BBC World Service
Operation Locked Shields, an international military exercise held last month, was not exactly your usual game of soldiers. It involves no loud bangs or bullets, no tanks, aircraft or camouflage face-paint. Its troops rarely even left their control room, deep within a high security military base in Estonia.
These people represent a new kind of combatant – the cyber warrior.
One team of IT specialists taking part in Locked Shields, were detailed to attack nine other teams, located all over Europe. At their terminals in the Nato Co-operative Cyber Defence Centre of Excellence, they cooked up viruses, worms, Trojan Horses and other internet attacks, to hijack and extract data from the computers of their pretend enemies.
Cyberwar glossary I
- Botnet: Geographically-dispersed network of infected computers which can be controlled remotely without their owners’ knowledge, and used to attack other computers or networks
- Distributed Denial of Service attack (DDOS): A means of knocking websites offline by overwhelming them with bogus traffic
- Trojan Horse: Malicious software masquerading as something legitimate. Some Trojans even appear to be anti-virus software
- Virus: Malicious computer programme designed to make a computer or network malfunction
- Worm: A type of virus that can replicate itself. Worms can multiply sufficiently to consume a computer’s available memory or hard disk
The idea was to learn valuable lessons in how to forestall such attacks on military and commercial networks. The cyber threat is one that the Western alliance is taking seriously.
It’s no coincidence that Nato established its defence centre in Estonia. In 2007, the country’s banking, media and government websites were bombarded with Distributed Denial of Service (DDOS) attacks over a three week period, in what’s since become known as Web War I. The culprits are thought to have been pro-Russian hacktivists, angered by the removal of a Soviet-era statue from the centre of the capital, Tallinn.
DDOS attacks are quite straightforward. Networks of thousands of infected computers, known as botnets, simultaneously access the target website, which is overwhelmed by the volume of traffic, and so temporarily disabled. However, DDOS attacks are a mere blunderbuss by comparison with the latest digital weapons. Today, the fear is that Web War II – if and when it comes – could inflict physical damage, leading to massive disruption and even death.
“Sophisticated cyber attackers could do things like derail trains across the country,” says Richard A Clarke, an adviser on counter-terrorism and cyber-security to presidents Clinton and Bush.
“They could cause power blackouts – not just by shutting off the power but by permanently damaging generators that would take months to replace. They could do things like cause [oil or gas] pipelines to explode. They could ground aircraft.”
Clarke’s worries are fuelled by the current tendency to put more of our lives online, and indeed, they appear to be borne out by experiments carried out in the United States.
A power station might have less anti-virus protection than the average laptop”
At the heart of the problem are the interfaces between the digital and physical worlds known as Scada – or Supervisory Control And Data Acquisition – systems.
Today, these computerised controllers have taken over a myriad jobs once performed manually. They do everything from opening the valves on pipelines to monitoring traffic signals. Soon, they’ll become commonplace in the home, controlling smart appliances like central heating.
And crucially, they use cyberspace to communicate with their masters, taking commands on what to do next, and reporting any problems back. Hack into these networks, and in theory you have control of national electricity grids, water supplies, distribution systems for manufacturers or supermarkets, and other critical infrastructure.
In 2007, the United States Department of Homeland Security (DHS) demonstrated the potential vulnerability of Scada systems. Using malicious software to feed in the wrong commands, they attacked a large diesel generator. Film of the experiment shows the machine shaking violently before black smoke engulfs the screen.
Cyberwar glossary II
• IP address: The unique numerical identification which every device online needs to have
• Scada: Computer system used to control physical processes such as in industry, and to collect diagnostic information such as machinery performance data
• Software errors: Glitches within the computer code of software which render it vulnerable to hacking. Undiscovered errors, known as Zero Day Exploits, are invisible to anti-virus programmes and therefore especially prized by hackers
• Software patch: Short programme published by a software producer to repair malfunctions or otherwise to improve existing software
Although this took place under laboratory conditions, with the attackers given free rein to do their worst, the fear is that, one day, a belligerent state, terrorists, or even recreational hackers, might do the same in the real world.
“Over the past several months we’ve seen a variety of things,” says Jenny Mena of the DHS. “There are now search engines that make it possible to find those devices that are vulnerable to an attack through the internet. In addition we’ve seen an increased interest in this area in the hacker and hacktivist community.”
One reason why Scada systems may be prone to hacking is that engineers, rather than specialist programmers, are often likely to have designed their software. They are expert in their field, says German security consultant Ralph Langner, but not in cyber defence. “At some point they learned how to develop software,” he adds, “but you can’t compare them to professional software developers who probably spent a decade learning.”
Moreover, critical infrastructure software can be surprisingly exposed. A power station, for example, might have less anti-virus protection than the average laptop. And when vulnerabilities are detected, it can be impossible to repair them immediately with a software patch. “It requires you to re-boot,” Langner points out. “And a power plant has to run 24-7, with only a yearly power-down for maintenance.” So until the power station has its annual stoppage, new software cannot be installed.
