The Invisible War

A determined, dangerous army is working to take down the mightiest nation on Earth—but nobody even knows who the soldiers are.
From the August 2011 Trumpet Print Edition

In June, hackers took down cia.gov, compromised the main site of the United States Senate, and shut down an Atlanta-based website devoted to tracking cybercrime.

The same month, hackers released personal information—names, addresses, phone numbers, complete online details—for Arizona police officers, painting a target on men serving in one of the most dangerous parts of the country. By comparison, the tens of thousands of online passwords and bank accounts compromised this year might seem less important, but these could still have both societal and military implications.

Millions of computers have been compromised and are sometimes used by hackers without their owners’ knowledge or permission to launch attacks. It was this sort of blunt attack that crippled Estonia in 2007—proof positive that an entire nation can be brought to its knees by even a crude cyberattack.

Then there is Stuxnet, perhaps the most frightening and effective digital weapon to date. Now, just months after it crippled Iran’s nuclear program, this ultra-sophisticated computer worm is open source and available to any teenager in his basement as a play toy.

Add them all together, and you have a war—maybe several wars. But who are its fighters? How does cybercrime change the traditional nature of warfare? And how do you fire back when you don’t know who is shooting or where they are located?

In 1992, Joseph de Courcy wrote in Intelligence Digest: “Computer dependence is the Western world’s Achilles heel, and within a few years this weakness could be tested to the full” (March 20, 1992; emphasis added throughout).

We are now seeing the evidence of these tests almost every day.

The Great Equalizer

In previous years, the vast majority of cybercrime stories in the news were about blunt attacks: lots of compromised computers overwhelming a network with too much data. Though this requires little sophistication, its effectiveness as a military device is proven.

This was what crippled Estonia in 2007, in the first concerted attack on an entire nation’s computer systems. At the height of Estonia’s weakness, ambulance and fire services were down. The attack affected the websites of the presidency, the parliament, almost all of the government ministries, political parties, news organizations and banks. It is possible that more than a million computers were on the attacking side.

Though the details of the Estonia attack were somewhat unique, one aspect of it returns in every form of cybercrime: Its nature made it impossible to positively identify the attacker. Was it the Russians? Probably—but how can a nation respond based on probabilities? And was it the Russian government, or rogue hackers in their basements? There’s no way to know. New technologies coming online make it virtually impossible to trace attacks back to their point of origin.

The Pentagon recently formed a new policy: Cyberattacks can be met with traditional warfare. “If you shut down our power grid, maybe we will put a missile down one of your smokestacks,” one military official said, describing a potential response.

But whose smokestack? Can you fire a missile at a group named Anonymous?

Humbling Sony

One of the highest-profile hacks in the last year was when 21-year-old George Hotz—known in the hacking community as “Geohot”—in January compromised the PlayStation 3 (PS3), giving users complete access to the video game console. Just another video game device? No. The PS3 is a computer—a supercomputer, by some definitions. In 2009, the U.S. Department of Defense bought 2,200 PS3s to supplement its supercomputer cluster, which itself was implemented on 336 PS3s. Long story short, these are powerful machines. A couple of months later, Sony was briefly in danger of losing control of all its consoles.

In April, after penetration by hackers, Sony took down its entire PS3 network for more than a month, leaving its customers unable to play games or music online. Why? A primary reason had to be this: Sony didn’t want to be responsible for the largest botnet the world has ever seen. Hackers might have used Sony’s own update mechanism to take over millions of consoles—many times the computational power that took down Estonia.

Sony has sold over 50 million PS3s, and these machines are all over the world. “With an army of literally millions of zombie PS3s under their control, hackers would own a supercomputer at par or superior to those possessed by most nation-states, and they wouldn’t even have to foot the power bill” (Register, April 29).

It may seem to some that the losses corporations have suffered in the last year are simply a matter of poor security that needs to be corrected. Make no mistake: Security lapses do account for almost every successful hacking attempt, whether it’s Sony, PayPal, Apple, or the security specialists themselves. But no computer is totally secure. “The only secure computer,” wrote former hacker Paul Day, “is one that is disconnected from the Internet, turned off and locked away in a cupboard.” At times, the hackers even hack each other.

On February 4, the CEO of HBGary Federal—a highly respected security firm—announced that he could identify the leaders of several founding members of Anonymous, a group well known for going after the Church of Scientology, as well as hacking MasterCard, Visa and anyone else it deemed an enemy of WikiLeaks (an organization that, itself, has made its name by profiting from gross examples of cybercrime).

By February 6, the CEO’s Twitter account was under some hacker’s control, and his mobile number and Social Security number had been published. By February 7, Anonymous had “exposed Social Security numbers, publicized private e-mails, deleted company files, replaced the phone system, and attacked the LinkedIn accounts of employees …” (PCMag.com, February 7). The security company’s reputation was crushed. One report said that even the company backups were deleted. But again, no one knows who carried out the attack.

