Stuxnet, Snowden and Sony: Why we've passed the cyber security tipping point

Heavy-handed pressures from tech-unaware legislators, successful strikes by laterally-thinking hackers, a growing tide of dissent about government intervention and corporate concerns about last year's massive hack of Sony Pictures corporate documents have pushed us past the security tipping point into an environment where cyber-attacks will increasingly become favoured tools of nation states and terrorist groups, a leading security journalist has warned.

Speaking to CSO Australia after a keynote presentation at the CSO Perspectives Roadshow 2015, Kim Zetter – an award-winning security journalist with Wired and author of the recent book Countdown to Zero Day – said that while the Stuxnet industrial-espionage worm had shown some people how serious the cyber-security arms race had become, it was attacks against Sony that had really crystallised the issue in the minds of the world's business leaders.

“Stuxnet was discovered in 2010 and it wasn't enough for anyone to take seriously,” she said. “The Sony attack was probably the tipping point, not Stuxnet. People care about CEO emails – and the decision makers are saying 'oh wait, it's not just my customers that are going to lose on this, but this is going to embarrass me and possibly cause me to lose my job'.”

Broad alarm over the implications of the Sony hack had also been fuelled by concerns about the revelations of Edward Snowden, whose exposé on the US government's systematic mass collection of personal data reshaped international relations and sent governments around the world scrambling to defend and adapt surveillance programs fatally compromised by the revelations.

The previous secrecy of such programs had allowed programs like the Stuxnet worm to operate under the radar, but “the Snowden stuff in the last year and a half has really opened a lot of eyes,” Zetter said. “There has been a lot of realisation that the oversight process is broken.”

This, in turn, had contributed to a difficult climate for governments in Australia and elsewhere, where collection of personal data has been railroaded through parliamentary processes based on claims it will help improve enforcement of anti-terrorism efforts.

Snowden's revelations were outlined in a recent Australian government report that blamed him for helping terrorists close the technology gap with the governments that were monitoring them. But Zetter was having none of that, arguing that even though US president Barack Obama had been a trailblazer in technology-aware leadership, “we don't have a tech savvy Congress” and the government should have anticipated the backlash should its domestic spying be revealed.

“The government can say 'this has ruined our methods' but the government is its own worst enemy,” Zetter said. “Had they done a more reasonable kind of collection, Snowden wouldn't have leaked.”

“I don't think anyone doubts that we need the NSA to be doing spying,” she added, “but we need it to be doing targeted spying. They don't need to be collecting everyone's phone records in order to find the needle in the haystack. There are clearly better ways that they can be doing what they need to do and not involve everyone's data.”

Despite the growing acknowledgement that new methods of surveillance and data analysis needed to be applied to problems such as terrorism, Zetter was sceptical that the gap could ever be properly closed.

Hackers were working overtime to circumvent protections that had been put in place to protect all manner of security mechanisms, and with the likely entry of terrorist groups like ISIS it was “only a matter of time” before new forms of attack unleashed the likes of Stuxnet onto the same governments that were using them to get the upper hand in the fight against cybercrime.

ISIS “isn't focused on cyber-attacks yet, but there will eventually be a group that does focus on cyber-attacks,” Zetter predicted. “It takes a lot more planning and a lot more skill, but you can buy that.”

Security lessons

While the proliferation of Stuxnet and similar attacks represented an escalation in online nation-state conflicts, corporate concerns about the reputational damage of the Sony hack were likely to see IT security budgets increased and CSOs pressured to close security holes like never before.

Fellow keynote speaker Bill Cheswick – co-inventor of the first network firewall – had in a separate CSO Perspectives Roadshow presentation flagged the need for IT developers to revisit their security practices, potentially starting from scratch in an effort to incorporate current thinking into secure new computing architectures.

No matter how threatened business executives may feel in the wake of the Sony hack, however, Zetter was sceptical that Cheswick's call for expensive, complex and time-consuming reworking of security architectures could be executed in practice.

“When you're dealing with things like that you're patching,” she said. “You're not fixing things, really, and it's often a knee-jerk response. In some cases you do need to start from scratch, but I don't think that's necessarily realistic because the business model isn't there.”

Zetter was also cynical about the idea that security could ever be practically improved by redesigning systems around secure 'sandboxes' built into specific-purpose environments that could not be compromised – something that Cheswick had argued would be a desirable design goal in the effort to reduce the potential for human mistakes to compromise corporate security.

“Software is complex and the people who write it are human,” she said. “You're never going to get a system that doesn't have vulnerabilities in it. And even with sandboxes, if you can bypass the sandbox and go to something else,” security would be compromised.

“That's all hacking is,” she continued, “to find the next way to go around all the secure barriers that [companies have] put in. And so far, hackers have been pretty successful at going around every security barrier.”

That said, just what constitutes the new business model is changing rapidly as organisations come to grips with their security vulnerabilities and the implications of those. This, she added, had had a trickle-down effect on cybersecurity researchers and the tools they offer the market to protect against attacks.

“Stuxnet really changed the cybersecurity industry,” she said.

“You have cybersecurity researchers whose primary job until now was to protect the customers. But now they are caught between protecting the customer and exposing the covert operations of the government.”

“I talk about everything being before Stuxnet or after Stuxnet,” she added. “It's really about the marked politicisation of cybersecurity research, and we had never seen that before. It raises questions about whether this is going to become a new method of warfare.”


This article is brought to you by Enex TestLab, content directors for CSO Australia.
