Unseen, all-out cyber war on the US has begun

Security pros and government officials warn of a possible cyber 9/11 involving banks, utilities, other companies, or the Internet

There's a war going on, and it's raging here at home -- not in the streets or the fields, but on the Internet. You can think of it as a war on the digital homeland. If you work for a power company, bank, defense contractor, transportation provider, or other critical infrastructure type of operation, your organization might be in the direct line of fire. And everyone can become collateral damage.

A cyber war has been brewing for at least the past year, and although you might view this battle as governments going head to head in a shadow fight, security experts say the battleground is shifting from government entities to the private sector, to civilian targets that provide many essential services to U.S. citizens.

The cyber war has seen various attacks around the world, with incidents such as Stuxnet, Flame, and Red October garnering attention. Some attacks have been against government systems, but attackers are increasingly likely to target civilian entities. U.S. banks and utilities have already been hit.

"The cyber war has been under way in the private sector for the past year," says Israel Martinez, a board member of the U.S. National Cyber Security Council, a nonprofit group composed of federal government and private sector executives.

"We're finding espionage, advanced persistent threats (APTs), and other malware sitting in networks, often for more than a year before it's ever detected," Martinez says. He says U.S. entities are being targeted on multiple fronts by China and Iran for espionage and intellectual property theft, by interests in Russia and Eastern Europe for syndicated crime such stealing cash and identities, by social-agenda "hacktivist" groups such as Anonymous, and by increasingly skilled individual criminal hackers.

The cyber war now raging in the digital homeland

Such attacks have been going on for years, but what's new is the cyber war brewing between the United States and Israel on one side and Iran on the other, says Emilian Papadopoulos, chief of staff at Good Harbor Security Risk Management, a consulting firm focused on cyber threats.

Stuxnet, for example, was developed by Israel with U.S. support to hobble Iranian nuclear facilities, according to the New York Times and several security experts who spoke to InfoWorld off the record. Iran also accuses the United States and Israel of the cyber attacks that took Iran's Oil Ministry and a major oil terminal offline, Papadopoulos says.

Iran or its proxies have apparently hit back with cyber attacks on U.S. banks, government officials say. Iran may have also been behind the Shamoon virus that wiped 30,000 hard drives and took computer networks offline for weeks at the oil producer Saudi Aramco, Papadopoulos says.

A 2011 attack on European certificate authority DigiNotar compromised the certificate system that underlies the Internet and enables users to trust in the identity of websites they visit and the source of communications they receive, Papadopoulos says.

"We have seen cyber attacks evolve from espionage attacks that steal intellectual property or monitor communications to disruptive or destructive attacks. ... Destructive and disruptive cyber attacks are relatively uncharted -- and troubling -- territory," he says.

The private sector owns and operates the infrastructure and systems that form the backbone of the Internet, and attacks on that system could break down trust in the Internet, with major economic and operational impact, Papadopoulos says.

"In the past six months, we've seen foreign attacks on oil and gas companies in the Middle East and on U.S. banks, including Bank of America, PNC Bank, Wells Fargo, Citigroup, HSBC, and SunTrust. How will we react if the next attack is against the electric grid, or our food and water supply?" he asks.

In recent months, cyber attacks have become much more sophisticated, says the Cyber Security Council's Martinez. In some cases, overseas attackers have taken over servers in the United States that they then used to launch secondary attacks, making it appear as if one U.S. company was attacking another.

"The good news is [security] teams in most Fortune 500 companies are able to detect this and reverse it, but this type of threat is going to be a very big problem for us over the next 12 months," Martinez says.

Another battleground in the cyber war is the software industry. Much as we saw with the APT attack against Adobe Systems' software last year and with the attacks using weaknesses in Oracle's client-side Java over the last several years, we can expect to see more attacks against trusted software providers such as antivirus vendors, says Pat Clawson, CEO of security products vendor Lumension. "The attackers want to get to the unparalleled access they have to their customers," he says. "Once the antivirus vendors' payloads are compromised, the devastation could be staggering." Such fears explain why the feds recently advised all Americans to disable the compromised Java in their browsers.

Such cyber attacks on U.S. companies and their overseas partners, as well as on the Internet infrastructure, could be as devastating as the 9/11 attacks on the World Trade Center and the Pentagon, warned Leon Panetta, the U.S. Secretary of Defense. And Janet Napolitano, the Secretary of Homeland Security, warned just last week that a cyber 9/11 attack could happen at any time.

