22 February 2015

Surprise! America Already Has a Manhattan Project for Developing Cyber Attacks

02.18.15 

“What we really need is a Manhattan Project for cybersecurity.” It’s a sentiment that swells up every few years in the wake of some huge computer intrusion—most recently the Sony and Anthem hacks. The invocation of the legendary program that spawned the atomic bomb is telling. The Manhattan Project is America’s go-to shorthand for our deep conviction that if we gather the smartest scientists together and give them billions of dollars and a sense of urgency, we can achieve what otherwise would be impossible.

A Google search on “cyber Manhattan Project” brings up results from as far back as 1997—it’s second only to “electronic Pearl Harbor” in computer-themed World War II allusions. In a much-circulated post on Medium last month, futurist Marc Goodman sets out what such a project would accomplish. “This Manhattan Project would help generate the associated tools we need to protect ourselves, including more robust, secure, and privacy-enhanced operating systems,” Goodman writes. “Through its research, it would also design and produce software and hardware that were self-healing and vastly more resistant to attack and resilient to failure than anything available today.” 

These arguments have so far not swayed a sitting American president. Sure, President Obama mentioned cybersecurity at the State of the Union, but his proposal not only doesn’t boost security research and development, it potentially criminalizes it. At the White House’s cybersecurity summit last week, Obama told Silicon Valley bigwigs that he understood the hacking problem well—“We all know what we need to do. We have to build stronger defenses and disrupt more attacks”—but his prescription this time was a tepid executive order aimed at improving information sharing between the government and industry. Those hoping for something more Rooseveltian must have been disappointed. 

On Monday, we finally learned the truth of it. America already has a computer security Manhattan Project. We’ve had it since at least 2001. Like the original, it has been highly classified, spawned huge technological advances in secret, and drawn some of the best minds in the country. We didn’t recognize it before because the project is not aimed at defense, as advocates hoped. Instead, like the original, America’s cyber Manhattan Project is purely offensive. 

This revelation came by way of the Russia-based anti-virus company Kaspersky. At a conference in Cancun this week, Kaspersky researchers detailed the activities of a computer espionage outfit the company calls the “Equation Group,” which, we can fairly surmise from previous leaks, is actually the NSA’s Tailored Access Operations unit. NSA’s cyber capabilities have been broadly known since the German news magazine Der Spiegel published a leaked 50-page catalog of NSA spy gear and malware in late 2013. But the one-page catalog descriptions didn’t convey the full flavor of the NSA’s technology. For that, somebody had to actually get their hands on that technology—capture it in the wild—and take it apart piece by piece, which is what Kaspersky did.

The result is impressive. The company has linked six different families of malware—“implants,” as the NSA calls them—to the Equation Group, the oldest of which has been kicking around since 2001. The malware has stayed below the radar in part because the NSA deploys it in limited, cautious stages. In the first stage, the agency might compromise a web forum or an ad network and use it to serve a simple “validator” backdoor to potential targets. That validator checks every newly infected computer to see if it’s of interest to the NSA. If not, it quietly removes itself, and nobody is the wiser. 

Only if the computer is a target of interest to the NSA does the validator take the next step and load a more sophisticated implant from a stealth NSA website like suddenplot.com or technicalconsumerreports.com. That’s where it gets interesting. The top tier of NSA malware discovered by Kaspersky is a generation ahead of anything previously reported in the wild. It uses a well-engineered piece of software called a bootkit to control the operating system from the ground up. It hides itself encrypted in the Windows registry, so that anti-virus software can’t find it on the computer’s disk. It carves out its own virtual file system on your machine to store data for exfiltration. 

There are update mechanisms, dozens of plug-ins, a self-destruct function, massive code obfuscation, hundreds of fake websites to serve as command-and-control. One of the NSA’s malware plug-ins can even reprogram your hard drive’s firmware, allowing the implant to survive a complete disk wipe—a feat that’s been demonstrated by computer scientists under laboratory conditions but never before seen in the wild. “The group is unique almost in every aspect of their activities,” Kaspersky concludes. “They use tools that are very complicated and expensive to develop, in order to infect victims, retrieve data, and hide activity in an outstandingly professional way.” 
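One practical check that follows from the registry-hiding detail above, offered here as an added example rather than anything from the original article or from Kaspersky’s own tooling: encrypted data looks random, while ordinary registry values are short and structured, so a multi-kilobyte binary value with near-maximal Shannon entropy is a reasonable lead when an implant is suspected of living in the registry instead of on disk. The script parses a regedit-style .reg export (the sample below is constructed for the demo, with a vendor name and key paths that are invented) and flags values that are both large and random-looking. The size and entropy thresholds are assumptions to tune per environment, not figures from the report.

```python
# Added example: hunt a Windows .reg export for large, high-entropy binary
# values. Not from the article or from Kaspersky; thresholds are assumptions.
import hashlib
import math
import re
from typing import Dict, List, Tuple

SIZE_THRESHOLD = 2048     # bytes; assumption, tune for your environment
ENTROPY_THRESHOLD = 7.5   # bits per byte; 8.0 is the maximum for byte data

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|(?P<default>@))=(?P<data>.*)$')
_HEX_RE = re.compile(r"^hex(?:\(\w+\))?:(.*)$")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or constant input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _decode_value(data: str):
    """Decode the right-hand side of a .reg line: quoted string, dword, or hex bytes."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = _HEX_RE.match(data)
    if m:
        return bytes(int(h, 16) for h in m.group(1).replace(" ", "").split(",") if h)
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key: {value_name: decoded_value}}.

    Joins the trailing-backslash continuation lines regedit emits for long
    hex values, which is exactly where big blobs end up.
    """
    out: Dict[str, Dict[str, object]] = {}
    key = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            out.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            out[key][m.group("name") or "@"] = _decode_value(m.group("data"))
    return out


def hunt_registry_blobs(text: str, size_threshold: int = SIZE_THRESHOLD,
                        entropy_threshold: float = ENTROPY_THRESHOLD
                        ) -> List[Tuple[str, str, int, float]]:
    """Return (key, value_name, size, entropy) for binary values that are big AND random-looking."""
    hits = []
    for key, values in parse_reg_export(text).items():
        for name, value in values.items():
            if isinstance(value, bytes) and len(value) >= size_threshold:
                h = shannon_entropy(value)
                if h >= entropy_threshold:
                    hits.append((key, name, len(value), round(h, 3)))
    return hits


# --- constructed sample export (invented vendor and paths) ---------------
def _pseudo_random(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic random-looking bytes (a SHA-256 chain) standing in for ciphertext."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def _to_reg_hex(data: bytes, per_line: int = 25) -> str:
    """Render bytes the way regedit exports them: hex:aa,bb,... with backslash continuations."""
    octets = [f"{b:02x}" for b in data]
    rows = [",".join(octets[i:i + per_line]) for i in range(0, len(octets), per_line)]
    return "hex:" + ",\\\n  ".join(rows)


SAMPLE_REG = "".join([
    "Windows Registry Editor Version 5.00\n\n",
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendor\\Settings]\n",
    '"InstallPath"="C:\\\\Program Files\\\\ExampleVendor"\n',
    '"Flags"=dword:00000001\n',
    '"Cache"=' + _to_reg_hex(bytes(3000)) + "\n\n",          # large but all zeros: not flagged
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendor\\Data]\n",
    '"Blob"=' + _to_reg_hex(_pseudo_random(4096)) + "\n",    # large and random-looking: flagged
])

if __name__ == "__main__":
    for key, name, size, entropy in hunt_registry_blobs(SAMPLE_REG):
        print(f"{key}\\{name}: {size} bytes, entropy {entropy:.3f} bits/byte")
```

On a live system the same logic runs over an export from `reg export HKLM hklm.reg /y`; expect some legitimate hits (compressed caches, signed binaries embedded by installers), so treat the output as a triage list, not a verdict. Size alone is a poor signal, which is why the zero-filled “Cache” value above is ignored while the random-looking “Blob” is reported.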

If you combine Kaspersky’s malware analysis with the Snowden revelations, you start to see just how strong a position the US has on the chess board of cyber espionage, and how hard it has worked to get there. Other countries use computer intrusion for spying, but not with the NSA’s $10 billion budget, and no public analysis of Chinese or Russian attacks has ever found a capability comparable to the Equation Group’s. 

The US has made the strategic choice to put its resources into engineering better attack tools and an infrastructure to support them. In a way it’s a smart choice. It’s a truism that the cyber battlefield is asymmetric—a defender has to get it right every time, while an attacker only has to succeed once. If the US spends a billion dollars in cyber defense, it will still be vulnerable. But spend it on cyber attack, and you get the most advanced computer espionage and sabotage tools that history has ever seen. It all makes sense in a 1970s Rand-Corporation-nuclear-game-theory kind of way. 

But we can stop pretending now that the government is ever going to have a “Manhattan Project” that improves the state of the art in computer defense. That would undermine the very attack system it has spent billions of dollars and a decade-and-a-half building. Despite the popular can-do appeal, a defensive Manhattan Project isn’t just unlikely. It’s a moon shot.
