'Cyber war will mean end of world as we know it'
Questions raised during press conference at Tel Aviv University cyber warfare panel event concern 'Die Hard' style disasters.
Eugene Kaspersky, the founder of the Russian Internet security firm that alerted the world to the Flame virus, ignited a fire of his own yesterday in Tel Aviv when he sketched out nightmare scenarios that cyberwarfare could cause.
Speaking at a press conference at "The Cyber Warfare Conference: Challenges in the Global, Political, and Technological Arenas," organized by Tel Aviv University's Yuval Ne'eman Science, Technology, and Security Workshop, Kaspersky said that Flame was "just the beginning," adding, "I'm afraid that it will be the end of the world as we know it."
In response to a question about what the world would look like after the kind of cyberterror apocalypse that he feared, he referenced the Hollywood-imagined dystopia of the 2007 film "Live Free or Die Hard," in which Bruce Willis, as cop John McClane, teams up with a young computer hacker to stop a cyberterror attack that is shutting down the United States.
"Before 'Die Hard 4.0,' the word cyberterrorism was a taboo in my company. It could not be uttered aloud or discussed with the media," Kaspersky said, adding that 15 minutes into the movie he fetched himself a glass of whiskey and a cigarette, and that 10 or 15 minutes later he refilled his glass and began shouting at the screen: "Why are you telling them [how to do this]?"
Kaspersky is not the only dystopian prophet around. "If somebody would have told me five years ago that by 2012 it would be commonplace for countries to launch cyberattacks against each other, I would not have believed it," Mikko Hypponen, chief research officer at Finland's F-Secure Corporation and an internationally recognized authority on cybercrime, wrote in The New York Times this week. "If somebody would have told me that a Western government would be using cybersabotage to attack the nuclear program of another government, I would have thought that's a Hollywood movie plot. Yet, that's exactly what's happening, for real."
Both Kaspersky and Hypponen have been accused of sowing panic and fanning the flames around Flame. But some experts say that even if Kaspersky's colorful descriptions may be over the top, the fact is that critical infrastructure in most of the world's countries is vulnerable to high-tech attacks. It happened in Iran, and it happened in Estonia in 2007, when a dispute with Russia over a Soviet-era statue triggered a massive distributed denial-of-service (DDoS ) attack that paralyzed the country for weeks.
When Guy Mizrahi, CEO of Israeli security firm Cyberia, was asked whether Kaspersky's apocalyptic scenarios were an exaggeration, he said that after the Hollywood special effects were toned down the dangers nevertheless remained. "It's a question of will and of capability, and today both exist," Mizrahi said, adding, "As soon as they join together, [Kaspersky] is not exaggerating. Today it's pretty easy to create significant cyberattacks that will affect our daily lives on every level," Mizrahi said.
But, he reminded his audience, "Just because you have the capability doesn't mean you will always use it." Mizrahi's colleagues say that most cyberweapons are developed for espionage purposes, as in the cases of Flame and Duqu, a worm related to the Stuxnet virus used against Iran's uranium enrichment program. Intelligence agencies are loath to give up their sources for the sake of sabotage.
Kaspersky said he believes that Flame cost less than $100 million to develop and that Stuxnet cost less than $10 million. He also said it is possible that Flame is still capable of sophisticated transmission, explaining that because of the enormous size of the virus there may still be undetected modules. He said that Flame underlines the danger of cyber warfare.
"These ideas are spreading too fast," Kaspersky later said, "That cyber boomerang may get back to you." He said governments must cooperate to stop such attacks, as they have done with nuclear, biological and chemical weapons.
Kaspersky used the example of an electricity-generating plant targeted by a virus similar to Flame. He explained that similar power plants anywhere in the world could end up being attacked by the virus.
"Flame is extremely complicated but I think many countries can do the same or very similar, even countries that don't have enough of the expertise at the moment. They can employ engineers or kidnap them, or employ 'hacktivists'," he said.
When Kaspersky speaks of these dangers, the main concern is Supervisory Control and Data Acquisition systems, known as Scada. It was Siemens' Scada systems used in Iran's nuclear program that was targeted by Stuxnet.
It was not for nought that Evyatar Matanya, head of Israel's new National Cyber Defense Authority, part of the Prime Minister's Office, said yesterday at the conference that his unit, in cooperation with the Ministry of Energy and Water Resources, has developed a pilot program that involved mapping and carrying out a risk assessment for all of the country's critical national infrastructure, with an eye to developing defense measures in the future.
The problem is the large number of different systems that were developed, long before anyone even thought of computer viruses, or for that matter of connecting these systems to the Internet. Mizrahi said that he has come across Scada systems that are based on Microsoft Windows 95 operating system, while Kaspersky topped him by talking about systems based on DOS, which, contrary to popular belief, is still out there somewhere.
Over the past several years many of these Scada systems have been adapted for remote control over the Internet. The interface between the old systems and the Internet can be a point of vulnerability, partly thanks to various hacking tools, but also because of the ease with which such systems can be found using search engines for hackers, such as Shodan.
"By definition, Scada systems are old systems," Mizrahi said. "They work, and they must continue to work, period. It's not a problem in some cases, because they aren't connected to the Internet. In other cases the systems are so old that the existing hacking tools don't work against them. But if somebody wanted to, he could pretty easily develop the capability to hurt them. And even systems that are not networked could be vulnerable," Mizrahi said.
However, the Scada systems aren't the only ones in jeopardy. Last year, Richard Clark, the former special advisor on cybersecurity to three U.S. presidents, said that the state of American cyber security was so serve that Washington needed to thik twice before launching a war.
Among other dangers, Clark wanted of a possible hit of military systems, saying that there was no way to ensure that U.S. equipment would wok when confronted with an enemy with cyber warfare capabilities.
To a large extent, Kaspersky is painting these extreme scenarios to support his campaign to get countries to stop developing cyber-warfare tools and establish an international treaty which prohibits the use of such measures.
While Russia publically shares Kaspersky's view, a report by U.S. intelligence agencies published last year determined that Moscow and Beijing were behind most of the espionage-motivated cyber attacks on the United States.
Hypponen, however, claims that the process can no longer be reversed, adding that the United States, as well as other countries, were already active in the field.
Nonetheless, Mizrahi said, one should "take into account not only the nightmare end-of-the-world scenario. The likelier probabilities are a much more banal."
"Someone can get into your bank [account], or steal information from your email," he said, adding that, "chances are that if you brought your computer into our labs right now, we'd find a Trojan horse.