In an October speech to business executives in New York, U.S. Defense Secretary Leon Panetta described an ominous series of recent events in cyberspace: a wave of Distributed Denial of Service (DDoS) attacks bringing down U.S. banks' customer websites, the Shamoon virus infecting 20,000 computers in the Saudi Arabian oil company Aramco, and a similar virus attack on RasGas of Qatar. In the attack on Aramco, Shamoon replaced system files with an image of a burning U.S. flag.
Foreign cyberattackers are targeting U.S. critical infrastructure networks -- the computer systems that operate chemical, electricity and water plants and run transportation systems -- and in some instances, have breached those systems, Panetta said. He warned of the potential for nation states to use cybertools to derail trains, contaminate water supplies or shut down power grids. The result could be a "cyber Pearl Harbor," he said.
The digital world -- while truly powerful in the most useful of ways -- has a dark side that can profoundly hamper, or even end, our lives. As the world continues to evolve, so do the threats. Terms such as "DDoS," "botnets" and "SQL injection" have entered the popular lexicon and new ones emerge all the time.
Early in the digital age, most of the bad guys merely wanted to see where they might penetrate. Next, they were after money. But as their weapons and organizational skills continued to develop, new military options emerged for nation states while many of those same capabilities have become available to a wide range of hacktivists, terrorists or freedom fighters, depending on your point of view.
This brave new world has now yielded terms such as "cybercrime," "cyberterrorism" and even "cyberwar." The meanings of the words are somehow both self-explanatory, yet undefinable. To a certain extent, the proper definition of any given act depends on the perpetrator and the target. If it's an individual stealing money, that's probably cybercrime. If it's a non-governmental activist group trying to make a headline splash with a high-profile exploit, that might be cyberterrorism. If it's a government attacking the assets of another government, then that could easily be considered an act of cyberwar.
"The whole notion of cyberwar is hard to define," said Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab, a Russia-based security company that frequently investigates high-profile malware and breaches. "Some people argue that espionage is part of cyberwar, and we definitely know that cyberespionage is absolutely rampant nowadays. For others, cyberwar is more about tangible damage. But you always have to look at who might be attacking you, what they are trying to accomplish, and why they are trying to accomplish it."
GLOBAL CONFLICT IN CYBERSPACE
Cyberattacks that could be considered the realm of cyberwar are becoming disturbingly commonplace with weaponized malware such as Stuxnet, Flame and Duqu, all of which can extract information from industrial control systems, or even support attacks against those systems or other types of networks. Stuxnet was used to attack Iranian nuclear centrifuges, starting in 2010. Targeting equipment that relies heavily on automation, Stuxnet attacks the programmable logic controllers that serve as the brains behind industrial systems in factories, power plants, airports, etc. While no one has claimed responsibility for damage to the Iranian nuclear equipment, most fingers point to the U.S. and Israel.
Earlier examples go back to 1982, when a massive explosion tore through the Trans-Siberian pipeline in the former Soviet Union. The incident is said to have been brought on by a presumed Soviet attempt to steal oil pipeline system control designs: some government insiders allege that the CIA worked with a Canadian firm involved in the pipeline project to substitute flawed designs for the genuine ones, facilitating sabotage. The resulting blast was so huge that it was detected by the U.S. military's early warning satellites.
"If Russia had known the U.S. was involved, they probably would have considered it an act of war," said Jody Westby, CEO and founder of Global Cyber Risk, LLC, a Washington, D.C.-based consultancy. "That whole program was credited with helping to end the Cold War because the Soviets no longer trusted their own infrastructure. But in this day and age, we also have to understand there is a trade-off that impacts our public safety and economic security. It's no longer just a game of military targets because very often civilian infrastructure becomes involved."
Westby added that current treaties fall substantially short of establishing multinational agreement on how such activities should, or should not, be carried out.
"Cyberconflicts typically do not fit into the laws of armed conflict," she said. "We would need to amend the Hague Convention, the NATO treaty, the UN Charter and the Geneva Convention. We also need an agreement specifying that countries will assist in cybercrime investigations.
"If you bring an army across a neutral country to attack a third country, international law requires you to have permission from the neutral country that your army passes through," she continued. "But what about a cyberattack in which the transmissions are traveling through the neutral country? Do you need permission for that? We are totally unprepared for these types of questions."
Attacking public infrastructure -- or even private infrastructure used widely by the public -- is not the exclusive domain of governments. Such activities are well within reach of a wide range of organizations, or even private individuals with an ax to grind; herein lies the almost equally undefinable realm of cyberterrorism.
"While cyberwar is about nations conducting systematically destructive operations, cyberterrorism can be used to cause temporary disruption and/or panic," explained Harry Sverdlove, CTO of Bit9, a Waltham, Mass.-based company focused on defense against advanced persistent threats. "Cyberterrorism tends to be a one-off attack for a very specific purpose. From a practical perspective, we have to assume these things will one day happen. What saved us in the Cold War was the threat of mutually assured destruction. But I don't think we have that same form of protection in the cyber context, which tends to make them even more likely. In addition, there is almost a sense of anonymity and isolation in cyberattacks. They can be done from the safety of distance or even by third parties."
THREATS TO EMERGING AIRCRAFT SYSTEMS
One of the underpinnings of U.S. military strategy is to maintain highly sophisticated and incredibly effective weapons systems that enemies lack the resources to duplicate. Continuing at the cutting edge, defense contractors are currently working on developing warplanes that will fly without pilots. This is because human beings can only handle a limited number of G-forces before losing consciousness. Even contemporary aircraft, such as the F-22 Raptor, are intentionally harnessed to prevent maneuvers that their airframes and systems could handle but their frail human pilots could not. An empty cockpit would enable the aircraft to further "push the envelope," in aviation terms.
But that means the plane would be controlled from the ground -- and anything remotely controlled could, at least theoretically, be hacked. The net result could be these amazingly deadly weapons systems being turned against their own people by foreign governments or even terrorists.
"We are living in an increasingly interconnected world," said Sverdlove. "Even if the systems are air-gapped, they tend to be controlled from somewhere else. And anything that can be controlled from somewhere else can be controlled by someone else."
Security for such systems would no doubt be impressive. But every security expert knows the maxim that as complexity increases, so does the vulnerability. Defense engineers would need to predict every exploit. Enemies and terrorists would only need to find a single vulnerability that slipped through the cracks. And if experience is any guide, we can expect they will work together to find the perfect hack.
"I think that the criminals are weaponized a lot more than people realize," added Sverdlove. "As a security specialist, this is the part that frightens me. Years ago, hacking was a very specialized skill, but now it has become highly commoditized. Moore's Law almost applies to cyberattacks, in a way. Every 24 months we see the level of sophistication double because they're sharing techniques, and even packaging those techniques into kits for those who have limited expertise. Every time we see a new sophisticated attack, the bar is raised for everyone. There is no patent protection on malware."
Commercial aviation is by no means immune to similar threats. New technology to support air traffic control is currently being developed for the U.S. and other countries. The good news is that it's less expensive and enables planes to be more densely packed into crowded skies. The bad news, according to independent security researcher Andrei Costin, is that anyone with a few hundred dollars could hack the system and make it display large numbers of aircraft, some of which are really there and many of which are false representations of air traffic. Described as something close to a DDoS attack on aviation, the number of ghost aircraft could be high enough to bring the system to its knees and thoroughly confuse any humans who might choose to assume control during such an emergency.
At last summer's Black Hat Briefings conference in Las Vegas, Costin outlined a number of other potential exploits and errors that could have similar consequences. "The system would be vulnerable to pilots with bad intentions, pranksters, abusive users, criminals, terrorists and even military actions," he said.
Costin said the $1 billion system could be made far more secure through the use of encryption, but added that this option gets little support because such a strategy would utilize far more bandwidth which, in effect, would reduce the effectiveness of the technology transition. The solution to this problem remains undetermined. On the other hand, federal officials, as well as the company developing the technology, maintain it is safe.
Perhaps our most vulnerable systems are the oldest ones; the ones that were designed and implemented before the dangers of cyberwar emerged. These would include the systems that control power grids, water treatment facilities, and a host of similar things that may be either publicly owned or privately owned but profoundly impact public health and safety in either event. They are generally classified into a category known as SCADA (Supervisory Control And Data Acquisition). Most are designed to run for long periods of time with only minimal amounts of human intervention.
The majority of them were designed before threats such as cyberterrorism and cyberwar even existed, so cybersecurity was not a primary concern. In more recent times, many of them have also been connected to external networks, or even the Internet. The net result could be an attack that causes catastrophic loss of service, or even poisoned consumables, such as water.
"I spent 18 years dealing with SCADA systems before I moved into network security," said Paul Henry, security and forensic analyst with Lumension, a Scottsdale, Ariz.-based endpoint security company. "As we moved from analog into digital technologies, nobody thought this infrastructure was ever going to be connected to what became the Internet. We saw them as isolated islands, so security was never built into the underlying protocols. But then, people began connecting their SCADA systems to the enterprise network so they could run more efficiently and interface with back-end programs. Over time, many of them even became connected to the public Internet.
"Many of the standard attacks that you would use against the Internet are very effective against SCADA," Henry continued. "We've seen that many times over, such as with SQL Slammer. Somebody could create a UDP flood within the network environment. The SCADA systems could not handle the UDP flood because they did not have the error correction capability built into the stacks. So they crashed."
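Henry's point is that a SCADA stack with no tolerance for unexpected traffic simply crashes under a UDP flood, which makes detecting the flood early a defender's first line. The following is an added example, not code from the article or from any of the companies it quotes: a small rate-based detector that sums UDP packets per destination over fixed time windows and flags windows that exceed a threshold, together with the top talker for triage. The NetFlow-style record layout, the addresses and the thresholds are all constructed assumptions for the demonstration.

```python
# Added example (not from the article): rate-based UDP flood detection over
# constructed flow records. Record layout, IPs and thresholds are assumptions.
from collections import defaultdict

# Constructed sample records: (epoch_seconds, src_ip, dst_ip, proto, packets).
# 10.0.5.20 stands in for a SCADA host; 10.0.9.9 is the noisy source.
SAMPLE_FLOWS = [
    (1000, "10.0.1.10", "10.0.5.20", "UDP", 5),
    (1001, "10.0.1.11", "10.0.5.20", "TCP", 40),
    (1002, "10.0.9.9", "10.0.5.20", "UDP", 900),
    (1003, "10.0.9.9", "10.0.5.20", "UDP", 1200),
    (1004, "10.0.9.9", "10.0.5.20", "UDP", 1500),
    (1030, "10.0.1.10", "10.0.5.21", "UDP", 7),
    (1031, "10.0.1.12", "10.0.5.21", "UDP", 6),
]


def udp_packets_per_window(flows, window_s):
    """Sum UDP packets per (destination, window start), and per source within it.

    Returns a dict keyed by (dst, window_start) whose value is a dict of
    src -> packet count. TCP and other protocols are ignored.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, proto, pkts in flows:
        if proto != "UDP":
            continue
        window_start = ts - (ts % window_s)  # fixed, non-overlapping buckets
        counts[(dst, window_start)][src] += pkts
    return counts


def detect_udp_floods(flows, window_s=10, threshold=1000):
    """Return alerts for every (dst, window) whose UDP packet total exceeds threshold.

    Each alert records the destination, the window start, the total UDP packet
    count and the single source that contributed most (for triage).
    """
    alerts = []
    for (dst, window_start), per_src in udp_packets_per_window(flows, window_s).items():
        total = sum(per_src.values())
        if total > threshold:
            top_src = max(per_src, key=per_src.get)
            alerts.append({
                "dst": dst,
                "window_start": window_start,
                "udp_packets": total,
                "top_src": top_src,
            })
    return sorted(alerts, key=lambda a: (a["window_start"], a["dst"]))


if __name__ == "__main__":
    for a in detect_udp_floods(SAMPLE_FLOWS):
        print(f"ALERT {a['dst']}: {a['udp_packets']} UDP packets in window "
              f"starting t={a['window_start']} (top source {a['top_src']})")
```

On the constructed data the detector raises one alert for 10.0.5.20 in the window starting at t=1000, with 10.0.9.9 as the top source; the second host stays well under the threshold. In practice the threshold is set from a baseline of normal traffic to each control host, and the alert feeds a rate-limit or block on the offending source before the device's stack gives out.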
It's frightening to consider that, in many cases, the malicious software may already be loaded into the SCADA systems and merely waiting for an activation command from its controllers, to be sent at some point when the attack would have the desired political consequences.
"Most of the energy companies have already been compromised in one form or another," said HD Moore, chief security officer of Rapid7, and creator of the Metasploit pen testing software. "When a government or hacktivist group gets unhappy enough with the U.S., they could very well decide to use this emerging cyber capability. To say it won't happen because it hasn't happened yet is fairly naive. That's an ostrichlike approach to a very real problem."
"Every utility company realizes that they are very much a target, either from foreign nations or from people acting on their own," Kaspersky's Schouwenberg said. "Keep in mind that there are very limited numbers of players in traditional warfare, but in cyberwarfare even small countries can be a major player if they invest in it the right way. It is very easy, and it doesn't cost much at all, compared to traditional warfare. So the playing field is completely different. It's going to be very interesting to see how that works out over the near term and longer."
Sverdlove from Bit9 points out that while cyberwar has not yet happened -- at least not formally -- there have been very aggressive patterns of cyberespionage that could lead to much higher stakes.
"I'm fairly certain that the SCADA systems have already been probed at this point," he said. "Maybe not persistently, but I think those networks are frequently attacked, and I believe that some of those attacks were successful. We sometimes discover programs on those systems that the administrators did not know were there."
At this point, China -- for example -- probably has no interest in taking out the U.S. power grid but that doesn't mean it wouldn't be looking at how to do that if it ever wanted to, Sverdlove said.
"If they can get into the network, it would not be a big leap for them to change their actions," he said. "Taking out a power grid or communications network without dropping a single bomb can have a very profound impact on the ability to wage war. This is only sci-fi because it has not yet happened. But the threat is actually very real."
PUBLISHED NOV. 12, 2012