In his explosive new book, Enemies, acclaimed investigative reporter Bill Gertz uncovers the truth about this grave threat to our national security and America's harrowing failures to address the danger. Gertz's unrivaled access to the US intelligence and defense communities allows him to tell the whole shocking story, taking us deep inside the dark world of intelligence and counterintelligence--a world filled with lies, betrayal, and moles burrowing within the FBI, the CIA, the Pentagon, and even the White House.
Perhaps one of the most unexpected twists recently has been the use of weaponised ransomware to destroy data. The US, UK and a number of other governments blamed Russia for the NotPetya ransomware outbreak which caused havoc in mid, with the White House describing the incident as 'the most destructive and costly cyberattack in history'.
Zero-day vulnerabilities are bugs or flaws in code that can give attackers access to or control over systems, but which have not yet been discovered and fixed by software companies. These flaws are particularly prized because there will likely be no way to stop hackers exploiting them. There is a thriving trade in zero-day exploits that allow hackers to sidestep security: very handy for nations looking to build unstoppable cyber weapons.
It is believed that many nations have stockpiles of zero-day exploits to use for either cyber espionage or as part of elaborate cyber weapons. Zero-day exploits formed a key part of the Stuxnet cyberweapon (see below). One issue with cyber weapons, particularly those using zero-day exploits, is that -- unlike a conventional bomb or missile -- a cyber weapon can be analysed and even potentially repurposed and re-used by the country or group it was used against.
One good example of this is shown by the WannaCry ransomware attack, which caused chaos in May. The ransomware proved so virulent because it was supercharged with a zero-day vulnerability that had been stockpiled by the NSA, presumably to use in cyber espionage. But the tool was somehow acquired by the Shadow Brokers hacking group (quite how is extremely unclear), which then leaked it online.
Once this happened other ransomware writers incorporated it into their software, making it vastly more powerful. This risk of unexpected consequences means that cyber weapons and tools have to be handled -- and deployed -- with great care. There is also the further risk that, thanks to the hyper-connected world we live in, these weapons can spread and cause much greater chaos than planned, which is what may have happened in the case of the Ukrainian NotPetya ransomware attack.
Stuxnet is a computer worm that targets industrial control systems, but is most famous for most likely being the first genuine cyber weapon, in that it was designed to inflict physical damage. It was developed by the US and Israel (although they have never confirmed this) to target the Iranian nuclear programme. The worm, first spotted in , targeted specific Siemens industrial control systems, and seemed to be targeting the systems controlling the centrifuges in the Iranian uranium enrichment project -- apparently damaging 1, of these centrifuges and delaying the project, although the overall impact on the programme is not clear.
Stuxnet was a complicated worm, using four different zero-day exploits and likely took millions of dollars of research and months or years of work to create. There is a definite risk that we are at the early stages of a cyberwar arms race: as countries realise that having a cyberwarfare strategy is necessary they will increase spending and start to stockpile weapons, just like any other arms race. That means there could be more nations stockpiling zero-day attacks, which means more holes in software not being patched, which makes us all less secure. And countries with stockpiles of cyber weapons may mean cyber conflicts are able to escalate quicker.
One of the big problems is that these programmes tend to be developed in secret with very little oversight and accountability and with murky rules of engagement. Military systems are an obvious target: preventing commanders from communicating with their troops or seeing where the enemy is would give an attacker a major advantage.
However, because most developed economies rely on computerised systems for everything from power to food and transport, many governments are very worried that rival states may target critical national infrastructure. Supervisory control and data acquisition (SCADA) systems, or industrial control systems -- which run factories, power stations and other industrial processes -- are a big target, as Stuxnet showed.
These systems can be decades old and were rarely designed with security as a priority, but are increasingly being connected to the internet to make them more efficient or easy to monitor. But this also makes these systems more vulnerable to attack, and security is rarely upgraded because the organisations operating them do not consider themselves to be a target. When the government of the eastern European state of Estonia announced plans to move a Soviet war memorial, it found itself under a furious digital bombardment that knocked banks and government services offline (the attack is generally considered to have been Russian hackers; Russian authorities denied any knowledge).
However, the DDoS attacks on Estonia did not create physical damage and, while a significant event, were not considered to have risen to the level of actual cyberwarfare. Another cyberwarfare milestone was hit the same year, however, when the Idaho National Laboratory proved, via the Aurora Generator Test, that a digital attack could be used to destroy physical objects -- in this case a generator. The Stuxnet malware attack took place in , which proved that malware could impact the physical world. Since then there has been a steady stream of stories: in , the NSA said it had stopped a plot by an unnamed nation -- believed to be China -- to attack the BIOS chip in PCs, rendering them unusable.
In , there was the attack on Sony Pictures Entertainment, blamed by many on North Korea, which showed that it was not just government systems and data that could be targeted by state-backed hackers.
Perhaps most seriously, just before Christmas in , hackers managed to disrupt the power supply in parts of Ukraine, by using a well-known Trojan called BlackEnergy. In March , seven Iranian hackers were accused of trying to shut down a New York dam in a federal grand jury indictment. Nations are rapidly building cyber defence and offence capabilities and NATO in took the important step of confirming that a cyberattack on one of its members would be enough to allow them to invoke Article 5, the collective defence mechanism at the heart of the alliance.
In , it then defined cyberspace as an "operational domain" -- an area in which conflict can occur: the internet had officially become a battlefield. Big industrial control systems or military networks are often considered the main targets in cyberwarfare but one consequence of the rise of the Internet of Things may be to bring the battlefield into our homes. Connected thermostats, cameras, and cookers could all be used either to spy on citizens of another country, or to cause havoc if they were hacked. Not all IoT devices are in homes; hospitals and factories and smart cities are now filled with sensors and other devices which means that the real-world impact of an IoT outage could be widely felt.
