NEWS FROM THE LAB - Saturday, July 14, 2012

Cyber Armament Posted by Mikko @ 14:58 GMT

Over the last 25 years we've seen a massive change in how we think about information.

In the 1980s, information was mostly still analogue. It was stored on paper, in binders, on shelves and in safes.

Today, of course, almost all information is digital. It's created and stored on computers and transmitted over computer networks.

From a security viewpoint, this means that secret information can now potentially be reached from anywhere in the world; you no longer have to physically be where the information is.

This means that espionage has also gone digital - and while we've seen several cases of nation-state espionage done with backdoors and trojans, we've seen only one documented case of a nation-state doing cyber sabotage with malware. That case is Stuxnet.

During my years in this industry I've seen multiple mysteries, but few of them have been as interesting as the case of Stuxnet.

F-Secure Labs estimates that it took more than 10 man-years of work to develop Stuxnet. Related attacks like Duqu and Flame might have taken even more.

Stuxnet had a "kill date" of 24 June 2012, which means the worm has now stopped spreading. But that has little significance, as the operation had already been active for years and reached most of its targets already by 2010.

Stuxnet is a good example of the thinking behind these new kinds of offensive attacks: If you want to disrupt the secret nuclear programme of a foreign nation, what can you do?

Well, you have a couple of options. You can try international pressure and boycotts. But if that doesn't work, then what? You can try a conventional military attack and bomb their facilities. However, attribution back to you as an attacker is a problem. So is the fact that you can attack only the facilities you know about.

Using a digital attack like Stuxnet has several advantages. Especially, it provides deniability.

Stuxnet was obviously a game changer. But what does it mean in the long term? I think we are now seeing the very first steps of a new arms race: The cyber arms race.

Just like modern hi-tech research revolutionised military operations over the last 50 years, we are going to see a new revolution, focusing on information operations and cyber warfare. This revolution is underway and it's happening right now.

We haven't seen real online warfare yet, of course. This is because thankfully we haven't lately seen wars between technically advanced nations. But any future crisis is likely to have a cyber component as well.

It's important to understand that cyber warfare does not necessarily have anything to do with the internet. Many of the more devastating cyberattacks can not be launched remotely, as the most critical networks are not connected to the public network.

Think along the lines of a special forces unit going deep into enemy territory with embedded geeks in the team, to dig up fibre-optic cable to be able to reach the systems that were supposed to be unreachable.

The main point of any arms race is to let your adversaries know about your capabilities so they don't even think about starting a fight. We're not yet at this stage in the cyber arms race. Almost all of the development in this area is secret and classified.

However, eventually it will become as public as any other defence technology. Maybe we'll eventually see public cyberwar exercises where a country will demonstrate their attack capabilities. Maybe we'll eventually see cyber disarmament programmes.

Defending against military strength malware is a real challenge for the computer security industry.

Furthermore, the security industry is not global - it's highly focused in just a handful of countries. The rest of the world relies on foreign security labs to provide their everyday digital security for them. For example, there are only around 10 virus labs in all of Europe, and the vast majority of the countries have no labs of their own.

On the internet, borders don't really matter. But in time of crisis, they do.

Mikko Hypponen
This column was originally published on BBC.