The Smoking keyboard...
Andy Jenkinson
CEO CIP. Fellow Cyber Theory Institute. Director Fintech & Cyber Security Alliance (FITCA) working with Governments. NAMED AN EXPERT IN INTERNET ASSET & DNS VULNERABILITIES AND THREAT INTELLIGENCE
How we got here and the launch of the digital arms race.
Attacks in regular warfare abide by strict International laws and conduct however, in cyber warfare conduct and law are completely overlooked when attribution is blurred.
On May 30th 2009 President Obama declared, ‘We meet today at a transformational moment, a moment in history when our connected world presents us, at once, with great promise but also great peril’: Within days Stuxnet was launched and was the first ever digital weapon having been perfected by the lessons learnt from Aurora, Flame and Duqu (part of the Olympic Games). A digital attack violated a foreign sovereign for the first time and without any consideration and by default, forwarded the intellectual property for future retaliation. Countries that were the most connected and therefore the most vulnerable were at the highest risk. Ultimately this was the US.
Kennette Benedict, the then executive director of the Bulletin of the Atomic Scientists noted several parallels between Stuxnet and the first atomic bombs. She stated the lack of foresight that went into developing both technologies out of fear that adversaries might develop them first and the long term consequences were neither thought of or considered sufficiently. Benedict also noted that the first acknowledged military use of cyber warfare is ‘ostensibly to prevent the spread of nuclear weapons’. We have yet to begin to understand how cyber warfare might destroy our way of life.
Both Atomic and Digital weapons were created and launched without public debate or consent, the stones were thrown by the nation living in a glass house and it’s general public put at risk of reprisal. Critical Infrastructure has always been a target in times of war, immaterial of variety, however, never before was every computer, workstation, server and device actually on the front line with so much at stake. Control of such a weapon was not tested and could affect a much wider grouping which is how Stuxnet was discovered.
Gen Mike McConell former director of national intelligence confirmed to a US Senate committee in 2011, ‘If the nation went to war today, in a cyberwar, we would lose. Transportation, communication and financial networks, food manufacturing and chemical plants: gas pipelines, water and electric utilities, even uranium enrichment plants. We now live in a world where industrial control systems can be easily attacked’. This position may still be the same.
Gen Michael Hayden said, ‘somebody had unleashed the Rubicon’ following the exposure of Stuxnet, that somebody was the US and where they led, others would follow.
If Stuxnet’s goal was the destruction of all the centrifuges at Natanz, then it had failed, however if the goal was to destroy a number of centrifuges and delay the production of uranium in the short term, it may have succeeded. Ivanka Barzashka at Kings College London however said, ‘Stuxnet had very limited effect on the Iranian program’.
The Digital Pandora's box was now unleashed and became readily available for every Nation State and cyber criminal gang. What once cost tens of $millions and used for covert ops, back doors, eavesdropping, mass digital surveillance and to plant malicious code such as Stuxnet, was now readily available and inexpensive.
The White House drew up an International strategy for cyberspace, it was a comprehensive document laying out the Presidents and the governments, vision for the internet, emphasising the governments responsibility to make networks and systems secure and resilient. Very strangely and rather telling was the fact the Review Board did not address the subverting the trust of digital certificates.
If a policy subverts Microsoft certificates, or any digital certificates that are able to spread malware, it is impossible to make cyberspace safe.
Due to the systemic misunderstanding and lack of knowledge of Public Key Infrastructure and the digital certificates that make it up, digital eavesdropping and espionage via stolen, fake and the plethora of compromised certificates, such attacks will go on undetected by all regular perimeter security and will continue unabated and accelerating. This capability has spread even wider and includes cyber-squatting, ransomware, malware, IP theft, Industrial espionage and much more all facilitated and hidden by digital certificates.
The Wild West will continue to grow and the unlawful theft and the largest shift of financial power continue until PKI is properly controlled and managed.