An analysis of cyber warfare and its geopolitical consequences. How will the proliferation of advanced hacking technology affect Russia, and what role does Kaspersky Labs play?
As the stakes of cyber war and crime grow ever higher, governments are bilaterally aligning towards an entirely new kind of conflict while digital criminal enterprises are growing exponentially. International software proliferation means that private industry is playing an increasingly important role that regimes are eager to exploit; in Russia, the foremost such company is Kaspersky Labs. While Evgeny Kaspersky emphasizes the political independence of his company, serious questions remain about his connections with the FSB.
Background
Cyber attacks by relatively amateur groups such as Anonymous and Lizard Squad have cast a deceptive light on the cyber threat. These groups, who often make the news by attacking high-profile targets with low-complexity attacks such as Cross Site Scripting (XSS), SQL Injection (SQLi), or Denial of Service (DoS/DDoS), make the news far more often than more legitimate, widespread security threats such as Shellshock, BadUSB, or the infamous Heartbleed bug. The true nature of the cyber security threat exists in scripts that exploit security flaws such as the above, are virtually undetectable by all but the most advanced security companies, and are almost certainly state-sponsored.
With the combined knowledge of some of the world’s foremost experts on network security, a number of countries have begun to engage in what can effectively be labeled a cyber war. The goal of this conflict is far from conventional; the discovery of vulnerabilities in utility grids, military-grade research projects, and the extraction of intelligence from information systems take priority. This creates a very small number of actionable targets for cyber espionage, however the methods utilized, once exposed, become circulated first among upper-tier hackers and then amateur criminals, creating second and third-line effects that could prove catastrophic.
A New World Alignment
At the private level, cyber attacks are motivated mostly by financial gain, with loose alliances emerging and dissipating with the rise and fall of common interests, but at the state level more permanent relationships have begun to emerge. The most advanced techniques are known to utilize multiple zero-day flaws, vulnerabilities for which no software patch yet exists, and reportedly involve cooperation between states. The technical expertise required to identify these vulnerabilities, as well as the all-source intelligence cooperation required to identify attack vectors on secure targets, suggests these inter-nation relationships are anything but temporary, and two clear but unofficial alliances have begun to emerge.
In the West, NATO countries and Israel seem to have formed a common alliance to develop the most sophisticated cyber weaponry in the world. Cooperation within NATO is a natural extension of the existing treaty, with Estonia and its Cooperative Cyber Defence Centre of Excellence designated as NATO’s cyber powerhouse. Individual relationships between NATO countries are likewise strong, as alleged by Edward Snowden after he leaked documents showing that the NSA had provided GCHQ, its British counterpart, with at least EUR 100 million in funding in return for maintaining close cooperation. Meanwhile, the U.S., and therefore its NATO partners, seems intent on developing its relationship with Israel even further, most likely due to its common goal in preventing nuclear proliferation in Iran. So long as this goal is maintained, and given the secrecy associated with cyber warfare, it’s unlikely that Israel will actively develop a cyber relationship with Russia, in contrast to their warming relationships in other arenas.
In the East, Russia and China signed an unlikely cybersecurity treaty promising cooperation through joint cybersecurity operations and projects. The stated goal of this treaty is to cooperate on issues relating to cyber defense, not offense, but its common knowledge that there is virtually no difference between the skillsets involved in defensive and offensive hacking. This creates the potential for hacking techniques and procedures to be shared between China and Russia, posing a serious threat to Western nations. China’s cyber professionals, often referred to as the equivalent of a bull in a china shop, are notorious for wreaking havoc on targets and extracting information while leaving multiple clues indicating that an attack occurred and who was behind it. Russia, on the other hand, is known to conduct stealthier hacks that often go unnoticed, leading many US intelligence professionals to question whether Russia is actually the greater threat. If a learning relationship were established between these two nations, China’s ability and willingness to steal intellectual information would skyrocket, as the decreased likelihood of its attacks being noticed would reduce the risk associated with exacerbating tensions with the U.S.
