Cyber war is a term we hear regularly, but are we talking about science fiction or something that really happens? Should we be worried about the possible offensive use of cyber power by governments? And what exactly is a cyber weapon? In episode 20 of Cyber Security Sauna, Janne welcomes Mikko Hypponen, Chief Research Officer at F-Secure, to talk about government APT actors, the importance of words when it comes to cyber war, and why cyber weapons are the perfect weapons. Listen here or read on for the English transcript. And don't forget to subscribe or leave a review!
Janne: Welcome to the show, Mikko.
Mikko: Thanks for having me back. It’s always good to come to the sauna.
Absolutely. So let’s start with the definitions first. What do you consider cyber war to be? And have we seen any examples of it yet?
Well, first of all, almost every time when you see references to cyber war in mainstream media or newspapers or TV, it’s not about cyber war. The term is used awfully badly. It is a handy phrase, handy word to use, but it seems to be used quite often as a shorthand for governmental operations. And most of the offensive governmental operations that we analyze might be offensive, but are not war. Because most of them are things like espionage or spying, and espionage isn’t war. Espionage is espionage. Spying isn’t war. Spying is spying. And sure, both espionage and spying are more important during times of crisis and conflict and times of war, but that’s not war. So what I consider to be cyber war in its purest definition is offensive cyber operations which are done between two countries which are waging a war.
So there’s a real kinetic war going on at the same time.
Well, cyber is a new domain for war and we’ve seen new domains for war over and over again, over centuries. If you think back to the kind of wars we would be fighting hundreds of years ago when we only had swords and bow and arrow, we only had technology that could be used to fight land war. So we only had land war. But then when we got technology so good that we could actually build warships and move the war from land to sea, sea war didn’t make land war disappear. Now we had war and conflict both on land and at sea. Then we got planes, air war, then we got satellites and s***, so space war. Now cyberspace war. It’s a domain for war. And I don’t believe in cyber war between two countries which would only be fought in the online world. It is a conflict which happens across the domains.
That makes sense. We also said that media misuses or overuses the term. What’s the harm in that?
Words do matter. If we keep using strong words like war to define things which are not war, what are they going to call the things that really are war? And it does shape decisions. It does shape diplomacy, so we shouldn’t really be misusing these words. I think it’s going to be easier and easier for us to use these words correctly. Ten years ago when we saw the first mainstream governmental attacks, or let’s say 15 years ago, the first governmental case I worked with was in 2003, back then it was quite hard for the public and mainstream media to figure out what to call these things. But I think it’s getting easier as we see more examples of different kinds of offensive use of cyber power.
But you also wanted to make the separation between cyber war and espionage and other types of cyber attacks. So is it just the kinetic war component that makes cyber war different, or are there other distinctions? Do the attacks look different?
The idea of cyber being a new domain applies not just to war. It also applies to spying and espionage. I remember a couple of years ago I gave an interview for a newspaper after some big cyber spying incident. And the quote I gave to them was that spying has moved from the real world to the online world. And that’s what they printed in the newspaper, “Hypponen says spying has moved from the real world to the online world.” Then the next day my phone rings and it’s a friend of mine who works at an intelligence agency. He calls me up and he tells me that “Mikko, you’re wrong. It hasn’t moved from the real world to the online world. It has expanded from the real world to the online world.” And I totally believe him.
I mean, here at F-Secure, we’re a bunch of geeks and nerds. We monitor what’s happening in the online world, and to us it looked like it had moved from the old world to our world, but we don’t really see what the real world spooks and real world James Bonds are doing. And I totally believe him that they’ve gone nowhere, that they are still there in the real world. What has happened is that spying has expanded from the old world to the new world. But the old world still very much exists.
And in fact, it’s fairly easy for me to believe that powerful intelligence agencies are right now hard at work trying to get their moles to work inside critical companies. Companies like Amazon, Apple and Microsoft right now. In fact, intelligence agencies from China and Russia and many other countries wouldn’t be doing their job if they weren’t trying to do this right now.
