Cyberweapons Power Up

If you haven’t heard of Project Aurora, this is a wonderful segment from 60 Minutes on this cyberwar project.

Faced with some of the worst case scenarios for cybergeddon, Idaho National Labs set out in 2007 to test what would happen to a 27-ton power generator if the researchers hacked into it from a mere laptop.

The turbine was sent instructions that would essentially tear itself apart–and in the video you can see what happened–it shudders, shakes, smokes, and ultimately destroys itself.

The test was a grand success demonstrating our capabilities to conduct cyberwar operations against an adversary.

Interestingly, Reuters reported the Symantec researchers “uncovered a version of Stuxnet from the end of 2007 that was used to destroy two years later about 1,000 Iranian centrifuges used in their Natanz nuclear uranium enrichment facility for alleged development of weapons of mass destruction.”

The flip side of this cyberwar test is the realization of the potential blowback risk of cyberweapons–where adversaries can use similar technology over the Internet against our critical infrastructure–such as SCADA industrial control systems for the power grid, water treatment, manufacturing, and more–and cause potentially catastrophic events.

As stated toward the end of the video, this is a type of “pre 9/11 moment” where we identify a serious threat and our vulnerability and we need to act to prevent it–the question is will we?

Cyberwar, You’re On


There was significant news this week about the U.S. and Israel making major inroads with cyberwar capabilities.

First, the New York Times today (1 June 2011) writes about alleged Bush and Obama administrations’ “increasingly sophisticated [cyber] attacks on the computer systems that run Iran’s main nuclear enrichment facilities”–sabotaging as many as 1,000 centrifuges, delaying their deadly program by as much as 2 years, as well as conducting cyber espionage to strengthen our negotiating hand.

The cyber offensive program code-named Olympic Games allegedly involved cyber weapons codeveloped by the United States’ National Security Agency and Israel’s advanced cyber corps, Unit 8200.

The malware included programs such as Stuxnet, Duqu, and The Flame and, according to Bloomberg BusinessWeek (30 May 2012), may date as far back as 2007.

These cyber attacks have been viewed as the best hope of slowing Iran’s sinister nuclear program while economic sanctions have a chance to bite.

Additionally, cyber attacks were viewed preferentially over using traditional kinetic military options and potentially causing a regional war in the Middle East.

At the same time, the use of cyber weapons is a double-edged sword–if we use it on others, this may encourage cyber proliferation and its eventual use on us–and as the NYT writes, “no country’s infrastructure is more dependent on computer systems and thus, more vulnerable to attack than the United States.”

Therefore, it was good to see in The Washington Post yesterday (30 May 2012) that the Pentagon’s Defense Advanced Research Projects Agency (DARPA) is pursuing Plan X–“ambitious efforts to develop technologies to improve its cyberwarfare capabilities, launch effective attacks, and withstand likely retaliation.”

“If they achieve it, they’re talking about being able to dominate the digital battlefield just like they do the traditional battlefield.”

The “five-year $110 million research program” is seeking to accomplish three major goals in arming U.S. Cyber Command at Fort Meade for cyber war:

1) Mapping Cyberspace–create real-time mapping of the entire cyberspace and all its devices for commanders to use in identifying targets and disabling them and seeing enemy attacks.

2) Building A Survivable O/S–Just like DARPA invented the Internet as a survivable messaging and communication system, so too, they want to develop a battle-ready operating system for our computers (like a tank) “capable of launching attacks and surviving counterattacks.”

3) Develop (Semi-)Autonomous Cyber Weapons–so cyber commanders can engage in “speed-of-light attacks and counterattacks using preplanned scenarios that do not involve human operators manually typing in code.”

Just to be clear, with cyber warfare, we are not just talking about computers taking out other computers–and ending there–but rather this is where computers take out computers that are controlling critical infrastructure such as the power grid, transportation systems, financial systems, supply chain, command, control, and communications, weapons systems, and more.

“Cyberwar could be more humane than pulverizing [targets]…with bombs,” but I doubt it will be.

Imagine, virtually everything you know coming to a complete halt–utter disruption and pandemonium–as well as the physical effects of that which would ensue–that’s what cyber war is all about–and it is already on the way.

So as Richard M. George, a former NSA cyberdefense official, stated: “Other countries are preparing for a cyberwar. If we’re not pushing the envelope in cyber, somebody else will.”

