Pierluigi Paganini,
David Pace,
Publishers of mainstream ICT news are ablaze with articles on the evolution of the “Flame” malware targeting the Middle East region for cyber espionage purposes, and new menaces such as Gauss or Shamoon. No longer the province of deviant black-hat hackers or transnational organised crime groups, malware is now being actively developed and deployed by Nation States.
Governments publicly claiming to be champions of liberty and civil rights, and Governments accused by the same of being oppressive regimes, are throwing buckets of their respective tax-payers money into aggressively developing similar “offensive” signal intelligence and cyber war capabilities to monitor, infiltrate, analyze, deceive, subvert, and to destroy in the name of “defence” (National Interest).
Governments like Iran, the U.S., North Korea, Russia, the UK, and China are all making large investments into developing general-purpose offensive capabilities that can be used in war and for law enforcement purpose. In fact, estimates indicate that more that 140 states all over the world are working on creating cyber weapons. Governments, like Australia, are considering use of many of these offensive cyber techniques as part of their day-to-day civilian law enforcement activities.
Governments assert that our personal security can only be assured by those in positions of privileged authority (having the capability) to aim kinetic and non-kinetic weapons at every human on earth, including at you and your children.
Within this context, a classic feature of military doctrine is to protect and disguise, the true and total extent of national capabilities in areas related directly to the conduct of security-related activities. This doctrine is now leaking into civilian legal systems. Governments are increasingly asserting that they require less (inadequate) oversight by the civilian community, in order to ensure their ability to threaten violence against civilians, to ensure our individual and collective security…
It is hardly surprisingly in this anarchistic international system of control, through the threat of violence, that mainstream articles in the popular media abound on claims and counter-claims of various cyber operations conducted by nation state sponsored hackers to infiltrate other nation state (and civilian) networks for cyber espionage or cyber offensive purposes. Unfortunately, there is plenty of credible data to back up these accusations.
In 2010, William J. Lynn, U.S. Deputy Secretary of Defense, states that: “as a doctrinal matter, the Pentagon has formally recognized cyberspace as a new domain in warfare . . . [which] has become just as critical to military operations as land, sea, air, and space.”
Stated differently, the Internet, just like your school and corner shop, is an exciting new domain in warfare. And they are putting our collective money where their mouth is. In 2010-2011, the United States spent $80 BILLION on signals intelligence (spying activities), of which $53.1 BILLION was spent on NON-military intelligence programmes. Last financial year (2011-2012), the US spent another $75 BILLION on spying. This spending includes investments like the USD $2 BILLION U.S. National Security Agency Data Center being built in Utah (code-breaking, 100+ year data-storage). Building on these solid foundations, the U.S. is now increasingly focusing on the full exploitation of cyber vulnerabilities.
The most public U.S. cyber-war projects are: Plan X, a DARPA project for the development cyber warfare technologies that reputable sources claim seeks to track exploitable vulnerabilities of every (civilian, commercial, …) device connected to the Internet, and ACT (Agile Cyber Technologies), a project developed by Air Force Research Laboratory (AFRL).
In 2009, U.S. National Journal published an article asserting that U.S. Forces employed cyber-warfare in Iraq in 2003. In 2012 we now have official statements from Marine Lieutenant General Richard P. Mills who declared that the U.S. military has been launching cyber attacks against its opponents in Afghanistan. This senior officer explained, that the U.S. considers oversight of cyber space as highly strategic, giving great importance to the study and implementation of new cyber weapons as the new *way to fight*. Mills declared:
“I can tell you that as a commander in Afghanistan in the year 2010, I was able to use my cyber operations against my adversary with great impact,” … “I was able to get inside his nets, infect his command-and-control, and in fact defend myself against his almost constant incursions to get inside my wire, to affect my operations.”
Not surprisingly, the Pentagon spokesman Lt. Col. Damien Pickart refused to give more information on Mills’s statements, claiming reasons of security:
“we do not provide specific information regarding our intentions, plans, capabilities or operations.” In short, don’t ask us to be accountable to you civilians for the means we use to protect you.
But this raises the question, why a high-ranking U.S. officer made these public revelations in the first place?
Between 1970 and 2000, individuals and organizations concerned with protecting their personal privacy and corporate secrets were engaged in heated discussions with governments around the world for the response-ability to employ high assurance security techniques and technologies to safeguard their legitimate interests, and those of their stakeholders. Most Governments refused this ability to their civilian population, in the name of National Security, preventing them from building genuinely secure systems, leading to today’s “insecure” ICT ecosystem.
With so many Governments now investing in cyber warfare, and with our Government and Civilian cyber systems so insecure, it’s easy to understand the strategic importance of a sound cyber strategy.
