Security expert Mark Russinovich talks about the complexities and ambiguities of cyber-warfare and cyber-terrorism.
Ten years after 9/11 the threat of terrorism remains. But the battleground has expanded beyond land, sea and air to include the digital realm.
In fact, this month U.S. Homeland Security Secretary Janet Napolitano called cyber-attacks the nation’s biggest challenge because the threat is so pervasive.
“It is by nature international in scope. There are no international conventions really to hang your hat on, so we are really dealing in a very amorphous world,” Napolitano told The Christian Science Monitor in remarks about the threat of cyber-terrorism.
Napolitano’s sentiment about the growing threat of cyber-warfare is echoed by Mark Russinovich, a technical fellow for Microsoft in the Windows Azure product team who is a widely recognized expert on design and security of operating systems. Russinovich is also the author of the novel Zero Day, a thriller that tells of the race to stop a global cyber-terrorism attack.
Russinovich shared his thoughts on modern cyber-terrorism with Government Technology and how the emerging threat affects America today.
GT: Why are cyber-attacks such a big threat today? Why are they more dangerous than they were in the past?
MR: I think that we’ve been vulnerable for a long time, and there’ve been a number of people high up in government and counterterrorism who have been saying for 15 to 20 years that we’ve been at risk for cyber-attack.
I think that the risk has gone up over time because all our systems are becoming even more dependent on computers. Everything now is run by computers, and the awareness of the ability to leverage cyber-space as an attack vehicle has been raised as well. Events like last year’s Stuxnet and all of the Anonymous and LulzSec attacks this year, and the breaches by China have raised awareness that [cyber-space] is a vehicle that can be used to great effect.
Another thing is that there are many more people who are proficient at this kind of activity, many who are available for hire. If you look at Eastern Bloc nations and China and Korea, there are a lot of extremely talented computer programmers having trouble finding jobs or are looking for lucrative jobs in the dark side of cyber. Right now a lot of them are being hired by cyber-crime gangs, but they could just as easily be hired by somebody willing to or wanting to perform an attack.
GT: So the motivation for a lot of out-of-work people could be to go to the dark side.
MR: That’s the way that a lot of these guys are. A lot of the guys behind the cyber-financial oriented crime are hackers who are being hired because they can make good money at it. But these guys don’t even know that they’re writing code for cyber-attacks. They believe that they’ve been hired to write pieces of malware. They don’t know what it’s going to be used for.
GT: Some hackers are so clandestine and insidious that they don’t even let their employees know what they’re really doing?
MR: Yeah, they don’t necessarily have to.
GT: When you said “cyber-financial,” you were referring to the general category and not a specific type of attack?
MR: The kind of malware that spreads to people’s machines and then logs their keystrokes so that [hackers] can get passwords to their financial accounts, and phishing attacks where people are lured to sites that look like their bank and are tricked into entering their passwords.
GT: Could cyber-warfare replace conventional warfare?
MR: I think that it becomes another battleground. I don’t think it makes sense to say that it’s going to replace it. Just like the sea’s the battleground, and land warfare is a battleground, cyber is another battleground. Depending on the scale of the confrontation and the goals of the confrontation, [cyber-space] can be used by itself or in conjunction with other theaters.
GT: Secretary Napolitano said recently that local governments should focus on maintaining security that’s already in place rather than buying what they don’t have. What are your feelings on that?
MR: I think that the federal government has put more emphasis on it than probably local governments have. One of the problems is, the federal government has a tremendous amount of resources at its disposal, so it’s able to, if it wants to, focus significant energy on cyber-security to get the right experts and the right policies. [In] state and local governments, resources are more limited and are likely to go directly toward the business rather than the hard-to-measure risks of cyber-space.
I think that once you get into the private sector, you’ve also got that issue as well. Most of our critical infrastructure is run by private industry, where there’s no regulation and no oversight and little incentive for them to invest money in cyber-security. All it takes is one hole in your defenses — that you could have invested unbelievable amounts of money in — to let somebody in and destroy you. If you put yourself in the shoes of somebody running a business, where being competitive means focusing that energy on the business, spending money on cyber-defenses — when you haven’t seen you or any of your competitors be attacked or suffer cyber-attacks — is going to be something that you’re probably not going to think of.
GT: What is an act of cyber-warfare? How do you define it?
MR: The Obama administration published a cyber-security strategy this summer. They’ve got a definition for an act of cyber-warfare … [pertaining to] the nation’s infrastructure. [If] cyber-systems are disrupted in any way, cyber or physical, that’s an act of cyber-war. And they went so far as to say that we reserve the right to retaliate kinetically or with physical military action in the face of something like that.
So from that perspective, I think that’s the definition that I go with. Somebody planting something in your systems so that they can monitor what you’re doing wouldn’t necessarily be classified as an act of cyber-warfare: [It’s] cyber-espionage — espionage being an activity that all governments have been engaged in since the beginning of time; that is kind of just part of doing business. If we find somebody spying in the country, we kick them out. We don’t respond by attacking that country, so I think that that’s a good way to draw the distinction between those two.
GT: How would a nation know whether or not a hacker was acting independently or on behalf of his or her government?
MR: I think that’s a huge problem when it comes to cyber-attacks, being able to tell who carried it out. When it comes to cyber-warfare though, usually there’s a buildup of incidents or confrontation that leads to the attack, and so it’s not necessarily so ambiguous.
GT: If you’re someone who’s savvy enough to launch an online attack, wouldn’t you know how to hide or mask it?
MR: That’s definitely a giant problem. The Google attacks from last year … Google says it was China, but there’s not really conclusive evidence that it was China. In Zero Day, I view a cyber-attack as being just an awesome weapon for terrorists because, if they’re carrying out a physical attack, that’s a lot easier to trace it back to exactly who did it. If it’s a cyber-attack, they can carry it out and it becomes very difficult to really attribute it to exactly where it was perpetrated from. I think that it is an interesting dilemma — the attribution problem in cyber-space.
GT: Does the government have that attribution problem?
MR: I think it’s a definite problem that we’ve got.