The same cybersecurity practices that will protect against everyday hackers and cyber crooks will provide some protection against state-backed cyberattackers, who use many of the same techniques. That means covering the basics: changing default passwords and making passwords hard to crack, not using the same password for different systems, making sure that all systems are patched and up-to-date (including the use of antivirus software), ensuring that systems are only connected to the internet if necessary and making sure that essential data is backed up securely.
This may be enough to stop some attackers or at least give them enough extra work to do that they switch to an easier target. Recognising that your organisation can be a target is an important step: even if your organisation is not an obvious target for hackers motivated by greed (who would hack a sewage works for money?) However, for particularly high-value targets this is unlikely to be enough: these attacks are called 'advanced and persistent'. In this case it may be hard to stop them at the boundary and additional cybersecurity investments will be needed: strong encryption, multi-factor authentication, and advanced network monitoring.
It may well be that you cannot stop them penetrating your network, but you may be able to stop them doing any damage. At a higher level, nations and groups of states are developing their own cyber defence strategies. The European Union recently announced plans to work on a cyber defence plan which it will invoke if it faces a major, cross-border cyberattack, and plans to work with NATO on cyber defence exercises. However, not all nations consider such planning to be a particularly high priority.
More broadly, to prevent cyberwar incidents, countries need to talk more: to understand where the boundaries lie and which kinds of behaviour are acceptable. Until that is done there is always the risk of misunderstanding and escalation. Just as nations attempt to deter rivals from attacking in conventional weapons, so countries are developing the concept of cyber deterrence to help to prevent digital attacks from occurring in the first place -- by making the cost of the attack too high for any potential assailant.
One way of doing that is securing and hardening their own computer systems so that it becomes very hard -- and very expensive -- for any attacker to find weaknesses. Thanks to the swiss-cheese nature of so many computer systems the attackers will still have the advantage here. The other option is to impose costs on the attackers through sanctions, criminal investigations or even the threat of striking back.
Most recently the US in particular has been attempting to create deterrence through a policy of naming-and-shaming, in particular using indictments to name particular individuals it believes are responsible for carrying out state-backed cyber attacks.
However, as hackers from all nations continue to poke and pry at the computer systems of their rivals, it would seem that cyber deterrence is at best a work in progress. Closely related but separate to cyberwarfare is cyber espionage, whereby hackers infiltrate computer systems and networks to steal data and often intellectual property. There have been plenty of examples of this in recent years: for example the hack on the US Office of Personnel Management, which saw the records of 21 million US citizens stolen, including five million sets of fingerprints, was most likely carried out by Chinese state-backed hackers.
Perhaps even more infamous: the hacking attacks in the run up to the US Presidential elections and the theft of emails from the Democratic National Committee: US intelligence said that Russia was behind the attacks. The aim of cyber espionage is to steal, not to do damage, but it's arguable that such attacks can also have a bigger impact. Law scholars are, for example, split on whether the hacks on the DNC and the subsequent leaking of the emails could be illegal under international law.
Some argue that it mounts up to meddling in the affairs of another state and therefore some kind of response, such as hacking back, would have been justified; others argue that it was just below the threshold required. As such the line between cyberwarfare and cyber espionage is a blurred one: certainly the behaviour necessary is similar for both -- sneaking into networks, looking for flaws in software -- but only the outcome is different; stealing rather than destroying. For defenders it's especially hard to tell the difference between an enemy probing a network looking for flaws to exploit and an enemy probing a network to find secrets.
Closely related to cyberwarfare is the concept of information warfare; that is, the use of disinformation and propaganda in order to influence others -- like the citizens of another state. This disinformation might use documents stolen by hackers and published -- either complete or modified by the attackers to suit their purpose. It may also see the use of social media and broader media to share incorrect stories. While Western strategists tend to see cyberwarfare and hybrid information warfare as separate entities, some analysts say that Chinese and Russian military theorists see the two as closely linked.
Indeed it is possible that Western military strategists have been planning for the wrong type of cyberwar as a result. One of the ways countries are preparing to defend against cyberwarfare is with giant cyber defence wargames, which pit a 'red team' of attackers against a 'blue team' of defenders.
Some of the biggest international cyber defence exercises, like the NATO-backed Locked Shields event, can see as many as cybersecurity experts sharpening their skills. In Locked Shields, the defending teams have to protect small, fictional, NATO member state Berylia from mounting cyberattacks by rival nation Crimsonia. It's not just the technical aspects of cyberwarfare that are tested out; in September European Union defence ministers also took part in a table-top exercise called EU Cybrid, designed to test their strategy and decision making in the face of a major cyberattack on the European Union military organisations.
The game aimed to help develop guidelines to be used in such a real-life crisis, and was the first exercise to involve politicians at such a senior level. Some argue cyberwar will never take place; others argue cyberwar is taking place right now. The truth is of course somewhere in the middle. Beyond the famous example of Stuxnet, pure cyberwar operations will remain extremely rare, but already the concept has become absorbed into the broader set of military options that exist, just like other new technologies, such as submarines and aircraft, in the past.
It's possible that cyber weapons may also become a more common feature of low intensity skirmishes between nations because they are capable of causing confusion and chaos but not too much damage. But it's unlikely that a war would ever be fought purely with digital weapons because they are too expensive and hard to control and of limited impact.
That doesn't mean cyberwarfare is irrelevant -- rather that some kind of cyberwarfare capability will be part of pretty much every military engagement from now on.