This was not empty rhetoric. The U.S. government now allocates around $5-6 billion per year to its cyber defence budget. A new covert cold war is looming, but this time it’s online, in the deep realms of the cyber world.
Enter Kim Zetter, an award-winning journalist who has been covering the growing field of cyber-security for over 15 years and was voted one of the top 10 security reporters in the US. She is the author of Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon – an account of the world’s first “digital nuke”, called Stuxnet, which was 20 times more potent than any other digital virus ever created and was purportedly developed by Israel and America to freeze any nuclear ambitions Iran had.
Since then, small warning signs have potentially emerged around the globe. Planes have been grounded and grids have been temporarily frozen, but Zetter tells us this is nothing compared to the unpredictable future we face if we do not take the right precautions. As this invisible war rages on, many questions remain unanswered. We put these questions to Kim, and the answers we got were both fascinating and frightening.
I recently watched the new Alex Gibney documentary Zero Days that was based on your book. How much were you involved with the film?
Alex Gibney met with me early in 2014 before my book came out. He basically wanted me to hand over all my information and classified sources to him. I was reluctant to do that and he got angry. They then tried to go around me and get an advance copy of my book by lying to the publisher. The publisher didn’t agree to give them a copy so they got an electronic copy on the day it was published. They were desperate to get it. Alex read the electronic copy, emailed me to tell me that it was a great book and that he would be in touch, and then he never was.
It wouldn’t have been so bad except in all his publicity for the movie, all of his talking points are from my book. It’s also really unnerving, the comments he’s made publicly about the book. Someone tweeted him about the fact that I wasn’t in the movie at all and also pointed out that there weren’t actually any women interviewed in the movie. He denied it and said that simply wasn’t true, but I don’t know how you can deny it when there clearly are no women in the movie. This person also asked, “how did you not interview someone who wrote the definitive book on this?” and his response was, “it’s a good book but there are other good books as well.” He was denying that my book was the basis for the entire movie. I don’t really understand why someone who is such a prolific filmmaker has to diss my work in order to promote his, but he did nonetheless.
Countdown to Zero Day is an incredible account of the world’s first “digital nuke”, Stuxnet. How did you first hear about this story? And why do you think it’s not bigger news? It should be on the front page of every newspaper.
Stuxnet became public in July when a Belarusian company announced it. It got picked up by a tech reporter and that’s when it started circling around. Symantec announced that there was this thing that appeared to be attacking a PLC (industrial digital computer used for critical infrastructure). I’d been writing about security since 1999 and PLCs had never come on my radar, critical infrastructure was not on my radar. Industrial control systems were a black hole in my education. Even Symantec’s criminologists said they didn’t know what a PLC was at the time. So that was the intriguing thing. Here was this attack that appeared initially to be espionage, because that’s all we knew – nation state attacks were espionage attacks. This looked like some economic espionage where they were trying to steal secrets, but then it became clear that it wasn’t this at all.
To answer your question about why it’s not been a bigger news story, first of all it’s very technical and the average mainstream media doesn’t have the appetite for a lot of technical detail. It’s a complicated story. The New York Times did write about the fact that this was created by Israel and the US. So it fell to the tech media. It was a tech story for a long time, and we followed it along as the researchers at Symantec were taking it apart. It took them four months to determine what Stuxnet was doing and along the way they were writing blog posts.
Also US media often ignores what the US does. Look at the assassinations by drone strikes. And again, the average American reader, between the coasts, is interested in the sports event this weekend, and if they have enough money to buy a house, or a new car or whatever. Their focus is on other things, not world events. That’s not a surprise. Americans are not very engaged in things outside of the U.S. borders.
Would it be fair to say that 9/11 accelerated cyber warfare?
Well 9/11 wasn’t about nations, it was asymmetric warfare. It was terrorism. The digital warfare programme in the US began in the 90s. That’s when the NSA started doing research in the techniques of going after industrial control systems because they knew that these control critical infrastructure. They started looking at the tools that hackers used and realised that as more and more control systems were coming online (because remember in the 90s we still weren’t online to the degree that everyone was after 2000), they needed to start looking at the targets that weren’t even there yet.
The Stuxnet incident, as you said, really opened the Pandora’s box of cyber warfare. Why haven’t we seen other cyber attacks of that nature? I know that part of the Ukrainian power grid was recently attacked, but at the moment it seems like a very incognito war.
I wrote about the Ukraine power grid and it appeared to the experts who examined it to be some sort of hybrid attack. What may have happened in the Ukraine hack was that criminals, possibly in Russia, got into the systems first, made the initial forays into the system and started mapping it, discovered that they actually could get to the critical component that controlled the distribution of power, and then handed over that access to another group that was more sophisticated and actually understood how those systems work. Then it was that second group that may have actually taken down the power.
I think everyone is stumped as to why we haven’t seen more of this but then again we don’t know if we haven’t seen more of it because Stuxnet continued for three years without being discovered. The effects were noticeable but the cause was unknown. There have been a lot of other incidents over the years that could have been digital attacks but we don’t know for sure.
If you look at the Sony hack the government wanted to point out that when it comes to nation states and the NSA’s ability to monitor what nation states are doing, you can’t always be certain that you can remain anonymous. Nation states are all positioning themselves to have the capability, to be in systems and be ready to do something if they need to, but they’re not taking that final step because they don’t need to yet.
Vladimir Putin’s attack in the U.S. election year sent a chill into the security community.
One of the things that is talked about a lot and was mentioned in Alex Gibney’s film Zero Days is that some countries have a kill switch for other countries, meaning they can shut off their whole grid if need be.
“Kill switch” is a very dramatic term, and really there’s no such thing. One thing that I point out in the book is that you can take a system down, but it’s hard to keep it down. Things change much more quickly in the digital world than they do in the physical world. With digital systems, you can command a digital system silently in the background one day and then the very next day they may update the software and suddenly you’ve been kicked out, and you’ve lost your access. So a digital blueprint is only good for that moment in time. It can change at any moment and cause you to have to go back to square one again.
In any case Alex got that wrong in the film. Nitro Zeus is a contingency plan and nothing more than that. And Iran wasn’t unique in this sense, there are contingency plans for attacking Russia and China. The military wouldn’t be doing its job if it didn’t have contingency plans for all of these countries, and that’s all Nitro Zeus was. It wasn’t even a digital plan. It had some digital elements to it, but every attack plan has digital elements to it. So the movie mischaracterised that.
The contingency plan for Iran was primarily wrapped around its nuclear programme. So it was about asking, what are the steps that we need to take in order to contain Iran and its nuclear programme? What are the targets? Any contingency plan contains the blueprints of the critical targets that the US would have to bomb physically, or take out by some other means. That’s all it is. It’s a blueprint of how you would attack this country, because obviously you can’t wait until the last minute to figure out the assets you need to take out. These contingency plans point out the critical targets and go to the degree of mapping out how you might take them out, so that when an emergency takes place you’ve already got that plan and you can put it into action.
Let’s talk about emerging powers like Russia and China. These countries are building a strong digital arsenal and a generation of younger people who are very tech savvy. What do you think their ambitions are within this cyber narrative?
Certainly the biggest adversaries for the US and Europe are Russia and China, in terms of capability and the will to do things. The aim here is to steal secrets. It’s conventional espionage done through digital means. Countries have always spied on each other in order to understand political plans. In the case of China the motivation probably leans a little more to economic espionage because China wants to maintain, or even achieve, superiority over the US in terms of economics, so to build its businesses it takes a step of economic espionage to aid its companies and investments. That’s the primary aim, traditional espionage.
The second element is the attack stages, setting up for a potential attack if you need it. If Russia, let’s say, does end up getting into some kind of conflict with the US and with NATO, then it is already positioned to take out some systems to cripple troops and cripple leadership. So the planning stages of disabling an adversary in some way to gain advantage over them.
