Cyber slings and arrows
Malware hits the Mac but is it worth worrying about?
The concept of cyber war is a 'to and fro' subject for us in the media.
On the one hand, we hear stories of espionage, state-sponsored hacking and Stuxnet-style malware that allow us to write stories about ‘a new cold war'. On the other hand, there is research that debunks the concept of cyber war, and points out a lot of the flaws in the research. A good point of reference for this is the talk at last year's Brucon conference.
A new angle for this came about last month, when the US air force announced that it was designating some cyber tools to be ‘weapons'. The concept of this does give us evidence of government awareness of the concept of cyber war and is further proof that cyber attack and defence is a serious business for governments.
Considering this new angle, I turned to some industry spokespeople to see what the view of this decision was. Bob Ayers, a former cyber intelligence officer for the US Army and the Defense Intelligence Agency (DIA), who recently revealed the truth about the state of defence by the UK government to SC, referred me to a Washington Post article from 2003. This stated that President George W. Bush had "signed a secret directive ordering the government to develop, for the first time, national-level guidance for determining when and how the United States would launch cyber attacks against enemy computer networks, according to administration officials".
Ayers said: “What makes this so interesting is not that it said ‘go away and build cyber weapons', it said ‘come up with the rules on how we'll use them'. You don't worry about rules of engagement when you don't have any weapons to engage with.”
I also asked US-based security blogger Jeffrey Carr what he thought about the news. He told SC Magazine that you can take Lieutenant General John Hyten ‘at his word'.
Asked if he felt that this was a method to gain a slice of the government defence budget, Carr said: “I've heard this - that it's difficult to justify expenditures and this sounds like a reasonable approach by the air force.
“The armed forces of dozens of countries have been adding cyber as part of their war fighting since before 2010, and that is continuing. The reports from security companies marginally affect that, but aren't the drivers in my opinion.”
From a vendor perspective, Jason Mical, vice president of cyber security at AccessData, said that as cyber crime has overtaken terrorism as the top threat in the government's eyes, reclassifying cyber tools as weapons "was a necessary approach".
He said: “Cyber criminals will not wait for the government agencies to catch up. Unless budgets are allocated to arm the government with the technologies to detect the new threats, they will continue to fall victim to these attacks.
“But just detection of these new threats is not enough; agencies have to have solutions in place to respond efficiently. Identifying a breach is important but quickly determining breach scope and deploying remediation tactics is critical. It is imperative that the agencies spend the necessary dollars to implement true cyber intelligence and response technologies.”
So if this is a case of clambering for budget, then perhaps this is a situation that CISOs will be all too familiar with. The circumstances may be different, but could you justify targeted attack defence, DDoS protection and forensic and remediation investment to be a realistic investment in light of current threats?
If so, you may not be far off from what the US air force has done in this instance. Commenting, Ed Skoudis, founder of Counter Hack Challenges and a SANS Instructor, said that concept "makes a lot of sense", especially "given that computer action can have a significant kinetic impact on the real world".
He said: “Manipulating computers, electrical distribution, water supplies, manufacturing equipment and more can be impacted just as significantly as if someone attacks them using a traditional weapons system.
“These kind of weapons and their effects are still being explored and understood, but they are definitely real, as indicated by this move.”
Does this make cyber war more real? Of course not, but it is a move by government to acknowledge that this is a challenge that needs to be met and the US air force has stepped into this with vigour. Whether it gets that budget allocation and this effort works remains to be seen.