Security pros and government officials warn of a possible cyber 9/11 involving banks, utilities, other companies, or the Internet
There's a war going on, and it's raging here at home -- not in the streets or the fields, but on the Internet. You can think of it as a war on the digital homeland. If you work for a power company, bank, defense contractor, transportation provider, or other critical infrastructure type of operation, your organization might be in the direct line of fire. And everyone can become collateral damage.
A cyber war has been brewing for at least the past year, and although you might view this battle as governments going head to head in a shadow fight, security experts say the battleground is shifting from government entities to the private sector, to civilian targets that provide many essential services to US citizens.
The cyber war has seen various attacks around the world, with incidents such as Stuxnet, Flame, and Red October garnering attention. Some attacks have been against government systems, but attackers are increasingly likely to target civilian entities. US banks and utilities have already been hit.
"The cyber war has been under way in the private sector for the past year," says Israel Martinez, a board member of the US National Cyber Security Council, a nonprofit group composed of federal government and private sector executives.
"We're finding espionage, advanced persistent threats (APTs), and other malware sitting in networks, often for more than a year before it's ever detected," Martinez says. He says U.S. entities are being targeted on multiple fronts by China and Iran for espionage and intellectual property theft, by interests in Russia and Eastern Europe for syndicated crime such as stealing cash and identities, by social-agenda "hacktivist" groups such as Anonymous, and by increasingly skilled individual criminal hackers.
The cyber war now raging in the digital homeland
Such attacks have been going on for years, but what's new is the cyber war brewing between the United States and Israel on one side and Iran on the other, says Emilian Papadopoulos, chief of staff at Good Harbor Security Risk Management, a consulting firm focused on cyber threats.
Stuxnet, for example, was developed by Israel with US support to hobble Iranian nuclear facilities, according to the New York Times and several security experts who spoke to InfoWorld off the record. Iran also accuses the United States and Israel of the cyber attacks that took Iran's Oil Ministry and a major oil terminal offline, Papadopoulos says.
Iran or its proxies have apparently hit back with cyber attacks on U.S. banks, government officials say. Iran may have also been behind the Shamoon virus that wiped 30,000 hard drives and took computer networks offline for weeks at the oil producer Saudi Aramco, Papadopoulos says.
A 2011 attack on European certificate authority DigiNotar compromised the certificate system that underlies the Internet and enables users to trust in the identity of websites they visit and the source of communications they receive, Papadopoulos says.
"We have seen cyber attacks evolve from espionage attacks that steal intellectual property or monitor communications to disruptive or destructive attacks. ... Destructive and disruptive cyber attacks are relatively uncharted -- and troubling -- territory," he says.
The private sector owns and operates the infrastructure and systems that form the backbone of the Internet, and attacks on that system could break down trust in the Internet, with major economic and operational impact, Papadopoulos says.
"In the past six months, we've seen foreign attacks on oil and gas companies in the Middle East and on U.S. banks, including Bank of America, PNC Bank, Wells Fargo, Citigroup, HSBC, and SunTrust. How will we react if the next attack is against the electric grid, or our food and water supply?" he asks.
In recent months, cyber attacks have become much more sophisticated, says the Cyber Security Council's Martinez. In some cases, overseas attackers have taken over servers in the United States that they then used to launch secondary attacks, making it appear as if one U.S. company was attacking another.
"The good news is [security] teams in most Fortune 500 companies are able to detect this and reverse it, but this type of threat is going to be a very big problem for us over the next 12 months," Martinez says.
Another battleground in the cyber war is the software industry. Much as we saw with the APT attack against Adobe Systems' software last year and with the attacks using weaknesses in Oracle's client-side Java over the last several years, we can expect to see more attacks against trusted software providers such as antivirus vendors, says Pat Clawson, CEO of security products vendor Lumension. "The attackers want to get to the unparalleled access they have to their customers," he says. "Once the antivirus vendors' payloads are compromised, the devastation could be staggering." Such fears explain why the feds recently advised all Americans to disable the compromised Java in their browsers.
Such cyber attacks on US companies and their overseas partners, as well as on the Internet infrastructure, could be as devastating as the 9/11 attacks on the World Trade Center and the Pentagon, warned Leon Panetta, the US Secretary of Defense. And Janet Napolitano, the Secretary of Homeland Security, warned just last week that a cyber 9/11 attack could happen at any time.
