Raoul Chiesa gives us his view on the current cyber threat landscape, from Snowden’s case to the links between cyber crime and state-sponsored hacking.
Next week the forth Cybercrime Conference will be held in Rome (http://www.tecnaeditrice.com/eventi/cyber_crime_conference_2014/presentazione), two days in which top experts in the field will analyze high-profile cyber attacks discussing also about legal issues, privacy, and cyber strategies implemented by different kind of attackers.
I took the opportunity to interview one of the foremost experts in the world of cyber security, Raoul Chiesa. Finding a definition for Raoul is impossible, someone called him a hacker, others expert, but my only certainty is that Raoul is one of those characters that “makes security”.
Following my short interview to Raoul:
Which is the impact of Snowden‘s case on the state-sponsored hacking? Starting from the consideration that International law framework on hacking must be reviewed, do you think that governments will be more interested to promote a regulatory for hacking campaigns or they will try to improve their cyber capabilities or continuing to conduct even more complex cyber operations?
Raoul Chiesa : Snowden‘s revelations definitely ran a huge impact on the Intelligence world. My feeling is that we still have to wait in order to fully realize how much those leaks will impact on the whole world. Also, I don’t really think we will have a legal framework on hacking, since right now each country is acting in their own way (see USA, India, UK, and the Netherlands, from different perspectives, i.e. Intelligence VS Law Enforcement).
On the other hand, just as you said, each Government will improve its own cyber capabilities. It’s much alike the time of the Cold War, don’t you think so?
Mikko Hypponen during the recent TrustyCon conference declared that there is the risk that a Government-built malware and cyber weapons will run out of control. What’s your opinion on the topic? Which is the most feasible scenario in the next couple of years?
Raoul Chiesa : Well, this already happened, if you think about Stuxnet: it ran out different of control, infecting targets in different countries, not just the target one. Cyberweapons – while not regulated at this time, by no one – are an extremely critical asset to deal with.
Often, when speaking at public and private events, rather than train different MoDs, I highlight something which is very important in my opinion: those tools, techniques and approaches used by the Information Warfare and Black Ops scenarios, are basically coming from the Cybercrime, more or less. This means that, just as it happens with Cybercrime tools, the infection vectors (i.e. Malware) will impact on a target which will be different from the one originally planned.
The most feasible scenario I do see in the next couple of years is a “Far West” one. The only way we can avoid this, is through regulations, and international agreements. Here I think the United Nations should play a strong role, and the NATO as well, just as it happens when dealing with the “standard” peacekeeping and weapons proliferation control.
What I think it’s kind of weird, though, is that just a few security experts, such as Mikko, Marcus Ranum, myself and a few others, are public speaking about this. And, the silence of the EU is definitely embarrassing.
Is the availability of Government-built malware in the wild impacting the offer in the underground? (e.g. Cyber criminal gangs that are able to make reverse engineering of malicious code to resell it to other governments)
Raoul Chiesa : Here we are speaking about something which is really weird as well. The main customers of the Cybercrime, when speaking i.e. about 0-days, C&C centers, malware writing, are Governments. No matter if it’s about Intelligence agencies rather than MoDs, that’s a true fact. Once again, this is something which is already happening. It happened with Stuxnet, as far as I know: I learned from different colleagues that two different Ukraine-based malware factories were behind the coding of Stuxnet, acting just like “sub-contractors” for the US and Israel Governments.
Also, whenever we’re speaking about “State-Trojans” and Lawful Interception, well…. Governments (Intelligence Agencies, MoDs, and Law Enforcement Agencies) are doing business with private companies – think about the “Spy Files” leak – which are buying 0days and vulnerabilities from the so-called hacking underground and, sometimes, from the Cybercrime market itself. Even if they will never admit this last point.
Is it possible a convergence between cybercrime and state-sponsored hacking? Which scenarios do you consider most plausible?
Raoul Chiesa : Just as I mentioned above, this scenario is already ongoing. Well, we should then also give a better definition, and insights, about what you name under the umbrella of “cybercrime”.
Today’s hacking world is composed by a plethora of different actors (think about the Hacker’s Profiling Project I started along with great colleagues at UNICRI back in 2004), which interact in different ways, while “coming from” and “belonging” to very different worlds. Also, think about what happened – and is still happening – in Ukraine, from a state-sponsored hacking perspective, plus what happened back in Estonia and Georgia. Gleb from UISG (Ukraine Information Security Group) released a great presentation, with very critical insights, back at a APWG.EU event a few weeks ago: Governments should read that presentation, analyze those facts and data, and learn from the lesson.
Do you consider realistic the possibility of a major cyber attack against a western critical infrastructure in the medium term? Which will be means and motivations?
Raoul Chiesa : I do consider this possible: from a technical perspective, it can already be done, now. The means would be standard vulnerabilities, both public or private ones. Entry points and attack scenarios could vary, depending on the target itself, and on the resources of the attackers (time, budget).
Speaking about motivations, what do I see right now are economic ones. I don’t believe that much in what the media and propaganda is telling us about the so-called cyberterrorism and so on. What I mean is that, luckily, the very bad guys (terrorists) haven’t yet well understood the possibilities and plausible attack scenarios that IT and TLC would allow them to abuse with. This is a good thing, tough, and it’s up to the security communities to be able to speak with, educate, aware, and teach to the decision makers in different areas, what’s the real status nowadays, and what may happen.
Does common people have a concrete means to protect their own privacy? In the name of security is really necessary to give up the privacy?
Raoul Chiesa : First of all, the concept of “privacy” vary a lot among countries and areas of the world. All of us, we know that the concept of privacy is much different between US and EU, for example.
I’ve really enjoyed Mikko Hypponen’s talk at TED Bruxelles some months ago, especially the last part. He said that privacy is one of the basics when speaking about democracy, while referring to the NSA affair. People are users, and users look like they really don’t understand yet what the privacy is all about. They post personal information and data on social media, thet connect to every kind of “free” access point and wifi hotspots, they do not encrypt critical data such as their PIN and credit card number, when storing them on their PCs and Smartphones.
We need the people to get educated. I think that, on this topic, we do have a lot of associations and projects which are doing a great job: I think about APWG, ENISA, CLUSIT in Italy (and, CLUSIF in France, CLUSIS in Switzerland, etc), many EU-funded research projects such as ACDC and Cyberoad, and a lot of so-called “underground” conferences, such as Hack in the Box AMS, CONFidence, St.Hack, ATHCon, just to mention some of the biggest and smallest we have in Europe.
On the other hand, security needs sacrifices, it isn’t an easy mission to accomplish. We must give up on something, if we want to rise up the security level around us. But it should be different from, let me say, the justification of “terrorism”: in the name of that threat, indeed, we gave up a lot of privacy, possibly too much. This approach is not working, all of us have been able to see this. We should rethink a better approach, and Governments must be more transparent when dealing with our personal data, behaviors, likes, ideas, and dreams.