At the end of the Cold War, the US computer-security firm Symantec bought a bunker from the UK’s Ministry of Defence. It was perfectly suited to its work: secure, cheap, in an isolated part of southern England and built to withstand a nuclear attack. The company has since moved out, but it might have been a shrewd move to keep it. Because lately, the information-security cold war has turned hot.
In the 25 years since researchers first identified them, computer viruses have for the most part been little more than a nuisance for businesses. The computer-security industry, led by firms such as Symantec and McAfee (now owned by Intel), did a pretty good job of dealing with the problem and made handsome profits as a result. But towards the end of 2010, something changed that put the shadowy world of IT security in a whole new light.
When Julian Assange, founder of the whistleblowing website WikiLeaks, announced he had obtained confidential US diplomatic cables, few people in the IT-security industry paid much attention. It was, after all, not the first time Assange’s website had courted controversy. But within months they were caught up in a conflict between WikiLeaks’ online backers, known as Anonymous, and companies that had severed their relationships with the site after its release of the cables. Amazon, PayPal, MasterCard and Visa all came under attack from online activists – or hacktivists – using viruses and other malware to disrupt businesses’ websites in a campaign known as Operation Payback.
“The Anonymous attacks are making firms think carefully about what they are doing,” says Ed Savage, a security specialist at PA Consulting Group. “The world is becoming more dangerous day by day. Techniques that were once the preserve only of the very well-resourced [cyber attacker] are now available to anyone, and you don’t need technical knowledge to use them.”
But if the swift reaction to ‘Cablegate’ and the subsequent commercial fallout surprised some, including many businesses’ IT teams, it was only the most visible manifestation of a longer-term trend. Experts talk of cybercrime, carried out by organised gangs, of cyber attacks and even of cyber terrorism and cyber war. Cybercrime is driven by simple financial greed, but cyber attacks usually have more complex motives. The Irish political party Fine Gael, for example, was targeted in January.
Evidence of cyber terrorism is hard to obtain, as governments and commercial organisations are unwilling to admit that they have been victims, but it is by no means a new phenomenon. Criminal investigations in the West suggest that terrorist groups are using hacking and computer-virus tools. US authorities, for their part, have been tracking cyber-terrorist organisations, including some with links to al-Qaeda, since 2001.
A paper written in 2006 by Dorothy Denning, a researcher at the US Naval Postgraduate School’s Center on Terrorism and Irregular Warfare, points out that the Slammer worm, although not connected directly to any terrorist group, disabled 911 emergency phone systems in the United States and, more frightening still, shut down safety systems at a nuclear reactor.
In Europe, the British government’s Strategic Defence Review elevated cyber terrorism to the tier-one category – that is, incidents considered most likely to happen – and led to an extra £500m (€600m) of funds being committed to cyber defence.
Authorities overseeing the 2012 Olympic Games are making cyber security a priority – indeed, the organising committee in London has described a cyber attack as “inevitable”. Even if there are no human casualties, such an attack could cause massive disruption. At the Beijing Games, 400 ‘events’ aimed at disrupting the competition were blocked each day.
But it is cyber warfare, rather than cyber terrorism or hacktivism, that is causing growing concern among politicians, as well as among businesses that rely on the internet and the security experts who advise them. One such expert is Ilias Chantzos. As Symantec’s main liaison officer with governments and the military outside the US, a key part of his work is understanding the new dimensions of cyber attacks and how governments and security forces should react to them.
A barrister by training and a keen student of military history, Chantzos is certainly no geek. Speaking as he returns from a round of meetings in Brussels, his references range from the 19th-century German military strategist Carl von Clausewitz to Sir Francis Drake. “I am literally just out of a meeting with the military,” he says. “In the last two weeks, I have talked to the military more than I usually do.”
His thinking – like that of many of his colleagues – is concerned less with the raw technicalities of computer science and more with motivations, balances of power and the use of weapons for strategic advantage. The language of computer security is changing into the language of cyber defence. As such, Chantzos’s themes would not be out of place in a lecture at an army staff college. It is just that the weapons he talks about are not field guns or tanks but pieces of data or code, which are potentially just as deadly.
“It is very possible that there are links between criminal activity and areas where [attacks] need state sponsorship,” he warns. He cites the cyber attacks on Estonia in 2007, and on Georgia the following year, as evidence that such attacks are being used for political, rather than simply criminal, ends. “There is the specific case of Georgia, where cyber incidents were followed by a shooting war afterwards,” he says. “In Estonia it was the culmination of a political crisis. In Georgia, can you connect those attacks to military intentions and demonstrate that the attacks were as much a country’s intent as crossing the border? The official Russian position is that [the attacks] were not by their government.”
Chantzos cautions against jumping to conclusions about who is carrying out cyber attacks, whether they are directed at large companies such as Google or at specific parts of a country’s national infrastructure. A problem for those in Western nations tasked with mounting a defence against cyber attacks is that much of that infrastructure is in private hands. An attack could be driven by military or terrorist goals, but equally it could be the result of commercial rivalries. “Even when we come to military operations, cyber attacks could be focused on military intelligence or signals intelligence,” he points out. “They could be stealing industrial designs, as much as causing disruption.”
