Dear blog readers,
ZDNet's Zero Day begins a new weekly feature called 'Q&A of the Week' which aims to bring you invaluable insights from industry leaders and internationally recognized experts in the areas of cybersecurity, cybercrime and cyber warfare.
In the first post of its series, I chat with Jeffrey Carr, a cybersecurity expert and author of 'Inside Cyber Warfare: Mapping the Cyber Underworld', on the current state of the cyber warfare threat.
We discuss Stuxnet, Russia, China, Iran, cyber conflicts, false-flag operations, and the U.S.'s current understanding, or lack of understanding, of its adversaries' true cyber-warfare capabilities.
Enjoy and don't forget to TalkBack, we'd love to hear from you!
Let's start from the basics. Who is Jeffrey Carr?
Jeffrey Carr, the founder and CEO of Taia Global, is the author of "Inside Cyber Warfare: Mapping the Cyber Underworld" (O'Reilly Media, 2009; 2nd edition 2011). His book has been endorsed by General Chilton, former Commander USSTRATCOM, and the Foreword to the Second Edition was written by former Homeland Security Secretary Michael Chertoff. Jeffrey has had the privilege of speaking at the US Army War College, Air Force Institute of Technology, Chief of Naval Operations Strategic Study Group, the Defense Intelligence Agency, the CIA's Open Source Center and at over 60 other conferences and seminars.
Now that you know more about Jeffrey, here's the actual conversation.
Dancho: Nowadays, the mainstream media often portrays cyber attacks using the term "Digital Pearl Harbor". Do you believe that a devastating attack on U.S. infrastructure must take place for policy makers and the general public to start paying more attention to the ongoing cyber-warfare arms race? Also, do you believe that the focus on a devastating attack has shifted attention away from the current threat landscape, where cyber spies from multiple governments systematically penetrate Fortune 500 companies and steal their intellectual property?
Jeffrey: No, I don't think a major catastrophe is necessary. We're already at a point where cyber security is being taken more seriously due to the vast amount of IP theft. That's not to say that we're doing the right things because we aren't. But the awareness of the problem and the desire to do something about it both currently exist sans any type of digital Pearl Harbor.
Dancho: How significant is the role of mainstream media to raise awareness on the current situation, and do you believe it has the knowledge and understanding of the problem to do so?
Jeffrey: Media is critical in raising awareness but 99% of journalists don't have the requisite knowledge to report the story accurately.
Dancho: How would you describe Iran's current understanding of information warfare operations, and its overall cyber-warfare ambitions? Do you believe Iran is a threat, based on the relatively modest hacking activities we've seen by pro-Iranian hacktivists, or is it purposely not revealing the true state of its cyber-warfare capabilities in order to misinform the public and U.S. policy makers?
Jeffrey: I believe that Iran should be taken seriously as a State with aggressively developed cyber-warfare capabilities. Iran's Islamic Revolutionary Guard Corps set up its first official cyber-warfare division in 2010 with an estimated budget of US$76 million. There is also an Iranian cyber militia that is supposed to number about one million persons. Some of their hacker crews have demonstrated a high degree of skill in past attacks against Israeli government sites and China's Baidu.com - and at least one crew is known to be connected with the Iranian government.
Dancho: Can you compare Russia vs China in terms of operational capabilities and intent to launch cyber attacks, which of these countries is more persistent, and what is the overall difference in their cyber-warfare doctrines, if any?
Jeffrey: Yes, both Russia and China are spending a lot of money on encouraging foreign investment within their borders, which in turn allows their security services to capture a vast amount of proprietary information in three ways: (1) via normal communication channels (satellite, landline, mobile, VPN, etc.); (2) through technology transfer, which occurs when Russian and Chinese engineers are hired to work at foreign companies for 1-2 years and then transfer to State-owned companies, taking the knowledge that they learned with them; and (3) by their respective security services approaching foreign companies and demanding copies of their source code for national security reasons. All three of these strategies are perfectly legal and don't require hacking into a network. Having said that, both countries also acquire stolen IP from professional hacker crews of mixed nationalities.
And both countries have stood up information warfare units (neither country officially uses the term "cyber"), but only Russia has combined kinetic attacks against foreign countries with a cyber component (i.e., Georgia, Kyrgyzstan, and Chechnya). China has not used its cyber capabilities in an offensive way - at least not as far as I've seen.
