This section outlines how a cyber war might be modeled if one were to break out, and the various nuances of attacker attribution in the present-day world.
So here’s the common perception of what a cyber war would look like. There will be, basically, targeted efforts and pervasive cultural efforts to launch war. And there will be large-scale denial-of-service all the time. And critical infrastructure and finances will constantly get hit. And there will be secrets being stolen. Maybe, at that point, stealing secrets doesn’t matter, unless you’re stealing intelligence secrets. But there would likely be large-scale sabotage, and it would likely be combined with kinetic actions, because if you cause that many things to go wrong, you’ve obviously provoked whoever you’re attacking into actual war.

And that’s what everyone’s looking for. They’re looking for the actual Pearl Harbor, that kind of war setting. Why? If I were going to be launching a cyber war against a country, the worst outcome would be to provoke you. I could happily steal everything I wanted and rob you blind. Why would I want to trigger an actual war? I can beat you on the world stage if I can steal all your secrets, if I can sabotage your financial secrets and lower your GDP. I can just naturally economically overcome you if I steal everything you do. Such a war has yet to be seen – really, I guess, until the recent debate now, where Michael Hayden’s coming out and saying: “Yes, we all hack each other, but you guys are doing it for economic advantage, and we’re not.” Whether or not that’s trustworthy – you guys decide.
So, this long-term attrition-based cyber warfare was actually seen during the Cold War with the KGB’s Line X initiative to steal all this intellectual property from us, to catch up on the decades of technology they were behind on. And so, in such a setting it would be interesting to see whether there’s a targeted effort from a small set of actors or a pervasive cultural effort. Surely that’s going to depend on what part of the world you are in and the culture there.
And so large-scale sabotage, causing things to go wrong, causing things to blow up, is actually unlikely in a long-term attrition-based cyber war. There will likely be large-scale espionage; secrets, IP, perhaps finance will be targeted much more than critical infrastructure. The goal is to attack yet avoid provocations, and essentially to shift superpower status over time, or some sort of status over time.

Since we’re talking about war at that level, it’s interesting to ponder the possibility of collateral damage and the question of when a virus or an exploit can be a war crime. Because, as we’ve seen in these APT efforts that caused explosions in various places and perhaps trapped people underground, we know that cyber-triggered kinetic actions can kill people. And even in instances where they don’t kill people: Chevron actually had its systems massively hit by Stuxnet in 2010. Who’s responsible for that? Is whoever wrote it responsible for paying for the damage caused? And in the document-leaking talk, we talked about how the informants revealed in the WikiLeaks dumps were rounded up and assassinated. And the instance where DigiNotar was actually used as a stepping stone in an attack against the Dutch government, which I guess is pretty unlikely. The result of that is that they actually went bankrupt, and they’re a civilian company. Imagine all the collateral damage that will be caused by hacking cyber physical systems: it will bring down air traffic control systems, traffic lights, railroads, the power grid, the manufacturing sector, perhaps in terms of economic collateral damage, and so on (see right-hand image). And here it’s really important to know: if you’re dealing with security, in cyber physical systems terminology 0days are equivalent to forever-days, because these things never get patched.
So if you happen to have these systems connected to the Internet, perhaps at a lab or a manufacturing plant, and a virus gets into the systems, they are going to get attacked, perhaps.
So, in the instance that your systems are never patched: if a 0day is weaponized, gets out there and gets used, it can basically be reused by anyone else forever. If you’re in that room and you decide to pull the trigger on this plant or that plant, for every decision you have to ponder the real possibility of it being used anywhere else at any time. I think it’s crazy.

So let’s stop talking about that and switch gears to the problem of attribution (see left-hand image). It is almost impossible to accurately identify attackers, because they can be spoofing all their IP addresses and some settings. They can be behind proxies, they can be using Tor, and really, for real attribution you need hard evidence. There are many services that allow any sort of activity on their networks as long as it’s not child porn. For instance, I have a list here of anonymous VPN services that actually do take your anonymity completely seriously, and in a few years you can’t be tracked whatsoever. They don’t keep any logs; even if the government were to subpoena them, they would simply reply: “We have no logs, come see for yourself.”
Say you’ve got some dumb attackers, and they don’t use these services, or perhaps the services they’re using get hacked and start video recording exactly what they’re doing, like in the case of the Mandiant report. And say they’re identified. Now we have to think about the case of what if it’s a civilian group inside the country doing the attack? Is it affiliated with the government? Is it sanctioned by the government? Is it covert, and the government doesn’t know about it? Attribution here is very much affected by those possibilities.
Say we get hacked by a civilian group from another country and it causes the next 9/11: thousands of people die, everything goes wrong, but it’s a civilian group. Can that be considered an act of war? And what if they were legitimately sanctioned by their government? If it is, how do we prevent our people from doing it? How do we prevent our citizens from doing it? This is a really difficult problem. And what about the case of multinational groups that span multiple borders perpetrating such attacks? And then what about groups that are simply, perhaps, in one country, utilizing the safe-haven nature of other countries to launch their attacks against you?

And then this brings us to black flag operations (see right-hand image): perpetrating an attack while impersonating person B, some other team; or perhaps using your weaponized 0day and leaving comments in Chinese or Greek or Turkish to obviously throw off the investigation and make them think that other people did it.
And then, in the instance that you’d really want to send some people down the rabbit hole, doing this is basically like a double cross or triple cross, a double black flag or a triple black flag, and then using botnets to do this. That spans all countries. You have to hunt down the C2 network, you have to trace where the bot masters are actually logging in, and even then it gets crazier.

And now we’re approaching an era where UAV drones are going to be everywhere. What happens if one gets hacked and is used for some malicious action? Attributing and finding out about the hack – the data to do that may not be in the black box for that drone if it gets crashed. So that’s a real rabbit hole of possibilities. And then, dealing with repurposed Stuxnets (see left-hand image) and things like that…