
The war for Cyberspace

Cyberspace is your space. We all share a part of it. When one area is affected, like a bad apple, it can spread to affect many others. So far, most have been lucky to only read the stories and see the news about outside activity affecting government and corporations. The devastation of cyber war hasn’t penetrated, but neither has the idea that it can.

Leading cyber security expert warns that the Web could one day darken due to international conflict, turning a boon to mankind into a tool for political and ideological control and domination. Stephen Budiansky reviews ‘The Darkening Web’ by Alexander Klimburg.

Alexander Klimburg thinks we are not nearly as worried as we should be about internet-borne mayhem in our increasingly interconnected world. His timing couldn’t be better. “The Internet, a fabulous artifice of human civilization largely perceived today as a domain for advancing freedoms and prosperity,” he writes in the introduction to “The Darkening Web,” “could become instead a dark web of subjugation.” He foresees a not too distant future in which cyberspace is primarily “a domain of conflict . . . threatening the overall stability and security not only of the Internet but also of our very societies.”

The cyber attacks in May and June that shut down hospitals in Britain and the United States, ATMs in Ukraine, railways in Germany, and tens of thousands of other targets around the globe were vivid illustrations of a concern that Mr. Klimburg, a cybersecurity researcher and senior fellow at the Atlantic Council, emphasizes throughout: that the United States government, in focusing single-mindedly on developing its own offensive cyber capability, has set off an “international arms race in cyber.” The recent attacks in fact used malicious computer code originally developed by the U.S. National Security Agency; the malware fell into the hands of rogue hackers when it was stolen and openly published last year under circumstances that are still unclear.

Like the Stuxnet virus that the NSA, CIA and Israel reportedly employed to sabotage centrifuges in Iran’s nuclear enrichment facility, the weapons used in recent attacks were crafted to penetrate the Windows operating system and exploit security flaws unknown to Microsoft at the time they were developed. Once inside a system, they can be commanded to steal data, monitor communications or engage in more disruptive attacks by disabling key functions.

In a world where these kinds of destructive attacks become the norm, Mr. Klimburg argues, it is the U.S. that has the most to lose. Or, as he more sweepingly asserts, the U.S. effort “to achieve total dominance” in offensive cyber capability “can be safely said to have totally backfired.”

Mr. Klimburg is particularly dismayed by the two-handed game that the NSA has been playing: outwardly working with technology companies to improve security for all, while secretly withholding knowledge of key weaknesses in the internet and computer software that the agency wants to exploit for its own intelligence or cyber operations. And he warns that the West’s responses to growing cyber threats run the risk of playing right into the “ambitions of authoritarian states,” which have long sought to control the flow of information through propaganda and censorship. Another recent front-page story offers a case in point: the discovery that hacking tools sold to the Mexican government by an Israeli security firm—and supposedly restricted to use against terrorists and criminals—had been used by the government instead to harass and spy on domestic critics.

Part of the difficulty that Western governments face in responding to these challenges is that a number of very different kinds of threats are lumped together under the catchall terms “cyber attack” or “cyber war.” Broadly speaking, Mr. Klimburg explains, there are at least three types of cyber attacks, each quite distinct.

 

The attacks that most resemble true warfare are those that aim to achieve the results that were once the sole business of bombers or commando teams armed with “kinetic” weapons: taking out an air-defense system or destroying a strategic target such as a power station, dam or command post.

A second type of attack is the natural outgrowth of the NSA’s longstanding efforts to penetrate global communications. What in the old days was done by monitoring radio transmissions and codebreaking is today a game of penetrating computers and swiping information at the source—a skill at which the Chinese and Russians have proved as adept as the NSA.

And then there is the nebulous but burgeoning field of propaganda and information warfare, alarmingly on display during the 2016 election. An army of Russia-based human and automated attackers (“robo-trolls”) deluged the United States with pro-Trump disinformation, while Russian-government controlled or sponsored groups hacked the Democratic National Committee and other U.S. targets in search of potentially embarrassing or damaging information to influence the outcome.

The more disappointing deficiency in “The Darkening Web” is the failure to engage the inescapable trade-offs that all of these challenges pose. Mr. Klimburg asserts that “to keep the Internet free, we need to keep Internet governance free” and insists that any move toward government regulation falls into a “trap” that Russia and China will eagerly exploit to clamp down further on their own citizens’ free use of the internet. Yet as the security expert Bruce Schneier has argued, only by setting regulatory standards for software security is there now a prayer of keeping up with the threat. Large companies like Apple and Microsoft have done a creditable job deploying quick patches as new threats emerge: Microsoft issued a patch as soon as the NSA hacking tools were published, and the computers affected in recent attacks were ones whose users hadn’t bothered to install the update.

But the explosion of the “Internet of Things”—everything from camcorders to cars to thermostats—has led to a deluge of shoddy and vulnerable code from companies too small to afford investing in security updates, or even to care. According to one recent estimate Mr. Klimburg cites, there are already 25 billion devices connected to the internet, more than three for every human being on the planet. This ever-expanding vulnerability, Mr. Schneier has argued, can only be addressed through a regulatory body that deals with security across the entire internet.

While insisting that the U.S. ought to devote far more resources to cyber defense and deemphasize what he sees as its no-win pursuit of an offensive dominance that has accelerated the “militarization” of cyberspace, Mr. Klimburg acknowledges a fundamental asymmetry at work. The U.S. is especially vulnerable to hackers given its ubiquitous embrace of technology. And the nature of the game virtually ensures that offense will always dominate: it is simply much easier and cheaper to create malicious code than to develop effective counters to it. He quotes Chris Inglis, the former NSA deputy director, who wryly observed that if cyber war were soccer, the score would be 462 to 456 after the first 20 minutes. He also quotes two “truisms” of cyber security: “that the majority of attacks could be avoided by taking basic defense measures,” notably by updating software immediately, but “that a dedicated attacker will always get in, no matter what.”

In places, Mr. Klimburg concedes the moral ambiguities of the situation, noting for example that the best hackers make the best security professionals. But he never comes to grips with the fundamental question of whether there is any practical alternative to the U.S. maintaining an overwhelming offensive cyber capability—at least when it comes to deterring state actors from carrying out the most threatening attacks, those aiming to wreak physical havoc on factories, pipelines, electric grids and other vital infrastructure. If “a dedicated attacker will always get in,” the situation is very analogous to nuclear warfare: Only the threat of massive retaliation can deter an attack in the first place. Of course, that assumes that one knows who the attacker is, and the author is skeptical of recent NSA hints that it has solved the problem of “attribution,” tracing an attack to its source.

tightrope of competing goals more astutely recognize that everything is a matter of degree. Michael Hayden, the former NSA director, has suggested that American policy must balance defense and offense on a case-by-case basis and has hinted that the NSA is keeping to itself knowledge of only the small number of software vulnerabilities that it is confident are beyond the means of anyone but the United States government to exploit. In that, the situation is no different from the challenge that NSA cryptologists faced throughout the Cold War, when they struggled to fine-tune the balance between codemaking and codebreaking in the hope that America’s allies would be equipped with codes secure enough to keep everyone in the world from cracking them—except for the NSA.

Mr. Klimburg effectively outlines the dangers we face but, when it comes to solutions, offers little more than abstractions about international governance mechanisms. And he does not even mention what Mr. Schneier posits as, ultimately, the only real way out: If we truly wish to keep our devices safe from attackers out to take over what is becoming a single world-wide robot, we need to start unplugging things from the far-too-ubiquitous web.

Mr. Budiansky’s latest book is “Code Warriors: NSA’s Codebreakers and the Secret Intelligence War Against the Soviet Union.”
