Note: I really dislike the word “cyber” but I’m not sure what else to use, so it will have to do.
Something interesting has been popping up in security-oriented newsletters lately. From Wired to SANS and The Register, there seems to be a rising interest in cyber warfare and the soldiers that will participate in it. We have come a long way from the days of Stuxnet. Sophisticated cyber attacks are now an everyday occurrence, with many global powers (and other not-so-powers) taking part. At what point do we draw the line between national security or state-sponsored attacks and blatant criminal activity? In some cases, state employees may act of their own accord or combine crime syndicates with government agencies.
All three sources mentioned earlier specifically focus on the United States and its cyber-division in an existing military force, even going as far as suggesting a military draft for those skilled in the desired areas of attack and defense (likely network exploitation experts and some malware/firmware reverse engineers - giving the benefit of the doubt for the presence and training of malware developers). In the details provided by the Wired article, we are shown a glimpse into the already existing part of the United States program through the eyes of a couple of young soldiers. However, these sources are missing the other parts of the story. If the United States is starting to focus its efforts on cyber warfare, what are its triggers? On one hand, we have the ‘legal’ state actors. It isn’t only the United States that has decided to focus on the development of ‘cyber-soldiers’ and respective training programs. Other countries like Argentina and China are developing their own forces.
About two centuries ago, we saw the ability to develop firearms in correlation to successful attacks. It was a time of mixed warfare where a melee weapon could still be seen alongside firearms. Of course, those with greater or more advanced firearms usually found themselves on the winning side, but we have to recognize that a time of universal adoption does not mark the birth of an attack method. Firepower had been in use for centuries before that in individual battles. For example, the Battle of Cerignola is considered to be the first battle won by gunpowder. The battle finished in early April of 1503, quite a while before the widespread use of firearms found in later wars and battles (like the American Civil War, for example).
In this sense, we can treat situations like those caused by Stuxnet as the early use of firearms in the battlefield. The world moves at a faster rate, however, and an adoption that might have taken centuries in the past might now take only a few decades. According to a three-year-old article by the Wall Street Journal, 29 countries had a formal and established cyber division at the time of publication. From Bulgaria’s surveillance-oriented off-the-shelf software programs to China’s private and military divisions who write and deploy custom in-house malware, we see interested parties striving as far as their resources allow. Although a government comment states that:
China advocates the building of a peaceful, secure, open and cooperative cyberspace, opposes militarization of cyberspace or cyber arms race. The Chinese government staunchly upholds cybersecurity, firmly opposes and combats all forms of cyber attacks in accordance with law.
-Government comment for The Wall Street Journal
The country’s actions would point towards the opposite, given that - according to the article - it is suspected of the following (at the time of writing):
- 2009: Theft of data from Google Inc. and other tech companies.
- 2009: Discovery of theft of plans for U.S. Joint Strike Fighter project.
- 2010: Attacks on British executives.
- 2011: Attack on South Korean Internet portal.
- 2013: Major U.S. media companies hacked.
- 2015: “Great Cannon” directs massive amounts of traffic to take anti-censorship websites offline.
- 2015: Hack of U.S. Office of Personnel Management.
That is not to say other countries are innocent or strictly focused on domestic surveillance like the supposed status of Bulgaria or Colombia. For example:
The UK's defence secretary Philip Hammond has made no secret of the country's interest in the field, telling a newspaper late last year, “We will build in Britain a cyber strike capability so we can strike back in cyberspace against enemies who attack us, putting cyber alongside land, sea, air and space as a mainstream military activity.”
-Steve Ranger for Tech Republic
In the case of the United States, the same article (8) comments on the country’s plan:
General Alexander revealed the NSA was building 13 teams to strike back in the event of an attack on the US. "I would like to be clear that this team, this defend-the-nation team, is not a defensive team," he told the Senate Armed Services Committee last year.
-Steve Ranger for Tech Republic
Everyone is racing to avoid being left behind. The cost of physical war can be high, and countries with less expense allowance are at a constant disadvantage. Although the impact of resource availability does not necessarily disappear, the playing field is slightly more even in this arena. A fair example of this is North Korea, which - while perhaps not presenting itself in the best light - has managed to produce more work than other countries with more resources. The Wall Street Journal article credits the country with the 2013 discovery of “Kimsuky” espionage attacks on South Korean targets and the 2014 destruction and leaking of data of Sony Pictures Entertainment, while the larger community at least holds belief in probable accountability for numerous others. North Korea does present some margins of error when it comes to legal and illegal actors. Are they really organized or not? What can qualify them as such? We must first consider the other half of the equation in order to find a possible place for organizations such as this.
