Trump Is Opening A Cyber Pandora’s Box

President Trump’s reversal of Obama-era rules governing the use of cyberweapons shows he doesn’t understand what they are or the consequences of using them.

National Security Agency headquarters at Ft. Meade (Wikimedia Commons)

According to the Wall Street Journal, President Trump rescinded Obama-era rules governing the offensive use of America’s cyberweapons. If you’re not sure what that means, you’re not alone. The world of cyber warfare is extremely obscure, and descriptions of the weapons in question can be very vague, often deliberately so because they’re highly classified. This isn’t just because no military agency wants to give its adversaries an exact inventory of its tools and methods, but because these exploits and viruses are extremely easy to reproduce for anyone with the skill set and know-how. Unlike, say, nuclear warheads, which require highly specific expertise and highly refined and dangerous components, cyber armaments are essentially just weaponized math.

But because computers have to be infected and these weapons are eventually found out when something is amiss, we have some clues. Stuxnet, the virus that damaged Iranian centrifuges and is credited with forcing Iran to start negotiating on a non-proliferation treaty, was the brainchild of the NSA, started under the auspices of a Bush-era operation called Olympic Games and developed in partnership with Israeli intelligence. It was an extremely refined exploit that terrified the researchers who found it, because this software did everything they had theorized in their worst-case scenarios for power plants and factories.

Unlike malware scripts used by non-state agents, government-funded malware tends to surgically target enemy software and hardware, sabotaging rather than destroying to help it hide from expert eyes for months, if not years. Not only does this increase the odds of a successful attack, but it buys time to create new generations of malware. By the time it’s detected, there’s a very high chance that multiple updated versions have already been deployed in the wild to do their jobs in silence, and sibling viruses that incorporate even more exploits and feature even more refined and damaging code are infecting network after network.

It’s very likely that American cyberweapons include more viruses like Stuxnet, custom-built to attack key infrastructure nodes without drawing much notice to themselves. There are only so many command-and-control systems, and they have a finite number of settings to manipulate. It seems almost inevitable that the most common configurations and setups have been thoroughly analyzed, exploits have been developed and tested, and the viruses are on standby. Of course, that prompts the question of how cyber warriors know what all those common configurations look like, and we have some idea of how it’s done thanks to yet another trio of Obama-era exploits found after Stuxnet: Flame, Gauss, and Duqu.

They’re different types of extremely powerful and stealthy spyware that infiltrate computers and take over their networking capabilities to spread far and wide, spying on the activities of the computers’ users and mapping the industrial control systems to be targeted. Like Stuxnet, they’re also very different from in-the-wild exploits by hackers. Instead of targeting a known vulnerability or two to infect a system, they’re platforms for prolonged, surgical, expandable, adaptable espionage. In fact, to any enterprise architect looking at their code and general organization, the design patterns typically used in large commercial systems are almost instantly recognizable. Decentralized into plug-and-play modules, they’re easy to update and more resilient to having a module or two deleted, blending exploits bought from hackers with unknown attacks clearly discovered by the engineers who put them together.

And there’s another trick, known from the leaks by former NSA contractor Edward Snowden, for installing sophisticated spyware without using infected USBs or a multitude of other attacks. Gear being shipped to organizations targeted by the NSA can be intercepted by its Tailored Access Operations unit, and the malware can be installed with an update to the code that serves as the interface between the device’s hardware and software. Routers, computers, and other critical components in your digital infrastructure then arrive pre-bugged.

The result is that American cyberwarriors know a lot about their potential targets and how to strike. Their platform approach allows attacks to be automated, exponentially increasing the speed and scale of infections and their deleterious effects. Tens of thousands of devices and systems could be compromised, sabotaged, or taken offline within seconds. Tamed botnets could muscle entire countries offline, shutting off smartphone functionality and e-commerce for hours, if not days. This is why they were governed by strict and concrete frameworks for deployment. They are not to be taken lightly.

And this brings us back to Trump’s reversal of President Obama’s directive on the use of cyberweapons. Where the Obama-era rules were nuanced and tried to weigh when and when not to leverage this malware, Trump’s blasé attitude and lack of his own directive on their use indicate that he and his advisers might see it as just another kind of gun or bomb, without respecting the full sophistication of this code and how quickly it could be reverse-engineered and turned back toward American assets. This should also rattle governments across the world.

American prowess in spyware and virus platforms is well appreciated after the Snowden leaks. And since negligence and corner-cutting by rank-and-file workers are the most common vector of infection, these tools are almost impossible to keep out of any computer system. Trump’s rash decision could escalate the already ongoing cyber arms race and may encourage some adversaries to attack first, or to invite an attack so they can isolate and appropriate the virus for their own use. Ultimately, we don’t know what will happen, since cyber warfare is a brand new realm and no nation seems sure of how to respond properly.

This is why any rash decision in the cyber domain can have serious unforeseen consequences, and what should worry us more about the digital arsenals states have is the lack of guidance with which Trump is leaving us. It’s rather remarkable to see detailed rules of engagement for extremely precise, powerful, and complicated weapons not just amended or replaced with another set, but simply thrown away, setting the stage for a Wild West of digital combat. We had better make sure we have the latest updates, our antivirus is up to date, and we don’t download anything even remotely questionable on any computer, or pick up USB sticks and start plugging them into computers. The consequences of poor security hygiene may have just gone up by an order of magnitude.