Tens of billions of dollars are being spent on this growing threat, but so far no one can define it.
Cyberwarfare is emerging as the most sophisticated battleground of the 21st century. In fact, the military in all major countries make it a priority. Collectively they are spending tens of billions of dollars on education and building a knowledgebase of how attacks can be perpetrated and what defenses are needed.
The entire effort is based on technology, both legacy and new, starting on the defensive side with semiconductors, hardware IP, memories, and a full stack of software, and building outward from there across an ever-expanding knot of interconnected networks that are the basis of the Internet of Everything. From the offensive side, the most advanced technology is used to analyze where the flaws are, to crack the uncrackable code, and to reverse engineer or engineer entry points and strategies. Everyone agrees this is the basis of cyberwarfare. So why is it so hard to define?
“Currently, cyberwarfare is generally defined as nation states going against nation states,” says Michela Menting ABI Research’s director for digital security. “But it is not well defined under international law.”
Is cyberwarfare really warfare? Is it something like Stuxnet [see reference 1 at bottom of story], which has been called the world’s first digital weapon? Or is it just any type of espionage? Or is it simply a catch-all phrase for any type of computerized espionage against companies, political or ideological extremist groups, hacktivists, transnational criminal organizations, or other collectives?
“Internationally, people are not really sure what cyberwarfare is,” according to Menting. “Some say it is anything that is perpetrated by nation states. Others say it has to cause damage, or violence against people.” In that sense, it can be any of the above.
There have been incidents that are suspected cyberwarfare, but there is too little information to determine exactly how they were perpetrated. Tools to track intruders are still in their infancy. Crypto processors are still not deployed everywhere. Software remains buggy and bloated. Multi-authentication biometrics are still rare. And networks often provide entry points in places that were never considered.
One example is the case of the German steel foundry that exploded in 2014. No one knows if it was a deliberate attack by a nation state, or simply a malicious actor poking around who mistakenly, or perhaps deliberately, changed some code that made the plant explode.
So if it was a nation state, then it would certainly be called a cyberwarfare attack. But if it was an extremist group would it still be called cyberwarfare? At this point there are no clear answers.
Regardless, cyberwarfare is the easiest way to accomplish clandestine operations because one can hide behind any number of shields — the Web, the dark Web, activist groups (not necessarily malicious ones), and proxies, and carry out all types of malicious activities. That reaches well beyond just governments to financial, medical, records, and much more. This has been labeled the next threat to national and other types of security.
The new arms race
If nations are in a state of war, then cyber weapons become just another weapon in their arsenal. As one nation strives to develop and deploy the best conventional weapons, they also are working to deploy the top cyber weapon. “If you are in a state of armed conflict with another country and you are using conventional weapons, then cyberwarfare can be used for both destructive capabilities, as well as compromising the enemy’s defenses,” says Menting.
One thing about cyberwarfare is that it may not always be as obvious as one thinks. Several years ago, according to insiders, there was a theft at a Silicon Valley startup that seemed as if it was a typical low-value crime. It proved to be something more than that, however. The burglar knew exactly what he was looking for—next-generation networking technology the military was considering.
This is a classic example of how the cyber arms race is escalating. In the past few years, code leaders such as Google, Lockheed Martin, Intel, and RSA have been the victims of cyber-attacks and code thefts.
“In most cases, countries have significantly increased their capabilities,” says Paul Kocher, president and chief scientist of Rambus’ Cryptography Research Division. “I’m avoiding the term cyberweapon, although that’s what a lot of the military people will call them. The question is how and when will those things start getting used. We haven’t seen many examples so far, but the number of countries that had those was limited. When there is a regional conflict, the question is how you respond. Do you use conventional military or do you use these other tools? It’s very attractive to use something that doesn’t draw blood, that isn’t necessarily attributable to you, and which will work in places that conventional military gear like mortars and troops can’t operate. If you’re a relatively small country, you can easily find a dozen smart scientists to go find bugs in critical systems, but you can’t launch a military attack. In many ways, the giant question mark is what happens as these investments turn into usable capabilities and how will they get used. In many ways that’s an area where industrialized countries are vastly greater targets than others. Yet the offensive capabilities are well within the range of every single adversary we have.”
