It’s a strange, twilight world.
[U]nlike the case with nuclear weapons, anyone can play. Wes Brown, who has never sold a bug or exploit to a government but whose Mosquito program may have inspired part of the best-known cyber-warfare operation so far, puts it simply. “You don’t have to be a nation-state to do this,” he says. “You just have to be really smart.” (Vanity Fair)
Hackers who unearth software bugs and create “zero day” exploits to capitalise on them are richly rewarded by criminals, brokers and governments.
“We wouldn’t share this with Google for even $1 million,” says Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”
Those customers, after all, don’t aim to fix Google’s security bugs or those of any other commercial software vendor. They’re government agencies who purchase such “zero-day” exploits, or hacking techniques that use undisclosed flaws in software, with the explicit intention of invading or disrupting the computers and phones of crime suspects and intelligence targets. (Forbes)
In 2007 it all turned very serious.
Named Stuxnet, the worm appeared to have come from the U.S. or Israel (or both), and it seemed to have destroyed uranium-enrichment centrifuges at Iran’s nuclear facility in Natanz. If the suppositions about Stuxnet are correct, then it was the first known cyber-weapon to cause significant physical damage to its target. Once released into the wild, Stuxnet performed a complex mission of seeking out and destroying its target. Jason Healey, a former White House official who now runs the Cyber Statecraft Initiative for the Atlantic Council, argues that Stuxnet was “the first autonomous weapon with an algorithm, not a human hand, pulling the trigger.” (Vanity Fair)
What the US perhaps overlooked in pushing this particular button is its inherently asymmetrical nature. As Brown said, “You just have to be really smart.” The barriers to entry are minimal and, sure enough, blowback has already started:
They [an American security SWAT team] came to investigate a computer-network attack that had occurred on August 15, 2012, on the eve of a Muslim holy day called Lailat al Qadr, “the Night of Power.” Technically the attack was crude, but its geopolitical implications would soon become alarming.
The data on three-quarters of the machines on the main computer network of Saudi Aramco had been destroyed. Hackers who identified themselves as Islamic and called themselves the Cutting Sword of Justice executed a full wipe of the hard drives of 30,000 Aramco personal computers. For good measure, as a kind of calling card, the hackers lit up the screen of each machine they wiped with a single image, of an American flag on fire. (VF)
Maybe Iran was behind it, maybe not. In any case, they certainly wouldn’t have shed any tears. What’s really scary is how quickly (and how far) things could escalate:
Even so, many current and former government officials took account of the brute force on display and shuddered to think what might have happened if the target had been different: the Port of Los Angeles, say, or the Social Security Administration, or O’Hare International Airport. Holy shit, one former national-security official recalls thinking—pick any network you want, and they could do this to it. Just wipe it clean. (VF)
Holy shit indeed.