CyberWars, Governments and Internet Security

There's an 800-lb Gorilla in Internet Security that nobody discusses or acknowledges:
If Governments decide to apply their Technical and Military Intelligence skills to the Internet, not only won't we know, we won't be able to do anything about it.
Talking to a friend recently, off the top of my head I outlined 4 levels of Internet attackers/exploits (highest level/most competent at the top):
  • [4] National Military and Commercial Intelligence: surveillance, espionage, counter-espionage, targeted cyber-attack.
  • [3] Commercial Espionage and "Exploit as a business": Exploits and SPAM as a Service, botnets, Credit Card and Identity trading.
  • [2] small-scale, "hobbyist" and semi-professional technical creators. Some sales to level [3].
  • [1] script-kiddies, Internet "graffiti"/vanity attackers, customers of level [3].
These levels may or may not be "official" and may not be complete. But they are roughly right.

2004 was a watershed year: The Hackers turned Pro.

Prior to this, the motivation and execution of malware were mainly vanity, "graffiti" or ideological. Cybercrime has been around since the first PC viruses.
By the end of 2004, groups were doing it for the money. Especially, they were creating large resources (botnets), that could be quickly and efficiently tailored for specific "campaigns"  (as if this were marketing).

There is some noise in the media about "Terrorists" waging "Cyberwar". They are, and only ever will be, Level 1 and 2 players, the same as the activist group "anonymous". Not to say that they can't or won't recruit or become top-level experts - but the best teams are doing it for money or for a government.

 An expert piece on Cyberwar has a quote from Chairman Mao that points to this: "guerrilla warfare is not useful in the absence of a political agenda."

Anyone wanting to do any thing meaningful in Cyber-Security these days, on any side, has a very steep learning curve to master. They have to learn everything that's gone before...

Since 1996, when the Internet exploded into everyday use, the Attack/Defence (Weapon/Protection) cycle has operated to create very sophisticated tools and systems for both Cyber Attack and Detection/Protection, though nobody talks about retaliation. Bill Cheswick noted when he detected and countered the first "Denial of Service" attack, that by countering successive attempts, he helped the attacker both debug and improve his code. This is the inevitable weapon-defence refinement cycle guaranteed to end, if not in stalemate, but closely matched capability. Until someone comes up with some radical new technology that starts a whole new cycle...

The time has long gone that a single hacker playing in their bedroom can take down significant sites, unless they are "honeypots" (traps) or not "hardened" in any way.

What's more than a little sad is that every single worm or virus ever invented is still out there circulating in its original or a modified form.
Because anyone is allowed to buy and run a PC, they don't have to be maintained to any standard and ISP's don't have to care about what's connected to them or what traffic passes over the link. It's both laissez-faire and caveat emptor.
Script-kiddies and hobbyist-hackers can still have an impact, but only on low-value targets and should be able to be defeated easily.

Nowdays, to play at level 3 and 4, you need:
  • a team
  • of talented and capable
  • experts
  • with sufficient time, tools and resources (computers, storage and connection bandwidth).
All the Cybercrime rings are teams: there is too much involved, too much work to do and too many different areas of expertise/proficiency needed for just one person to execute.

Talent and ability are critical.
Just one or two outstanding people are all that are needed to "do the impossible". The core of successful teams may be very small.

In 1998, two Bell Labs researchers (Bill Cheswick and Hal Burch) produced a Map of the Internet, (1999 pic), something nobody had thought possible before.
It wasn't some big project with massive servers and super-firewalls taking months to mine all the data. It was one guy, 'Ches', with a very modest machine directly connected to a high-bandwidth link. In 1999, it took under an hour to scan the whole 'Net.

Ches needed Hal Burch to translate the raw data into a map. Whilst "graph theory" is well known, nobody had ever tried to place 10,000 nodes on a single map before. Getting this to work and finish within 24 hours was the second breakthrough piece of work in this project.

Ten years before, the son of another Bell Labs researcher, had constructed and released the world's first computer-worm, "the Morris worm".  It worked well, but 'escaped' into the wild before fully debugged and brought the entire Internet to a standstill, even though designed to be stealthy and low-impact. One person, two computers (VAX and SUN) a few days of work and a massive, if unintended, impact.

