April 23, 2016
DARK TERRITORY - THE SECRET HISTORY OF CYBER WAR
Author: Fred Kaplan
Waiting to kick off a television discussion on banking technology a year ago, I was privy to the discussion between two chief technology officers (CTOs) of large Indian banks on an "incident" they had just faced.
From what I could gather, both banks had just faced massive Distributed Denial of Service (DDoS) attacks, virtually shutting down their systems. Somehow they managed to reduce the impact of the attack - being closer to a weekend helped, apparently. Better still, as I understood, they had kept the lid on it.
Where did that DDoS attack (in which a multitude of comprised systems attack a single target causing a denial of service for users of the system, in this case internet banking) come from? The two CTOs were not willing to speculate with me, except to say that "organised hackers" were behind it. The grim message I took away was that this was not the first such attack nor would it be the last.
Cyber-attacks are not new but evidently they are getting worse and far more organised. Nor is it only about geeky teenagers staring at large monitors in tucked away basements - more on this in a bit - but entire armies of highly-trained staff, which defend and attack as they would in regular war.
Dark Territory: The Secret History of Cyber War by Fred Kaplan, Pulitzer Prize winning reporter of Boston Globe and author of War Stories for Slate, is a useful guide to understanding the genesis of cyber warfare as we know it and its frightening evolution to, in US President Barack Obama's words, something similar to a baseball game: "Sometimes we are playing offensive, sometimes defensive."
The story begins with US President Ronald Reagan watching the movie WarGames in June 1983. The movie starred Matthew Broderick (Godzilla in 1998) as a "tech-wiz" teenager who unwittingly hacks into the main computer at NORAD, the North American Aerospace Defense Command. Broderick thinks he's playing a new computer game and nearly starts World War III.
The film stuck in Reagan's mind. The next week, at a meeting on defence-related matters, he asked around the room if folks had seen it and if they had, could something like WarGames happen?
Many had not, since the movie had just hit the screens. But the chairman of the Joint Chiefs, the top man in the US military, returned a week later with the answer. "The movie wasn't at all far-fetched," he said. Actually, the problem was much worse than what the President had thought.
Thus started a race to find the people and skills to fight this new menace. Amazingly, the scriptwriters for WarGames got their plotlines sorted out for authenticity by an engineer called Willis Ware, who had designed the software program at NORAD - and happily pointed out the gaping security holes in it.
Much of Kaplan's narrative is about the early barriers and painful bureaucratic hurdles in getting America to focus on cyber-warfare. It is also about the more current debate on trade-off between privacy and security. Equally well described are the efforts that went into marshalling the teams and resources to dedicate to cyber- war.
For instance, a big early challenge in cyber-warfare - before the National Security Agency or NSA came into the picture - identifying who should be in charge of fighting it.
Indeed, for most old-world soldiers and generals, a war meant bombs going off, people getting injured or killed and territorial advances. Nothing of the sort happens in cyber-war (at least so far) but considerable damage can be wreaked nevertheless.
Fighting these battles does not just take new teams but also new talent, the kind that did not spend its best days of youth doing push-ups under the blazing sun or crashing through dense forests with assault rifles.
On the contrary, this new bunch operated right in the heart of America, as Bill Clinton's counterterrorism advisor Richard Alan (Dick) Clarke found out. A chance meeting with a hacker he sought out wore jeans, a T-shirt, one earring, a goatee and had long blonde hair. He was subsequently co-opted into the government's cyber-warfare effort.
Imagine discovering one day that some 80 per cent of global internet traffic was passing through America until 2007. And in the late 1990s, this 80 per cent passed through just two buildings, one in San Jose, California and the other in Tysons Corner, Virginia.
Things have moved rapidly since then.
While the world was still talking about America attacking Iran some day, Kaplan points out the strike already happened, actually more than once. American hackers fiddled with programming at Iran's nuclear reactor in Natanz, causing centrifuges to spin beyond control and damage themselves.
This was an alternative to bombing the reactor, a move favoured by the hawks but perhaps equally destructive. The software controlling the centrifuges was designed by Siemens, which made programmable logic controllers or PLCs for industrial systems worldwide. The challenge was to devise a "worm" that would penetrate the Siemens system. Which it did - and set Iran's nuclear programme back by years.
Iran retaliated not so much against the federal government but against Sheldon Adelson, owner of casino giant Las Vegas Sands, for suggesting publicly that a nuclear bomb be dropped in the desert in the context of US-Iran nuclear negotiations. In 2014, attackers not only wiped out some 20,000 computers but caused millions of dollars in damage. And importantly, as Kaplan points out, not a single dime was stolen.
There are other, equally worrying examples, including the North Korean attack on Sony Pictures for releasing a film that showed their leader in a comic light. And more worryingly, how Sony capitulated and did not release the film in theatres because of the attacks.
Kaplan's book can get a little tedious for someone who is reading it outside of America but anyone in the armed forces or charged with cyber-safety would identify with the structural challenges and hopefully take away lessons.
Two years ago, ahead of a panel discussion I was moderating, I heard an interesting talk on Supervisory Control & Data Systems (SCADA) which connects utility companies, waterworks and so on by Zia Saquib of the government-owned Centre For Development of Advanced Computing or C-DAC.
Titled "Protection and security of critical national infrastructure," Saquib's scary presentation ran through the nuts and bolts of how traditional control systems, for instance in a power plant, were linked to the internet making it prone to attacks. The slides are available online.
As the Las Vegas Sands or the Indian bank CTOs' example showed, keeping computer systems safe is not just the job of the government, it is the responsibility of every organisation that holds anything of value in its digital vaults.
No comments:
Post a Comment