Cyber Cold War Predictions

(This article was originally published on the Findings From the Field blog.) Kevin Haley at Symantec has just published his predictions for computer security in 2011. He mentions Stuxnet many times and mentions “cyber warfare” in passing. Many others have heralded 2010 as the beginning of a new era of cyber warfare. I think that if the 2009 Ghostnet and Aurora attacks and the 2010 Stuxnet attack represent a new “cyber warfare” then such warfare has more in common with the cold war era than with a conventional conflict. My own predictions for 2011 and 2012 follow. In summary, all I’m really saying is that “the cold war will continue.” That seems a pretty safe bet given how long the first cold war lasted. Thinking of the events of 2009-2010 as a cold war, though, does help to answer key questions like: When will we see new, sophisticated attacks? Who will be targeted? And how do we protect important civilian infrastructure from these kinds of attacks? Cold War I regard the most sophisticated attacks of 2009-2010 as a cold war because of type of attack and because of the agencies presumed to be responsible. The Ghostnet attack targeted embassies and foreign ministries of a number of governments, and was widely, but not conclusively, attributed to the Chinese government. The Aurora attack targeted large technology firms, apparently stealing source code and other intellectual property, and was widely, but not conclusively, attributed to the Chinese government. The Stuxnet attack appears to have targeted Iranian uranium enrichment facilities, and is thought to have originated with a western government, most likely the USA or Israel. In all cases governments are thought to be responsible. In all cases the attacks were specifically targeted and controlled – public safety was never at risk. The apparent motive was in two cases information theft or “intelligence gathering,” and in the third, damage to a militarily-sensitive installation. All of these tactics and motives are more reminiscent of cold war tactics than of some full-scale modern warfare. The cold war was characterized by only indirect conventional conflicts between the three cold war powers, by continuous and aggressive intelligence-gathering, and by occasional sabotage. Predictions for 2011 In predicting events in 2011 and beyond, bear in mind: many governments have announced they are developing “cyber warfare” capability, and many others are suspected of developing such capabilities unannounced, all of the three most sophisticated attacks of the last two years are presumed to have succeeded at least partially, and none of the authors of those attacks appear to have suffered significant consequences as a result of launching the attacks. This suggests that in the years ahead we will see more of the same, from a greater variety of actors. That said, I should mention criminal organizations. Such organizations continue to account for a continuous stream of new malware of steadily increasing sophistication. However, the step changes we have observed in the sophistication of malware in the last two years have all been attributed to governments, not criminals. Prediction: At Least One Large Intelligence Gathering Attack I predict that 2011 will see at least one large, new, sophisticated intelligence-gathering attack attack attributed to a national government. This prediction needs little defense though, since whoever launched Ghostnet and Aurora appears to have had some success and appears to have suffered no consequences. What worked before will work again. That said, intelligence gathering attacks will be focused more on “enterprise” computing systems than on control systems. Stealing information from control systems and programmable logic controllers is usually harder than stealing the original diagrams, plans and documentation from other repositories in an enterprise. Prediction: At Least One New Sabotage-Type Attack I predict that 2011 will yield at least one new, sophisticated and highly-targeted attack which sabotages a militarily-sensitive physical process of some sort. I think the most likely target for that attack is in the middle east. Again, the agents responsible for the Stuxnet attack are thought to have had some success with the worm, and there do not appear to have been any repercussions for them. What worked before should work again. I suspect that 2011 will yield attacks against militarily-significant sites in western democracies as well, but it is unclear how effective those attacks will be. I have the impression that such sites are better protected than the average civilian control system, even when civilian systems are regulated by NERC-CIP and CFATS. Iran and North Korea are both said to have made significant “cyber warfare” investments, but it is not clear how accurate those reports are, or how effective those organizations are. If western military sites are attacked in 2011 though, we may never know. Such attacks are likely to become state secrets. What I have trouble predicting is whether we will see a credible sabotage-type malware attack on western civilian infrastructure in 2011. On one hand, an attack with a large number of civilian casualties seems likely to trigger a direct, multi-national response like the response to the World Trade Center attack. A cold war is focused on intelligence gathering and military sabotage, not direct conflict. On the other hand, militaries, intelligence agencies, and governments have made some questionable decisions in the past. Anything is possible. I do not think we will see any credible attacks arise out of a manipulation of the Stuxnet worm itself. There are reports of researchers and others experimenting with the Stuxnet worm, substituting different parts of the payload and re-packaging the worm. However, any such “bragging rights” experiments, even if one escapes or is deliberately released into the wild, will have limited impact. Patches are available for four of the five Microsoft vulnerabilities the worm exploited. This means the worm will have a very hard time spreading on enterprise networks any more. I do not think we will see sophisticated sabotage-type attacks launched by terrorist organizations any time soon. The Symantec analysis suggests at least 6 very well trained people spent at least 6 months on the artifact that is the Stuxnet worm. From the decades I spent developing many kinds of software, my own guess is that the worm easily cost three times that much when you count the thoroughness and complexity of the QA effort. That means a large, well-trained, well-funded team, likely supported by an intelligence agency, working for a long time in a stable working environment with good computer hardware and software support. In my understanding, terrorist groups tend not to have those resources available and unlikely to develop them in the foreseeable future. Defenses Against Sophisticated Attacks To defend civilian control systems from sophisticated attacks like the Stuxnet worm takes a much stronger defense-in-depth posture than is the current, regulated best practice. The most urgently-needed improvements in best practices are greater use of whitelisting/HIPS technologies, greater network segmentation and stronger programs controlling the use of removable media. All defenses have costs to implement, but it seems to me that the “greater network segmentation” defense may face the greatest resistance. Truly secure sites, like most nuclear and military sites, have serious restrictions as to what kind of information can be exchanged across security perimeters. Enterprise integration and the widespread commercial exploitation of valuable control system data has been taken for granted for years now. Reducing the amount and kind of information that flows between security zones in civilian control systems will be difficult and costly. It seems clear that a new kind of international conflict is developing. Even if we suspect that civilian control systems will not be targeted for the next year or two, it would be prudent for civilian sites which represent the greatest threat to public safety to use the next year or two to invest in protections sufficient to ward off sophisticated attacks by foreign governments.