We Are in Early Years of International Cyber War Arms Race, Says Security Expert Bruce Schneier
Countries are not attacking each other but striking at the IT infrastructure of enterprises in rival states, says security pundit Bruce Schneier
Cyber attacks—such as that on Sony Pictures in 2014—suggest the world is in the early stages of a cyber war arms race.
So said Bruce Schneier, chief technology officer of Resilient Systems: "We are in the early years of a cyber war arms race.
"There is a lot of nation state rhetoric, and we are seeing a lot of nation state attacks against non nation states," he told Infosecurity Europe 2015 in London.
Schneier cited North Korea's attack on Sony Pictures, China's attack on Github and Iran's attack on Saudi Aramco as examples.
"There is a lot of this back and forth, where countries are not attacking each other, but attacking companies in those countries—and I think we are going to see more of that," he said.
Schneier warned that, as nations build up for cyber war, commercial companies need to prepare for raids on their IT because they are within the "blast radius".
He said there needs to be more policy discussions around the issue and, while the US is having some "pretty impressive" discussions in Congress about surveillance, there is not enough discussion about vulnerabilities, resilience, defence and how to maintain a military cyber option.
Schneier said the cyber attack on Sony Pictures illustrates a lot of the problems and themes that affect incident response, and he delved into what he called a "good story" in some detail.
Anatomy of a state cyber attack
Although he was among those who initially cast doubt on US claims that North Korea was behind the attack, Schneier said he now believed the US gleaned the information needed for attribution from spying on the South Koreans—who were spying on the North Koreans—and a source in the North Korean government.
The first thing to note about the attack, he said, is that the initial strike was made through a spearphishing attack in September 2014 that went "completely undetected" by Sony. This enabled the attackers to obtain administrative credentials "pretty quickly" and spend a lot of time mapping the corporate network and planning their attack.
Schneier said the attack began only about two months later in November 2014, with the destruction of hard drives and servers in the Sony network. "As soon as the skull and crossbones started appearing on screens, savvy employees pulled the plug and that ended up saving data," he said.
The first major leaks began on 1 December 2014, proving that the attack was much more than a destructive campaign. "The data is actually being picked at this point to provide fodder for headlines," said Schneier.
"Executives' salaries is a big deal—especially when you pay your female executives less than the male executives."
Cyber assault aftermath
On 3 December 2014, more data was leaked, including passwords and accounting information. "Another security tip—do not put your passwords in a clear text file marked ?passwords'. You just look stupid," said Schneier.
"On 19 December—three weeks after the attack—finally we have official US government attribution," he said. "And on 22 December, North Korea was the victim of a denial of service attack.
"The US denied that it was behind this attack. We just know that North Korea fell off the internet for two days—it could have been coincidence. Nobody knows."
The next development was the US imposing fresh sanctions against North Korea in retaliation for the cyber attack on Sony Pictures.
"A February Sony earnings statement said the cost of the investigation and clean-up was $15m," said Schneier.
"I actually don't believe that. It's impossible it was that cheap."
A guide to 21st century conflict
This incident, he said, encapsulates a lot of the themes and some of the surprises of cyber conflict in the 21st century.
Schneier said there was a lot of "sabre rattling" in the US and "scary" talk of "cyber warfare"—despite the fact that the target was not critical national infrastructure.
"Who actually thought that the first major cyber attack in the US would be against a movie company. Not on our list of critical infrastructure," he said.
Schneier noted that, unlike most cyber attacks, the objective was not theft, but "coercion, embarrassment or just pure damage".
"Not the sort of threat we tend to worry about. But we are all vulnerable to this sort of thing. I don't believe that any of us could have withstood this sort of attack by this sort of adversary," he said.
He described the attack as a highly skilled, highly focused attack. "Against that sort of attack, it does not matter if your security is relatively better than anybody else's. What matters is if your security is better than the attackers' skills," he said.
"But we all know that a sufficiently skilled, funded, motivated attacker will never fail to get in. The challenge is how to deal with it."
The spread of cyber incursion tactics
Schneier said another important point what he called the "democratisation" of tactics.
"It's not that we are fighting a cyber war. It is that we are increasingly seeing war-like tactics in broader cyber conflicts," he said.
"We are living in a world where you can be attacked, and not know if it is a nuclear-powered government with a $20bn military budget or a couple of guys in a basement somewhere, and that's freaky. Technology is broadly spreading capability, and the same tactics and weaponry are used by everybody."
Schneier said this had given rise to threats from groups such hacker collective Anonymous against the likes of Isis and Nato. "This politically motivated attacking is real and very important. We are seeing it against governments, corporations, institutions and individuals, for all sorts of reasons," he said.
Schneier said attribution is always difficult. "It took the US government three weeks to announce that North Korea attacked Sony. When you are being attacked, you have milliseconds to respond," he said.
"Three weeks is not going to cut it."
Cyber defence without attribution
Schneier said it is typically not clear who is attacking and why, which makes defence difficult. "This means we need good defence without attribution. We need good incident response without knowing who did it. Fast, flexible, effective, technical and non-technical," he said.
In this regard, Schneier said a lot of failures were exposed inside Sony's organisation. "They had no incident response plan. Team cohesiveness fell apart immediately because there was no team response," he said.
"What we want is resilience in our networks, resilience in our systems, resilience in our institutions—and you don't get that without some co-ordination."