The exposure by a Moscow cyber security company of widespread U.S. cyber espionage takes the debate about cyber warfare to a new level. Especially given the fact that the U.S. intelligence community is warning that Russia poses a cyber threat to the U.S.
A specialist works at the National Cybersecurity and Communications Integration Center in Arlington, Va. Photo: AP
U.S. Director of National Intelligence James Clapper’s recent statement that Russia could pose a cyber threat to the U.S. and can undermine its facilities with malware programs indicates that the cyber arms race between countries appears to be gaining momentum. This is a warning sign, especially given the mid-February exposure by Kaspersky Lab, the Moscow-based security software company, of the activities of the U.S.-based Equation Group, which has apparently been conducting unprecedented cyber espionage activities around the globe – including in Russia.
Surprisingly, despite the attention this cyber espionage has received in tech circles, it has received so far little attention from governments and other parties across the world. In fact, the discovery is so groundbreaking and important for non-technical community in many ways that it takes the debates launched by the revelations of National Security Agency’s former agent Edward Snowden to a whole new level. The full range of potential implications seems hard to grasp at this stage but there are a few immediate points worth making.
What we know – and what we don’t – about American cyber espionage
According to Kaspersky Lab researchers, the Equation Group’s malware capacities could prove to be the most sophisticated ever revealed and the full scope of their outreach is still under assessment. This is essentially a cluster of spying programs that have been in operation for some 14 years, affecting over 500 victims’ personal computers in about 30 countries with most infections detected in Iran, Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria.
Various worms targeted government and military institutions, telecommunication companies, critical infrastructure objects including banks, energy companies, nuclear researchers, media and Islamic activists. The companies whose disk drives have been affected reportedly include Western Digital, Seagate Technology, Toshiba, IBM, Micron Technology and Samsung Electronics.
The researchers seem to be as impressed by the discovery as the rest of the world: Kaspersky gave a highly professional live evidence of laboratory proven cases of the possibility to infect the hard drive’s firmware, the very heart of the computer, in such a way that after the intrusion the malware can’t be read back or removed. In fact, it resurrects itself repeatedly even after the reinstallation of firmware, physical destruction being the only way to beat it. The malware can wipe out the hard drive, or reformat it, or create a hidden space on the hard drive to store data necessary to capture the password and crack encryption – the capacities which are especially threatening to any critical infrastructure objects.
One of the programs in the group called ‘Fanny’ has been in action roughly since 2008 according to Kaspersky Lab’s Director of Global Research and Analysis Team (GReAT) Costin Raiu, and its aim has been to find out and infiltrate air-gapped networks and then infect them via USB-based command. One of the early manifestations of the infection appeared after a scientific conference in Houston, where the CDs later distributed among the participants were infected with the malware.
Researchers believe that some of the tested Fanny exploits were adopted later in 2010 for the Stuxnet and Flame programs. Therefore, even though Kaspersky Lab “doesn’t have hard proof to attribute the Equation Group or speak of its origin,” saying it’s very hard to attribute a cyber attack fully, it admits the technical signs of similarity with such malware as Stuxnet and Flame, widely recognized to be U.S. and Israeli programs activated against the Iran nuclear program in 2010.
This was also confirmed to Reuters by former NSA officials. In addition, the Equation Group’s launch roughly coincides with the U.S. Patriot Act adoption in the aftermath of the 9/11 attacks and related special services capacities expansion to fight terrorism.
Where is the US headed with its cybersecurity strategy?
The recent timeline of cyber-related initiatives in the U.S. offers some clues. On Feb. 10 the White House announced the planned launch of a new cybersecurity agency – the Cyber Threat Intelligence Integration Center– set up to deal with challenges such as the North Korean attack on Sony Pictures. (CTIIC was signed into existence on Feb. 25. – Editor’s note) In particular, this recent cyber attack from North Korea is widely seen as a “game changer.”
Seen by some as a redundant structure, the CTIIC agency is meant to fill in the cyber gaps where the rest of the special agencies lack expertise or capacities, according to Lisa Monaco, President Obama's homeland security and counterterrorism adviser. It would take care of focused intelligence, analyze cyber breaches by both state and non-state actors and feed them to other relevant agencies.
