In part two we will discuss the “Armageddon tiptoe”: how the threat we are now facing has been a long time in the making, the emergence of the nation state attacker and the emergence of offensive cyber weapons.
In many ways the current cyber landscape is the new cold war, but there isn’t one nation behind this; the whole world is in a standoff. We are in a situation that could best be likened to an international Cuban missile crisis, and we are all waiting to see who blinks first. EternalBlue, a piece of offensive cyber software developed by the US National Security Agency (NSA), has made its presence felt since appearing in the wild after being leaked by the Shadow Brokers hacking group. It has been used as part of ransomware attacks that have caused huge global disruption in a variety of guises, such as WannaCry and NotPetya. It has also been used as part of the Retefe banking trojan. Recently, in Baltimore (US), a vulnerability that EternalBlue exploited was reported to have been used to blackmail Baltimore’s local government. The attack used ransomware that blocked the platforms used to pay parking tickets, taxes, utility bills and other online payments. For any organisation this is devastating but, as we all know, local government is very vulnerable because an attack could affect its ability to supply vital infrastructure to residents.
Bad Good Guys or Good Bad Guys?
Put in real-life terms, how many nation states are researching and developing diseases that they might decide to use for attacks themselves? And if they are, and are inhibiting the effective development of a vaccine, what does that mean from a legal and an ethical standpoint?
The vulnerability that EternalBlue exploited was based upon a bug in the code of the Microsoft Windows operating system, and the NSA kept the discovery of this vulnerability secret for more than five years, essentially preventing the development of an effective patch (i.e. vaccine). During this time, businesses and organisations worldwide, such as our own NHS, have been devastated by criminal variants of this exploit. The NSA has never revealed how it lost control of its own tool. In fact, the NSA has said virtually nothing on the topic. Baltimore is naturally demanding answers. Meanwhile, the progress of EternalBlue and its illegitimate offspring continues to provide the rest of the world with a taste of the power of weaponised software when in the wrong hands, regardless of its initial intent. (It should be noted that we have not yet settled upon whose hands constitute the right hands.)
That is why we call them offensive cyber weapons: a tool has the power to effectively disable a city in the way we have seen EternalBlue do… and it was developed by a government agency.
Outsourcing the unpalatable or difficult tasks
Governments have always outsourced difficult work. This is standard practice and to pretend it doesn’t happen is naïve. Hollywood, whilst being a warped mirror in many ways (think of the ludicrous portrayal of MI6 in the James Bond films), does reflect some aspects of war, cyber war and military operations, and so phrases such as non-attributable black op, using mercenaries, plausible deniability etc. are now part of our ‘civvy street’ lexicon as much as they are a fact of life. Cyber warfare is no different. In the Second World War, Bletchley Park drafted in experts from the private sector to run the projects. The nuclear bomb was developed by scientists co-opted to Government research, and our iconic and beloved Spitfire was born of private sector development, thanks to RJ Mitchell. Offensive cyber weapons and tools are the same. The appearance of ‘legitimate’ or government-produced cyber weapons in the wild, being used by criminal gangs, has, for some, proved the association between governments and cyber ‘black ops’. It’s not just development but also the use of criminal networks to carry out attacks, attacks that the checks and balances provided by oversight bodies would not allow. It may be the result of a criminal gang being coerced after being identified… Back to Hollywood: remember The Dirty Dozen or The Wild Geese; jail, or you can go on this mission… Governments ‘determined to bring to justice’ criminal gangs are actually using them to perpetuate their aims. ’Twas ever so, but we need to accept that the evidence suggests cyberspace is not immune from this relationship and activity.
So, place the cyber lens on this and we have the situation where some nations have signed up to a convention on cyber weapons, but not all. Abstaining are America, China, Russia and North Korea (in short, ask your cyber security team where your hostile web traffic comes from and the countries it comes from are probably not part of the agreement). The Paris Call for Trust and Security in Cyberspace of 2018, aka the Digital Geneva Convention (more on agreements, protocols and conventions in part three), has the same Achilles heel as the 1925 Protocol: the nations we need to sign up won’t. However, their weapons may still impact all of us, as we saw with EternalBlue. Let’s not be naïve and believe that having nation states in control of cyber weapons will act as a deterrent, as it did with conventional weapons of mass destruction, because sooner or later a nation that doesn’t care about the consequences will own these weapons too and, as we discussed earlier, they are also in the hands of criminals. As we have seen with Sarin, and more recently with plutonium and Novichok, it’s only too clear that criminals and governments are capable of using these weapons despite them being illegal (imagine that, a criminal who doesn’t mind breaking the law…). A Kalashnikov or semi-automatic weapon used to be just for military usage; now crime gangs have them and fire rocket-propelled grenades to take planes out of the sky. Criminals don’t sign conventions.
In the final part we look deeper at the ‘Digital Geneva Convention’ of 2018 and how global political tensions are shaping citizens’ security in ways we could never have predicted.
MD of Advent IM, C3i Group on cyber security, cybercrime and cyber intelligence, Mike is also cyber spokesperson for the International Institute of Risk and Safety Management (IIRSM) and the Cyber Security lead adviser for the UK Government’s Surveillance Camera Commissioner.
Head of MarComms & Media for Advent IM, Ellie is also an Associate of the Security Institute and Institute of Information Security Professionals.