Dancho: Collectivist societies such as Russia and China have stronger and more vibrant civilian cyber militias compared to individualistic societies. Do you agree or disagree, and why? Also, do you believe that Russia and China are "subverting the enemy without fighting him" by delegating the process to their collectivism-minded civilian or government-tolerated cyber warriors?
Jeffrey: I believe that Estonia is organizing a cyber militia and they're a democratic society. I think the U.S. would have some success at that as well if the DOD ever agreed to set it up. Many countries, including the U.S., Israel, Russia and China, engage in information warfare and influence operations which include a cyber component. However, Russia won't hesitate to use an iron fist where China will find ways to exert pressure in more subtle ways.
Dancho: While the Pentagon is busy drafting cyber warfare rules of engagement, Russia and China are busy allowing the development of self-mobilizing civilian cyber militias. Do you believe the Pentagon is aware of these latest developments, or is it stuck in a "paper tiger" warfare with these nations?
Jeffrey: The Pentagon is certainly aware of those foreign cyber militias. It's not as if it's a secret. I just don't think that the DOD wants such a civilian militia set up in the U.S. unless it's part of the National Guard.
Dancho: Are you aware of the existence of the so called "People's Information Warfare" concept, originally pioneered by China, as well as the rise of opt-in botnets where average Internet users knowingly donate their bandwidth and network connectivity for use in ongoing cyber attacks?
Jeffrey: Yes, I think it's a testament to the fierce nationality and patriotism found in many foreign countries. Many citizens naturally want to support their government in times of crisis. For example, most of the cyber attacks done by Chinese hackers against foreign targets were performed after an attack against China (i.e., the Kosovo bombing of China's embassy, the downing of a Chinese military jet, the attack against Baidu, etc.). The Russian cyber attacks against Estonia were launched after the perceived insult of Estonia moving a Russian statue. I'm not siding with either government. I'm simply making the observation that civilians typically involve themselves in group cyber attacks when they believe that they're defending their country.
Dancho: For years China has been developing and promoting the use of its own hardened secure operating systems, such as Kylin OS and Red Flag Linux. Europe followed this example with its secure OS Minix, and Russia is also showing interest in the concept of a nation-sponsored secure OS. Taking into consideration the fact that the U.S. military has spent years developing offensive cyber warfare weapons targeting Microsoft Windows, the most widely distributed operating system globally, does this put the U.S. at a strategic disadvantage, or is China actually undermining the security of its own infrastructure by introducing a new, largely untested operating system for public and military use?
Jeffrey: Well, I'd call it an inconvenience at most. We should have the resources to obtain the source code for those new operating systems in much the same way that our own source code is obtained by foreign agents or hackers. Interestingly, a lot of coding is out-sourced to other countries so the opportunities to "intercept" it are certainly there.
Dancho: Microsoft recently kicked a Chinese company out of its Microsoft Active Protections Program (MAPP). However, through its Government Security Program (GSP), the company is sharing source code with Russia's FSB and the Chinese government. Do you believe this poses a risk to U.S. national security, and are the financial benefits of the deal worth the possible national security implications in the age of Microsoft's mono-cultural dominance?
Jeffrey: Yes, I do see it as a national security threat. In fact, any foreign company that wants to do business in Russia, China, or even India, must surrender their source code upon request of the security services or face the possibility of having their license to do business in that country pulled.
Dancho: It's fairly logical to assume that nations involved in defensive cyber-warfare activities are also busy pursuing the development of offensive cyber-warfare weapons. In fact, on numerous occasions in the past the Pentagon has expressed its intention to use kinetic force against sources of cyber attacks that endanger the CIA (Confidentiality, Integrity and Availability) of its networks. Are you a firm believer in the applicability of "virtual shock and awe" campaigns in today's interconnected world? How would you comment on the possibility of an adversary using compromised legitimate infrastructure as a "virtual human shield" in an attempt to undermine the offensive cyber warfare capabilities of a particular nation, the U.S., for instance?
Jeffrey: I can only speculate, of course, but I think you pose a reasonable strategy that many nation states are worried about; hence the frequent discussion of drafting treaties that dictate certain Rules of Engagement. Most want to prevent cyber attacks against critical infrastructure or other civilian targets that could cause mass disruption.
Dancho: Government-tolerated vs. government-sponsored cyber attacks: do you draw a distinction between the two, and just how important is it at the end of the day?
