The United States and Russia are enemies of old, and that this hostility has continued into the cyber age should surprise nobody. That Russia should be quite so blatant in its attempts to influence the 2016 presidential election, with the hacking of Democratic National Committee (DNC) e-mails and their consequent publication on the WikiLeaks website, perhaps more so.
But the surprises don’t stop there. The US government has taken the unusual step of formally accusing the Russians of hacking the Democratic Party servers and Moscow of attempting to interfere with the election process. The White House press secretary even went as far as promising there would be a proportional response in retaliation.
“The president has talked before about the significant capabilities that the US government has to both defend our systems in the United States, but also carry out offensive operations in other countries,” Josh Earnest told reporters on Air Force One in October. The future of conflict increasingly looks like it sits squarely in cyberspace, and the increasingly open hostility between Russia and the United States has exposed the fact that a cyber arms race has begun.
The “silent” war
Carl Herberger, vice president of security solutions at Radware, began his career working at the Pentagon evaluating computer security events affecting daily air force operations. “The cyber arms race is often incredibly clandestine and inherently silent,” says Mr Herberger.
Compare the cyber arms race to the nuclear arms race which preceded it. That was all about the power of deterrent and ownership; this is all about strike and denial. Nuclear weapons were tested in the public eye; cyber weapons are tested in secret. The value of a so-called zero-day attack that exploits a vulnerability known only to the attacker and so very difficult, if not actually impossible, to defend against can easily run into six or seven figures in the dark markets where such things are brokered.
Yet while ownership of nuclear weapons was loudly exclaimed, even by those who often didn’t have them, ownership of cyber weapons is far more likely to be denied. This unpredictability makes it hard to say with any certainty which countries are capable of what strikes. Or, for that matter, to attribute attacks already carried out.
The increasingly open hostility between Russia and the United States has exposed the fact that a cyber arms race has begun
That said, while there can be little doubt some nation states are far more advanced than others, it doesn’t take a cyber stockpile to wreak havoc. We don’t know who was behind the recent Dyn DDoS (distributed denial of service) attack that brought many US East Coast-based internet services to their knees on October 21. We do know that pretty much any nation would have had the wherewithal to launch such an attack. It could also be a game-changer.
Even before the attack struck, world-renowned security expert Bruce Schneier had warned that someone was using DDoS attacks to learn how to take down the internet. It seems he might have been right. It certainly demonstrated the internet is far from bulletproof and that paying lip-service to the internet of things (IoT) has created a genie that cannot be put back in the bottle.
The DDoS attack was launched using a network of digital CCTV cameras, video recorders and the like all under the control of the mirai botnet. This control system has been released into the public domain, so any cyber criminal can make use of it. However, researchers digging deep into the code it’s made with have found traces of Russian language strings. This suggests it was created by Russian coders or someone wants us to think so. Which brings us full circle to the denial of ownership problem, courtesy of potential false flags.
False-flag operations enable cyber warfare to take place under the cloak of a third-party adversary and could be very commonplace indeed. The so-called Cyber Caliphate, claiming to be the Islamic State hacking division, successfully disrupted the US Central Command’s social media feeds and hacked a US military database after which it posted exfiltrated data on 1,400 personnel online.
The US Cyber Command response was to launch attacks against cyber communication channels and drone-strikes against human targets in Syria thought to be linked with the group. It’s now known that the Cyber Caliphate was a false-flag operation run by APT 28, a Russian state-sponsored hacking group.
“Once an organisation’s techniques and fingerprint are known, it’s relatively trivial for other organisations to emulate it,” says David Venable, former US National Security Agency intelligence officer and now vice president of cyber security at Masergy. It’s a huge danger, Mr Venable insists as “the use of this information to impact the foreign policies of other states is extremely likely, especially with regards to states with sophisticated cyber operations”.
Where to lay the blame
Decoys and distraction are common enough parts of the military strategy puzzle and so it’s no surprise they are evident in the cyber sphere as well. Cases of attributing an attack to China might be based upon little more than political will and some handily placed Mandarin dialect in the source code, for example.
