Cyber war is real and likely in our lifetime, according to Richard Clarke, chief executive of Good Harbor Security Risk Management.
“Nuclear war is less likely because of international arms control agreements but, as yet, there are no such agreements on limiting cyber weapons,” he told the RSA Conference 2015 in Abu Dhabi.
The recent pact between the US and China promising no cyber espionage is really all there is, said Clarke, a former special advisor on cyberspace to three US presidents, but he said there are already indications that China is not keeping that promise.
“There is the Budapest Convention on cyber crime, but that does not really have any teeth,” he said.
Clarke said it was appropriate to have a cyber security conference in the Arabian Gulf, because it was in that region that the first real battle of cyber war took place.
Just five years ago, it was considered by many to be science fiction that nation states could use bits and bytes to create the same sort of destruction as bullets and bombs, he said.
But Stuxnet changed all that, said Clarke. “The US government still won’t admit it, but everyone else seems to understand that the US fired the first shot, that engaged in destructive cyber war.”
The target of the physical destruction was the centrifuges in use at the Iranian uranium enrichment site. Instead of a bomber or missile attack, he said the US decided to attack with software.
“Despite the plant being disconnected from the internet, the US still managed to get a huge piece of code into the plant without being detected,” said Clarke.
The sole purpose of the Stuxnet malware, he said, was to make subtle changes to the operation of the centrifuges that over time would destroy 800 without raising any computer systems’ alarms.
Although Stuxnet was designed to self-destruct and cover its tracks, Clarke said it somehow escaped into the wild, with the result that the code of the first known cyber weapon became publicly available.
“Governments and hackers throughout the world were able to download it and learn from it,” he said.
But Clarke said that was not the end of the first battle in cyber war; shortly afterwards Saudi Aramco was targeted by an attack now believed to have been ordered by the Iranian government.
While the attack on Aramco was not a sophisticated piece of software, he said it nonetheless had a very impressive result, wiping all software from 30,000 endpoints, including routers, servers, printers, laptops and desktops – halting the normal business operation of the company for weeks.
“But still it wasn’t over, because just weeks later the eight largest banks in the US – some of which spend up to $250m a year on cyber security – suddenly found they were being targeted by an Iranian-inspired DDoS (distributed denial of service) attack that they couldn’t deal with because it was eight times larger than any DDoS attack seen previously,” said Clarke.
The important thing to note, he said, is that even though the banks’ online banking systems collapsed under the attack, the US government was unwilling to step in and help.
“Iran was sending a message. Their message was: We can attack the US, and we can attack the most important part of the US economy: the banking industry.”
According to Clarke, the banks asked the government for help, but the government decided that it was the banks’ problem. The banks then turned to their internet service providers who tried and failed to stop the DDoS attacks.
Imbalance in cyber defence capability
Finally the attacks stopped, he said, but not because of action by the government or the ISPs – but because the Iranians had made their point and demonstrated their capability.
The lesson to be learned, said Clarke, is that, while the US had created an offensive cyber capability, it had not created an equal ability to defend the US from cyber attack.
“When most governments around the world – not just the US – think about cyber war, they tend to put their money into offensive capability,” he said.
The lesson for the US banks was that, when they come under cyber attack, they are on their own. “When you go back to your companies, remind them of that lesson,” he told conference attendees.
“At the CEO level of large companies, at the board level, in the UK, Germany, Japan and in the UAE, they assume that if their company should ever come under cyber attack by a foreign government, that their own government will defend them. But the lesson from that first battle in cyber space is that you can’t count on that,” said Clarke.
He said that investing only in an offensive cyber capability is risky, because that will be of little use to the average citizen or company when a nation’s critical national infrastructure has been crippled by a cyber attack and there is no electricity, water, gas, banking or telecommunication services.
A cyber attack in which the power grid is attacked and the physical infrastructure is destroyed, he said, is not science fiction. It is also something that would take weeks and even months to fix.
No backup for medieval roll-back
“A cyber attack – without firing a single bullet, without a single bomb going off and without aircraft or missiles – can reduce a modern society to medieval times, and there is in almost no society the ability to roll back to a pre-cyber existence. There are no backup systems. Try to find anything that operates after a massive cyber attack. That’s the reality,” said Clarke.
The fact that the world has not yet seen a massive cyber attack of this kind does not mean that it cannot happen, he said. It just means no nation has had the cause to use this capability yet.
“But when nations that possess these cyber weapons do decide to go to war, they will use them,” said Clarke.
“The result will be that the society attacked is rendered useless. Unable to function for weeks or months on end, and that’s going to happen in your lifetime so cyber security and cyber war are not some marginal issue in your government or in your company. They could be the most important issue of your generation,” he said.
Need for international diplomacy
For this reason, Clarke said governments need to begin serious negotiations to reach international agreements on arms control in cyber space, in the same way they did on nuclear arms control.
He called on information security professionals who understand cyber security to help diplomats construct proposals on how to control arms in cyberspace.
“The other thing we can do is to have governments force companies – particularly those that run critical national infrastructure – to have better cyber security. Instead of concentrating all of their efforts on offensive cyber war, governments should think about how they protect their own countries, and that can be through regulation,” said Clarke.
But he said most governments are reluctant to tell private companies what to do. As a result, most companies that run oil, gas, water, electricity and banking systems are still “extraordinarily vulnerable to cyber attack”.
Clarke said while 100% security is impossible to guarantee, most of the data breaches that have become public in recent months could have been prevented by existing technologies.
“There are technologies today that can stop most attacks which, if deployed properly and in the right combination, would make it very difficult for attackers to achieve their goals – and yet they are not being used,” he said.
Regulatory role for governments
These include technologies for continuous monitoring, network segmentation and network resilience.
“Governments could require companies to do that, and in industries in countries where some countries have, we have seen vast improvement in security. But without government regulation, companies will not do it voluntarily,” said Clarke.
He said no organisation will be as secure as it could be with existing technologies, unless they are forced to do it through regulations.
“The only companies that really pay attention are companies that have had massive and devastating attacks that have become known publicly and several executives have been dismissed.”
Clarke called on information security professionals to advocate that their governments test the cyber security of companies and mandate what they need to do to become secure.
“In the absence of that, we will continue to have a very good offensive capability, which will eventually be developed by every nation and dribble down to individual hackers and terrorist groups,” he said.
According to Clarke, a former US national co-ordinator for security and counter-terrorism, once terror groups have acquired the capability to carry out major cyber attacks against infrastructure, they will not hesitate to do so.
Cyber risk from terror groups
“The history of cyber war so far has been that capability that at one point could be done only by one or two nations, dribbles down, expands, proliferates and spreads to many more, and eventually it will leak out to individual hackers and terrorist groups,” he said.
Clarke said terror groups such as Al Qaeda have vast amounts of money that can be used to hire and train hackers.
“So in addition to the nation state threat, the next threat that we haven’t seen yet, but will happen, is sophisticated terrorist cyber attacks,” he said.
Clarke said this is the message that information security professionals need to take to business and political leaders.
“If this fails to resonate with your leaders, tell them they are already in a cyber war because it includes cyber espionage and cyber crime, which go on every day, costing companies billions.
“As cyber security professionals, you have an obligation to not only secure your own network, but to also take the message to your leaders, who don’t know how much damage can be done,” he said.
Security professionals, he said, can help company and political leaders to understand the risks as well as what can be done to minimise that risk and make attacks less damaging when they happen.
“We are running huge risks, we haven’t yet seen the full extent of the damage that can occur through cyber attack, and we need to do more on the defensive side because having a great offensive capability won’t turn the lights back on.”