Las Vegas (CNN) — The former director of the CIA’s Counterterrorism Center raised concerns Wednesday about an impending “code war” in which hackers will tamper not just with the Internet but with technology that runs real-world infrastructure.
Somewhat fittingly, Cofer Black’s keynote talk at the Black Hat hacker conference at Caesars Palace in Las Vegas was interrupted by a literal alarm: flashing lights, sirens and the whole bit.
"Attention, please. Attention, please," a robotic woman’s voice said repeatedly as Black smiled, apparently confused. "We are currently investigating the alarm signal you are hearing. Please remain calm."
After a pause and some laughs from the audience, Black kept going.
"This is a very delicate window into our future," he told the hackers. "Cold war, global war on terrorism and now you have the code war — which is your war."
It’s unclear what caused the alarm — whether it was planned to help make Black’s point, was an accident or was the result of a hack. Black Hat is a computer security conference attended by thousands of hackers.
One Black Hat spokeswoman said that sort of thing happens every year at this event, and she’s not sure exactly what causes the alarms.
Another said it wasn’t a hack. “With over 6,500 people in here it’s hard to control who pulls the alarm!” Natalia Wodecki wrote in an e-mail.
In any event, Black’s siren-punctuated words carry weight, since he’s credited with warning the United States government about a September 11-type terrorist attack in August 2001. Black recalled the moment he told defense officials about the threat of al Qaeda, and he compared that moment to his Black Hat talk.
Officials should be more concerned about a cyberattack, he said.
"People say, ‘Were you surprised when 9/11 took place?’ and I can tell you neither myself nor my people in counterterrorism were surprised at all. Instead it was a strange validation of what we had anticipated had indeed taken place. …
"In the technology world, you may face similar issues in the future."
He referenced last year’s Stuxnet computer worm, which some researchers think was designed to attack Iran’s nuclear facilities.
"I’m here to tell ya … the Stuxnet attack is the Rubicon of our future," he said. "I don’t necessarily understand how this was executed, but the important points are (that) it was really expensive, so a nation-state had to be involved."
Hacking, once seen as “college pranks,” has moved “into physical destruction of a national resource,” he said. “This is huge.”
He left the talk on an optimistic note, calling on security researchers in the audience to work to prevent such attacks.
"We’re all in this together, and we’re counting on you," he said.
Stuxnet is a Microsoft Windows computer worm discovered in July 2010 that targets industrial software and equipment. While it is not the first time that crackers have targeted industrial systems, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit.
Stuxnet is designed to programmatically alter Programmable Logic Controllers (PLCs) used in those facilities. In an ICS environment, the PLCs automate industrial tasks such as regulating flow rate to control pressure and temperature.
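To make concrete why altering PLC logic matters, here is a small simulation written for this page; it is an added illustration, not code from any of the articles or from any Stuxnet analysis. It models a PLC-style loop regulating tank pressure, the same loop with tampered logic that drives the valve open while reporting a normal value to the operator's display, and an independent safety interlock that reads the physical sensor directly. The process constants (valve gain, vent rate, safe limit) are constructed.

```python
# Added illustration (not code from any article on this page): a PLC-style
# control loop, the same loop with tampered logic, and an independent safety
# interlock that reads the sensor directly. All process constants are constructed.
from dataclasses import dataclass, field
from typing import List, Optional

VALVE_GAIN = 10.0      # constructed: pressure added per tick at a fully open valve
VENT_RATE = 2.0        # constructed: pressure lost per tick through a fixed vent
SAFE_LIMIT = 80.0      # constructed: pressure above which the interlock must act


class Process:
    """A minimal tank: pressure rises with valve opening and falls through a vent."""

    def __init__(self, pressure: float = 50.0) -> None:
        self.pressure = pressure

    def step(self, valve_open: float) -> float:
        """Advance one tick; valve_open is in 0.0..1.0."""
        self.pressure = max(self.pressure + VALVE_GAIN * valve_open - VENT_RATE, 0.0)
        return self.pressure


class Controller:
    """PLC-style proportional loop that also feeds the operator's HMI display."""

    def __init__(self, setpoint: float, tampered: bool = False) -> None:
        self.setpoint = setpoint
        self.tampered = tampered

    def compute(self, measured: float) -> float:
        if self.tampered:
            # Tampered logic ignores the measurement and drives the valve fully open.
            return 1.0
        error = self.setpoint - measured
        return min(max(error / 20.0, 0.0), 1.0)  # constructed proportional gain

    def report_to_hmi(self, measured: float) -> float:
        # Tampered logic shows the operator a normal-looking value, so an alarm
        # that trusts the controller's report never fires.
        return self.setpoint if self.tampered else measured


@dataclass
class RunResult:
    hmi_alarm_tick: Optional[int]        # first tick the HMI-based alarm fired, if ever
    interlock_trip_tick: Optional[int]   # first tick the independent interlock tripped
    peak_pressure: float
    hmi_trace: List[float] = field(default_factory=list)


def run(controller: Controller, ticks: int = 30,
        independent_interlock: bool = True) -> RunResult:
    """Simulate the loop. The HMI alarm sees only what the controller reports;
    the interlock reads the physical sensor and latches the valve closed."""
    proc = Process()
    hmi_alarm = trip = None
    peak = proc.pressure
    trace: List[float] = []
    for t in range(ticks):
        measured = proc.pressure
        valve = controller.compute(measured)
        if independent_interlock and trip is None and measured > SAFE_LIMIT:
            trip = t
        if trip is not None:
            valve = 0.0  # interlock has latched the valve closed
        reported = controller.report_to_hmi(measured)
        trace.append(reported)
        if hmi_alarm is None and reported > SAFE_LIMIT:
            hmi_alarm = t
        peak = max(peak, proc.step(valve))
    return RunResult(hmi_alarm, trip, peak, trace)


if __name__ == "__main__":
    print("normal    :", run(Controller(50.0)))
    print("tampered  :", run(Controller(50.0, tampered=True), independent_interlock=False))
    print("interlock :", run(Controller(50.0, tampered=True)))
```

With honest logic the loop settles below its setpoint and nothing trips. With tampered logic and no interlock the HMI keeps showing the setpoint while the real pressure climbs without bound. With the interlock in place the valve is cut a few ticks after the limit is crossed; the point is that the safeguard must observe the process independently of the controller it is protecting against.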
Stuxnet: Anatomy of a Computer Virus (by Patrick Clair)
An infographic dissecting the nature and ramifications of Stuxnet, the first weapon made entirely out of code. This was produced for the Australian TV program HungryBeast on Australia’s ABC1.
Direction and Motion Graphics: Patrick Clair patrickclair.com
Written by: Scott Mitchell
Production Company: Zapruder’s Other Films.
A German computer security expert said Thursday he believes the United States and Israel’s Mossad unleashed the malicious Stuxnet worm on Iran’s nuclear program.
"My opinion is that the Mossad is involved," Ralph Langner said while discussing his in-depth Stuxnet analysis at a prestigious TED conference in the Southern California city of Long Beach.
"But, the leading source is not Israel… There is only one leading source, and that is the United States."
There has been widespread speculation Israel was behind the Stuxnet worm that has attacked computers in Iran, and Tehran has blamed the Jewish state and the United States for the killing of two nuclear scientists in November and January.
"The idea behind Stuxnet computer worm is really quite simple," Langner said. "We don’t want Iran to get the bomb."
The malicious code was crafted to stealthily take control of valves and rotors at an Iranian nuclear plant, according to Langner.
"It was engineered by people who obviously had inside information," he explained. "They probably also knew the shoe size of the operator."
Stuxnet targets computer control systems made by German industrial giant Siemens and commonly used to manage water supplies, oil rigs, power plants and other critical infrastructure.
"The idea here is to circumvent digital data systems, so the human operator could not get there fast enough," Langner said.
"When digital safety systems are compromised, really bad things can happen — your plant can blow up."
Most Stuxnet infections have been discovered in Iran, giving rise to speculation it was intended to sabotage nuclear facilities there.
The New York Times reported in January that US and Israeli intelligence services collaborated to develop the computer worm to sabotage Iran’s efforts to make a nuclear bomb.
By CHRIS BARTH
Houston, we have a problem. Or should I say, “Iran, we have your problem?” Last night, a member of hacker group Anonymous – a devious 4chan-spawned Internet coalition known for increasingly serious web-based attacks – announced on Twitter that the group was in possession of the Stuxnet virus.
Stuxnet is one of the more powerful viruses to ever spread across the internet. As Bruce Schneier detailed for Forbes, the worm crippled Iran’s nuclear facility by infiltrating a Siemens control system for industrial centrifuges. As I wrote late last year, the Stuxnet virus is a stark example of how cyber attacks can affect brick and mortar institutions.
“Anonymous is now in possession of Stuxnet – problem, officer?” tweeted a user by the name of Topiary. Topiary’s profile describes the user as an online activist and a “Supporter of Anonymous Operations, WikiLeaks, and maintaining freedom on the Internet.”
To me, two huge questions arise from Anonymous’ claim:
- Are they actually in possession of Stuxnet?
- Can they do anything with it?
The answer to both questions, of course, is maybe. But let’s dive a little deeper.
Recently, Anonymous has been in the news for its high profile attacks on software security firm HBGary, after Aaron Barr, the CEO of HBGary’s sister firm HBGary Federal, claimed to have acquired the names of senior Anonymous members and threatened to release them to the public. Forbes’ Parmy Olson has done a fantastic job covering that affair.
This is where the possibility for Anonymous getting its hands on Stuxnet increases. In a post this morning, Olson quotes a source from Anonymous who briefly rattles off the contents of a slew of emails uncovered during the HBGary takedown. “Three different malware archives, two bots, an offer to sell a botnet, a genuine stuxnet copy, and various malware lists,” are supposedly among the contents.
Could this be pure posturing? Sure. But it doesn’t seem out of the question that a security firm would have high level information on one of the most threatening viruses out there.
So let’s pretend that Anonymous does, in fact, have a copy of the Stuxnet worm in their possession. Can they do anything with it? We’ve already seen Stuxnet’s efficacy in attacking Siemens Supervisory Control And Data Acquisition (SCADA) systems attached to very specific industrial machinery. The complexity of the worm allowed it to infiltrate deep into Iran’s nuclear facilities before unleashing its payload. A report by Symantec today updated their September dossier on the virus and revealed that the attacks started in June of 2009 and ended in May 2010, around a month before the attacks were even noticed.
The worm’s complexity, however, could also render it mostly useless in Anonymous’ hands. I’ll let Schneier get into the weeds on some of the details, since he does a great job of explaining:
Here’s what we do know: Stuxnet is an Internet worm that infects Windows computers. It primarily spreads via USB sticks, which allows it to get into computers and networks not normally connected to the Internet. Once inside a network, it uses a variety of mechanisms to propagate to other machines within that network and gain privilege once it has infected those machines. These mechanisms include both known and patched vulnerabilities, and four “zero-day exploits”: vulnerabilities that were unknown and unpatched when the worm was released. (All the infection vulnerabilities have since been patched.)
Stuxnet doesn’t actually do anything on those infected Windows computers, because they’re not the real target. What Stuxnet looks for is a particular model of Programmable Logic Controller (PLC) made by Siemens (the press often refers to these as SCADA systems, which is technically incorrect). These are small embedded industrial control systems that run all sorts of automated processes: on factory floors, in chemical plants, in oil refineries, at pipelines–and, yes, in nuclear power plants. These PLCs are often controlled by computers, and Stuxnet looks for Siemens SIMATIC WinCC/Step 7 controller software.
If it doesn’t find one, it does nothing.
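The infection path Schneier describes above (arrival on removable media, then a payload that only matters on hosts running the Siemens engineering software) suggests what a defender should be watching for. The following detection logic is an added example written for this page, not code from the article or from Schneier: it ties program launches to a recent removable-media insertion on the same drive letter and raises severity when the host is in a constructed inventory of Step 7 / WinCC workstations. The log format, hostnames and inventory are all constructed.

```python
# Added detection example (not code from the article or from Schneier): flag
# programs launched from a drive letter that just saw removable-media insertion,
# and raise severity on hosts known to run the targeted engineering software.
# Log format, hostnames and the software inventory are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed inventory: hosts that run Siemens Step 7 / WinCC
ENGINEERING_HOSTS: Set[str] = {"ENG-WS-01", "ENG-WS-02"}

# Constructed endpoint telemetry, one key=value record per line, in time order
SAMPLE_LOG = """\
2010-07-12T09:14:02Z host=ENG-WS-01 event=usb_insert drive=E:
2010-07-12T09:14:09Z host=ENG-WS-01 event=process_start image=E:\\setup.exe parent=explorer.exe
2010-07-12T09:30:00Z host=ENG-WS-01 event=process_start image=C:\\Windows\\notepad.exe parent=explorer.exe
2010-07-12T10:02:41Z host=OFFICE-PC-07 event=usb_insert drive=F:
2010-07-12T10:02:55Z host=OFFICE-PC-07 event=process_start image=F:\\photos.exe parent=explorer.exe
2010-07-12T11:45:13Z host=ENG-WS-02 event=process_start image=D:\\tools\\update.exe parent=cmd.exe
2010-07-12T12:00:00Z host=ENG-WS-02 event=usb_insert drive=D:
"""

INSERT_WINDOW = timedelta(minutes=5)   # how long after insertion a launch is tied to it
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_record(line: str) -> Dict[str, str]:
    """Split 'timestamp k=v k=v ...' into a dict; values contain no spaces."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": ts}
    for pair in rest.split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def find_removable_executions(log: str, engineering_hosts: Set[str]) -> List[Dict[str, str]]:
    """Return one alert per process start whose image sits on a drive letter that
    saw a removable-media insertion on the same host within INSERT_WINDOW."""
    inserts = defaultdict(list)   # (host, drive letter) -> insertion times
    alerts: List[Dict[str, str]] = []
    for line in log.splitlines():
        rec = parse_record(line)
        ts = datetime.strptime(rec["ts"], TS_FORMAT)
        if rec["event"] == "usb_insert":
            inserts[(rec["host"], rec["drive"].upper())].append(ts)
        elif rec["event"] == "process_start":
            drive = rec["image"][:2].upper()           # e.g. "E:"
            # Only insertions that happened before the launch and within the window
            # count, so a launch from D: before D: was inserted (ENG-WS-02 above)
            # is not tied to it.
            recent = [t for t in inserts[(rec["host"], drive)]
                      if timedelta(0) <= ts - t <= INSERT_WINDOW]
            if recent:
                alerts.append({
                    "ts": rec["ts"],
                    "host": rec["host"],
                    "image": rec["image"],
                    "severity": "high" if rec["host"] in engineering_hosts else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in find_removable_executions(SAMPLE_LOG, ENGINEERING_HOSTS):
        print(alert)
```

On the constructed log this yields two alerts: a high-severity one for the engineering workstation and a medium one for the office PC, while the launch on ENG-WS-02 that predates its insertion event is left alone. The severity split reflects Schneier's point that the payload has nothing to act on outside the engineering environment, which is also where removable-media controls pay off most.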
So, unless the Anonymous hackers want to control industrial centrifuges, we should be alright? Not so fast. Theoretically, it would be possible to dismantle the virus and implant a separate payload, effectively piggy-backing another virus on the Windows-based attack code. This is no walk in the park coding exercise, to be sure, but Anonymous has proven their impressive abilities in the past. If such a deconstruction and reconstruction were to be pulled off, it could have wide-reaching consequences. In August 2010, the Stuxnet virus was reportedly infecting over 60,000 computers in Iran, not causing any harm but eager to spread until it found a place to release its payload.
For now, we’re largely dealing in hypotheticals. Since Stuxnet has been discovered, efforts are being put against it at high levels to prevent such attacks in the future. But if Anonymous does, in fact, have possession of the worm, it could have massive repercussions for both online and offline security. As Mort Zuckerman said late last year, though, “Malicious programmers are always able to find weaknesses and challenge security measures. The defender is always lagging behind the attacker.”
Cyberwarfare and EMP (electromagnetic pulse) blameshifting
Today we’re going to talk about cyberwarfare in regional terms everyone can understand, and we’re going to use two well publicized disasters – Hurricane Katrina and the 1992 riots in Los Angeles after the police beating of Rodney King – as a scalable reference model. We’ll also compare the hot topic of 2009 – EMP – to the even hotter topic of 2010 – cyberwarfare.
To recap, EMP’s threat is seen by the CIO or IT manager as a showstopper:
EMP and high powered microwave (HPM) weapons offer a significant capability against electronic equipment susceptible to damage by transient power surges. This weapon generates a very short, intense energy pulse producing a transient surge of thousands of volts that kills semiconductor devices.
The conventional EMP and HPM weapons can disable non-shielded electronic devices including practically any modern electronic device within the effective range of the weapon.
Cyberwarfare is different and potentially much more dangerous than EMP due to the ease of delivery. Instead of physically delivering EMP ordnance, which can fry electronics, the actual SCADA architecture is used like Stuxnet proved feasible: program the machinery to tear itself apart from anywhere in the world.
Yet EMP and cyberwarfare share one common bond. Both are seen as nonlethal methods of warfare.
Would that change? Some sources say yes, considering the scale of the attack.
EMP weapons do not rely on in-depth knowledge of the systems they strike, attacking all electronic systems without prejudice. Second, they are effective in all weather. Third, they are area weapons, with scalable footprints. One weapon can kill electronic systems in an area the size of a tennis court or throughout the entire United States. [original house.gov source]
Cyberwarfare has a similar nonlethal comparison: where a single fighter jet’s avionics get zapped by a targeted cyber attack (and this is a reality right now) it would be seen as a “soft kill” since the fighter jet can still fly, but can no longer attack. Extend the nonlethal cyber attack up to collapsing critical infrastructure, such as banking, transportation and the power grid, and the same nonlethal tactics will contribute to the deaths of many.
As for cyberwarfare compared to EMP – most sources asked specifically about cyberwarfare said their damage assessments ran the gamut. Merely knocking out the payment systems of banking, for example, wouldn’t hurt much until people ran out of food and couldn’t pay for more. For that instance the equivalent given was a regional April 1992 Rodney King riot – 10 of which would equal the Hurricane Katrina level of mayhem and destruction.
Los Angeles riots of 1992. By the time the police, the U.S. Army, the Marines and the National Guard restored order, the casualties included 53 deaths, 2,383 injuries, more than 7,000 fires, damages to 3,100 businesses, and nearly $1 billion in financial losses. Smaller riots occurred in other cities, such as Las Vegas in neighboring Nevada, and as far east as Atlanta.
EMP and power grids: Nonlethal – at least right away
We’ll compare this nonlethal extension of EMP to one source’s first-hand knowledge of a 2010 Army War College event and the damage estimates their group presented.
As some sources who recently attended the 2010 Army War College think tank on EMP related to me, an extensive EMP attack could collapse 80 percent of the existing power and communication networks. This would result in an estimated minimum 10 percent fatality in the first six months, potentially upwards of 40 percent after 18 months. Those percentages equal 30 million to 120 million Americans, but a solution exists.
Right now sources relate that the United States has a $200 million solution at their fingertips which can’t quite become enacted. The proposed solution – fix all the custom-built transformers, just like Canada has done, and move on knowing that the risk of losing 10 to 40 percent of the nation’s population has been mitigated tenfold. The solution would probably mean the difference between total grid collapse and smaller [Hurricane Katrina-sized] regional grid collapses, which could be recoverable over a period of weeks and months, not years.
Yet this threat – and the solution – remain bogged down due to blameshifting. The buck doesn’t stop anywhere. Therefore, unless the executive branch makes an executive order mandating action, EMP power grid and communication vulnerability, which could easily be preventable, will continue.
Special note: If you’re an IT manager or CIO who has the unfortunately tough task of analyzing backup storage facilities and needs an explanation of EMP defensive strategy, try this site as a primer. Or this Air Force paper. Press on with your RFP details enlightened!
2010: Year of cyberwarfare and Stuxnet
In the same vein, coordinated cyber attacks on the power grid will likely result in Katrina-sized regional issues rather than nationwide – but how many of these could we sustain without economic collapse?
Let’s look at why we’re not acting on cybersecurity policy from several perspectives – military, corporate and judicial.
Military: That’s crime, not war, unless we prove intent
As the military states – there are laws like Posse Comitatus which prevent an over-reach of authority in cyberwarfare or cybersecurity provisions.
The Act prohibits most members of the federal uniformed services (today the Marine Corps, Army, Navy, Air Force, and State National Guard forces when such are called into federal service) from exercising nominally state law enforcement, police, or peace officer powers that maintain “law and order” on non-federal property (states and their counties and municipal divisions) within the United States.
Although it is a military force, the U.S. Coast Guard, which operates under the Department of Homeland Security, is not covered by the Posse Comitatus Act. The Coast Guard enforces U.S. laws, even when operating as a service for the U.S. Navy.
One has to wonder how big a cyberattack must get before it is declared an act of war. Fortunately, the Constitution provides a framework: if Congress declares war, it’s war. If the president authorizes action by the military against a non-nation-state entity, it’s legal. Think “Shores of Tripoli” and Google Barbary Pirates and Marine Corps for one example.
Since Katrina, there is increased participation for the military for action within our borders:
On Oct. 1, 2008, the U.S. Army announced that the 3rd Infantry Division’s 1st Brigade Combat Team (BCT) will be under the day-to-day control of U.S. Army North, the Army service component of Northern Command (NORTHCOM), as an on-call federal response force for natural or man-made emergencies and disasters, including terrorist attacks.
USNORTHCOM’s area of responsibility (AOR) includes air, land and sea approaches and encompasses the contiguous United States, Alaska, Canada, Mexico and the surrounding water out to approximately 500 nautical miles (930 km).
This gets a little interesting Constitutionally, to say the least, but it does provide damage control support for 21st Century warfare like EMP and cyber. However, two other limitations handcuff the military from proactive response and limit it to reactive response – proportionality and collateral damage. Under these provisions, response from the military is limited and reactionary with few exceptions.
Proportionality is the rule that limits the military’s response to an act. Defined in a single sentence: if I ran over your dog or cat, under proportionality you couldn’t respond by blowing up my house.
Collateral damage is something easier to understand. Anyone watching the news knows when a bomb goes off target, something else gets blown up. If a bomb is too big for the target, other non-targets are affected.
For the first time since the Cold War, collateral damage from threats such as EMP or cyberwarfare could very well affect a large number of civilian corporations and, in turn, affect us all.
Judicial: Stand back or the Constitution gets it!
Malware and botnet traffic could be filtered through the ISP infrastructure of the internet, but it is not. As the judiciary currently states, the power of the federal government may not infringe on ISPs to secure themselves. These ISPs must internally take responsibility for the malware and botnet related traffic yet there is no incentive for them.
2010’s FCC v. Comcast ruling is one recent example of a hand slap for the feds trying to overstep their Constitutional power and regulate components of internet delivery.
Instead of being compelled by oversight and regulations, couldn’t the ISPs simply “Just Do It”? It’s not that simple. Let’s examine motivation for inaction.
Corporate: No money in it
The benefits of doing nothing for a company usually outweigh the risk of involvement on a balance sheet.
Corporations are under attack constantly, yet they silo critical attack-related information, which could help to coordinate defense on a regional or corporate sector level. Additionally, the whole global economy shivers when stateside economic indicators move. Read any annual report from IBM to Adobe and discover that the majority of purchases financing these global corporations are derived from United States clients.
As the commercial/corporate sector often states – we’re not the ones to blame for the policies our global corporations make; the decision-makers in our company are overseas and [apparently] not subject to United States law for actions which may not be in this nation’s best interest – or even for actions which don’t support executive orders of the United States.
One theoretical example of how corporate responsibility from ISPs would work is to screen out botnet channels and quickly restrict the influence of established malware from self-propagating. However, that action probably wouldn’t be considered net neutral.
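One way such screening could work in practice is to look for the regular check-in rhythm of a bot talking to its controller. The following heuristic is an added example written for this page, not the post author’s code: it groups flow records by (source, destination, port) and reports channels whose inter-arrival gaps are nearly constant. The flow records are constructed; on real traffic the same heuristic also catches legitimate periodic clients (software updaters, NTP, monitoring agents), so it needs an allow-list before it is used to restrict anything.

```python
# Added example (not from the post): a periodicity heuristic for spotting
# beaconing, the kind of control channel an ISP-level screen would look for.
# The flow records below are constructed; real traffic needs allow-lists for
# legitimate periodic clients (updaters, NTP, monitoring agents).
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Flow = Tuple[int, str, str, int]   # (epoch seconds, src, dst, dst port)

# Constructed flows: one host checking in on a fixed cadence, one browsing normally
SAMPLE_FLOWS: List[Flow] = [
    (0, "10.0.0.5", "203.0.113.10", 6667), (60, "10.0.0.5", "203.0.113.10", 6667),
    (121, "10.0.0.5", "203.0.113.10", 6667), (180, "10.0.0.5", "203.0.113.10", 6667),
    (240, "10.0.0.5", "203.0.113.10", 6667), (299, "10.0.0.5", "203.0.113.10", 6667),
    (360, "10.0.0.5", "203.0.113.10", 6667), (420, "10.0.0.5", "203.0.113.10", 6667),
    (0, "10.0.0.7", "198.51.100.20", 443), (5, "10.0.0.7", "198.51.100.20", 443),
    (47, "10.0.0.7", "198.51.100.20", 443), (48, "10.0.0.7", "198.51.100.20", 443),
    (130, "10.0.0.7", "198.51.100.20", 443), (131, "10.0.0.7", "198.51.100.20", 443),
    (135, "10.0.0.7", "198.51.100.20", 443), (400, "10.0.0.7", "198.51.100.20", 443),
]


def beacon_candidates(flows: List[Flow], min_connections: int = 6,
                      max_jitter: float = 0.2) -> List[Dict[str, object]]:
    """Group flows by (src, dst, port); report groups whose inter-arrival gaps
    are nearly constant (population stdev / mean <= max_jitter)."""
    by_channel: Dict[Tuple[str, str, int], List[int]] = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_channel[(src, dst, dport)].append(ts)
    findings: List[Dict[str, object]] = []
    for (src, dst, dport), times in by_channel.items():
        if len(times) < min_connections:
            continue   # too few samples to call anything periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue   # all connections in the same second; not a cadence
        jitter = pstdev(gaps) / mu
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "period_s": round(mu, 1), "jitter": round(jitter, 3),
                             "count": len(times)})
    return findings


if __name__ == "__main__":
    for finding in beacon_candidates(SAMPLE_FLOWS):
        print(finding)
```

On the constructed data the 10.0.0.5 channel is reported with a 60-second period and jitter near 1 percent, while the browsing host’s irregular gaps fall well outside the threshold. Short groups are skipped entirely, since a handful of connections cannot establish a cadence either way.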
Solutions: It takes a village to prevent idiocy
Communities are strong. Online communities are even stronger, and with the force multiplier of technology they move faster than government or corporate communication channels. Consider researching these recent and successful online movements:
- The success of Wikipedia’s model as compared to MSFT Encarta.
- The current campaign by Anonymous called Operation Payback.
- Russian army vs. Georgia.
- Russian citizens vs. Estonia.
Consider the positive side of the matter: where Russian cyber militias sowed confusion in Estonia, a defensive security force leveraging the skills of the best cybersecurity folks would have the reverse effect and harden the target.
Recommendation: Get involved early
On the longer side of things, critical infrastructure has long been tightly bound to federal guidelines – NERC is an example, yet even this level still seems too reactive given the EMP example and the lack of capital outlay for cyberwarfare solutions.
Nobody wants to pay, yet everyone suffers should it go unaddressed.
While the military has at least 20,000 troops currently deployable, should a massive cyberwar event occur this is barely enough to contain a single Katrina-sized event with kinetic-world consequences, such as food shortages and communication outages, let alone the multiple ones sure to occur in a persistent cyberwarfare attack on SCADA systems and the electrical grid.
In a not-quite related post, one blogger laid the ultimate responsibility for the nation’s failure right at the feet of the electorate – all of us little people:
In a Republic we, its citizens, bear the final responsibility. We’re the problem. The American people today want reform, but not the cost and work it requires. Anger might be a precondition or result of that self-insight. After that comes the real work.
A profound revulsion at what we have become is a necessary, perhaps even sufficient, first step to reform.
The persistent threats to corporations, individuals and infrastructure may not be attributable, yet they must become addressable. Threats don’t go away because of inattention; instead they grow larger and larger.
By using a public-private partnership as an umbrella to shelter the necessary dialogue between corporations, volunteers and government, fear, uncertainty and doubt (FUD) can be dispelled. The rapid communication of the value proposition of Wikipedia-like voluntary cyber defenders to their employers will then become easier and our defensive structure will become enhanced.
Full Disclosure: As I related in previous articles, my grandfather worked for Sandia for 30 years after his duties in the Manhattan Project. Sandia is Shawn Carpenter’s former company. Shawn Carpenter and I also served in the same branch of military service, and although we both lived in New Mexico I have never met him.