Jeffrey: Both Russia and China "tolerate" certain illegal actions by organized crime groups in exchange for future cooperation from those same groups in matters related to national security. This could certainly include cyber criminals who are affiliated with organized crime. A "sponsored" attack might mean one performed by one of those protected gangs or one done by a patriotic organization such as the official state-run youth associations in Russia or large patriotic hacker organizations like the Red Hacker Alliance in China. I think it's important to understand that these states have multiple resources to draw from before they get to the third option - using their in-house capabilities; i.e., their foreign intelligence services.
Dancho: The Russia vs. Estonia cyber attacks are often described as "World Web War I". Do you believe this is the case? Why or why not?
Jeffrey: No, not at all. It certainly wasn't the first time that Russia mounted cyber attacks against another State. They did it at least twice before in 2002 (Chechnya) and 2005 (Kyrgyzstan). Chinese hackers mounted thousands of attacks against U.S. government websites in 1999 after the accidental NATO bombing of the Chinese embassy in Kosovo.
Dancho: In the Russia vs. Georgia cyber attacks we saw an example of Russia's understanding of information warfare operations. Do you believe the attackers were government-sponsored, or were they basically government-tolerated, given the lack of prosecution of any of the involved hacktivists and botnet masters? Is it important to distinguish between the two cases in the context of cyber attack attribution? Why or why not?
Jeffrey: I believe that there was government direction involved in the cyber attacks mounted against Georgia, and that this direction was funneled through the State office that runs the Nashi. I'm confident that Nashi leadership received their instructions from highly placed Russian officials and passed it to their membership who in turn organized their attacks via online forums like StopGeorgia.ru. Most of the research that I've done on the cyber component of the 2008 Russia Georgia war can be found in my book "Inside Cyber Warfare" and in the Project Grey Goose reports (Phase I and II).
Dancho: The discovery of Stuxnet, also dubbed the "Nuclear Worm", changed everything. Do you believe this was the first time the security community successfully intercepted a nation-to-nation cyber black ops operation?
Jeffrey: Yes, Stuxnet was certainly a game-changer in terms of known cyber attacks. There may have been more sophisticated worms out there but Stuxnet was the first of its kind that was made public.
Dancho: Could Stuxnet be described as the revenge of the pro-Western Ph.D.s, or do you believe it had to be a pro-Western government-funded operation to begin with? Also, do you need a Ph.D. to launch a cyber operation similar to Stuxnet, or could less technically sophisticated attackers have achieved the same effect if they wanted to?
Jeffrey: You certainly don't need a Ph.D. to create a worm like Stuxnet. Ralph Langner, who has done much of the heavy lifting around analyzing Stuxnet, doesn't even have an engineering degree. He has a degree in Psychology, I believe, and taught himself engineering later in life. You do need to have a knowledge of industrial control software and an engineering degree would certainly help, but that's about it.
Dancho: In the latest edition of Richard Clarke's book 'Cyber War', he argues that Stuxnet is a virtual boomerang that will eventually hit back at the U.S., a country he believes is among those that sponsored and actually executed the attacks. How would you comment?
Jeffrey: Richard Clarke should stick to something he knows about like counter-terrorism and avoid speaking about things which he knows nothing about like cyber warfare or cyber security. I doubt that he can make any kind of case that the U.S. was responsible beyond a wink and a smile. No one wants Iran to have nuclear weapons and that includes Russia and China. The fact that neither country wants Iran to be enriching uranium and the fact that both countries haven't supported sanctions suggests to me that Stuxnet could have come from either of those two countries just as easily as from a Western nation. After all, if not sanctions, why not a worm designed to cause havoc and hopefully dissuade Iran from further enrichment activities?
Dancho: I once pointed out that "Cybercrime is an element of economic warfare". How would you comment?
Jeffrey: I agree with you. I've also pointed out that cybercrime finances the development of cyber "weapons" which can be used in acts of espionage or geo-political actions like Estonia, Georgia, etc.
Dancho: Malware-infected hosts have been used for years as stepping stones for launching further cyber attacks and for hiding the physical location of the attacker. Burkina Faso could easily impersonate Russia, China or Iran online, a scenario we've already seen in Tom Clancy's 'The Sum of All Fears'. Locked in between all the current cyber warfare tensions, do you think we're missing the possibility of an ingenious anti-Western mastermind, or a regime located in a Third World country, pulling the strings behind such campaigns? How realistic do you believe the potential is that developing nation states could be launching false-flag cyber operations in an attempt to engineer cyber-warfare tensions between developed nations?
