For the past decade at least, the overarching narrative of the information security industry has been the growing commercialisation of cybercrime. Before, viruses and other kinds of malware were the work of misguided computer geniuses showing off to their peers, but now criminal gangs bent on extorting funds lie behind many security threats.
And while there were the occasional examples of cybercriminal methods being used for political ends, for the most part it was an intriguing sideshow to the more money-minded main event.
In 2010, however, politically or ideologically motivated cybercrime became the dominant theme, not only in discussions about information security but also, it appeared at times, in those about international relations.
It kicked off in January with an official blog post by web giant Google, titled ‘A new approach to China’, which recounted how it and several other major US corporations had fallen victim to a coordinated cyber attack a month earlier.
The objective of its assailants had been to gain access to the web-based email accounts of Chinese human rights activists, Google said, but they had failed in this regard. In reaction to the incident, dubbed ‘Operation Aurora’, Google decided to discontinue its search operations on the Chinese mainland. It also led several governments to drop Internet Explorer temporarily, after it emerged that an exploit in the Microsoft web browser had been used to execute the attack.
Another politically charged cyber threat was Stuxnet, a new form of worm found to have infected IT systems attached to Iran’s nuclear infrastructure in July 2010. Like the virus that struck Google, Stuxnet appeared to have a remarkably specific payload: it was written to disrupt IT systems that controlled nuclear centrifuges. Iranian authorities insisted that the attack was identified and contained before achieving its desired result.
Uncorroborated speculation suggested the involvement of US and/or Israeli intelligence agencies in Stuxnet’s creation. Jonathan Penn, a security analyst at Forrester Research, says Stuxnet was “too well resourced” to be the work of opportunist cybercriminals.
The worm provided a proof of concept of how computer viruses can disrupt operational systems, argues Penn. He explains that the virus could be rewritten to sabotage critical national infrastructure such as electricity grids. Furthermore, the likelihood of this happening will only increase as infrastructure becomes “intelligent”, and relies more on IT systems and interconnectivity. “We’ve got utilities and power plants, and we’re going to see more of that with Smart Grid. We’re also seeing healthcare delivery and diagnostics having smarter end points,” he says. “Stuxnet is just a harbinger of things to come.”
This may help to explain Intel’s decision to splash out $7.7 billion on McAfee in August 2010. At the time, the acquisition baffled many industry watchers, who pointed to an apparent lack of synergy between the world’s largest chipmaker and a provider of desktop antivirus software.
Announcing the acquisition, Intel CEO Paul Otellini claimed that security was “the third pillar of what people demand from all computing experiences”, in addition to Internet connectivity and energy efficiency. Otellini added that the purchase would be pertinent to the vendor’s mobile device strategy – a market that it is becoming essential for Intel to tap into, as demand for PCs has weakened.
Forrester’s Penn thinks that the McAfee acquisition is a play for the mobile market, but also believes it has one eye on the future, particularly intelligent, Internet-connected devices that are not necessarily suited to running much software. “There are some places where security goes at the hardware level,” he explains. “As things like TVs and refrigerators get Internet connected, you don’t want to have to download and update software.”
Rise of the hacktivist
It was not just state agencies that were implicated in the cyber skirmishes of 2010. As a report by think tank Chatham House noted in November, “cyberspace gives disproportionate power to small and otherwise relatively insignificant actors”.
This principle was proved beyond all doubt by an amorphous collective of online ne’er-do-wells calling themselves Anonymous. The group is loosely affiliated with notorious Internet image board 4chan, and is staunchly opposed to what it sees as unfair and outmoded copyright protection laws.
This cause was the motivation for ‘Operation Payback’, a campaign that Anonymous waged against a number of organisations representing copyright holders. The websites of the Motion Picture Association of America, the British Phonographic Industry and UK law firm ACS:Law, which represented copyright holders, were all subjected to denial-of-service (DoS) attacks, the group’s favoured weapon of cyber war.
Anonymous switched targets later in the year, after various companies moved to distance themselves from whistle-blower website Wikileaks, in some cases at the behest of the US government.
Amazon Web Services, which was temporarily used to host the site, removed Wikileaks’ servers saying that its terms and conditions had been violated. Soon after, Visa, MasterCard and PayPal all ceased processing donation payments to the organisation. Within days, the websites of Visa and PayPal began to suffer sporadic outages, with Anonymous triumphant in its admission of responsibility.
Forrester analyst Penn says the Wikileaks episode is indicative of the Internet’s infancy. He observes that both technology and regulation have so far failed to protect against DoS attacks. “There’s a degree of lawlessness [on the Internet],” he says, “and we don’t have the frameworks to deal with it.” Furthermore, Penn argues, Wikileaks’ ability to obtain the classified files in question shows how even US intelligence agencies struggle to enforce sound information security practices.
The leaked diplomatic cables were said to be accessible by up to three million US civil servants, thanks to an information-sharing initiative launched after the 9/11 terrorist attacks. Former intelligence analyst Bradley Manning, accused by the US government of perpetrating the breach, is alleged to have done so by simply burning the documents onto a CD marked ‘Lady Gaga’.
In a public demonstration that it takes cyber threats seriously, the UK government outlined in November a new national security strategy that places them among the gravest risks to Britain and its citizens, alongside international terrorism and flu pandemics. The strategy elevated cyber attacks to a ‘Tier 1’ threat and earmarked £650 million in government funding to fighting them, even as overall security spending fell. The money will be spent on measures including a UK Cyber Defence Operations Group within the Ministry of Defence and, perhaps ironically, improved information sharing between the US and UK.
“As a Tier 1 threat, the UK government publicly recognises that cyber risks are an immediate and growing challenge,” comments Dr Mils Hills, a professor of risk, crisis and disaster management at the University of Leicester.
Even in the first weeks of 2011, the scale of cyber conflict continued to spread, as Anonymous launched DoS attacks on websites run by the governments of Zimbabwe and Tunisia, due to their censorship of Wikileaks.
Dr Hills believes that attacks such as this call for some kind of ‘cyber deterrent’. “One would hope that the government would be investing and collaborating with the US and others in a strategic cyber deterrent,” he remarks, “such as an electronic equivalent of the Trident nuclear programme to dissuade adversary states, and those that they influence, from cyber attacks.”