How companies meddle in cyberwar.
By Tim Maurer

Tim Maurer is a research associate in the technology and public policy program at the Center for Strategic and International Studies and a non-resident fellow at the Global Public Policy Institute in Berlin. David Weinstein is a graduate student at Georgetown University's School of Foreign Service in its Security Studies Program.
On October 11, Defense Secretary Leon Panetta gave a speech on cyber threats — "an issue at the very nexus of business and national security," he said. "Ultimately, no one has a greater interest in cybersecurity than the businesses that depend on a safe, secure, and resilient global digital infrastructure." He’s right: Businesses are interested and engaged — but some in a different way than he meant. A new front is emerging in cyber-warfare: Multinational corporations are standing up to governments that use the Internet for military purposes.
Last month, in an unprecedented move, the U.S.-based company Symantec, Russia-based Kaspersky Lab, the German CERT-Bund/BSI, and ITU-IMPACT published the results of their joint analysis of the cyber-espionage tool Flame that infected primarily computer systems in the Middle East. They show that parts of Flame had been active as early as 2006, collecting data in more than a dozen countries, and that it was likely produced by a government. According to Kaspersky Lab, "in June, we definitely confirmed that Flame developers communicated with the Stuxnet development team, which was another convincing fact that Flame was developed with nation-state backing," whereas Symantec more cautiously states that "this is the work of a highly organized and sophisticated group."
"For us to know that a malware campaign lasted this long and was flying under the radar for everyone in the community, it’s a little concerning…. It’s a very targeted attack, but it’s a very large-scale attack," Vikram Thakur at Symantec points out. The discoveries over the last two years of Stuxnet, Duqu, Flame, and Gauss — computer malware designed to spy and destroy — provided a glimpse of how far states have advanced in using cyberspace for military purposes, shedding light on a cyber campaign that seems to have been waged largely unnoticed for years. Perhaps the embarrassment was a wake-up call — some members of the industry now seem determined to step up their game.
It’s clear that governments across the world are bolstering their cyberwarfare capabilities. "What we’re looking at is a global cyber arms race," said Rear Admiral Samuel Cox, director of intelligence at U.S. Cyber Command. Earlier this year, Forbes reported that governments are buying key components of cyber-weapons from hackers on a shadow market. The New York Times reporting on Operation Olympic Games shed light on Stuxnet, the most sophisticated cyber-attack known to date, and fueled the debate about potential backlashes.
But there is a counterforce to the global cyber arms race: an entire industry built on identifying and neutralizing malware. In fact, two races are taking place simultaneously — an arms and a disarmament race.
This disarmament race is driven by the Symantecs, McAfees, and Kasperskys of the world. These companies work day in and day out to identify malware and vulnerabilities in computer systems in order to develop solutions that they can sell. Once private security vendors expose a vulnerability, a "patch" is issued to disarm the cyber weapon. Microsoft, for example, patched its operating system after it was revealed that Stuxnet exploited a weakness in its software. (For a recent analysis of how Stuxnet worked, watch this excellent video of a presentation by Symantec Vice President Carey Nachenberg.) Stuxnet could have done a lot more damage had it not escaped the Natanz facility and had instead continued its destructive business undetected. This gives cyber-weapons a very short — but also a very unpredictable — half-life.
That is why these companies can be thought of as mine sweepers: They first identify a piece of malware lying dormant in a system, waiting to unleash its payload, and then work to defuse it. The analogy to mines is limited, of course. Stuxnet was not a mine waiting for someone to step on it: When it was discovered, it was actively in the process of causing damage. So unlike traditional mine sweepers, which usually only clean up the mess after militaries leave the battlefield, cyber mine sweepers are active in an ongoing conflict.
Originally, malware was mainly used by hacktivists and criminal hackers. Anti-virus companies emerged to protect companies and individual consumers against such threats. The software and patches they developed make the Internet more secure as a whole, whether the threat emanated from a criminal network or lone hacker. As more and more people accessed the Internet, their businesses grew beyond national borders, turning Symantec, McAfee, and Kaspersky into multinational companies. While the latter is in private hands, the former two are publicly traded companies with a fiduciary responsibility to their shareholders.
Yet, the discovery of Flame, whose approach according to Symantec "fits the profile of military and intelligence operations," demonstrates the headache this anti-malware industry can also cause militaries and intelligence agencies. When Kaspersky went public with its knowledge of Flame on May 28, Flame’s operators tried to shut the virus down — sending a "kill module" with instructions to wipe systems clean of any trace of the malware. Yet, when "the domains went dark about an hour after news of the operation broke worldwide last Monday, suggesting the attackers were shutting down the mission, at least three infected machines in Iran, Iraq, and Lebanon were upgraded by the attackers with new versions of the malware after this occurred," according to Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab.