Cyber attacks and counterattacks are escalating
With the digital homeland now a cyber battlefield, "the paradigm in the US must shift from defense to offense -- within internationally appropriate rules of engagement, of course. But offense will be necessary because a pure defensive strategy is not sustainable," says the Cyber Security Council's Martinez.
The US/Israeli cyber attacks on Iran are an example of such an offensive. But they likely unleashed attacks on the digital homeland in response. "It is nearly impossible for us to really know cause and effect here, but there has definitely been an escalating pattern of attacks," Papadopoulos says.
The escalation of attacks against private-sector targets is extremely troubling, he says. "If the attacks keep escalating and happening with more frequency and against more private-sector companies, we are putting at risk the stability and security of cyber space."
Nations have been testing each other's armor for a long time, more quietly than not, says Lumension's Clawson. Knowing your opponents' weaknesses is an important part of any defensive strategy, he says. That drives some of the offensive actions. Stuxnet, for example, "is a heavy engineering exercise that crossed never-seen-before boundaries ... malware that could do new things."
But such offensive tests can also help the governments attacked respond more effectively, Clawson says. "That massive engineering effort is now being reengineered against us." Martinez concurs: "In the case of Stuxnet, an offensive maneuver engendered an offensive cyber response." As another example, Clawson notes that the apparently Iranian attack on Saudi Aramco had elements of the allegedly Israeli/US Flame in its architecture.
Breaking the cycle of attacks and counterattacks
Ultimately, the solution to the cycle of cyber violence must be political, Martinez notes. Such attacks "are symptoms of a larger problem that must be resolved between ideologies of two very different cultures and people. ... In some cyber incidents, it's about the perceived or maybe true imbalance between corrupt power and common people. Balancing between these parties, toward the best interest and security of the common people, is a difficult task."
Until the conflicts are resolved, "almost everyone becomes a victim of unintended consequences during war, even cyber war," Martinez says. "Cyber war may be digital, but it is still a form of war."
Because cyber conflict is relatively new, interested parties need to focus more energy and attention on developing international norms that will say what is acceptable behavior and what is not, advises Good Harbor's Papadopoulos. That is crucial for maintaining a stable, secure, and trusted Internet, he says.
Although some experts are trying to apply international law to curtail cyber war, these efforts are advancing slowly, and each new attack and counterattack implicitly establishes norms about what is acceptable, he says.
Clearly, the private sector has a vested interest in a stable, secure cyber space and needs to advocate for international norms that will rein in cyber conflict and attacks on critical infrastructure and other companies, Papadopoulos says.
Playing defense at home until the cyber war ends
In the meantime, government policymakers and corporate CEOs alike need to think about and plan for escalating cyber conflicts and for disruptive and destructive attacks, not just espionage or intellectual property theft -- the major focus undertaken against advanced persistent threats and hacks in recent years. After all, more countries and groups will gain the ability to launch sophisticated attacks, Papadopoulos says.
Policies such as the 2012 Securities and Exchange Commission's Guidance on Cyber Disclosure now require many Fortune 500 companies to report any type of meaningful cyber threats in their organizations, Martinez says. This is leading to an "age of transparency -- whether we like it or not -- which is a good thing because we now share more information about attacks, which allows us to more easily target bad actors," he says.
Still, Papadopoulos says the cyber attacks on the private sector raise difficult questions: "What kinds of companies are fair targets? What kinds of attacks are acceptable?" Also, are companies liable when their services are disrupted by foreign attack? And who pays for clean-up, repairs, and compensation to affected customers?
Another key question: What is the government's role in protecting critical companies? In October 2012, Secretary of Defense Panetta said it was not the DoD's mission to provide for the day-to-day security of private and commercial networks, although he acknowledged the Pentagon had a role in the event of a "crippling cyber attack," Papadopoulos says.
Recently, there were reports of banks seeking help from the National Security Agency, Papadopoulos says. "How will the government's role change if we see more and more attacks against companies and they are more and more disruptive or destructive?" he says. That's a question many more people may ask if the world cyber war indeed escalates.
One thing is clear: The era of cyber warfare is here, and it's happening on the homefront.