Three days later at the “cyber summit” with industry and government leaders at Stanford University in California (snubbed by Google, Yahoo and Facebook leaders), President Barack Obama called on the tech industry and community to consider privacy vs. security trade-offs and collaborate more actively with the government over encryption sharing data on existing cyber vulnerabilities.
On Feb. 15, President Obama said in an interview to Re/Code that the cyber summit was about “making sure that we have mechanisms for government/private sector cooperation, increased consumer awareness of how they can reduce their vulnerabilities, how we can build better defenses, how we can respond better and more resiliently.”
And then in the same context, President Obama admits that, “This is more like basketball than football, in the sense that there’s no clear line between offense and defense,” and “you develop sufficient defenses, the same sophistication you need for defenses means that potentially you can engage in offense.”
The point of this very thin difference between cyber offense and cyber defense is crucially important here, and not just because the U.S. possesses state-of-the-art capacities in both fields. The difference has been succinctly pointed out by Wired: “It’s a truism that the cyber battlefield is asymmetric—a defender has to get it right every time, while an attacker only has to succeed once.”
In other words, the U.S. (assuming that NSA stands behind the Equation Group) got it right, having invested in its cyber warfare for a long time. It has achieved groundbreaking results hardly matched by any other country cited as a cyber power at present.
It has explicably caused admiration in the tech community, and Bruce Schneier has even suggested that, “It's the sort of thing we want the NSA to do. It's targeted. It's exploiting existing vulnerabilities.”
“On the other hand, the NSA's definition of ‘targeted’ can be pretty broad,” Schneier added.
The Equation Group targeted spying capacity at firmware level is relatively modest for now and must have been run with extreme caution but complemented with the already known dragnet communications surveillance capacity draws a picture of almighty system of information control and manipulation.
In this sense, the Equation Group has achieved “the nuclear deterrence” in cyber: You need an R&D breakthrough at such a level to get into an unreachable bargaining position. While defense is costly and means constant catch-up, offense in this context sets one far ahead of potential rivals.
Do we need international protocols on cyber?
This, then, allows room to deliberate on the need, as Obama said in an interview with Re/Code, “to find some international protocols that, in the same way we did with nuclear arms, set some clear limits and guidelines, understanding that everybody’s vulnerable and everybody’s better off if we abide by certain behaviors,” set up institutions and engage the private sector to “have sufficient capability to defend ourselves” as defense tools – useful but complimentary in essence. Exercising collective restraints measures might not sound like a fair deal anymore in this context to the others.
In other words, the gauntlet was thrown unnoticed fifteen years ago, and certainly, the countries of the world will have to try to give some response now about how to amend and upgrade their cybersecurity strategies. However, there is little hope that it can be anywhere close to symmetrical at least present.
While eventually only a technical solution could possibly remedy a technical vulnerability, most probably, any short-term retaliation we can expect will be primarily political and diplomatic rather than policy-driven in a truly meaningful way. And it remains an open question for many which path to choose – the defense or the offense one.
Reportedly, Russian authorities are planning a review of the national information security doctrine in early March to meet the new geopolitical and cyber war challenges. However, Snowden’s revelations, cited publicly among the motivations behind the move, are just the tip of the iceberg and miss the point at this stage.
Preparing for the next wave of offensive cyber capabilities
It is hard to blame policy makers for inaction as they are by definition lagging behind technologists. However, the problem that has emerged with the revelations around the Equation Group is an almost existential one for cyberspace. The proven and widely publicised case of successful firmware infection with such functionality poses uncomfortable questions about the reliability of existing cybersecurity models especially in the context of critical infrastructure objects. This trust vacuum has not yet been fully grasped by the tech community, it seems, and it will take some time to see an articulated policy response.
But why would the Kaspersky Lab researchers, who have done a meticulous job filtering through hackers’ forums, analyzing hundreds of samples, reveal their knowledge of the malware now? The easiest interpretation would be to identify the move as politically motivated. However, Costin Raiu admits that Kaspersky Lab hasn’t seen new samples of the Equation Group’s infected firmware for about a year. This means that either the project has been shut down (which is highly improbable as the identified capacities are too powerful to waste) or the creators have switched to a new – yet unknown - set of tools. Which is even worse news.