Cyberwarfare attackers have distinct goals. They are after the ever-changing digital tools that are used for both spying and destruction. The primary purpose is to be able to undermine, disable, or destroy the adversary’s digital infrastructure. If one can bring down the adversary’s network, it renders them digitally blind, as well as incapacitating much of the conventional weaponry. To paraphrase former UCLA Bruins football coach Henry Russell (Red) Sanders, “having the best code isn’t everything, it’s the only thing.” And all sides will stop at nothing to have the top code in the game.
“Cyberwarfare can also be used to enhance conventional warfare,” Menting notes. That’s especially true if water, sewer, electricity and other infrastructure can be hijacked, crippling communication and basic services.
To accomplish this requires an avant-garde toolbox. Today, the two top offensive tools within the arsenal are exploits and botnets. Exploits are programs that exploit vulnerabilities in software — both general availability, such as Windows or Unix, or specialized network control code. Generally, the hacker finds an entry point into a system, a backdoor perhaps or a hole in the code that allows entry. Then the attacker simply alters the code, or inserts a worm or other destructive instructions and sabotages the system.
Botnets are robotic networks (hence the term botnet) that are groups of computers designed to do very repetitive tasks without much intervention. But in the wrong hands they are a very dangerous threat because they are quite pervasive, both in network numbers and individual computers. Botnets are groups, numbering as few as dozens to hundreds of thousands, but most are in the hundreds or thousands.
The danger is that if botnets are hijacked, the entire group becomes compromised almost instantly. On the nefarious side, attackers will hijack these computers, and the owners haven’t a clue. Hijacked botnets can lie dormant for years while attackers collect and assemble these computers, load them with dormant code where it can lie undetected until the time come to fire the code. When that happens, the entire network is brought down, with disastrous results. Botnets also can be created by hijackers from any number of computers or networks. Recent success of that have been in the financial and retail industries.
Exploits are fairly well known and understood and encompass any number of avenues. They take advantage of vulnerabilities that include backdoors, poor coding, malevolent coding from the inside, Trojans, worms, or anything that can be used to invade code and alter it. The hacker simply uses the vulnerability to insert some sort of destructive payload. It can instantaneous, or lie dormant for any give amount of time, and activate under any designed set of conditions. Finding the hole and patching it is often relatively easy, but by then the damage has been done. And applying the patch can take months or even years if the receptor code is widespread, such as Unix or Windows.
But of all the exploits, one worth mentioning, and considered most dangerous are what are called the zero-day, and now zero-hour exploits. These are the ones that activate as soon as they are discovered. And there are a lot of other tools in the arsenal. Certainly there will be new ones by the time this article goes up. Most, however, aren’t new. They are improvements, or tangents on things like bots and exploits, viruses and malware.
Cyberwarfare and the IoE
There are two upcoming metrics that are going to change the game when it comes to cyberwarfare, namely the Internet of Everything and social media. The IoE, just by its nature, will create a sea of potential vulnerably points, devices and code. “When we are talking about the IoE, we have a very large attack surface,” says Zachary Crockett, CTO and co-founder of Particle IO, an IoE enablement company.
And much of the code and the devices that will populate that attack surface isn’t even designed, much less deployed, yet. True, what is out there now will be part of the IoE, but it is a still a small count of the overall devices that will be connected via it, and many of those are vulnerable. “Much of the medium will be vulnerable,” says Crockett. “It typically doesn’t have strong encryption, and the devices are often designed with ad-hoc protocols.” If this isn’t addressed, there will be a lot of open ports that can be used for exploits, and gateways into the sea of networks that will soon exist.
The private, bounded networks are disappearing, along with the ability to restrict what and who is on the network. New code models are being developed along with interconnects to to devices that were once standalone. And every one of these can be a vulnerability, especially until the formerly unconnected industry understands the implications of being wired in. “All the more reason, as we design IoE products, they will need to have encryption and strong security measures built in from the ground up,” adds Crockett.
