog/2012-02-29-hacker-shows-off-lethal-attack-by-controlling-wireless-medical-device/; http://www.reuters.com/article/2014/10/22/us-cybersecurity-medicaldevices-insight-idUSKCN0IB0DQ20141022; and http://www.reuters.com/article/2013/07/27/us-hacker-death-idUSBRE96P0K120130727.

133 Chrysler recalls 1.5 M hackable cars, CNN, July 24, 2015,
