Starting in late 2014, the Russian-backed rebels in eastern Ukraine seemed to be uncannily able to locate and destroy opposing Ukrainian artillery. The Ukrainians were taking huge losses -- over 50% of their artillery and 80% of their D-30 howitzers.
Why? As the war was getting started, a Ukrainian wrote an Android app to speed up targeting for the D-30; it reduced targeting time from several minutes to a few seconds. Unknown to the Ukrainians, the Russians placed a piece of malware, called a Trojan, inside the app for targeting the howitzers. The Trojan was distributed with the app to Ukrainian forces and widely used for nearly two years. It took that long before the Ukrainians discovered that the embedded malware was also communicating location information to Russia.
The cyber security firm, CrowdStrike, found the trojan and later released an intelligence report detailing how cyber malware contributed to these battlefield losses. When the news of the Howitzer exploit reached him, Richard Stiennon, author of There Will Be Cyberwar, tweeted, “This my friends is cyber war.”
Think about the role of software developers, coders, in the military on both the Ukrainian and Russian sides: one group created an app to speed up targeting and another wrote a Trojan to communicate location data. Both proactive cyber measures were successful. What was not successful was Ukrainian cybersecurity. The malware was inserted into the app, distributed throughout the forces, and remained undiscovered and operating for nearly two years. The Russian code used in this battlefield application was written for only one purpose. It could not have been discovered by ordinary virus scanners. It was persistent.
I like this story probably because I can understand it; I can imagine just how this could happen. I know how I click a button and download software to update my PC; when I think about the gazillion weapons systems used by the military, how most of them have an electronic component and how they might be compromised, it makes me a wee bit nervous.
We know about the D-30 howitzer exploit because it was uncovered and the story told by a private company, CrowdStrike, the same security firm that identified the Russian hack of the Democratic National Committee. CrowdStrike identified the Russian entity infiltrating the app as FANCY BEAR, the same entity that hacked the Democratic National Committee in 2016.
The involvement of CrowdStrike and FANCY BEAR illustrates how lines of responsibility for cybersecurity have become blurred between public and private, between civilian and military, between government and corporate.
CrowdStrike is a private cybersecurity firm. FANCY BEAR is what is known as an APT, or Advanced Persistent Threat. Far from being a 400-pound guy sitting on a bed in his mother’s basement, an APT is like a standing army of cyber soldiers.
The term APT was coined in 2006. An APT is generally funded by a nation-state, in this case, Russia, and consists of programmers working full time to burrow into other countries' systems. Once in, they lie in wait and spy on their target, often exfiltrating industrial or military secrets. The primary advanced persistent threats to the U.S. come from China, Russia, North Korea, and Iran. Other APT groups are funded by Israel and Saudi Arabia and no doubt many more.
APT1, the first named as such, is Chinese Unit 61398, identified to the public by the private firm Mandiant after it attacked the New York Times. The satellite footprint of Unit 61398 showed it to probably be staffed by more than a thousand programmers. Mandiant discovered that APT1 had had access to the NYT system for 356 days and downloaded roughly 3 billion pages before it was discovered. APT1 had been in another company’s system for nearly 5 years. Furthermore, APT1 is just one of several APT groups deployed by China. At the time of its report, in 2013, Mandiant was tracking 20 distinct Chinese APTs. You may remember one of them hacked the Federal Office of Personnel Management, getting the complete HR files on 21.5 million military and civilian employees, files known to even contain fingerprints. Imagine having a Rolodex of every soldier and spy in your enemy’s army.
In fact, the Chinese have stolen just about every industrial secret worth stealing over the last few decades. They don’t even attempt to hide it. I remember when they promised to buy ATM software from ACI when I was working there in the 1990s. ACI’s BASE24 was the only software able to manage ATM transactions at that time.
But before they would buy, they said they had to see it run in China on their hardware. I asked our directors not to send it; I said they will steal it. But Dale took tapes to China, installed the system (a process they could never have done themselves) and ran it. Dale came home with his install tapes. We never heard from the Chinese again.
Considering that the heart of any cyber operation is in a team of human beings, the advantage in cyber development goes to the nation with the largest and best-educated population. This points to China and India. Considering that the attack surface in cyberwar is electronic, the U.S., with the most dense electronic environment, is most at risk.
