Don’t call Richard Stiennon a cyberwar alarmist. While his new book, Surviving Cyberwar, is the latest in a series of recent books about the global online threat, he told The New New Internet he’s not just another voice in the “sky is falling” cyber chorus. Instead, Stiennon, who serves as chief research analyst at IT-Harvest, offers what he calls a historical analysis to prove his thesis: that state-sponsored cyber attacks have already happened and are on the rise. While cyber warmongers are harping about some future, amorphous threat to cyber sovereignty, Stiennon quietly makes the case that the future of cyber war is already here.
The New New Internet: What are some of the key findings or the main takeaway points from your research and from the book?
Richard Stiennon: The first key finding is that cyber espionage has been going on for at least 10 years, and it has been going on from China as well as from other countries. But China appears to be the main aggressor. The research for the book included interviewing and digging into the story of Titan Rain that involved a young man by the name of Shawn Carpenter who was one of the first to discover the Chinese hacking. When he saw it, he took it upon himself to back hack into Chinese servers. [He] discovered documents belonging to all of these research labs and defense agencies in the U.S., and that led up to reaching out to them. He started getting involved in helping them discover where the leaks were and patch them. It also led to being recruited by the FBI as a confidential informant, which led to being fired from his day job at Sandia Labs in Albuquerque.
That’s the cyber espionage we’ve seen just grow, like the attacks against Google, which have been attributed to China. Also just this past week, the WikiLeaks information from the State Department that at least members of the diplomatic corps attribute the Google attacks to the Chinese Politburo. There’s a growing body of evidence of attribution there. On the cyber espionage side, we’re talking about the engagement of militaries in the cyber world and that’s closer to cyber warfare. The militaries are all taking the asymmetric capabilities of adversaries very, very seriously and responding by reorganizing, thus the creation of the U.S. Cyber Command and similar organizations in every modern western nation in the world. They are preparing and training to protect their cyber domain during future conflicts.
The New New Internet: You mentioned a lot of the hacking comes from China, why is that?
Richard Stiennon: It is a very, very old tradition for countries that are behind the times economically and industrially to try and leapfrog their technology. In the mid ‘90s, Chinese academics started publishing articles about what they call the Revolution of Military Affairs, which has a strong information warfare component. Basically, most research labs in the United States and around the world were pretty open to remote hacking. You can deny it, which China has done consistently, and yet you can gather all of this information and use it for economic benefit if you are trading the world markets for oil and gas and other resources, for industrial benefits, if you are stealing industrial designs or for military benefit. If you are for instance stealing the entire data set of the design of the U.S. Joint Strike Fighter, all of these things can happen.
The New New Internet: There has been a lot of talk about cyber war and there are as many definitions for the term as there can be. How do you define cyber war?
Richard Stiennon: My definition of cyber war is using network-based attacks against computer infrastructure coinciding with physical attacks. Actually, my definition always used to have . . . tanks rolling across the border. That happened in 2008, when Russia attacked Georgia. The actual cyberwar incidents around the world are harder to come by than all of the attacks going on with WikiLeaks right now. We learned from Richard Clarke that during the Gulf War, they contemplated attacks – they didn’t do it. We heard about Israel’s invasion of Lebanon, where they took out radar installations supposedly by a cyber attack delivered over those radar antennae.
Richard Stiennon: My book is meant to be the historical argument that state-sponsored cyber attacks are on the rise. Both Richard Clarke and Jeffrey Carr take a warning that the sky is falling and we have to do something drastic, or the end of the world will come. I believe that there will be malware and cyber attacks that lead to power outages or interruptions, or something like that. I don’t believe that those are going to be as damaging as some of the others do. My book wasn’t to warn of the next threat to our sovereignty, or whatever the title of Richard’s book is. The focus was to demonstrate all of the things that have happened and they are going to continue to happen.
The New New Internet: Some people say all of this talk about cyber war – and especially when you couch it as a warning – is not very helpful and kind of ratchets up the rhetoric about cyber warfare. What is your take on it?
Richard Stiennon: I don’t think there is any value in heightening the rhetoric because all of these attacks are not only possible but have been going on. It’s much more important for those that are responsible for the security of all of our infrastructure to just pay attention to what has happened and start reacting to that, not reacting to some future threat that has not materialized yet. You can’t predict what that future threat will be. There are too many openings, too many types of dastardly things people can do. Who could have predicted that MasterCard would have their website taken down by a bunch of activists just because they complied with the press . . . the United States and WikiLeaks?
The New New Internet: It’s kind of difficult to talk about cybersecurity post-Thanksgiving without WikiLeaks being brought up. Do you think governments will crack down on information sharing or make it harder for whistle-blower sites to spring up? Or does it open the flood gates and it will only be a continuous stream?