But there is one very serious incident that shows the power of cyber warfare – and for once, the finger of blame is being pointed at the West. Stuxnet was a computer worm that first came to light in July 2010. Even when anti-virus researchers first came across the code, it seemed unusual. Most computer viruses or worms go after sensitive data on computers, such as passwords, to help with identity theft or online crime. Or else they hide themselves, turning the computer into a bot, an unwitting vehicle for launching future attacks against websites or another part of the internet infrastructure.
Stuxnet, however, appeared to do very little to the host PC. And anti-virus researchers found a further, unusual trait. The worm was very simple, but contained a far more specialist piece of software, known as a payload. This only attacks devices called Programmable Logic Controllers, designed to run industrial equipment made by Siemens. Not only that, but the payload and the Stuxnet worm showed signs of being the work of two separate teams of malware writers. The high quality of the Stuxnet payload and its specialist nature led researchers to suspect that governments, or at least very well-resourced agencies with government connections, had developed it. The target: Iran’s nuclear programme.
“There is evidence that Stuxnet was built to target Iran’s facilities,” explains Mikko Hypponen, chief research officer at F-Secure, a computer-security firm. “Most of the devices it targeted are in elevators, pumps or centrifuges. But even then, Stuxnet does nothing unless it finds specific, high-frequency drives from two manufacturers, one Finnish and one Iranian. That company does not export, so these drives are not used outside Iran. They are used in high-pressure systems, or centrifuges.”
Last November, the Iranian government admitted that some of the centrifuges in its nuclear programme were shut down by Stuxnet; UN inspectors confirmed that the Iranian nuclear-fuel enrichment programme had suffered a shutdown. “I believe the reason was Stuxnet,” says Hypponen.
Researchers are wary of saying who they think is behind Stuxnet, although there are plenty of rumours online. Equally, experts are divided on whether Stuxnet represents the first salvo in a cyber war or forms part of a low-level, but no less dangerous, conflict being waged in cyberspace. Stuxnet could be an example of sabotage – of the type carried out by secret agents against foreign powers for hundreds of years – only this time, using the internet.
“For something to be cyber war, you would need to know which countries are fighting it,” says Hypponen. “If the army of country A attacks the army of country B [in cyberspace], then that is cyber war. And there are mechanisms being developed by the military for that.”
One reason we might only witness a full-scale cyber war at the same time as a conventional shooting war is that the stakes of cyber war are so high.
A cyber attack could be so damaging that an influential security body, the New York-based EastWest Institute, has called for an equivalent of the Geneva Convention for cyber warfare. This would provide for rules of war, along with demilitarised zones to protect vital humanitarian services such as hospitals.
Politicians and military strategists are going further still and considering circumstances when a cyber attack might justify a physical, military retaliation. But the difficulty of identifying who is behind an attack makes retaliation, and also deterrence, hard.
Instead of all-out war online, countries might instead embark on a series of tit-for-tat cyber attacks, sabotage attempts or spying using arm’s-length groups of deniable agents or even criminal gangs. “There may be evidence of potential funding, or encouragement, of people to hack countries that [their governments] are not so friendly with,” says Paul Hanley, director of information security at KPMG, the professional services firm. “And from a war perspective, if you can disrupt someone’s supply chains, it shows what power you have.” The result could be an ongoing, low-intensity conflict similar to the proxy wars waged in parts of Africa and Central America during the Cold War, when the threat of nuclear armageddon prevented US and Soviet troops from facing each other directly.
“I won’t comment on the modus operandi of any government,” says Symantec’s Chantzos. “But the notion of a cyber militia, a group of people with a specific objective in mind, has existed for a while. And the capabilities of social networks to coordinate them make the emergence of a cyber militia or cyber army more likely.”
For businesses, this presents a particular problem. In the event of an all-out conflict, in cyberspace or otherwise, emergency plans are activated and governments take control of defence. In a low-intensity conflict, private-sector organisations are in the line of fire, especially in industries such as power, water, transport, banks and telecommunications. They will need to take additional steps to protect themselves (see box, p65).
“Society has become ever more dependent on cyber technology,” says Graeme Matthews, a security partner at the consulting firm Deloitte. “But often there is an asymmetry between the interests of government and those of a private company. Governments might want higher degrees of IT security than companies feel able to provide, so either the state has to pay for that protection or it has to enforce it through regulation.”
Governments in Western countries are making efforts to improve the advice they give to businesses, and to use data on cyber attacks generated by businesses to improve public safety. Businesses, as well as the commercial IT security companies, gather thousands of terabytes of data on cyber attacks every day, which could be a vital early-warning sign that a group, or even a state, is gearing up for a large-scale assault across the internet.
But alerting businesses and governments to such an attack is one thing; preventing it is another. Now that cyber weapons have been developed – and quite possibly, used in anger – it might already be too late to disarm cyberspace. “In a combat situation, once you pull out a weapon you have to use it,” says Chantzos. “If you don’t, your opponent will. If you pull out the weapon, you have to be prepared to go all the way.”
