World War Web: Are nation state attacks really on the rise?
Why the world will one day need nuclear-style 'cyber treaties'
The spectre of cyber warfare hovers over the security industry like a dark cloud. Infosec professionals whisper ghost stories to each other about state-sponsored Chinese and Russian super-hackers. But are we really on the brink of a digital D-Day?
David Emm, principal security researcher at Kaspersky Lab, points out that countries have been conducting stealth attacks against one another for generations, saying: "As humans we've always done that, but now it will be done using technology."
But despite media hype, the actual number of state-sponsored cyber attacks is comparatively small, especially when compared with financially-motivated cybercrime, he adds.
"Back in 2000, malware was universally vandalism," Emm explains. "From 2003 onwards, we started to see the vandalism side go down and the crime for profit go up and up and up."
"I don't think we'll ever get to a point where we say '90 per cent of what we see is nation-state'. It'll always be tiny."
That's not to say that state-sponsored cybercrime isn't dangerous, however. For example, the recent BlackEnergy attack on the Ukrainian power grid - which the Ukrainian government attributed to Russia - left 700,000 homes without power.
According to Scott Zoldi, chief analytics officer at big data analysis firm FICO, state-sponsored attacks pose "a genuine threat".
"They take some of the very best cybersecurity professionals and hackers out there, and they can assemble an incredible team," he says.
"My contacts in the military would say it's very definitively a threat and that's why in the US, we have a division of our military focused on cybersecurity issues."
The physical damage caused by nation state attacks makes them a unique threat. While even a major business data breach is unlikely to result in fatalities, attacks on critical infrastructure such as water and power could affect millions of people.
"In terms of the impact that this has, it's human lives," says Jose Palazon, CTO of Telefonica's security-focused subsidiary ElevenPaths.
"If you're designing the controller that is going to decide if you're selling or buying electricity from your wind turbine, you're not thinking about human lives," he adds. "But if someone compromises a thousand wind turbines in the field, you might leave an entire city without electricity. Think about the consequences."
So great is the potential fallout from targeted, state-sponsored attacks, that Emm believes we could eventually see a sort of 'cyber treaty', similar to agreements over nuclear weapons, "where governments will say 'we've seen the outcome of this, so we'll all sign up to limit their use'."
"It may well be - sadly, probably after some further bad things have happened - that the great powers do get round the table and say 'maybe we need to apply this to cyber attacks as well'," Emm says.
There are problems, however, with the notion of a 'cyber treaty'. For one thing, it can be incredibly difficult to prove the identity of an attacker. "Attribution is sometimes impossible", Emm concedes, which makes sanctioning countries who break a treaty much more difficult.
Tim Rains, Microsoft 's chief security advisor, agrees, saying: "It's very difficult to determine who's attacking you, and what their motivation is."
Part of the reason for this is the sheer variety of threat actors that have emerged over the past five years. "So now you have economic espionage, military espionage, hacktivism, hackers that are motivated by profit..."
Of course, while definitively stating who carried out an attack is often not possible, there are nevertheless persistent rumours that creep through the security community.
"Take Stuxnet as an example," Emm said. "Nowhere did we say who was responsible for that, but there were people who drew conclusions, given the geopolitical situation."
Indeed, it often seems that any major cyber attack is quickly pinned on the Scary Foreign Government du jour. When Sony Pictures was hacked back in 2014, its proximity to the release of controversial film The Interview led many to blame North Korea.
Similarly, when the US Office of Personnel Management was hit by one of the biggest data breaches in government history - including 21 million people's personal information and the biometric data of 5.6 million - the spotlight quickly fell on China as a likely culprit.
"If you look at Duku, Stuxnet, any of the malware that has made the general media," Palazon says, "those contain such an amount of advanced technology and zero-days that most companies believe that the only way you can create one of those is to be funded by a government."
This may not be the most helpful reaction, though. "When there is an attack," said Emm, "it's understandable that people seek to attribute blame. However, this is notoriously difficult - not least because it's possible for attackers to set 'false flags' to try and cover their tracks".
These 'false flags' act as a trail of breadcrumbs, leaving clues that point towards another group or nation, rather than the actual perpetrator.
"You could have people like us saying 'well actually, it looks like the peak time for compiling these modules was GMT'," Emm says. "But then, if you're the Russians, or the Americans, you could say 'guys, for six months, you're going to be working on a night shift. This has all got to look like it was done on GMT'."
So are major world powers waging a secret cyberwar in the shadowy corners of the internet? The short answer, apparently, is that there's no way of knowing.
"You can say that the sophistication of attacks is generically increasing," says Stuart Aston, Microsoft's national security officer for the UK. "Things like crimeware kits are becoming more and more common, but whether you can say as a result of that, 'that's a government'... I think that's very hard to actually judge."
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisationDownload now
Evaluate your order-to-cash process
15 recommended metrics to benchmark your O2C operationsDownload now
AI 360: Hold, fold, or double down?
How AI can benefit your businessDownload now
Getting started with Azure Red Hat OpenShift
A developer’s guide to improving application building and deployment capabilitiesDownload now