At the RSA Conference in San Francisco last week (Feb. 13-17), a security panel discussed an evolving set of problems in a seminar called Beyond Stuxnet: State of the Art in Cyberwarfare and Weapons. Their most alarming conclusions had to do with the blurring of lines between cyberwarfare and ordinary street crime, and the muddle emerging at those points where advances in hacking techniques are creating conflicts with nation-state policies and strategies.
Begun in 1991, the RSA Conference was originally called “Cryptography, Standards & Public Policy.” The RSA LLC is the originator of one of the first public-key encryption systems, which was authored by Ron Rivest, Adi Shamir, and Leonard Adleman (hence the RSA acronym). This year’s panel consisted of Oren Falkowitz (CEO of Area 1 Security), Roy Katmor (CEO of enSilo), Gary Brown (professor at the Marine Corps University), and the moderator Kim Zetter (journalist best known for her reporting in Wired News). Frequently, over the course of the seminar, they disagreed.
WHAT’S A WEAPON?
The conversation began with an attempt to define cyberwarfare and cyber weapons. Neither was easy to pin down. The definition of warfare has changed, and we now face the prospect that future wars might only involve information (data) and wealth, not troops and captured territory. The traditional definition of a weapon—a thing designed or used for inflicting bodily harm or physical damage—doesn’t quite encompass cyber weapons. Most don’t blow up anything.
The computer worm Stuxnet, agreed by the panel to be the first cyber weapon, needed to be defined both by what it did and what it was intended to do. If the design was to simply interrupt the Iranian nuclear effort, then it worked by disabling centrifuge motors. If it was meant to be undiscoverable, it failed. It disrupted the Iranian centrifuges, but then went a little wild after that, and there was lateral movement as it jumped to other machines. In a “CBS 60 Minutes” report, Michael Hayden, former director of the CIA and the NSA, said Stuxnet was probably “a good idea” but that it had a serious downside. “There are those out there who can take a look at this. . .and maybe even attempt to turn it to their own purposes.” In that same televised report, a former head of the Department of Homeland Security said that the Stuxnet code was now available online to be downloaded and modified by anyone for other targets anywhere.
Along with the targeted Iranian programmable logic controllers, Stuxnet exposed everyone to what one of the RSA panelists called the imaginative power of the weapon. There was collateral psychological damage as people realized what mere written code could do. And that was due to one of the mistakes made by Stuxnet—it was detectable. One panelist added that at the time Stuxnet was state of the art, but today it’s old school.
Today, the “cyber kill chain” (the stages of a cyberattack) is more sophisticated and more insidious. The capacities of these weapons can include the ability to reach anywhere, anyplace. They can be made to silently reside within a target, waiting for the most opportunistic moment to be remotely activated. They can be designed to have cross-platform capacity and even have the ability to recognize which platforms to avoid without exposure. Computer system privileges are better compromised now, with vulnerabilities in programs like MS Office enlisted to enable embedding and activation. State operatives have learned to address problems like no open “air gaps” (ways into a target network) with full-spectrum approaches, seeing and using vulnerabilities that weren’t acknowledged before. For instance, they use radio frequencies to open air gaps using devices as innocuous as smartwatches and home-security cameras. All these efforts are broadening the spectrum.
When the participants turned to the question of what would make an ideal digital weapon, the one quality repeatedly suggested was stealth.
The proliferating weapon systems, from the highly technical programs developed for very specific targets to the simple hacks like phishing, are causing problems as some nation-states struggle with how these weapons comport with their policies, strategies, and values. This political dimension entangles not only the question of how a nation responds to a cyberattack but also what weapons can or shouldn’t be developed. There are international conventions that prohibit chemical and germ warfare, but what about worms and viruses that can spread throughout an economy creating vast collateral, civilian damage?
And then there’s the complicating issue of open source crime. Contemporary cyberwarfare now frequently employs the same weapons used by independent hackers. State operatives in Russia will use the same toolkits from their daytime employment at night when they freelance in their own criminal exploits for personal gain.
