Cyber attacks like the one inflicted by the North Korean government on Sony are just the opening skirmishes before the outbreak of a hugely dangerous cyber war that is inevitable. Security expert Bruce Schneier issued this stark warning in his address at the recent InfoSec Europe security conference in London.

"We are in the early years of a cyber war arms race," he said. "We have seen China attack Github, we have seen countries attacking companies, and I think we are going to see much more of that in the future."

Countries like North Korea have a natural advantage in this type of cyber warfare, he warned, because of the basic level of technical infrastructure that they possess. "North Korea has natural cyber-defenses in that it only has about 1,000 IP addresses, and it has only very few computers so its 'terrain' is very defensible. By contrast the U.S. is extremely vulnerable because it has lots of computers and Internet infrastructure."

Cyber Attacks and Why Attribution Matters

In addition, some cyber warfare attacks may be carried out by groups (such as terrorist organizations) rather than countries. Just as it is hard to fight an unknown guerrilla enemy in real life, it is hard to react to unknown attackers. That's important because of what Schneier terms the "democratization of tactics."

"We are living in a world now where we can be attacked and not know if the attacker is a foreign government or just a couple of guys, and that is freaky," Schneier said. "Technology is spreading capabilities, and the same weapons and tactics are available to everyone."

That's not the case in the real world, where an invasion by a brigade of tanks indicates that your attacker is a government because "only governments can afford tanks."

As an illustration of this point, Schneier said that when Israeli war planes attacked and destroyed a nuclear facility in the Middle East 10 years ago, it was immediately recognized that the plant had been destroyed, that the attack had come from the air, and that it had been carried out by the Israelis.

"Four years later the Israelis and the U.S. attacked an Iranian uranium enrichment facility plant (at Natanz) using a cyber-weapon (Stuxnet). But the Iranians didn't know that they had been attacked, let alone who did it," he said. "Attribution can take weeks or months."

This difficulty with attribution is valuable for attackers, because without attribution it is impossible to retaliate. The ability to carry out attribution is therefore a deterrent to would-be attackers.

4 Types of Cyber Attacks

Schneier believes there are four types of threat profiles, with differing levels of focus and skill.

  • Low focus, low skill attacks. These are generally carried out by script kiddies, and organizations should be able to keep them out without too much difficulty.
  • Low focus, high skill attacks. These involve identity theft and credit card breaches, which require good security to defend against.
  • Low skill, high focus attacks. These targeted attacks can be beaten by good security measures that are too effective for the attacker to overcome.
  • High focus, high skill attacks. These are the advanced persistent threats that present the biggest danger to every organization.

"To defend against low focus attacks you just need to be more secure than the guy next to you," said Schneier. "With highly focused attacks this relative security is irrelevant; your security has to beat the attacker's skill. With a high focus, high skill attack, a sufficiently skilled attacker will always get in. We are all vulnerable."

Schneier pointed out that without the ability to attribute attacks, it is also impossible to distinguish between computer network exploitation, a classic data breach where an attacker exploits vulnerabilities to steal things, and computer network attacks, where the attacker's motivation is to cause damage. It's the difference between copy *.* and delete *.*, in other words, he said.

Why is it important to be able to distinguish between the two? Although the attacks may be the same technically, they demand a different response. Exploitation is a cybercrime that needs to be investigated by law enforcement, while an attack designed to cause damage is a job for the NSA, he said.

Going back to the warfare theme, Schneier warned that he is not exaggerating the danger that many enterprises are going to find themselves in. Cyber warfare doesn't mean that attackers will only be targeting critical infrastructure such as energy and transport, he said.

"With the Sony hack the motive wasn't theft. They weren't after money or intellectual property. The objective was embarrassment, and that is not a threat that we usually worry about," he said. "But don't forget that we are all vulnerable to this kind of attack."

Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.
