
What keeps Eugene Kaspersky up at night?

One of the most worrisome threats in cyber security is independent hackers reverse-engineering potent, high-end cyber weapons and espionage tools such as Stuxnet, Flame and Gauss and then unleashing their copies into the global ecosystem, according to IT security expert Eugene Kaspersky, founder of Kaspersky Lab.

Sophisticated cyberweapons like Stuxnet -- designed to spread without doing harm until it reached its exact target, the industrial-control systems at Iran's Natanz uranium enrichment facility -- likely cost millions to produce at the hands of state-backed software engineers aided by sophisticated intelligence networks. Once in the wild, though, they are relatively easy to copy.

(Flame and Gauss are more recent cyber espionage tools capable of gleaning a host of information from a victim's computer, such as screenshots, keystrokes, passwords and location information. Both infected thousands of computers in the Middle East over the last year.)

Kaspersky worries that the clones these copycat hackers produce won't be nearly as precisely targeted as guided cybermissiles like Stuxnet, meaning that they could infect and damage facilities far beyond their intended targets.

Speaking at a cybersecurity conference in Washington Thursday, Kaspersky noted that cyberweapons have certain unique attributes that make them dangerous. "The difference between traditional weapons and cyber weapons is that it's not possible to [re]assemble a cruise missile after it has been used," he said. "Cyber weapons are different" because the victims "can learn from" weapons used against them.

A cyberattack aimed at Saudi Arabian oil giant Saudi Aramco in August bore a striking resemblance to attacks against Iranian oil interests in April, Kaspersky said. Although he cautioned that he had no proof, he said it strongly appeared as if "hacktivists" had reverse-engineered the weapons that hit Iran -- possibly with the help of the Iranian government.

"There could be very random victims," he said, noting that "IT systems are everywhere."

"Stuxnet infected thousands of computer systems all around the globe, I know there were power plants infected by Stuxnet very far away from Iran," Kaspersky said.

An amateur-built copy of a worm designed to sabotage power stations or other facilities run by SCADA systems, as Stuxnet did at Natanz, could end up infecting the control systems of a nuclear power plant that was never its target.

"Stuxnet was made by very professional people and Stuxnet hit only the station that was the exact target," Kaspersky said. "What about mistakes? What about engineers that are not so professional developing [copied] malware which is not able to recognize an exact target [the way Stuxnet did]?"

Kaspersky told Killer Apps after his talk that it would be easy to "hijack" new cyberespionage tools like Flame and Gauss and put virtual "warheads" on them, turning them from the most potent cyberspying tools ever seen into actual weapons capable of causing damage in the physical world, in the same vein as Stuxnet.

Making matters worse is the burgeoning black market for sophisticated software exploits, known colloquially as "zero-days" because they target vulnerabilities the vendor has had no time to patch, that are traded among hacker networks.

"There's a growing black market for zero-day attacks, which is the exact type of thing you need to inflict major damage on the networks," Eric Rosenbach, deputy assistant secretary of defense for cyber policy told Killer Apps earlier this month. "Because there's an active black market for it, it's likely to expand, so it's something we need to get our arms around as a country."

"That would be a whole of government effort" with the "heavy involvement" of the FBI and the Department of Homeland Security, Rosenbach added.

New, more secure operating systems for critical infrastructure such as power plants could bolster U.S. defense against cyberattacks. But such an approach would be costly, and there will always be someone somewhere who is devising a way around new defenses, analysts say.

Kaspersky argues that the best way to combat the threat of increasingly sophisticated hackers is international agreements on the use of cyberweapons and cooperation in hunting down cyber criminals.

"Governments can talk to each other. Governments can agree not to use" certain cyberweapons, Kaspersky said.

"In the future ... will be a very big demand for international [cooperation] to recognize who is behind attacks, to find the Internet terrorists before they do action," Kaspersky said. "This is a place for intelligence [agencies], it's a place for international [cooperation], and a place for IT contractors to assist."

Easier said than done, says Rosenbach.

"There are several countries right now that are very aggressive in cyberspace and are likely trying to create norms [of cyberspace behavior] that would be unstable for the international community because they are so aggressive," Rosenbach said. "It's still not completely clear what's acceptable and what's not acceptable and several nations different than the United States have very aggressive notions of what's acceptable."

The Pentagon is pushing for the international community to adopt cyber norms based on the law of armed conflict; this is where the United States is meeting resistance, especially from Russia and China, according to Rosenbach.

"We look at cyber just like you would look at any other form of warfare or military operations," Rosenbach said. "So the law of armed conflict applies, and within that you can already interpret what would be acceptable in cyberspace. We don't have a lot of case history to back up the customary aspect of it in international law, but we think that the framework is already there."

Russia and China are focused more on controlling citizens' activities on the internet rather than limiting attacks on nations' critical infrastructure, he said.

"There are other countries, the Chinese and Russians in particular, that don't think the law of armed conflict is the best framework to view these things through and they focus much more heavily on control of information than they do on the security of crucial infrastructure or preventing the destruction of networks."

Rosenbach went on to call this a "nonstarter."

"To say that your model of an international law for cybersecurity is based on controlling media content or what people can say about the government isn't something we're interested in at all," he said. "There are other areas -- in particular, the theft of intellectual property -- because that's a major problem for the United States right now, where there are very different ideas about what's acceptable and what's not."


Pentagon expanding public-private cyber information sharing program

Rather than wait for Congress to pass legislation enabling private companies to send information about cyber attacks to the U.S. government, the Pentagon is expanding a little-known program allowing defense contractors to share information with the government about cyber espionage and attacks against them.

In recent years, U.S. defense contractors have famously been hit by cyber attacks compromising information on high-profile weapons systems, such as the $1.5 trillion F-35 Joint Strike Fighter program. In the case of the F-35, the attacks have led to costly software redesigns and production delays.

To remedy this, the Defense Industrial Base Cybersecurity and Information Assurance (DIBCIA) program was established several years ago as a voluntary partnership between the government and defense contractors holding facility clearances, aimed at sharing information on cyber threats and even providing companies with assistance from U.S. intelligence agencies in defending against them.

Now, the Pentagon is opening up DIBCIA to a broader swath of companies.

"If you're a Defense Department contractor with a facility clearance, we want to share classified threat information with you," said Richard Hale, the Pentagon's deputy chief information officer for cyber during a Sept. 27 cybersecurity conference in Washington. "It's a voluntary program. We'll share with you, you share with us. We also have a second part of that program that allows you to get security services from a service provider that's getting classified information and using it to protect you."

DoD is now working with the Department of Homeland Security to develop a similar program that would let companies responsible for maintaining critical infrastructure -- banks, utilities, Internet service providers, etc. -- share information on cyber threats with DHS.

"We're teamed closely with [the Department of Homeland Security] to see if DHS can expand this model out to other critical infrastructure," said Hale.

This comes as Pentagon officials revealed that they plan to work with private companies to develop incentives for meeting high standards of protection against counterfeit or compromised electronic parts in their supply chains (a threat that is either grave or completely overblown, depending on whom you ask).

So far, these efforts between DoD and defense contractors to share information and defend against cyber threats have been "enormously successful," Eric Rosenbach, deputy assistant secretary of defense for cyber policy, told Killer Apps earlier this month.

Rosenbach went on to describe the information-sharing component of DIBCIA under which U.S. intelligence agencies supply threat analysis on behalf of defense contractors, known as the Defense Enhanced Cybersecurity Service (DECS).

"We wanted to create a new model for trying to protect information, so we are using specialized [threat] signatures [known to] the intelligence community, giving them to Internet service providers, who then screen the Internet service traffic" to protect defense companies who subscribe to the service, said Rosenbach.

He insisted that the intelligence community does not see the actual web traffic -- and therefore private citizens' information -- running across the networks of Internet service providers (ISPs); it merely gives the providers information and analysis about malicious signatures so that they can be on the lookout for them.

"The part that's unique is the intelligence community involvement, just giving them the signatures. The intelligence community does not scan the traffic, see the traffic, see any of the results of scanning, so they're completely separate. They just give the special sauce, so to speak," said Rosenbach, referring to the information on advanced cyber threats given by intelligence agencies to the ISPs.

Defense contractors pay for this service and "the only thing that the government provides [is the analysis of] these specialized signatures and the ISPs are responsible for making sure it all runs," added Rosenbach.

Those signatures are "basically a string of numbers in hexadecimal format that's mostly unintelligible unless it's read by a machine or an antivirus program," said Rosenbach. "That type of information, technical information, is what's most valuable to information sharing. It's not the personally identifiable information that we're interested; it's the type of information that could help you stop an attack if you know what you're looking for."
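The screening arrangement Rosenbach describes, as an added illustration that is not part of the article and not code from any DoD or ISP system: a provider hands over opaque hex byte strings, a screener on the ISP side decodes them and scans subscriber traffic, and what leaves the screener is match metadata, never payload. The signature values, subscriber names and traffic samples below are constructed for the example.

```python
"""Signature screening with an intelligence/ISP separation boundary.

Added example, not code from the article or from any DoD or ISP system. It
models the arrangement Rosenbach describes: a provider hands over opaque hex
byte strings, the screener (the ISP role) decodes and matches them against
subscriber traffic, and only match metadata, never payload, leaves the
screener. Signature values, subscriber names and flows are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

HEX_RE = re.compile(r"[0-9a-fA-F]+")


@dataclass(frozen=True)
class Signature:
    sig_id: str
    pattern: bytes  # decoded from the provider's hex string


@dataclass(frozen=True)
class Alert:
    """What a subscriber gets back. No payload field on purpose: the alert may
    cross the ISP boundary, the traffic it was derived from may not."""
    subscriber: str
    sig_id: str
    flow_id: str
    offset: int


def feed_errors(hex_feed: dict[str, str]) -> list[str]:
    """Return the ids of feed entries that are not well-formed hex byte strings."""
    bad = []
    for sig_id, hexstr in hex_feed.items():
        cleaned = re.sub(r"\s+", "", hexstr)
        if not cleaned or len(cleaned) % 2 or not HEX_RE.fullmatch(cleaned):
            bad.append(sig_id)
    return bad


def load_signatures(hex_feed: dict[str, str]) -> list[Signature]:
    """Decode {id: hex string} into byte patterns; refuse a feed with bad entries
    rather than silently dropping them, since a dropped signature is a blind spot."""
    bad = feed_errors(hex_feed)
    if bad:
        raise ValueError(f"malformed signatures: {bad}")
    return [Signature(sig_id, bytes.fromhex(re.sub(r"\s+", "", h)))
            for sig_id, h in hex_feed.items()]


class Screener:
    """ISP-side matcher. Holds traffic and alerts; exposes only alerts."""

    def __init__(self, signatures: list[Signature]) -> None:
        self._sigs = signatures
        self._alerts: list[Alert] = []

    def screen(self, subscriber: str, flow_id: str, payload: bytes) -> list[Alert]:
        """Scan one flow for every signature (all occurrences, overlaps included)."""
        hits = []
        for sig in self._sigs:
            off = payload.find(sig.pattern)
            while off != -1:
                hits.append(Alert(subscriber, sig.sig_id, flow_id, off))
                off = payload.find(sig.pattern, off + 1)
        self._alerts.extend(hits)
        return hits

    def subscriber_report(self, subscriber: str) -> list[Alert]:
        """Each subscriber sees only its own alerts."""
        return [a for a in self._alerts if a.subscriber == subscriber]


# Constructed provider feed: opaque hex, meaningful only once decoded and matched.
CONSTRUCTED_FEED = {
    "SIG-0001": "4d 5a 90 00 03 00 00 00",        # leading bytes of a PE file
    "SIG-0002": "474554202f636f6e6669672e706870",  # "GET /config.php"
}

# Constructed subscriber traffic: (subscriber, flow id, payload bytes).
CONSTRUCTED_FLOWS = [
    ("acme-defense", "flow-1", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("acme-defense", "flow-2", b"GET /config.php HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("beta-aero", "flow-3", b"\x00\x01" + bytes.fromhex("4d5a90000300000000") + b"\x04"),
]


def run_demo() -> list[Alert]:
    """Screen the constructed flows and return every alert raised."""
    screener = Screener(load_signatures(CONSTRUCTED_FEED))
    alerts = []
    for subscriber, flow_id, payload in CONSTRUCTED_FLOWS:
        alerts.extend(screener.screen(subscriber, flow_id, payload))
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The separation Rosenbach describes is enforced here by the shape of the data rather than by policy: the provider's input is a feed of hex strings, the subscriber's output is a list of `Alert` records with no payload field, and the raw traffic never leaves the `Screener`. A real deployment would use a multi-pattern matcher rather than repeated `bytes.find`, but the boundary would look the same.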

DECS, the part of the program under which intelligence agencies share the threat signatures with ISPs, "ran in pilot mode" for several years and was finally cleared to expand in the spring of this year, DoD Chief Information Officer Teri Takai told Killer Apps during the same interview as Rosenbach.

"It's something we think could be expanded to possibly work for protecting critical infrastructure and other parts of the federal government," said Rosenbach.

"We've got a queue of companies that are interested in joining, we've got other federal agencies that are interested in coming aboard, and we've got other federal agencies that are interested in either using our program or creating a similar program," added Takai.

Congress has repeatedly tried and failed to pass legislation that would allow and encourage private companies to share information about cyber security threats with the U.S. government. Many of these bills have been met with strong opposition from civil liberties groups -- and in some cases the White House -- who claim that companies could unnecessarily gather and share private information about U.S. citizens with the government, in the name of cybersecurity. Supporters of these bills argue that real-time information sharing between critical infrastructure providers and the government is required to defend against advanced cyber threats.