Cyberwarfare and social media
How the full potential of social media will play in the cyberwarfare game is yet to be realized. The world has become a ubiquitous sea of interconnected people, places and things. This new order of social interaction has far-reaching implications and will shape conflicts worldwide. This new order has the ability to revolutionize social and political evolution via a platform unlike any in history.
The boundary-less nature of the information age is transforming warfare. It has enabled an age of “cyber-mobilization.” Just look how able terrorist organizations such as ISIL, the Taliban and others use social media to reach people globally and convince them to join their cause – without ever touching shores outside their domain. It has shown the capability to reach vulnerable individuals, and catalyze changes in behavior.
Is there a solution? The short answer is no. Like conventional, it is simply a game of one-upmanship. Today nation A has the best defense and nation B has the best offense. Tomorrow that may reverse or nations C, D, and E enter the game at the top.
The one thing that has to be recognized is that attackers generally go after high-value targets. “The high value is the ubiquitous attack surface,” says Crockett. With nations it is the various infrastructures. But regardless, the defensive position is the same – plug holes and encrypt and secure any and all potential attack vectors.
While there are many potential solutions, one of interest is “trap-ware.” This is kind of like putting a mouse trap out there and waiting for the mouse to show up and snatch the bait. It is a preemptive type of approach. “You put some type of malware, or other tracing code on the network or site, and when the attackers come in, you can booby-trap them by attaching some sort of malware to them,” he says. “Then follow them back to their command and control (C&C) center to spy on them.”
Microsoft uses a technique called “sinkholing” to find and track bots and and spyware hitting its servers. The company has successfully thwarted Citadel botnets and Zeus malware servers with this approach.
Once a C&C server is discovered, the attacked site will redirect traffic from its original destination to a specific destination specified by the sinkhole application. It is simply a faked C&C server. At that altered destination, the data disappears (hence the term sinkhole) and is traced back to the originator without their knowledge. This provides information to the source about the nature of attacker.
So there really are many solutions. None is entirely foolproof and often the solution, or in some cases solutions, is problem-specific. While there are no one-size-fits-all solution, there are many sizes of solutions that can be knitted to develop the best defense strategy, both military and civilian.
And finally, of course is cryptography. (See related articles here and here.)
A Blitzkrieg with a bitskrieg
There has been talk, that the U.S. or other western countries could face what can be called a “Blitzkrieg with a bitskrieg.” This is referenced as the equivalent of a nationwide, digital Pearl Harbor, either militarily (communications, for example), or infrastructure-ally (financial or utilities), causing pandemic chaos brought on by cyber disruption. But the chances of that happening are slim in modern nations.
The IoE, however, is another matter. There is concern that once it reaches an omnipresent scale, it has such a broad attack surface that it cannot be successfully protected, at least with current technology.
Ever since the first caveman clubbed his rival for the prime cave location, warfare has become more destructive, deadly and horrendous. Cyberwar will certainly follow those footsteps. Cyberwarfare isn’t just about code. It is about what the code controls—a wide range of technology, some of which was never meant to be connected to the outside world.
Certainly, disabling the eyes and ears of the military, or bringing down the stock market for a day, or taking over the servers that control utility systems is a concern. However, it isn’t all that likely unless someone, somewhere develops some methodology that is orders of magnitude more advanced than what exists today. So far, that isn’t happening.
But the real concern is with the IoE. Because it is still a moving target, and because security is still lacking in many segments of embedded devices, how all this is going to shake out is a bit concerting. If there is a digital Pearl Harbor somewhere, it will give us a wake-up call. If not, let’s hope the IoE doesn’t become the wake-up call.
Reference 1: Stuxnet is malware, a worm. According to SAP, which did a comprehensive study of the worm, it works by infecting project files in the Siemens WinCC/PC S7 SCADA control software and intercepts communication between the WinCC in Windows and the attached devices when they are connected together. SAP noted that the original infection of a Windows computer can be done by plugging in a flash drive, or it can be spread from one infected machine. What was particularly noteworthy is that it used a network that was not connected to the Internet to update itself once a copy was discovered, so an infected machine with a newer version would upgrade all machines to that version. All actions occurred in memory, as well, so there was no evidence of any files.