Govt employing hackers to attack own facilities - hacking expert
The internet has connected millions across the globe, rooting itself into the day-to-day activities. If something happens to it, it’s not just the end of kitty pictures - the whole world’s economy would collapse. What would the fallout be? How much harm can be done online? What does it mean to be a hacker these days? We ask professor at the University of Sussex and author of a book about hacking communities, Tim Jordan, on Sophie&Co.
Sophie Shevardnadze:Tim Jordan, professor at the university of Sussex, an author of the book about hacking communities, welcome, it’s great to have you on our show. So, tell me please, what kind of attacks can a terrorist stage online - like, what would be the 9/11 of cyberterror?
Tim Jordan: Well, the 9/11 of the cyberterrorism is probably shutting down wide-scale websites. So, you could, technically, if you’re very well prepared, issue attacks which would flood sites with enough information that would take them down - that is called “Denial of Service Attacks” - and they are often on the news these days. If you’re very coordinated, you could potentially take an awful lot of sites down at once. Now, because these kinds of attacks have been going on now for years, most sites have defences and no ways around them, and so, once you’ve started attack, it would become a real battle of trying to keep sites online. But what you may have seen in some cases is you can, for example, if you pick a government that has a lot of services online, a government that’s highly wired, you could aim to try and take down those services. There has been a lot of talk about the 9/11 being things like air traffic control systems being taken down, dams being taken over and floods being released and so on. There’s very little, next to no, evidence that those kinds of systems are accessible over the Internet and therefore accessible to terrorists or hackers who are distinct, unless they can actually have physical access to systems. The only case we know of, where it looks almost certain that someone remotely, over the Internet, was able to damage the physical infrastructure was an attack on Iranian nuclear facilities…
SS: Actually, actually, I was going to ask you about that, because we know that the Western intelligence agencies allegedly managed to introduce the Stuxnet in the Iran’s uranium processing center, so I’m thinking, what can stop skilled terrorists from doing something similar?
TJ: Effectively defences against them can stop that, and the fact that that attack was incredibly sophisticated - you need considerable expertise and there’s a lot of suspicion about what kind of expertise is available to certain governments. So, in this case, it is almost certainly the U.S. government, perhaps the Israeli government who developed the Stuxnet virus, and what help they’ve had from companies - for example, there were, I think, at least three exploits or bugs in Microsoft operating systems that were used in that virus. Whether there was help there or not - we’ll never know, because those kinds of things are secret. We know enough through kind of recent revelations to know that there are connections between security agencies and Internet companies and digital companies.
SS: Just a little bit more about the 9/11 of cyberterror. There’s the economic threats, like destroying records, destroying bank accounts, there’s freezing networks - what about the possibility of hacking into military system, taking control over an air carrier, like you’ve said? A satellite? Is that possible?
TJ: Like most things on the Internet, it’s probably technically possible, but practically impossible. Any system that was not both air gapped and watched closely - that would mean that system is being managed negligently. Those systems are very hard to access. You’ll see a couple of proofs or concepts out there, that people suggest could be done, but it’s very hard to imagine anything but extremely highly resourced state actor being able to do that kind of an attack.
SS: So that means that all those vital areas are totally secured? Am I understanding that right?
TJ: I think one of the things that we have in our brave new digital world is that nothing is totally secured. I mean, you could lock a computer in the room and then lock the room and then hope that’s secure - as soon as you’re connected to the Internet, there are connections, but all of those systems will be are gapped, even in the Stuxnet case, the systems that were attacked were not connected directly to the Internet - they were gotten by someone using a USB drive on one computer and then transferring it into another one. So, nearly all of those systems will be are gapped, all of those systems will kind of be robust in many ways - so, it’s not impossible, but it’s as close to impossible as you ever going to get in our world.
SS: You once highlighted the absurd insecurity of U.S. cyber-defences. What exactly did you mean?