The third stage would be positioning yourself to take out civilian systems, and that’s really going to the nth degree. Here it’s a whole new and interesting realm for the US. The US has never had to face that kind of destruction. In the past all of our wars have been fought outside of US borders and our critical infrastructure here has been pretty safe. No one could reach our airspace in order to bomb us, aside from the attack at Pearl Harbor. Now in the digital realm that’s no longer the case. All critical infrastructure is on the front lines if it’s connected to the internet, and in some cases even if it’s not connected to the internet you can still get into the system. So that changes the whole equation for the US in defence of its critical infrastructure. The US still hasn’t figured that out. That’s largely because critical infrastructure in the US is partly owned by private industry so the government can’t secure it.
The Sony North Korea hack in 2014 was a watershed moment in cyber security.
What amazes me about what you’re saying is how highly connected everything becomes. This sense of territory, and the traditional way of fighting a war, is completely lost.
Right, and we saw that in the US in the case of Libya. When Libya was going through the first stages of its deterioration, the coalition forces were planning an airstrike, and the US was going to go in digitally and take out the communication systems. At the last minute they decided not to do it because they couldn’t map the systems in a way that they felt confident would not affect all of the communications. If they went after the military communications it was going to cascade out and that’s the reason that they didn’t do that.
It happened also in the Iraq war with Saddam Hussein. There was a case reported where the government was going to go after Saddam Hussein’s financial accounts. It’s unclear exactly what they were going to do but the Secretary of the Treasury intervened. You know, if you go after these financial accounts, you may not understand all the implications of how they’re interconnected with other world financial activity and it could also end up affecting you as an economy.
I want to bring in this element of information leaks like the Edward Snowden case. How do you feel his leak of information affected the sensitivity of this kind of cyberwarfare?
Yeah the Snowden leaks really started a much more open acknowledgement from the government. They gave us a greater idea of the scale of activity that’s going on by government hackers, whether for destruction or espionage. It’s primarily espionage being described in the Snowden documents, but it’s also setting the stage for future destructive attacks as well. They do talk about mapping out critical infrastructure of adversaries and getting into those systems. But what really got the government finally acknowledging this activity was something that was completely unrelated to those and that was the discovery of the Heartbleed vulnerability. It was all very inadvertent. Heartbleed gets publicised in 2014 and we learn that here is this Zero Day (unknown vulnerability to attack in some software) vulnerability in systems that have existed for years that would allow a well-resourced adversary, that has the capability of intercepting internet traffic, to decrypt that traffic. So obviously this is a vulnerability that would be of use to a nation state.
There was a Bloomberg story that was published basically asserting that the NSA had known about this vulnerability for three years and had been exploiting it. That prompted the NSA to come out publicly and deny it. The NSA doesn’t generally deny things. They usually have a standard answer. Every call to them you make they say, “we follow the rules of the law, we don’t discuss our programmes,” or something like that. It always seems like a non-denial. But in this case the NSA was very adamant that they didn’t know about Heartbleed and had never used it. In doing this they prompted the White House to announce its policy on Zero Days.
Before then the White House had never acknowledged that it used Zero Days or stockpiled them, but the false story on Heartbleed prompted them to come forward and say that it does use Zero Days but its policy is to disclose the vast majority of Zero Days that it discovers. Unless they discover a Zero Day that has national security uses, or criminal investigation uses, which of course is a huge loophole. Since then we have had this sort of battle among journalists and civil liberty groups with the government, trying to extract more information about this programme, which we now know is called the vulnerabilities equities process. We are getting a greater idea now and the government is releasing more information about this. You see more and more officials publicly talking about the use of Zero Days.
You’ve said that you think the US loses its moral high ground in having made Stuxnet. To me it seems appropriate that if Iran was building nuclear weapons and the US was not sure of its intentions, two countries are within their rights to come together and do something about it.
