Steven Cherry Hi, this is Steven Cherry for Radio Spectrum.
At a conference of chief technology officers in 2016, General Michael Hayden, former head of, at different times, both the NSA and the CIA, told the audience, “Cyberwar isn’t exactly war, but it’s not not-war, either.”
Cyberattacks, at the nation-state level, were already almost a decade old at that point. In 2007, over the course of 22 days a Russian attack on Estonia took out commercial and government servers with distributed denial of service attacks; not just public websites but also what one report called “more vital targets, such as online banking and the Domain Name System,” without which people can’t find or look up websites and online servers.
The attack carried into the cyber realm an already heated political conflict between the two nations, and Estonia’s economy was as much under attack as its information infrastructure.
In 2009, China stole plans for an advanced U.S. fighter jet, and Chinese hackers have subsequently attacked Google, Intel, Adobe, Morgan Stanley, the Wall Street Journal, and the Army Corps of Engineers.
In 2010, we learned of the U.S.–Israeli attack on Iran and its uranium centrifuges, known as Stuxnet.
In 2015, a concerted attack, believed to have been Russian, on the power grid of another east European nation, Ukraine, left more than 200,000 people without electricity for at least several hours. It was the first attack on a grid, and perhaps the first large-scale SCADA attack—that is, on the control systems of critical infrastructure. Follow-up attacks struck the railway, television, and mining sectors.
In 2016, right around the time General Hayden was warning American audiences of the dangers of cyberwar, Russia, in conjunction with a private firm, Cambridge Analytica, and elements of the U.S. Republican party, crafted a disinformation campaign to influence the presidential election that year. Russia and Cambridge Analytica also undermined the Brexit referendum in the U.K. earlier that year.
Since then, we’ve seen entire families of malware appear, such as Trickbot. Arguably even worse was the recent SolarWinds hack, which in effect was an attack on what we might call the software supply chain. As many as 18 000 different organizations using SolarWinds may have been affected. Worse, the effects of the hack may have reached out into other networks and therefore been exponential. For example, both Microsoft and security firm FireEye were affected, and they each have many enterprise customers.
That FireEye itself could be vulnerable to attack in this way is stunning and humbling. As the fourth-century Roman poet Juvenal asked, Quis custodiet ipsos custodes? Who shall guard the guardians themselves?
We’re lucky to have with us today Justin Cappos. He’s a professor in the Computer Science and Engineering department at New York University and directs its Secure Systems Laboratory. He has a particular interest in building systems resilient to nation-state attacks and a particular interest in vulnerabilities in the software supply chain, especially in software updates. He joins us by Zoom.
Justin, welcome to the podcast.
Justin Cappos Thank you for having me.
Steven Cherry Do you think it’s fair to say that the SolarWinds attack represents something new and particularly dangerous? And maybe before even answering that, maybe we could talk a bit about how it evolved, the software update process and how that’s an especially vulnerable part of the software supply chain.
Justin Cappos The way that this particular attack worked is hackers were able to break in and they actually inserted some malware onto the build server so that when the software was being built to then be distributed, it contained several malicious actions, like several malicious capabilities that basically acted as a backdoor that attackers could then use to get control of those networks.
And so it is unfortunately not entirely unique, in that attackers have time and time again broken into software repositories and put things in. Allegedly, the NSA broke into Juniper routers and added a back door that let them intercept VPN connections through them. Attackers have gone and inserted all sorts of malware in a variety of different software projects. In fact, Santiago Torres-Arias, who’s a former Ph.D. student of mine, now a professor at Purdue, maintains an extensive list of software supply chain compromises, 60 or 70 of those, along with folks at the Linux Foundation that they’re using there. So this attack was not entirely unique, but perhaps the overall severity and the fact that it hit even an extremely top-notch firm like FireEye and others like that were, I think, a little more eye-opening in some ways.