But that’s the thing. The Americans tend to call that battlespace preparation, and that sort of thing goes on all the time. So, to me the term cyber war would imply that there is such a thing as cyber peace, and that’s not the case, is it?
Yeah. Well, we would have to define what we mean by cyber peace or other complicated terms like cyber disarmament, or well, just the cyber arms race. And I do believe we are in a kind of arms race right now. But when you think about famous cases like Stuxnet, which has got to be one of the most famous cases in malware history, even though that was clearly a governmental case, clearly Stuxnet itself was a cyber weapon. Still, I don’t consider the 2009, 2010 attacks from the United States and Israel against the nuclear enrichment systems of Iran to be cyber war for the simple reason that there was no war. If exactly the same attacks had been done, and there had been a war going on between the USA, Israel and Iran, then in my book that would have been cyber war. Now I think it was cyber sabotage, and yes, this gets pretty academic, like how do we define what was war and what wasn’t, but I still do think these definitions matter.
There’s also a lot of talk about cyber weapons and all these attempts to reach some sort of cyber Geneva Convention to sort of restrict what nations can and can’t do in the cyber space. Do you anticipate that those efforts are going to be successful to any meaningful degree?
I do believe we will need rules of law for conflict in the online world or conflict in cyberspace. Just like we have rules of law for traditional war. You are not supposed to bomb churches or hospitals. You’re not supposed to use chemical weapons. I think we do need those in the online world as well.
However, we are in the very beginning of this arms race. If you look at the previous arms race, the nuclear arms race that went on for decades, I do believe this new arms race will go on for decades and we are in the very beginning, which means the definitions and the rules are still being defined.
Some great work is being done in this space. The center of excellence for NATO at Tallinn in Estonia has published now several editions of the Tallinn Manual, which starts the work of defining the terms and the space and the basic rules. We’re still years away from actually putting any kind of convention around this, or any kind of agreement. But yet again, if we return to Stuxnet, I think it’s a great example of the kind of things we might be seeing in the future in rules of engagement for cyber attacks.
For example, Stuxnet had a preprogrammed kill date. It wouldn’t go on forever. It would actually self-destruct after a specific date, I believe it was in July of 2011. And the real world equivalent of that would be that you would have land mines which would automatically disarm after two years or something, so you wouldn’t have land mines floating around after the conflict and to me that makes perfect sense. I mean that’s exactly the kinds of things I do expect will eventually be something that all parties agree upon that yes, that’s a good idea. Let’s not create malware which is going to go headless around the world forever. Let’s have them expire and let’s make that a rule.
Exactly in the same way, I do believe cyber weapons might be tagged with cryptographically strong signatures, which could be used maybe not during the conflict, but after the conflict to prove whose weapon it was. Just like in the real world, when you’re fighting a war, you’re supposed to have your soldiers identify as your soldiers. They’re supposed to, you know, carry a flag. Exactly in the same way these pieces of malware could be carrying a flag. And of course in a malware case it could be done with public key cryptography and signature blocks. Once again, it doesn’t have to be something you would be able to identify during the conflict, but maybe afterwards.
That makes sense. And your comparison with nuclear arms makes sense also. But whereas nuclear antiproliferation treaties have been successful (we haven’t seen nuclear weapons in the hands of terrorists or criminals) we have seen governmental cyber weapons or components of cyber weapons leaking into the hands of criminals. So I guess what I’m asking is how, how could we have a Geneva Convention that would apply to all actors in this space?
The key difference between traditional weapons and cyber weapons…well, there’s two different categories here of the major differences. One major difference is deniability, the fact that it’s hard to prove who did what. The other major difference is linked to deterrence. What I mean by that is that traditional weapons, like nuclear weapons, their power historically is not in using them. Their power is in having them. And this is nicely illustrated by the fact that nuclear weapons have been used in war during mankind’s history two times. We have tens of thousands of nuclear warheads on this planet. They’ve only been used twice. So the power of those tens of thousands of warheads is not in using them, it’s in having them.
