When The Biggest Hacker On The Block Is Your State

30/05/2017 14:29

Once the province of the bored but gifted teenager or lone wolf technical aficionado, effective cyber attack became the bailiwick of various hacking and hacktivist groups, from the Cult of the Dead Cow, through loose affiliations such as Anonymous, to the very recent emergence of exploit leakers and auctioneers the Shadow Brokers. Some have political agendas while others profess a desire to counter the perceived lack of professionalism of large software producers. Alongside this we have seen the rise of well-funded criminal groups. In the 21st Century, however, nation states have emerged as major offensive players. This has reared its head again in the wake of the recent WannaCry ransomware attack. The vulnerability underpinning the attack seems to have originated with the National Security Administration (NSA) in the USA and the attack itself may be the result of North Korean action. The direction of travel is clear: various states are 'tooling up' for the cyber challenges ahead, developing and maintaining active cyber capability. There are good reasons why states would wish to do so.

Firstly, state cyber attack capability is clearly deployable - witness the number of major cyber attacks with suspected state involvement. From early 21st Century attacks on a variety of US systems (with suspected Chinese involvement), through attacks on Estonia and Georgia (when at loggerheads with their superpower neighbour), to the suspected retaliatory targeting of Sony following an unflattering depiction of North Korean leader Kim Jong-un, the role of the state looms large. Carefully crafted cyber attacks 'work'.

Secondly, attack attribution is fraught. Much public attribution is based on code analysis and is circumstantial and spoofable. Furthermore, assertions of attribution, whether correct or not, are seen as political statements made by stakeholders who are far from disinterested; there is generally an element of 'They would say that, wouldn't they?'. Even when conclusive evidence of attribution exists it may not be possible to release it. Plausible deniability is often achievable. Some states may wish to claim responsibility for cyber attacks; others may wish to deny all involvement; others will deny any involvement but privately welcome that they are deemed (probably correctly) to be advanced enough to launch sophisticated attacks; whilst others may wish to attack and implicate other states. An attack by a nation state and an attack by individuals or groups seemingly acting with goals that would meet with state approval might be difficult to distinguish, a convenience for some states. Also, attacks do not need to be launched from within the physical boundaries of the responsible nation state. Analysis for attribution may also need to go back several years. Determining the ultimate 'source' poses significant challenges.

Thirdly, advanced economies are hugely dependent on IT and the fabric of our society is set to become more computer-centric with the rise of, for example, the Internet of Things, smart homes, smart cities, smart vehicles and transport infrastructure, and manufacturing automation. There are juicy targets galore and the set is expanding. Disabling a health service's IT or an intelligent transport system by cyber means is ultimately a far easier and more attractive proposition than lobbing a nuke. Plausible deniability is much better, of course.

Finally, cyber attack is cost-effective beyond belief. The economics are monumentally non-linear: it may take a single researcher only a few hours to discover a flaw with the technical force of a digital nuke. The destruction per dollar may be enormous. Similarly, where intellectual property or other confidential information is concerned, whether the domain be diplomatic, military, or commercial, the advantages of cyber theft over toil are clear.

The economics of cyber-weaponry raises uncomfortable issues for advanced nation states. They can and do maintain a general technological lead in cyber matters and are able to fund significant tooling up for the tasks ahead. But the economics of cyber attack means that the bar to entry is not prohibitive. A small but highly talented team can wreak enormous damage and be a major offensive asset. You simply don't need a Manhattan Project. Cyber warfare may be the ultimate expression of the power of ideas and intellectual talent and the most advanced economies of the world do not have a monopoly on that.

Overall the rationale for maintaining a direct engagement capability seems overwhelming, whether states admit to it or not. We will doubtless see many more states build up significant capability and there remains the possibility of various pseudo-states doing so. Interesting times lie ahead.