While the majority of hostilities between these alliances are kept covert, NATO’s hesitation to identify the threshold whereby a cyber attack would trigger an Article 5 response has allowed for multiple overt attacks on NATO or NATO-affiliated countries with no clear directive for response. As a result, high profile state-sponsored attacks such as the ones directed at Sony and JP Morgan are likely to continue in the face of relatively weak responses, such as temporarily disabling a country’s network.
A Growing Industry
As government cyber offensives become more complex, criminal enterprises are becoming more prevalent to the point of becoming a legitimate threat to national security. In 2007, the number of cyber attacks affecting federal agencies reported to the United States Computer Emergency Readiness Team numbered 5,500, by 2012 that number reached 48,500. The number of attempted attacks has likewise risen exponentially; the Pentagon and National Nuclear Security Administration each suffer 10 million cyber-intrusion attempts per day, and large companies such as BP report suffering 50,000 attacks per day. A recent report by Cisco likewise claims malicious traffic has seen “unprecedented growth” in advanced attacks, saying the number of vulnerabilities found in software and the threat level from hackers is the highest it’s been since 2000.
These attacks aren’t only growing in number, they’re also growing in complexity. As new exploits and techniques are discovered, more experienced hackers encode their methods and sell the resulting software to amateurs, vastly lowering the expertise required to conduct complex attacks and opening participation in the industry to a much larger group of individuals. Now, even top-level hackers exchange zero-day exploits on dark-web markets.
This explosion in attack growth has had an interesting effect on governments’ role in the digital world. On one hand, agencies can recruit new talent from an ever-growing pool of professionals to create highly sophisticated malware with specific target sets. On the other, exponential growth in technology and the number of hackers developing and learning from advanced techniques is slowly exceeding governments’ ability to stay ahead of the market, as the sheer number of attacks exceeds the human resources able to be allocated. To keep up, governments will almost certainly increasingly rely on private security companies, developing intimate relationships to not only neutralize external threats but also create flaws that can be exploited by the respective agency. For Russia, the most visible such company is Kaspersky Labs.
The Kaspersky Connection
While government-sponsored hack groups have proven extremely efficient at identifying vulnerabilities and carrying out attacks, the most valuable assets in the cyber war are the companies who produce the technology being attacked. Having access to product specifications and schematics gives a hacker intimate knowledge of the target, and therefore allows them to identify new zero-day vulnerabilities. In the West, the NSA is notorious for strong-arming tech companies into provided this information, though these claims are vehemently denied as it could irreparably damage companies’ holds over overseas markets. In the East, the fast-growing Kaspersky Labs appears to be filling the equivalent role.
Trained at the KGB-backed Institute of Cryptograph, Telecommunications, and Computer Science, Kaspersky was commissioned as a Soviet Intelligence Officer in 1987. His interest in computer security began in 1991 when his system was infected by a virus called “Cascade;” seven years later Kaspersky Labs was founded.
Evgeny Kaspersky and his company Kaspersky Labs are without a doubt among the top private security experts in the world. Kaspersky’s software currently protects an estimated 270 million businesses from cyber attack, and companies such as Microsoft, Cisco, and Juniper Networks even embed its software into their products. Given that the field of cybersecurity is rapidly evolving, these products almost certainly require that Kaspersky’s servers be regularly pinged for updates, creating a clear medium through which digital backdoors into software could be embedded or exploited. The question is, would Kaspersky sacrifice his company’s standing to engage in a state-directed cyber offensive?