Richard Clarke, former national coordinator for counterterrorism and assistant secretary of state for Political Military affairs, wrote:
“While it may appear to give America some sort of advantage, in fact cyber war places this country at greater jeopardy than it does any other nation. Nor is this new kind of war a game or a figment of our imaginations. ... If we could put this genie back in the bottle, we should, but we can't. Therefore, we need to embark on a complex series of tasks: to understand what cyberwar is, to learn how and why it works, to analyze its risks, to prepare for it, and to think about how to control it.”
One serious weakness of cyber weapons is that once used they may be discovered and disarmed. Think about how many times you are asked to enter your username and password, as I do for our bank. The system determines whether I am an authorized user and what I am authorized to see. Managing authentication to allow approved users in and keep hackers out is a never-ending challenge.
Sometimes a vulnerability is discovered, a hole which allows unseen entry to a system. Normally when a new hole is discovered the owner of the software is notified privately, and we count the days this exploit has been “in the wild” without being stopped. Thousands, perhaps millions, of vulnerabilities are known and classified, and the holes have been plugged with a software update or guarded against by a virus scanner. But if the hole is unknown, it is called a zero-day exploit.
The NSA, our strongest APT, was known to keep zero-days under wraps if it discovered them. If the hole was in Microsoft Office, for example, they might not tell Microsoft. They might keep it as a zero-day exploit, so they could use it to burrow into enemy systems.
As a policy matter, the use of offensive cyber-attacks is expensive. Trump recently ordered a cyber-attack against Iran to stop them harassing tankers in the Gulf. We don’t know what Iran now knows about our cyber capabilities inside Iran. We don’t know what trojans they found, what zero-day exploits they uncovered and expunged as a result, but we know that offensive attacks run at great risk and should be used with care.
How many of you have heard about Stuxnet? Stuxnet was reputedly created by the U.S. and Israel, and it was used to physically destroy centrifuges used to refine uranium in Iran. This hugely successful effort required one or more zero-day exploits to carry out. This attack, however, delayed Iran’s development of weapons-grade uranium for over a year and may have paved the way for the nuclear deal with Iran.
The Stuxnet story illustrates another characteristic of cyber conflict. Cyberwar can blur the line between physical and virtual attacks. Electronic interfaces for industrial systems use SCADAs, Supervisory Control and Data Acquisition modules. By manipulating the SCADAs inside Iran’s uranium refining centrifuges, Stuxnet, a piece of software, made some centrifuge hardware wobble unpredictably, and break. The Iranian engineers thought the problem was physical and it continued for months undetected. Cyberwarfare can affect our physical as well as virtual world.
John P. Carlin, the former assistant attorney general who initiated prosecution of China for cybercrimes and wrote Dawn of the Code War, identifies six fundamental issues when dealing with cyber conflict. Distinctions blurred by cyber conflict include,
We know that when we have been attacked by traditional means, as on 9/11, Americans respond by pulling together and going after the enemy. But cyber conflict has been kept under cover. Companies that have been attacked rarely publicize the fact. Our government has been quiet about it as well.
Consider the blurred line between domestic and international. In 2013, North Korea launched a hellacious attack on SONY Pictures in the U.S. SONY had developed a film, called The Interview, which made fun of the N.K. leader. In turn, N.K. launched an attack that entered each and every one of over 50 SONY systems in the U.S. and Europe; then it connected to every user machine logged into that system. It wiped clean every hard drive, and deleted the master boot record behind it. The attack caused over $40 million in actual costs and more in lost productivity. Further, the threat to attack theaters where the movie would be shown caused SONY to withdraw the film from normal circulation; SONY did not even recoup production costs.
How are ordinary companies supposed to secure their systems from nation-state actors like N.K.? According to a U.N. report, N.K. has funded its nuclear program through ransomware attacks, leeching over $2 billion in profits from over 17 countries.
Blurred distinctions, between peace and war, public and private, virtual and physical, make it difficult if not impossible to answer a question posed by the Foreign Policy Association: “Is the U.S. a net winner or a net loser as a result of the struggle in cyberspace?” But we know the truth of Richard B. Andres' suggestion that Americans' “assumption of permanent preeminence on the geopolitical stage” is not assured when we are facing a world with cyber threats.
Our defense department budget will drop to $700 billion in 2020. Of this, the cybersecurity portion will be 9.6 billion, with an additional 7.8 billion on cyber-related activities in the rest of the federal budget for 2020. Much of the DOD money is used for new weapons, but you may have noticed that our geopolitical problems of late tend no longer to yield to ships, planes, and bombs, the way they did in WWII. If the purpose of waging war is to change behavior, contrast our military stalemates with the staggering success of Russia’s cyber and information campaign against the U.S. in the 2016 election and against Britain in the Brexit vote.