First of all, if you were going to imagine the US taking the first strike on anything justifiable, I think most people would probably say that going after Iran’s nuclear programme was the right use of this kind of covert activity. Most people would agree that if Iran was being disingenuous about its programme, and there was a lot that was unknown about it, this is the proper use of it. However, regardless of that it does have this counter effect in that it opens the door for other countries to view this as an acceptable means of dealing with political difficulties. So if the US can do this then other countries can, and who decides what the proper level of threat is that justifies the use of a digital attack like this? In the US they decided that Iran’s nuclear programme was a big enough threat. Other countries will have a different idea depending on their needs and fears and whatever. So it validates the use of digital weapons in that way.
The other thing is that the US has taken the moral high ground in another area of digital attacks and that is economic espionage. We saw that when the US announced the indictments of Chinese officials for economic espionage. Basically the US had had enough of China hacking into US defence contractors and corporations and stealing economic secrets, and so they indicted five individuals in the military who they said were behind it and were directing these activities. I was surprised by that because when you do that what you’re basically saying is that it’s open field day on nation state hackers. If you’re willing to indict hackers who are working for the US government then you’re going to find that US NSA hackers are going to be in the same position by other countries. We saw that when CIA operatives in Italy who kidnapped a Muslim cleric were indicted and tried in Italy.
So you start this ball rolling where nation state actors are no longer protected from criminal prosecution. Now the government’s response to that is that it is not a problem because US actors don’t engage in economic espionage. The government felt that it was ok to indict these Chinese targets because the US doesn’t engage in economic espionage, so there won’t be a tit-for-tat. But that’s really naive because other countries aren’t going to make that distinction.
It feels as if we’re entering into a new kind of covert cold war. Would you agree with that?
Yes this is creating a digital arms race. It’s an area that we don’t fully comprehend, and it hasn’t been well thought out even legally. We had an attempt with the release of the Tallinn manual. That’s a 600-page document that was produced by legal authorities as an attempt to determine if the laws of war that currently exist apply in the digital realm, and if they do, how do they apply? And if they don’t then do we need new laws? For the most part they came to the conclusion that the current laws of war do still apply in the digital realm, but there are a lot of new areas introduced by digital warfare that aren’t quite covered by existing laws. So those have to be worked out. The manual is not a binding document in any way, it’s simply an academic exercise, and the US government disagreed and took a very strong stance against some of the conclusions that the Tallinn experts came to about what constitutes an act of war and what can be responded to in retaliation. So this hasn’t been fully worked out. Governments don’t agree. Russia and China tried to get the US to engage in a cyber treaty and the US refused. All of this stuff is still to be determined.
We are entering a new age of warfare and we don’t fully comprehend it. It’s the same with drone strikes. This technology moves too fast for legal issues to keep pace with it, and what we end up doing is trying to figure things out afterwards by looking at the consequences. We’re lucky that we haven’t seen other things like Stuxnet.
So what happens next? What do you think we will see as cyber-warfare begins to dominate the way in which countries deal with each other?
I think we will see a lot of pockets of things happening. I don’t see a cyber Armageddon. I don’t see a cyber Pearl Harbor. But what I see is a lot of test cases. A lot of people felt that the attack on the Ukraine power grid was a test case, to see how far an attack like that could go. I think we will see a lot of unexplained incidents.
We’ve had a series of incidents happen here in the US with airlines. In the last year and a half we’ve had incidents where airlines have grounded all of their planes for a day. That has happened probably three or four times. Each time the airline has said that there’s been a computer glitch, or the system has gone down, or something like that. That’s what they’re saying, but we don’t have a fully clear explanation of what’s going on and unfortunately there is no governing body that investigates that kind of thing. We have a governing body that investigates crashes, and near misses, and things like that, but they’re not going to investigate what is going on with the computer systems of airlines.
So we’ll see things happen with unexplained, or not fully explained, causes. We’ll see things that could be test attacks, and not necessarily nation states, but possibly just a single hacker, testing the limits of the system. There’ll be a lot more mystery as we try to figure out what’s going on, and we’re going to be left with a lot of unanswered questions. We aren’t going to know when something is an attack and when it isn’t.