Cyber response and protection: Some thoughts on recent hacks
Dr Dave Sloggett explores the wider implications of the alleged cyber-attack on the Sony Film Studios in Hollywood.
All the elements of a great Hollywood blockbuster movie came together in the episode surrounding the initial decision by Sony studios to cancel the release of the film The Interview. This was a case where the dividing line between fact and fiction became very blurred. Whereas in most Hollywood productions the identity of the bad guy becomes self-evident, in this case – as is the situation in the murky world of cyber-space, the question of who did what, and to who, is not so clear.
The depiction of a story that involved a plot to assassinate the leader of North Korea, while perceived as funny by some in the West, was read in an entirely different way in Pyongyang. North Korea’s alleged response involving a cyberattack on the film studio’s information technology infrastructure and subsequent threats to any cinemas screening the film were initially seen to be simply too risky for Sony’s lawyers.
The reaction to the decision was inevitably going to be profound. President Obama expressed regret that the studio did not: “Give him a call.” Hollywood A-listers lined up to rebuke the studio for appearing to kowtow to the threats, implying it was ‘un-American’ to be intimidated in this way. Within days, Sony had reversed the decision, the film was released and was played to packed houses, despite tepid reviews from critics.
Commentators across the world also jumped on the bandwagon, trying to stereotype the cyberattack against the studio as an ‘act of war’. President Obama was quick to refute this, preferring to describe the intrusion into Sony’s computer systems as an act of “cyber vandalism”.
Whether or not North Korea did launch a cyberattack against the studio will be disputed by both sides, but reporting emerging from Washington suggests that the Americans have clear evidence of North Korea’s culpability, even if they will not share that with the media. The science of cyber forensics is simply too classified for anyone to wish to demonstrate the veracity of their claims publicly.
While Hollywood can hardly be described as critical national infrastructure, the events surrounding this story provide a timely warning to the public and private sectors about the reality of the threat posed in cyberspace. The simple fact of the matter is that today many information technology systems that run key parts of the critical national infrastructure are vulnerable to malicious attacks. If any of these vulnerabilities were to be exploited, such as turning off electrical systems in the middle of winter, a potentially catastrophic situation could quickly unfold. How then might the potential of such attacks be reduced? What existing models exist from which lessons might be drawn?
So far much of what has gone on in cyberspace in areas such as cyber-espionage and cyber-sabotage has lived in a grey and ill-defined world little understood by the public. The development of what is known as the Advance Persistent Threat is not something widely appreciated. This is a specific form of malware that can be placed inside computer systems and activated when required.
The relative anonymity of cyberspace affords some protection to those carrying out attacks. Plausible deniability provides a good cover for nation states or non-state actors. Events like the Stuxnet attack on the Iranian nuclear programme served to shine a brief light on developments in the area, with widespread media coverage before interest inevitably waned. What Stuxnet did show, graphically, was the degree to which industrial control systems – typical of those being used in many parts of the critical national infrastructure – could be compromised with sufficient effort.
The lack of coverage of the reality of what goes on every day in areas such as cyber-espionage (where some groups exploiting this space have stolen intellectual property worth billions of dollars) creates a situation where the public and private sector appreciation of the cyber threat is low.
Few public and private sector organisations have yet made senior board appointments linked to the threat to their business model from cyber-pace. To date, aside from one or two high profile cases in countries like Saudi Arabia and South Korea, the reality of the potential of cyberattacks to cause widespread harm to society has not been fully appreciated. It still remains off the radar of many senior corporate executives.
Part of the problem has been that the terminology originally used to cover such use of cyberspace has been used without due precision, hence President Obama’s labelling of the attack on Sony as cyber-vandalism. The use of terminology such as cyber-warfare is simply too naïve. The military and civilian establishment are both grappling with what kind of cyber incursion constitutes an act of war.
Suggestions emerging from the Pentagon that any attempt to switch off the lights through disabling electrical power generation would trigger a massive retaliation against the perpetrator, have not yet been developed into doctrine. No-one knows the precise boundary that a state or non-state actor could cross in cyber-space that would be accurately labelled as an act of war.
In this highly uncertain environment some state actors are clearly preparing for what they see as the inevitable day when a major cyberattack occurs. As with the development of nuclear weapons, states chose to develop capability in case they are ever attacked. The concept of mutual assured destruction, which served the international community throughout the Cold War, is being applied in cyberspace.
Numerous states are researching and developing cyber-capabilities that allow reciprocal action in the event they are attacked. Historically similar arguments have surrounded the state development of biological and chemical weapons. It would seem that cyber-warfare has been added to the list of things which can be regarded as weapons of mass destruction.
Few who have researched the issues around the malicious use of cyberspace doubt the capability for harmful, society-defining attacks to take place. There are too many case studies that show the ease with which professional cyber-warriors (whatever their motivation or desired outcome) can conduct intrusions into critical national infrastructure.
The question is what might trigger such an event? Would a nation state unleash cyberattacks upon another’s critical national infrastructure in a build up to war? What would be the first targets a nation state would wish to cripple in the event of war? Would small attacks be conducted to show the scale of the penetration of information systems as part of an attempt to coerce another country into backing down before hostilities commenced?
During the Cold War the talk was of the first-strike option, seeking to disrupt the potential adversary’s ability to retaliate in kind. Resilience to that scenario was found by creating a triad of nuclear forces, launched by mobile missile systems based in the air, at sea or on the land. These were more difficult to find, ensuring that even in a first strike scenario, the capability to retaliate would survive a first-strike.
Given the obvious parallels with the use of nuclear weapons, do similar options exist in cyberspace? Does mobility have a similar parallel in cyberspace? Can elements of the critical national infrastructure be completely protected from a first-strike option?
Given the ubiquity of systems supplied from a relatively small number of major suppliers, based upon millions of lines of code, any part of which might contain vulnerabilities, the answer to the question is clearly no. As Stuxnet showed, there are simply too many ways in which cyberattacks can be conducted. What is needed is a risk-based approach that analyses and understands all the potential risks and then systematically seeks to minimise each one in turn. Unusual combinations of risks also have to be addressed in case they expose novel ways in which systems can be attacked.
Conducting such risk appraisals however requires organisations to become fully aware of the risks to their own operations. While the focus is often placed upon the vulnerabilities of energy utility companies, other elements of the critical national infrastructure are also at risk. The world’s trading system and the movement of goods on the basis of the ‘just in time’ model mean that any disruption to major ports could have a catastrophic knock-on effect on national economies.
With ports focused on physical security, questions on their cyber vulnerabilities are often overlooked. What would be the implications for the American economy of the port of New Jersey being off-line for a few days in the event of a cyber-attack on its information systems?
While for some this may appear to be a highly unlikely scenario for those versed in the way in which Stuxnet was introduced into the Iranian nuclear programme, the potential is all too real. With ports also under pressure to make more of their information open to their users to help them operate efficiently, it will not be long before the relative protection of just using systems not connected to the Internet will disappear.
In this case the issue of mobility to ease the access to port information systems by users will be something that increases the risk of a first strike being successful rather than diminish it. As the line between fact and fiction becomes increasingly blurred, the cyber-attack on Sony should serve as a sharp reminder of the importance of their work to all those working on the protection of computer systems associated with critical national infrastructure.
Dr Dave Sloggett