This essay was written for the 2017/2018 Secureworx essay competition. The essay question was: “How is cyber security a human issue?” My essay was chosen as 1 of 2 winners and received a $2000 cash prize.
Information security has ultimately always been a human problem. It is humans whom the machines serve, humans that attack them and humans that are often the weakest point in the security chain. Computer security used to be about preventing viruses or worms that would delete hard drives or use too many resources eventually forcing the machine to restart but now as the malware community has developed so too have their goals. Ransomware, Remote Admin Tools (RATs) and more have been used to target anyone from home users all the way through to international shipping companies and nuclear facilities. Malware has become commoditized, a product for dark web users to buy and sell on hidden forums before turning their products on their true targets.
Often the authors of malware like ransomware, RATs, banking trojans and ATM skimmers are not the end users. On forums in Chinese, English, Russian or any other language, users can find, read reviews, purchase and even receive support for their favourite kind of malware. Whether it’s stalking an ex or running a phishing campaign to get money via ransomware there’s something for everyone. Authors will often caveat the sale with some vague disclaimer that the product can only be used legally but this has yet to hold up in court, especially since law enforcement is able to more often catch the end-user than the original author.
So, who is writing this malware? The answer to this is murky and rife with misdirection, which makes it hard to find answers. There are several kinds of attackers ranging in capabilities. There are nation states like the US, Australia or China that are able to use defence and intelligence funds to find exploits used for law enforcement or cyberwarfare. Companies like Hacking Team provide products and services to governments and companies in the same way any other company would. The third and fourth groups are far harder to nail down. They are individuals and private groups, the lines between these two can blur because any attacker using proper operational security will hide the size and location of their group. These authors are often working to create a sellable product that other groups can turn into their own.
It’s great to know who is writing the malware but what is probably more important is finding out who is using it. After all we don’t care as much who made a gun, we care far more about the context in which it’s used.
One set of groups and individuals that may soon have great impact on Australia are those linked to terrorist or ideological groups such as Gaza Cybergang, Syrian Electronic Army, Pakistan Cyber Army and even ISIS. The groups mentioned here are based around Islamic or national ideology however there are groups motivated on both sides of the political spectrum to commit cybercrime against nations and the public.
These groups can be funded by nation states, larger paramilitary organisations such as ISIS or Hezbollah, or just bootstrapped by individuals. In 2008 Lebanese authorities found that Iran had built a secret communications network including internet using fibre optic within Lebanon without knowledge or approval from the Lebanese government to ensure that communications could bypass US/Israeli/Lebanese controls. This shows the amount of effort that some nations are willing to go to support their chosen organisations whether in official or unofficial capacity.
All of this information is vital to know as the Australian government and Australian companies look for ways to protect themselves from the human factor of cybersecurity. There have been several terrorist attacks publicly prevented in Australia by the AFP, ASIS and ASIO, groups that work very well when dealing with local, physical targets. As we move further into a world where cyber security attacks can be purchased for as little as $4 AUD there needs to be Australian considerations of cyber-retaliation for any actions committed by the government in DFAT or Defence operations.
Traditionally, Australian forces have been concerned by the risk of retaliation attacks either on military bases, embassies and other external facilities after carrying out offensive operations. Now, a new risk is emerging of remote retaliation attacks on Australian businesses and government infrastructure through cyber weapons. These kinds of cyber-attacks can be carried out anonymously and at any time. A backdoor could be found in some piece of Australian infrastructure and after a defence or diplomatic operation abroad, a ransomware or denial-of-service attack could be triggered resulting in a myriad of potential consequences.
Since the 2013 election the Liberal National Coalition has had a focus on reducing immigration to Australia and one of the reasons given is security. Immigration policies will be unable to keep Australia safe from the next wave of paramilitary or terrorist threats when attacks can be launched from anywhere.
Australia can begin to prevent this by promoting a robust aid program in conflict areas involving Australian forces. In countries and regions that begin redeveloping, Australia and allies should contribute to telecommunications education promoting responsible computer use as well as promote Australia as a friendly nation in the region. By building telecommunication systems Australia can establish a strong relationship with local authorities that can help track down any threats identified as coming from the region.
Access to the internet is becoming recognised as an international human right alongside essentials like food, water and safety. This means that in areas damaged by conflict we will begin to see telecommunications infrastructure become a priority within the rebuilding process. People living in refugee camps and destroyed cities will remember the conflict for many years alongside whom they consider responsible.
Historically they have only been able to retaliate against local adversaries such as Israel or US military bases but with new technology the attacks can bypass strong, secure targets with conventional weapons and go straight to softer targets like local banks, hospitals or even a company like Equifax.
The very human issues of war and global poverty may soon lead to consequences outside of the region as people get back online and begin looking for money from or revenge on any easier targets. Cyber security has always been a human issue but now it’s becoming tied to other human issues and this is something that we should all be prepared for.
Footnotes:
- Petya ransomware: Cyberattack costs could hit $300m for shipping giant Maersk – Danny Palmer, 16/08/2017 – http://www.zdnet.com/article/petya-ransomware-cyber-attack-costs-could-hit-300m-for-shipping-giant-maersk/
- An unprecedented look at Stuxnet, The world’s first digital weapon – Kim Zetter, 03/11/2017 – https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/
- Gaza Cybergang – updated activity in 2017 – GReAT, 30/10/2017 – https://securelist.com/gaza-cybergang-updated-2017-activity/82765/
- Lebanon told allies of Hezbollah’s secret network, WikiLeaks shows – Ian Black, 05/12/2010 – https://www.theguardian.com/world/2010/dec/05/lebanon-warned-allies-hezbollah-telecoms
- Booters with Chinese Characteristics: The Rise of Chinese Online DDoS Platforms – Dave Liebenberg, 15/08/2017 – http://blog.talosintelligence.com/2017/08/chinese-online-ddos-platforms.html
- U.N. report declares internet access a human right – David Kravets, 06/03/2011 https://www.wired.com/2011/06/internet-a-human-right/
- Equifax Announces Cybersecurity Incident Involving Consumer Information – Equifax, 07/09/2017 – https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628