Langner is well-qualified to comment. In 2010 he, along with two employees, took it upon himself to investigate a mystery computer worm known as Stuxnet, that was puzzling the big anti-virus companies. What he discovered took his breath away.
Stuxnet appeared to target a specific type of Scada system doing a specific job, and it did little damage to any other applications it infected. It was clever enough to find its way from computer to computer, searching out its prey. And, containing over 15,000 lines of computer code, it exploited no fewer than four previously undiscovered software errors in Microsoft Windows. Such errors are extremely rare, suggesting that Stuxnet’s creators were highly expert and very well-resourced.
The attack vectors and exploits used by Stuxnet can be copied and re-used – the technology is out there on the internet”
Ralph LangnerSecurity consultant
It took Langner some six months to probe just a quarter of the virus. “If I’d wanted to do all of it I might have gone bust!” he jokes. But his research had already drawn startling results.
Stuxnet’s target, it turned out, was the system controlling uranium centrifuges at Iran’s Natanz nuclear facility. There is now widespread speculation that the attack was the work of American or Israeli agents, or both. Whatever the truth, Langner estimates that it delayed Iran’s nuclear project by around two years – no less than any air strike was expected to achieve – at a relatively small cost of around $10 million. This success, he says, means cyber weapons are here to stay.
Optimists say Stuxnet does at least suggest a scrap of reassurance. Professor Peter Sommer, an international expert in cyber crime, points out that the amount of research and highly skilled programming it involved would put weapons of this calibre beyond anyone but an advanced nation state. And states, he point out, usually behave rationally, thus ruling out indiscriminate attacks on civilian targets.
“You don’t necessarily want to cause total disruption. Because the results are likely to be unforeseen and uncontrollable. In other words, although one can conceive of attacks that might bring down the world financial system or bring down the internet, why would one want to do that? You would end up with something not that different from a nuclear winter.”
Find out more
- Danger in the Download is a three-part documentary presented by Ed Butler on the BBC World Service
- The first episode will be broadcast on 1 May at 00:06GMT, and will be available afterwards on i-player
- But even this crumb of comfort is denied by Langner, who argues that, having now infected computers worldwide, Stuxnet’s code is available to anyone clever enough to adapt it, including terrorists.
“The attack vectors and exploits used by Stuxnet – they can be copied and re-used reliably against completely different targets. Until a year ago no one was aware of such an aggressive and sophisticated threat. With Stuxnet that has changed. It is on the table. The technology is out there on the internet.”
One thing is for sure, he adds: If cyber weapons do become widespread, their targets will lie mostly in the west, rather than in countries like Iran, which have relatively little internet dependence. This means that the old rules of military deterrence which favoured powerful, technologically advanced countries like the United States do not apply: Responding in kind to a cyber attack could be effectively impossible.
This asymmetry is likely to grow, as developed countries become ever more internet-dependent. So far, the Internet Protocol format allows only 4.3 billion IP addresses, most of which have now been used. But this year, a new version is rolling out, providing an inexhaustible supply of addresses and so allowing exponential growth in connectivity. Expect to see far more machines than people online in the future.
In the home, fridges will automatically replenish themselves by talking to food suppliers; ovens and heating systems will respond to commands from your smartphone. Cars may even drive themselves, sharing GPS data to find the best routes. For industry, commerce and infrastructure, there will be even more reliance on cyber networks that critics claim are potentially vulnerable to intrusion.
“The US military ran headlong into the cyber age and we became very dependent on cyber devices without thinking it through”
Richard ClarkeFormer US security adviser
“There will be practically infinite number of IP addresses,” says former hacker Jason Moon. “Everything can have an IP address. And everything will have one. Now, that’s great. But think what that’s going to do for the hacker!”
In fact, it has already become a challenge for even sensitive installations, let alone households, to remain offline. Although military and other critical networks are supposedly isolated from the public internet, attackers can target their contractors and suppliers, who plug into the “air-gapped” system at various times. Somewhere down the food chain, a vulnerable website or a rogue email will provide a way in.
According to Richard Clarke, the mighty American armed forces themselves are not immune, since their command & control, supplies, and even some weapons systems, also rely on digital systems.
“The US military ran headlong into the cyber age,” he says. “And we became very dependent on cyber devices without thinking it through. Without thinking that if someone got control of our software, what would we be able to do? Do we have backup systems? Can we go back to the old days?”
The answer it seems is no. A new form of weapon appears to be emerging. And the world may have to learn to adapt.
The first episode of the three part documentary series Danger in the Download presented by Ed Butler will be broadcast on BBC World Service on Tuesday 1 May at 00:06GMT and will be available afterwards on i-player.