And even more importantly, in having them and then demonstrating to the rest of the world that you have them. This is why countries historically have been doing nuclear testing to show other countries that, hey, we have nuclear weapons. And deterrence is very simple. When you know which countries have nuclear weapons, and there are only 11 countries on the planet which have nuclear weapons, then you know that those are the countries that you’re not supposed to screw with because they have nuclear weapons.
This is how deterrence works. Deterrence works because others know what you have. Same thing applies to aircraft carriers. Every country knows which other countries have aircraft carriers. We know this perfectly well. We know exactly how many tanks the Russians have. We know exactly how many F-14 fighter jets the Americans have, you can actually Google these figures. This is public information, and these all create deterrence. But the question is what kind of offensive cyber capability does Russia have or Germany or Sweden or New Zealand? You have any idea?
No, absolutely not.
Neither do I.
So there’s no deterrence, because we have no idea what they have. Sure, we know that, you know, the biggest countries are the best in this, but really there’s no show of power. There’s no public demonstrations of capabilities, which means you’ll get no deterrent.
I’m wondering, could there be a demonstration of cyber capability that would create a deterrent? Is there a cyber attack so terrifying, so awe-inspiring that it would be a deterrent to the level of the deterrence of nuclear weapons?
Well, you could argue that attacks like NotPetya were public demonstrations of power, in that case by the Russian government, the Russian military. However, that was most likely an unintended demonstration of power. But I wouldn’t see it as impossible that one day we would see, you know, public war games during some rehearsals by militaries where they would publicly show some of their capabilities in the online world in order to get deterrence power.
And this actually in my book would be a good development. Because right now the situation is that militaries are spending a lot of money, millions and millions in developing offensive cyber weapons, including, you know, new back doors and new exploits against unknown vulnerabilities, and different kinds of malware functionality. And the downside they have is that once they’ve done all this investment, those weapons will not work forever because systems change, operating systems get upgraded, vulnerabilities are found and patched. So all of this investment they put into creating these weapons, those weapons rot away. They don’t work forever. They have a best before date. And when you remember that they don’t get any deterrence power out of them either because nobody knows they have these weapons, that creates a very problematic scenario where it makes it more likely that these weapons are actually going to be used instead of just keeping them in the drawer and letting them expire. These parties invest a lot of money into these weapons and they get no return on their investment unless they use the weapons.
And that’s why I think the idea of publicly showing the kind of capabilities you have would be a good development, because then they would get some return on the investment without actually using them for real attacks. So I sort of like the idea of public demonstrations of cyber power, and we really haven’t seen that in the way that I’d like to see it.
But do you think, do you think it could even happen that we would see a nation demonstrate their cyber power to a degree where everybody else would be like, whoa, we don’t want to mess with those guys?
Yeah, I do believe it could happen. Exactly in the same way we see, you know, big militaries having these massively large marches where they show their missiles and stuff, exactly for the same reason, or have public demonstrations of power during rehearsals, or what have you. But there is the problematic truth that these are the kinds of weapons of mass destruction which are not only in the hands of militaries. Again, nuclear weapons, aircraft carriers, fighter jets – only armies, only militaries have them. Only militaries have aircraft carriers and fighter jets. Then when you look at the equivalent in the online world – yeah, militaries have botnets and exploits, but so do crime gangs. So can an individual, basically. And this makes these weapons different. They are not just in the hands of the military. These massively large attacks can be launched by parties which are nongovernmental.
But let’s say a nation state develops cyber capabilities to a level where it would be a deterrent for other parties. We agreed cyber weapons don’t have a deterrence capability. They just have the power of you using them. So would that nation then sort of restrict themselves from using cyber weapons? Because you know, so far we’ve seen people using all the capabilities that they have.
