This series reflects contemplations and interviews by BBC’s Gordon Corera with executives and experts regarding the present-day state of the cyber threatscape.
I’m Gordon Corera, and for the BBC World Service I’ve been looking at the extent to which cyberspace is being used to steal, spy and wage war. The alarms are sounding:
Business leaders, politicians and the intelligence services are all warning that the Internet is being used for espionage, sabotage, subversion, even warfare. Governments hemorrhaging secrets, people losing their privacy, multinationals losing billions… So, what’s been going on? Let’s deal with economic espionage first.
Meet Brian. So desperate is Brian Shields to tell his story in person that he’s driven hundreds of miles to meet me in Washington, D.C. 10 years ago Brian was a technical security advisor for Nortel, a giant Canadian telecom company. At its peak Nortel employed nearly 100,000 people, and its shares made up 1/3rd of the value of the Toronto Stock Exchange. Without anyone realizing it, someone has gotten inside Nortel’s computer systems. No one in Brian’s security team in America realized there was a problem until they were contacted by an employee in Britain.
– When did you first start to think something was going wrong with Nortel?
– Nobody detected it. I say this to my friends: “You gotta love the guys in the UK because they look at stuff, you know.” And it happened that a UK employee saw that an executive over in Canada had downloaded some of his stuff.
Nothing unusual you’d think in a senior executive accessing his own company’s computers to download files. The British employee asked the American executive if he needed any help with the information he’d been looking at.
– Well, what happened was he sent him an email saying: “Do you have any questions about what you saw in my materials?” And then the executive responded back: “I don’t know what you’re talking about.”
– So, someone was downloading the documents in the executive’s name, but it wasn’t him.
– That’s correct. When we got to looking at that, we tracked the record and saw they didn’t match, so the employee ID that was used to download documents wasn’t the same as the employee that logged in to remote access. How could this be? Something was very wrong.
As Brian looked into the unusual downloads, he realized they were not one-off, and it went to the very top.
– We could see what was being taken. We had a total of 1500 documents, the largest number being taken under the CEO’s account.
– The chief executive of Nortel’s account?
– That’s right, the chief executive’s account. They used him and it was over 700 documents they took.
– So, someone had gotten into the account of the chief executive of the company?
– Yes, that’s correct. And we saw that their activity was originating over in China. Our remote access logs told us the originating IP address. And we knew he was up in Canada, so there was no way he was doing this.
– And what did he say when you told him?
– I don’t know if he was ever told, to be quite honest.
– Do you think this would cause panic in the company?
– Oh my gosh, yes, it should.
– He must have got frustrated.
– Yeah, I mean, think about it, this is terrible. What’s the value of the information that was stolen? I mean, when I looked at the log files, it wasn’t just going back 6 months ago, it was going back to full length of our log files that are retained, it was almost 4 years, 3,5 years that they were stealing from us. Think of it this way: if there was a bank to get robbed and they took $5000, you’d probably have half a dozen agents there working on the thing and trying to help to apprehend the guy that went to the bank and took $5000. But here you’ve got a multinational company, international company, and they’ve been stealing from the vaults, if you will, for untold years, and the value of the information is priceless, especially if you turn it over to the hands of a competitor, whether it’ll be your own ID information where you see your future sales opportunities, it could be your margins, it could be your customer information, their request for what they see as in features, maybe companies you’re planning on buying for… I mean, this is priceless, this is competitive information, and then untethered access to it all – there was no stopping them. I mean, they had the highest level accounts, so there was nothing they couldn’t get to.
– Do you believe it was China and the Chinese State who were behind this attack?
– That’s a great question. You know, I shouldn’t be pointing fingers, but the facts are though that the information, when it was being downloaded, was going over into Shanghai, in Beijing area. Somebody was really good. Are average hackers going to be that good? No, I don’t think so.
– What did it do to the company?
– I personally think that it ran the company into the ground, they ran them out of business.
In 2009 Nortel filed for bankruptcy. It’s impossible to know how far the company’s demise was due to cyber espionage; there were other factors involved. But losing your most confidential business secrets can’t help. Nortel is not an isolated case. The job of Britain’s security service MI5 is not just to defend Britain against terrorist threats, but also cyber attacks. At the headquarters MI5’s Head of Cyber, who asked not to be named, chooses his words carefully. This is the first time he’s talked about it in public.
