The difference between cyber crime, cyber espionage and cyber war is a matter of a few keystrokes. They use the same techniques.
These were the words of Richard Clarke, chairman of Good Harbor Consulting, during his keynote at the RSA Europe 2010 conference, being held in London this week.
Giving background, he said cyber crime is not a theory; it goes on every day. "Just two weeks ago, there were arrests of a cyber cartel in the US. However, those arrested were students, acting as mules. To be a mule all they have to do is open a bank account and allow money to flow in and out of it. They are on the lowest level of the cyber crime structure."
This is typically the situation in cyber crime, explained Clarke. "These cartels are often based in Moldova, Estonia, Belarus or Russia. Once there has been an investigation, often long and complicated, using warrants to search computers and servers, crimes are traced back to these countries. However, when the investigators ask for co-operation from these countries, none is forthcoming. They have become, in effect, cyber sanctuaries."
As long as the attacks happen outside their countries, he added, and the cyber criminals give the police kickbacks, they turn a blind eye. This can also take on a more sinister tone: when governments need a friendly hacker to attack another nation, they use these cyber criminals and gain a little plausible deniability when a finger is pointed at them.
"This is not dissimilar to the situation that arose about money laundering," added Clarke. "Countries that traditionally used to launder money were approached, and given a set of norms established to prevent the problem, and standards for enforcement. Nothing happened until they were approached again, and threatened with consequences, such as the devaluation of their currency."
The same can be done for cyber crime, he stated. "If they don't live up to the standards there will be consequences. For example, we could limit traffic in and out of those countries, or filter and monitor that traffic. At the moment, nothing is being done. The fact is today, cyber crime pays."
In fact, Clarke said cyber criminals are making so much money they are hiring computer scientists to alter hardware or firmware that is being produced to ensure they will have a backdoor to exploit through an existing flaw.
"Who are the victims here?" he asked. "Traditionally, the banks are seen as victims as they usually pay out losses to customers. However, the banks filter those costs down to their customers. We are paying the price."
Major corporations hire business intelligence firms to get them information on their competitors, and too often are not fussy about where the intelligence comes from, he explained. "In this case, things stolen will include industrial designs, chemical formulas, new product information or release information, aerospace information and so on."
Clarke cited as an example the recent Google hack that was traced to attacks on 3 000 other US companies, all of which had updated AV, intrusion detection, intrusion prevention, firewalls and similar. Many of these companies were spending tens or hundreds of millions a year on cyber security.
More worrying though, he said, was the fact that most companies in the US that knew they had been attacked were informed by a source outside the company. "When people come into your network to copy information, the information is still there. It's not like an art heist where the painting is missing from the wall. This makes it much harder to detect. The network will look as if no one has been on it. Terabytes of information could have left the system."
Occasionally people do see it. He said recently a very advanced cyber research facility discovered they were being hacked, and could only stop it by pulling the plug. Each block they instituted was counter-attacked. As a result they were offline for days.
"If this is happening to such advanced companies, what is happening to less sophisticated organisations? They are losing information, including vital data such as source codes for operating systems and routers. How then do you protect the network?"
The answer: a few keystrokes. "The same techniques apply. What is cyber warfare? Going into someone else's network, with the intent of damaging, disrupting or destroying."
He said the US conducted an experiment, accessing the Internet, then an intranet, then into a SCADA system, to manipulate a generator, causing it to explode. This can be done.
Clarke cited some potential consequences from hacking and controlling SCADA systems. "You could cause trains to derail, blow up generators, melt power lines. The recent pipeline in San Francisco, which is still being investigated, could have happened as a result of this. The control system can be made to appear perfectly normal, while the functionality is being messed with, by blocking one end of the pipeline, causing it to explode."
Think of the damage that could be done to financial institutions or stock exchanges, said Clarke. The recent debacle where the US stock exchange went down, with stocks gaining and losing extreme value for an hour, and being closed down, could have resulted from this. "Their solution? Pretend it had never happened."
Neither of these, however, is an example of intentional attack. "Stuxnet is the first example of a malicious attack involving SCADA systems. It made use of four zero-day vulnerabilities. However, most unusual, was its use of built-in controls, limiting its replication, where it would attack and similar. It was after Siemens WinCC systems, not broader SCADA systems. It was narrowly targeted, like a guided missile."
The question is, he said, is cyber war about to happen tomorrow? No. "Nation states don't rush out and use their new toys. They put them in the inventory for when they need them. It does mean that should they get into a conflict situation, instead of using a cruise missile, they could launch a cyber attack. I cannot imagine a scenario, for example, where the US or the UK would be involved in a war with Russia or China."
Also, Clarke advised to bear in mind that Stuxnet was targeted at Iran. "For some time, the Iranian nuclear weapons programme has been causing controversy across the world. Sanctions have been passed to prevent them from producing nuclear weapons.
"It's not hard to imagine a scenario where the US, Israel and Iran are fighting each other. If bombs were falling on Iranian soil, would they be satisfied with only retaliating at home? Wouldn't they want to attack the US? Iran could launch a cyber attack that could cripple systems in the US. No one has a great cyber defence. The fact that the US could retaliate doesn't really matter.
"In all countries we have to stop worrying about cyber war on the offence, and start worrying about it on the defence. We need plans – strategy doesn't really tell you how to defend the country in the event of a cyber attack."
What, too, of cyber peace? he asked. "What about treaties or agreements? If you don't begin the process you'll never get there. Sure it takes a while, as did the nuclear arms treaties, but you have to start somewhere. We can have cyber arms control agreements that will make us safer.
"One last thing," he concluded. "Instead of spending money on security solutions, maybe we need to seriously think of redesigning network architecture, giving money for research into the next protocols, maybe even think about another, more secure Internet."