Cyber Security: From Defence to Offence

Mar 06, 2018 | Peter Donaldson

Much of the coverage of cyber security focuses on defending networks – private, public, commercial and military – from attack by hacktivists, criminals and various non-state actors. However, the presumed US Stuxnet attack, Russian hybrid war efforts from Georgia and Ukraine to accusations that won't go away over the US presidential election have all made it abundantly clear that state intelligence agencies and military organisations are fully engaged in a range of cyber battles against each other and against terrorist organisations such as IS.

The US and the UK have declared programmes, but don't talk much about weapon specifics, while Israel, China, Iran and North Korea are also believed to rank high on the list of nation states with significant offensive cyber capabilities. Australia has declared its intention to develop such capabilities and announced a recruitment drive last summer.

UK Investment

During 2016, the UK government announced a £1.9 billion investment across government in cyber security, which includes the development of a new Cyber Operation Centre at the Ministry of Defence, the purpose of which is to concentrate defensive cyber activities to protect military networks and systems. This was followed by the launch of the new National Cyber Security Centre to bring together government and private sector expertise in the defence of cyber infrastructure. Then in October, Defence Secretary Michael Fallon announced £265 million in funding for what he called a pioneering approach to rooting out vulnerabilities in current military platforms and new ones such as the Queen Elizabeth class carriers, plus what he called wider cyber-dependent systems.

Regarding offensive capabilities, Hammond said: “It is important that our adversaries know there is a price to pay if they use cyber weapons against us, and that we have the capability to project power in cyberspace as in other domains.

“We must exploit the opportunities that cyber presents to deliver military effects.”

The National Offensive Cyber Programme, in which the MoD and the Government Communications Headquarters (GCHQ) are said to work in close partnership, was announced in 2015, while the most recent Strategic Defence & Security Review (SDSR) expressed the intention to ensure that UK armed forces will increasingly be able to operate as effectively in cyberspace as they do by land, sea or air.

“Since then, we have begun to integrate Offensive Cyber into our military planning alongside the full range of military effects.”

As with most such statements, that gives very little detail of potential offensive cyber operations or specific technologies, although industry has provided some general insights.

To The Battlefield

BAE Systems, for example, talks about the Decide, Detect, Deliver and Assess (D3A) decision pattern as the leading approach to offensive cyber operations.

For the US Army, the company builds executable system-of-systems models using the cyber modelling language CyberML. These models abstract complex cyberspace constraints, technologies and actions and then apply machine-based reasoning to augment human decisions and provide real-time response.

Cyber weapons are broad in definition and in intended effect: from spying and stealing information to denial of service and information destruction, and from countering propaganda used to recruit terrorists to destroying infrastructure and industry and disabling weapon systems.

US Army experimenters have demonstrated a cyber rifle made from a wifi router and a directional antenna coupled to a tiny Raspberry Pi computer, packaged onto an M4 rifle stock and trigger group, which has shown its ability to make hobbyist drones crash. This followed an earlier proof-of-principle demonstration against a door lock connected to an unsecured wireless network, attacked from across a river to allow access to an entry team during a cyber-physical exercise.


Growing Attack Surface

What's more, the attack surface against which such weapons can be deployed is growing daily as more and more systems are interconnected and the Internet of Things (IoT) injects weaknesses into networks through poor security practices, often in trivial, even laughable, products.

These internet-enabled gadgets range from big ticket items such as cars, through domestic appliances including fridges, dishwashers, washing machines, central heating systems and toilets, down to light bulbs, toothbrushes and shoes.

Most require users to reset guessable factory-default passwords and to download frequent software updates, and each potentially provides an easy way into any network to which it is connected.

Similar offensive cyber capabilities are being industrialised in a rash of new counter-drone systems from major defence companies. These combine detection and location capabilities with communications jamming and, in some cases, malware injection capabilities.


Familiar Weapons

For all the potential damage they can cause – making uranium enrichment centrifuges spin out of control and jump their bearings in Iran, possibly causing ballistic missile launches in North Korea to fail, and allegedly hacking voting machines in US elections – actual cyber weapons, as opposed to the devices used to deliver them, are likely to be the kinds of malware from which we have all had to protect ourselves for decades: viruses, trojans and rootkits, in addition to increasingly sophisticated purpose-designed hacking tools and new “zero-day” exploits that target specific weaknesses identified in targeted computers.

Zero-day exploits are unlike other weapons because they rely on exploiting very specific weaknesses in target systems, so the exact nature of each such weapon in the cyber inventory is, and will likely remain, a closely guarded secret until it is used, after which adversaries will scramble to work out what happened and then patch their code – or change their passwords! – to prevent that particular exploit from working again.

Discovered vulnerabilities in all kinds of systems will also become the subject of some delicate calculations among allies as they work out what to share, with whom and when. They will have to balance the desire to help allies protect their systems against the desire to preserve the implied capability against potential adversaries who might operate some of the same vulnerable systems.


Offensive Cyber Suites

Offensive cyber suites are commercially available from companies such as Hacking Team, which offers Remote Control System (RCS) Galileo as a hacking suite for governmental interception. RCS Galileo is marketed as a means of hacking criminal and terrorist targets who use encrypted communication systems. Hacking Team claims to enable customers to look through their targets' eyes while they are browsing the web, exchanging documents, receiving SMS and crossing borders. This, says the company, involves hacking many different computing platforms, such as Windows, OSX, Linux, Android, iOS, Blackberry, Windows Phone and Symbian.