Steven Cherry I mentioned Trickbot, this is a piece of malware that apparently arrived on the scene in about 2016 and is still plaguing us. It’s, among other things, a sort of infrastructure for ransomware. Does it exemplify something in today’s cybersecurity challenges? It seems like we no longer have just viruses and worms and a process of problem, discovery of the problem, and solution to the problem. Nowadays, it’s more like an endless series of flare-ups and recoveries—like flu seasons. The malware mutates and the defenses mutate to match it, offering only partial protection.
Justin Cappos I think one thing that has changed a bit over time is that malware went from something that people would just write to show what they could do. And then gradually, over time, it became the domain of cybercriminals. And then once there was a profit center involved, there was a way ... a lot of incentives to write really good malware. And people started to build things like botnets for hire and so on. And once you got into that realm, they were like software companies, like really any other software companies. But what’s been scarier and come along more recently is when governments get involved and start to fund it, because then it starts to look a lot more like a military operation, like it is something with some very, very serious resources.
For instance, the attack that everybody thinks of, the piece of malware people think of with going after the centrifuges in Iran is Stuxnet. But there was another piece of malware along with it called Flame that actually was spread via flaws in Microsoft’s software update system that enabled it to go and do the surveillance and things that they needed in order to go and have a successful campaign. And this was an order of magnitude more complex than Stuxnet was and was really responsible for the relative success of that operation.
So the thing that that to me is scary is the fact that we’ve moved from ... some of the early viruses were very silly things where somebody just sat down and wrote a few lines of Visual Basic and then it got sent around and copied via email automatically and caused problems. But now people, by and large, have much more nefarious things in mind and have many more resources behind them.
Steven Cherry Yeah, I mean, this militarization can involve actual counterattacks, right? I mean, in Trickbot there was one. Microsoft went to the courts to be allowed to conduct a counterattack on the malware. And it’s as if the courts are there to reassure us that Microsoft is one of the good guys and its enemies are the bad guys and it’s okay for Microsoft to strike back. Does that sound right? And in your opinion, are the courts up to serving in that role?
Justin Cappos I think this is a very difficult question. There are judges that know quite a bit about security. If you took the average judge in the average court, I think they’re absolutely not prepared for this. I certainly wouldn’t want to try to speak for all judges, because I have seen some very well reasoned things come out of individual judges here and there who really do seem to understand the technologies and things involved at a reasonable level to make that judgment.
I do feel overall that going in and launching counterattacks is a very, very problematic way of dealing with things, because there tends to be collateral damage and there tends to be other types of problems from launching counterattacks. In some ways, it’s a little bit like bringing in an outside species to try to control the problem you have with some other pests, where time and time again humans have tried: oh, we’re going to bring in the cane toads to eat these flies that are plaguing our sugar cane plants, or we’re going to bring in this, or we’re going to do that. It just has a way of escalating and getting out of control and causing more damage than perhaps it should. So in general, I think that there are often other ways you can go about this, sort of depending on how you need to strike back and where. But I think that in general, launching retaliatory cyberattacks is a bad idea.
Steven Cherry I mentioned the attack on the Ukrainian electrical grid. It seemed particularly disturbing, both in its consequences; I don’t think anybody wants to be without power at the start of an Eastern European winter. Ever since Napoleon, we’ve known that. And the challenge for the defense as well was particularly disturbing. We’re talking about a sprawling national electrical grid. It must have a million different entry points.
Justin Cappos It does, and one very scary thing about the electrical grid in the United States is how interconnected it is and how cascading failures can occur. There’s a really nice book by Ted Koppel called Lights Out, which is quite accurate overall in describing potential problems and potential risks due to cyberattack in this area. Attackers usually don’t go for the strongest target. They can. They usually look for the weakest areas and then attack those and accomplish their goals that way. And when you have a system where failure in one area can cascade over and cause damage in others, this is a real concern. And you combine this with the fact that the power grid wasn’t designed from the start to be connected to things like the Internet, and what we’ve seen many times is that technologies that weren’t really designed to do this get features added and added and added. They slowly become more networked and more connected, and they pose a lot of security risks as a result. It’s sort of ... No one ever stops to do a very clean security-based design and figure out how to do things in that principled of a way. So I do have very serious concerns about there being a major attack on different parts of the U.S. infrastructure, the power grid being one of those.