– It covers all sectors. There are now three certainties in life: there’s death, there’s taxes, and there’s a foreign intelligence service on your system.
– Britain’s under attack in that sense?
– I don’t think it’s just the UK. This is a global widespread problem. There are hostile foreign states out there who are interested in a company’s mergers and acquisitions activity, their joint venture intentions, their strategic direction over the next few years. And that information would be valuable to that country’s state owned enterprises.
– So, we’re talking about foreign intelligence activities, not foreign companies, not individual hackers, but foreign intelligence services?
– Foreign intelligence services.
– Are you able to say which countries?
On the outskirts of Cheltenham in South West England sits GCHQ. For decades it’s been Britain’s global eavesdropper, listening in to communications. In the modern world that means spying on others and defending the UK in cyberspace.
– Hello, I’m from the BBC. Here’s my passport and the driving license.
We pass high fences topped with razor wire under the gaze of surveillance cameras, and through the gates into GCHQ’s heavily secured headquarters. Obviously it was just days before revelations from an American whistleblower raising questions about its activities.
I’m now heading into the CDO, the Cyber Defense Operations area of GCHQ. A sign on the door reads: “Defending the UK one bit at a time”, I think that’s a reference to computer bits. There’s also a sign on the door saying: “Caution. BBC recording here. Keep all conversations to unclassified.” This is the place where information comes in from classified sources, and also from unclassified sources, and where GCHQ tries to take a rounded picture of what threats the UK is facing in cyber space, and to try and work out what to do about them.
Diligent workers, some remarkably young, sit in front of computer screens. Numbers in green scroll across the face of one monitor. Larger, wall-mounted screens have been blanked out for our visit. So, from this unique vantage point, what does GCHQ see happening to Britain?
– The area that’s of particular current interest is the nation state activity against businesses. This is, if you like, a game changer. This is industrial espionage on an industrial scale.
Sir Iain Lobban is GCHQ’s director. In many cases companies don’t even know they’ve been breached until GCHQ tells them.
– We have seen a couple of companies which have been penetrated over a period of 12-18-24 months.
– So the bad guys have been inside their networks for up to two years, moving around, potentially stealing information?
– That’s right.
– What kind of secrets are being stolen?
– Across the range, I think we started a couple of years ago thinking that this was going to be about the defense sector, but really, it’s any intellectual property that can be harvested, if you like, and put out there.
– And this is being done by other states?
– This is being sponsored by some other states.
– The finger is often pointed at China for this.
– So I’ve heard.
– The Americans say it’s China, they’re quite public about this. Do you know who it is?
– I see where this discussion is taking place. Yes, we know who it is.
– And you’re sure you know who it is?
– Yes, we’re sure we know who it is. I want to say something about attribution. Attribution can be very hard, and it’s very difficult to do attribution in real time but over a period you can build up a pretty strong idea of where the attribution is.
– So you are confident that you know who it is, but you don’t feel you can say who it is at this point?
– I can’t say who it is to you.
– But you do know and you are confident about that?
– Yes, I do.
So, Britain’s intelligence services aren’t saying. But there are clues. Some of the top targets are defense companies, several of which have been involved in building America’s state of the art stealth fighter, the F-35. Washington is spending a staggering one and a half trillion dollars on the project. But what if another country got hold of the designs?
Nigel Inkster, a former deputy head of Britain’s intelligence agency MI6, now works at the International Institute for Strategic Studies in London.
– A lot of material, a lot of intellectual property has been extracted from the databases of the US and other western countries. What we don’t know, of course, is how effectively this has been utilized. There are some areas where there are grounds for thinking that it has been, a case in point being China’s very rapid development of stealth technology in aircraft, which may well be the product of cyber espionage. They have been producing prototypes of aircraft that look suspiciously like the F-35.
Efforts to steal the designs of the F-35 date back to at least 2007. The attacks have been increasingly ingenious, looking for the weakest link in the supply chain. Recently the defense contractors are thought to have been targeted through RSA, the makers of a device that allows their employees to log on to their company networks remotely from home or a hotel. Art Coviello, the RSA’s chief executive:
– In our case they were looking to exploit information from us to attack others. The way they got to us was they attacked a company in our supply chain, and they took over their email server and sent our employees legitimate-looking emails from legitimate people within that supplier organization. So, naturally, our employees opened it, and inside was a malware payload that was then able to fan out across our infrastructure.
