Saturday, June 8, 2013

A Dangerous New Era of Cyber War

In November 2012, Barack Obama signed into effect "Presidential Policy Directive/PPD-20". The name makes the document sound bland. Its contents are anything but. Through PPD-20, President Obama tasked a host of US government agencies to be prepared to hack into other countries' computer systems and defend the US from the same.

The breadth of operations defined in PPD-20 is breathtaking. Sample this passage from the document leaked to the Guardian:
"The Secretary of Defense, the [Director of National Intelligence], and the Director of the CIA in coordination with the [Attorney General], the Secretaries of State and Homeland Security, and relevant [intelligence community] and sector-specific agencies shall prepare for approval by the President through the National Security Advisor a plan that identifies potential systems, processes, and infrastructure against which the United States should establish and maintain [Offensive Cyber Effect Operations] capabilities; proposes circumstances under which OCEO might be used, and proposes necessary resources and steps that would be needed for implementation, review, and updates as U.S. national security needs change."
President Obama had ordered his team to draw up a hit-list of cyber targets in foreign countries and develop tools to hack into them, manipulate them, steal their data or destroy them.

This plan has already been put into action. In fact, PPD-20 even required the principals mentioned above to provide an update of their work six months after the directive was approved. Here's what we know has happened since November 2012.

This April, Reuters reported that the US Air Force had designated six cyber tools as 'weapons'. The report quotes Lt. Gen. John Hyten, vice commander of the US's Space Command, which oversees satellite and cyberspace operations. Hyten says the decision to designate certain cyber tools as weapons would help ensure funding. "It's very, very hard to compete for resources ... You have to be able to make that case," he said.

One month later, Reuters (again) reported that the US government had become the world's largest buyer of particularly dangerous cyber tools known as 'Zero Days'. Zero Days help hackers infiltrate a target system by exploiting flaws even the system's developer doesn't know exist. Such an attack gives the victim 'zero days' time to fix the flaw, hence the term. The reason Zero Days are particularly dangerous is they can even get past fully-updated anti-virus software and operating systems, since the flaw that allows them to get in is unknown to everyone except the attacker.

Not surprisingly, hackers who specialise in finding 'Zero Days' are highly skilled and their work does not come cheap. Reuters estimates that the starting rate to buy a zero-day is around $50,000. It adds that the price depends on how widely installed the targeted software is and how long the zero-day is expected to remain exclusive. One former executive at a defense contractor that bought 'Zero Days' from independent hackers and turned them into exploits for government use told Reuters his "job was to have 25 zero-days on a USB stick, ready to go".

If I were to summarise the Guardian and Reuters stories, here's what I'd say. In November, the US President ordered his administration to create hit-lists of foreign cyber assets that will be targeted, should the need arise. By April, the US Air Force had identified six cyber tools as weapons. This would give it the necessary funds for their development or to purchase them from independent developers. One of the tools is very likely the aforementioned 'Zero Day', which the US is stockpiling in the event it needs to get a virus into an enemy computer system.

Other tools could include viruses that turn on your PC's microphone and camera to record what is going on and send it back to the attackers. Or viruses that steal information off your hard drive. Or, as was the case with the Stuxnet virus, destroy centrifuges at an Iranian nuclear facility. Unfortunately, Stuxnet also spread to 100,000 computers around the world thanks to a programming flaw (thankfully, it would only work if it found the highly specific configuration, located only at Natanz).

Imagine if Stuxnet worked on every computer it infiltrated. There would be global chaos. And this is where it gets really worrying. We now know that the Obama Administration had ordered the deployment of Stuxnet without a policy framework such as PPD-20 in place. PPD-20 lists several safeguards, including the prescription to hold back if there are "significant consequences" to a US-initiated cyber attack.

Still, it muddies the waters ahead of this weekend's "informal" summit between President Obama and his Chinese counterpart Xi Jinping in California. The US has been a voluble critic of China, whose military it accuses of rampant hacks against US systems. China has accused the US of the same. That's why cybersecurity is one of the main focuses of the Obama-Xi meeting.

The interconnectedness of the Internet means a virus directed against one system could potentially take down 5 others if its code is not precise. That is why we need an agreement between governments about limits to cyber offensives. Perhaps we may not end up with a treaty along the lines of the ban on Chemical Weapons. At the very least, we need a gentleman's agreement.

Certainly purely civilian infrastructure should be off limits. This includes health and emergency services and food and water supplies. It may even be worthwhile to consider exchanging information about such networks and infrastructure (such as satellites) that enable these services so they can be specifically excluded from cyber attacks.

Perhaps the conversation will shift away from the usual trading of accusations to something far more useful. Thankfully, both the United States and China seem eager to hold such a dialogue. But they shouldn't be the only ones at the table.

Last year, the Indian Prime Minister, much like President Obama, designated two agencies to carry out offensive cyber operations. A team of international researchers believes they uncovered one such Indian operation recently. The researchers did not specifically blame the Indian government, and it is not known whether India has a policy framework, like PPD-20, to guide its cyber offensive actions.

At least half a dozen other countries have the resources and talent to launch debilitating cyber operations abroad. This pool is expanding rapidly. That's why every country needs to be at the table when it comes to limiting the fallout of a cyber war.

But state-sponsored hacking isn't the only threat. Independent hackers, the non-state actors of the cyber world, can sit anywhere. Most operate within or on behalf of criminal syndicates. But nothing prevents them from selling their work to terrorist groups.

Identifying such individuals is notoriously hard because they bounce their traffic off multiple servers around the world. Tracing these signals to their origin goes through a minefield of legal jurisdictions. Here, it is extremely important to have a global framework to quickly identify and prosecute such individuals and limit their harm.

The time for all these discussions is now. 
