A call to cyber-arms
The idea of hackers bringing the world to the brink of catastrophe used to be a Hollywood plotline. Now, with cyberattacks on the rise, NATO computer experts have set up shop in Estonia to figure out how to strike back
By Bobbie Johnson
THE GUARDIAN , TALLINN
Monday, Apr 20, 2009, Page 9
Back in 1983, the world was a simpler place. The economy looked healthy, there were only four channels on British TV — and, if you believed Hollywood at least, the biggest threat to world security was a pimply teenager with a computer.
Matthew Broderick’s turn in the film WarGames, as a nerdy kid who accidentally blunders into a highly classified computer system that controls the US nuclear arsenal and proceeds to take the world to the brink of nuclear war, didn’t win many awards. But it made its mark on millions of people around the world — and introduced us to the stereotype of the precocious young hacker.
The film plugged into every paranoid Star Wars fantasy from the Reagan era, but now it is unlikely to elicit more than a snigger. The prospect of a cyberwar launched by someone too young to drink is, frankly, ridiculous. Isn’t it?
In the worst-case scenario, what might start slowly — a few propaganda messages here, a hacked Web site there — could quickly spread. The already hammered British economy might soon be crippled as the nation’s bank accounts are drained of their funds — stripping billions out of people’s hands in seconds — and major online shops including eBay and Amazon fail.
Elsewhere, communications networks could come under fire, with telephone, Internet and mobile systems quickly collapsing. The transport network might fail, too, causing air-traffic control computers to go haywire, rail systems to break down, traffic light systems to be reprogrammed.
The ensuing chaos would create panic around the country, with airports from Heathrow to Glasgow on high alert, facing the horrifying prospect of midair collisions as the aircraft above them are fed wrong information. While emergency services struggle to cope with the confusion, they could fall victim to attacks themselves. A stream of fake messages and alerts might send fire engines to the wrong locations and ambulances to hospitals already filled with patients.
And the coup de grace? Hidden programs inside the country’s electricity grid might then jump to life, shutting down power supplies, creating targeted blackouts — even sending nuclear reactors into freefall.
Such a doomsday scenario might sound drastic — more of a cyber-apocalypse than a cyberattack — but it is one that has been outlined many times by the London Metropolitan Police, the security service MI5 and the Joint Intelligence Committee.
US Navy investigator and cybercrime specialist Kenneth Geers characterizes the typical response of powerful individuals as they hear this doomsday scenario outlined as a sort of unbridled terror inspired by technology.
“More than one senior official said they’ve had so many cyber-briefings now that they don’t want to turn their computers on any more,” he says.
Geers identifies a number of potential weak spots in the system, including Web sites of “pure economic value” (such as banks and online shops) as well as telecommunications systems and the electricity grid.
“In the worst case? [Someone] invading your own infrastructure and using your own tools against you,” he says. “Tell your troops to move in the wrong direction, or your missiles to fire on your own cities … anything in your imagination.”
Hidden in the shadow of crumbling Soviet tower blocks on the outskirts of the Estonian capital Tallinn sits a compact military post that looks pretty much like any other. The base carries the official name of Cooperative Cyber Defence Centre of Excellence, but is usually referred to by the code name K5. Soldiers march across the small parade ground, passing a selection of camouflaged vehicles as they troop to and fro. Heavy weaponry is dotted around the buildings, while on one side of the plot a discreet armory holds a stock of emergency weapons.
Behind the security gates and razor wire, however, this is a different kind of military operation — the unlikely frontline in NATO’s attempt to prevent a global cyberwar.
K5 is where the alliance’s top computer experts — high-ranking researchers, academics and security specialists — work in teams to analyze potential cyberthreats and predict exactly how NATO will fight virtual wars in the future.
Since the center opened last year, few people have been granted a glimpse inside — but I am being given the chance to see exactly what takes place here.
I find myself standing opposite Rain Ottis, a stout, serious-looking Estonian computer scientist who speaks flawless English, in the corner of K5’s mess room. It would be easy to forget that this is a military station were it not for the fact he is wearing fatigues. I’m holding a cup of weak coffee in a NATO mug, and watching as a light rain starts falling on the barracks next door.