The task involves “overcoming” encryption (although the company does not specifically claim to be able to crack it), intercepting and capturing Skype video and voice calls and social media interactions, determining target location, hacking messaging applications, revealing relationships and so on, all in a stealthy and untraceable manner.

With Galileo RCS deployed all over a customer country, it can be used against thousands of targets and managed from a single location, says the company.

Even organisations that are primarily concerned with protecting their own networks will, if they take the subject as seriously as they should, become familiar with the offensive aspect of defensive security that is penetration testing, a discipline practised by many companies offering either basic standardised services or closely tailored reports from specialist consultancies such as Offensive Security.

While penetration testing is a service designed to reveal vulnerabilities in client systems so that they can be corrected, the skills and techniques used can obviously also be used in real cyber attacks. These techniques, from scanning active ports and working out the structure of target networks to exploiting unpatched vulnerabilities to bypass authentication mechanisms and escalate permissions, can be used to steal data, change it and execute malicious code designed to bring the target system down.


Political Cyber Warfare

There has always been a political element to many cyber attacks, but in its 2017 threat report Symantec reports a complex mix of international bank heists, disrupted elections and state-sponsored attacks along with what it called seismic shifts in their focus.

“Zero-day vulnerabilities and sophisticated malware were used less as nation states devolved from espionage to straight sabotage.”

These activities amounted to targeted attacks designed to shape governments, the company said, marking a shift from economic espionage to politically motivated sabotage and subversion.

“Cyber attacks against the U.S. Democratic Party and the subsequent leak of stolen information reflect a trend towards highly-publicized, overt campaigns designed to destabilize and disrupt organizations and countries.”

The distinction between cyber criminal gangs and some state-sponsored and government employed hackers has long been blurred, and Symantec reported further blurring as states join criminal gangs to target banks in other countries.

“Symantec uncovered evidence of North Korea attacking banks in Bangladesh, Vietnam, Ecuador and Poland, stealing at least US $94 million.”

With capabilities like this clearly achieving major political and financial goals, some might conclude that war as a kinetic activity involving soldiers and military platforms could be relegated to a lower priority among nations determined to impose their will on others. That conclusion could encourage planners to take their eye off the ball when it comes to the security of their strategic and tactical military systems.

This would be a mistake, however, as the software that controls weapon systems and military C4I systems, especially those with significant COTS content (meaning almost everything), is developed by organisations and companies with exposure to the internet at some level. Therefore it will have to be more heavily and cleverly protected than ever. Right from the start of its development, it is likely to be targeted by adversaries who want to learn as much about it as possible and, ideally, program sneaky back doors and other vulnerabilities into it, ready to be exploited at key moments in battle.

Back Doors Wanted?

Mirroring the desire expressed by some governments to try to force software developers to build back doors into publicly available encrypted communications software such as WhatsApp and its growing host of rivals, there may be behind the scenes pressure to build similar vulnerabilities into weapon systems sold to export customers, particularly those that might conceivably end up on the “wrong” side in some future conflict.

Today, offensive cyber capabilities in the military are still overwhelmingly with specialists such as the US Cyber Command, but senior officers in the conventional forces are beginning to argue for their integration into their services as organic capabilities.

For example, USAF Chief Information Officer (CIO) Lieutenant General William Bender is reported as saying that the capability should centre on the USAF's five core missions, which are air and space superiority; intelligence, surveillance and reconnaissance; rapid global mobility; global strike; and command and control. While this is the focus of defensive cyber development in the service, its offensive counterparts don't exist yet. However, the US Army seems ahead of the curve here, as it has established doctrine for Cyber-Electromagnetic Manoeuvre (CEM) that is laid out in a field manual.


Technology Convergence

There is also a technological convergence between Radio Frequency (RF) jamming systems and cyber weapons, which is a natural fit because jammers are powerful transmitters – increasingly software defined – that target certain kinds of receivers with signals intended to fool them. Conceptually at least, it is just a small leap to a system that can also inject malware into the target system. Potentially, this makes every weapon system equipped with RF antennas and receivers a target for cyber attack as they already are for jammers.

Another example of convergence in this domain on the horizon is that between Cyber/EW Applications (CEWA) and High Power Electromagnetic (HPEM) weapons, as the US Air Force Research Laboratory (AFRL) has asked industry to help it research how HPEM might make a contribution to CEWA, and the USAF has awarded contracts to the likes of Booz Allen Hamilton, CSRA and Raytheon this year.

Studies are to cover single-pulse and repetitive-pulse concepts, develop them in the laboratory and conduct small-scale demonstrations. Promising technologies include electron beam devices such as magnetrons, vircators, gyrotrons and backward wave oscillators, as well as solid-state devices including bulk avalanche devices, optical switches and silicon carbide circuits, plus explosive generators that create magnetic flux compression effects with high explosives.

All of these can cause physical destruction to sensitive equipment with powerful electromagnetic fields. AFRL wants to understand effects from back door coupling phenomena, in which EM waves generate damaging currents in the circuits of the target system, and how many systems are likely to be susceptible.

The future of warfare among networked computer systems in civilian infrastructure and other domains of conflict will be characterised by trials of signal strength, logic and raw energy.