As far as Mikko Hyppönen is concerned, the story of nation-state cyber attacks begins with Stuxnet. It is, he says, the moment when computer scientists lost their innocence by using malware for offensive purposes. As reported last June, Stuxnet was part of a collaborative intelligence operation between the United States and Israel that deployed the worm beginning in 2008 and engaged it for the next two years to destroy centrifuges at Iran's Natanz uranium enrichment plant.
Hyppönen (left), the widely respected chief research officer at Sweden's F-Secure, says what is often missing in this story is whether Stuxnet actually killed people. It could have, as scientists might have been in the control room when the centrifuges spinning at high speed with uranium exploded.
“The countries launching these attacks, they must have known at least the possibility of killing people with this malware was there, and they went ahead and did it anyway,” he says. “And when they did that, I think we crossed an important line.”
Crossing that threshold was discussed in the White House's Situation Room once Stuxnet escaped into the world on the internet in 2010, according to David E. Sanger of the New York Times, to whom the White House leaked the story. It was the first time the United States had repeatedly used cyber weapons to cripple another country's infrastructure.
Consequently, Stuxnet triggered an unregulated cyber arms races in which nation-states are the big players, developing malware to use against other nations or their own citizens. Though short of cyber war, Hyppönen expects this activity to intensify in 2013 – and with more leaks to confirm the attacks, and from countries which haven't been active so far.
“It's quite clear that we have entered a new era of cyber arms race,” says Hyppönen. “And it's only going to get more and more active.”
There is presently no international treaty or agreement restricting the use of cyber weapons, which can be used for anything from espionage to disrupting a country's infrastructure or banking sector. Each government argues that it must join the race or lose, but the issue raises serious questions regarding attack versus defense, most notably in the United States, which, according to experts, has the best cyber offensive capabilities, followed closely by Russia, with China a remote third.
President Obama has said that the United States takes nothing off the table in responding to a cyber attack, meaning not only cyber. But, apart from defense, U.S. actions have followed the model of pre-emptive war previously articulated by President Bush.
Given this cyber arms race, the critical infrastructure for many nations is at stake, says Hyppönen. “In fact, the United States is actually the one with the most to lose,” he says. “It is much more dependent on computers than probably anywhere in the world.”
“I don't think we've really understood what it means when our own governments are using trojans against us.”
Hyppönen and others divide cyber attacks into three sources: criminals, hacktivists and governments. Focusing on governments, he draws three divisions: espionage between nation-states, so-called advanced persistent threats; governments creating malware and using it against their own citizens; and offensive cyber attacks, like Stuxnet.
Spying too has gone online, which is where information moved – from paper to data. There have been several reports of Russia and China sponsoring cyber espionage to ransack Western intellectual property. In 2009, for instance, hackers from an unnamed foreign intelligence agency made off with 24,000 confidential files from aerospace company Lockheed Martin. Investigators reportedly eventually traced the theft with a “high level of certainty” to known Chinese IP addresses. Less than two years after the hack, China unveiled its first stealth fighter, the J-20.
Espionage typically is carried out by both sides and not considered an act of war, but its online explosion is new and economically worrying, experts say.
The United States, for one, has its hands tied, says Martin Libicki, a senior management scientist at the RAND Corp., a think-tank in Washington, D.C. “What do you do to a China that is stealing our data?” Libicki asks. “Change policies in the trade realm?”
This state-led cyber espionage is not only sent across the world, but sometimes turned inward. Anti-virus software companies, like Hyppönen 's F-Secure, have found totalitarian regimes – such as Syria, Iran, Mubarak's Egypt, Bahrain – using malware against dissidents. These firms have also seen democratic governments doing the same
Germany's federal police agency, the Bundeskriminalamt, or BKA, recently solicited on its website for coders to write trojans for use in criminal investigations. The United States too has gone public in its solicitaions. Near the end of December, the Defense Intelligence Agency posted a request seeking a few qualified contractors to help design hacking and digital-intelligence technology to exploit mobile devices, among other platforms.
“I don't think we've really understood what it means when our own governments are using trojans against us,” Hyppönen says.
Further, nations have unlimited resources for designing malware, and they are hard to detect, Hyppönen says. Stuxnet went undiscovered for two years. Too, there have been other viruses since Stuxnet, all believed to be part of the so-called “Olympic Games” operation – which includes Duqu, Flame, Gauss, and Miniflame – commissioned in 2006 by President Bush.
Russia's Kaspersky Lab found Gauss while analyzing Flame in June, and the more surgical Miniflame in October. Gauss targeted the computers of Lebanon's largest banks, which may have been connected to Hezbollah or Iran. Flame, which evaded detection on the web for at least four years, was designed to infect computers in Iran's oil ministry and targets in the West Bank, Syria and Sudan.
Researchers at Kaspersky believe that while Flame and Gauss were coded by the same hands, and Duqu and Stuxnet by another writer, all were commissioned by the same state-sponsored entity.
These attacks seem to be ongoing, and the United States sees retaliation as possible. In October, the so-called Shamoon virus struck Saudi Aramco, the largest company in the world, wiping out 30,000 computers overnight – 75 percent of its total – and replacing all the files with an image of a burning U.S. flag. The source hasn't been proven, but two articles in the New York Times blamed Iran.
Soon after, Defense Secretary Leon Panetta warned of a cyber attack by a nation-state – a “cyber Pearl Harbor” – and said some of America's critical control systems have already been infiltrated. Yet what Panetta left out of his speech is the fact that the U.S. already fired the first shot.
Meanwhile, the National Security Agency (NSA) has its own program, dubbed Perfect Citizen. Documents released last month from the NSA to the Electronic Privacy Information Center, a privacy group, showed that the espionage agency is nearly finished developing technology that could protect the power grid from attack. The NSA says the technology will not monitor citizens, but given the agency's track record, privacy groups are concerned.
The U.S. posture is clear, but is there an alarmist nature to all this? “By and large there haven't been even small attacks on the critical infrastructure,” says RAND's Libicki. Who has the desire and capabilities to do such a thing – to shut out the lights on America?, he asks.
Al-Qaeda doesn't have the ability to accomplish that, he says. Russia and China do, but lack the desire. Iran or trans-national criminal organizations might have the capability, although that seems unlikely, because they wouldn't want the U.S. Army in their country.
In other words, cyber attacks don't exist in a bubble. With its actions since 2008, the U.S. government has pointedly shown that it has enough cyber and conventional weapons to make any attacker think twice.