TJ: The U.S. as we now know and as is now confirmed through the revelations that Edward Snowden released on the world, it has really upped its capability - in a sense we might see Obama as the first really kind of natively digital President of the U.S. who in his responses has seen ways of using new technologies that were initiated previously, but he has really put his weight behind them - and you’ll find in Snowden revelation, in the leaks he made, documents detailing how much extra resources - which were considerable - were put into cyber-defences; but also, under Obama, into cyber-attack resources for the U.S. government and the U.S. military.
SS: Is it impossible to secure anything that can be accessed through Internet? I mean, you’ve mentioned Stuxnet being partially off-line, terrorist like Osama Bin Laden, managed to become hack-proof by simply going off-line as well. Did governments and firms perhaps do something similar? Is that the only way?
TJ: Well, unfortunately, I think, that is the only way and we can also remember the West German government starting to buy typewriters again to get their documents off-line. Once things are online, you can make it extremely difficult to access them, but once things are online they are accessible in some ways, and what’s key about them is that they’re much easily copied; the Snowden leaks didn’t come out by someone hacking in - the NSA wasn’t broken into and documents copied and taken out. Someone inside copied them - and the fact is that in the past, for example in the Pentagon papers, Daniel Ellsberg had to spend a long time in the room with the photocopier - Snowden just had to download and copy things, and then that was easily copied to give them to several people, so the leaks become much harder to contain and it becomes much easier to have much larger leaks, and you can do that without any breaking into the system, you just need someone inside them. These systems are so large that there are thousands, hundreds of thousands of people who access to them, in any government around the world.
SS: Now, the U.S. says Chinese intelligence is using hackers for cyber attacks and so is Russia. How active is the U.S., in your opinion?
TJ: That is certainly true of the Chinese government. I’ve yet to see considerable report that establishes Russian government - but it would be a surprise if the Russian government wasn’t doing it also. The U.S. as we now know from the Snowden’s revelations is the best documented national government indulging in this kind of activity - and it is clearly doing extensive hacking of other governments, from physical hacking - if the government is buying, say, routers from a company in the U.S., they will intercept that, open the box, alter the router, re-seal it and send it on - and that’s all been documented, if you look it up in the correct areas of the Internet, you can see pictures of people doing that, that have been picked out from the Snowden’s revelations. So, there’s no question the U.S. government is doing it, it’s no question the Chinese government is also doing it.
SS: So, basically, we already witnessing an undeclared cyber world war, right? It seems like it.
TJ: Yes. I think, “war” is probably not quite the right word, because war involves destruction - this is much more of espionage. This is much more that, you know, James Bond is no longer the kind of films started - we see he’s very much someone sitting at the computer, developing viruses, worming their way into place, into opposition computers. So, it’s very much kind of cyber espionage which is going on here. It’s also industrial espionage - it’s pretty clear that on both sides of the fence, the governments involved in this are passing secrets onto companies to try and gain advantage for their own companies.
SS: Now, governments have hackers working for them, right - spying on other countries, on their own citizens - we’ve discussed that. In your opinion, does that increase or decrease the global security?
TJ: It decreases global security, it’s very clear that governments employing hackers can help to secure their own facilities, so nearly all governments will employ hackers to attack their own facilities - it’s a very common practice. You employ some hackers, give them the right to attack some systems, and you find out the vulnerabilities. So, hackers will be helping in their activities to secure government systems, the systems we all rely on these days - but in the same times, they will be introducing vulnerabilities. They’ll be introducing viruses like Stuxnet, they’ll be introducing other vulnerabilities. In the Snowden’s revelations it is clear that the U.S. government has tried to attack, for example, the protocol which secures most credit card transactions on the Internet and tried to introduce vulnerabilities into that, so that they will find it easier to track money by decrypting when someone uses the credit card. That introduces a wide vulnerability for all of us and undermines key component of global commerce.
SS: You’ve mentioned earlier how people are vulnerable while they’re online - because people want to be online every minute, that kind of activity is the future of consumer technology, phones, glasses, watches, books - so combined with worries about being snooped on and hacked, aren’t users just compromising their security when they’re always plugged in?
TJ: Unfortunately that is now the case. But it’s not so much that users are compromising their own security. Their security is being compromised by, for example, the British GCHQ, the British intelligence service, syphoning off all Internet-traffic that comes in on landlines into the UK, and putting it into the database that they can then review over three days. So, it’s not that user are making themselves insecure. All users should take a number of basic precautions, but we all know how difficult some people find it do to basic things, like updating their virus-checker, and running a firewall. Doing those things will give you a great deal of safety, because people who aren’t doing that are the ones who are being picked out most easily. Then, small, other efforts like not clicking on links in email - if someone sent you a link in an email, however friendly that seems to be, don’t click on it, ask them to send you a different way to find your way there.
SS: Now, in the 1980s hackers were talented school kids in their bedrooms. Who are they now?
TJ: They are a wide variety of people. As we discussed earlier, they’re now employed by the state, they’re employed by governments, they’re employed by companies - there are still individuals in their bedroom, communicating with other hackers. They’ve never been really isolated, hackers have always communicated with other people online, so even if they’re alone in their bedroom, they usually got 4-5 chat windows going and talking to 4-5 other people one way or another. So, there’s a whole range of different kinds of hackers, and there are hackers that are doing what we not often think of as hacking, which is breaking into systems - but are building systems: they are building software programs, they are building secure systems we can use. So, there’s kind of quite a range of hackers now out there.
SS: Now, in recent years, we also witnessed a rise of hacktivism - with politically-motivated hacker groups like the Anonymous, and they’ve targeted government agencies like the CIA, major corporations like Visa, Mastercard, Sony - how are they getting away with it. Are they impossible to catch, are they unstoppable?
TJ: Hackers get caught. We should be clear that if a hacker sends out a signal from their computer, however much they can conceal that by running it through different computers all over the world, that trace always ends up back at their computer - and so, hackers have been caught. For example, the LulzSecgroup, which was an offshoot of Anonymous and about two summers ago caused a major hacktivist action by hacking into a whole range of different services and so on - nearly all of those were caught. One of them, Hector Monsegur, who was known as Sabu has turned informant for the FBI, and still appears to be working for them. The rest were caught and jailed, and some of them are still in jail, but most of them are now out, so - hackers get caught.
SS: Now, Anonymous considers themselves freedom fighters. They support pro-Democracy protests, offer protection to human rights activists, like in Bahrain, for example. Are they the criminals the government labels them as? What do you think?
TJ: No, I think they are public protesters, but public protest is often criminal, you know - if you have a street demonstration, technically, you could probably be charged with criminal trespass for going to the street, but public protest is a part of most societies and it’s a vital part that enables the articulation of grievances. It’s also a vital part that allows protest against regimes that are extremely repressive. So, although, the Arab Spring and the succession of governments that were toppled there has led to very complex situation - it has also led to some real democratic advances in some of the countries, and Anonymous played a role in those; it certainly wasn’t the determining role and the view particularly of Western media that over-emphasized the role of Facebook and Twitter in those revolutions got to the point of being slightly silly, but it is very clear that those kind of resources played a role in the Arab Spring in helping the Arab Spring to be communicated and then helping the Arab Spring to be organised.
SS: Revelations about the massive extent of government spying has sparked a debate about online privacy. Will encryption become so user-friendly that anyone will use it, like using a proxy has become - because it was sparked by internet-control measures?
TJ: Yes, I think it will and it will have to. I mean, if you read some of the Snowden’s revelations, one of the triggers, that is listed in one of the internal documents there, for picking out target and looking more closely at them is whether they use encryption or not. Now, if we all used encryption, or if the majority of people used encryption, then you would no longer be able to pick out. But for that to happen it needs to be embedded in various systems, and that currently is not as easy as it may sound: it is certainly possible to do, and it’s possible to make it seamless and easy, but it would mean moving people off some of the email programs that are very popular, and them learning a bit more in terms of technical skills. One of the things to note about is that the fact that we would have such widely available encryption is thanks to hackers. The hackers who write programs as opposed to people who break into systems, produce kind of free encryption that’s available to everyone. If you download Thunderbird email browser and add to it the encryption with pretty good privacy - you can fairly quickly get your email set up with encryption that is widely available and do that with free programs, and the fact that that’s possible is really down to hackers.
