14 February 2018

Cybersecurity can't be seen in isolation, it has to be a concerted international effort, says ex-DHS cybersec chief Sean McGurk

Karan Pradhan

"It first came to our attention on the morning of 10 July, 2010, when soon after my daily director’s briefing, the Industrial Control Systems Cyber Emergency Response Team watch officer informed me about a call we received from our partner agency in Germany about a malware sample they received that had some very unique characteristics,” recalls Seán McGurk — then director, Control Systems Security at the US Department of Homeland Security — about his first run-in with Stuxnet.

A couple of years after a 28- year-long stint with the US Navy, McGurk was in the role that put him in the eye of the Stuxnet storm. He would later be appointed director, National Cybersecurity and Communications Integration Centre (NCCIC) at the DHS, before moving to the private sector. Now, over seven years since his run-in with Stuxnet, McGurk serves as a senior policy advisor at the Industrial Control System Information Sharing and Analysis Centre.


While Iran bore the greatest brunt of Stuxnet in losing nearly 1,000 of its 6,000 centrifugesin its Natanz power plant, such countries as Indonesia, India, Azerbaijan, the US, Pakistan and a handful of others also felt its wrath. Stuxnet’s emergence — as a worm that targeted Supervisory Control and Data Acquisition (SCADA for short) systems — marked a watershed moment in global security.

Stuxnet

“With the release of malware specifically targeting industrial control systems, we moved into a new domain of cyber-risk,” explains McGurk, adding, “Before Stuxnet, the main focus of information security was on enterprise networks and business and personal information. Most of the concern was on theft and fraud and not on destroying physical systems through cyber means.” The situation changed markedly in the era in the post-Stuxnet world, where he notes an increase in physical attacks not only for the purposes of government-sponsored activity but also for commercial purposes and financial gain. The part about ‘physical attacks’ is important because it’s worth keeping in mind, Stuxnet wasn’t simply stealing information or manipulating data in the cyber-realm; it had jumped out into the real world where it was actually causing physical harm to systems.

But let’s get back to 10 July, 2010.

After the call with the German partner agency, it began to send McGurk’s team a sample with some initial analysis. “I asked why the malware team of the US Computer Emergency Readiness Team (US-CERT) was not taking the lead. That’s when I was informed that the malware in question appeared to be infecting control systems, so the Industrial Control Systems (ICS) CERT had the lead,” he notes, “I left directions to notify me when the sample was received, and work was started on the analysis. And we began our tracking process to document the activity.”

Having shared samples with partners, domestic and international, both ICS-CERT and US-CERT personnel started malware analysis. “Once the work began, we forwarded a sample of the code to our Control Systems Security Lab for additional analysis and review. I received a call from the malware team at approximately 4 pm that day that this was a very sophisticated piece of malware that appeared to be targeting a specific manufacturer of industrial control systems,” says McGurk. As it would later transpire, the manufacturer was Siemens.

“Unfortunately,” he adds, “Progress was delayed due to the use of enhanced encryption in the code that would require further analysis. By midday on 12 July, we began to understand the extent and possible impact of this type of malware attacking control system networks.” It was five days later, that ICS-CERT published the first public notification on the malware and its potential impact.” From this point on, internal briefings with government, industry and international partners commenced with daily updates on the status of analysis.

Former Iranian President Mahmoud Ahmadinejad visits the Natanz nuclear enrichment facility. Image: Reuters

Whodunnit?

Over the years, reports have emerged indicating that the US and Israel were responsible for the creation of Stuxnet, that it was a weapon that emerged from a cyber strategy devised by George W Bush and accelerated by his successor Barack Obama and so on.

Comments? “Although there is much speculation as far as the origin and the intent of the malware there has never been any indicators in the code to attribute it to a specific group, groups or nation-state,” the former US Navy command master chief told Firstpost, adding, “Keep in mind, Stuxnet was one of the most sophisticated and advanced pieces of malware discovered at that time.”

McGurk puts the sophistication of Stuxnet into perspective in five points:

First, Stuxnet made use of four significant zero-day vulnerabilities. Most malware uses existing vulnerabilities or may exploit a single zero-day vulnerability.

Second, two Stuxnet variants each used a different digital certificate ‘taken’ from technology companies located at the Hsinchu Technology Park (Taiwan). These were ‘valid’ software certificates attesting to the authentication of the code.

Third, with over 4,000 functions, Stuxnet contains as much code as some commercial software products.

Fourth, Stuxnet used many advanced programming techniques that demonstrate advanced knowledge in many areas including anti-virus and network communications protocols.

And fifth, it used a sophisticated infection and data exfiltration method previous not identified in other malware samples.

Cyberweapons of today

If all of this sounds frightening, it’s worth bearing in mind that Stuxnet happened a whole seven-plus years ago. Offensive cyber capabilities globally have come a long way since then. “Today, as a result of Stuxnet, we see not only the capability to disrupt business but the desire to do so. There are numerous examples of malware campaigns such as Shamoon, Mahdi,Duqu, Flame, Skywiper, Black Energy and Petya/Notpetya that are designed to deny, disrupt and destroy your ability to conduct business and deliver goods and services,” points out McGurk.