Intelligence agencies and police forces have risen to the challenge, calling for greater surveillance capabilities to identify people online and monitor all communications activity (which could potentially include cyber-attacks or criminal activities). However, for surveillance technologies to be cost effective, today’s ICT systems have to transmit data in the clear and/or be insecure in practice. Furthermore, for “defensive” cyber-ATTACKS by authorities to work, our ICT systems must have exploitable security flaws in their implementation. In short, for these Agencies to defend our vulnerable ICT systems based on this strategy, they would require our ICT systems to remain insecure and vulnerable to surveillance and exploitation… The formula being:
“For greater security engage in deeper privacy invasion, accelerate sharing of intelligence, and ensure all civilian ICT systems are/remain insecure, so we can employ more surveillance and cyber attacks in the name of your defence…”
However this is an outright flawed formula due to the cyber attribution problem. As the UK Cyber Strategy states: “with the borderless and anonymous nature of the internet, precise attribution is often difficult and the distinction between adversaries is increasingly blurred.” For example, in September 2012, Estonia’s State Prosecutor’s Office announced that it was bringing the investigation of the country’s 2007 cyber attack to a close. The decision to shut down the investigation came after prosecutors failed to pin down the IP addresses, and computers used, during the digital barrage in April and May 2007. In short, the Estonian Government could not find out who the attacker was.
So, how can anybody distinguish between a state-sponsored attack, and an attack by mere cyber criminals who are opportunistically exploiting the weaknesses in our systems that Governments allow?
Unfortunately, due to this cyber attribution problem, it is very hard to distinguish state-sponsored attacks from opportunistic cyber criminal offensives. “Good” and “Bad” Governments, and cyber-criminals all use similar techniques, and exploit the same vulnerabilities. According to the results of a study by Leyla Bilge and Tudor Dumitras from Symantec Research Labs, titled: “Before We Knew It … An Empirical Study of Zero-Day Attacks In The Real World”, a zero-day attack has an average duration of 312 days, and once publicly disclosed, increases of 5 orders of magnitude of the volume of attacks can be observed. The experts explained how knowledge of this type of vulnerability gives governments, hackers and cyber criminals “a free pass” to exploit every target whilst remaining undetected.
While today’s statistics appear to indicate that the majority of cyber attacks seem connected to hacktivism and cybercrime activities, this is arguably because a) many Nation States are relatively new entrants, b) only a few attacks are indisputably state sponsored. e.g. How many white-collar criminals spend their days dreaming up the destruction of centrifugal systems in Iran?
Phil Lin, director of product marketing at FireEye, noted:
“Cybercriminals from one country can easily set up ‘command and control (C&C)’ servers used to store exfiltrated data in a different country leading to incorrect attribution of the nationality of the threat actors, not to mention their ultimate nation-state ties.” Furthermore, according to UK Cyber Strategy: “Some states regard cyberspace as providing a way to commit hostile acts ‘deniably’.”
The fact is: Cyber War is increasingly indistinguishable from Cyber Crime.
According to Scott Camil, a former sergeant in the U.S. Marine Corps who served four years in Vietnam (his decorations include two Purple Hearts, a Combat Action Ribbon, two Presidential Unit Citations and Good Conduct Medal): “The No.1 War crime is starting a war, because all other war crimes emanate from that first crime.” In like spirit, it can be argued that the decision to develop and maintain the capability for engaging in cyber war is the first crime, engaging in cyber war being the second.
In the short term, the number of cyber operations is expected to have rapid growth. It is “extremely unlikely” that, in the absence of international regulation in cyber warfare, a country will openly admit sponsoring operations.
It is essential that Governments all over the world begin working on the definition of an international cyber regulation, because in absence of strict rules and limitations, technical capabilities of the states will evolve in an unpredictable manner and it will become impossible to qualify the nature of malicious code and to discover the identity of its creators, resulting in serious negative consequences to the stability and well being of the global community.
Likewise, as cyber attacks rely on the existence of exploitable cyber vulnerabilities, Are Governments going to continue investing in the ability to inflict pain, or will they invest in advancing the collective protection of the global community by promoting and ensuring civilian ICT systems are actually secure in practice?
About the Authors:
Pierluigi Paganini, Deep web expert and Security Specialist CISO Bit4ID Srl, a CEH Certified Ethical Hacker, EC Council and Founder of Security Affairs ( securityaffairs.co ). Pierluigi Paganini is a co-author (with Richard Amores) of the book – “The Deep Dark Web: The hidden world”.
David Pace is a freelance IT Consultant. www.paceit.net/ [email protected] +356 7963 0221.