Steven Cherry It seems like it’s only going to get worse. I mean, specifically the electrical grid. First of all, we’re going to probably have distributed clean-energy generation. So electricity not only coming from the grid to our homes, but our excess home- and office-generated solar and wind power going back to the grid. And that’ll be millions of hackable, smart meters in between, won’t there?
Justin Cappos Yes. As we connect more and more devices, there’s certainly the potential. I would think, as we go and continue to connect things, humans in general aren’t good at seeing slow, creeping problems. We didn’t sort of evolve that way. And so seeing the sorts of potential dangers and issues that can happen from increasingly many Internet of Things devices all over the place being available to hackers is something I think many people have a hard time recognizing.
Steven Cherry There’s another potential point of vulnerability on the horizon I thought I might ask you about. Cars are getting smarter. They’re starting to communicate more with the cloud. They may soon come to depend on the cloud for some of their functionality and they may start communicating with one another for maximum safety. Car companies are not software companies, and even if they were, software companies have enough trouble getting this right. Is this a potential recipe for cyber disaster?
Justin Cappos I will say that the automakers have really started to move a lot more into software than you would think. I would say you could almost view modern automakers as software companies whose software happens to go into things that move. So they really do spend a lot of effort and a lot of focus on that part of engineering as well. That being said, there’s a shortage of cybersecurity experts overall, and automotive at times has a hard time hiring and getting qualified people everywhere that they’d like to. I do know there are a lot of very smart people working on and looking at these types of issues in vehicles.
But I think you would be right to be nervous that this could potentially cause issues. Frankly, though, if you look at the sort of risk factor from cars, cars increasingly became computerized from around 2000 until today, and the functionality in a modern car has just increased. But there were some pretty big wake-up calls related to security that happened with some of the automotive hacking work that happened with Yoshi Kohno, Stefan Savage, [NYU colleague] Damon McCoy, others like that, where they demonstrated that you could hack modern automobiles, and we’ve seen those hacks be repeated. And because of that, there was, I think, a lot more security awareness in the automotive field. And they really have put a lot of effort in to try to address a lot of these issues.
In terms of Internet of Things devices, I think they have one of the highest risk profiles, like the most damage could be done in some ways, and it can be especially targeted to individual cars or things like that, which is also very, very scary. But the automakers have also been increasingly improving their security since that 2010ish time frame where they started to look at it. So in some ways, it’s really the cars that are a little older than that that you have to worry about because they have a lot of computers and they didn’t have the same quality level of security engineering that a brand new car today may.
Steven Cherry Just to circle back to our earlier topic, are cars more or less vulnerable than the average software-driven device when it comes to the software update process?
Justin Cappos This is a complicated question. So when it comes to the software-update process, a lot of devices you have—and I’m going to leave out for the moment things like your laptop or your phone; your laptop and your phone are probably quite secure in how they’re doing their updates, these use architectures in general that have been scrutinized by experts and have had a lot of care put into the design. That’s not to say that they’re perfect, but they’re relatively hard to attack.
If you’re talking about something like your smart TV or your wireless router or your smart toaster or whatever other devices you might have around your home, I think your car has a lot more vulnerabilities in general related to the update process. A lot of vehicles are now using a free, open standard called Uptane that I and some of my collaborators at a bunch of other universities and a bunch of car companies and regulatory bodies and others worked together on over several years. And this has really heavily been scrutinized and looked at and is quite an effective way to protect vehicles, even against nation-state actors, because it requires them to do Mission-Impossible-style stunts to be able to break in and cause damage. Whereas if you look at some of the systems they were using before that, which some of the car companies that haven’t yet switched over are still using, the kinds of attacks that would be successful are even simpler than the SolarWinds attack. So it’s obviously a big concern.
Steven Cherry So let me close with the General Hayden question. Is cyberwar war?
Justin Cappos Well, it can certainly cause a lot of damage. It can potentially cause a lot of deaths. One thing that I think tends to be quite different is in war, you usually have a moderate amount of attribution, so you know who’s behind it. And you know somewhat about how to strike back. You may have to go and figure out that it’s a terrorist group operating out of this country and do things. But at least you fairly clearly have something to point at. It’s a lot harder to do that in the cyber space and to know how to have an appropriate response. So, yeah, we will see what happens with this. It certainly can be very fatal and very, very damaging. Some of the estimates for the damage from the MeDoc [Ukraine] attack, which shut down ... you know, it was also software update based—and shut down shipping for major companies worldwide, along with a whole bunch of other industries, were certainly as disruptive and damaging as many past military strikes have been. So, yeah, whether it’s war or not, I’m perhaps not the right one to judge, but it’s certainly very damaging.
Steven Cherry Well, just to calibrate this a little bit, let’s make a comparison. In World War One, airplanes played only a small role, but a mere 20 years later, Germany almost took out England with air power alone. Comparing cyberwar to air combat, are we still at the WWI stage or closer to WWII?
Justin Cappos It depends a lot on who’s fighting. I wouldn’t want to see the U.S., Russia, China, any of those three countries battle each other. And I think that other countries are certainly increasing their capabilities rather quickly. So I could certainly see something happen 10, 15 years from now where two countries that today are rather small and regional could cause widespread damage well outside their borders, just like MeDoc did, which was, at least reportedly, a Russian attack that spilled over and caused massive damage around the world. The things we need to do to protect against this, which is to really focus more on the defensive capabilities that we build into systems and to make the things that we engineer more solid, are by and large not being done at the level they would need to be to make this problem go away. And until we really get to that kind of mindset and work through things like that, really, until there’s a major effort put into those aspects, I think that we’re all going to remain vulnerable and at risk.
Steven Cherry And just generally, are you more concerned on the nation-state level or at this kind of commercialization of cyber risks?
Justin Cappos I think the things that nation-state actors can do today are going to be able to be done by the more commercial hackers in 5 to 10 years if the defensive landscape doesn’t drastically change. And that’s obviously very concerning. My hope is that there’s enough focus and enough attention paid to all the aspects that need to have it paid, like, for instance, making sure that the water supply in Florida doesn’t have a bunch of lye dumped into it.
The way in which the systems like this are designed so that an operator has to notice that, you know, and at first just says, oh, I just thought a manager might have gone and been poking around in my system. As sometimes happens, you know, it’s a bit concerning. So, yes, there may be multiple physical failsafes and things, but it’s still concerning and worrying what could happen if attention hadn’t been appropriately paid.
Steven Cherry Well, Justin, in cybersecurity, the attackers just need to succeed once while the defenders need to succeed every time. So it’s really an impossible and thankless task to be wearing one of the white hats. So let’s at least thank you for your work in this and for joining us today.
Justin Cappos Thank you very much. Happy to talk with you.
Steven Cherry We’ve been speaking with Justin Cappos of NYU’s Secure Systems Laboratory, about the endless commercial, economic, and governmental cyberbattles covertly being waged around us.
Radio Spectrum is brought to you by IEEE Spectrum, the member magazine of the Institute of Electrical and Electronics Engineers, a professional organization dedicated to advancing technology for the benefit of humanity.
This interview was recorded February 10, 2021 on Adobe Audition and via Zoom. Our theme music is by Chad Crouch.
You can subscribe to Radio Spectrum on Spotify, Stitcher, Apple, Google, and wherever else you get your podcasts, or listen on the Spectrum website, which also contains transcripts of all our episodes. We welcome your feedback on the web or in social media.
For Radio Spectrum, I’m Steven Cherry.
Note: Transcripts are created for the convenience of our readers and listeners. The authoritative record of IEEE Spectrum’s audio programming is the audio version.
We welcome your comments on Twitter (@RadioSpectrum1 and @IEEESpectrum) and Facebook.