Cyber attacks and counterattacks are escalating

With the digital homeland now a cyber battlefield, "the paradigm in the U.S. must shift from defense to offense -- within internationally appropriate rules of engagement, of course. But offense will be necessary because a pure defensive strategy is not sustainable," says the Cyber Security Council's Martinez.

The U.S./Israeli cyber attacks on Iran are an example of such an offensive. But they likely unleashed attacks on the digital homeland in response. "It is nearly impossible for us to really know cause and effect here, but there has definitely been an escalating pattern of attacks," Papadopoulos says.

The escalation of attacks against private-sector targets is extremely troubling, he says. "If the attacks keep escalating and happening with more frequency and against more private-sector companies, we are putting at risk the stability and security of cyber space."

Nations have been testing each other's armor for a long time, more quietly than not, says Lumension's Clawson. Knowing your opponents' weaknesses is an important part of any defensive strategy, he says. That drives some of the offensive actions. Stuxnet, for example, "is a heavy engineering exercise that crossed never-seen-before-boundaries ... malware that could do new things."

But such offensive tests can also help the governments attacked respond more effectively, Clawson says. "That massive engineering effort is now being reengineered against us." Martinez concurs: "In the case of Stuxnet, an offensive maneuver engendered an offensive cyber response." As another example, Clawson notes that the apparently Iranian attack on Saudi Aramco had elements of the allegedly Israeli/U.S. Flame in its architecture.

Breaking the cycle of attacks and counterattacks

Ultimately, the solution to the cycle of cyber violence must be political, Martinez notes. Such attacks "are symptoms of a larger problem that must be resolved between ideologies of two very different cultures and people. ... In some cyber incidents, it's about the perceived or maybe true imbalance between corrupt power and common people. Balancing between these parties, toward the best interest and security of the common people, is a difficult task."

Until the conflicts are resolved, "almost everyone becomes a victim of unintended consequences during war, even cyber war," Martinez says. "Cyber war may be digital, but it is still a form of war."

Because cyber conflict is relatively new, interested parties need to focus more energy and attention on developing international norms that will say what is acceptable behavior and what is not, advises Good Harbor's Papadopoulos. That is crucial for maintaining a stable, secure, and trusted Internet, he says.

Although some experts are trying to apply international law to curtail cyber war, these efforts are advancing slowly, and each new attack and counterattack implicitly establishes norms about what is acceptable, he says.

Clearly, the private sector has a vested interest in a stable, secure cyber space and needs to advocate for international norms that will rein in cyber conflict and attacks on critical infrastructure and other companies, Papadopoulos says.

Playing defense at home until the cyber war ends

In the meantime, government policymakers and corporate CEOs alike need to think about and plan for escalating cyber conflicts and for disruptive and destructive attacks, not just espionage or intellectual property theft -- the major focus undertaken against advanced persistent threats and hacks in recent years. After all, more countries and groups will gain the ability to launch sophisticated attacks, Papadopoulos says.

Policies such as the 2012 Securities and Exchange Commission's Guidance on Cyber Disclosure now require many Fortune 500 companies to report any type of meaningful cyber threats in their organizations, Martinez says. This is leading to an "age of transparency -- whether we like it or not -- which is a good thing because we now share more information about attacks, which allows us to more easily target bad actors," he says.

Still, Papadopoulos says the cyber attacks on the private sector raise difficult questions: "What kinds of companies are fair targets? What kinds of attacks are acceptable?" Also, are companies liable when their services are disrupted by foreign attack? And who pays for clean-up, repairs, and compensation to affected customers?

Another key question: What is the government's role in protecting critical companies? In October 2012, Secretary of Defense Panetta said it was not the DoD's mission to provide for the day-to-day security of private and commercial networks, although he acknowledged the Pentagon had a role in the event of a "crippling cyber attack," Papadopoulos says.

Recently, there were reports of banks seeking help from the National Security Agency, Papadopoulos says. "How will the government's role change if we see more and more attacks against companies and they are more and more disruptive or destructive?" he says. That's a question many more people may ask if the world cyber war indeed escalates.

One thing is clear: The era of cyber warfare is here, and it's happening on the homefront.

This story, "Unseen, all-out cyber war on the U.S. has begun," was originally published at InfoWorld.com. Follow the latest developments in information security at InfoWorld.com. For the latest developments in business technology news, follow InfoWorld.com on Twitter.
