Case Study: The Looming Threat of Cyberwarfare
“Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
With these words in his 2013 State of the Union address, Barack Obama officially became the first U.S. cyberwarfare president. Obama was about to sign the Improving Critical Infrastructure Cybersecurity executive order, which allows companies associated with the supervision of electrical grids, dams, and financial institutions to voluntarily join a program to receive classified and other cyber security threat information previously available only to government contractors. The main drawback is that legislation can only enforce minimum security requirements for private-sector companies, which operate most U.S. critical infrastructure. Unfortunately, in 2012 Congress had failed to pass two much stronger cyber security bills, bowing to pressure from businesses worried about stepped-up security costs and to concerns raised by privacy advocates.
Cyberwarfare is more complex than conventional warfare. Although many potential targets are military, a country’s power grids, financial systems, and communications networks can also be crippled. Non-state actors such as terrorists or criminal groups can mount attacks, and it is often difficult to tell who is responsible. Nations must constantly be on the alert for new malware and other technologies that could be used against them, and some of these technologies developed by skilled hacker groups are openly for sale to interested governments.
The scale and speed of cyber attacks have escalated in the United States and other parts of the world. From September 2012 through March 2013, at least twelve U.S. financial institutions—Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T, HSBC, J.P. Morgan Chase, and American Express—were targeted in attacks that slowed their servers to a crawl and then shut them down. The severity of the attacks dwarfed previous distributed denial of service (DDoS) attacks. The data centers of these organizations had been infected with a long-available malware agent named Itsoknoproblembro, which creates botnets of slave servers, dubbed bRobots because they are so difficult to trace back to a command and control (C&C) server. The bRobots inundated the bank Web sites with encrypted data. A flood of encryption requests immensely intensifies attack effectiveness, because each request forces the server to perform expensive cryptographic work, enabling the attackers to take down a site with fewer requests.
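As an added illustration (not part of the case or its sources), the following Python sketches how a defender might detect the handshake-flood pattern described above from server logs. It scores each source on its handshake rate and on whether it ever reuses a session, then checks the aggregate handshake rate, which is what exposes a botnet whose individual members each stay under a per-source limit. The log format, the addresses (drawn from documentation ranges), and the thresholds are constructed assumptions.

```python
# Added example (not from the case study): detection logic for a flood of
# fresh TLS handshakes. Each handshake costs the server far more than a request
# on an already-established session, so an attacker who never reuses sessions
# exhausts it with comparatively few connections. All inputs are constructed.
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Construct log lines of the form "<ISO timestamp> <src_ip> <event>" (not real traffic)."""
    base = datetime(2012, 9, 18, 10, 0, 0)
    lines = [f"{base.isoformat()} 198.51.100.7 tls_handshake"]
    # One legitimate client: a single handshake, then five requests on the reused session.
    for i in range(5):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 198.51.100.7 http_get")
    # Ten bots: each opens three fresh handshakes in two seconds and never sends a request,
    # staying under any per-source rate limit while the botnet as a whole floods the server.
    for bot in range(1, 11):
        for i in range(3):
            lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 203.0.113.{bot} tls_handshake")
    return "\n".join(lines)


def parse_log(text):
    """Parse lines into (timestamp, source_ip, event) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, event = line.split()
        events.append((datetime.fromisoformat(ts), ip, event))
    return events


def _span_seconds(timestamps):
    # Observation window; floored at one second so a single event is not an infinite rate.
    return max(1.0, (max(timestamps) - min(timestamps)).total_seconds())


def per_source_stats(events):
    """Handshake count, request count, handshake rate and handshake share per source."""
    by_ip = defaultdict(list)
    for ts, ip, event in events:
        by_ip[ip].append((ts, event))
    stats = {}
    for ip, rows in by_ip.items():
        handshakes = sum(1 for _, e in rows if e == "tls_handshake")
        requests = sum(1 for _, e in rows if e == "http_get")
        stats[ip] = {
            "handshakes": handshakes,
            "requests": requests,
            "handshake_rate": handshakes / _span_seconds([ts for ts, _ in rows]),
            "handshake_ratio": handshakes / (handshakes + requests),
        }
    return stats


def flag_sources(events, max_rate=5.0, min_handshakes=3, max_ratio=0.9):
    """Return {ip: reason} for sources that hammer the handshake or never reuse a session."""
    flagged = {}
    for ip, s in per_source_stats(events).items():
        if s["handshake_rate"] > max_rate:
            flagged[ip] = "handshake rate"
        elif s["handshakes"] >= min_handshakes and s["handshake_ratio"] >= max_ratio:
            flagged[ip] = "no session reuse"
    return flagged


def aggregate_handshake_rate(events):
    """Handshakes per second across all sources; the botnet-wide signal."""
    hs = [ts for ts, _, e in events if e == "tls_handshake"]
    return len(hs) / _span_seconds(hs) if hs else 0.0


def assess(events, baseline_rate=5.0):
    """Combine the per-source and aggregate views into one verdict."""
    rate = aggregate_handshake_rate(events)
    return {"aggregate_handshake_rate": rate,
            "aggregate_alert": rate > baseline_rate,
            "flagged_sources": flag_sources(events)}


if __name__ == "__main__":
    result = assess(parse_log(build_sample_log()))
    print(result["aggregate_handshake_rate"], result["aggregate_alert"])  # 15.5 True
    print(sorted(result["flagged_sources"]))  # the ten 203.0.113.x bots
```

The per-source rate check alone never fires here (each bot manages only 1.5 handshakes per second), which is the point of a distributed flood; the session-reuse ratio and the aggregate rate are what catch it.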
The goal of the attacks was to inflict an unprecedented level of strain on as many financial institutions as possible. No account information was stolen and no financial gain was sought, leading experts to think it was a state-sponsored attack. The hacker group Izz ad-Din al-Qassam Cyber Fighters claimed responsibility, stating that it was retaliating for an anti-Islam video. U.S. government officials believe the perpetrator is actually Iran, retaliating for economic sanctions imposed to halt its nuclear program and for what it believes were U.S. cyber attacks.
In August 2012, the Shamoon virus infected 30,000 machines at the Saudi Arabian oil company Aramco. It destroyed workstations by overwriting the master boot record (MBR), the first sector of a hard disk drive, which stores the partition table and startup code a computer needs to boot. Shamoon also deleted data on servers and overwrote certain files with an image of a burning American flag. U.S. officials attributed the attack to Iran.
Less than two weeks later, the Qatari natural gas company RasGas was forced to shut down its Web site and e-mail systems in an attack initially also attributed to Shamoon. An investigative team concluded it was likely a copycat attack trying to look like the work of the same perpetrator. U.S. government officials blamed Iranian hackers. Israeli officials attributed both attacks to Iran’s Cyber Corps, formed after Stuxnet.
Believed to have been developed by a secret joint United States-Israel operation, the Stuxnet worm was discovered in June 2010. It was designed to disable the software that controls Siemens centrifuges used to enrich uranium, and it reportedly delayed Iran’s ability to make nuclear arms by as much as five years. Iran has also been the target of other malware. The Duqu worm, discovered in September 2011, steals digital certificates used for authentication so that future viruses can appear to be legitimately signed software. In April 2012, other espionage malware called Flame, closely related to Stuxnet and Duqu, was discovered when hard drives at the Iranian Oil Ministry and National Iranian Oil Company were wiped clean. Four months later, investigators found that the data deletion agent they had been looking for when they discovered Flame was a separate malware agent, which they named Wiper. Investigators believe that Wiper’s first objective is to eradicate the malware created by this group.
Cyber offensives come with a considerable downside. Previously released malware is recoverable and can be adapted and reused by both nation-state foes and unaffiliated cyber criminals. Stuxnet code has been adapted for use in financial cybercrime. Another drawback is uncontrollability. About 60 percent of known Stuxnet infections were in Iran, but 18 percent were in Indonesia, 8 percent in India, and the remaining 15 percent scattered around the world. In November 2012, Chevron admitted that its network had been infected with Stuxnet shortly after it spread beyond Iran.
To U.S. officials, these recent Iranian attacks signaled a shift in Iranian policy from cyber defense to cyber offense. After investing approximately $1 billion in its Cyber Corps in 2012 (still just a third of United States expenditures), Iran may have arrived as a first-tier cyber power.
China has been a first-tier cyber power for years. U.S. targets of suspected Chinese cyber attacks include federal departments (Homeland Security, State, Energy, Commerce); senior officials (Hillary Clinton, Adm. Mike Mullen); nuclear-weapons labs (Los Alamos, Oak Ridge); defense contractors (Northrop Grumman, Lockheed Martin); news organizations (the Wall Street Journal, the New York Times, Bloomberg); technology firms (Google, Adobe, Yahoo); multinationals (Coca-Cola, Dow Chemical); and just about every other node of American commerce, infrastructure, or authority. Hackers have obtained sensitive information such as negotiation strategies of major corporations; designs of more than two dozen major U.S. weapons systems, including the advanced Patriot missile system, the Navy’s Aegis ballistic missile defense systems, the F/A-18 fighter jet, the V-22 Osprey, the Black Hawk helicopter, and the F-35 Joint Strike Fighter; and the workings of America’s power grid, possibly laying groundwork for acts of sabotage. Cyberattacks from China and other nations have persisted because the U.S. has difficulty defending its information systems, cyberspace is not yet subject to international norms, and years of intrusions have provoked little American response.
Investigators believe that in September 2012, one of the elite hacking groups from China’s People’s Liberation Army (P.L.A.) attacked Telvent, a company that monitors utility companies, water treatment plants, and over half the oil and gas pipelines in North America. Six months later, Telvent and government investigators still didn’t know if the motive was espionage or sabotage. U.S. intelligence experts believe that China’s U.S. investments, particularly new, substantial investments in oil and gas, deter China from infrastructure attacks. China’s economy could not escape the negative consequences from a significant shutdown of U.S. transportation systems or financial markets. Iran, with no U.S. investments, is a much greater threat. Moreover, diplomatic channels are open with China.
Less than a week after Obama’s State of the Union address, security firm Mandiant released details on a group it dubbed “APT1.” Mandiant traced APT1 to a building in Shanghai that documents from China Telecom indicate was built at the same time as the General Staff Department’s 3rd Department, 2nd Bureau—the military hacking unit, P.L.A. Unit 61398. Outfitted with a high-tech fiber optic infrastructure, this 12-story white office tower was said to be the origin of a six-year offensive that infiltrated 141 companies across 20 industries.
The Obama administration’s mounting concern with the economic and national security risks posed by cyber-intrusions has repeatedly been expressed to top Chinese officials. In May 2013, the Pentagon’s annual report to Congress for the first time directly accused the Chinese government and P.L.A. of attacking U.S. government and defense contractor networks. In May 2014, the U.S. charged five Chinese military officials with hacking into six U.S. steel, solar and nuclear companies and a labor organization for trade secrets and other information.
Two months earlier, however, North Korea, another budding cyberwarfare adversary, was accused of launching its most damaging attack to date. Despite obstacles limiting its ability to develop expertise, including sanctions, which restrict its access to technology, and a limited talent pool due to meager Internet penetration and restrictive access policies, North Korea is believed to have perpetrated attacks on both South Korean and American commercial, educational, governmental, and military institutions. In March 2013, 32,000 computers at three major South Korean banks and the two largest television broadcasters were affected. Internet banking sites were temporarily blocked, computer screens went blank, ATM machines failed, and commerce was disrupted.
The attackers used the Chinese-written Gondad exploit kit to infect PCs with a Trojan horse that provides an entryway for an attacker to take control of the machine, creating a bot or zombie computer. Once the digital backdoor is created, the controller can deposit a malware payload, in this case a wiper agent named Dark Seoul. Like Shamoon, Dark Seoul overwrites the master boot record (MBR). There is no conclusive evidence implicating North Korea, but tensions had been escalating between the two countries. The Kim Jong-un administration had expressed fury in the days leading up to the attack over ongoing, routine joint Korea/United States military training exercises, exacerbated by South Korea’s participation in U.S.-spearheaded United Nations sanctions against North Korea for its nuclear test the month before. Seoul contends that Pyongyang has committed six previous cyber attacks since 2009. Security experts at South Korea’s newly formed cyber security command center believe that North Korea has been assembling and training a cyberwarrior team of thousands, and the United States agrees. For North Korea, the threat of cyber retaliation is negligible. Internet access is only now extending beyond a privileged few, businesses are just beginning to adopt online banking, and worthwhile targets are virtually nonexistent.
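Both Shamoon and Dark Seoul destroy machines by overwriting the first sector of the disk. As an added example (not from the case or its sources), the Python below shows the check a defender can run against that technique: record a baseline hash of each machine’s master boot record while it is known-good, then periodically re-read the sector and verify its structure (the 0x55AA boot signature and a usable partition table) as well as the hash. The sector layout follows the classic MBR format; the sample sector contents and the overwrite fixture are constructed for the example, not taken from any real disk or malware.

```python
# Added example (not from the case study): an integrity check for the master
# boot record (MBR). A defender keeps a baseline hash of each machine's first
# sector and re-reads it periodically; structural checks catch a crude
# overwrite, the hash catches a subtle one. All sector contents are constructed.
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446       # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"       # boot signature in the last two bytes


def build_sample_mbr():
    """Construct a well-formed 512-byte MBR with one bootable NTFS-type partition."""
    boot_code = bytes((i * 7 + 3) & 0xFF for i in range(PART_TABLE_OFFSET))  # stand-in for boot code
    # status=0x80 (bootable), CHS fields zeroed, type=0x07, start LBA 2048, 1,000,000 sectors
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
    return boot_code + entry + bytes(16) * 3 + SIGNATURE


def overwrite_first_sector(mbr, length=MBR_SIZE, filler=0x00):
    """Test fixture only: a copy of the sector with its first `length` bytes replaced by `filler`."""
    return bytes([filler]) * length + mbr[length:]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_partition_table(mbr):
    """Return the non-empty partition entries as dicts."""
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0:          # type 0 marks an unused slot
            continue
        lba_start, sectors = struct.unpack("<II", entry[8:16])
        parts.append({"bootable": entry[0] == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def check_mbr(mbr, baseline_sha256):
    """Compare a freshly read first sector against structural rules and the baseline hash."""
    findings = []
    signature_ok = len(mbr) == MBR_SIZE and mbr[510:512] == SIGNATURE
    if not signature_ok:
        findings.append("boot signature 0x55AA missing")
    partitions = parse_partition_table(mbr) if len(mbr) == MBR_SIZE else []
    if not partitions:
        findings.append("partition table empty")
    hash_ok = sha256_hex(mbr) == baseline_sha256
    if not hash_ok:
        findings.append("sector differs from baseline")
    return {"signature_ok": signature_ok, "partitions": partitions,
            "hash_ok": hash_ok, "findings": findings, "intact": not findings}


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = sha256_hex(good)                    # recorded while the machine was known-good
    print(check_mbr(good, baseline)["intact"])                                    # True
    print(check_mbr(overwrite_first_sector(good), baseline)["findings"])          # all three findings
    print(check_mbr(overwrite_first_sector(good, 446), baseline)["findings"])     # hash mismatch only
```

The third call shows why the hash baseline matters: an overwrite that spares the partition table and signature passes every structural check and is caught only by the hash comparison.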
The Obama administration has begun helping Asian and Middle Eastern allies build up their computer network defenses against Iran and North Korea, including supplying advanced hardware and software and training programs. Future joint war games would include simulated cyber attacks. But deterring cyber attacks is a far more complex problem than conventional warfare, and U.S. officials concede that this effort is an experiment.
While increased diplomatic pressure and the intertwined nature of the world’s two largest economies may yield a practicable agreement between China and the United States, how to deal with the so-called “irrational actors,” Iran and North Korea, is thornier. Since China is North Korea’s biggest trading partner and most important ally, hammering out an agreement with China may be the first step towards managing North Korea. While Iran is diplomatically isolated, China depends on it to meet its energy needs. China walks a tightrope between exploiting the sanctioned Iranian economy and following the U.N. sanctions for which it voted. It just may be that the road to agreements with both Pyongyang and Tehran runs through Beijing. Meanwhile, the military command responsible for most U.S. cyber war efforts, U.S. Cyber Command (CYBERCOM), is slated for a 500 percent manpower increase between 2014 and 2016, and all of the major combat commands in the United States military will share dedicated forces to conduct cyberattacks alongside their air, naval, and ground capabilities.
Sources: Devlin Barrett and Siobhan Gorman, “U.S. Charges Five in Chinese Army With Hacking,” Wall Street Journal, May 19, 2014; John Torrisi, “Cyberwarfare: Protecting ‘Soft Underbelly’ of USA,” CNBC.com, May 15, 2014; Matthew L. Wald, “Report Calls for Better Backstops to Protect Power Grid From Cyberattacks,” New York Times, March 2, 2014; David E. Sanger, “N.S.A. Nominee Promotes Cyberwar Units,” New York Times, March 11, 2014; Julian E. Barnes, Siobhan Gorman, and Jeremy Page, “U.S., China Ties Tested in Cyberspace,” Wall Street Journal, February 19, 2013; Thom Shanker and David E. Sanger, “U.S. Helps Allies Trying to Battle Iranian Hackers,” New York Times, June 8, 2013; Mark Clayton, “New Clue in South Korea Cyberattack Reveals Link to Chinese Criminals,” Christian Science Monitor, March 21, 2013; Siobhan Gorman and Siobhan Hughes, “U.S. Steps Up Alarm Over Cyberattacks,” Wall Street Journal, March 12, 2013; Siobhan Gorman and Julian E. Barnes, “Iran Blamed for Cyberattacks: U.S. Officials Say Iranian Hackers Behind Electronic Assaults on U.S. Banks, Foreign Energy Firms,” Wall Street Journal, October 12, 2012; Choe Sang-Hun, “Computer Networks in South Korea Are Paralyzed in Cyberattacks,” New York Times, March 20, 2013; Rachael King, “Stuxnet Infected Chevron’s IT Network,” Wall Street Journal, November 8, 2012; Mark Landler and David E. Sanger, “U.S. Demands China Block Cyberattacks and Agree to Rules,” New York Times, March 11, 2013; Nicole Perlroth, David E. Sanger, and Michael S. Schmidt, “As Hacking Against U.S. Rises, Experts Try to Pin Down Motive,” New York Times, March 3, 2013; Nicole Perlroth and Quentin Hardy, “Bank Hacking Was the Work of Iranians, Officials Say,” New York Times, January 8, 2013; Nicole Perlroth and David E. Sanger, “Cyberattacks Seem Meant to Destroy, Not Just Disrupt,” New York Times, March 28, 2013; David E. Sanger, David Barboza, and Nicole Perlroth, “Chinese Army Unit Is Seen as Tied to Hacking Against U.S.,” New York Times, February 18, 2013; and David E. Sanger and Nicole Perlroth, “Cyberattacks Against U.S. Corporations Are on the Rise,” New York Times, May 12, 2013.
EVALUATION: Apply the concepts from the appropriate chapter. Hint: The appropriate chapter is the same number as your case. Be sure to use specific terms and models directly from the textbook in analyzing this case and include the page in the citation. (15 points)