Subscribe
About

The right to bear (electronic) arms

Jon Tullett
By Jon Tullett, Editor: News analysis
Johannesburg, 22 Mar 2012

Cyber warfare is taking place as we speak, from the most clandestine international level to everyday computing. Governments are at war with the Internet.

A few years ago, cyber warfare and cyber terrorism started popping up as topics at information security conferences. The speakers were greeted with much eye-rolling and suggestions that the notion was vastly over-exaggerated, possibly as an excuse to drum up government funding or market security products.

Today, international cyber warfare is very much a reality, and the same electronic weapons and tactics are being deployed domestically to enforce policy and crush dissent - civil wars are playing out in parallel on the Web and in the streets, while citizens take to the Net as online guerrillas.

Kenneth Geers, cyber subject matter expert at NCIS (Naval Criminal Investigation Service), says the proliferation of state-of-the-art security tools (for both defence and offence) means that even the most humble netizen has the ability to take on engines of state, and is increasingly willing to do so, while governments themselves are actively engaged in an electronic Cold War, with the online equivalents of WMD.

Geers is a headline speaker at the ITWeb Security Summit, where he will address the real-world issues of cyber warfare.

The cyber warfare battlefields are many and varied. At the high end, the scenarios play out like a spy thriller as governments engage one another in espionage and sabotage, with many details shrouded in mystery. The Stuxnet worm successfully targeted and damaged the Iranian nuclear enrichment programme. Stuxnet is widely believed to be the work of government agencies, with the top candidates the Israelis and Americans. Duqu, the successor to Stuxnet, is more widely distributed. Its purpose is as yet unknown, but it is equally advanced and mysterious.

The role of human intelligence is making a comeback.

Kenneth Geers, cyber subject matter expert, NCIS

It is no secret that militaries around the world have been developing cyber war capabilities for years, with divisions assigned to target foreign networks, and to defend domestic infrastructure from attack. For the moment, offensive capability is vastly easier than defence: so much of a nation's infrastructure is in private hands, with systems frequently exposed to Internet connections, either directly or via side-channels (as exploited by Stuxnet, which was installed via infected USB flash drives).

Those highlights demonstrate just how good some agencies are at cyber warfare, Geers says, even if we can't positively identify who they really are. “There's a lot of anguish over Iran acquiring nuclear weapons, and governments are willing to stop it at all costs. Nuclear weapons are in a league of their own, and that's probably why we saw Stuxnet, a cyber weapon in a league of its own, applied against it.”

Guerrilla warfare: censorship versus Internet

ITWeb Security Summit

Dr Miller is one of the headline speakers at the ITWeb Security Summit and Awards, which takes place from 15 to 17 May. For more information and to reserve your seat, please click here.

In the domestic arena, governments around the world are grappling with the free flow of information. Censorship and the control of state secrets are motivated by the need for state security, but are almost laughably ineffectual against a determined, tech-savvy citizenry. Uprisings and civil wars are playing out in parallel on the Web and in the streets.

States have tried to control the flow of information for centuries. As the samizdat movement proved in Russia in the last century, widespread access to technology (printing equipment at that time) can defeat all but the most determined censorship.

In the modern age, governments are proving almost universally powerless against a determined, technologically advanced citizenry. That doesn't stop them from trying - Egypt was one of several countries which have disabled or crippled telecom networks and Internet connectivity in attempts to contain the spread of dissent or restrict the media, but most have failed. The institutional restrictions on the Internet in countries like Saudi Arabia and China are routinely bypassed by tech-savvy residents and the media.

“When it comes to the role between citizen and state, especially in countries with poor human rights records, all of us with an Internet-connected computer have a printing press and a radio transmitter in our own home,” says Geers. “If you have a picture to show or a story to tell, you can put it in everyone's living room today. The smallest person on the planet can ruin the day of the president of a powerful country, just by stating a fact which runs counter to their narrative.”

Can governments really break encryption?

