We are used to scale being the telltale characteristic of state involvement in warfare. Individuals can go on shooting sprees, and terrorist cells can put bombs, but only states can engage in large-scale warfare. But, as most metaphors of the ‘cyber-’ kind, this intuition breaks down with so-called cyberwarfare.
When last week a number of US and South Korean government and business sites suffered attacks by a botnet (an ‘army’ of thousands, tens or hundreds of thousands of remotely controlled hacked computers), the first analysis by some media and politicians was to consider the attacks as coming from the government of North Korea. As the days went by, this was shifted to ‘North Korean agents’ and then ‘sympathizers’ in South Korea, and the latest analysis suggests sources in the Western World, including the UK and the US itself.
The fundamental analytical misconception behind this is the confusion between the scale of an attack and the scale of the resources necessary to launch it. When it comes to physical weapons, it’s true that launching twice the number of missiles, or employing twice the number of soldiers, requires significantly more resources. But the same isn’t necessarily true when it comes to recruiting botnets.
This kind of hacking does not generally involve a hacker skillfully gaining entry into a specific computer. Rather, the hacker creates a program that automatically takes advantage of vulnerabilities present in a large number of computers (for example, known problems in widely deployed operating systems or browsers). It’s this program which systematically attempts to gain control of vulnerable computers and, furthermore, then uses these computers to help itself gain access to more computers. The difference between a hacker controlling a botnet of tens of computers, and one controlling thousands or more, doesn’t have to do with hardware resources, but rather with how widely distributed are the vulnerabilities targeted, how well written is the code to exploit them, and how well does the hacker or hackers manage the network.
A single patient and skillful individual can then mount what seems like a ‘massive’ attack, but with the size of the attack not being related to the resources behind the hacker. This reality is sometimes difficult to accept to corporate and government security experts who have been trained to focus on large adversaries. The idea that a lone individual can potentially cause a large-scale serious disruption flies against the basic assumptions of many security models.
It’s important to remark that this is a basic feature of computer technology. The existence of computer networks magnifies any particular weakness. Even a small security vulnerability in a widely deployed program can make it easy for an attacker to gain control of a large number of computers. There’s no solution but more robust programs and savvier users.
What can differentiate a government-sponsored attack is the sophistication and, paradoxically, the stealth of an attack. It’s relatively easy for hackers to temporarily shut down a company’s web site by overtaxing it with requests from remotely controlled computers, or to gain access to certain parts of a network and expose proprietary or classified information. It’s technically and operationally much harder to infiltrate a network during a long period of time, with consistent access to information, in a way that can be exploited in the long term for specific commercial or strategic advantages. This is the sort of attack that can go unexposed for a long time, and is generally the hallmark of an insider, a well-funded organization, or, more rarely, the truly dangerous professional.
It’s a given that corporations and states are engaged in systematic hacking attacks and counter-attacks — it’s just a natural extension of intelligence activities. But they aren’t defacing websites or taking down networks. They might tacitly support (or might not even approve of) the skilled individuals doing so out of their own political motivation, but the real business is going on beyond the newspapers headlines and, more worryingly, beyond the declarations of many of the people in charge of that elusive and ill-defined concept, cyber-security.
IEET Blog