Mikko Hypponen on the concept of cyber war

Chief Research Officer at F-Secure Mikko Hypponen expresses his viewpoint on the definition of cyber war and speaks about recent infamous cyber attacks.

There is a lot of talk around cyber war. And that definition is kind of murky, it’s better to make distinctions between cyber attacks, cyber espionage, cyber war.

Now, almost everything gets labeled cyber war. And that’s not really the right way to do it, because we eventually will end up seeing what I call – real cyber war.

Already when we today label things like denial of service attacks, or hacking into services as cyber war, what are we gonna call it then, when we see a real attack, when countries are at war and use armies to attack computer systems of another country?

We’ve seen certain examples that come close to it, but have never actually seen what you define as cyber war, which is one country’s cyber arsenal attacking another one’s.

Well, for real cyber war, you would first have to have a war. We have seen cases, for example Stuxnet is a good example. Yes, it’s very important, it is ground breaking, it is the first case of cyber sabotage. But it’s hard to characterize it as a war, because there is no war, and if there would be war, which countries would be fighting it?

There are obviously groups of people who’d like to make this sound as serious and as threatening as possible already. That’s lots of money at stake. Armies and defense forces around the world are researching cyber defense and most likely, we are guessing, cyber attacks. And the more threatening the situation looks like, the more money there is to be made by private sector working with development like that.

And what we saw in Estonia 2007, what we’ve seen with the Anonymous attacks – I wouldn’t call it cyber war. Cyber gang war is a much better description. Because it is individual groups, this hive mind that takes the life of its own. But it really isn’t warfare. And gang war, which we see in cities around the world, is a much closer definition of what we are seeing here in the online world.

As to Stuxnet, there were comments that it wasn’t as advanced as it could have been because it didn’t try to antidebug, or use antidebug features against security programs. It wasn’t really encrypted very effectively, unlike much more complicated malware which we’ve seen before.

And I think that this was on purpose. What Stuxnet accomplished with this is that it didn’t look like malware, and most antivirus labs around the world detect most of the malware today with automation. And to automation, Stuxnet looked like some sort of installer, creating registry keys and dropping signed drivers. And through most automation systems, that would actually pass with fine colors and it didn’t get flagged. So if you look at it from that point of view, it was a success.

It wasn’t a wild spread, but it certainly spread, and it was a bit of failing of antivirus firms to not catch it sooner. It is embarrassing to us in the antivirus industry that it was spreading for so long before we actually found it.

Seems we might anticipate another Stuxnet forming, as sophisticated, with lot of money behind it. I wish it wouldn’t happen, but I think it will happen, we will see more attacks like this – maybe from the same source, maybe we will see copycats.

Obviously, modifying Stuxnet isn’t trivial although it’s easy to find Stuxnet itself, but taking the ideas, taking just the concept that – yes, you can infect PLC devices, you can affect the real world automation devices. And these devices are everywhere. Every single factory, every single power plant, the elevators in this building are running those PLC boxes. And if you can affect their operation – yes, you can affect the real world.

A lot of the stuff in critical infrastructure is hooked up to the public Internet or at least a PC, where one could inject a USB stick and infect it that way. It’s sometimes scary when you see how everything is running on computers, and in many cases running with off-the-shelf operating systems, Windows XP operating missiles. Windows NT which is 15 years old was in use at Deep Water Horizon – that’s the platform that exploded, which just makes you wonder…