– What was that like, as the head of the company, to be attacked like that and have to disclose? I mean for you personally.
– Well, since I was around from almost the start of the company, it’s almost like having a baby just pulled from your arms, and it was very personal.
– What was the damage for you as a company?
– Well, our corporate parent took a charge of 66 million dollars in the second quarter of the calendar year of the breach. I think we recovered some of that eventually. But make no mistake about it: it slowed us down for a good 6-9 months.
Art Coviello is unusual in admitting to being a victim of a cyber attack. I’ve approached dozens of companies, including some who I’ve been told have been breached, but none wants to talk. They only offered bland statements about taking cybersecurity seriously. Owning up can be hugely damaging to your reputation and your share price. Defense companies like Lockheed Martin, the US arm of kinetic, and Britain’s BAE have all been reported to have been attacked. They won’t talk about those claims. But BAE itself does help protect companies through its subsidiary called Detica; Martin Sutherland is Managing Director.
– I work within BAE Systems. BAE Systems is a defense firm that earns over approximately 20 billion pounds a year. The thing that underpins the economic value of BAE Systems as a firm is that it has leading edge, often national security level intellectual property. The design of the Typhoon aircraft, the design of some of the marine capabilities that we have, and so on, are highly protected and highly valuable.
– And people want those?
– And people want those. So, BAE Systems is under constant attack. In terms of events on our network it runs into billions. But last year, 2012, there were 92,000 attempts at attacks, of those 339 were what we saw as very sophisticated attacks.
Cyber attacks may be launched through computer networks, but they’re still about people. Attackers research employees in a target company, learning about their professional and personal lives. They’re looking for a way to pique someone’s interest and persuade them to click on an email under the mistaken impression that it’s from their boss or a friend. For the defenders it’s all about understanding your opponent. Detica’s Dave Garfield has gleaned a pretty good idea of who they are from watching numerous attacks unfold.
– I think it’s like any aspect of intelligence: the more monitoring you do, the more research you do into these groups, the more you’ll find out. We have a very clear understanding of the working hours of the attack groups. Many attack groups work Monday to Friday, they typically work from 9am to 5pm, they have a two-hour lunch break. We know that when they’re attacking Western organizations, particularly in America, they’ll then work the hours of the American corporations to try and hide in the noise of their networks, which means that they are often doing a second shift. So, once the first shift is going home, the second shift comes in. We can look at the hours and translate it to understanding roughly where in the world they might be.
– And what do you find in terms of where these groups are largely based, because it’s often said to be China?
– So, we’ve got strong indicators that there are a large number of groups emanating from China. However, we are seeing an increasing number of attack groups from Eastern Europe, from parts of the Middle East, so there’s an increasing globalization of this problem.
Although it’s relatively easy to see where a conventional missile might have been launched from, it’s much harder to be sure about the source of a cyber attack. Attackers can disguise what they do by going through computers in another country. But earlier this year an American cyber security company called Mandiant published a report that was something of a game changer. It traced attacks against 140 Western companies to the doorstep of a single building in Shanghai, a building which Mandiant said also housed Unit 61398 of China’s People’s Liberation Army. Mandiant chairman, David DeWalt:
– We studied the activity into exact building with the exact people involved. Not only did we know the exact individuals involved, we had pictures of the people, we tracked what information they were stealing, where they were going with it. So the evidence became so obvious that this was what was happening, and of course it’s been happening over years.
Never before had the finger been pointed so directly and so publicly at not just China, but the Chinese State. The Mandiant report helped Washington push the subject to the top of the political and diplomatic agenda. Its conclusions though came as no surprise to General Michael Hayden. For 6 years he presided over the National Security Agency, or NSA, America’s electronic intelligence agency.
– I had someone from the press call me and say: “This is really big news!” And my response was: “Well, it’s big, but it’s not news.”
– How big is the scale of Chinese espionage, do you think?
– I actually state publicly that I stand back in awe, as a professional, at the breadth, depth, sophistication and persistence of the Chinese espionage effort against the USA. As a professional, it’s awesome. I don’t know how they handle all the data they steal.
