Cyber weapons: 4 defining characteristics

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Clay Wilson
 

Connecting state and local government leaders

By Clay Wilson

|

Analysis of recent sophisticated cyberattacks has revealed four common characteristics that help provide a clearer and more useful definition for cyber weapons.

Nations can take advantage of anonymity and deniability while conducting military campaigns in cyberspace, enabling a type of “clean coercion” warfare. The number and sophistication of cyberattack campaigns by nations will continue to increase because they minimize the need to risk military personnel or costly equipment. Unlike personnel and equipment, computer code may be instantly redeployed to any area, and because code is reusable, it offers a practically bottomless magazine for future attacks.

News reports now describe cyberattacks that can result in severe physical damage to facilities and equipment, and a tendency has arisen for the media to compare malicious cyber code to weaponry. But, what is the definition of a weapon, and how can we more clearly identify when a cyberattack should be correctly labeled as a “cyber weapon”?

Each U.S. military service has its own written definition for what comprises a weapon. However, a “weapon” must also meet international legal standards. The Hague and Geneva conventions describe how a “capability” that is called a weapon cannot legitimately be used by the military until after a legal review. These conventions are intended to protect the civilian population from unnecessary suffering during a war. The “Tallinin Manual on International Law Applicable to Cyber Warfare” was developed after a series of cyberattacks were directed against Estonia in 2007, causing extensive disruption to civilian services. This manual defines a cyber weapon as a “cyber means of warfare” that is capable, by design or intent, of causing injury to persons or objects. So, if there is intentional injury, or if computer functionality is intentionally disrupted through a cyberattack, then we might be experiencing a cyber weapon.

With most cyberattacks, however, the attribution and intention may be unknowable. In addition, cyberattacks often create cascade effects that were outside the original intentions of the attacker. However, reverse-engineering and analysis of malicious code used in recent sophisticated cyberattacks have revealed four common characteristics that help provide a clearer and more useful definition for a cyber weapon:

  1. A campaign that may combine multiple malicious programs for espionage, data theft, or sabotage.
  2. A stealth capability that enables undetected operation within the targeted system over an extended time period.
  3. An attacker with apparent intimate knowledge of details for the workings of the targeted system.
  4. A special type of computer code to bypass protective cybersecurity technology.

The most frequently discussed example of a state-sponsored cyber weapon attack resulting in physical damage involved a years-long campaign of stealth, data theft and sabotage targeting the nuclear program in Iran. Malicious programs, given names such as Flame, Duqu, and Stuxnet and reportedly created by the same design team of hackers, were crafted to steal sensitive information, monitor internal messages and then disrupt and disable targeted industrial control systems for a specific type of centrifuge equipment in a special nuclear facility in Iran. The entire campaign may have been in operation secretly from 2006 through 2010 before being discovered by security personnel working outside Iran. Analysts agree that such a sophisticated and long-running cyber campaign showed that the designers of the malicious code had acquired an intimate knowledge of the targeted systems before launching the cyberattacks.

A recent cyberattack that resulted in physical damage occurred in 2014, when the German Federal Office for Information Security (BSI) reported that a steel mill suffered severe damage and forced a shut down due to a cyberattack that caused heavy equipment to go out of control. Analysts have concluded that the attack was effective primarily because the unknown hackers had an intimate knowledge of the workings of the steel mill plant, according to BBC News.

Technologies used for cybersecurity defenses are becoming less reliable in providing adequate protection as attacks become more sophisticated. A major cause of this reduced effectiveness is the zero-day exploit, which is a type of computer code specially designed to defeat protective cybersecurity controls.

A ZDE is added onto the larger malicious payload of a cyber weapon and is designed to take advantage of a vulnerability that is new and unknown within the targeted system. A ZDE is able to bypass or temporarily suspend the operation of protective technology used for cyber security controls, and thus it can open a targeted computer system so the malicious payload can enter and begin its mission. Many highly skilled hackers around the globe work diligently to discover computer system vulnerabilities that allow creation of newer ZDEs. These hackers are motivated because ZDEs can be sold for large amounts to bidders such as nation states or extremists. The ZDEs that are discovered by hackers are growing in numbers as software systems become more complex, making them an important player in current and future generation cyber weapons.

A cyber weapon campaign can also have problems of control. Although Stuxnet operated undetected, it reportedly was secretly updated several times to add new functionality. However, the code unexpectedly escaped the confines of the Iranian uranium enrichment facility, and since that time instances of Stuxnet infections have been detected in facilities operating in many countries outside of Iran. However, the equipment in other countries escaped damage because the Stuxnet payload was designed to attack only the specific equipment inside the nuclear facility in Iran. Future cyber weapons that are not as carefully designed as Stuxnet could spread unexpectedly and cause unintended collateral damage to facilities in other countries.

The Stuxnet cyber weapon campaign caused Iran’s nuclear program to suffer a setback, but one that lasted only a short time. Since the attack was discovered, Iran has taken steps to increase management of its security and has revived its capabilities for enrichment of nuclear materials. Future generation cyber weapons will undoubtedly take greater advantage of opportunities that are expanding as more intimate knowledge about designs and vulnerabilities for equipment and facilities becomes available over the internet. Future targets will likely include complex military weapon systems, along with command and control (C3/C4 Computer) systems, or even missile defense systems.

As another example of growing vulnerabilities for sophisticated military equipment, the Defense Science Board reportedly has given the Pentagon a classified list of U.S. military weapons systems where designs were stolen by cyber espionage. The list includes designs for the advanced Patriot missile system, known as PAC-3, according to the Washington Post. A separate report, also available on the Internet, shows research on vulnerability analysis of U.S. national missile defense software, including the PAC-3 Patriot Missile System.

It is clear that cyberattacks are becoming more sophisticated, and when the following characteristics are combined, it is fair to label the attack code a cyber weapon:

(a) use of ZDEs to bypass cybersecurity technology;

(b) use of a coordinated campaign of malicious programs for espionage, theft and sabotage;

(c) use of stealth to prolong malicious operations; and

(d) an attacker with apparent intimate knowledge of the workings of the targeted system – then the attack code can be labeled as a cyber weapon.

As more information describing details and possible vulnerabilities of sophisticated civilian and military equipment is acquired through cyber espionage, or is published openly, these systems may become the targets for future generation cyber weapons. The Stuxnet example has shown that future generation cyber weapons can go out of control, with unpredictable consequences.

While there has been no reported loss of life directly linked to cyberattacks, there is a growing temptation for nations to view cyber weapons as a “cleaner” form of warfare, to be favored over, or perhaps even replace, traditional negotiations that can be prolonged or frustrating. However, the next generation of cyber weapons will increasingly target and destroy physical equipment in industrial and military facilities, and the time may come when we also begin to see human casualties.

NEXT STORY: States flex cyber leadership muscle

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.