Jeffrey: I'm not much for "masterminds" but a false-flag operation is a real threat and, in my opinion, it's standard operating procedure to launch an attack from servers that are not in the same geographical region as the attacker.
Dancho: Access to thousands of geolocated malware-infected hosts could be easily purchased, thanks to the increasing number of underground market propositions offering access to such hosts. With each and every Fortune 500 company reporting a successful cyber intrusion or that they're permanently under attack, just how prevalent do you believe is the collection of valuable OSINT data through these easy to purchase botnets?
Jeffrey: My view based on incident response work that my company has done for DIB members and other Fortune 500 companies is that most attacks are done by mercenary hacker crews who in turn sell the valuable data that they've stolen to governments or other interested parties. Those hacker crews most likely utilize cheap botnets whenever they can since it would help obscure any attempt to identify who they are.
Dancho: North Korea is well known to have developed its own cyber-warfare units, for instance, the infamous "Unit 121". How would you describe North Korea's current understanding of information warfare operations, its capabilities and its intent to launch cyber attacks against the U.S. and South Korea?
Jeffrey: North Korea has spent a great deal of money on its IW capabilities. It sends its soldiers to excellent schools in India and China for technical training. If you can believe South Korea, it suffers from multiple successful attacks originating from the North. I haven't seen any evidence of North Korea launching what I would call serious attacks. They seem to be mostly nuisance DDoS or defacement strikes. South Korea has cried "wolf" a bit too much for me to believe everything they say about being the victim of cyber attacks from Unit 121.
Dancho: With its well known ally China, North Korea could easily adopt China's information warfare model in an attempt to gain strategic advantage in future cyber-warfare conflicts. With cybercrime-as-a-service underground market propositions increasing, just how feasible do you believe is a situation where North Korea starts outsourcing all of its cyber warfare needs to Russian or Chinese cyber criminals?
Jeffrey: I doubt that's ever going to happen. The North Korean government is too unstable, too irrational, for either Russia or China to tolerate that situation.
Dancho: North Korea is often given a relatively low score on the infamous Cyber Threat Matrix estimating the cyber warfare capabilities of multiple nations. However, the same doesn't apply to Russia or China. Do you believe in the relevance of Cyber Threat Matrices? Do you think that North Korea could easily occupy one of the top positions on these by simply outsourcing its cyber-warfare needs to its ally China, or perhaps even Russia? Should we fear North Korea's in-house cyber-warfare doctrine, or should we fear the day it starts outsourcing in an attempt to catch up with the rest of the world?
Jeffrey: I haven't seen a cyber threat matrix that I have any confidence in. North Korean IW soldiers are well-trained as I said in my answer to one of your previous questions. I wouldn't put them at the top of any list but neither would I put them at the bottom. I think they hold a solid mid-level position.
Dancho: From Eligible Receiver to Silent Horizon and Cyber Storm, how would you describe the practical relevance of cyber exercises performed by the U.S. in today's fast-changing cyber threat landscape? Moreover, how would you describe the OPSEC leak when Cyber Storm's PowerPoint presentation containing details of the actual cyber warfare scenarios leaked on Cryptome.org in 2006? Do you believe this leak allowed foreign adversaries a peek into the U.S.'s understanding of cyber warfare, or did it have a minimal impact on the OPSEC of the exercise?
Jeffrey: Leaks are never good from an OPSEC point of view. And other governments closely monitor everything that the U.S. Dept of Defense is doing in cyberspace.
Dancho: From Solar Sunrise, Moonlight Maze, Titan Rain and Operation Shady RAT to the Night Dragon campaigns, the rise of the so-called advanced persistent threats (APTs) is pretty evident. Do you believe that publicly sharing details of successful cyber-espionage campaigns undermines the confidence of the U.S.'s allies in the U.S.'s ability to protect its critical networks, potentially giving its enemies the blueprint to launch similar attacks in the long term?
Jeffrey: Our allies are sometimes the ones responsible for those attacks, Dancho! France, Germany, and Israel are all very active in terms of conducting cyber-espionage operations against corporations. Overall I'm in favor of information sharing as long as the names of the victims are kept confidential. I see no risk to the U.S. in publishing facts about network breaches. No country is safe from those types of attacks.