– It’s on a different scale, you mean?
– Yes, it is, and I’ve got to be careful about going too far in terms of classified information, but yes, the Chinese are very candid. We steal secrets too. But we steal only as does GCHQ. We steal only those things that keep British or American subjects safe and free. We don’t steal things to make Americans, or in GCHQ’s case, British subjects rich. The Chinese do, and they do it on a massive scale. That’s the difference between what free peoples do in terms of signals intelligence and what the Chinese are doing. And what makes that so pernicious is that they are a powerful nation state not attacking a nation state’s telecommunications or IT infrastructure, but attacking private industry’s IT infrastructure. That’s an incredibly uneven playing field, when the resources of a nation state are massed against even a sophisticated company, like Google or RSA.
Gathering intelligence on other states for reasons of national security has always taken place. The western objection to China is that it targets Western companies for commercial gain. For Beijing though, economic growth is a national security issue, key to its social and political stability. At a recent conference a Chinese military official is said to have got up and told his American counterparts: “In the US economic espionage is a crime and military espionage is heroic. But in China that line is not so clear.”
– Everywhere you look in Beijing there are signs of China’s enormous economic growth in recent years: huge skyscrapers reaching for the sky, new ones being built, fancy cars driving along the streets. But one question is how far that amazing economic growth has been built on economic espionage?
– I personally have lived through more than three decades of Chinese development.
Victor Gould is emblematic of China’s success, a former official turned international businessman.
– I was fortunate and privileged enough to be an interpreter in the 1980s, and I’ve known many Chinese leaders at the very top level. My fundamental belief is that the Chinese economic development and the political reform are real, and they are based on back-breaking hard work. Now, if anyone believes that by committing commercial espionage you can really gain an upper hand in manufactory, in R&D, in economic development, etc., you are dreaming about building a castle of cards. It’s impossible. The real foundation of the Chinese economic miracle is hard work.
Perhaps weary of the tide of accusations from the West, China has begun to respond in public. We’re invited through the gates and pass the stiff-back soldiers into the foreign ministry in Central Beijing for a rare interview with Dr. Huang Huikang, the country’s lead negotiator on cyber issues. He begins with a statement setting out China’s position.
– We try to not only protect Internet freedom, but also safeguard social order, public and national security.
– America has accused China though of supporting hackers and of the government supporting hackers attacking American companies. What does China think about it?
– It is not true. China is one of those countries suffering most hacker attacks.
– So, other countries are saying that your state is sponsoring these attacks, but you’re saying you’re the victim of hacker attacks?
– Do you think China gets singled out though for particular attention? Sometimes people say: China, China, China…
– It is not fair, because some people, I think… First, they are misunderstanding what happened in China. And sometimes we think this is a political game. It’s not true and not fair.
The view from Beijing, it seems, is that America and its allies are using the charge of economic espionage to distract from their own aggressive cyber activities. Leaked documents from the former US intelligence contractor Edward Snowden suggest the US has been spying on Chinese computers and sweeping up communications on a huge scale. A former general in the People’s Liberation Army says:
– Countries are always attempting to obtain intelligence from each other by all kinds of means. There was no need to make more of this than we need to. Getting hold of technological secrets so that you can learn from another country is nothing new. It happened well before cyber space came along. The main thing is that control of cyber space is too concentrated in the hands of the US.
Everyone says they’re under attack in cyberspace. But they all have different ideas of what that means. Part of this is about nations finding their feet in this new world which has transformed our way of life, including how we conduct spying and warfare.
Now about our dependency on the Internet, the battle over the control of cyberspace, and how vulnerable we’ve all become and about the extent to which cyberspace is now being used to spy, steal and to wage war.
It is easy to lose sight of how much our daily lives are dependent on the Internet, leaving us vulnerable to those who wish to do us harm. But every now and again there is a reminder.
– Hello, this is Breakfast with Bill Turnbull and Sian Williams.
– The Games are about to begin. Welcome to our first special program from here, the Olympic Park, as London prepares for the spectacular opening ceremony happening right here in just a few hours time.
On July 27th 2012 the world was preparing to watch the opening ceremony of the London Olympics. But what the world did not know was that behind the scenes those involved in securing in the Games had a fear. What if half way through the ceremony everything went dark? Oliver Hoare in charge of cybersecurity for the Games was tucked up in bed when he was woken early.
