The term cyberwar has become a catch-all used by politicians, talking heads and others to encompass just about any online threat, regardless of the attacker or the target. Among security professionals, however, the word has a specific connotation: an attack by one nation against another nation's infrastructure. Aside from the semantic issues, one of the major challenges for government agencies and security teams dealing with this problem is attribution, and recognizing what constitutes an actual act of cyberwar. Stuxnet, Flame and their cousins may qualify, but more discussion is needed to help define the terms of these new conflicts, experts say.
One of the key problems is that virtually any attack tool could be defined as a cyberweapon, depending upon the context, the target and the attacker. Certainly tools such as Duqu fall into that category, but so might simple remote-access Trojans under certain circumstances. Who makes that call? Right now, it’s mainly made by either the victim or a security researcher on the outside.
“There’s no definition of cyberweapons. What’s the difference between cyberweapons and traditional ones?” said Eugene Kaspersky, CEO of Kaspersky Lab, in a discussion on Tuesday. “One difference is software is software. People can make a copy, disassemble it, learn its tricks.”
This is one of the points that security researchers have made about the use of tools such as Stuxnet and Flame: Once the tool is discovered, experts on the victim’s end have the chance to tear it apart and see what tactics and methods the attackers used. In the same way that enemy armed forces can take apart a downed fighter or helicopter and learn from what the other side is doing, engineers can pore over lines of code in attack tools and look for ways to improve their own creations.
Another problem that crops up in discussions around the use of cyberweapons is the issue of attribution. Discovering who is behind a given attack is a notoriously difficult problem, even when there are seemingly obvious clues such as idiomatic phrases in a specific language embedded in the code, or a traceable path that leads to command-and-control servers in a hostile country. Those things can be planted or faked easily, and few countries have stepped forward to take credit for any of the known attacks. That leaves speculation and guesswork.
“It’s very difficult to find out who is behind an attack. It’s easy to point a finger at the wrong source,” Kaspersky said. “There’s no such thing as true attribution for cyberweapons. It’s very easy to cheat.”
As the Stuxnet attack in particular showed, it is also quite easy for a cyberweapon intended for one specific target to escape its intended scope and end up on neighboring systems or networks. Stuxnet was designed to attack the systems controlling the centrifuges at the Natanz nuclear facility in Iran, systems that ran on Siemens software that is not widely deployed or understood outside industrial environments. Its payload was specific to that target, but its propagation code was not: the worm spread to ordinary desktop machines and eventually made its way out of the facility entirely. Those mistakes by the Stuxnet attackers led to the worm's eventual discovery, and even years later the effects are still being felt. Officials at Chevron said this week that their corporate network had been infected by Stuxnet, but that no damage was done.
Despite such unintended consequences, most cyberweapons, Stuxnet included, are written with a specific target or set of targets in mind, often a small number of systems in a particular organization or industry that contain valuable data. But when they make their way out of those targeted environments, there can be wide-ranging consequences. This, Kaspersky said, is one of the things that concerns him most about the way these tools are being used.
“The damage for cyberweapons won’t just happen to the target,” he said. “There will be random victims if the software isn’t able to recognize its targets. There could be many victims, especially when you realize the Internet doesn’t have borders.”
Government officials have begun calling for international discussions regarding the use of cyberweapons, either during a conventional war or as standalone attacks. But without a clear definition of what constitutes a cyberweapon, or a reliable way to identify the people or nation behind an attack, any such discussions could end up being fruitless.