Ottis speaks with a calm voice, but is forceful about how we might need to respond to a future cyberstrike.
His solution? Overwhelming response: a single, gigantic counterstrike that cripples the target and warns anyone else off launching a future cyberwar.
He isn’t sure what it would look like, but the show of force he envisages is so severe that the only thing he can compare it to is a nuclear attack — meaning, of course, that K5 could be the virtual equivalent of the Manhattan Project, the US-led secret program to develop the atomic bomb.
“Obviously nuclear weapons do a lot more damage than a cyberweapon would do in a physical sense — but a single cyberweapon could have global consequences,” he says.
It feels as if we have come full circle from the contrived Hollywood paranoia of WarGames.
Fears over computerized warfare stretch back many years, but it was only in the early 1990s — when the Internet started to become a more widely accepted technology — that researchers at Rand, the Pentagon think tank, first coined the term “cyberwar.” In a prescient 1993 paper, “Cyberwar is Coming!”, analysts John Arquilla and David Ronfeldt argued that an online battle waged between two nations was almost inevitable — but that at least it would be less destructive than full-blown conflict.
Many of the cyberattacks that have been identified in recent years have been linked back to China, which now has more Internet users than anywhere in the world, and Russia. The growing animosity surrounding these reported strikes is developing into a new sort of Cold War, played out by teams of cyberspies sitting at computers in opposite corners of the globe.
Recent examples that have raised tensions include a high-tech spy group known as Titan Rain, which successfully infected government computers in Britain, the US and Germany, and GhostNet, a cyber-espionage network that targeted supporters of a free Tibet. Both were said to come from China, and possibly be directly linked to the People’s Liberation Army — though researchers couldn’t agree on the evidence. University of Cambridge researchers claim it was definitely the product of “agents of the Chinese government,” while their colleagues at the University of Toronto say that it is too easy to presume guilt.
“Certainly Chinese cyber-espionage is a major global concern,” the Canadian experts wrote in a report on GhostNet. “But attributing all Chinese malware to deliberate or targeted intelligence-gathering operations by the Chinese state is wrong and misleading.”
Then, last week, it was widely reported that the US’s power grid had succumbed to hackers. Given that the US’ security services are scrabbling for the attention of their new president, there’s plenty of reason to be skeptical about these unsubstantiated and largely anonymous reports (security whiz Kevin Poulsen says the timing of this uncheckable story is “unusually opportune”). Regardless, such stories are enough to convince the powers-that-be to take action: Last week it emerged that the US Congress is considering legislation to massively increase the country’s cyberdefenses — including, potentially, a single official in charge of keeping civil systems, military networks and public utilities safe.
Inside NATO’s own cyberdefense headquarters in Estonia, the day-to-day business at K5 largely involves people staring at computer screens. Those expecting a vast, high-tech control center worthy of NASA would probably be disappointed by the austere surroundings, which look more like they were lifted from a university hall than MI5 headquarters.
Essentially, the center is a hybrid of a global listening post and a think tank. The 30 experts stationed here are tasked with gathering and processing intelligence and information, then giving scientists the information to simulate possible responses to cyberattack.
The group is drawn from a range of NATO countries, and they spend their days analyzing data that streams in from around the Internet. One of those stationed at K5 is Geers, the author of the book Cyber Jihad and the Globalization of Warfare. Tall, slim, dark-haired and wearing civilian clothes, he tells me that we are paying the price for a headlong rush into using technologies without thinking through the potential consequences.
“In certain ways, this is a golden age for attackers,” he says, in a careful voice. “Over the past 15 years, the world has rushed to connect networks together because they want to use their power. But the rush to connect everything to the Internet was ahead of security.”
With so much of the world now connected to the Internet — billions of computers and mobile phones across a multitude of homes, banks, schools, shops and elsewhere — it is ripe for attackers to exploit the gaps in security. “It’s a very big challenge for us to be able to leverage networks and the power of computers, while at the same time securing them.”
In a side room, Geers’ colleague Ottis tells me: “Espionage is something that countries and governments accept — it’s always been there, and always will. But if we see attacks that target the citizen? That’s different.”
