February 28, 2015
Part IV: Solving the mystery of shadow hacker organization The Equation Group
In Shane Harris’ @War: The Rise of the Military-Internet Complex, a former hacker turned security executive tells the author, “There is no concept of deterrence today in cyber. It’s a global free fire zone.”
Today, the collateral damage is purely financial and easily written off as “business as usual” on the internet. Financially, this makes sense. Cyberwarfare is asymmetric. A defender has to have a perfect defense to every attack; fail just once, and the attacker wins. From a strictly cost-benefit analysis, it makes sense for the U.S. to invest heavily in cyber-attack capabilities and adopt a “best defense is a good offense” strategy.
However, in a world without cyber-defense, proactive opsec, and deterrence measures put in place, it won’t be long before malevolent interests gain enough minimal sophistication to penetrate a critical U.S. network and cause real damage and even threaten U.S. lives. The United States is putting a heavy gambit on its attack capabilities neutralizing all threats before they occur. Miss only one, and a hacker with an agenda against the United States will have the motive and opportunity to take action against Uncle Sam, which has left its digital flanks wide open to attack.
Worse yet, while cyberwarfare may be asymmetric from an attack and defense standpoint, it is highly symmetric from a resource deployment standpoint. Equation Group demonstrates just how effective a heavily funded, highly skilled, probably state-sponsored group can be in cyberwarfare. However, that does not diminish what one or just a handful of dedicated hackers can do to inflict damage on an unprepared digital asset.
Take, for example, the Sony Pictures Entertainment hack, perpetrated by the self-titled Guardians of Peace. Comparatively unsophisticated, the hacker group was inflicted what Sony estimates to be $15 million in damages. While some FBI officials claim North Korea was behind the hack (which is not exactly a ringing endorsement of the technical sophistication behind the hacking group), other respected security experts have presented credible analyses that the hacker group may be an independent body.
Simply put, the Internet is a place where no one is really sure whether the entity attacking you is a military cyber command of a foreign nation-state or a few kids in a basement looking for “the lulz.” It is, in fact, the digital equivalent of the modern day war on terror, where the detonator to the IED may be held by a state-sponsored terrorist, an Al Qaeda operative, or just a murderous civilian wanting U.S. troops gone. Only, in this case, it’s not just the troops who are in danger but U.S. companies and civilians who share the same Internet connectivity – from bank transactions to power grids to pacemakers, all ripe targets for cyberterrorism.
While it may sound like a Live Free or Die Hard fantasy scenario, Equation Group capabilities were also the stuff of Hollywood movies and conspiracy theories until just last week. It may be that in a few years we look back from atop the digital hill of the Internet of Things and find the dystopian cyber-thrillers of today as prescient about cybersecurity as Enemy of the State was in 1998 regarding privacy in the post-9/11 technology age.
A new arms race
Undoubtedly, cyber-assault capabilities have their place in today’s day and age. Determining what that place is, however, is still being played out. Like all tools and weapons, APT malware is better in the hands of people who fight for you than against you – although some critics question whether the NSA actually fights to benefit the United States citizenry and its ideals. While an offensive-focused strategy may make sense at the onset by utilizing U.S. technical and financial leverage against potential known threats, it also arguably a one-trick pony that invites the development of new threats that may fight back against American digital imperialism and takes resources away from building digital defense systems.
Like the nuclear bomb, the discovery of advanced, state-sponsored malware may have kicked off a new arms race, one unbound by international treaty and open to anyone with a computer and programming skills. The rules that will govern cyberwarfare have yet to be imagined, much less negotiated and implemented. That is, if the rules could even be enforced. Cyberspace, if not the Internet, has been a world without rules and controls, without borders or boundaries – a world where anything is possible.
Where we go from here is a choice left up to us.