Governments prepare for 'cyber cold war'

Security experts have warned that governments are regularly monitoring and attacking the critical national infrastructures of other nations

There has been a sea change over the past year in the amount of government-sanctioned cyber-espionage, according to some security experts. They warn that a "cyber cold war" is developing, in which governments are using technology not only for the immediate benefit of gaining intelligence from stolen data but also to probe critical national infrastructures for possible weak points that could be exploited in the event of conflict.

Countries are currently testing the water to gauge the threat and potential for damage posed by their cyber-assaults, according to the 2007 Virtual Criminology Report produced by security firm McAfee.

The use of networks of compromised computers, or botnets, for data theft and intelligence gathering has increased this year, according to Peter Sommer, an expert in information systems and innovation at the London School of Economics. "There are signs that intelligence agencies around the world are constantly probing other governments' networks, looking for strengths and weaknesses, and developing new ways to gather intelligence," said Sommer. "Government agencies are doubtless conducting research on how botnets can be turned into offensive weapons but, before launching a weapon, you need to be sure what the outcome will be — you don't want attacks to spill over to your own allies by mistake."

However, attacks are not limited to any particular countries, or by alliances between countries, according to cyberwarfare watchers. In the McAfee report, Johannes Ullrich, chief technology officer for research organisation the Sans Internet Storm Center, said that most countries hack each other regardless of any supposed allegiances.

Alan Paller, director of research at security training organisation the Sans Institute, concurred. "All nations are doing it to each other. I don't know of any country not doing it," he said. "If it's not for normal espionage, it's for economic espionage. It's a very broad set of countries [involved]."

Paller said attacks against the US military this year — reportedly made by China, although the Chinese have denied responsibility — resulted in the loss of large amounts of data. The data had, in part, been stolen from the NIPRNet, a US military network which is open to the internet and used for the transmission of non-classified documents.

Quoting Major General William Lord, a director of information, services and integration for the US Air Force, Paller said: "China is stealing identities and stealing sensitive terabytes of information from the NIPRNet."

While the NIPRNet itself does not carry sensitive information, Paller argued that the ultimate aim of such attacks is to "own" the opponent's computer. Probing systems for weaknesses also gives intelligence gains, he said.

As in the Cold War, it is the countries with access to the most resources that are seen to be flexing their muscles. Paller said that, while he had no data on any US attacks on rivals, both China and Russia had launched attacks this year.

"The US Department of Commerce admitted that its computers had been penetrated and had information stolen by China this summer," said Paller, who added that it was difficult to say whether it had been the government or "hybrid groups" of government and other organisations within China that had been responsible for the attack.

Mikhel Tammet, director of the Estonian communication and information technology department, said he believes forces within the Russian government may have initiated and sponsored attacks against his country's critical national infrastructure earlier this year. "It was a political campaign induced by the Russians; a political campaign designed to destroy our security and destroy our society," said Tammet. "The attacks had hierarchy and co-ordination."

While the attacks on Estonia sought to knock out parts of the country's critical national infrastructure by brute force, with both government sites and internet-banking systems targeted, most attacks against other nations are conducted by stealth.

Social-engineering attacks, in which intelligence-gathering organisations target either an individual or group of individuals, can be highly successful.

Nato analysts, quoted in the McAfee report, said that some governments are leaving themselves open to attack. "Many government offices don't even know yet that they are leaking information," said one analyst, who was not named. "Attackers are using Trojan horse software targeted at specific government offices. Because they are custom-written, these Trojans are not amenable to signature detection and they can slip past antiviral technologies, so this is a big problem. Hackers have dedicated quality-assurance capabilities that they run on all of their malware to make sure that their malware doesn't get detected."

Circuitous routes are sometimes used by hackers to acquire information. According to a source close to the situation, the chief information security officer of the US Department of Commerce learned this summer that his home computer was being used to send data to computers in China. He found his family had been the victim of a spear-phishing attack, in which his child had been encouraged by an email to unwittingly download malware onto the family's home computer. Once it was compromised, the attackers used the security officer's personal computer as a tunnel into the Department of Commerce's systems.

Spear-phishing attacks — where one specific individual is targeted with a malicious URL — are very hard for governments and companies to counter, according to the Sans Institute. Senior civil servants and business executives simply do not appreciate IT departments sending them spear-phishing emails for education purposes.

"One inoculation is to provide benign versions of spear-phishing attacks, but this is hard because senior executives don't like to be fooled by IT people," said Paller. Another possible solution is to establish monitoring and forensics systems that constantly search network traffic and systems for evidence of deep penetration and persistent presence.
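As an added illustration of the monitoring-and-forensics approach mentioned above (this is example code, not anything from the article, McAfee or the Sans Institute): a small Python script that scans outbound-connection logs for internal hosts contacting the same external address at a fixed cadence, the sort of persistent call-home traffic that custom Trojans and keystroke loggers produce and that signature-based antivirus misses. The log format, the sample lines and the thresholds are constructed for the example; a real deployment would read proxy or NetFlow records instead.

```python
"""Beaconing detector over constructed outbound-connection log lines.

Flags (source, destination) pairs whose connections recur at near-regular
intervals. Human browsing produces irregular gaps between requests; a
scheduled call-home to a controller does not. Added example: the log
format below is an assumption, not a format described in the article.
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Constructed sample log: one line per outbound connection (format assumed).
# 10.1.2.3 talks to 203.0.113.7 every five minutes and to 198.51.100.20 at random.
SAMPLE_LOG = """\
2007-09-14T10:00:00 10.1.2.3 -> 203.0.113.7:443 bytes=512
2007-09-14T10:00:05 10.1.2.3 -> 198.51.100.20:80 bytes=9120
2007-09-14T10:05:01 10.1.2.3 -> 203.0.113.7:443 bytes=520
2007-09-14T10:07:40 10.1.2.3 -> 198.51.100.20:80 bytes=44
2007-09-14T10:10:02 10.1.2.3 -> 203.0.113.7:443 bytes=508
2007-09-14T10:15:00 10.1.2.3 -> 203.0.113.7:443 bytes=515
2007-09-14T10:18:33 10.1.2.3 -> 198.51.100.20:80 bytes=1200
2007-09-14T10:20:01 10.1.2.3 -> 203.0.113.7:443 bytes=511
2007-09-14T10:25:00 10.1.2.3 -> 203.0.113.7:443 bytes=519
2007-09-14T11:02:10 10.1.2.3 -> 198.51.100.20:80 bytes=300
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Yield (timestamp, src, 'dst:port', bytes) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (
            datetime.fromisoformat(m["ts"]),
            m["src"],
            f"{m['dst']}:{m['port']}",
            int(m["bytes"]),
        )


def find_beacons(text, min_connections=5, max_jitter=0.1):
    """Return {(src, dst): mean_gap_seconds} for pairs that look like beacons.

    A pair is flagged when it has at least `min_connections` connections and
    the relative spread (population stdev / mean) of the gaps between
    consecutive connections is at most `max_jitter`.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        times[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps; nothing to measure
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons[pair] = round(mean)
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: ~{interval}s cadence, review this host")
```

On the sample data only the five-minute conversation with 203.0.113.7 is reported; the irregular traffic to 198.51.100.20 is not, even when the connection threshold is lowered to include it. Lowering `max_jitter` tightens the rule; raising `min_connections` cuts false positives from short bursts of legitimate polling.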

Systems can also be targeted through web applications, which is an area of major concern for the Sans Institute. This year, hundreds of senior federal officials and business executives visited a political thinktank website that had been compromised, allowing their computers to become infected via a cross-site scripting attack. Keystroke loggers, placed on their computers by the unknown assailants, captured their usernames and passwords when they signed into their personal bank accounts, their stock trading accounts and their employers' computers, and sent the data to computers in different countries. Bank balances were depleted, stock accounts lost money, servers inside the organisations were compromised and sensitive data was copied and sent to outsiders. Back doors were placed on some of those computers and are still there, according to the Sans Institute.

A short-term workaround for the problem of having insecure web applications is to diligently patch security software, said Paller, who indicated that IT professionals must ensure that patches are applied on users' machines. "It's absolute 100 percent patching, rather than a patch-and-hope plan. Hope is not a strategy," said Paller. "If you let users turn off security updates because they're inconvenient, their machines become a back door for everything."

Web-application firewalls can also help, while testing and patching custom-built applications is essential. "One quarter of custom-built apps have critical or bad vulnerabilities in them," said Paller. A longer-term solution would be for all organisations to insist on secure coding practices, he added.

As technology becomes more ubiquitous, permeating every level of global society, it seems cyber-espionage and cyberwarfare are set to increase dramatically. Nation states have traditionally gathered information on friends and foes from every source possible — regardless of political or trade alliances — as well as monitoring their own populations. It seems technology is providing another means to do this. Attacks on government systems and network probing can only increase.

But is it accurate to call this escalation a "cyber cold war"? Not necessarily. The Cold War was, at base, a battle of ideologies, which is seemingly at odds with the practical, hard-nosed, free-market economics currently practised by businesses in all of the world's major powers, including China.

However, those powers all still have their own agendas, as well as access to nuclear weapons, so a Dr Strangelove situation cannot be ruled out.