– I had a foreign call at 4.45, which is always disturbing, particularly on your day off, but more disturbing was the fact that the foreign call was from GCHQ and there was a suggestion that there was a credible attack on the electricity infrastructure supporting the Games. First reaction to that is: goodness, I must get a strong cup of coffee and get into the office.
– After 7 years of planning and waiting, the moment is here: we are just hours away now from the opening ceremony of London’s Olympics.
– We have a bird’s eye view here, so let’s…
The Olympics were a showcase to the world, designed to display Britain at its best. The damage to the country’s reputation if a hacker turned the lights off would be enormous. This is the first time anyone’s talked about those fears.
– My first response actually was: “Is it credible?” It was my day off, and I was looking forward to enjoying the opening ceremony, and so on. Luckily, not luckily, I think by design, we had tested and exercised ad nauseum. We had also tested no less than 5 times the possibility of an attack, a cyber attack on the electricity infrastructure, or the power infrastructure. In a sense, I think we felt pretty well prepared. But there’s always an amount of concern, particularly when you’ve only got 8 or 9 hours before the opening ceremony.
– The clock was ticking, wasn’t it?
– The clock was absolutely ticking, so it was a fast moving a) investigation, but b) how do we put the mitigations in place? And I distinctly remember about an hour or so before the opening ceremony a conversation: “So, what’s the situation?” And you know, good news is that if the lights go down, we can get them up and running, regardless, within 30 seconds. Now, on the surface you might say: “Wow, that’s great.” 30 seconds at the opening ceremony with the lights going down would have been catastrophic in terms of reputational hit. So I watched the opening ceremony with a great deal of trepidation.
– Where did you watch the opening ceremony?
– I did actually watch it from home, but at that stage, you get to a stage where there’s only so much you can do.
– Were you biting your nails?
– I was very much on the edge of my seat and, being a good government official, had not said anything to my wife and children about this event. So we’re sitting there sort of being very nervous, but thankfully it went through…
– Every time the lights must have dimmed in Danny Boyle’s opening ceremony, you must have thought it was a cyber attack.
– There was always a twitch.
The attack never materialized. A false alarm this time, but the risk was real. A country relies on its critical infrastructure for everyday life: power, water, financial services, telecoms, government, services which are increasingly controlled and accessible through the Internet. 50 years ago espionage or even sabotage might have involved someone sneaking into a power station and perhaps planting a backpack full of explosives. Today it could simply involve sitting at a computer thousands of miles away. President Clinton woke up to the danger in America during the mid-1990s, appointing Richard Clarke as the country’s first cyber czar.
– The President had appointed a commission in 1996 to look at the protection of critical infrastructure. We were thinking bridges, dams. The commission took a year or more and came back and said: “Critical infrastructure is increasingly being controlled by software and on the Internet.” And there are threats on the Internet of hackers, therefore the commission said the government needs a policy and needs to start thinking about the threats to critical infrastructure through cyber attack. That all sounded nice; it didn’t seem to have anything to do with me until President Clinton said: “We need someone to worry about this, and since you worry about other forms of protection and other threats, you get to worry about this as well.”
– And how worried were you about what you found at that stage?
– I was shocked, frankly, because I knew so very little about it, but most people knew little about it. And when I learned how vulnerable these things were, how vulnerable the software was, how vulnerable the hardware was, and how easy it was to hack into very important systems.
That was more than 15 years ago. Since then more and more systems have gone online, everything from power stations to banks are now hooked up to the Internet.
Here at the White House cybersecurity has moved to the very top of the political and policy agenda. This is the country where the Internet was born. But there is a sense that perhaps something has been unleashed, which America can’t control and which poses real threats. Those fears were articulated in President Obama’s State of the Union address earlier this year.
– Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.
So, who is probing America’s infrastructure and why? Richard Clarke:
– Well, if you think about the air traffic control system and the electric power grid, there’s very little intelligence value in getting into those. You don’t learn anything that you can then apply in China or Russia. The only real point of getting into the power grid control system or the air traffic control system is to have a cheap deterrent – it’s a lot cheaper than nuclear weapons. It’s not very credible that you would ever use nuclear weapons. It’s slightly more credible to suggest that you might one day under a crisis situation destroy parts of the electric power grid.
