TARGETING
By Geoffrey Nicoletti, Independent Research Analyst

Taking down power grids as the first priority in nation-state cyberwar is a myth. Actually, the first priority is taking down the adversary’s counter-strike capability. “Assets” and “timing” are critical here.

If you miss striking at some of the adversary's assets (and you will, because they are "hardened" or unknown to you), how much damage will the adversary still be able to do? The model of ICBMs is somewhat useful.

There is a limit to what an ICBM can do even with multiple warheads: it is not carrying 100 of them. But there is no limit to a Tao Group cyber asset, which can unleash multiple attacks upon multiple targets multiple times, the granddaddy of an APT. Furthermore, ICBMs can be intercepted if the launch turns out to be a mistake, and human beings can intervene because there is a seven-minute window; not so in cyberwar, where the attack is measured in milliseconds to nanoseconds.

I emphasized "timing" in my "Nanosecond Warfare" article (Jan. 2017 issue). To strike more quickly than your enemy, you engage in low-latency attacks and you rely on algorithms that analyze metadata automatically.

This is risky (but unavoidable) because transactional memory concurrency programming is relatively new. In this article, I want to emphasize “targeting”.

The initial problem for those in the position of counter-striking is the attribution problem. Such a massive incoming attack would seem to give away whether it is North Korea, Iran, China, or Russia that is hitting you.

But the attack will seem, at first, to be coming from inside one's own systems, and then it will seem to be coming from a certain country (but it will be the wrong one). Therefore North Korea, Iran, China, Russia, and even our allies (like England) are all in a first-strike mode. If there is ever a nation-state cyberwar, WE had better be the ones firing first…

To avoid the above scenario, nations are learning to engage (offensively, not defensively) through the use of citizen hackers. Why? Because, given the attribution challenge, the victim is left asking: whom shall we target? And what will the retaliation be?

John F. Kennedy in October of 1962 refused to go to war with the Soviet Union just because ONE U-2 pilot was shot down over Cuba…do I need to say more? "Fancy Bear" of Russia comes to mind; we can imagine Unit 61398 of China has trained citizens also, and we can imagine the NSA has done this via corporate Intelligence contractors.

Such an operation would be classified. Perhaps the NSA doesn't do this because of legal matters. Either way, whether working through citizens or directly, the Tao Group would not want to expose its best cyberwar tools, tactics, and so on.

On the other hand…Russia wants to project its power and works through "Fancy Bear." This is just one of the names given to a Russian hacking group (this one by Dmitri Alperovitch of CrowdStrike) that has a record of so many attacks that it does not appear anyone is slowing them down or ending their threat. Microsoft, which calls them STRONTIUM instead, has seen successful attacks (October 2016) against Adobe Flash and the Windows kernel, reports Wikipedia.

The same Wikipedia article reports that FireEye, which calls the group APT 28, watched "zero-day exploits" from it two years before the Windows kernel attack. A list of Fancy Bear weapons from the above two sources: Xagent, Sofacy, Chopstick, Core-shell, Foozer, and Downrange, to name a few.

Fancy Bear has shown it can erase firmware inside switches and routers, fake email servers, conduct spear-phishing, and infect military operations.

One of the targets in cyberwar is the firmware of the BIOS. I received responses on the HP website dealing with the manipulation of firmware inside the BIOS. Usually, the bottom line to removing a digital infection is to reinstall the operating system; desperate folks might even replace the hard disk drive.

Neither act, however, is a solution here. Tools are available to modify the UEFI (Unified Extensible Firmware Interface) to reinstall this surveillance. According to WIRED (March 2015), Kovah and Kallenberg, then with MITRE, revealed at the CanSecWest conference that it doesn't take an NSA to initiate such an attack.

Flashing an adversary's BIOS is an extraordinary tool for preventing a counter-strike by that nation-state. The methods are too slow for the first-strike attack itself, but BIOS vulnerabilities are so many and so universal that non-military systems can be compromised in preparation for war.

According to the WIRED article, “LightEater” can go deeper than root-level privileges by infecting the BIOS. But my point is that this is a weapon a citizen cyber group can initiate. Thus, besides the attribution problem, you have the problem that your anti-malware application won’t even spot this BIOS attack.

In my March 11, 2013 report to Booz Allen Hamilton ("Containment of Digital/Physical Attacks"), I referenced Jonathan Littman's book "The Fugitive Game," where he quotes physicist Brosl Hasslacher: "Tsutomu (Shimomura) has built software that can literally destroy an alien computer.

They are essentially viruses that can, for example, tell the computer to sit on one register until it literally melts the circuitry in the chip or commands the hard drive to hit the same track 33,000 times—until it destroys the drive." Good God! Hardware hacking that does not require the machine and the technician to be in the same place! Take out an adversary that is 6,000 miles away!

All of this targeting is designed to exploit the essential weakness of electronics: heat. I told a Grace Hopper technician one time (Sam Paul of UNIVAC) that Eckert and Mauchly (ENIAC) should not have had hundreds of light bulbs signaling the functioning of valves (vacuum tubes) but rather, to create less heat, lights that come on only when a tube fails.

Seymour Cray (the famous designer of supercomputing machines) immersed electronics in oil to lower heat and felt a continuous flow of current would save more vacuum tubes than constantly shutting the things off and turning them on, which stresses them.

And the NSA had to rely on GCHQ when the air-conditioning that cooled its supercomputers at Ft. Meade failed for more than two days (Jan. 24, 2000). No pun intended, but in the first few seconds of nation-state cyberwar things will really heat up! And fail. Unable to stock up on replacements and unable to replace parts quickly enough, the adversary's counter-strike capability goes down.

And now there is research into changing the polarity of the dopant in a transistor so that random number generation effectively fails; see Infosec Institute (Oct 13, 2015). This, like the BIOS attack, is preparatory work for war. Even the engineering of the Internet itself (backbones, gateways, ICANN) can be targeted.

But the strategy for all of these possible targets is to minimize the counter-strike. Once all of the above weapons are in place and are operating in the first few seconds of cyberwar, priorities other than preventing a counter-strike can be pursued—such as the power grids, water utilities, banking, local governments.

Even so, the military institutions and Intelligence agencies of the adversary will not depend on the power grid.

Two dangerous thoughts arise. First, citizen cyber gangs (like Fancy Bear) enable attacks that invite little or no retaliation, but we may reach a point where their governments ARE attacked…Second, and it can't be discussed here, there remains the danger that if any nation-state is losing a cyberwar, it may force the situation to escalate. Nuclear war.

About the Author
Geoffrey Nicoletti is an independent research analyst. He is a former member of both the IEEE and NCMF; he is active with ICTTF. His work on the Y2K problem brought recognition from Sen. Robert Bennett of Utah; he produced a paper for Booz Allen Hamilton days before Mr. Snowden left the United States. Geoffrey can be reached at @Sigsaly1