If angry hackers can humble Sony and security professionals, don’t think governments are immune. Since June, there has been a major cyberattack on the International Monetary Fund, a defacement of the CIA website that led to the publishing of its member database, and a penetration of Senate e-mail. These hacks all made the newswires. But we should hardly believe that governments and corporations feel a duty to report to the public anytime a breach occurs.

Stuxnet

The sophistication of the previous examples is like children in a muddy sandbox compared to the development of Stuxnet.

In June 2010, Stuxnet was found infecting computer systems around the world. It had an array of capabilities including the ability to shut down oil pipelines, cause industrial equipment to overheat, and even turn up the pressure in nuclear power plants. Even though Stuxnet quietly spread to thousands of industrial computer systems in almost every major country, it remained dormant until its code came into contact with a very specific target: the centrifuges at Iran’s nuclear enrichment facilities.

Once it had infected Iranian computers, it began to systematically destroy not only software, but the industrial machines the software operated as well—all the while telling Iranian engineers that everything was operating as designed. The Institute for Science and Technology reported that Stuxnet ruined 1,000 Iranian centrifuges before the virus was impeded.

This was an example of what is called a “zero day attack”—an exploitation of flaws in a system no one knew existed and therefore had zero days to prepare for. “Our largest fear … is the zero day attack,” said Sherrill Nicely, the CIA’s deputy chief information officer. “It’s very, very, very difficult to protect oneself from an attack that you did not know was coming or the vulnerability that you did not know existed.” Reports say Stuxnet used anywhere from 4 to 20 separate zero day attacks and had a legitimate security clearance.

Experts estimate Stuxnet set the Iranian nuclear program back two years. And it heralds an evolution in the way warfare is conducted around the world. It revolutionizes modern war.

Ralph Langner, a German cybersecurity researcher, called Stuxnet “a precision, military-grade cyber missile.” It was “a 100-percent-directed cyberattack aimed at destroying an industrial process in the physical world,” he said. “This is not about espionage, as some have said. This is a 100 percent sabotage attack.”

Stuxnet should be a giant warning shot across the bow of modern, technology-dependent America.

According to officials, Stuxnet required massive amounts of man-hours and resources to create. It is thought to have had millions of dollars in support. Although no one has taken responsibility for it, it is clear that one sovereign government attacked another. It was an act of war—but because of the anonymity of the cyber-realm, like in the earlier cases, no one knows for sure who actually fired the shot. Was it America? Israel? Germany?

And though the resources needed to design Stuxnet were immense, now it is out there for anyone to tweak. Just months after its successful implementation, Stuxnet was decompiled and put on the Internet for any government, hacker or teenager with a laptop to download and manipulate. What will it be aimed at next—and who is most vulnerable?

The Achilles Heel

When the U.S. military created the ARPANET, predecessor to today’s Internet, the idea was to create communications that could not be disrupted, even if large portions of the network were destroyed by war or natural disaster. But now everyone uses the Internet, and the thing that made it so appealing—its broad-based structure—has become its greatest weakness. Disruption of the Internet can upset everyone’s way of life, our communication systems, our financial systems. And the military may be the most vulnerable of all.

In his June 1999 Trumpet personal, editor in chief Gerald Flurry warned about “America’s Achilles heel”—the vulnerability of our computer systems.

“One of the main reasons we won World War II was because the British broke German radio code. We knew about most of their war plans in advance! Quite a gigantic advantage. Some experts think we would have lost the war without that knowledge,” he wrote. “We could lose the next war before we even begin, if somebody breaks our military codes.”

Clearly the United States is at terrible risk because of its technological dependence. Military codes, the U.S. power grid, the systems that keep Hoover Dam and other dams from releasing a flood—even nuclear power plants—all rely on computer systems that are vulnerable to cyberattack.

These types of breaches have already occurred. In 2010, the U.S. military bought 59,000 microchips that turned out to be counterfeits from China. In 2008, the most significant breach of U.S. military computers ever occurred. U.S. Deputy Secretary of Defense William Lynn explained it: “The flash drive’s malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command. That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control. It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary” (Foreign Affairs, September/October 2010).

We now see frequent cyberattacks on government facilities. Pentagon computers are probed 250,000 times per hour for vulnerabilities, according to the head of the U.S. military’s Cyber Command.

Mr. Flurry also wrote in May 2005: “Exploiting this vulnerable point could trigger the greatest shock in the history of warfare! … I believe one key end-time Bible prophecy could well be fulfilled through [cyberwarfare]: ‘They have blown the trumpet, even to make all ready; but none goeth to the battle: for my wrath is upon all the multitude thereof’ (Ezekiel 7:14). The trumpet of war is to be blown in Israel—mainly America and Britain. (If you would like more information, request our free booklet on Ezekiel. All of our literature is free.) It seems everybody is expecting our people to go into battle, but the greatest tragedy imaginable occurs! Nobody goes to battle—even though the trumpet is blown! Will it be because of computer terrorism?”

We have reached the stage where computers are used to fight against corporations, against police officers, against our military. We have witnessed a demonstrated capability to take out industrial facilities with weapons like Stuxnet. If we couldn’t clearly see the danger posed by our technological dependence 20 years ago, we should certainly see it today. It is all around us.