– The Chinese would probably say: “We’ve seen the Americans in our infrastructure.”
– They’ll probably be right.
The first signs that one state might be prepared to use the cyber realm to attack another came in Europe in 2007. The conflict began with a monument, a memorial to an old war. But this time the battle would be fought using new technology.
6 years ago, when the Estonian authorities moved this huge statue of a Soviet soldier I’m standing next to, from the center of their capital Tallinn to the outskirts here in the military cemetery, it caused a huge diplomatic row with Russia. There were protests on the street, but also a sustained cyber attack on Estonian institutions, which made headlines around the world.
The large ethnic Russian community in Estonia was furious at the moving of the statue, which they saw as a provocation. And they took to the streets. Our next guest was a student back in 2007:
– For me what was going on was riots in the streets, which was something completely unseen for a Northern European country. You don’t see them often, I think it was pretty much the only occasion when something like that has happened. Windows were smashed and you saw some small fires in the streets.
People flooded the streets, but something else happened. Estonia is a small country, and also unusually Internet dependent, and its websites were flooded too. Millions of computers tried to access them simultaneously, a bit like too many people trying to get through the front of the shop at sales time with the result that no one gets in. This type of attack, which takes websites offline, has a name – DDoS, a distributed denial-of-service attack. As well as the media, the attack struck a heart of the country’s financial system. In 2007 Yan Prislaw was head of IT security for one of the country’s largest banks.
– Usually we have some kind of warning. But then there was no warning, you simply see that your customers are not reaching you for some reason. Maybe you have some overloads in some places in your infrastructure, but basically you’re seeing that the number of customers who are actually reaching your systems is dropping.
– And you could see that at the time?
– Something was going wrong.
Estonia has always been convinced that Russia was behind the attacks because of the diplomatic crisis over the statue at the time. Although proving definitively it was the Russian state, and not just patriotic activists, is hard. Toomas Ilves had just become President of Estonia the year before the attacks.
– If you are a country that already then was as dependent upon information communication technology, it can be quite distressing. I mean, banks could not operate for a while; briefly, even the emergency number 112 was under attack. This could have had major implications for people’s lives.
The attack on Estonia largely involved taking websites offline. In 2010 came the game changer. The target was Iran’s nuclear facility at Natanz, which Western countries fear is being used to make material for nuclear weapons. The method of attack, a virus called Stuxnet, broke through from the digital into the real world with destructive effect. John Bumgarner has worked in US special operations and intelligence:
– The person behind these attacks had to make the decision: should they use a bomber or some type of strategic airstrike to destroy the facility or use a piece of cyber weapon, a piece of code? And they made a logical decision to use the code, because the code could be stealthy, it had very little attribution to it, and it could do destruction, but at a slower pace. If they were to pick the bomb to do a military strike, that would have potentially led to some type of conflict, a war, and it would have cost nearly a trillion dollars to deal with that. And Stuxnet was a very cost effective way to deal with the Iranian problem.
Stuxnet caused the centrifuges at Natanz, which enrich Uranium, to spin out of control whilst telling the operators that everything was fine. The machines crashed into each other, setting back Iran’s nuclear program, although only by a matter of months. The virus was carefully engineered to only damage Iran. But it escaped into the wider world, where it was analyzed by hackers and computer experts. Among them Eugene Kaspersky in Russia:
– We were waiting for something like this. That was the first time we had the cyber missile in our hands, and that was really scare.
– Do you believe it has to be in a state then?
– I don’t know who is behind these projects like Stuxnet, but I’m pretty sure that’s not criminal gangs, because these software projects are expensive, and they estimate Stuxnet like 10 million dollars budget to develop this kind of software.
So, who was responsible? Behind me is a huge black building. It’s home to America’s largest and most secret intelligence organization, the National Security Agency. For decades its job has been to spy on the world’s communications to break their codes. Now this place is also home to the US military’s Cyber Command.
Cyber Command became operational alongside the NSA the same year Iran was hit, 2010. America, perhaps with Israel, is accused of being behind Stuxnet. Neither will confirm it, but they certainly have the capability. General Michael Hayden, a former director of the NSA, proudly describes its headquarters as home to the greatest concentration of cyber power on the planet.