Curiously, this kill module also included instructions to delete itself afterward, which failed due to erroneous code. Similarly, another script to delete temporary files failed because of "a typo in the file path." As one astute blogger remarked, "The ‘clean up and coding gaffes’ sound like misinformation or the coders were really in a hurry. One run of the LogWiper script in a test environment would’ve quickly exposed the typos as the script would’ve barfed immediately." Perhaps the sloppiness was a result of the hide-and-seek game once Kaspersky Lab had uncovered the stealthy attackers.
Analysts also discovered that Flame seems to have been only one part of a set of four or five tools, but do not know details about the others. They were able to analyze Flame due to a simple mistake by the attackers: They "played with the server settings and managed to lock themselves out of it," says Costin Raiu, senior security researcher for Kaspersky. This is how researchers discovered the intruders had registered domains for the operation, which infected systems in several countries — focusing on Iran and Sudan — and collected a massive amount of data in the process.
But there are differences in the industry. The way the cyber-protection industry usually works is that companies try to identify threats first to gain a competitive advantage, and offer their solutions to anyone who pays: individual users, companies, and governments. They do this work without getting involved in politics — but Eugene Kaspersky is taking a different stand. According to the New York Times, his lab is "using [its] integral role in exposing or decrypting three computer viruses apparently intended to slow or halt Iran’s nuclear program to argue for an international treaty banning computer warfare."
Kaspersky’s lab could prove to be a powerful tool to support his political agenda: It is one of the leading firms in the field, and also uses innovative techniques such as crowdsourcing to analyze malware. Thanks to the help of outside computer experts, for example, Kaspersky Lab eventually succeeded in analyzing a coding language used to program the computer virus Duqu.
The identification of Flame highlights how the world of computer virus detection is changing. Other organizations are starting to show an interest in this business: Flame was discovered after Kaspersky Lab had been asked by the ITU, a specialized agency of the United Nations, to find another piece of malware — an approach the ITU has also pursued for the Gauss malware. According to ITU’s staff, the two organizations "have a long-standing relationship, during which we’ve been actively collaborating on several cyber security projects and initiatives. For instance, Kaspersky is one of the key partners, together with companies such as Symantec, Microsoft, Trend Micro, F-secure, among others on the ITU-IMPACT initiative, a public private partnership comprising 142 countries, academia, industry and international organizations."
The industry is becoming smarter, too. Kaspersky Lab has actively used crowd-sourcing to analyze code that its research team could not decipher. Kaspersky and Symantec use honeypots — traps set up to gain information about an attacker and the malware. In Flame’s case, Kaspersky worked with the domain registrar GoDaddy and OpenDNS to redirect traffic to a honeypot. The international cooperation is therefore only the most recent effort to catch up with governments. It also includes collaboration with computer emergency response teams (CERTs) such as the German CERT-Bund, which was involved in the examination of Flame. CERT-Bund’s staff, commenting on the recent joint analysis, note that "the cooperation is more on an individual rather than institutional basis."
There are obvious limitations to the industry’s impact. It took months after Stuxnet had escaped from Natanz for it to be discovered by VirusBlokAda, a small firm in Belarus. In the case of Flame, Mikko Hypponen, chief research officer at the anti-virus company F-Secure, points out that "all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general."
Interestingly, Hypponen’s company did have samples of Flame’s code in its possession before its identification, but they did not trigger any alarms. The virus was designed to be so stealthy that it avoided detection even by the industry’s leaders. This shows that certain states are ahead in the race against the disarmament players: They can still outsmart the systems built by private industry. At the same time, Stuxnet and Flame have also shown that once the code is discovered, the industry will invest its resources to take it apart and analyze its various components.
Governments can use this process to their advantage by tipping the industry off to the existence of malware. States that might be subject to an attack — but lacking in the capability to defend themselves — could thereby tap into the resources of security firms to identify the cyber weapon. States that are not directly affected by a virus, but have a political interest to intervene as a third party, could also play a role.
It remains unclear what the unanticipated and unintended consequences of the military use of the Internet will be in the long run. Will other actors be able to copy the design of sophisticated malware such as Stuxnet or Flame? To what degree will the general trust in the Internet ecosystem be undermined by such activity?
Time will tell. In the meantime, these companies constitute a new actor in international security to be reckoned with. As governments around the world are setting up military cyber-commands, drafting cyber-doctrines, and developing cyber-weapons, private security firms are standing ready to disarm them. The race is on: A few governments seem to be in the lead, but industry members are working hard to catch up. Buckle up.