There is a particular reason for Ottis and his fellow Estonians to be concerned about the threat of cyberwar: in 2007, Estonia itself was the target of a massive Internet assault, allegedly sparked by a political disagreement with Russia. Over the course of several weeks, Estonia’s government, banking and commercial sectors endured a sustained barrage of online attacks that brought parts of the system — one of the most advanced and Internet-friendly in the world — grinding to a halt.
Although the Estonians imply that the campaign was sponsored by the Kremlin, K5 officials admit they can offer no proof. But whoever was ultimately responsible, the strikes highlighted fears that technology is the weapon at the forefront of a new sort of Cold War.
“This is definitely not science fiction any more,” Ottis says. “We have plenty of examples where nation-states have actually been involved — both on the offensive and the defensive side. Cyberattacks are very efficient. You don’t have to fly to the country you’re attacking, you don’t need a cell somewhere. All you need is a connection. What happens if your country gets targeted by 25,000 well-equipped, well-trained people who work to achieve the same goal? No country is ready for that.”
The first step toward a proper cyberdefense is understanding who the actors behind a potential attack might be. But doing that requires information that, for the most part, is impossible to find.
“Defense against cyberwarfare is extremely difficult,” explains Peter Sommer, a computer security specialist and visiting professor at the London School of Economics. “Only the very unskilled leave pointers to their identities and locations.”
Skilled hackers can implant targeted viruses inside their victim’s computers and leave them to gestate for weeks, months or even years before activating them at a later date.
There are numerous examples of such vast, destructive virus strikes — most notably the Conficker worm, which has infected more than 9 million PCs worldwide in recent months. Right now nobody knows who created Conficker, or what its target might be. It has yet to fully activate, leaving security groups and anti-virus companies on high alert. Some have suggested it is part of a criminal plan to steal identities by the million, or a dangerous cyberweapon, or that it could simply be a gigantic prank. But even if the worm does prove the spark that ignites a full-blown cyber-conflict, its author would remain almost untraceable.
Just as any hard evidence to suggest the Russian military approved the Estonian cyberattack in 2007 is largely missing, so proving that China or Russia are directly responsible for other attacks is almost impossible. And, experts admit, it would be politically smart for a truly destructive organization to mask their attacks and make them seem like they originated from a country already under scrutiny.
In truth, it could be almost anybody, almost anywhere. Rudimentary hacker toolkits are available to buy cheaply online, while an illicit black-market trade in more complex tools takes would-be attackers out of the reach of the authorities on the so-called “darknet.” And while a highly intelligent virus such as Conficker may have required some skill to program, other hackers may succeed simply by having the time to experiment rather than any great raw ability. (Gary McKinnon, the Briton accused of hacking into Pentagon computers, bumbled his way into supposedly secure networks by guessing that the password had not been changed from the default “password”).
There is also an increasingly blurred line between what action the state sponsors (which would qualify as full-blown international conflict) and what is being done in the name of the state — a sort of guerrilla warfare played out on virtual battlefields. With China’s growing power leading to widespread suspicion and criticism in the Western media, these groups — a mixture of roguish hackers, disaffected teens and intellectuals frustrated by stereotypes about their culture — see part of their job as defending the homeland, even while they reserve the right to criticize it from the inside.
Rebecca MacKinnon, a Hong Kong-based journalist and academic, has identified this burgeoning ideology as “cyber-tarianism” — where highly connected citizens are critical of government repression but fiercely nationalistic at the same time.
“A lot of people don’t want a Western-style democracy,” she told a conference in California last month. “Before the Olympics last year, Chinese students protested all over the world at what they saw as biased Western media accounts.”
These protests included a series of large-scale hacking attacks — on large targets such as the news channel CNN, and small ones such as pro-Tibet Web sites, which temporarily disabled them.
In China and Russia, this cyberforce is reckoned to be becoming more powerful — and more destructive. Dissident Russian nationalists have also been blamed for the Estonia attacks, while similar groups are appearing in other countries around the globe as Internet connectivity spreads. Armed with technical know-how and a passionate cause, these ad hoc groups of individuals would seem increasingly important in the way these conflicts are playing out.
But it’s still difficult to imagine what would actually happen if a full-blown cyberwar ever did take place. After all, movies like WarGames — stuffed with Hollywood exaggerations — surely stretch the limits of what can happen. Don’t they?