June 7, 2013 By Larry Karisny
Today, as in the beginning days of the Internet, people hack for power and money -- and for one other reason: simply because they can.
Early on, there were black hats and white hats, they were just much more reserved and secretive than today's headline-capturing hackers. The difference today is that there are massive amounts of information, intellectual property and money moving back and forth on information systems. Successful hacking attempts disclosed in just the last few weeks have demonstrated how millions of dollars in cash and trillions in state secrets can be stolen comparable to the amounts taken in past wars. With the seriousness of cyber war now upon us, let’s look in more depth at the reasons.
With personal portable storage capabilities in terabytes and global Internet access available to all, organizations such as the National Security Agency (NSA) got interested in gaining power and control over technologies that could access these information systems. This led to years of control of encryption algorithms, software back doors, wireless spectrum and increased control over the Internet.
The NSA's information gathering is now refined in a secretive unit known as Tailored Access Operations. TAO identifies, monitors, infiltrates and gathers intelligence on computer systems being used by entities hostile to the United States. The unit uses automated hacking software to harvest approximately 2 petabytes of data per hour, which is largely processed automatically. With this much technological power must come responsible restraint. The U.S. Department of Defense calls the use of offensive exploit hacking "computer network exploitation," but emphasized that it doesn’t target technology, trade or financial secrets.
There is, however, a thin line between the use of exploitation hacking technologies that can quickly change cybersecurity defense into cyber war offense. The first big example of cyber offense was the use of very sophisticated exploit malware called Stuxnet, which was used to attack the control system of an Iranian nuclear plant. Recently a state sponsored attack was disclosed in a Defense Science Board study as reported by The Washington Post. More than two dozen top U.S. weapons systems -- including the Patriot missile defense program, the V-22 Osprey, the Black Hawk helicopter and the Navy’s new Littoral Combat Ship -- were compromised by a Chinese cyber espionage attack. This use of computer network exploitation is a clear example of just how powerful these cyber technologies are -- and how defenseless we are in stopping them.
In the past, as today, standards, compliance mandates and even secret government programs try to keep the potential use or abuse of both defensive and offensive information system security technologies in check. Big corporate and government involvement in these security technologies coordinated timely distribution of adequate security technologies while still controlling sophisticated methods of cracking security if needed. Today there is software that can find security back doors in minutes, and new exploit tools can be downloaded daily, making control of information security solutions much more difficult. We have reached a point in cybersecurity where we must focus on solutions that cannot be manipulated. We can't continue to think we can deploy cyber technologies that have hidden access or can develop exploit systems fast enough to stay ahead of a world of knowledgeable hackers. The true power in cybersecurity is just what it says it is: security. Nations that focus on financing defensive technologies will prove to have the real power in this cyber game.
Cybercrime is now believed to be the No. 1 form of crime, exceeding even illegal drug trade. Some figures within the last year give an idea of how much money we are talking about -- commercial and government projections count trillions of dollars lost in global intellectual property, with recent bank robberies of $45 million in cash.
Attacks on the Pentagon by China clearly show how financially devastating the cost of these attacks can be. The cost of the F-35 Joint Strike Fighter, for example -- the most expensive weapons system ever built -- is estimated at $1.4 trillion. This is the largest single dollar-value theft of intellectual property and could take generations of taxes to recover.
And this is just what is out in the open. Corporations have paid ransoms to keep their intellectual property, and some have even purchased stolen intellectual property. The stealing of IP has become so great that it is beginning to affect the backing of venture capital in start-up companies. Why pay for seed money for R&D if it can just be stolen? The protection of intellectual property and the dollar loss behind it has reached a threshold that demands immediate attention.
There are also legal beneficiaries of these cyberattacks, such as the people who sell security software, hardware and services. These companies clearly see new business on the horizon, such as smartphones, and are enjoying significant increases in profit. There are acquisitions and mergers of cybersecurity companies being made to strategically capture these profits. From penetration testing to consulting, things are pretty good for people in the cybersecurity business. Even hackers can make an honest buck. Experienced cybersecurity jobs now start at $100,000 per year for entry-level positions. Good hackers can just about write their own paycheck, and are offered jobs in U.S. government organizations such as Homeland Security, Department of Defense, NSA and even DARPA. Exploit hackers are now paid as speakers in national conventions as they demonstrate their new hacking capabilities to an applauding audience.
Yes there is money to be made in cybersecurity -- but there are also costs.
In the early days of the Internet, I worked for suppliers of fiber-optic networks and Internet services, and I shared information with the FBI on child pornography, money laundering, credit card theft and personal identification theft. This business has exploded to a multibillion dollar business, as seen by a recent Secret Service bust of a $6 billion money laundering scheme. In the past, the bad guys quickly found out who the best hackers were and offered them big bucks -- and sometimes threats -- to assure support of their organized crime endeavors. Back then, I was caught between the black hats and white hats, and found one reason that they both hacked: simply because they could.
Sometimes hackers honestly can't stop themselves from so easily hacking information systems -- it’s like leaving your house doors wide open, leaving for a year and wondering if someone will take something. In hacking, "the easy stuff first" still prevails, while the use of cybersecurity exploit technologies are just making things a lot easier. If we are to keep up, we must improve and move more quickly to stop targeted attacks. If you make it too easy, the likelihood of hackers attacking you is much greater, just because they can.
So if we have cybersecurity protection, then why are hackers hacking? Because they can. Secret back doors are even now affecting industrial control systems all over the world. Encryption algorithms classified for specific use and restricted transport have been stolen from encryption key repositories, and then used to access sensitive information such as government contractors. Virus protection companies have known limitations in stopping malware while they charge people to remove ones they missed. Sadly the legacy cybersecurity technologies being used today don't work very well -- and the hackers know it. Even new analytic technologies are showing their weaknesses requiring human intervention in analyzing the big data that is now overpowering current IT staff and systems. Why can hackers hack? Because we are using security technologies that have the appearance of security, but are not truly secure.
The trends and focus of obtaining new cyber offensive exploitation technologies vs.cybersecurity defensive technologies are troubling.
As a cybersecurity advisor and expert, I know of intrusion detection technologies that have been reviewed and tested at the highest levels and could, in fact, stop cyberattacks. When truly securing things, you sometimes have to give up capabilities like backdoor snooping or digital audit trails so accurate that no court would challenge the evidence -- things some aren't willing to part with. Our problem in the world today is that we have to resurrect things like honesty and moral character or minimally "trust but verify." If we expect our homes, or neighborhoods, cities, country and workplaces to be secure, then we must show ourselves deserving while still monitoring for adversarial attacks.
We are adding cost to everything because we can't seem to curtail everyone stealing from everyone. Yes, we can use the same technology to aggressively retaliate against those who attack us, but this is a slippery slope that can lead to complete moral and economic disaster -- even war.
So what's the difference between today’s hacking and deterring technologies that can stop it? Not much. Do you think we can survive without putting in working cyber security defense? Do you want to know the outcome is if we don't?
Read the first part in this three-part series here. The last article will cover the resolution of cyber attacks and the available technologies than can correct it.
Larry Karisny is the director of ProjectSafety.org, a cybersecurity expert, advisor, consultant, writer and industry speaker focusing on security solutions for mobility, the smart grid and municipal critical infrastructure
Photo by d70focus. Creative Commons Licence Attribution 2.0 Generic.