SAN JUAN, Puerto Rico – The term “cyberwar” is the “zero day” of security jargon; it’s getting so that every bug is a zero day and every attack is hash-tagged cyberwar.
This serves only to distract smart people from making smart decisions.
Too much brainpower and bandwidth are being wasted on labels, while networks run at the whim of hackers, regardless of whether they live in Atlanta or Asia—and it’s forcing the cyberwar discourse down some nerve-racking paths.
Some argue that without blood and physical destruction, you don’t have war. Malware used to steal data or to cause manufacturing equipment to malfunction is not a kinetic weapon, therefore you don’t have war. Without accurate attribution of who is behind an attack, you don’t have an adversary. Without an adversary, you don’t have war. You may have victims, but these are victims of cybercrime or cyberespionage, and not victims of acts of war.
“Cyberwar is not the appropriate term for what we’re seeing,” said Lee Vorthman, CISO at NetApp US Public Sector, and a speaker on a panel discussion during the Kaspersky Security Analyst Summit.
While Stuxnet, Duqu, Gauss, Flame and Red October have been inconclusively linked to nation states, they are definitely a 21st-century extension of the old spy game: Get intel on the other guy before he gets intel on you. The dangerous part is that some of this malware, experts say, was meant to be contained to particular target networks. As we know, Stuxnet, in particular, escaped beyond its intended boundaries, infecting tens of thousands of computers worldwide. While Flame et al. hit fewer targets, it’s fairly safe to say the victim demographics weren’t limited to ambassadors, nuclear researchers and military decision makers.
And there you have the rub: collateral damage.
“We’ve been seeing collateral damage for a while,” said Steve Adegbite, director of cyber security strategies at Lockheed Martin. “You could use malware to take out a radar station, but could it boomerang back to me and harm me? Once you launch that type of weapon, it’s out there. You can’t always protect yourself. It can be enhanced and sent back to you.”
Noboru Nakatani, executive director of INTERPOL’s new Digital Crime Center, said it is a challenge to discern collateral or intended damage unless a claim of responsibility is made.
“Tracking an IP address and getting to the computers used in attacks doesn’t lead to meaning,” Nakatani said.
Eugene Kaspersky, chief executive of Kaspersky Lab, equates data loss with physical damage, arguing that data is as physical as radioactive fallout from a nuclear attack. Neither can be seen, but effects are felt.
“Don’t just think about [an attacker’s] intention, think about worst-case scenarios,” Kaspersky said during the panel discussion. “And not just with Stuxnet and attacks on SCADA systems, but things like Slammer that caused an Internet blackout in South Korea in 2003. It wasn’t designed to do that; it was a small piece of malware. But it generated enough traffic that South Korea was disconnected for a weekend.”
Kaspersky offered further examples of collateral damage, including an attack carried out by Russian hackers targeting Estonian government websites, which ended up disconnecting the entire country from the Net.
“Attribution is extremely tricky,” Kaspersky said. “It’s easy to point the finger at the wrong source. Cyberweapons are extremely dangerous and governments must agree not to use them.”
Lockheed Martin’s Adegbite said international organizations, including the United Nations, are beginning to construct frameworks, both on policy and legal fronts, to address the issue on an international scale. While discourse is fine, it serves to underscore that rules of engagement don’t exist for offensive capabilities in cyberspace.
“It takes time to get to the point where we say we’re not going to point these things at each other,” Adegbite said. “Even the UN isn’t set up for this. These problems didn’t exist when these organizations were created. You have to fast-forward your thinking and structure to deal with stuff that could be 10 years down the line.”
Until there is a wide-ranging solution of some kind, we’ll doubtless see more APTs in the coming months, more versions of Flame, and maybe even the next Red October. Data will be lost, companies may endure downtime, productivity will suffer and money will be spent to fix the problem. But without physical destruction and/or loss of life, the cyberwar name game is a dangerous and irresponsible play.