There is now solid proof of Level 4 activity: Stuxnet.
In June 2010, a set of malware was found specifically targeted against Iranian Uranium centrifuges, essential in making both reactor fuel-rods (low enriched) and weapons grade material.

The Sutxnet malware is unique and atypical in its field:
  • there are multiple layers needed to deliver, install, configure, run, control, replicate, hide the virus/worm and also mislead monitoring programs,
  • it exploits multiple vulnerabilities (means of entry to systems),
  • it uses multiple attack vectors (USB memory, RPC over the network, ...),
  • it took great care to limit its impact, to only affect targeted systems,
  • it required access to specific, scarce (expensive?) hardware and its documentation,
  • it required intimate and detailed knowledge of the operation of the centrifuges and their controlling hardware, systems and software to know just how to break them,
  • it worked first time in the field, so was well designed and very well tested, and
  • there was no money made from the target of the attack.
From an early press piece:
... and must have been developed by a team with expertise in and access to industrial control systems over several weeks, at a minimum.
Altogether an expensive and tricky project with no obvious financial return, factors suggest the malware was developed with either the direct involvement of support of intelligence agencies or nation-states and designed for sabotage.
In 2011, The New York Times claimed "The US and Israel jointly developed the infamous Stuxnet worm".

Government Intelligence Agencies bring a wealth of experience, training, people, "resources" and funding to their endeavours. Their successes are secret and hidden, their failures very public, and all too numerous - though real Professionals do learn from their errors, faults and failures.

What Intelligence Agencies can bring to the table is:
  • combined Computing, Signals Interception and Physical Intelligence gathering,
  • deep experience is "stealth" operations, electronic and physical,
  • patience and the funds to back long-term projects,
  • highly-specific "surgical" strikes against small targets,
  • access to the the best in many fields,
  • in-depth, detailed tactical and strategic planning and scenario testing, and
  • the ability to disguise their operations within seemingly unrelated events.
This is just another round in the last 2-3 centuries of National Intelligence and Espionage activities.

What they can do is many small attacks (think US 'drone' attacks) or once-only large-scale attacks.
What they cannot do is prevent Cybercrime and the operation of botnets, Identity Theft rings etc. Partly because that's a different job, partly because they can either recruit them as needed or use them as smoke-screens.

And there is another layer: deliberate or covert "hooks" being placed in major pieces of public software. Like Microsoft's "Windows" and Apple's "OS/X" operating systems and libraries/tools.

Marcus Ranum  (company)  once proposed a 'hypothetical':
Here we are visiting the Microsoft Kernel team, there's the CIA agent,  The KGB, the Mossad agent and ..., all busily inserting their own backdoors and special code.
Does this happen? We don't know.
Could it happen? Absolutely - because there is no requirement for code audits and public reporting.

But there's a problem in the non-physical Cyber world that doesn't exist with weapons in the physical world.
Once anyone develops an attack and releases it "into the wild", everyone can copy. modify and extend it... It may not be simple or easy, but is possible without extraordinary effort.

So now there is "Son of Stuxnet", the legacy of whatever Agency wanted to slow or stop the Iranian Nuclear programme.

But these derivatives won't be "limited" or "constrained". The Cybercrime syndicates are interested in maximising their revenues/profits - just like any good business.

This Genie, Stuxnet, is out of the box and will live for as long as there are unprotected Windows machines on the Internet. It's creators can't recall it, nor disable it now.

Would any Government-backed operation be as bold or foolish to launch a major attack on other Nations? Such as steal large sums of money or shutdown financial systems.

Not likely - they know the consequences.
For around 50 years the Cold War raged and a number of times the world was within minutes of a Nuclear exchange (courtesy of the "Mutually Assured Destruction" doctrine) - but despite the 10,000's of players, real hostility and a genuine desire to obliterate the opposition, both sides kept things under control. An amazing and inspiring feat.

The real challenge and concern is the Cybercrime syndicates, the Layer 3 players.
They are 'guns for hire', regardless of the consequences.

We need co-operative and collective action from the Layer 4 players to either constrain them, or permanently shut them down.

No comments: