June 12, 2012

Cyber Warfare, the 0-Day Exploit Market, and the Rest of Us: Part 3

The last few posts probably sound more like something out of a Kurt Vonnegut novel than anything else: piecemeal descriptions of some sort of dystopian world in which everyday people are surrounded by the violence of a war they can't see.  Until the news of Stuxnet started to trickle forth, I would not have believed it, but the recent revelations that compound that news are still slow to sink in.  Mikko Hypponen shares my sense of surprise here.

The other thing that Mikko and I share on this topic is the worry that there will be a lot of regret going around in the very near future.  Looking back at some of the points I've just tried to pick out in the last few articles (and probably should have gone into more depth on), there are several very clear problems with the direction we as a global community are headed.

First, we are at war.  We may not be hearing about American soldiers dying as a result, but that obfuscation of the fact that we are at war is part of the problem.  In a traditional sense, the US government has a process we are required to follow before we engage in war with another nation-state.  This obviously excludes all of the clandestine activities our government undertakes, but in my mind there is a very low threshold to cross before a one-off, small, clandestine cyber incursion morphs into something that falls into the category of an act of war against a foreign power.  The fact that we will never institute the draft in a cyber war is irrelevant.  I don't see any prospect that the American people will ever have any real say in whether the US engages in war, partly because this new paradigm is beyond the understanding of most people who do not deal with cyber security on a daily basis.  I'm not putting anyone down here, but the reason people can have a strong opinion of traditional war is that we can see images of dead and dying people clearly linked to the act of dropping a bomb or firing a gun.  Cyber warfare will uncouple the actions from the consequences enough for it to go on in full swing at society's periphery.

Second, just as with traditional warfare, there will be "collateral damage" with cyber warfare.  However, what does that mean in this new context?  Primarily, private sector organizations may face a wave of attacks from foreign governments aimed at:

  • Stealing intellectual property;
  • Sabotaging elements of the US economy; and
  • Implementing attacks which impact large groups of citizens in what amount to cyber terrorism campaigns.

These attacks against private sector organizations will necessarily impact the customers of those organizations.  The impacts can range from annoyance to severe and widespread consequences.  Operation Aurora and other examples that have already been covered show that the private sector and private citizens are highly likely to feel direct and significant consequences of attacks.

There is a related third point here, which is that when governments are engaged in these activities, potentially even against their own citizens, don't expect corporations, other private groups, and even individuals to toe the line.  The US government has been confirmed to have killed citizens.  We need not rehash the story of HB Gary.  However, some aspects of the story provide an almost too-perfect illustration of what could happen.

It is highly likely that the work to develop Stuxnet, Duqu, and Flame was supported by private companies working in the security and software development fields.  Regardless, there were individuals working on those efforts.  While the code, the design documents, and everything else related to the Olympic Games program are classified and locked away, there is no way to erase the basic ideas and concepts from the bank of intellectual property within the firms or individuals supporting the work.  Therefore, turning around and carrying out the same exact sort of operation on behalf of another client, against US citizens (or even private citizens of other nations), is simply a matter of loose ethics and/or some form of mental illness.

Fourth, I would like to reserve the right to be wrong here, but we may very well be outmatched.  The information I've seen on the topic seems to indicate that China is a growing powerhouse in terms of its cyber security talent.  More importantly though, almost all of the basic components of computers and other devices with some sort of processing capability are manufactured in China.  The most difficult part of these attacks which involve using a piece of malware or some sort of backdoor on an adversary's system is the initial deployment.  When you manufacture the elemental chips in your adversary's computers though, you can deploy the backdoor to thousands of systems a day and have your adversary pay to get it shipped to them.

Fifth, since cyber warfare doesn't require combatants to meet up on a battlefield, there is a very real possibility that some level of "shadow war", for lack of a better word, may become more of an issue to us than the campaign between nation-states themselves.  For a minute, imagine something as crazy as this: someone in Iran has the following 3 characteristics:

  1. They love their country;
  2. They feel the US is essentially picking on Iran; and
  3. They have some moderate to advanced level of computer security skill.

They do not need to be a member of whatever cyber assault team Iran may have assembled to carry out attacks against the US.  They simply need ample motivation and some skill.  They also have a multitude of options for what to do with their wrath.  They can obviously attack elements of the US government or military since those are the specific organizations involved in attacks against their homeland.  However, they can also target US businesses, organizations, or even private citizens.

Ahh, but what do Iranians know about computers anyway?  What harm could they do?  Whoops, maybe we have some reading to do.  An Iranian (or perhaps a state-sponsored group) carried out the attacks last year that had everyone asking whether the Internet's most basic security component (PKI) was trustworthy anymore.

So, when a Western government decides that it is time to put some sort of cyber offensive in place against a foreign power, that's one thing.  However, one of the biggest differences between cyber warfare and real warfare is the ability to deny involvement in attacks.  So when that government then leaks information about its efforts and capabilities in this area, it should make you cringe . . . or at least reflect for a bit on what that really means.

It is likely that there are already steady waves of attacks going on between foreign powers.  There are also probably state-sponsored non-nation groups carrying out attacks.  And while Stuxnet was a unique weapon for a unique target, the focus of governments on 0-day exploits for common technology products such as iOS, Adobe Acrobat, Java, Windows, and others means that the next time a cyber weapon escapes into the wild it is very likely to impact huge numbers of consumer devices.
