Sunday Insight: Rattling of the cyber sabres

By Juha Saarinen

The L.aCrews hackers have defaced 847 websites, showing no sign of stopping - or being stopped.

When Dani Wright set up a website to collect nursery rhymes from around the world, little did the Auckland writer and mum know that the site would be caught up in a shadowy battle between anonymous cyber guerrillas. Late last year, itsasmallworld.co.nz was broken into and defaced by Malaysian hackers called L.a Crews, who posted anti-Israeli and pro-Palestine messages on it twice.

"I didn't quite know what to do," Wright says. "Who do you call when these things happen? There is no police or fire service who can help."

Wright says her site is not commercial, but a resource for librarians and others interested in nursery rhymes. Sorting out the mess from the hack attacks was costly.

"It cost $400 each time, which is a fair bit of money for me," she says. "The $800 I spent on getting the site right would have been enough for a short break with the kids.

"You definitely feel more vulnerable and much less secure," she says. "I assume that the whole world can read what's on my computer and am careful about what goes on there."

Wright was not targeted for any reason apart from the fact that her site hosting company was vulnerable. At first she thought the attackers were Pakistani, as the defacement mentioned "the Pakistani Cyber Army".

Via Twitter, a Pakistani man saw what had happened and apologised to Wright. "He said it was nothing personal, just that some people get caught in the crossfire."

It wasn't anything personal. In less than a year, the L.aCrews hackers have defaced 847 websites, showing no sign of stopping - or being stopped.

Such cyber-attacks may seem like little more than online graffiti but they carry a mounting cost to the global economy. In the wake of the Boston Marathon bomb, a different group of Muslim terrorists hacked the Twitter accounts of several global media companies, sending out a fake tweet about two explosions at the White House that sent international markets into freefall. The hackers, from a group supporting the Syrian dictator Bashar al-Assad, infiltrated the Associated Press, National Public Radio, the BBC and 60 Minutes. They sent out a false tweet from the AP account this week, saying US President Barack Obama was injured.

Within minutes, the Dow Jones index had dropped 150 points. The markets soon recovered but the temporary drop was estimated by Reuters to have cost the markets US$13.6 billion ($16 billion). Only one conclusion can be drawn: a cyber-terrorist's virtual bomb can be almost as damaging as a real terrorist's pressure cooker and nails.

So to what extent is New Zealand under attack? Clearly, living in a remote corner of the planet does not afford us the same protection from cyber terrorists that we like to think it provides us from Al Qaeda and the like.

Prime Minister John Key says there have been attempts to steal New Zealand technology that "could be used to create weapons of mass destruction", but neither he nor the government agencies he's in charge of are willing to provide detail.

In many cases, that's because neither Key nor the spy agencies know for sure what's going on. By using unbreakable encryption, and multiple compromised systems on different networks, an attack that may appear to come from China could originate from anywhere.

Pointing the finger at any one country for cyber attacks, when the evidence is weak and fleeting, risks diplomatic incidents such as that between China and the US last month, sparring over who hacked whom.

New Zealand is a bit late to the cyber war party: The construction of most of our defences has been under way only since 2011. Several agencies including the Department of the Prime Minister and Cabinet are involved in the cyber war effort, but the geeks of the Government Communications Security Bureau (GCSB) are New Zealand's official cyber warriors. Tasked with keeping an eye on our networks and information technology system with an official budget of $57 million, the bureau is part of a global network of spy agencies in allied countries.

That network was once limited to intercepting communications between foreign nations, but now the role of the bureau looks set to widen as it has for similar agencies overseas. They are expected to not just listen in on communications but also to protect legitimate communications from being intercepted by shadowy digital miscreants, domestic and international. Underneath the GCSB is the NCSC (National Cyber Security Centre) which works with government agencies and aims to collect reports of cyber-attacks - and yes, the intelligence officials there believe New Zealand is under threat.

GCSB director Ian Fletcher - who, appropriately, was willing to answer questions only by email - says 90 incidents were reported to the NCSC in 2011, the year it was set up. Last year there were 134 reports and there have been 79 incidents this year.

