Cyberspace Triggers a New Kind of Arms Race

In dark corners of the Internet, criminals vie for access to weapons available to anyone with cash and a computer.

Advances in automated cyber weapons are fueling the fires of war in cyberspace and enabling criminals and malicious nation-states to launch devastating attacks against thinly stretched human defenses. Allied forces must collaborate and deploy best-of-breed evaluation, validation and remediation technologies just to remain even in an escalating cyber arms race.

The wholesale investment in and propagation of cyber weaponry is behind the growing scale and severity of the threat forces face today. An arms race for offensive cyber capabilities among government, terrorist and other groups has resulted in a digital cold war with a goal of global dominance that has, up until now, only been achievable with conventional weapons.

Recent events indicate that nation-states and criminal gangs can penetrate the physical national infrastructure and hide their tracks. Large-scale cyber attacks crippled Germany’s rail networks, knocked out vital radiation-monitoring systems at the Chernobyl nuclear plant and hit more than 40 hospitals across Britain’s National Health Service.

To carry out such attacks, criminal cells trade caches of intelligent weapons in dark corners of the Internet in a cyber arms bazaar, allowing even unsophisticated hackers to strike with nation-state expertise and enabling nation-states to use crime gangs as proxies.

The U.S. armed forces as well as other security services operate on the front line of this cyberwar. The threats they confront become more numerous and dangerous every year, and attacks can hamstring key military systems and equipment. For example, the U.S. Air Force recently estimated that its network of more than 1 million airborne and ground-based computer systems faces over 1 million cyber attacks daily. Thomas Exline, U.S. Air Force cybersecurity and operations manager, says if just one of those systems goes down, “C-130s don’t fly, and Cheyenne Mountain Air Force Station doesn’t function.”

Examples of the number and effects of automated cyber warfare systems are growing more notorious. Identified in 2010, the Stuxnet virus was one of the first indications of the physical damage a cyber attack can trigger. This one self-replicating worm destroyed more than 1,000 nuclear centrifuges across an Iranian nuclear facility, setting back Iran’s nuclear ambitions by at least two years. In late 2015, attackers took down part of Ukraine’s power grid and used a telephone denial-of-service attack that prevented people from reporting outages to call centers. More recently, autonomous delivery software known as EternalBlue was leaked from a trove of next-generation cyber weaponry and used to distribute WannaCry ransomware packages en masse. The virtual transport tool enabled the ransomware to scan for a specific vulnerability in the file-sharing protocols set up across internal computer networks, then issued a payload whenever that vulnerability was found. As a result, a single weapon rendered more than 300,000 computer systems useless in at least 150 countries.

The nature of cyberspace means that these weapons are far easier to steal, smuggle or replicate than conventional armaments. Because it is easier and less costly to steal lines of code than a cruise missile, criminals increasingly are pilfering arsenals of cyber weapons and selling them in the digital “wild west” known as the dark web. Within this highly developed online black market, criminals barter the cyber equivalent of smart bombs and nuclear devices, many of which come complete with user guides, money-back guarantees and user ratings. Powerful custom-made tools designed to exploit unpatched vulnerabilities and autonomously reproduce themselves across the world are widely available to buy, rent or franchise. These tools also can be repurposed and customized for a particular task, from hacking a warship to stealing personal data from a school.

Evidence is now mounting that nation-states are deliberately sharing these kinds of cyber weapons with illegal hacker collectives, hiding their actions behind these groups and engaging in proxy wars similar to those of the Cold War. Anthony Ferrante, White House director of cyber incident response under the Obama administration, recently warned, “The Internet allows malicious cyber actors to deliver weaponized tools at a scope and scale like we’ve never seen.”

The connection works both ways, with cyber crime groups also sharing tools with governments in return for payment or protection from prosecution. These tools may be accidentally leaked or deliberately stolen, finding their way further down the food chain and ending up in the hands of low-level hackers. The increasing simplicity of these weapons means that users only require enough knowledge to operate them—even amateurs can wield the power of governments.

Many countries are sitting on a time bomb of vulnerabilities in their defense or critical infrastructure. Numerous organizations face a race against the clock, as they lack the human resources required to comb through thousands of networked systems for vulnerabilities that could be mass-exploited in seconds.

Last year’s (ISC)2 Global Information Security Workforce Study, one of the largest surveys of the global cybersecurity work force, predicts a shortfall of 1.8 million cybersecurity workers by 2022. The increasing use of automated cyber warfare weapons, coupled with the shortage of defenders, means military armed forces are fighting an uphill battle to protect themselves online.

Machine-aided cyber attacks further stretch overworked and in-demand cybersecurity personnel. To combat this trend, U.S. military forces, domestic intelligence communities and security services increasingly are deploying intelligent software to automate essential but time-consuming cybersecurity tasks.

Before the availability of automated auditing technology, nation-states often relied on human auditors to go through critical systems and networks with a fine-tooth comb in an extremely slow and costly process vulnerable to human error and knowledge gaps.

Traditional scanning software was then added to provide both network visibility and vulnerability assessments. Scanners replicated generic cyber attacks, indiscriminately bombarding networked systems in the hopes of finding a weakness. While this technique provided organizations an idea of how their networks would hold up against a typical attack, it lacked the thoroughness to delve into all aspects of their defenses.

The broad method missed vulnerabilities and left bases open to attack. In a move toward more modern cyber defenses, some developers are beginning to add elements of configuration analysis to scanning tools, but these are proving to be unsophisticated. The prevalence of false positives that scanning software produces and the validation of scan results continue to suck time from already overstretched cyber teams.

To address this issue, advanced cyber defenses now use legacy scanning software for network visibility but more detailed, faster configuration analysis software to identify configuration issues and vulnerabilities accurately.

Running scanners across military information technology infrastructure is the equivalent of an army shelling its own front line to find weak points. In contrast, advanced configuration analysis tools resemble a sniper’s focused shot. They scour individual network infrastructure components, use virtual modeling to find deep structural vulnerabilities, and produce systematic reports on how to improve defenses. These technologies can run a line-by-line audit of 200 systems in seconds, which means entire military bases can be audited in minutes, a process that could take human auditors weeks.

Acting as virtual cyber assistants, new automated technologies allow organizations to, in effect, deploy virtual armies to audit and secure defense infrastructure. Leading defense agencies and military forces, including the U.S. Defense Department, Air Force, Army, Navy and NATO, have been among the first to adopt automated cybersecurity auditing.

Automated configuration auditing works by replicating the skills of human testers and enables organizations to harden their firewalls and network devices at a speed and scale that is beyond human capabilities. For the military, this is a major asset.
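An illustration of the line-by-line configuration audit described above, added here as an example and not code from the article or from any vendor's product: a small set of hardening checks runs over a constructed, IOS-style device configuration and produces a report of findings with remediation text. The sample configuration, the check list and the function names are assumptions for illustration.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample configuration (IOS-like syntax, assumed for illustration;
# not taken from any real device).
SAMPLE_CONFIG = """\
hostname edge-fw-01
enable password cisco123
service password-encryption
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 login local
access-list 100 permit ip any any
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 10.1.1.5 eq 443
ntp server 10.1.1.1
"""

# Each check: (regex matched against one config line, severity, remediation).
# The list is an assumption; a real auditor would carry hundreds of such rules.
CHECKS = [
    (r"^enable password ", "high", "Use 'enable secret' so the password is stored hashed."),
    (r"^snmp-server community (public|private)\b", "high", "Remove default communities; prefer SNMPv3."),
    (r"^ip http server$", "medium", "Disable cleartext HTTP management ('no ip http server')."),
    (r"^\s*transport input .*\btelnet\b", "high", "Restrict management access to 'transport input ssh'."),
    (r"^access-list \d+ permit ip any any$", "high", "Replace the any-any rule with explicit least-privilege rules."),
]

def audit_config(text: str) -> List[Dict]:
    """Walk the configuration line by line and return every matched finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, severity, fix in CHECKS:
            if re.match(pattern, line):
                findings.append({"line": lineno, "severity": severity,
                                 "text": line.strip(), "fix": fix})
    return findings

def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per severity for the report header."""
    return dict(Counter(f["severity"] for f in findings))

if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    print("summary:", summarize(report))
    for f in report:
        print(f"line {f['line']:>2} [{f['severity']}] {f['text']} -> {f['fix']}")
```

Because each finding points at the exact configuration line and the rule that fired, a reviewer can validate it directly instead of re-testing the device, which is the false-positive burden the article attributes to network scanners.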

As nation-state cyberthreats to critical national infrastructure swell, senior military leaders are under constant pressure to ensure that the defenses of their digital assets are airtight. All too often, information security officers are bogged down in painstaking line-by-line analysis during auditing, allowing little time for more strategic and crucial tasks. Using automation tools enables leaders to reallocate security officers to more strategic and offensive cyber roles, leaving the security auditing to machines and plugging the military’s cybersecurity skills gap.