On the other hand, we have the ‘illegal’ or unofficial state actors and crime syndicates. A few days ago, the FBI and Europol collaborated to capture an important member of a Russian crime syndicate who managed to collectively steal over $1 billion from various banks using only two pieces of malware. The attack was highly sophisticated, and - although of Russian origin - unlikely to be state sponsored. The goals of crime syndicates are usually pretty straightforward: make money. Whether this be through ransomware, phishing, data sales, or identity theft, the goal is hardly different.
Then there are other groups that are not so clear. North Korea in particular blurs the lines between official and unofficial state actors. Surveillance and espionage for a state seems clear enough, but “making money by any means necessary” sounds more like a criminal activity than anything else. Of course, we do see a similar pattern in China and Mexico, where there are “unaffiliated” hacking groups that do work that benefits the country or spies on its behalf. Where are we heading as a society? As with the development and adoption of firearms, we might see a world riddled with invisible weapons. One could argue that we are at that stage already, but the development is accelerating and attack tactics by even the most novice of actors are becoming increasingly more advanced. Attacks that are ransomware or botnet based are evolving rapidly to meet countermeasures and further blurring the lines of what is considered “sophisticated” enough to be accredited to a state force. As Liska states:
WannaCry and NotPetya were not criminal campaigns. They were, at best, distraction campaigns, and at worst, destruction campaigns. They both appear to have been launched by nation-state actors using what had traditionally been cybercriminal tools … On the other hand, Bad Rabbit appears to have been carried out by a cybercriminal, using techniques learned studying the WannaCry and NotPetya campaigns. This doesn’t just apply to ransomware — it is happening across all types of cyber attacks. Cyber criminals are learning from nation-state actors, while nation-state actors are learning from, and using the tools of, traditional cyber criminal activity.
- Liska on the line between cyber criminals and nation-states for Recorded Future
We had guerillas rise up to almost become the ruling power of a country or region partially because of their firepower. Are we going to see the same confrontation between criminals and states in a technical context?
Sources:
Allan Liska. “5 Ransomware Trends to Watch in 2018” Recorded Future. https://www.recordedfuture.com/ransomware-trends-2018/
Stu Sjouwerman. “Ransomware on the rise: The evolution of a cyberattack” Tech Beacon. https://techbeacon.com/ransomware-rise-evolution-cyberattack
Azam Ahmed. “EE. UU. y las víctimas de Pegasus desestiman la investigación de espionaje” The New York Times. https://www.nytimes.com/es/2018/02/20/mexico-fbi-investigacion-pegasus-espionaje/
User: fredflux. “Inside the Toolset of an Elite North Korean Hacker Group” https://player.fm/series/fredflux-on-narro/inside-the-toolset-of-an-elite-north-korean-hacker-group
Sam Kim. “Inside North Korea’s Hacker Army” Bloomberg. https://www.bloomberg.com/news/features/2018-02-07/inside-kim-jong-un-s-hacker-army
Wang Wei. “Leader of Hacking Group Who Stole $1 Billion From Banks Arrested In Spain” The Hacker News. https://thehackernews.com/2018/03/carbanak-russian-hacker.html
Steve Ranger. “Inside the secret digital arms race: Facing the threat of a global cyberwar” https://www.techrepublic.com/article/inside-the-secret-digital-arms-race/
Simon Walters. “Hammond's £500m new cyber army: As he reveals top-secret Whitehall bunker for the first time, Defence Secretary says future wars will be fought with viruses” DailyMail. http://www.dailymail.co.uk/news/article-2436946/Hammonds-500m-new-cyber-army-As-reveals-secret-Whitehall-bunker-time-Defence-Secretary-says-future-wars-fought-viruses.html
Jennifer Valentino-DeVries and Danny Yadron. “Cataloging the World’s Cyberforces” The Wall Street Journal. https://www.wsj.com/articles/cataloging-the-worlds-cyberforces-1444610710
J Rickard. “Battle of Cerignola, 26 April 1503” History of War. http://www.historyofwar.org/articles/battles_cerignola.html
Thomas Claburn. “US mulls drafting gray-haired hackers during times of crisis” The Register. http://www.theregister.co.uk/2018/03/21/uncle_sam_mulls_drafting_grayhaired_hackers_during_times_of_crisis/
“Military Draft for Cybersecurity Talent” https://www.sans.org/newsletters/newsbites/xx/23#1
Matt Gallagher. “Army of 01101111: The Making of a Cyber Battalion” Wired. https://www.wired.com/story/army-cyber-troops-fort-gordon/?mbid=nl_032718_daily_list_p
Even more on cyberwarfare futures?
https://www.wired.com/story/paul-nakasone-nsa-cyber-command/