The cyberwar discussion is mired in confusion.
What defines an act of cyberwar? Is it a sophisticated hack from China or Russia that shuts down the US power grid? Is it a rogue group like Anonymous breaking into government sites? Is it all the spying China has been doing for several years now? And what about Stuxnet and Duqu? Were those creations an act of war by the US and Israel against Iran? Does a cyberwar involve government and military sites only or does it include the networks of private enterprise as well?
The debate will continue to limp along in 2012. Don't expect a clearer definition, because you probably won't get one. Still, on a much smaller, targeted scale, we have plenty of evidence that online battlefields between nations isn't beyond reality. Instead of waiting for the perfect metrics and verbiage, we may as well accept that the tools and know-how exist for cyberwar and plan our defenses accordingly.
Spy vs. spy
Clearly, governments have been using hackers to spy on other countries via weaknesses in computing infrastructure for years now. Back in 2009, colleague Grant Gross wrote about cyberspies from China, Russia and elsewhere gaining access to the US electrical grid and installing malware tools designed to terminate service. One could interpret those actions as an act of war, though it's difficult to know for certain what the motives are.
Just a couple weeks ago, colleague Jeremy Kirk wrote about a report in which the Office of the National Counterintelligence Executive warned of more aggressive spying in the coming months. Specifically, he wrote, the US can expect more aggressive efforts from countries such as Russia and China to collect information through cyberespionage in areas such as pharmaceuticals, defense and manufacturing
"Chinese actors are the world's most active and persistent perpetrators of economic espionage," the report said. "Russia's intelligence services are conducting a range of activities to collect economic information and technology from US targets."
Lack of preparation
George V. Hulme has spent a lot of time researching the issue this past year. He once asked, "If Stuxnet was an act of cyberwar, is the US ready for a response?"
The short answer from security experts was no.
"The biggest challenge we face isn't that we're not ready for a Stuxnet. The biggest problem we face is that we're not really ready for anything. If you were to do a pen test - and there's plenty of research out there to support this - most utility companies are extremely vulnerable," says Eric Knapp, director of critical infrastructure markets at NitroSecurity.
We got a reminder of that reality last week, when hackers reportedly launched a digital attack that destroyed a water pump in Springfield, Illinois, then took aim at the SCADA system of Houston's water supply network.
What to do?
Fortunately, there are already steps we can take to harden our defences. David Marcus, director of security research at McAfee, wrote about the incidents in his blog, saying it's no more difficult to attack a SCADA network or system than it is to attack any other system. It's always just a matter of time, he writes, adding:
"Certainly we may see more SCADA-based or SCADA-focused attacks in the future. Attackers tend to target systems that can be successfully compromised, and recent history has shown that these systems are at least as vulnerable as other types of networked systems." But that isnt really the point, he said. "In my mind, the second question often morphs into 'How do we know they are not already compromised and actively under attack now?'"
Assuming we are, he suggested a few things individual SCADA admins can do:
- Include "cyber" in all risk management
- Set up extensive penetration testing
- Set up extensive counter-social engineering training
- Put a SCADA-specific CERT plan and team in place
- Network with law enforcement at all levels
- Expect to get attacked and take appropriate countermeasures
Though this advice was offered to SCADA admins, the advice is applicable to the wider challenges that go into protecting network infrastructure.
Know what you're talking about
The greatest challenge, perhaps, is getting our definition of cyberwar straight. I'm one of the first to admit that I don't have my own act together on this yet. But as I work on that, I have plenty of good resources to draw from. One is a column Brian Krebs wrote around this time last year called "The cyberwar will not be streamed."
In it, he warned against the careless use of cyberwar terminology in the wake of Wikileaks. He wrote:
I hope the media will exercise a bit more restraint in tossing around volatile terms like cyberwar, particularly to describe the antics of a group that has a well-earned reputation for attention-grabbing stunts and lampooning just about everything. At best, such flattery may only encourage copycat attacks; at worst, it trivialises the far more serious issues raised by the Wikileaks scandal.
One thing is certain about the coming year. Whether or not we can see things that are easily defined as cyberwarfare, things will no doubt be getting more interesting. Hopefully, we're better prepared than this time last year.