I’ll never forget Oktoberfest 2010 for as long as I live. Yes, I like beer, especially the German stuff, and especially at Oktoberfest. But I don’t even remember the beer, and that’s not because I had too much of it :) It was at that time we received the first news of a very unpleasant trend, which I had feared for a number of years. That’s right, it was the first time Stuxnet reared its ugly head – the first malware created with state backing and designed to fulfill a specific military mission. This is exactly what we had talked about at our Oktoberfest press conference: “Welcome to the age of cyber warfare!” It was already obvious then that Stuxnet was just the beginning.
Indeed, little has changed since that September right up to the present day. Everybody had a pretty good idea where Stuxnet came from and who was behind it, although not a single state took responsibility; in fact, they distanced themselves from authorship as much as possible. The “breakthrough” came at the end of May when we discovered new malware which also left little doubt as to its military origins and aims.
Yes, I’m talking about Flame.
Leaving the technical details to one side: what is the historic significance of Flame? Why all the fuss about this particular malware? To what extent is it dangerous and what type of danger does it pose? Are cyber weapons capable of becoming part of state military doctrine and triggering a new arms race? These questions may sound strange, even alarming – it’s just a virus, no big deal! After all, it’s not going to stop me from eating my fresh croissant in the morning (or my dim sum :), is it? Well, if the development of military malware continues to spiral out of control, then the lack of a croissant or dim sum in the morning will be the least of the worries around.
The week after Flame was detected we saw several sudden newsflashes. The news basically “upgraded” the current perception of military strategy and demonstrated that states have already been successfully applying offensive cyber weapons for several years now.
On June 1st, The New York Times published a landmark article where the finger of responsibility for Stuxnet was pointed firmly at the USA – and there was no denial from Washington. Quite the opposite – the White House expressed its anger at information leaks and called for an investigation. At the same time, Israel also shed its inhibitions and, without going as far as acknowledging its participation in these incident(s), it finally admitted its interest in the development and implementation of cyber weapons.
Now let’s look at the potential repercussions of this news.
Firstly, Stuxnet, Duqu and Flame have proved that cyber weapons are: a) effective; b) much cheaper than traditional weapons; c) difficult to detect; d) difficult to attribute to a particular attacker (rendering proactive protective measures virtually useless); e) difficult to protect against, given all the unknown software vulnerabilities; f) can be replicated at no extra cost. What’s more, the seemingly harmless nature of these weapons means their owners have few qualms about unleashing them, with little thought for the consequences. And there will be consequences – to such an extent that the Die Hard 4 scenario will come to pass. Details below.
Secondly, the recent examples have justified the use of cyber weapons both ethically and legally. I’m sure other countries have also made use of such technologies, but before it simply wasn’t discussed and everything was done on the quiet, little by little and secretly. Now, nobody is going to hold back. And those countries which do not have cyber weapons will be considered backward by “decent military society”. As a consequence, in the short term, cyber military budgets will be increased many times over and we will see an arms race in the cyber dimension. As we know all too well, guns are made for firing.
Thirdly, the lack of any sort of international convention (i.e. an agreement on the “rules of the game”) on the development, implementation and distribution of cyber weapons and no court of arbitration give rise to several very real threats:
- The emergence of especially dangerous malware which deliberately, accidentally or by some “boomerang” effect strikes critical infrastructure objects, capable of triggering regional/global social, economic or ecological disasters.
- The use of conventional weapons in response to attacks involving cyber weapons. Last year the USA announced that they reserved the right to respond to a cyber attack with traditional military means.
- An imitation, provocation or misinterpretation of a cyber attack in order to justify a military attack on another state. A kind of cyber Pearl Harbor.
There aren’t many people who currently understand the danger of cyber weapons. It’s hard to believe that some virus, a few kilo/megabytes of code can suddenly cause, say, an accident at a nuclear station, a fire on an oil pipeline or a plane crash, isn’t it? But mankind has for some time now become increasing and imperceptibly dependent on information technologies.
