Is the US Ready For Cyberwar?

Richard Stiennon

A highly-regarded cybersecurity analyst has recently published a book which makes a convincing case that not only is cyberwar between major world powers inevitable, but that the US has allowed itself to fall dangerously behind in preparing for it.

Richard Stiennon, who was previously an executive with Fortinent and Gartner, offers his analysis in There Will Be Cyberwar, published by IT-Harvest Press. In an interview for this column, Stiennon described how the motivation for his book came from an analysis of the U.S. military’s move into networking or, as he characterizes it, how they “jumped onto the Internet.”

Earlier this month, reports came out that of the $3 billion allocated by the Air Force Space Command on cybersecurity, not a single cent was spent on defending software vulnerabilities in weapons systems. This funding gap led Stiennon to believe that the U.S. military “was completely unprepared to fight a cyberwar.”

The problem is that in today’s technology age, weapons platforms, which include radar, targeting and missile systems, all contain tons of software. For example, Stiennon estimates that there are 9 million lines of code in one F-35 fighter jet and another 15 million lines in support systems. And, as we all know, software can be hacked.

At current government contracting rates, the cost to fix security flaws in all of the weapons platform code could be very high. Stiennon is critical of what he terms “the archaic contract selection system,” and faults the military for being unwilling to change.
“Think about how deep you would have to go in a military organization to change their thinking,” says Stiennon.

Looming over the cyberwar preparedness debate is the dark cloud of increased nation state hacking. The Wall Street Journal published a story two days ago that Iranian hackers were able to gain control of a dam in New York State back in 2013. And, according to Stiennon, there is evidence that China has stolen data on missile systems.

During a joint appearance at the White House with President Obama in September, China’s President Xi Jinping pledged that his country would not conduct economic spying in cyberspace. When asked if he believed that China had lived up to its promise, Stiennon was quick to reply, “No, not for a minute.”

Another ominous development concerns recent reports, which indicate that malware authors are getting more sophisticated in devising new techniques to evade detection. Intel Security, the company’s MacAfee Labs division reported an unprecedented increase in new macro malware that includes fileless attacks which leave no trace on disk, making detection much more difficult.

In a separate interview for this column with Vincent Weafer, vice president of Intel Security’s McAfee Labs, he confirmed that the tools outlined in his firm’s most recent report were being adopted by nation states. “Actors are trying to find ways to get their malware on the box without leaving any footprint,” says Weaver.

According to the Intel report, the use of malware attacks on companies and the US government are becoming more successful in part because of social networking. Malware developers can find out if a particular individual recently attended an industry conference or ordered a holiday gift through FedEx simply be accessing often publicly-available information posted to sites like Facebook or Twitter. They can then craft an innocuous-looking email referencing the conference or shipment, inject the malware once opened, and then reap the cyber-spy benefits.

In a separate development, the news broke late last week that Juniper Networks found unauthorized code had been inserted into its ScreenOS software that can decrypt devices without leaving a trace of who did it. The company makes communications equipment for large enterprises, including the US government. The FBI is investigating whether foreign governments were involved.

What is not clear at this point is when and how the first cyberwar conflict will play out. Stiennon believes that the first occurrence will be in less than five years and will most likely include an engagement between world powers, such as China and Taiwan.

He also points out that the military has acknowledged the funding gaps in defending software vulnerabilities and are beginning to take steps to address them. In the meantime, the clock is ticking and recent developments just this month alone highlight the urgency of the task.

Examiner: http://exm.nr/1Jx8s47