In the middle of the afternoon on Dec. 23, at least 80,000 Ukrainians suddenly lost access to electricity. It was, U.S. officials and other analysts believe, the most dramatic escalation in several years of the quietly growing international confrontation in cyberspace.
Power was restored relatively easily — once Ukrainian engineers realized they had lost computerized control of up to 30 electricity substations, they were able to use hand cranks and switches to regain access and bring the systems back online.
Still, U.S. officials and other cyber security experts say the Ukraine attack represented something they had long believed possible but had never yet seen demonstrated — a deliberate external cyber attack that shut down critical national infrastructure on which large numbers of civilians depend.
“It’s a real wake-up call,” Suzanne Spauldino, a former CIA official now under-secretary for the National Protection and Programs Directorate at the Department of Homeland Security told a cyber security conference in Washington in early March.
The U.S. government has moved quickly to brief both its own utility companies, and those of its allies, on the attack, she said. She stressed the importance of having physical systems such as hand-cranked controls that cannot be over-ridden by external attackers.
Particularly in the last half decade, protecting against cyber attacks has been an increasingly significant priority for corporations and governments alike. Attacks with a real physical impact such as the one that affected Ukraine remain remarkably rare. Attacks aimed at data theft and disruption, however, are now commonplace. Barely a week goes by without a major data breach at a company or government department — prompting firms and officials to consider new techniques to secure their systems.
Just as a physical switch can stop a hacker from taking control of an industrial process, keeping the most sensitive information “air gapped” on a system separate to the Internet makes it harder to steal. So, of course, does only using handwritten notes. When data needs to be accessed quickly and seamlessly, however, such solutions are relatively useless.
One emerging strategy was outlined at the same Washington conference by Valencia Haclin, director for homeland security and skill systems at defense firm Raytheon. Such was the speed and complexity of many attacks, she said, that it might no longer be possible for human computer security experts to keep track of systems or stay ahead of attacks. Basic artificial intelligence systems might ultimately prove more effective than human security specialists. Such programming could include “self-killing” systems that automatically shut themselves down or delete data once they realize they have been penetrated.
Behind such technical approaches and fixes, however, lies a much more awkward truth. Both the sophistication of such attacks and our dependence on these systems continues to rise at an exponential rate. And more than a decade and a half into the 21st century, we are still seriously struggling to come up with intellectual and policy frameworks to even begin to manage these challenges.
As well as providing evermore sophisticated tools for defense, complex algorithms and artificial intelligence programs could also be used to attack. According to researchers in Silicon Valley, the years to come could see multiple breakthroughs on this front. Already, some programs are able to teach themselves relatively complex games like “space invaders” without being given any prior information about them, deducing the operating principles and then learning to play them in a matter of hours.
It is probably only a matter of time before such technologies are weaponized. Many experts believe the answer may lie in the kind of international agreements used to control genetic engineering and biological warfare. But such agreements, even if they are ever achievable, are years away. For now, few countries trust each other enough to even consider disclosing what cyber weapons they genuinely have in their arsenals.
Already, cyberspace is a remarkably murky place. In the case of the Ukraine cyber attack, authorities in Kiev were relatively quick to point the finger at Russia — and given the geopolitical situation in the neighborhood, few Western experts or officials question that conclusion.
To what extent the attackers were under direct Kremlin control, however, is far less clear. They were certainly sophisticated — the malware they used, dubbed BlackEnergy, took advantage of several vulnerabilities in the Ukrainian electricity system’s Industrial Control System industrial control systems. These systems are used to control a wide range of industrial processes — indeed, BlackEnergy also seems to have been used against a Ukrainian mining firm last year, causing similar minor problems.
Western intelligence experts acknowledge that Russia, like China, has world-class cyber specialists within its military and spy services. Both countries, however, also have a reputation for using private sector or criminal hackers, sometimes turning a blind eye to their criminal activities provided they remain focused outside the country and are willing to occasionally freelance in support of government priorities.
Such an approach, Western experts believe, has given Moscow in particular the ability to dramatically step up its sovereignty misuse when it wishes to do so — for example conducting the 2007 cyber attacks on Estonia or on Georgia during the 2008 war. In a conflict as messy as Ukraine, multiple approaches are likely in play at once. As this private sector computer security report makes clear, multiple pieces of malware beyond BlackEnergy are now circulating within Ukraine from apparently multiple sources.
The United States has little moral high ground when it comes to this kind of warfare. Together with Israel, it is almost universally suspected of being behind the Stuxnet computer worm identified in 2010 and credited with causing multiple problems in Iran’s nuclear program. That attack — which appeared to be part of a much wider program of covert action by Israel in particular — seemingly prompted Tehran to retaliate in kind with cyber attacks on computers at Saudi energy firm Aramco and on some U.S. financial institutions.
None of these campaigns appear to be particularly well-controlled. According to the documentary Zero Days, which premiered this year at the Berlin Film Festival, several U.S. officials said Israel unilaterally chose to modify the Stuxnet worm to make it more aggressive, one of the reasons for its eventual discovery. According to their anonymous sources, Washington was furious — but some senior State Department and National Security Agency sources had been worrying all along about the ethics and wisdom of the action.
Getting to the bottom of incidents like this may never be possible. So far, however, the impact of such attacks has actually been very limited. Iran’s nuclear program, most experts believe, recovered relatively quickly from Stuxnet. An attempt to attack North Korea’s nuclear program in a similar manner failed outright, two sources familiar with the matter told Reuters in 2013. In December’s Ukraine example, engineers noticed the problem immediately, despite what appears to have been a simultaneous attempt to paralyze the telephone call centers to which customers would have reported the outage.
As ever more devices and systems are connected to the Internet, however, that may not remain the case. Finding a unified international approach on such issues, however, has never seemed so far away.
Source: Reuters