It is good to see us getting out in front of this cyber security monster–let’s hope, pray, and do everything we can to stay on top as the cyberspace superpower.

(Source Photo: Andy Blumenthal taken of mural at National Defense University, Washington D.C.)

A Cyber Security House Of Cards


Yesterday there were reports of a new “massive cyber attack” called the Flame.

A U.N. spokesperson called it “the most powerful [cyber] espionage tool ever.”

The Flame ups the cyber warfare ante and is “one of the most complex threats ever discovered”–20 times larger than Stuxnet–and essentially an “industrial vacuum cleaner for sensitive information.”

Unlike prior cyber attacks that targeted computers to delete data (“Wiper”), steal data (“Duqu”), or to disrupt infrastructure (“Stuxnet”), this malware collects sensitive information.

The malware can record audio, take screenshots of items of interest, log keystrokes, sniff the network, and even add on additional malware modules as needed.

Kaspersky Labs discovered the Flame virus, and there have been more than 600 targets infected in more than 7 countries over the last 2 years, with the greatest concentration in Iran.

This is reminiscent of Operation Shady RAT, a 5-year cyber espionage attack discovered by McAfee in 2011–involving malware that affected more than 72 institutions in 14 countries.

Separately, an attack on the U.S. Federal government’s retirement investments–the Thrift Savings Plan–exposed the privacy and account information of 123,000 participants to “unauthorized access”–and was reported just last week after being discovered as far back as July 2011.

Regardless of where the particular cyber attacks are initiating from, given the scale and potential impact of these, it is time to take cyber security seriously and adopt a more proactive rather than a reactive mode to it.

One can only wonder how many other cyber attacks are occurring that we don’t yet know about, and perhaps never will.

We can’t afford to fumble the countermeasures to the extraordinary risk we face in the playing fields of cyber warfare.

We have to significantly strengthen our cyber defenses (and offenses)–or else risk having this “cyber house of cards” come crashing down.

It’s time for a massive infusion of funds, talent, tools, and leadership to turn this around and secure our nation’s cyber infrastructure.

(Source Photo: herewith attribution to Dave Rogers)

SCADA Beware!

In case you thought hacking of our critical infrastructure and SCADA systems only happens in the movies, like with Bruce Willis in Live Free or Die Hard, watch these unbelievable videos of what Max Corne seemingly does to the energy, maritime infrastructure, and highway transportation systems. Max apparently is able to turn off (and on) the lights in entire office towers–one and then another, control a drawbridge (up and down)–and has people and cars waiting and backed up, and even changes traffic signals–from speeds of 50 to 5–as well as the message boards to motorists.

While I understand some have questioned the validity of these videos and have called them hoaxes, the point that I come away with is not so much whether this guy is or is not actually hacking into these computer and control systems as much as that the people and organizations with the right skills could do these things.

And rest assured that there are those out there who can perform these hack attacks–reference the Stuxnet worm that attacks Siemens industrial control systems such as those used in the nuclear industry (June 2010).

I also heard a story, which I don’t know whether it is true or not, about how a cyber expert personally dealt with a very loud and unruly neighbor who was playing Xbox 360 at 3 AM and keeping him awake. So the cyber expert simply hacked into his neighbor’s Xbox game over the Internet and set off a program so that whenever his neighbor tried to play it, a timer would automatically turn the Xbox back off again (neighbor turns it on again, hack turns it off again….), until at one point, the cyber expert heard the neighbor pick something up (presumably the Xbox) and throw it against the wall.

In this story the damage was limited; in other cases, as the Max Corne videos demonstrate (in terms of the realm of the possible), when hackers attack our critical infrastructure and control systems, the results can truly be life threatening, majorly disruptive, and can cause widespread chaos.

Every day, there are digital natives (in terms of their advanced computer skills) that are proving what they can do to bypass our firewalls, antivirus protection, intrusion detection systems, and more.

In the case of the hack attack on the Xbox, that was the end of the problem for the loud-playing neighbor keeping this other guy up at night, but in general, the unbelievable ability of some hackers to break into major systems, manipulate control systems, and disrupt critical infrastructure is certainly no game, no laughing matter, and something that should keep us up at night (Xbox playing or not).

The takeaway is that rather than demonize and discourage those who have the skills to figure this “stuff” out, we should actually encourage them to become the best white hat hackers they can be with it, and then recruit them into “ethical hacking” positions, so that they work for the good guys to defeat those who would do us all harm.