Cyber War 1.0 Heats Up
Way back in 2013 I was writing a lot about national security. It was a subject that I had to eventually set aside to focus more on managing money. I managed to interview the heads of ASIO and the Australian Signals Directorate (ASD), the outgoing boss of the US National Security Agency (NSA), and the former head of both NSA and CIA. All the focus was on China-US relations and the burgeoning cyber-warfare, as exemplified by the US-Israeli kinetic cyber-attacks on an Iranian nuclear facility, and record cyber-espionage. My first big interview was with the head of ASIO, David Irvine, who presciently outlined his concerns about the brewing cyber-war, which seem especially salient today given the recent cyber-attacks on Australian targets by a sophisticated state actor. I have enclosed this June 2013 interview below for your benefit, which is still uber-relevant in the current context.
It’s global cyber war out there
By Christopher Joye, Australian Financial Review, June 2013
Sitting in an office in the Australian Security Intelligence Organisation’s Soviet-style building, which mirrors the Orwellian bunker one might imagine, Australia’s most experienced spy master, David Irvine, has a lot on his mind as he gazes over Lake Burley Griffin.
Irvine, the director-general of ASIO, knows Australian business and the government are engaged in a new, and irreversible, “cold cyberwar", which the Americans have designated as the fifth and most uncertain defence domain.
And he believes the “target environment" is becoming richer by the day as our electricity, power, transport, and communications infrastructures are inexorably integrated into the internet.
These indispensable assets were never designed with digital vulnerabilities in mind. Yet with the privatisation of so many utilities over the past three decades, government has unwittingly delegated national security to business.
This is why ASIO believes national security reforms need to be made to the regulations governing essential infrastructure, including telecommunications.
“The more rocks we turn over in cyberspace, the more we find ... the internet and increased connectivity has expanded infinitely the opportunities for ", Irvine says.
Just as global banking systems were not sufficiently well-capitalised to absorb the losses that suddenly materialised in 2008, Australian spooks worry that business does not have enough insurance against major unexpected cyber events, either.
And Irvine understands that infrastructure represents merely one tactical vulnerability in the vast cyber-threat matrix, which includes state and non-state espionage, organised crime, and the new prospect of cyber terror.
Since 2003 the Chinese have executed advanced cyber-espionage operations against the West, including Australia, stealing hundreds of billions worth of business and military secrets in what United States officials say is “the greatest transfer of wealth in history".
The Chinese were fingered in the hacking of Barack Obama’s and John McCain’s computers in the 2008 US presidential election campaign. In 2011 they allegedly penetrated the parliamentary email systems of 10 Australian federal ministers, including Prime Minister Julia Gillard, and compromised emails belonging to the European Union President and his advisers.
The urbane and refreshingly open Irvine, who led the Australian Secret Intelligence Service before becoming ASIO’s boss, knows that after a diplomatic dispute in 2007, Russia launched a devastating cyber attack on Estonia, crashing networks in its Parliament, ministries, banks and broadcasters.
“An entire nation state was virtually brought to a standstill," says former attorney-general Robert McClelland.
A year later the Russians synchronised a similar offensive on the Republic of Georgia, with military strikes, knocking out news, radio, and TV websites, and replacing online content with Russian propaganda.
Since about 2010, Irvine has seen the Americans and Israelis launch the most sophisticated cyber weapons in history, to destroy parts of Iran’s nuclear program. He’s watched the Iranians retaliate by immobilising the websites of scores of US financial institutions, and unleashing powerful malware on US ally Saudi Arabia, which disabled 30,000 computers.
ASIO’s new cyber security unit has monitored with mounting alarm the emergence of avowedly anarchic, non-state actors like Anonymous, which have targeted Western nations and companies with disruptive attacks that foreshadow an apocalyptic fusion between cyber-capabilities and terrorism.
Finally, in December 2012 ASIO’s boss learnt that terabytes of classified secrets had been “exfiltrated" – removed – from Switzerland’s intelligence service by a disgruntled insider who then sought to sell them to foreign states.
Like the Swiss, ASIO and ASIS operate air gaps that physically separate classified and unclassified computer systems through a technology called Starlight. The user of a single workstation can flick a keyboard switch that lets them swap between the classified server, which is not exposed to the internet, and an unclassified one, which is.
Yet ASIO knows air gaps can be defeated by insiders who literally walk data out the door on mobile devices (a sneaker net). That is why visitors to ASIO’s headquarters are banned from bringing anything electronic inside.
Irvine believes the multiplicity of unprecedented and underappreciated risks is every bit as complex and consequential as those tackled by his predecessors.
“Electronic intelligence gathering is being used against Australia on a massive scale to extract confidential information from governments, the private sector and ordinary individuals," he says.
“It is used to steal intellectual property, all kinds of defence secrets, weapons designs, and commercially advantageous information. The security threat presented by the exploitation ... of the cyber world is both pervasive and insidious. It is ubiquitous and is enabled by what we would normally expect to be a great social and economic good – technological advance."
The head of Britain’s counter-intelligence agency, MI5, describes the extent to which online vulnerabilities are being “aggressively exploited" as “astonishing" and aided by “‘industrial-scale’ processes involving many thousands of people lying behind state-sponsored cyber espionage."
In 2012 US President Obama warned that the “cyber threat is one of the most serious economic and national security challenges we face".
US Secretary of Defence Leon Panetta characterises the cyber arena as the “battlefield of the future, where adversaries can seek to do harm to our country, our economy, and our citizens".
Panetta says the US reserves the right to pre-emptively cauterise cyber menaces with force and/or through its arsenal of digital weapons, which have been privately listed for the first time.
The founder of one of the world’s biggest computer security firms, Russian billionaire Eugene Kaspersky, says “more and more states are investing in a dangerous new cyber arms race". And he thinks in the next decade “cyber espionage, data theft, and targeted attacks will become standard problems for most private enterprises."
To help safeguard domestic assets against unremitting cyber-offensives, ASIO is championing data retention laws requiring communications suppliers to store basic information, such as the type, time, duration, and identifiers of parties to the exchange, for at least two years. ASIO’s concern is this data, which is the minimum it says it needs to adequately investigate threats, is being discarded by second-tier communications companies, like small ISPs.
Intelligence stakeholders also want telcos to abide by a set of agreed security standards. They argue this is analogous to the capital controls regulators mandate banks put in place to minimise community risks in return for receiving operating licences.
And this brings us to the nub of the cybersecurity conundrum. Historically the defence force focused on protecting physical borders from foreign foes. The advent of the unregulated internet, which unifies billions of otherwise discrete devices in an incorporeal universe of digital interactivity, enables those who would do us harm to transcend conventional boundaries and instantaneously project threats into every aspect of our lives.
Australia’s electronic spy agency, the Defence Signals Directorate, which set up its Cyber Security Operation Centre in 2010, identified 1260 “cyber incidents" in 2011. About 310 were serious enough to warrant a response from CSOC.
Defence Minister Stephen Smith says that in 2012 the number of serious cyber incidents leapt 52 per cent in the first nine months alone.
“It is the scale and reach that is a little surprising... the tip is visible to us... it is a matter of conjecture how big and far-reaching the body of the problem is", says ASIO’s Irvine.
Intelligence agencies are so worried about cyberhazards, and the pervasive ignorance of business, that ASIO boss David Irvine and senior DSD officers have been personally calling on chief executives and boards to warn them of the risks. Irvine says that “the pre-condition for effective defence is achieved when directors are seized of the impact that malicious cyber attack can have on their bottom lines."
Since most penetrations go unnoticed, and the theft of digital assets is a “gun that does not smoke", damage is often underestimated. Intelligence sources say many chief information officers have few incentives to voluntarily highlight failings, assuming they are aware of them.
Just as traders never saw the global financial crisis coming, intelligence experts worry business is oblivious to the prospect of what Leon Panetta strikingly calls a “cyber Pearl Harbour".
One of the most troubling features of cyberspace, which DSD defines “as the internet and anything connected to it", is that it is not a tangible and localised peril, like nuclear weapons, that can be reconnoitered and mitigated.
Cyber “munitions" are divisible, ethereal and can be built by anyone, including a poorly-resourced teenager. Whereas delivering a bomb is a physically demanding, costly and geographically limited exercise, the cyberdomain empowers state and non-state enemies to launch offensives against millions of peoples located vast distances from one another.
In July 2012 General Keith Alexander, head of the US National Security Agency and the Pentagon’s Cyber Command, declared cyber-theft constituted the “the greatest transfer of wealth in history".
“The cost of IP theft to US companies [is] $US250 billion a year" with an additional $US1 trillion spent globally on remediation.
“That’s our future disappearing in front of us", Alexander said.
The Attorney General’s Department reports that in 2008, Australian computers were subject to “the fifth highest level of infections worldwide". And DSD cites a Symantec estimate that puts the Australian “cost of cybercrime at $4.5 billion – that’s more than burglary and assault combined".
But government cautions “given the tendency for much cybercrime to be under-reported, this could be a significant underestimate."
Former air vice marshal John Blackburn says “many Australian businesses are chronically under-prepared for the spectrum of cyberthreats they face. While government understands the gravity of the risks, the wider community and many in business do not."
“The dilemma is that the cyberthreats Australian business has to deal with are escalating much more quickly than their defences are evolving in response to them."
The ordinarily shadowy DSD has published a detailed study on its top 35 cyber “mitigation strategies". In research that won the 2011 National Cybersecurity Innovation Award in the US, DSD found that 85 per cent of intrusions were thwarted by its first four mitigants alone.
DSD’s Mike Burgess recalls that “a few years ago, one of my staff assisted ASIO in responding to a major incident on the network of one of Australia’s biggest companies. The first thing he was asked by techies from the affected company was ‘what can we do to stop this?’ As legend has it, my staff member wrote down a list of things to do on the back of a cocktail napkin [which became DSD’s] flagship document."
Irvine would not look out of place in a casting for Q in a James Bond film. The younger man, Joe Franzi, who oversees DSD’s CSOC, would fit into a Tom Clancy novel. When not in the field in Afghanistan or Iraq, he manages 50 to 100 hackers, or “cyber warriors", attired in T-shirts and sneakers.
DSD is Australia’s equivalent to America’s NSA and has no qualms advertising its twin missions: “One is collecting foreign intelligence by interception. The other is working to stop people doing the same to us," Burgess says.
While guarding Australia from digital enemies DSD also hacks into foreign sites. A final objective is preparing for “offensive" cyber warfare. Burgess puts it bluntly: “In the cyber safari, DSD is the poacher and the gamekeeper."
Although human espionage retains its role in a contested and multipolar world dominated by the US and China’s conflicting business models, the internet has become a “disruptive" new frontier where capabilities are more evenly distributed.
And the distinction between firing a cyber-weapon and declaring war is disconcertingly nebulous. What we do know is that in 2011 Australia and the US resolved to modify the ANZUS alliance to ensure a cyber-attack on either nation would trigger its provisions.
In 1981 and 2007, Israeli warplanes bombed nuclear reactors in Iraq and Syria to avert weaponisation. It has repeatedly threatened to do the same to Iran unless it halts its nuclear enrichment program.
To avoid deeper Middle Eastern conflicts, former president George Bush reportedly authorised the development of one of the first known “cyber weapons" under an operation code named “Olympic Games" in 2006.
This initiative, which involved Israeli input, was accelerated under President Obama and produced several generations of artificially-intelligent malicious software (or “malware") with the aim of derailing Iran’s nuclear ambitions.
The most infamous malware, Stuxnet, was discovered in June 2010. It exploited four previously unknown “zero-day" back-door vulnerabilities in Microsoft Windows to infiltrate Iranian networks. A single zero-day can be worth more than $1 million on the black market.
Stuxnet came equipped with multiple payloads, the most prominent of which was designed to surreptitiously command the supervisory control and data acquisition (SCADA) system that manages centrifuges at Iran’s Natanz nuclear plant.
One of the first known cyber-assaults on a SCADA industrial system was carried out in Australia in 2000 by a disgruntled contractor whose job application to a Queensland council was rejected. He wirelessly hacked into the water utility to leak up to 1 million litres of raw sewage into waterways and parks.
Raids on America’s SCADA systems have grown exponentially from just nine incidents in 2009 to 198 in 2011. In that year Chinese hackers broke into the Diablo Canyon nuclear reactor in California.
Stuxnet was arguably the child of a 1982 CIA operation intended to outwit the Russians by embedding a “logic bomb" into the code of a Canadian SCADA system used to control pipelines.
When this technology was stolen by the KGB and introduced into the Trans-Siberian gas pipeline, it caused the “most monumental non-nuclear explosion ever seen from space" according to a US national security official.
Stuxnet instructed Natanz’s SCADA system to transmit normal operating signals to its scientists while violently adjusting centrifuge spinning speeds.
It is believed to have destroyed up to 1000 centrifuges and stopped uranium enrichment altogether on several occasions in 2009 and 2010.
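The passage above describes a controller that fed operators normal-looking readings while the physical process was being driven out of tolerance. The defensive lesson is that an operator display fed only by the controller cannot be trusted on its own. The following is an added example, not code from the article, from any Stuxnet analysis, or from any vendor: it runs two checks over a constructed telemetry stream, a replay check (the reported stream repeats an earlier window sample for sample, which real noisy sensors do not do) and a consistency check against a second, independently wired measurement path that the controller does not produce. The nominal speed, the power-meter readings and the assumed speed-per-kilowatt ratio are all constructed for illustration.

```python
"""Cross-checking operator-facing telemetry against an independent sensor.

Added example (not from the article or any product). Two checks:
  1. find_replay   - the reported stream repeats an earlier window exactly.
  2. inconsistent  - the reported speed disagrees with the speed implied
                     by an independent power-meter reading.
All numbers below are constructed for the example.
"""

# Constructed assumption: drive power scales with speed at this ratio.
RPM_PER_KW = 1000.0


def find_replay(samples, window):
    """Return the index where `samples` starts repeating an earlier,
    non-overlapping window of identical values, or -1 if none.
    Genuine sensor data carries noise, so an exact repeat is anomalous."""
    seen = {}
    for i in range(len(samples) - window + 1):
        key = tuple(samples[i:i + window])
        if key in seen and i >= seen[key] + window:
            return i
        seen.setdefault(key, i)
    return -1


def inconsistent(reported_rpm, power_kw, rpm_per_kw=RPM_PER_KW, tol=0.05):
    """Indices where the reported speed differs from the speed implied by
    the independent power reading by more than `tol` (a fraction)."""
    bad = []
    for i, (rpm, kw) in enumerate(zip(reported_rpm, power_kw)):
        implied = kw * rpm_per_kw
        if abs(rpm - implied) > tol * implied:
            bad.append(i)
    return bad


def assess(reported_rpm, power_kw, window):
    """Combine both checks into one verdict for an operator alert."""
    replay_at = find_replay(reported_rpm, window)
    bad = inconsistent(reported_rpm, power_kw)
    return {
        "replay_starts_at": replay_at,
        "inconsistent_indices": bad,
        "alert": replay_at >= 0 or bool(bad),
    }


# Constructed sample: six genuine readings, then the same six values
# replayed twice while the independent power meter shows the drive
# being pushed well above its nominal load from index 12 onward.
GENUINE = [62980, 63010, 62995, 63020, 62990, 63005]
REPORTED_RPM = GENUINE + GENUINE + GENUINE
POWER_KW = ([63.0, 63.0, 62.9, 63.1, 63.0, 63.0]
            + [63.0] * 6
            + [70.0, 78.0, 84.0, 84.0, 84.0, 84.0])

if __name__ == "__main__":
    print(assess(REPORTED_RPM, POWER_KW, window=6))
```

The replay check alone would fire at index 6 here, before the physical divergence begins; in practice the two checks are complementary, since a replay with a matching independent reading is a data-quality fault, while a divergence without a replay points at the process itself.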
At the same time, officials leading Iran’s nuclear program were being assassinated. In 2010 three car bombs killed two Iranian nuclear scientists and seriously injured another. The head of Natanz was subsequently slain in a fourth bomb.
Kaspersky Labs believes four other malwares, which they call Duqu, Flame, Gauss, and MiniFlame, were developed by the same US “cyber-weapons factory".
Duqu and Flame were built to reconnoiter the battlespace before releasing Stuxnet, while Gauss was designed to steal bank account data from Middle Eastern targets.
The sophisticated malware Flame evolves itself to defeat antivirus systems. Once it has infiltrated a personal computer, it can record all keystrokes, take “screen shots" every 15 seconds, use the PC’s microphone to tape conversations, tap into Skype calls, and employ Bluetooth technology to download address books from phones.
Flame can either exfiltrate its treasure trove to remote “command and control" websites or hide the data on USB sticks that allow it to defeat air-gapped networks. Once the USB is re-inserted into an internet-connected computer, Flame transmits its heist.
Most remarkably, Flame spreads to other computers by disguising itself as a Microsoft Windows security patch. It uses a scientifically novel cryptographic attack that allows it to decode Microsoft’s encryption security.
A cryptography professor at Johns Hopkins University, Matthew Green, says the novelist “Dan Brown couldn’t hold a candle to this".
Other academics believe Flame could only have been created by a supercomputer and reflected world-class cryptanalysis.
Eugene Kaspersky says Flame and its siblings are “the most sophisticated and dangerous state-sponsored malicious programs discovered to date".
In response to these attacks, Iran commissioned an A-grade cyber game. In September last year, Iran was allegedly responsible for “denial of service" operations that disabled the websites of Bank of America, Citigroup, JP Morgan Chase, Capital One, and Wells Fargo. The New York Stock Exchange and Nasdaq were also hit.
Leon Panetta says although the method was not new, “the scale and speed with which it happened was unprecedented".
A month earlier the Iranians penetrated Saudi Arabia’s state-owned oil company, Aramco, and Qatari liquefied natural gas group, RasGas, with what Panetta says was a “very sophisticated virus called Shamoon".
“More than 30,000 computers that it infected had to be replaced ... probably the most destructive attack that the private sector has seen to date."
There are a range of cyber-menaces that keep Australia’s spooks awake at night. The first is the usual state-on-state espionage. When officials refer to the “big C", they are not talking about cancer.
Notwithstanding rhetoric from businesses keen to promote prosperous relations with the Middle Kingdom, the national security community says China is responsible for cyberthefts of Australian assets at every imaginable level.
Former attorney-general McClelland publicly referred to Ghostnet, which was a sweeping Chinese spying operation that breached government computers in 103 countries and “the private office of the Dalai Lama". Ghostnet gave its masters real-time, remote-access control over victims’ computers and could record keystrokes, audio and video.
The Canadian researchers who discovered Ghostnet watched it in action.
After the Dalai Lama’s office sent an email to a foreign diplomat, the Chinese government promptly called him to discourage further communication.
ASIO’s Irvine says that “cyber espionage has emerged as a serious and widespread concern. Enormous volumes of data are being taken from vulnerable, internet-linked computer networks. Cyber-espionage by state actors is the new growth industry."
Sovereign rivals are also eagerly breaking into more susceptible private networks. John Blackburn, who has published an analysis of the cyber challenge, says that “many Australian businesses do not comprehend the sheer scale of the rising cyber threat or its impact on their financial wellbeing".
Kaspersky agrees that businesses underestimate the risks. But he adds that it’s not just Australia’s problem: “Most governments around the world, including Australia’s, probably believe they are safe. Yet the internet knows no borders. There is nothing to stop malware from traversing the planet in a matter of seconds."
“A hacker group can target a company on the other side of the planet just as easily as they can in their home country."
One respected Australian security expert, who asked not to be named, says “It’s relatively easy to link the bulk of attacks on our clients to businesses that are working with China as a customer, or competing against them."
In his experience, the most popular targets are resources companies, defence contractors, lawyers serving as clearing-houses for confidential information and technology firms.
DSD’s Burgess says that “state-sponsored intrusions are the biggest threat to networks, which makes sense when you think about resources. In practice, at least 65 per cent of cyber intrusions... have an economic focus. Actors are looking for information on Australia’s business dealings, its intellectual property, its scientific data."
One common penetration method is “spear phishing" by socially-engineered emails. DSD’s Burgess says that “hackers are researching our profiles, professions, personal interests and families to see what sort of information we are interested in. They will then tailor content to entice us to open a malicious attachment".
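The spear-phishing method described above relies on a message that looks like it comes from someone the recipient trusts and carries an attachment the recipient is primed to open. As an added example (not DSD's code or anything from the article), the script below applies three triage checks a mail gateway or SOC analyst can run over raw messages: a sender display name that matches an internal person while the address is external, a Reply-To that diverts replies to another domain, and an attachment of a type that executes code when opened. The internal directory, the domain names and both sample messages are constructed for this example.

```python
"""Triage heuristics for socially engineered ("spear phishing") email.

Added example, not code from the article or from DSD. Uses only the
standard library. The internal directory, domains and messages below
are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed internal domain and a directory of people worth impersonating.
INTERNAL_DOMAIN = "example-corp.com.au"
INTERNAL_PEOPLE = {"jane cfo": "jane.cfo@example-corp.com.au"}

# Attachment types that run code when opened: macro-enabled Office files,
# executables, script hosts, shortcuts and mountable images.
RISKY_EXT = {".docm", ".xlsm", ".pptm", ".exe", ".scr",
             ".js", ".vbs", ".hta", ".lnk", ".iso"}


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Return (score, reasons) for one raw RFC 5322 message.
    Each triggered heuristic adds one point and one human-readable reason."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    # 1. Display name of an internal person, but sent from an external domain.
    if name.strip().lower() in INTERNAL_PEOPLE and from_dom != INTERNAL_DOMAIN:
        reasons.append("display-name impersonation of '%s' from %s" % (name, from_dom))

    # 2. Reply-To steers replies to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        reasons.append("reply-to diverted to %s" % _domain(reply))

    # 3. An attachment whose type can execute code.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        ext = "." + fname.rsplit(".", 1)[-1] if "." in fname else ""
        if ext in RISKY_EXT:
            reasons.append("executable-type attachment %s" % fname)

    return len(reasons), reasons


# Constructed sample: lookalike domain, diverted Reply-To, macro-enabled doc.
SAMPLE_PHISH = """From: Jane CFO <jane.cfo@example-corp-invoices.com>
To: bob@example-corp.com.au
Reply-To: payments@mailbox-relay.example
Subject: Re: Q2 contract - please review
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Bob, the attached contract needs your sign-off before the board meeting.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12
Content-Disposition: attachment; filename="Q2_contract.docm"

ZmFrZQ==
--b1--
"""

# Constructed sample: genuine internal sender with a PDF attachment.
SAMPLE_BENIGN = """From: Jane CFO <jane.cfo@example-corp.com.au>
To: bob@example-corp.com.au
Subject: Board pack
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Board pack attached.
--b2
Content-Type: application/pdf
Content-Disposition: attachment; filename="board_pack.pdf"

JVBERi0=
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, triage(raw))
```

A score of 2 or more is a reasonable threshold for holding a message for analyst review; a single hit (an external vendor legitimately sending a macro-enabled spreadsheet, say) is common enough that blocking on it alone would generate noise.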
National security sources cite examples of foreign states that have blocked Australian companies from boosting their shares of markets.
When BHP Billiton tried to merge with Rio Tinto to create the world’s largest iron ore exporter, the China Mining Association’s deputy secretary-general reportedly responded, “it’s terrible. If completed, [it] would create a mining giant enjoying a monopoly in many mineral resources".
BHP and Rio’s networks were infiltrated by Chinese hackers. The campaign also expanded to both companies’ advisers.
A state-backed enterprise, Chinalco, then entered the fray as a blocking bidder for Rio.
A similar situation occurred when BHP tried to buy the world’s largest potash producer. Chinese-based hackers infiltrated seven law firms involved in the Canadian deal, according to Bloomberg.
“Sinochem Group, China’s formerly state-owned chemical giant, hired Deutsche Bank and Citigroup to evaluate moves to disrupt BHP’s bid, a hostile tactic approved directly by the Chinese government," Bloomberg reported.
The Wikileaks cables revealed that BHP boss Marius Kloppers told a US consul-general in Melbourne that he was so fearful of Chinese spying that he shifted his export contracts to market prices because arms-length negotiations were impossible.
In 2011 Australia’s former attorney-general highlighted a McAfee report that had unearthed “covert, systematic and coordinated cyber-attacks called ‘Night Dragon’... aimed at global oil, energy, and petrochemical companies to collect sensitive information on proprietary operations." What Robert McClelland did not mention was that McAfee concluded the “attackers were of Chinese origin".
Another threat that exercises national security authorities is the looming prospect of cyber-terrorism.
“A single malicious algorithm might be able to turn off the lights, stop airplanes flying, or disrupt national financial transaction networks or the electricity grid," Irvine says.
In October, Leon Panetta warned that “a cyber-attack perpetrated by... violent extremist groups could be as destructive as 9/11 ... virtually paralyse the nation".
The cyber-terrorism risk is not confined to religious zealots either.
In 2008, a 14-year-old child hijacked the tram system in a Polish city using a TV remote control. The assault derailed four trams and injured 12 people.
A final cyber-risk that worries agencies is the emergence of anarchic non-state organisations motivated to dislocate our way of life to express dissent about public decisions. The most high-profile example is Anonymous, a cellular and leaderless group of hacktivists.
Under Operation Australia, which has protested new data retention proposals, Anonymous shut down more than 10 Australian government sites, including ASIO’s, in July last year using denial of service attacks.
It also executed a devastating hack of AAPT’s servers, which resulted in 236,000 phone numbers, email addresses, dates of birth, user names and passwords being stolen.
This affected the Reserve Bank of Australia, the Australian Federal Police, the Australian Securities and Investments Commission and the Australian Crime Commission.
Two months ago, Anonymous penetrated Australian Defence Force Academy databases and released the names, rank, dates of birth, and passwords of up to 1900 ADFA staff and 10,000 students. “The danger is that such attacks by malicious individuals could have significant impacts if our telecommunications networks are impeded, leading to failures in other areas of essential services," Irvine says.
Chris co-founded Coolabah in 2011, which today runs over $8 billion with a team of 26 executives focussed on generating credit alpha from mispricings across fixed-income markets. In 2019, Chris was selected as one of FE fundinfo’s Top 10 “Alpha...