THE IDEAL DIGITAL WEAPON
The conversation then turned to the ideal digital weapon. It would, they agreed, not fit the classical definition of a weapon—that is, it wouldn’t blow up or destroy something. It would reside in the opponent’s systems, in place, waiting to be activated.
Ransomware is an ideal kind of weapon. You plant the silent ability on another system, and when it’s a good time, you lock down the entire system by encrypting the computer’s information. Only you have the key, so the information or capabilities of that machine haven’t been destroyed, at least not from your side of the monitor. You have control of both the machine and its information.
The ideal weapon would operate under the radar, and it would achieve its desired outcome without conventional weapons and perhaps complete all phases of its kill chain before the other side even became aware that an assault had begun.
The panel moderator, Kim Zetter, asked whether the weapon should be able to be recalled or remotely disabled if conditions change. In other words, should there be a fail-safe system? One response was a simple no—that’s not important to the aggressor. Another said recall might be unrealistic. Both notions are a little disturbing when you consider the rippling damage caused by the first cyber weapon, Stuxnet.
UNDECLARED, UNENDING WARS
Next, they addressed where all of this might be going. The discussion began with soft attacks, not those as in a military war but those that have been ongoing for a while now. These include regular, periodic thefts from financial institutions and espionage on varying levels—attacks on our economy and governance. These are perhaps “soft” today but could escalate in the future. Banks are being hit and money is stolen from the depositors and other customers, but as long as the institutions are able to keep the breaches quiet and replace the money, most are unaware of these attacks. What happens when the costs are too onerous for the board and officers? Could another nation unleash directed waves of these soft attacks in order to undermine sectors of the economy?
And what happens when the ongoing international espionage takes the next step above information theft and attempts to disrupt processes of government, or even the foundations of the government? The hacking of the Democratic National Committee looked like the traditional information warfare until questions arose about a possible attempt to disrupt the process of a free election with the recruitment of WikiLeaks as the sluice to release the stolen information.
Then a question arose about whether cyber weapons would be able to modify or even incapacitate conventional weapon systems, corrupting those heavy armaments that we have depended on for the unsteady status quo among the superpowers. There wasn’t a consensus on whether it’s possible to hack the software systems that control ICBM arsenals, but a warning was raised about the kind of intrusions that could interrupt the development of these weapons, creating the need to build in protections at that early stage of the weapon’s existence.
There’s another level of concern involving government policy makers and military strategists. The rules don’t exist for many of these potential weapons. Anyone can build these tools, and now the authority to deploy them becomes critical. If the decision to deploy becomes decentralized, as it has in the online hacker community, the state’s moral authority would shatter.
Incidentally, on the second day of the RSA Conference, Brad Smith, president and chief legal officer of Microsoft, asked governments to take cyber threats more seriously and he suggested a Geneva Convention for cyberwarfare:
“Just as the Fourth Geneva Convention has long protected civilians in times of war, we now need a Digital Geneva Convention that will commit governments to protecting civilians from nation-state attacks in times of peace. And just as the Fourth Geneva Convention recognized that the protection of civilians required the active involvement of the Red Cross, protection against nation-state cyberattacks requires the active assistance of technology companies.”
When asked about the chances for a reasonably negotiated international treaty, one participant said “Zero”; a second said it’s possible but would be imperfect and would take a lot of time; and another just repeated Smith, insisting there’s an absolute need to get international norms in a binding treaty.
The uneasy conclusion of the talk counseled that since the Iraq and Afghanistan wars, we should expect the future of warfare to involve a merger of capture/kill and intelligence/control missions. It was pointed out that there are currently 16 agencies in the U.S. intelligence community, and the overwhelming majority of them are part of the Department of Defense. Another sign of the times is that the largest employer of mathematicians in the U.S. is not Wall Street or Google, but the National Security Agency whose primary mission is: “[To] lead the U.S. Government in cryptology that encompasses both Signals Intelligence (SIGINT) and Information Assurance (IA) products and services, and enables Computer Network Operations (CNO) in order to gain a decision advantage for the Nation and our allies under all circumstances.”
The state of the art of cyberwarfare has never been more unstable, and the conflict, for the first time since the Civil War, will be fought here on our own soil. Some operations, according to the RSA panelists, have apparently already begun.