– It will be irresponsible for someone with my background to even speculate as to who was involved with Stuxnet. But it’s not speculation to know that someone just used a cyber weapon to effect damage not in the cyber domain, but in the physical domain. That’s the first significant crossover that we’ve seen. Now look, I tell audiences that crashing a thousand centrifuges at Natanz is almost an unalloyed good. When you describe what just happened there in several different ways: someone just used a cyber weapon during a time of peace to effect physical destruction, and what another nation would only describe as their own critical infrastructure. You’ve got to realize that although it was a good deal, it was also a really big deal. It does have second and third order effects.
– I think you recently described it as an August ’45?
– I did. It’s far different destructive power. But it just has the worth of August 1945; a new class of weapon has been used. Go deeper into history and, say, somebody’s crossed the Rubicon. We’ve got to lead you on the different side of the river now.
America was the first to use the atom bomb. The debates over the morality of that decision reverberate to this day. In the same way some question whether the release of Stuxnet will be judged worthwhile. Richard Clarke, former White House cyber coordinator:
– I think there are people in the Obama administration who think Stuxnet was not well done: a) we got caught, b) it went too early, and c), most importantly, it escaped onto the Internet, which it was not supposed to do. And people downloaded it all around the world. And they decompiled it and learned how it works.
Over at the State Department in the office of Chris Painter, lead negotiator on cyber issues, the walls are filled with posters of films over the years in which hackers or computers feature: I, Robot; The Girl with the Dragon Tattoo; WarGames; Terminator; Sneakers. The posters reflect the hopes and fears going back over decades that computers are taking over.
– The oldest one I have is a movie called Desk Set: Katharine Hepburn, Spencer Tracy. She plays a research librarian who’s replaced by a thinking machine in 1958. There’s a long history of movies doing this.
– Do you have a favorite?
– I think they’re all favorites in different ways. That’s a great movie, it’s a classic movie, obviously Colossus is very hard to find, but it gave the seeds for WarGames, Terminator and for all these different movies that came afterwards.
– As President of the USA, I can now tell you, the people of the entire world, that as of 3am Eastern Standard Time the defense of this nation, and with it the defense of the free world, has been the responsibility of a machine, a system we call Colossus.
Hollywood has long imagined the dystopian future in which technology takes over, disrupting our daily lives. We’re still a long way from that, but customers of some American banks are getting a small taste of it. For months now banks have been hit by DDoS attacks, taking them offline for hundreds of hours so that people can’t bank online. The motive is not criminal gain, but disruption. The attacks are coming from computers around the world that have been compromised or hijacked without their users knowing it. Chris Painter has been seeking the help of other countries in order to stop it.
– We’ve asked them for technical help. We said: “Can you help us mitigate this?” And we’ve done that both on the technical level, but we’ve also reached out on the diplomatic level and said: “Look, this is an important thing for us. We also reciprocate, if you need help, we’ll help you too.”
– A hundred countries involved in the attacks on the America’s banking system?
– A hundred countries. So, the DDoS, or botnets, are, by their nature, distributed. They are all over the place, and they can involve compromised servers all over the world.
– Do you think that’s Iran behind those attacks?
– I’m not going to comment on that, but what I will say is that it’s certainly an indication of a significant development in cyberspace and one that we need to work with other countries around the world to make sure it gets mitigated.
Which company manages today’s largest petroleum reserves, but continues to seek out resources for the world of tomorrow? Which company produces its oil and gas in a single country, but supplies energy to the four corners of the globe? Which company? Saudi Aramco: energy to the world.
In August 2012 workers at the offices of the oil giant Saudi Aramco logged on to their computers and were greeted with a surprise. All the data and files had been overwritten and replaced with an image of a burning US flag. An extraordinary 30,000 computers were rendered useless – effectively destroyed. This attack on one of America’s close allies and a bitter enemy of Iran was a wakeup call to Washington. There’s no definitive proof about who was behind the attack, but Richard Clarke, former White House cyber coordinator, seems convinced.
– I think the US two years ago would have told you that the Iranians don’t have much in the way of cyber war capability. And they would have been wrong, because within a year we’ve seen the Iranians do a very sophisticated wipe out attack, wiping out 30,000 end points on Saudi Aramco, and doing the largest DDoS attack, flood attack that we’ve ever seen. It was larger than everything we’ve ever seen by a factor of 10.