For example, let’s return to the croissant thing.
It’s made at a bakery, where computers are used in the accounting department, in the warehouse and for the systems responsible for mixing the dough and controlling the ovens. Ingredients are supplied to the bakery from other, similarly automated factories. All logistics between them involves computers and networks. Electricity, water, sewage and the other municipal services are also supplied by computerized enterprises. Even the elevator which delivers your croissant to a trendy café is managed by a dedicated IT system. Finally, there’s the credit card we use to pay for the croissant…well, need I say anymore?
All these are potential targets of a cyber attack. And then we have Stuxnet which put centrifuges at nuclear facilities in Iran out of action. A bakery or water treatment plant is unlikely to have better protection. In fact, everything is much worse – industrial and critical infrastructure facilities operate on vulnerable SCADA systems which, on top of everything, are frequently connected to the Internet. And the sluggishness of the developers of these systems when it comes to fixing vulnerabilities (which can be exploited to conduct a cyber attack), has given rise to the new term “forever days”.
In terms of their destructive potential, cyber weapons are by no means inferior to nuclear, biological or chemical weapons. But, unlike these weapons of mass destruction, cyber weapons are not subject to any sort of control and have the glamour of being invisible, ubiquitous and “precise” (some “experts” even went so far as to claim that cyber weapons actually contribute to the world peace) which makes their use all the more tempting.
By developing cyber weapons, we are sawing the branch that we sit on. As a result the developed countries, being one of the most computerized entities in the world, will suffer most.
To be honest, I am pessimistic. I hope I am mistaken. I don’t think it will now be possible for countries to agree upon cyber warfare rules. We are currently providing technical expertise to the UN’s International Telecommunication Unit (ITU). They are trying to create at least some sort of system for governing cyberspace along the lines of the IAEA. But even articles in the media show that some countries are resisting these efforts. Indeed, who needs regulations for such promising and “harmless” weapons? I reckon that governments will only fully understand the real danger of cyber warfare after we are hit hard, as was the case in 2003 along the north-east coast of the USA – there should be no doubts about the real cause of that particular incident. The barn doors won’t be closed until the horse has bolted. I just wonder if we can be smarter than this in the 21st century?
- The international community has to try to reach an agreement governing the development, application and proliferation of cyber weapons. This will not solve all the problems, but at least it will help establish the rules of the game, integrating the new military technologies into the structure of international relations, preventing uncontrolled development and careless use.
- Infrastructure and industrial facilities, financial and transport systems, utilities and other critically important objects should reappraise their approach to information security, first and foremost, in terms of isolating them from the Internet, seeking out software alternatives that meet the new challenges to industrial control systems.
- Although the security industry has been focusing on combating mass epidemics for many years, its arsenal includes protection technologies which are most probably capable of preventing targeted attacks by cyber weapons. However, this will require users to rethink the security paradigm and introduce a multi-level protection system.
- Stuxnet, Duqu and Flame are just the tip of the iceberg. We can only guess what other cyber weapons are circulating around the world. I’m sure we will have more discoveries soon. I just hope it doesn’t get too scary.
- Being a global company with a primary mission to care about our customers’ security, we state officially that we will fight any cyber weapons irrespective of the country of origin and any attempts to force us to “collaborate”. We consider any compromise on this score to be incompatible with our ethical and professional principles.
State-backed cyber warfare is a real threat that is just making its first steps towards mass adoption. The earlier governments understand the possible consequences the safer our lives will be. I just can’t agree more with Bruce Schneier:
Cyberwar treaties, as imperfect as they might be, are the only way to contain the threat.
Can you imagine the world order without international treaties for nuclear/chemical/biological weapons deterrence? IAEA didn’t stop India, Israel, North Korea and Pakistan from developing their own nuclear weapons. However, these treaties clearly signal what is good and what is bad establishing the rules of the game!