Amongst the extensive fallout from this week’s extraordinary release of the CIA’s cyber espionage documents, perhaps the most damaging is the realisation that governments contribute to the problem of cyber security as much as they try to fix it.
That was the conclusion of the open source group behind Linux, one of several operating systems the CIA allegedly sought to exploit. The release sent a shock wave through the big tech community, with vendors and platform operators rushing to reassure users their systems were secure. The Linux community pointed out that its systems are patched virtually daily. Apple, Google, Samsung and Cisco, the company whose routers and switches carry much of the internet’s traffic, all issued cautious but reassuring PR statements.
The CIA is a relatively recent player in the cyber world. Its big brother, the National Security Agency, has about double the budget and is very focused on the plumbing of the internet, screening trillions of bytes of data looking for malevolent actors.
In Australia, the NSA equivalent is the highly secretive Australian Signals Directorate. Most think it is ASD that would weaponise code for any of the “offensive strikes” the Australian government has admitted it undertakes to protect national interests.
Prime Minister Malcolm Turnbull has even declared that cyber security is the next frontier of warfare and espionage. So at the very time the government has put hundreds of millions into building cyber security capability, offensive capability included, it also has whole agencies running campaigns to promote e-safety. The vulnerabilities the federal government is warning civilians to be aware of are the same ones ASD relies on to spy on and attack bad actors.
This very mixed message confuses the vast bulk of citizens. Research suggests people are already fatigued by the scale of cyber attacks, with US evidence indicating many have just decided not to care, or have concluded they are victims of a new contagion they can’t defend against.
Nations are now undertaking major cyber offensives, most notably, according to US intelligence, the Russians. The Chinese have been playing this game for a long time, as have the Brits through GCHQ, their signals intelligence agency. Ordinary citizens are mere bit players as world powers play dangerous games in this arena.
The release of the CIA documents is a major security breach in its own right, and hugely embarrassing for the very agency that is meant to be ensuring American security. It has also lit up interest in Canberra’s Russell intelligence community, which shares much of its work with the US security agencies.
The attack methods used also underline two significant trends. The first is that the focus of CIA activity is very much at the deep end of the tech stack, the core operating systems. Widely deployed strong encryption has largely outrun the capability of most attackers, so the better strategy is to breach the operating system itself and capture data before it is encrypted or after it is decrypted: whatever is on the screen, typed at the keyboard and so on.
The nature of the CIA activity meant these were not mass attacks; they specifically targeted particular devices, routers, phones and (remarkably) an upscale Samsung TV. This is a device-by-device game. In the case of the CIA’s Samsung TV, the exploit required a USB device to be physically planted in the set so it could be turned into a spy device. All very James Bond 2017, but not the mass surveillance game Edward Snowden revealed.
This points to the second, more worrying, trend. That the CIA was exploiting the firmware weaknesses of these devices signals the looming security challenge as the number of internet-connected devices explodes, the so-called internet of things. The scenario is millions of internet-connected devices, parking meters, printers, cars and televisions, as potential devices of mass destruction.
Many ship with basic firmware and default passwords that are easily hacked, and late last year we saw the first of several major attacks of a scale not seen before: the Mirai botnet used hundreds of thousands of infected devices to flood and bring down Dyn, a major US DNS provider, taking many well-known websites offline with it.
It stretched the defences of even top-grade cyber security players such as Akamai. Akamai provides a delivery network for nearly a third of internet services that demand high-performance, industrial-grade delivery, such as the ABC and the Australian Tax Office. This gives it huge visibility over the internet, which it uses to secure those same clients and others.
Significantly, Akamai has observed a tripling in attacks from local sources, combined with an uplift in IP traffic volumes in Australia, following the US attacks. The same pattern is visible on the public website the Australian Communications and Media Authority runs for the Australian Internet Security Initiative.
According to Akamai’s local analysts, there was a similar uptick in malware volumes. This marks a tipping point in Australian cyber history. Until now most threats came from offshore and were often repelled by geo-blocking, better known as the Island Australia defence.
That defence assumed no real threats would originate from Australia. With evidence of major malevolent activity across the Australian internet, the assumption is no longer valid: a filter that admits traffic because its source is domestic simply waves a domestic botnet through.
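The Island Australia defence and its failure mode, as an added example that is not from the article: a toy geo-blocking filter beside a source-agnostic rate check, run over constructed firewall log lines. The prefix-to-country table is a stand-in for a real GeoIP database and uses the RFC 5737 documentation ranges (TEST-NET-1/2/3), so the country labels are assumptions for the demonstration only, as are the log lines and the window and threshold values.

```python
"""Added example: geo-blocking versus a per-source rate check.

Not code from the article or from any vendor named in it. The GEO_TABLE,
LOG_LINES, window and threshold are constructed for illustration.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed stand-in for a GeoIP database. These are RFC 5737 documentation
# prefixes, not real allocations; the country codes are assumed for the demo.
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "AU"),   # treated as domestic
    (ip_network("198.51.100.0/24"), "RU"),  # treated as offshore
    (ip_network("192.0.2.0/24"), "CN"),     # treated as offshore
]


def country_of(ip: str) -> str:
    """Map a source address to a country code via the toy table ("??" if unknown)."""
    addr = ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"


# Constructed log lines: "<epoch seconds> <source ip> <destination port>".
# 203.0.113.200 is a domestic source hammering the service; 203.0.113.5 is a
# single legitimate domestic hit; the other two sources are offshore.
LOG_LINES = """\
1489000000 198.51.100.7 443
1489000001 192.0.2.9 443
1489000001 203.0.113.5 443
1489000002 198.51.100.7 443
1489000002 203.0.113.200 443
1489000003 203.0.113.200 443
1489000003 203.0.113.200 443
1489000004 203.0.113.200 443
1489000004 192.0.2.9 443
1489000005 203.0.113.200 443
1489000005 203.0.113.200 443
1489000006 203.0.113.200 443
1489000006 198.51.100.7 443
1489000007 203.0.113.200 443
""".splitlines()


def parse(lines):
    """Turn raw log lines into (timestamp, source_ip, port) tuples."""
    events = []
    for line in lines:
        ts, src, port = line.split()
        events.append((int(ts), src, int(port)))
    return events


def geo_filter(events, allowed=("AU",)):
    """Island-style defence: drop anything whose source maps outside `allowed`.

    Returns (events that passed, set of blocked source addresses).
    """
    passed, blocked = [], set()
    for ev in events:
        if country_of(ev[1]) in allowed:
            passed.append(ev)
        else:
            blocked.add(ev[1])
    return passed, blocked


def rate_flag(events, window=10, threshold=5):
    """Source-agnostic check: flag any source with more than `threshold`
    connections inside any `window`-second span, wherever it is located."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, src, _ in sorted(events):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) > threshold:
            flagged.add(src)
    return flagged


def analyse(lines=LOG_LINES):
    """Run the geo filter first, then the rate check over what it let through."""
    events = parse(lines)
    passed, blocked = geo_filter(events)
    return {
        "geo_blocked": blocked,
        "geo_passed_sources": {e[1] for e in passed},
        "rate_flagged_after_geo": rate_flag(passed),
    }


if __name__ == "__main__":
    print(analyse())
```

Offshore sources are dropped by the geo filter as expected, but the domestic flood from 203.0.113.200 passes it untouched and is only caught by the rate check. The design point is that geo-blocking is a coarse first-stage filter, not a detection: once attack traffic originates locally, a behavioural check that ignores source location has to sit behind it.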
For government this is a major headache. Big agencies like the Australian Tax Office and Centrelink have industrial-grade protection, but as the recent Australian Bureau of Statistics and Bureau of Meteorology incidents revealed, there is a long list of federal and state government agencies that would be overwhelmed by an IoT botnet attack.
The asymmetry of most cyber attacks, where a cheap attack forces an expensive defence, is bluntly acknowledged in the federal government’s cyber strategy. The practical solution, according to the prime minister’s cyber adviser Alastair MacGibbon, is to push as fast as possible for agencies to move key data into highly secured cloud environments. This is a slow process given the complex legacy systems involved, and it does not really address the social engineering that is how most data is actually compromised. How the IoT is hardened is a policy issue fast coming Australia’s way.
But the more profound threat is an existential one. As nation states authorise dangerously provocative cyber attacks, there is a major risk of one getting out of control, spreading across the internet, bringing down major infrastructure and, in all likelihood, causing significant casualties. This network effect is like dynamite.
We tightly monitor other major network or viral threats, such as financial meltdown, deadly chemicals and of course nuclear weapons. The CIA documents suggest we also need to get rapidly more sophisticated in our understanding of, and response to, the explosion of vulnerable internet devices.