– The Saudi Aramco attack was very unusual, wasn’t it, to actually destroy those computers?
– I cannot think of another case in history where a large network, 30,000 end points or anything like that, have been attacked and everything wiped out, all the hard drives wiped out. I don’t think I’ve seen an example of that ever.
– It’s pretty scary, isn’t it?
– It’s very scary. If you step back and think: the US destroyed the Natanz centrifuges with a cyber attack – what did the Iranians do? I think they have come back and sent us a message. “We can do destruction of networks as we did to Aramco. We can do DDoS attacks on US banks.” The implicit message to America from Tehran I think is: “What if we did a wipeout attack on the American banks? We can do real damage to the American financial institution. And therefore, America, stop hacking into our networks, because we can do it too.” I think the Iranians have sent a very sophisticated message, and I think the American government has heard it.
– You think so?
– I do.
– Because, of course, the Iranians would say the US started this in terms of militarizing cyberspace, in terms of attacking them with Stuxnet.
– And the Iranians would be right about that.
One of the movie posters in Chris Painter’s office at the State Department was the 1983 classic WarGames, in which a teenager hacks into a Pentagon computer. The Pentagon mistakenly believes the Soviet Union is launching a nuclear missile strike. Washington’s convinced it’s under attack, and not realizing it’s being fooled, prepares to retaliate. So, will the Hollywood nightmare of cyber war become real?
More than 30 countries are believed to be currently developing their own offensive cyber weapons, including Britain. The US may have been vocal about Chinese cyber espionage, stealing industrial secrets from American companies, but China sees America as the more aggressive party in the way it’s been preparing for cyber war. China’s been closely following reports that US Cyber Command is growing to nearly 5000 personnel. A former General in the People’s Liberation Army:
– Do you think the US has militarized cyber space?
– It has already militarized it with its own commander and an army. It has got three branches: one mainly based in the Pentagon with offensive and defensive abilities; one focusing on infrastructure, such as the electricity network, and one focusing on all the network-based stations. They have plans and even exercises. China is falling far behind America in this area.
In the Chinese Foreign Ministry in Beijing Doctor Huang Huikang provides a carefully worded statement reflecting concerns over the direction in which cyber space is moving. America is unnamed, but the focuses of his concerns are clear.
– Some major powers with their technology advantages seem keen on developing cyber weapons, establishing the cyber force and enhancing cyber attack capacities. Some countries are attempting to extend the right of self-defense applicable to cyberspace. It seems to us this approach is very dangerous. China believes that peace of cyber space is in the interest of every country and the humankind as a whole.
Back in Estonia, subject to a major cyber attack in 2007, the country is perhaps surprisingly leading the way globally in putting services for citizens online. I’m given a demonstration of their e-services project, in which the positive benefits of the Internet are being emphasized.
– Everything’s connected to your housing to see what you own, how you manage it…
Anna and Raul provide me with a demonstration of the range of information citizens can now access and the things they can do online.
– It will take 3 minutes for us to vote.
– What’s interesting is that because of what happened in 2007 you would think you’d be a country that would be more nervous about putting so much online, but actually it’s the opposite.
– I think that you cannot actually avoid it. So the only way to go ahead is to invest more to the security.
Toomas Ilves, President of Estonia, perhaps the most cyber savvy nation in the world, is all too aware of the risks and benefits the Internet has brought. He, like others, believes we need to urgently establish rules of behavior between states, lords of cyber war, if you like. It is a period a bit like the early Cold War, in which new weapons risk escalated tensions, even leading to conflict. Some countries are already talking of responding to cyber attacks with real weapons.
– If a missile lands on an electrical power plant, where you basically know where it came from, and then you know what to do. But if you shut down the same electrical power plant with the same effect within society with a cyber attack, you don’t know who did it. And what is the appropriate response? There have been some answers. I mean, the US Department of Defense said 2 years ago that we don’t care, which basically means if you attack us digitally, we might just come and get you with a bomb.
Espionage, sabotage, warfare – all these things have been around a long time. But in the same way the Internet has transformed and enriched our everyday lives, it’s also transformed these darker acts. We can’t put the cyber genie back in the bottle, but we’re only just beginning to think about how we might tame it.