The Cipher Brief spoke with Dr. Paulo Shakarian, the author of Introduction to Cyber-Warfare, about the future of cyber war. Dr. Shakarian runs Arizona State University’s Cyber-Socio Intelligent Systems lab, which specializes in cyber security and social media.
The Cipher Brief: What are your thoughts on the role of cyber weapons in war? Do they have a role?
Paulo Shakarian: They definitely do. We’re looking at kits that hackers have devised to take advantage of certain vulnerabilities in software as well as pieces of malware that are designed to carry out certain tasks. Once a vulnerability within a piece of software is taken advantage of, the malware can then be used on that system to do things like gather information or take control of the system, and both things need to be incredibly stealthy and they need to be current.
This is kind of a fundamental thing that you need to understand if you want to be a player in cyber security, particularly at the high end: the so-called “weapons systems” do have a life span. When the other side figures out what an adversary is doing, they can, without too much difficulty most of the time, take efforts to block that style of attack from occurring again.
TCB: Is there any deterrent value in demonstrating a cyber weapons capability or would it show your hand prematurely?
PS: That’s an interesting question. I think the deterrence value from demonstrating a cyber attack would be to show that a given party is capable of certain activities with a certain level of technical sophistication. So, let’s say that I’m a government, and I have people working on a piece of malware, and that malware has been running on systems for 2-3 years. Maybe I have one of my guys leak to some security company that this malware is out there.
Now, once they know what to look for, they find it and they see that the malware has been on the system for many years. Meanwhile, I could have already gone ahead and deployed my latest and greatest, which does something very different. No one knows what I am collecting information with now, but in the meantime it’s now exposed that I’ve been operating freely for years.
TCB: What is your sense of what a cyber war would look like?
PS: I think, just like with kinetic warfare, there is a spectrum of operations.
What we see normally in the news are things at one end of the spectrum that deal with activities like intelligence gathering, theft of intellectual property, and the occasional massive denial of service attack that has some political aim to it. This is one end of the spectrum, but I think there are other activities that are ongoing, but more stealthily, dealing with international actors trying to map out and gain access to infrastructure systems.
I think attacks against an infrastructure system, like a power grid or a water system, are definitely possible. And in a very heated war, I could easily envision an actor resorting to a massive attack on infrastructure of this sort. I think that’s possible in the future. I think also, within the context of a military operation, that there are more specialized attacks that deal with affecting military hardware or software. One example of this would be the theft of Predator video feeds during the Iraq War by insurgents. That is clearly a cyber attack in my book. But this isn’t something that is really going to occur too often outside of a military scenario. Other things related to this would be hacking of missile defense systems, radar systems, and so forth.
The scenario here is a little different – it deals with denial and launching attacks quickly as opposed to developing persistence, where you want to remain on a system for a long period of time. My number one thing, though, of what cyber war would look like, is that it’s a spectrum, and how much things escalate along that spectrum will really depend on the scenario. But I’m pretty sure that these capabilities are being developed by several different countries.
TCB: Knowing that infrastructure is a high-value target, what do you think can be done to mitigate the threat?
PS: I think that for infrastructure, one of the main problems is that there are a lot of proprietary information technology systems still out there that run parts of our electrical grid, water utilities, and those kinds of things. So that’s a key vulnerability right there.
I think another thing too is the Internet of Things. If connectivity to the larger internet or any network structure increases, firms need to be more security-conscious or they’re just going to open a Pandora’s box of vulnerabilities that will just create a more target-rich environment for an adversary.
If we have a lot of things connected to the Internet constantly, as a society, this becomes a soft underbelly. Even if it’s civilian, in times of war, that would be considered a military option by an adversary.
TCB: Why haven’t we seen any demonstrated use of cyber weapons during declared war so far? There’s a lot of discussion about hacking and attacks against the commercial space and the government, but it seems like we haven’t seen a lot of use of cyber weapons during conflict.
PS: I don’t know if I totally agree with that. We could view Stuxnet as one part of a battle in a long-running cold war with Iran, for instance. Another example of cyber attacks in conflict would be the massive denial of service attacks against Georgia in 2008. Many people believe that there were Kremlin connections to those attacks.
I think it’s going on, and the missing element is that when attacks do occur in tandem with conflict, many actors either do so extremely covertly, where they can avoid having to attribute themselves at all, or they use proxies like criminal organizations or hacking groups, which allow them to maintain an arm’s length distance from the cyber operations. With some of the aftermath of the Sony hack, we did see some activity that followed it, and statements by the President that came close to really showing off our capabilities. They also leaked the attribution information that the NSA had about the fact that North Korea was behind the Sony hack.
That might be the start of something a little bit newer, where maybe nation states will just admit to some of this stuff. Or maybe not, maybe everyone will just keep denying things and it will be harder to track. (laughs)
TCB: In the wake of Sony and OPM, how does U.S. policy need to change to address this growing threat?
PS: I think that OPM might be indicative of some of the unevenness of how seriously cyber security is taken within government organizations. There needs to be a much stronger culture of cyber security awareness permeating throughout government organizations and businesses at all levels, whether it be a small business or a large corporation. I think what causes trouble is when you have a government agency or a small or medium-sized business that doesn’t take cyber security seriously. They think, “We’ll never get hit.”
That is just the wrong attitude because there are all kinds of reasons to hit these more minor players. They can be used as launching pads for future attacks. They can be compromised and used as part of a botnet for a large-scale attack. Information that these organizations hold could be potentially valuable to an adversary, as we saw with OPM.
There really needs to be a change in the culture of many organizations where cyber security becomes something that is more important, and they need to understand that it goes beyond the IT shop. I think that organizations and companies that say cyber security is an IT problem are not handling it right. It involves training of personnel, it involves leadership setting an example, and it must be tackled in a much more holistic way in pretty much every organization that uses IT.