Kaspersky Labs came under fire last March after a Bloomberg exposé linked Kaspersky to the Russian FSB, claiming personal relationships between Kaspersky and senior FSB officers, as well as allegations that Kaspersky replaced a number of his senior employees with FSB agents. Critics are also vocal about allegations that Kaspersky regularly meets with FSB officials to spend time in the banya (a Russian sauna), though the documented relationship between the organizations is far more concerning. Kaspersky Labs is known to conduct training for the FSB, and provides consulting services on a regular basis to the point of actively assisting with situations related to Russia’s national security. Of particular importance is Kaspersky’s Global Research and Expert Analysis Team (GREAT), the group of his most skilled hackers. The group has certainly earned its title; they exposed many of the NSA’s most advanced offensive tools, including Stuxnet, Flame, and the recent firmware discovery, and have cracked a number of high-profile criminal cases. It should be noted, however, that the vast majority of malware discovered is attributable to Western governments or criminal enterprises, and rarely the Russian government.
Kaspersky’s assistance to the FSB is also reciprocated. In April 2011, Kaspersky called in a personal favor with the FSB when his son was kidnapped, and the agency immediately set to work on tracing calls and conducting surveillance of various locations. Ivan was recovered safely after four days, and Kaspersky initially blamed himself for failing to protect his family. Then, conveniently as Russian political opposition groups gained momentum online, a Russia Today documentary was created encouraging all internet users to protect themselves by disconnecting their lives from the internet. Kaspersky was featured prominently, having changed his stance on the kidnapping of his son, blaming the Russian social networking service Vkontakte for tempting Ivan into posting personal information such as his address, saying, “if a site asks for private information, then criminal charges should be brought against it in the event of a leak.” Kaspersky’s ex-wife Natalya later contradicted his position, telling journalists that Ivan had used a fake address online, and that the kidnappers had probably followed Ivan for some period of time to develop a pattern of life. Regardless of the circumstances under which Ivan was kidnapped, the ordeal quickly became a political tool of the regime, and Kaspersky showed that he was more than willing to cooperate.
At the same time, close relations between large Russian companies and state security agencies is quite common. Alexei Kondaurov, a former General of the KGB, said that apart from Putin himself, “there is nobody today who can say no to the FSB,” and one current FSB Colonel openly admitted that the FSB “must make sure that companies don’t make decisions that are not in the interest of the state.” Kaspersky readily asserts that the FSB has never made a request to create backdoors in his software, and that his teams detect and defend against malware regardless of its origin, however Putin’s previous willingness to go after Russia’s oligarchs makes it extremely unlikely that Kaspersky would refuse such a request, or would be able to prevent it if he were to.
Going Forward
For now, the Western world appears to maintain the advantage in cybersecurity and offensive strategies, though the recent exposures of multiple U.S.-backed malwares by Kaspersky has dealt what could be a severe blow to Western cyveillance capabilities. Worse, it can be assumed that Russian authorities are now well-versed in the methods and code underlying these Western creations, opening the door for retaliatory attacks that would have otherwise been years ahead of Russian technology. The damage caused by existing programs is currently limited to purely military targets, however once reverse engineered it would not be difficult to broaden the malware’s scope to include utility or even civilian networks.
In the near future, a large-scale state-sponsored cyber attack is not imminent, and will not likely occur unless conventional war breaks out, in which case a complete dismantling of the largest portion of the target network possible would likely immediately prelude the outbreak of open hostilities. NATO has made some progress in identifying cyber attacks as a trigger for Article 5, making events on par with the internet outage in Estonia 2007 less likely to reoccur, but the Russian strategy of “hybrid warfare” will no doubt continue for the foreseeable future unless more hardline resolutions are adopted. Until such a time, both sides will no doubt continue to search for new zero-day flaws, seeking to develop the capacity to completely cripple a digital network within minutes should the need arise.
The more immediate threat lies in the rise of cybercrime. As new high-level techniques are exposed and published, related methods and workarounds are developed for criminal purposes that evade security patches and further strain companies’ ability to protect their software. While the threat of cybercrime is currently limited to the private sector, the reality that criminal organizations and non-state actors could pose a legitimate threat to national security cannot be ignored. For now, governments probably have at least a few techniques left that the public is unaware of, some of which are no doubt equal to earlier revelations that the FBI had effectively broken Tor, but it’s unknown how long this head start will last.
Photo courtesy of Wikimedia Commons
leksikablog.wordpress.com 