Well, I’d like to think that’s the way it works. Plus, there is the added benefit from the point of view of cyber peace that when you show a new mechanic of an attack in a public demonstration of power, it instantly becomes easier to defend against it. If you show a nuclear weapon, it doesn’t change anything. You can’t defend against the nuclear weapon. If you show a new exploit against the LSASS service of Windows 10 in the 64-bit version, even though we don’t see exactly what you’re doing, we can start defending against it. And that changes the landscape.
So what I would expect in this hypothetical world where governments would show their cyber power to get deterrence, is that they would be showing off the kinds of things they anticipate would expire soon anyway. Just to show that, “Hey, by the way, the next Windows patch will fix this. We’ve had this for five years and we have tons of these so don’t come at us. We have these.” Something like that.
Okay, that makes sense. So what makes cyber weapons so appealing to nation states?
Cyber weapons are in a way the perfect weapons. They get the job done, they are cost-effective and they are deniable. And we don’t really have any other weapons like that except cyber weapons. And especially the deniability part is really, really powerful. If you use traditional weapons, you can’t deny them. Everybody knows you did it. If you send a B-52 bomber to drop bombs somewhere, it’s kind of hard to deny that it’s your B-52. When you do exactly the same thing in the online world, you can keep denying it.
And once again, Stuxnet is the example. We all know – I told you, it’s the United States and Israel. And they still keep denying it. I mean, the Israeli army has even used, like, clip art mentioning Stuxnet in their anniversary promotion videos. But then when they get asked, “Hey, what was your involvement in Stuxnet?” they deny everything. And there’s nothing we can do to prove it. And that’s a great example of just how valuable these things are.
And it also enables false flag attacks very effectively. The United States already announced, during Obama’s time almost 10 years ago, that they reserve the right to retaliate against cyber attacks on the United States of America with traditional kinetic weapons. Which sounds like pretty big words and a pretty important statement, but I think it’s bluffing. Because I mean, how on earth would they actually be able to be so certain who’s behind an attack that they would be ready to send missiles back to where the attack came from? And if that’s exactly what they would be ready to do, I mean, an attacker could just reroute their denial of service attacks through Canada and let’s see the USA attack Canada because they believe that’s where the attack came from.
So deniability and the possibility of framing other parties make cyber weapons so appealing to governments. That’s why we see them use them and invest money into offensive use of cyber power.
So yeah, it’s a different thing to go and bomb Canada than to bomb the ISIS cyber command, which has happened a couple of times.
True, true. And it is remarkable that we’ve seen multiple demonstrated cases now where the US army has used drone strikes in Syria to kill Islamic state hackers. And I think it’s a great example of how seriously they take this threat, not from governments, but from extremist and terrorist organizations. They clearly don’t want this problem to become any larger than what it is already today.
Absolutely. I guess one of the things about cyber weapons is also that as an attacker you can limit or control the damage they do, so you can sort of dial it up or down as the case may be.
True. And you can also target specific targets. We’ve seen this in multiple different governmental malware cases. They can use country codes or IP ranges or network topology to figure out where they are, and only activate when they are in the right place. Then again, it’s awfully easy to lose control of cyber weapons as well, and they can easily, you know, get out of hand.
And it’s interesting to think about the Petya or NotPetya incident of 2017 through the lens of all the collateral damage. I mean, the biggest headlines were not really about the massive amount of damage that happened inside Ukraine, which was the real target of Petya (and I do consider Petya to be an example of cyber war because Russia and Ukraine are at war). The headlines really were talking about collateral damage in the West. Companies in Europe, companies in North America, companies in Asia getting hit by the same attack just because they happened to be running a piece of software which was used to launch the attack.
And then the question becomes, was this an accident? Were these companies collateral damage really? Or was this a message from the Kremlin? And the message is don’t do business in Ukraine. If you do business in Ukraine, we will f*** you up. And we don’t really know which one it is, but we could argue either way.
Absolutely. So how worried should we be as consumers or as companies about the potential for governmental offensive use of cyber power?