As a people, we aren’t naïve enough to imagine this sort of thing only belongs in the world of sci-fi anymore. However, like most of the best sci-fi, there’s plenty of room for things to be much worse. “With the recent identification of the Hatman/Trisis/Triton malware that targets safety systems, we have moved into a new era of risk to critical infrastructure and life and safety,” explains McGurk somewhat ominously.

According to the NCCIC, the job of safety systems in critical infrastructure is to “provide a way for a process to safely shut down when it has encountered unsafe operating conditions, and provide a high degree of safety and reliability with important monitoring capabilities for process engineers”. Take that away and what you’re left with is an immensely dangerous scenario. The key aspect of safety systems is that they are designed in a manner that even if they were to fail, the manner of failure would be entirely predictable. Worst-case scenarios are usually known and importantly, predictable. Take away the safety net of the ability to anticipate and what you’re left with is an immensely dangerous situation.

On cyberwar

Swindling a few million dollars from a major multinational is one thing, but sabotaging the safety systems of critical infrastructure like a power plant or air traffic control — and putting the lives of potentially millions of innocent people — is another altogether. It’s here that a crucial question needs to be asked: How do you draw the line between an act of cybercrime and cyberwar?

“It is difficult to distinguish between the two but perhaps a distinguishing factor may be for financial gain as opposed to a national or economic advantage,” offers McGurk, “Nation-states or nation-state-sponsored criminal activity may utilise the same tools, techniques and procedures (TTPS) but for different purposes or outcomes.”

He continues, “I support a global approach to cyber activity, however, lacking clear definitions on what constitutes a cyber act of war makes developing a protocol or convention difficult.”

In ‘Laws of War: Opening of hostilities’ under the Hague Convention of 1909, war must be declared — “The contracting powers recognise that hostilities between themselves must not commence without previous and explicit warning, in the form either of a reasoned declaration of war or of an ultimatum with conditional declaration of war,” as per Article 1 — and other nation-states must be made aware of the state of war — “The existence of a state of war must be notified to the neutral powers without delay, and shall not take effect in regard to them until after the receipt of a notification,” as per Article 2. When at war, the Geneva Convention and International Humanitarian Law governs all the acts contained within the said state of war, including the idea that non-combatants and civilians may not be targeted.

But how on earth do you govern something like cyber war, that by its nature is covert, unspoken and largely targets non-combatants? Bear in mind, cyber weapons work best when they are unleashed without warning and attribution (ie pinpointing the source of an attack) is still far from accurate. Does this mean then that we need to assume we are permanently in a state of war with one and all in cyberspace?

“The Geneva Convention addresses conduct during wartime actions,” acknowledges McGurk and offers, “We require a more comprehensive approach that extends to normal online activity. There is a place for a digital Geneva Convention to address wartime activity, however, we need something that applies day-to-day.”

As of the time of writing, there is neither consensus nor a clear idea of what that will look like and there isn’t reason to be optimistic that there’s such a document on the horizon, what with nation-states rarely even acknowledging their own offensive cyber capabilities, leave alone discussing them with other nation-states.

What nation-states should do

“In order to move forward, a directed public/private partnership is necessary,” says McGurk. It’s no secret that private players are far more proactive than the public sector in most countries and that government red tape frequently slows down the speed of development. “Governments, internationally, must develop a framework for cyber systems, communications, connectivity and security. The private sector must work with the framework to develop ‘secure by design’ systems and mitigate the risk associated with legacy-based systems,” he adds. This, it is believed, will provide a way to address gaps and close vulnerabilities within critical infrastructure.

The world learned its collective lesson about the perils of atomic bombs after the 1945 bombing of Hiroshima and Nagasaki. As of 2018, while countries have built and strengthened nuclear capabilities, not one nuclear weapon has been used by one nation-state against another in the 73 intervening years. Could the same happen with cyberweapons?

“I do not believe we need a digital major disaster in order for governments and industries to understand and address the threats that cyber warfare may pose. We are all raising the level of awareness within our respective areas,” says McGurk. It’s worth recalling at this point, a statement made by the former DHS man back at a Senate hearing in April 2011. He had said, “No single agency has sole responsibility for securing cyberspace, and the success of our cybersecurity mission relies on effective communication and critical partnerships.”

Globally, it stands to reason that this should apply to governments across the world when it comes to securing cyberspace. Needless to say, that isn’t something that’s happening. “My concern is that we are taking a limited national approach as opposed to a global approach. No one government agency or private sector company will be able to solve the problem. It will take the coordinated effort of the global community in order to properly address the risk,” says McGurk and offers a sliver of encouragement, “Simply because of the installed base and infrastructure investments India has made, it is in a position to lead that effort on a scale that other nations cannot match.”

He elaborates, “Numerous reports cite India as the largest connected country globally. From digital identity, digital banking and data usage, India is ideally positioned to provide worldwide leadership in the digital era.”

No comments: