The Biggest Hack Ever, or How I Learned To Live With Asymmetric Cold War
Posted by Graham_Webster on Thursday, Aug 04, 2011
Cybersecurity geeks without security clearance are spending today thinking about the biggest-ever cyber attacks. That we know of, that is.
Dubbed Operation Shady RAT, the series of victims include “the governments of the United States, Taiwan, India, South Korea, Vietnam and Canada; the Association of Southeast Asian Nations (ASEAN); the International Olympic Committee (IOC); the World Anti-Doping Agency; and an array of companies, from defense contractors to high-tech enterprises.”
Meanwhile, in a breathless article in Vanity Fair that claims to have first revealed the attacks, Michael Joseph Gross hails the arrival of the “cyber-dragon,” also known as the People’s Republic of China. Though McAfee, the firm that publicized the attacks, refuses to point fingers, experts are keen to suspect China in the case of the Shady RAT (it stands for “remote access tool,” a piece of malware that lets the “Adversary” into your computer and its local network.)
If we assume this is a Chinese state-directed effort to exfiltrate enormous amounts of valuable intellectual property while gathering information about security vulnerabilities along the way, an assumption supported by experts like James Lewis at the Center for Strategic and International Studies in Washington, then we have a classic cybersecurity puzzle. What can the United States and other governments do in return?
This brings us to what cybersecurity experts call the “attribution problem.” In the old Cold War, it was pretty clear who would have launched a missile. Even if a machine did the launching, as with Kubrick’s “doomsday device,” you knew which machines to obliterate. Destruction mutually assured was our insurance. Online, the true origin of an attack is very difficult to determine. Because signals are routed through third-, fourth-, and fifth-party servers, the attacker is obscured.
But let’s assume one step further, that we can attribute these attacks with confidence to an originating terminal in China. Maybe we even have old-fashioned intelligence—photographs, fingerprints, etc.—that shows a particular person in Shanghai or Hainan directing the attack. How do we know that these efforts are government-directed? In that old Cold War, your crazy uncle may have wanted to nuke the Russians, but he couldn’t do it on his own, or even with his crazy friends.
As likely as it is that China is behind at least a significant portion of these large-scale attacks, what portion and precisely who in China is simply unknown, at least outside of the classified world. Gross notes that at times the FBI has had trouble informing businesses that they were under attack, because the Bureau only knows about the attacks from classified sources. Unless someone in the office has clearance, your business might not find out until unclassified evidence is found.
So, Gross tells us a vivid story based on interviews with a ton of unnamed security figures. In addition to the Operation Shadow rat revelation, the most interesting story is probably an inside retelling of Google’s frantic efforts to fight an ongoing infiltration that Google later publicly attributed to China (and diplomatic cables attributed to a senior official who "didn’t like his Google results).
Three people who visited Google’s Mountain View, California, headquarters while the attacks were in progress describe dramatic scenes of a company under siege. Google “built a physically separate area for the security team,” one of them says. Sergey Brin, one of the company’s co-founders, was deeply involved in the cyber-defense. “He moved his desk to go sit with the Aurora responders every day. Because he grew up in the Soviet Union, he personally has a real hard-on for the Chinese now. He is pissed.” Caught unawares and shorthanded, the company made a list of the world’s top security professionals, and Brin personally called to offer them jobs—with $100,000 signing bonuses for some, according to one person who received such an offer—and quickly built Google’s small, pre-Aurora security operation into a group of more than 200.
The Cold War parallel is never far below the surface, but the dilemma for targets of attacks is how to face the “Adversary.” As a practical matter, creating unbreakable security is impossible; you can only make things better. But practical concerns make it hard to levy direct, public pressure on governments in China, Russia, and other hacker-heavy states. The result is something like asymmetrical cold war, with no mutually assured destruction and with destruction defined in terms of potential attacks during a hot war, or loss of financially valuable intellectual property. And there’s a lot of it, experts fear. Says one Senate staffer: "But terrorism is not the best analogy here. Who could have imagined that people would have flown airplanes into buildings?The difference with cyber is there are people trying to fly planes into buildings every day now.”
In his book Cyber War, former U.S. terrorism official Richard Clarke raises the alarm about U.S. vulnerability to cyber attack. Despite a generally beltway-based worldview, Clarke points out the absurd language the Pentagon and other U.S. groups often use to talk about cyberspace. The online world, to these military planners, is a “domain” to be “dominated.” Only through “superiority” can the United States be safe.
Meanwhile, under their noses, information is stolen, intellectual property is siphoned away, systems are compromised, all to an end that we can’t see but should be worried about. Many are aware of this, but the political rhetoric is stuck in the old Cold War, and heads remain stuck in the sand. You know, the stuff that’s used to build the silicon computer chips that power the world’s newest, and maybe most powerful weapons.
Connections
Filed under:
