We have all seen any number of stories about governments using cyber warfare to pursue their political and economic objectives. We know that countries have developed sophisticated cyber systems to influence elections, steal secrets and even attack the film industry.
What is less well known is that the equipment and techniques previously only associated with governments are increasingly available and are today being used by organised criminals to profit from our increasing dependence on the internet in every aspect of our daily lives.
Once governments realised the potential of cyber warfare to damage their enemies, at a fraction of the cost of conventional weapons, they poured significant resources into recruitment, training and the development of materials and techniques aimed at disrupting and degrading computer networks. They recruited “bedroom hackers” and provided them with undreamed of resources, developed original new software and used their control of computer manufacturing to produce rogue hardware.
Almost every spy story turns on the theft of secret government information. The theft of computer information might target highly sophisticated defence plans or the details of critical national infrastructure. The same process in the hands of criminals might reveal the passwords that open up our bank accounts.
Both situations result from the abuse of credentials; someone gaining access to a computer system by appearing to have the necessary authority. The same programme that might make a spy look like a trusted insider can be used to make a criminal look like us when accessing our bank accounts.
In the past, it was only governments that had the time and resources to develop and execute sophisticated targeted attacks. This involves detailed preparation and planning, probably by a large team with a range of diverse skills; and not only computer skills. The cyber attackers begin with a specific target in mind—in the past perhaps the Pentagon or the MOD—and first of all spend time working out what they need to know to gain access. This might involve a general list of names and email addresses or insider information on likely vulnerabilities.
With the relevant information, the project is then passed to a specialist team charged with gaining access to the network and infecting it with malicious software. Finally, a third team will be responsible for extracting the information as quickly and stealthily as possible—ideally, without the victim noticing until it’s far too late.
This brief description of a series of processes which are complex and time-consuming, taking months or even years to execute, shows the level of effort and cost involved. Previously only governments would have the patience and resources to mount such attacks. Now cybercriminals are doing so. A single individual or a small group can readily copy an idea or programme that it might have taken a government years, and huge resources, to develop. In turn, that malware will be sold on to criminals anxious to exploit the latest and most advanced means of attacking networks.
Organised criminal gangs, especially those associated with drugs or human trafficking, have human resources, money and the required organisational skills to launch large-scale attacks. Their target, however, is not the Pentagon—it is us: our identities, our bank accounts and the companies we use.
The programme “EternalBlue” used by a mysterious “hacker group” calling themselves the Shadow Brokers, is suspected to have been developed by the US National Security Agency as part of its efforts to identify vulnerabilities in proprietary software such as Windows. It was an integral part of the WannaCry ransomware attack in May 2017. This attack cost the NHS £100 million; within one day, it had infected 230,000 computers in more than 150 countries. A month later the same software was used in the NotPetya ransomware attack that severely impacted numbers of international businesses including Merck, Reckitt Benckiser, Maersk and DLA Piper. It is reported to have caused losses of hundreds of millions of dollars, with a total easily exceeding $1billion.
These attacks are both thought to have been initiated by nation-states—and the businesses affected were probably “collateral damage.” But these same powerful software weapons are available on the internet and are part of a “trickle-down” cyber-economy that is empowering organised crime.
Of equal concern is the increasing availability of rogue hardware, deliberately manufactured to contain malware capable of reporting back every keystroke on a computer to a remote controller or infecting an entire network. It has been known for some time that governments could oversee the production of computer peripherals such as keyboards, mice or USB sticks that would be “fixed” in order to control, report back or infect the host computer network.
The first successful use of a cyber weapon—Stuxnet, a malicious computer worm—was targeted to degrade and damage nuclear centrifuges engaged in uranium enrichment for use in Iran’s nuclear programme. The worm was delivered in USB sticks specially prepared for the purpose, thereby by-passing defensive “air gap” measures built into the Iranian system. Now such rogue hardware can easily be purchased on the internet for a modest cost.
The results of this proliferation are clear. It has been estimated that in the first half of 2018 more records detailing individuals’ names, addresses, age, sex and banking and credit card details were breached than in the whole of 2017. The increasing number, range and sophistication of cyber attacks means that ever more complex and expensive defensive measures will have to be taken.
Cybersecurity software is usually aimed at known threats, with regular updates as new threats emerge. Computer networks are like a batsman at the crease. No-one is quite sure what the bowler’s next delivery will be like. It seems to be generally accepted that organisations spend far more time protecting themselves against day-to-day relatively routine cyber problems that affect all computer users, rather than thinking about the bigger threats posed by innovative malware or rogue hardware.
Cybersecurity has to go beyond the known threats and find ways of protecting against the unknown unknowns. We need sophisticated protection and detection techniques for businesses to deploy. The time for businesses and governments to work in loose partnership tackling cyber threats is over.
Better coordination and information sharing regarding threats, techniques and technologies across industries will provide benefits. But it is perhaps time for these virtues to be reinforced by stronger legal obligations.