Richard Stiennon: Where I’ve seen the fractionalization of WikiLeaks is [in] special organizations such as OpenLeaks, due to go public this week. There will be other models that will make it easier to share information and prevent it from being squelched by government. That was of course always possible, and WikiLeaks is just heightening the rise of free information. At the same time, governments will react in such a way to actually curtail freedom of information. We’ve already seen several bills in conflict before Congress just last week and around the world. There will be a battle for freedom of information going on that is going to get more and more interesting to watch.
The New New Internet: Some say WikiLeaks and the hacktivists afterward shutting down credit card companies’ websites was the opening shot in a cyber war, or an information war. What’s your take on that?
Richard Stiennon: I liken it more to a cyber riot. For social and government stability, the street is very, very important. In the Middle East, the street is what the government kowtows to. In the U.S. and other Western nations, the street is usually a little bit more sedate and limited to peaceful rallies. But what we have going on online right now is people that think that they are anonymous engaging in cyber riots. They get together and decide on their targets and they start lobbing the equivalent of digital bricks at their target’s windows. They are breaking those windows and doing that damage, but nothing that shuts down the business.
The New New Internet: I have to admit I’ve never heard of Shawn Carpenter or the Titan Rain. That was something that went under my radar. I thought it presented a kind of dichotomy between the idea of the benevolent whistle-blower to this idea of WikiLeaks, and who knows what kind of whistle-blower that is. I was wondering if you could talk about that?
Richard Stiennon: Whoever the WikiLeaks whistle-blower was felt that he was acting in the best interest of the world, I guess. Shawn Carpenter felt that he had uncovered attacks against his country and the government that he worked inside. He didn’t publicize what he had found, but reached out to those individuals or organizations – he notified them. He stepped over the lines potentially of what his employers thought was appropriate. For a member of the armed services to steal information is first of all highly illegal and well defined as illegal. Everybody knows what their top secret clearance means; and then the next level beyond that is the organizers of WikiLeaks are the recipients of the illegally gained information so making it public is their decision. They are motivated by something that they think that the world has to know.
The New New Internet: 2010 saw a lot of cyber-related events; Operation Aurora, Stuxnet and now WikiLeaks. Is there anything else that might have slipped under the radar that didn’t get as much attention but would be a notable thing for cybersecurity for the past year?
Richard Stiennon: There’s one more, I think, and that is the rise of denial-of-service attacks in Asia. From China through Hong Kong to Singapore and even Australia, denial-of-service attacks have taken off dramatically. It’s criminal organizations extorting money from online gaming sites, which are allowed in that region, but it’s also just one website hiring an attacker to take down their competitor website because their revenue goes up if the competitor is not available. That level of the wild, wild west, if that were to translate into the rest of the digital world, would be extremely disruptive.
The New New Internet: Your book is called Surviving Cyber War; in the event of a cyber war in the future, how would a country survive?
Richard Stiennon: I’m a technologist at heart, and I believe that most of the identified attacks can be addressed with technology. I don’t even think that we need to completely revamp the Internet to get there. Certainly, for individual companies they can do a much better job of investing in defenses if only they didn’t wait until after their attacks, which sadly is the way a corporation works. Why spend $1 million on preventing something that has never happened – wait until after the fact and then spend $2 million as TJX found out. They set aside $200 million to counter a pretty simple breach that occurred against them.
Government has a long, long way to go to get up to speed with the cyber-defense posture that most corporations are at today. There is a complete revamping of how things are done inside government from the IT perspective that has to happen. Obviously, there has been lots and lots of talk and chest beating about how we have to do something. Congress had 40 bills in process last session – nothing got close to passing, of course. There has been a cybersecurity coordinator appointed by the president. That role doesn’t have the power to get something done. It is going to take a bigger breach or outage than the Pentagon has suffered so far to really get things to start happening. As a nation, we are reactive and as humans we are reactive, and certainly the bureaucracies are reactive.
The New New Internet: Those were all of my questions, is there anything that I didn’t touch on that you think is important to note?
Richard Stiennon: You’ve already pointed out the acceleration. There are three ground-breaking events – we haven’t talked about Stuxnet, but Stuxnet is the wake-up call for manufacturing, I believe. Manufacturing has been on the sidelines of cybersecurity because they don’t have a lot of credit cards [and] cyber criminals aren’t after them. But Stuxnet was designed to target control systems [so] it doesn’t matter if it is a bunch of centrifuges that ran for a robot paint shop at an automotive plant. The types of new attacks that we are going to see target those control systems. These will be very expensive for those manufacturing operations. The types of things that they are going to have to do to prevent it are pretty straightforward and a lot of them won’t do it until after the fact.