It’s easy to attribute attacks to groups, less so to attribute nationality with any degree of certainty. So how sure can we be that Russian state actors were behind the US presidential election e-mail hacks?
Laura Galante is currently director of intelligence at FireEye, but previously was contracted to lead a cyber-security portfolio covering Russian threats at the US Department of Defense. FireEye has worked on many of the high-profile breaches in the current US election cycle, including tracking the two state-sponsored groups behind the DNC e-mail attack, APT 28 and APT 29.
“We’ve seen a variety of different forensic artefacts that indicate Russia-sponsored groups are behind the DNC hack and a variety of other leaks that occurred this summer,” says Ms Galante. “We’ve been following these groups for years, tracking their activities and profiling their infrastructure.”
Unlike Chinese-based threat actors, these groups focus purely on military and political targets, and do not appear to conduct widespread intellectual property theft for economic gain. As far as APT 28, also known as Fancy Bear, is concerned, for example, the group compile malware samples with Russian language settings during working hours consistent with the time zone of Russia’s major cities.
“It collects intelligence on defence and geopolitical issues, intelligence that would only be useful to a government,” says Ms Galante.
Cyber arms budgets
So what about Guccifer 2.0, the so-called Romanian hackers who have claimed responsibility for the DNC e-mail hacks and the consequent uploading of them to WikiLeaks? “The Guccifer 2.0 persona is likely a Russian denial and deception effort to undermine the narrative of Russian responsibility for the leaks,” says Toni Gidwani, director of research operations at ThreatConnect
“They are a shiny object designed not to fight these accusations, but to distract the public by leaking sensitive information. That they’ve been this successful is a real cause for concern.”
Using so-called “faketivists” such as this to intimidate, discredit and gather intelligence on its opponents affords the Kremlin a layer of anonymity with which to advance its interests and distract from its activities.
So what investments are being made in developing, buying or just stealing cyber arms? When it comes to financing this cyber arms race, statistical data is unsurprisingly hard to find. In the UK, chancellor Philip Hammond has spoken about a £1.9-billion investment in cyber, but the strategic breakdown is vague to say the least. There’s money for educating the next generation of security researchers, for helping businesses to protect themselves against the ongoing cyber-crime wave and money to protect critical national infrastructure from cyber attack.
What there isn’t, nor would you expect there to be, is an itemised budget for cyber weaponry as part of the “defend, deter and develop” strategy.
“We know of the GCHQ budget for cyber due to the openness of former chancellor George Osborne,” says Peter Barbour, head of response with Context Information Security. “Similar figures can possibly be found for US military and intelligence spend on cyber, and potentially even China and Russia.”
What that means in terms of development of specific cyber arms is anyone’s guess and anyway the ability to inflict the most damage is not as simple as who invests the most money. “A small team that is highly motivated and equipped with the right set of tools and access can achieve huge amounts without the multi-million-dollar investment figures that are suggested,” says Mr Barbour. “Equally a heavily funded, well-organised effort can achieve phenomenal success too.” So maybe the question should be who’s spending the most on national cyber defence efforts? It’s not, after all, just about attacking with “arms” in this domain.
After the G20 conference in China earlier this year, President Obama told reporters the US has more capacity than anybody, both offensively and defensively when it comes to cyber weaponry.
So how much emphasis is being put on the defensive capability of cyber weapons by nation states? “Traditionally, almost all the focus has been on defensive capability, by all factions within the cyber warfare arena,” says Jonathan Couch, senior vice president of strategy at ThreatQuotient. “But it was defence in the blind.” In other words, everyone focused on generic defence-in-depth, layered security without understanding the threat.
Over the past few decades, Western governments and the military have been trying to learn from their offensive capabilities. That is, says Mr Couch “leveraging what we know about breaking in to others to defend ourselves better”. Additionally, there is cyber-threat intelligence gained on the offensive side that has traditionally been very close held information, which we are now finding ways to share with the defensive mission to do it better.