I guess the good news to consumers and to the people on the street is that there’s pretty much nothing they can do about this. So yeah, sure you can worry about it. But worrying isn’t really going to help you. These kinds of things are not really targeting the average consumer on the street directly. Indirectly they could be, with things like power cuts or attacks against infrastructure of nations. But the individual people on the street can’t do much about it. They can of course try to secure their own devices, but it’s unlikely their own devices would be the target.
When we see governmental attacks at play, if it’s espionage and spying, it’s very targeted, targeting very specific organizations, and most people are not going to be targeted by them ever. And if it’s cyber sabotage or cyber war, then typically the targets are infrastructure or very large companies. The average person on the street maybe needs to be aware of this, but you know, fighting cyber war on your own isn’t going to help.
I guess where it’s much more productive to educate the end users and consumers is in fighting information operations, and that’s a different ballgame. Information operations do work very well, and they work because today’s internet can be fairly easily used to shape opinions. And educating consumers and citizens about how information operations work actually works better than most education in this space. I always keep saying how education almost always fails and how people, no matter how many times they’re told, will always use poor passwords and double click on every attachment. But when you look at specific cases of information operations, like affecting people’s opinions during elections for example, once people are told what’s really going on, in many cases their eyes are really opened. And information operations, for example on Facebook, only work as long as the citizens don’t realize that it’s being done. When they are told – and by the way, these ads and news items which are pushed on your feed are there not by accident, they are on purpose right there, and they’re only shown to you based on your profile, and they are being sent by a foreign nation state. Once people get that, it no longer works. So this is one of the rare places where education seems to have a very high chance of actually working. And that’s great.
So hardware controlled by nation states themselves is one thing. But could you imagine, for example, consumer IoT devices being used as bots in some sort of cyber war?
We’re definitely now far enough in the world of IoT that very effective botnets can already be created by not infecting a single computer, but instead just infecting connected devices. And I think security cameras are a perfect example. You go and buy any security camera today for your house or for your summer cottage. That security camera is most likely going to be a Linux server. And actually it’s a pretty powerful Linux server, because it has to be able to encode 4K or HD video in real time, and it has to have the bandwidth to stream 4K or HD video in real time. So when you take over a few thousand Linux servers like that, it’s actually a pretty powerful botnet. It can actually do a fairly large amount of damage. And yes, that kind of damage doesn’t have to be done by criminals or crime gangs. It can be done by government as well.
Do you think there is battlespace preparation going on, where nation states are sort of on the down low, they’re just infecting these machines for the day when they’re going to need it?
It could be going on, but we have very few examples of that. We do have quite clear suspicion though, that for example, the Russian government has used Russian cyber criminals to do some of the work for them, where the logic goes that they catch some Russian botmaster and then they give him an offer he can’t refuse, which is “Either go to jail for 40 years or give your botnet to us.” And if there’s a large botnet, it’s highly likely there are some interesting machines among the victims in the botnet.
So you can easily see them just going through a botnet with hundreds of thousands of infected machines around the world and extracting the ones which, you know, belonged to the US government, or specific defense contractor companies, or even specific individuals. It would be very powerful to mine an existing botnet to gain access to machines they couldn’t otherwise reach. And it gives them perfect plausible deniability. If the victim realizes that they have been infected, “Oh my God, is it governmental? No, it’s just some banking Trojan. Whew, that was a close call.” So that’s actually very beneficial from the point of view of the attackers, if they can use run-of-the-mill, typical malware to do governmental attacks.
There’s also concerns that nation states, like you mentioned, would not only be taking over criminal botnets but also legitimate businesses and using them to advance their intelligence purposes. Do you think that’s going on?
It’s quite interesting to look at the concern we have in the West against governmental spying from Russia and from China, because there’s a massive difference in visibility the Russian government and the Chinese government have on the rest of the internet. And this is quite peculiar when you think about it.
