This was not empty rhetoric. The U.S. government now allocates around $5-6 billion per year to cyber defence. There is a new covert cold war looming, but this time it’s online, in the deep realms of the cyber world.
Enter Kim Zetter, an award-winning journalist who has been covering this growing area of cyber-security for over 15 years, and was voted one of the top 10 security reporters in the US. She is the author of Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon – an account of the world’s first “digital nuke”, called Stuxnet, which was reported to be 20 times more potent than any other digital virus created before it, and was purportedly developed by Israel and America to sabotage Iran’s uranium enrichment programme.
Since then, warning signs have emerged from around the globe. Planes have been grounded, and grids have been temporarily frozen, but Zetter tells us this is nothing compared to the unpredictable future we face if we do not take the right precautions. As this invisible war rages on, many questions remain unanswered. We put these questions to Kim, and the answers we got were both fascinating and frightening.
Countdown to Zero Day is an incredible account of the world’s first “digital nuke”, Stuxnet. How did you first hear about this story? And why do you think it’s not bigger news? It should be on the front page of every newspaper.
Stuxnet became public in July when a Belarusian company announced it. It got picked up by a tech reporter and that’s when it started circling. Here was this attack that appeared initially to be espionage, because that’s all we knew – nation-state attacks were espionage attacks. This looked like some economic espionage where they were trying to steal secrets, but then it became clear that it wasn’t this at all.
To answer your question about why it’s not been a bigger news story, first of all, it’s very technical, and the average mainstream media doesn’t have the appetite for a lot of technical detail. It’s a complicated story. The New York Times did write about the fact that Israel and the US created this. So it fell to the tech media. It was a tech story for a long time, and we followed it along as the researchers at Symantec were taking it apart. It took them four months to determine what Stuxnet was doing, and along the way, they were writing blog posts.
The US media often ignores what the US does. Look at the assassinations by drone strikes. And again, the average American reader, between the coasts, is interested in the sports event this weekend, and if they have enough money to buy a house, or a new car or whatever. Their focus is on other things, not world events. That’s not a surprise. Americans are not very engaged in things outside of the U.S. borders.
"Nation states are all positioning themselves to have the capability...but they’re not taking that final step because they don’t need to yet."
Kim Zetter on the intentions of nation states
Would it be fair to say that 9/11 accelerated cyber warfare?
9/11 wasn’t about nations; it was asymmetric warfare. It was terrorism. The digital warfare programme in the US began in the 90s. That’s when the NSA started researching the techniques of going after industrial control systems, because they knew that these control critical infrastructure. They started looking at the tools that hackers used and realised that as more and more control systems were coming online, they needed to start looking at the targets that weren’t even there yet.
The Stuxnet incident, as you said, really opened the Pandora’s box of cyber warfare. Why haven’t we seen other cyber attacks of that nature?
I wrote about the Ukraine power grid, and it appeared to the experts who examined it to be some hybrid attack. What may have happened in the Ukraine hack was that criminals, possibly in Russia, got into the systems first, made the initial forays and started mapping it, discovered that they actually could get to the critical component that controlled the distribution of power, and then handed over that access to another group that was more sophisticated and understood how those systems work. Then it was that second group that may have actually taken down the power.
I think everyone is stumped as to why we haven’t seen more of this, but then again we don’t know if we haven’t seen more of it because Stuxnet continued for three years without being discovered. The effects were noticeable, but the cause was unknown. There have been a lot of other incidents over the years that could have been digital attacks, but we don’t know for sure.
If you look at the Sony hack, the government wanted to point out that when it comes to nation-states and the NSA’s ability to monitor what nation-states are doing, you can’t always be sure that you can remain anonymous. Nation-states are all positioning themselves to have the capability, to be in systems and be ready to do something if they need to, but they’re not taking that final step because they don’t need to yet.
Vladimir Putin’s attack in the U.S. election year sent a chill into the security community.
One of the things that is talked about a lot, and was mentioned in Alex Gibney’s film Zero Days, is that some countries have a kill switch for other countries, meaning they can shut off their whole grid if need be.
“Kill switch” is a very dramatic term, and there’s no such thing. One thing that I point out in the book is that you can take a system down, but it’s hard to keep it down. Things change much more quickly in the digital world than they do in the physical world. With digital systems, you can command a digital system silently in the background one day and then the very next day they may update the software, and suddenly you’ve been kicked out, and you’ve lost your access. So a digital blueprint is only suitable for that moment in time.
Let’s talk about emerging powers like Russia and China; these countries are building a robust digital arsenal and a generation of younger people who are very tech-savvy. What do you think their ambitions are within this cyber narrative?
Yes, the biggest adversaries for the US and Europe are Russia and China, in terms of capability and the will to do things. The aim here is to steal secrets. It’s conventional espionage done through digital means. Countries have always spied on each other to understand political plans. In the case of China the motivation probably leans a little more to economic espionage, because China wants to maintain, or even achieve, superiority over the US in terms of economics, so to build its businesses it takes the step of economic espionage to aid its companies and investments. That’s the primary aim, traditional surveillance.
