There has been a lot of buzz and chatter, not to mention heavy press coverage, around the US government's desire to fund research into and acquire "cyber weapons" - presumably for use against our enemies. While there are probably more questions than answers at this point, what is becoming increasingly clear is that the Pentagon, and by extension the United States government, has noticed that hacking isn't just for script kiddies anymore.
Cyber weapons acquisition isn't limited to the United States government, in fact, the Japanese have been reportedly quietly working on a defensive cyber weapon since about 2008, as reported by ZDNet. In this post I'll attempt to break down the issues at hand, and discuss some of the ramifications of digital weapons and put into context just what this means for your enterprise security strategy as your organization continues its onward march towards cloud/utility computing, mobility, and a larger presence on the Internet.
Background on Cyber Weapons
Before we dive into discussion, let's just quickly go over what a cyber weapon is.
Deconstructing the term "cyber weapon" may give us clues as to what exactly we're after, so let's do that. From the Wikipedia definition, a weapon is a "tool or implement used to inflict damage or harm..." which makes sense. Looking up the prefix "cyber" on Wikipedia tells us that it is a common prefix "...coined for 'electronic' or computer-related counterparts", again making perfect sense. So smashing the prefix and our word together we get "an electronic or computer-related tool or implement used to inflict damage or harm".
First there should be a discussion on whether these cyber weapons are being developed to be offensive or defensive in nature. Developing first-strike capabilities isn't anything new to the military complex, as we all know that every nation-state would prefer to strike first rather than be on the receiving end of an attack. Furthermore, no nation wants to fall behind in capabilities - we call this the arms race. We've had several rounds of this, the most notable being between the US and the former Soviet Union over the accumulation of nuclear weapons. Effectively, at that time the idea was to see who would blink first ...or go bankrupt.
Whether you're developing offensive capabilities, or claiming you're on the defensive - the name "cyber weapon" seems to imply a strike capability which implies its use as an offensive tool. Let's add to this the never-ending slew of reporting around state-sponsored espionage, crippling attacks against infrastructure and state secrets and this all gets very, very interesting. It also becomes very difficult to see a cyber weapon as a defensive capability, but I'll believe what they tell me... or not.
War in hexadecimal?
The reality is that a cyber weapon will in all likelihood not be the only solution deployed in a conflict. In fact, I'm fairly sure of that. In order to 'win' a conflict you generally need boots on the ground, guns drawn, and other components which I'd rather not go into. There are several authorities on "cyber war" if you're into that sort of thing... let's stay on the track of the cyber weapon, its capabilities, and its usage.
What do we expect an offensive cyber-capability to have? What, if anything, should be the limitations of such a weapon? Those are some very difficult questions to answer, so let's give it a try, shall we?
The capabilities of a cyber weapon can be whatever your imagination can cook up, but in order to be effective it will have to follow a formula with some basic components. A cyber-weapon will need to have a solid combination of stealth, flexibility, portability and scale. All of these are needed in equal parts to ensure the weapon is both effective and efficient while not exposing the user. Think about how much care snipers put into their equipment to ensure they're not easily discovered by a flash of light, or a muzzle flare ...the 'cyber' world is much the same only with slightly different parameters.
- Stealth - Any weapon, especially an offensive capability for cyberspace, must have stealth in spades. Being able to attack and then disappear into the bitstream is critical, and any such tool must not only create very little additional noise but must also leave minimal trace for forensic discovery. The stealth of an attack on the modern Internet landscape is directly proportional to how effective it is - a tool that launches low-stealth attacks is generally picked up and, if not detected immediately, flagged for further analysis relatively quickly. A noisy and obvious intruder rarely gets to cause much damage before walking away silently ... unless of course your intent isn't silent exfiltration. If you're planning on simply crashing a truck full of explosives (or the cyber-equivalent) through the front gate then stealth may just not be something you care about.
- Flexibility - Flexibility is important because there are a million billion trillion possible ways to configure everything on any given network, and once you add localized languages and customs on top of that, forget about it. You're going to need a weapon that can adapt to the environment it's working in, and the one it's being launched from. You'll want your cyber-weapon to have plug-ins, configuration options to the 9's, and a simple interface which will mask the complex array of configuration knobs behind it.
- Portability - Portability is absolutely key. Your cyber weapon must be able to be used from all manner of devices, platforms, operating systems and networks. You can't just assume that a cyber weapon is something that gets loaded onto a server, or maybe even a cloud platform to be used and never moved. The platform (weapon) itself must be able to move ...quickly ... in order to not be discovered and reversed so as not to fall into the enemy's hands. Portability also implies that you'll be able to take it from tablet to mobile handset, to web browser to fixed system without issues, so it can't be bulky or else it will suffer the same fate as those giant cannons in World War II which packed a wallop but took forever to configure for firing, and couldn't get out of the way of an oncoming attack and were thus sitting ducks for the enemy.
- Scale - Scale refers to the size of the output and the size of the weapon itself. A cyber weapon that turns out to be a 10Gb installable platform which takes a week to set up and configure doesn't scale well when you need to deploy a dozen or several dozens of them in a flexible (think cloud) environment for immediate use... the other end of the scale question is the capability of the attack. Sometimes you want to be a tiny ant crawling into the inner-workings of a monstrous mechanism to carry out critical information undetected, while other times you want to be the charging rhino aimed at demolition and destruction. Scale is important to give an understanding of capabilities.
Speaking of capabilities - the cyber weapon must obviously be capable. I omitted this from the 4 components above simply because I think it goes without saying that a spear with no point is just a blunt stick, and a cyber weapon without critical capabilities (think undisclosed 0-days as a start) is just as lame as a DDoS tool being leveraged against a website - ineffective in most cases unless your goal is to annoy. If the requirement for capability in a cyber weapon is high you're going to need smart people... lots of smart people. To acquire smart people, or at least their talents, you're going to need the thing that makes the world spin - money. Luckily the world governments are all printing it at spectacular rates.
So what happens if we all have one of these cyber weapons?
The beauty of cyber capabilities like this is that you don't actually have to tip your hand until something really bad happens and you're discovered. China has been rumored to have cyber strike capabilities for a long, long time and various forensics agencies have almost been able to prove it in the aftermath of some big breaches... but those are just the ones we know about.
Cyber weapons, at least really good ones, will be developed and used against nation states, enterprises, and even individuals without most of us knowing what's going on. That's the nature of this type of shadow operation. You don't physically leave a trail, or step on a tree branch... and if you're good no one out there ever has to know you exist. The other fantastic thing about hiding in cyber space is the notion of false-flag operations where you can breach a system in China then attack a nuclear facility in South Korea causing a massive catastrophic issue and no one would have to know you're sitting in Rio. This is the way of the new warriors... and as cheesy as it sounds, it's the reality we're all waking up to.
I can see it now: "cyber peace treaties" which are virtually impossible to uphold, or to verify if someone broke them - because unlike that secret agent you can get information out of, packets lie all the time. This makes the whole landscape of information security and technology that much more interesting. Does your organization have a vested interest in security? Soon the answer will be absolutely - for the sake of national security. Until then we'll just have to keep hoping we can at least keep our users from re-using their Facebook password to access the corporate R&D network.