I mean, Russia is a massively large country. It’s the biggest country on the planet. They have, you know, a huge amount of great minds and great programmers and coders and hackers and mathematicians and physicists, and some of the best universities. Yet they seem to be unable to create and export any technology that we in the West would be interested in using or buying. There’s very few Russian-made devices which are being exported, and very few services. When was the last time you used a Russian website or a Russian cloud service or a Russian search engine? It really doesn’t happen.
But then when you look at China, well, we could all immediately name like five Chinese technology companies which are global success stories, like Lenovo or Huawei or ZTE, or OnePlus, or Xiaomi. And we all have Chinese chips in our pockets right now or inside of our computers. So the potential visibility on the rest of the internet is completely different between China and Russia. And it’s quite remarkable how this is so different between these two massively large countries.
Absolutely. So which countries are investing the most heavily in cyber weapons?
It’s quite clear the USA is number one. The United States has been researching and investing massive amounts of money into internet operations, or cyber operations for years and years. Much longer than anyone else. So it’s quite clear they are number one.
In my book, it’s just as clear who’s number two. That would be Israel. Israel has been very, very effective in doing what they do, most of it together with help from their big friend the United States. And that’s quite remarkable because Israel isn’t that big. I mean, a couple of million people, but they are very, very effective in this space. And it’s also nicely illustrated by the large amount of cyber security startup companies coming out of Israel. And when you talk to these people, they all have a background in the military, at least the mandatory service, but typically even beyond the mandatory service.
Then after those two, then we get into the Russian capabilities, into the Chinese capabilities, and then to countries like Iran, to North Korea, and then everyone else. I mean today any technically capable nation is building not just cyber defense but cyber offense as well. And this applies to, you know, very peaceful, neutral countries, countries like Finland. Finland is developing offensive use of cyber power as well. Absolutely it is, because today, to have credible defense, you have to have capabilities in this space as well. And developing offensive cyber power of course doesn’t mean that you would go around using it blindly. Just like the military in Finland is building capability on how to shoot, you know, with tanks. And that doesn’t mean we would go around on our border shooting tanks just because we could. Exactly the same thing applies to cyber.
Yeah. So what’s going to be the thing that’s going to bring cyber warfare to the average people, sort of top of mind? So Stuxnet happened, we in the industry felt that that was a big deal, but the man on the street doesn’t maybe care so much or even remember. What’s going to be a thing that brings cyber warfare to the coffee table conversations? Is it going to be power grids being knocked out or something?
Go talk to people who were living in Estonia in 2007, and they will remember the massively large denial of service attacks, which were going around and shutting down banks and grocery stores and all kinds of infrastructure. Go talk to people who were living in Kiev on Christmas Eve’s Eve 2016 when the power went out. So these kind of attacks, attacks against critical infrastructure and even things like payment systems are very effective. If banks don’t work, if your credit card doesn’t work, people on the street will very quickly realize just how fragile we are.
I was following discussions on Facebook on one particular bank’s Facebook page three years ago, when we saw a large amount of denial of service attacks on New Year’s Eve targeting that one particular bank. And it was filled with comments from frustrated fathers and mothers who are telling the stories that they were buying groceries for New Year’s Eve dinner, and they are at the cashier desk at the supermarket and their card doesn’t work. And of course they don’t have cash because nobody carries cash anymore, and they can’t pay with the card, and they don’t have another card. And they go and try to get money from the ATM and the ATM doesn’t work at all. Then they have to leave the food in the shop. That’s pretty concrete. Like, we’re not going to have a nice dinner tonight because the internet is down. And that’s how people learn. That’s how we get the wakeup call that we most likely need to understand what’s at stake.
So when you’re talking about governmental cyber weapons, you’re also talking about zero day exploits. How common are those? Are nation states usually able to accomplish what they want without zero day exploits, or do they actually need those?
Zero days are valuable. They are valuable for criminals and they’re as valuable for governments. And when you use your zero days, you always run the risk of losing your zero days, burning your zero days, getting caught, and then they become useless or worthless once they become known. Because now the vendors can patch the vulnerabilities and you can no longer, well, your zero days become one days, and then two days, and three days, and then everything changes. So they don’t use them if they don’t have to.