The second element is the attack stages: setting up for a potential attack if you need it. If Russia, let’s say, does end up getting into some conflict with the US and with NATO, then it is already positioned to take out some systems to cripple troops and cripple leadership. So this is the planning stage of disabling an adversary in some way to gain an advantage over them.
The third stage would be positioning yourself to take out civilian systems, and that’s going to the nth degree. Here it’s a whole new and exciting realm for the US. The US has never had to face that kind of destruction. In the past, all of our wars have been fought outside of US borders, and our critical infrastructure here has been pretty safe.
No one could reach our airspace to bomb us, aside from the attack at Pearl Harbor. Now in the digital realm, that’s no longer the case. All critical infrastructure is on the front lines if it’s connected to the internet, and in some cases, even if it’s not connected to the internet, you can still get into the system.
What amazes me about what you’re saying is how highly connected everything becomes. This sense of territory, and the traditional way of fighting a war, is completely lost.
Right, and we saw that in the US in the case of Libya. When Libya was going through the first stages of its deterioration, the coalition forces were planning an airstrike, and the US was going to go in digitally and take out the communication systems. At the last minute, they decided not to do it because they couldn’t map the networks in a way that they felt confident would not affect all of the communications. If they went after the military connections, it was going to cascade out, and that’s the reason that they didn’t do that.
It also happened in the Iraq war with Saddam Hussein. There was a case reported where the government was going to go after Saddam Hussein’s financial accounts. It’s unclear exactly what they were going to do, but the treasury secretary intervened.
I want to bring in this element of information leaks like the Edward Snowden case. How do you feel his leak of information affected the sensitivity of this kind of cyberwarfare?
The Snowden leaks started a much more open acknowledgement from the government. They gave us a more significant idea of the scale of activity that’s going on by government hackers, whether for destruction or espionage. It’s primarily espionage being described in the Snowden documents, but it’s also setting the stage for future destructive attacks as well. They do talk about mapping out the critical infrastructure of adversaries and getting into those systems.
But what got the government finally acknowledging this activity was utterly unrelated to those, and that was the discovery of the Heartbleed vulnerability. It was all very careless. Heartbleed gets publicised in 2014, and what we learn here is that this zero-day (a vulnerability in some software that is unknown to its defenders) had existed in systems for years, and that it would give a well-resourced adversary with the capability of intercepting internet traffic the ability to decrypt it. This is a vulnerability that would be of use to a nation state.
Stills from the Alex Gibney documentary Zero Days
“The aim here is to steal secrets,” says Kim Zetter of nation-states
It feels as if we’re entering into a new kind of covert cold war. Would you agree with that?
Yes, this is creating a digital arms race. It’s an area that we don’t fully comprehend, and it hasn’t been well thought out even legally. We had an attempt with the release of the Tallinn Manual.
That’s a 600-page document that was produced by legal authorities as an attempt to determine if the laws of war that currently exist apply in the digital realm, and if they do, how do they apply? And if they don’t, then do we need new laws? For the most part, they concluded that the current rules of war do still apply in the digital realm, but there are a lot of new areas introduced by digital warfare that aren’t entirely covered by existing laws. So those have to be worked out.
We are entering a new age of warfare, and we don’t fully comprehend it. It’s the same with drone strikes. This technology moves too fast for legal issues to keep pace with it, and what we end up doing is trying to figure things out afterwards by looking at the consequences. We’re lucky that we haven’t seen other things like Stuxnet.
"We are entering a new age of warfare and we don’t fully comprehend it."
So what happens next? What do you think we will see as cyber-warfare begins to dominate how countries deal with each other?
I think we will see a lot of pockets of things happening. I don’t see a cyber Armageddon. I don’t understand cyber Pearl Harbor. But what I see is a lot of test cases. A lot of people felt that the attack on the Ukraine power grid was a test case, to see how far an attack like that could go. I think we will see a lot of unexplained incidents.
We’ve had a series of incidents that happen here in the US with airlines. In the last year and a half, we’ve had incidents where airlines have grounded all of their planes for a day.
That has happened probably three or four times. Each time the airline has said that there’s been a computer glitch, or the system has gone down, or something like that. That’s what they’re saying, but we don’t have an entirely clear explanation of what’s going on, and unfortunately, there is no governing body that investigates that kind of thing. We have a governing body that investigates crashes, and near misses, and things like that, but they’re not going to investigate what is going on with the computer systems of airlines.
So we’ll see things happen with unexplained, or not fully explained, causes. We’ll see something that could be test attacks, and not necessarily nation-states, but possibly just a single hacker, testing the limits of the system. There’ll be a lot more mystery as we try to figure out what’s going on, and we’re going to be left with a lot of unanswered questions. We aren’t going to know when something is an attack and when it isn’t.