- Research Programs
- Regions & Topics
- All Publications
A nation must think before it acts.
This week’s news brings us a new allegation that a hacker group “The Shadow Brokers” leaked files that supposedly belonged to “Equation Group,” which has widely been speculated to be an National Security Agency (NSA) front. While the leaked files are partial ones that present no actual danger, the Shadow Brokers have offered the entire set of exploits in return for a substantial BitCoin payment. Edward Snowden, tweeting from Moscow, speculates that someone at the NSA “got lazy” and left the files on a server that was used to launch attacks (a “staging server”). This incident shows again why cyberweapons are not like ordinary weapons, and why their development and use cannot be managed in the ordinary chain of military command.
The trail from this latest leak back to the NSA is tortuous, and a great deal of sleuthing was required, along with a leap of faith or two, but that is the fundamental nature of attribution in cyberspace. Without going into the clues, the sequence, structure and naming of certain parts of the disclosure line up quite well with earlier materials from the Snowden leaks that have been widely published and analyzed by cybersecurity experts. The leaked materials appear to be authentic.
Unlike conventional weapons such as missiles and bombs, which usually destroy themselves when used to attack an enemy, and which, even when they fall into enemy hands, may be too dangerous and large for the enemy to re-purpose, cyberweapons have a nasty habit of proliferating rapidly when (not if) they are captured. A case-in-point is the “Stuxnet” worm, deployed by the United States and Israel as part of the operation code named “Olympic Games”, and intended to slow Iran’s progress in the production of weapons grade uranium. Once Stuxnet escaped “into the wild” on the Internet, it was identified by a cybersecurity researcher, and rapidly dissected and analyzed. It took only a few months for the Stuxnet code to re-emerge on the Internet, as it was repurposed into a new set of cyberweapons by both criminals and government-sponsored hackers. This pattern is repeated every time a new attack is found, and hackers (both good guys and bad) often reuse computer code from a variety of sources. Security experts have found the best-documented versions of attack code written in the former Soviet Union by studying attack code used by the Chinese People’s Liberation Army, whose programmers are skilled at reusing the criminal methods of Bulgarian hackers to steal information from US defense contractors.
A recurring question about the use of hacking software is, “Why doesn’t the program just erase itself after it’s done its work?”
While, in theory, attacking code could cover its tracks, and many sophisticated programs try to do just that, the effort can never be completely successful. Computer programs must reside in memory in order to run, and computer hardware controls this memory, and may override software instructions at any time. Efforts dating back at least as far as the Apple ][ computer in 1978 tried to destroy code in memory before it could be “taken prisoner” and then, studied and defeated. Even then, a simple switch mounted on the top of my computer allowed physical memory to be switched out and saved, unbeknownst to the running program. That saved memory could then be stored to disk, and later reloaded, studied, and ultimately, defeated and reused. Computers have become faster, cheaper, and more sophisticated over the years, but the fundamentals remain the same – and attempts to both run, and obscure software run into the same barriers they did 40 years ago.
All of this should lead to an important policy conclusion: that the use of cyberweapons (as opposed to their development) should be undertaken only in circumstances where the need is critical, where counter-measures have been developed and either have been, or may be rapidly deployed to protect both friendly military and civilian systems, and where the expected gain far outweighs the risk that the code will be turned against not only the attacker, but the rest of the world. Until these considerations are made an essential part of the decision calculus of the relevant chain of command, each use of a cyberweapon will entail a substantial risk of “blowback” as our own code is turned against us and our allies. Welcome to the world of conflict in the “Fifth Domain”.