And if you think about governmental attacks, trying to target a specific organization, one term we’ve used for these attacks is APT. And I don’t really much like the term APT, but I think it’s important to understand what makes it important, and that’s the P. Persistent. These attacks are persistent. They don’t give up. Why don’t they give up? Because the attackers have been given an order. They are on a mission, and the mission is: Find a way into this organization.
So they will try getting in and if they fail, they’re not going to give up. They will try again. If that doesn’t work, they will try again. If that doesn’t work, they bring in more troops and try again. They’ll figure out new ways, they’ll try getting in through email. If that fails, they try the web. If that fails, they try the VPN endpoint. If that fails, they start dropping USB thumb drives on the parking lot. If that fails, they’ll dress up as the cleaner and walk in. If that fails, they will get a mole to be hired by your company. They don’t give up. That’s persistence. That’s The P. Persistence. And that’s a very hard attacker to fight, because they will keep at it. They don’t suddenly change their mind and realize, or say to themselves, “We can’t get into this organization, let’s go and hack someone else.” I mean, they’re not going to do that, because they’ve been given an order.
Criminals do that. Criminals are not after you, criminals are after money, and if it’s too hard to get into your network, they will change their mind and will go after an easier target. But governmental attackers will not. And if they need to use zero days to get in, then they will use zero days to get in. But pretty much as a last resource because these things are valuable. They’re hard to come by. They’re expensive. So they do use them if needed, but only if needed.
Well, that’s the thing. I mean, there’s also been discussion about governments like the USA stockpiling zero days for use on a rainy day. Do you think that makes any kind of sense? Do you think there’s anything to this conversation?
Clearly, there are governments that have the capability to do this (stockpile exploits, and most likely have a range of different kinds of exploits, including zero days, at their disposal). Larger governments can do this kind of research by themselves. Smaller governments most likely don’t have the resources, which means they have to buy them. And if you want to have credible, offensive cyber power capability, you have to have a fresh set of exploits at your disposal at any given time. And exploits eventually go bad. So you need a constant supply of these, and they are expensive. But if you are stockpiling exploits, then you really have to take care of them. Because the worst thing that can happen to you is that you create unknown exploits against unknown vulnerabilities, and then you somehow lose them and they end up being used against you. And we have examples of this, most famously the vulnerability which was used inside WannaCry, which was an attack launched by the government of North Korea, pretty much targeting the whole rest of the world.
The reason why WannaCry was so effective and so devastating was that it was using a vulnerability against which an exploit was developed by the US government. And this particular vulnerability was in Microsoft Windows, practically in all versions of Microsoft Windows. And you could sort of imagine the thought work that has gone inside the National Security Agency when they discovered this, this particular vulnerability, that “Hey, we found this vulnerability which affects every user of Windows all the way from Windows XP to Windows 10, what should we do with this? We have two choices. We can call Microsoft right now. We can tell them and they will fix it. And then we’ll have everybody safe against this particular vulnerability.” And that’s sort of their mission because their mission is to make American people safe. 200 million American people run Windows. So they would make 200 million American people more safe.
But then there’s the other option, which is, “Let’s not call Microsoft, let’s keep this a secret. In fact, let’s hope Microsoft never finds this. So they will never fix this. So we can use this to target bad people, and then we can figure out what bad people are up to, and we can use that information to keep American people safe.”
And now, I’m not making any judgment calls here. Which one of these two is the right choice? I’m just pointing out that these are the choices and if these are the two choices, if you choose option number two, if you do not call Redmond and tell them that you found this vulnerability, then make g***amn sure you’re not going to lose the vulnerability, because then you are making everybody vulnerable. And this is the nightmare scenario, and this is exactly what happened with the WannaCry vulnerability. We don’t know how they lost it, whether it was stolen from the NSA or leaked, or taken by an employee or was taken by an outsider attacker. It doesn’t matter. They lost it. And it ended up in the hands of the North Korean government. And it was used in one of the most devastating malware attacks around the world, including tons of victims inside the United States as well. So instead of making the American people safe, they did exactly the opposite.