Although much research is still conducted in secret, government-approved encryption ciphers like AES are now normally published.
There will always be suspicion that the NSA has inside knowledge of a backdoor, but the combined might of the private-sector cryptanalysis community may well identify artificial weaknesses.
Or it may not - the NSA recommended IBM make changes to DES. Those changes that were not fully understood until many years later, when differential cryptanalysis showed that the amended version was much more resistant to attack than it would have been otherwise. Cryptographer Bruce Schneier wrote:
"It took the academic community two decades to figure out that the NSA 'tweaks' actually improved the security of DES."
However, the agency has been accused of deliberately weakening cryptography by including a potential backdoor in a random number generator for use in producing encryption keys, leading to speculation that similar weakness may be hidden in other algorithms.

That is a sharp double-edged sword. The Western governments which cheer on the free flow of information from oppressed citizens abroad, have been equally troubled by WikiLeaks, Anonymous and similar organisations.

Governments need to man up and get used to the new reality, Geers says. “The lifetime of a secret is fairly short compared to what it was historically when you could hope that no one would ever find out. The numbers of data points to work with are so many. If a government commits human rights violations or war crimes, they have to assume it's going to rebound on them much quicker than it ever would have. There are now so many more ways to gather information and to pass it on.

“I think these are great developments. I have to constantly remind people in government who are worried about cyber attacks that these are, I think and I hope, wonderful trends for the world.”

The thin blue electronic line

Law enforcement agencies are also finding themselves on the front lines, often pursuing international criminal syndicates with plenty of funding and the latest in technology. On the back foot, agencies continuously seek broader powers to investigate communications and electronic evidence, amid public concerns about unwarranted wiretapping and interception. The same techniques for waging electronic warfare abroad are being deployed domestically.

It's not all plain sailing for the authorities. Although it varies by country, privacy laws are being strengthened and precedents are starting to appear which strengthen the public's position. In the US, the FBI was stymied recently when, unable to decrypt a suspect's hard drive, an appeal judge overturned a ruling that the suspect had to surrender his password.

Faced with defensive technology like strong encryption, the feds turn, inevitably, to other weapons, such as Trojan horses to deliver key-stroke loggers, which in turn capture passwords, and demanding assistance from ISPs and telecom network operators.

Unfortunately, every country covers the spectrum of good and bad. Restricting access to technology in the name of civil rights can hinder legitimate law enforcement, Geers says. For every corrupt official, there is an honest cop doing his best for the community. “Even in Zimbabwe, in Ethiopia, in Belarus, in Russia, you still have a lot of real crime that needs to be policed. Law enforcement there needs powers to follow real criminals. What we need is responsible government, and unfortunately that's not always the case.”

Humint is fashionable again

Early cyber warfare

Computers in warfare dates back many decades.
Alan Turing, working at Bletchley Park in the UK, pioneered the use of massive computation to break the German Enigma codes, changing the course of World War II.
In 1982, a Siberian pipeline exploded dramatically, allegedly the result of a CIA project. Having received advance warning that the Soviets planned to steal sophisticated control software from a Canadian firm, the agency allegedly worked with the developers to plant Trojan horse code which would damage the pipeline.

Used correctly, cutting-edge technology in the hands of a capable criminal is a daunting prospect for law enforcement, says Geers. That has meant a resurgence of the role of human intelligence (“humint”, as opposed to “elint” - electronic intelligence), and more traditional intelligence-gathering activities.

LulzSec, a hacking group loosely affiliated with Anonymous and responsible for a number of high-profile Web attacks, was rocked to its core when it was revealed that Hector Monsegur, the group's leader known as “Sabu”, had been operating as an FBI informant for months, and co-ordinating LulzSec activity under the agency's watchful eye all along.

Expecting technical attacks, the group was completely vulnerable to (and outmatched by) the co-ordinated efforts of a modern intelligence agency. Even so, the paranoia and tradecraft of some LulzSec members helped reduce the damage, but the group was badly hurt by the revelations. “The Sabu case was brilliantly exploited,” Geers agrees. “It was just extraordinary. When you combine two disciplines well like humint and computer network operations, you have a very powerful tool on your hands.”

Right now, a precarious balance exists in the cyber arms race, with several active fronts and steadily improving weaponry. Stuxnet and Duqu may be anomalies, but the level of sophistication showed by the private sector (though often with a government background) at events like Pwn2Own are also impressive.

Is South Africa lagging in the cyber warfare arena? The National Cyber Security Policy Framework for SA has only just been approved, but is still at a very early stage. “Governments who haven't had the opportunity to think much about cyber security and cyber war will be at a disadvantage,” warns Geers.

Share