For many people around the world, the internet has been a force for peace. But cyberspace looks set to be the next theatre of war.
FOR YOUR SECURITY
How to protect a business online
The online world looks increasingly hostile. Not only are cyber-crime gangs using the internet to obtain intellectual property or sensitive customer data, such as bank-account details or social-security numbers, but hacktivist groups are prepared to attack commercial companies to further their aims. So, it seems, are governments.
Most companies cannot respond simply by spending more money, and there are few guarantees that doing so would be effective. “Companies have to decide if building ever higher walls around their operations is affordable,” says Graeme Matthews, a security partner at Deloitte. “They might have to change the business model, and protect some areas more than others.”
Businesses should review their security procedures and make sure they are carrying out their current counter-measures as well as they can. In particular, IT heads need to check that protection systems still work properly if there has been a business change, such as a merger, outsourcing or a switch of technology.
Sharing information with other similar businesses, even if they are competitors, improves protection for everyone, suggests KPMG’s Paul Hanley, and it is a move governments are looking to encourage.
Staff should also be aware of security threats: a common scam, for example, is for criminals to loiter outside office buildings posing as market researchers and ask employees to take part in a competition. The questions are designed to reveal the employees’ IT usernames and passwords.
“The mistake many companies make is thinking security is a technical problem,” says PA Consulting’s Ed Savage, “but often it is social-engineering attacks or phishing scams. Even if you have data-loss prevention and anti-virus software, that won’t stop someone who can obtain a valid username and password.” Whether the aim is to stop cyber criminals or foreign agents, the best approach is to make sure physical and online security are joined up.
How Europe muscled in on the security-software market
US companies such as Microsoft and Oracle dominate most of the global software industry. But security is an exception. Specialist companies in the EU, Russia and Israel account for an increasing share of this important market.
“The European security-software market is highly fragmented and there are many, many players,” explains Eric Domage, an IT-security specialist at research firm IDC. “Organisations tend to buy different solutions and don’t want to have all their eggs in one basket. So there are many vendors, but also some leaders. In the last year or two, there has been a key change. The European ‘native players’ have been able to gain market share in Europe… and will now try to gain market share in the US, Asia Pacific and Japan.” Those are ambitions that 10 years ago would have appeared optimistic.
During the Cold War, Eastern Europe’s IT industry was closely associated with hacking, usually to gain intelligence from the West. Today, experts have gone from poachers to gamekeepers, producing companies such as Russia’s Kaspersky Labs and AVG of the Czech Republic.
Since Intel bought US anti-virus vendor McAfee last year, Kaspersky has moved up to be the second-largest ‘pure play’ anti-virus company in the world, after Japan’s Trend Micro. Kaspersky’s most recent full-year results saw a turnover of $540m (€400m), just over half the $1.029bn posted by its Japanese competitor Trend.
Kaspersky’s CEO, Eugene Kaspersky, studied at Russia’s Institute of Cryptography, Telecommunications and Computer Science. He then joined a research institute, where his computer was infected by a virus, Cascade. Kaspersky analysed the malware and wrote an application to remove it from his PC, laying the foundations for Kaspersky Labs. He leads the company’s anti-virus research and became CEO in 2007.
Security researchers are also making their mark at F-Secure in Finland. As befits a company that counts Nokia among its neighbours, F-Secure was one of the first to highlight the dangers of malware and viruses on smartphones. Today it has revenues of €130m and makes around half its sales through telecoms companies. Those in turn use F-Secure’s software internally or provide it as a service to their customers. Chief research officer Mikko Hypponen was one of the first European computer-security specialists to warn of the dangers of cyber warfare.
The UK, meanwhile, is home to security vendor Sophos. Since last May, it has been majority owned by venture capitalists Apax Partners; its most recent annual revenues, posted before the Apax deal, reached $260m (€193m).
Sophos, which is based near Oxford, counts some big names among its clients, including Cisco, Marks & Spencer and the US aerospace and defence company Lockheed Martin.
Its most public face is the UK-based senior technology consultant Graham Cluley, who also writes for the company’s Naked Security blog. Cluley beat actor/writer Stephen Fry to the title of ‘Twitter user of the year’ and is often among the first to alert the online community to new cyber attacks.
Other noteworthy security companies include Panda Security, which is headquartered in Spain but also earns substantial revenues from South America.
Israel also boasts a large number of world-class IT security companies, often highly specialist firms whose founders gained their early knowledge in the military. These include firewall-monitoring company Tufin; and Trusteer, which provides security technologies primarily for online banking. Meanwhile companies such as Check Point Software, which designs firewalls, and Imperva, which secures data, have operations in Tel Aviv.
One reason smaller, more localised security companies are gaining ground is because of concerns about the growing instability of cyberspace, suggests F-Secure’s Hypponen.
“When you are not at war, or in a crisis, borders don’t really matter so security vendors can come from any market,” he says. “But in a crisis, borders start to matter. You don’t want your security manufacturer to be in a country you might be at war with.”