But we’re also talking about how attackers don’t want to burn capability when they don’t have to. And typically when talking about cyber weapons, we think about these highly sophisticated tools like Stuxnet, millions of dollars of resources behind it, but the attacks are not always super sophisticated, are they?
No. Many of them are using existing vulnerabilities, sometimes years old vulnerabilities. Many of them are simple social engineering attacks. It doesn’t have to be cutting edge. And it isn’t cutting edge if it doesn’t have to be cutting edge. They will try easier attacks first and then they will up the ante if needed.
And around a year ago, there was this one particular defense contractor in the United States which was being targeted by a series of governmental attacks. It was one of those persistent attackers who doesn’t give up. They tried various ways of gaining access to their network and they couldn’t find a way. They tried over and over again. Eventually they resorted to social engineering, like sending key employees different kinds of emails, and maybe calling them up to try to make them click on links on those emails which would take them to exploit sites.
But that wasn’t working too well either. The company had very strong filters and they had educated their key people very well. They weren’t falling for these scams…until the attackers figured out a way, and the way was to send them, these victims, a very simple email, which was just a thank you email, thanking the people for signing up to their mailing list. “Thanks for signing up to our mailing list. From now on, we will send you an exciting email every day. Best regards, YouPorn.” And you can sort of imagine yourself sitting at your work laptop, getting an email from YouPorn, announcing that you’re now on their mailing list –
Where’s that unsubscribe?!
Where’s the unsubscribe link? Like, did somebody see this? Oh my God. And the unsubscribe link was the link to the exploit kit. So, you know, when the attackers can’t use technical mechanisms, then they will resort to social mechanisms. And some of these just work too well.
We also know that cyber criminals sell breaches. They sell access that they’ve gained through criminal means. Do you think governments are buying?
There might be governments out there which are willing to resort to buying this kind of capability from the dark web or from crime gangs. But I think most governments would rather develop these themselves, or if they can’t do that, they go to boutique exploit companies which do exist, which specialize in creating exploits and selling them to governments and militaries and which do it legally and follow the regulations. There are regulations in this space about creation and sales and export of exploits.
So we’ve already touched on a couple of different cyber weapons. We’ve mentioned Petya, we mentioned Stuxnet. Let’s talk about some of these examples of cyber weapons that the world has seen so far.
Yeah, I think cyber weapons are much more common than cyber war. And like we discussed, Stuxnet was a cyber weapon but I don’t believe it was part of cyber war. Petya was. Because when you have two countries at war and one of those countries launches cyber attacks targeting the other country, what else do you call that? That clearly is cyber war. I think everybody would agree that that has to be cyber war. When there is real war and then there is a cyber attack between the parties. That clearly is the new domain for engaging in war. But we haven’t really seen that many examples of this.
We have tons and tons of examples of cyber espionage, and cyber spying happens all the time, but actual offensive use with cyber weapons to wage war is much, much rarer. And it’s quite clear why espionage is where most of the action is. Spying and espionage is about collecting information, and information today is data. Spies years ago used to go around stealing paper or photographing plans, because they had to physically go to the information. There was no other way of reaching it. And today, information is on our computers, it’s in our networks, and you can reach it in theory from anywhere on the planet without ever leaving your chair.
Is it likely that we’ll ever see a war being fought using purely digital weapons?
I don’t think we will see a war between two countries, which would only be fought in cyberspace, like a real pure cyber war. However, if that’s going to happen, I think I would prefer that over traditional war. I think there’s less blood in cyber war.
There you have it, guys. Thanks, Mikko, for joining us.
Thank you. I’ll be back anytime.
That was our show for today. I hope you enjoyed it. Make sure you subscribe to the podcast, and you can reach us with questions and comments on Twitter @CyberSauna. Thanks for listening.