"The fact that an incident has been reported indicates that a person or an organisation has detected activity," Fletcher says. "It should not be taken as meaning an incident caused disruption or harm.

"There's no reason to think New Zealand is any different from any other country when it comes to threats from cyber activity."

That's about all the detail Fletcher is willing to provide. To encourage further reporting of incidents, and so as to not attract further attacks on an existing target, the NCSC doesn't provide any more information.

That's one reason for not naming the hackers. Another is that we don't know who is to blame. "When it comes to identifying any individual threat, attribution is genuinely difficult," Fletcher says.

That assessment is echoed by the Prime Minister's Department. "The threats come from a range of sources - individuals or issues motivated groups, state actors, criminal groups and, in some instances, insiders," said Paul Ash, the manager for the Government's National Cyber Policy Office, at a speech at the New Zealand Information Security Forum this month.

"Attribution is a major challenge. It can be extraordinarily difficult to understand the source of a threat."

The thing with spooks is, they don't like to come out of the shadows. The Herald on Sunday spoke to several digital insiders who spoke on condition of anonymity. One security researcher says intelligence activity by overseas nations heightens during trade negotiations and state visits. However, this doesn't always require active espionage efforts and breaking into computer systems to steal data. "These days," the researcher suggests, "it's probably easier to use automatic tools to sift through social media to work out what's going on in any particular country - and nobody will notice."

Another, a former security consultant, pours cold water on New Zealand being under threat. "Anyone who is willing to talk to media about such targeted attacks would not have been involved in dealing with them," he says.

The buzz-term in the network security industry is APTs, or advanced persistent threats. These are hyped up to be seen as almost supernatural hackers with government backing who are able to get through just about any network protection.

Last month, Fletcher explained APTs at a security conference in Hamilton: "Advanced persistent threats are the sort of well-researched software that will defeat or bypass commercial security systems."

APTs are a convenient label with which to demonise countries such as China as cyber-attackers, but it may be more of a marketing notion coined by security vendors rather than an actual threat.

Should China count as an APT? German telco Deutsche Telekom's real-time Sicherheitstacho (security tachometer) shows that of the top 15 attack sources, the Russian Federation is the most common. Germany is second, followed by Taiwan, the US and Australia, with China 10th.

The lines are being drawn in a new Cold War, a cyber arms race in which each nation purports to be protecting itself from the aggression of the other. The US Cyber Command draws on staff and resources from the country's army, navy, air force and Marine Corps. Britain, South and North Korea have similar units and the People's Liberation Army of China established a cyber-threat department in 2010 in response to the Americans.

The US is arguably furthest down the road when it comes to preparing for action on the cyber front. This month, the US Air Force announced that it has designated six specific cyber tools as weapons.

A Nato-connected research institute, the Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia, finalised a manual on international law applicable to cyber warfare. Called the Tallinn Manual, the lengthy tome essentially sets out the rules of cyber war, defining when it's okay for attacked states to hit back.

The manual was developed to guide decision makers who until now have had to guess how international law around war applies to hostile cyber actions. Among the findings of the group of legal specialists that wrote the Tallinn Manual is that if cyber attacks cause disruption or damage on civilian infrastructure, it's an act of aggression and a country can retaliate.

In the same way, the manual appears to rule out first strikes such as the Stuxnet malicious program used to sabotage the Iranian nuclear fuel refinement programme. Stuxnet was allegedly written by Israeli and US intelligence services and reprogrammed industrial controllers in uranium enrichment centrifuges so that these spun out of control and broke. According to the Tallinn Manual, Iran would have been within its rights to strike back, if it had evidence of who deployed Stuxnet.

China and US military leaders held a meeting in Beijing this month on cooperation to prevent further nuclear weapons proliferation - and to contain cyber threats.

General Fang Fenghui said: "If the security of the Internet cannot be guaranteed, then results may be as serious as a nuclear bomb."

- Herald on Sunday

© Copyright 2014, APN New Zealand Limited