SS: What about this area of Internet called the “Deep Web” - that kind of fascinates me. It was created by the U.S. intelligence in the first and now the NSA can’t even break into it. How did that happen?
TJ: But if you think about it, the web most of us know is the World Wide Web. And basically, that is just the way of pointing to resources that are available - so if you don’t point to yourself, you don’t get connected to the World Wide Web, but you’re still on the Internet. The Internet and the World Wide Web are slightly separate technical systems, and the World Wide Web sits on top of the Internet and relies on it. So if you just stay on the Internet - but that means, therefore, people have to know, for example, your internet protocol number, which is the number that identifies your computer on the Internet - they have to know that to find you. So, you can go dark, but it is still not off the Internet, it’s not some kind of wildly inaccessible place, and this has been rather overdramatized, particularly by security agencies seeking extra funding to try and get into these kind of places. The securing of the “dark” is really an issue of what’s called the “TOR” or the Onion router. TOR is a volunteer-run set of servers and code which would encrypt, which will bounce your communications between encrypted servers such that in makes it difficult to follow. TOR was co-invented by the U.S. military, by the U.S. Naval Research lab, but it’s open source and available, so it’s able to be worked on. So, it’s now a top version of TOR that is kind of out there. Of course, we can imagine, all military agencies have a requirement for secure communications, and that’s why they developed it - and ironically, it’s now something that’s available to all of us. It’s also clear from Snowden’s revelations that the U.S. government has been trying to break into it consistently and has only partially succeeded, as far as we know.
SS: So does that just mean that the Deep Web opened up possibilities for hackers to always have an upper hand on the authorities?
TJ: I don’t really think so, because the authorities are in the Dark Web as well. The Dark Web is not inaccessible, it’s not a place that the governments can’t find. In fact, a large part of Dark Web activity will government activity, as governments increasingly found and corporations increasingly found kind of activities that they want to keep out of public view. The idea of Dark Web as being some kind of shadowy, subterranean place that no one can find entry to is just isn’t the case. So, it will provide a place that hackers can access, but they had that forever. Hackers have always had - because their power and ability to act is based on expertise, on their knowledge of systems - they’ve always had the ability to create these channels, but most of us cannot be bothered with. Most of us will skype if we need to communicate with someone over the Internet, or use the voice communication program - and hackers will use more secured forms of those kinds of things.
SS: Could hacking activities cause a nation-wide internet outage? As Snowden has revealed in August, the NSA accidentally cause an internet outage in Syria in 2012.
TJ: The only times we’ve seen the Internet turned off is when governments have tried to turn it off. So, we’ve seen during the Arab Spring, Egypt at one point turned off the access to the Internet, we’ve seen that happen across in number of other governments. So, we’ve never seen hackers able to take down the whole infrastructure, but we have seen governments able to do it, so there is kind of technical possibility there.
SS: The FBI chief James Comey wants to stop Google and Apple from encrypting their device - but surely they can’t introduce anything that can’t be hacked by the government, can they?
TJ: Yes, certainly, it’s technically possible. You can introduce encryption that is extremely difficult to break down. Now, what we don’t know, what Snowden shot a light on, is that the government is far more advanced in breaking encryption that we had expected. So, it’s not clear whether the encryption that has been introduced would prevent governments accessing it, and it’s not clear whether it would in the future. It is certainly technically possible, currently to introduce - unless the government has a lot of secret means of breaking encryption - it is certainly technically to introduce encryption that is extremely difficult to break, whether to your private emails or whether someone like Google or whatever introducing it at corporate level.
SS: Tim Berners-Lee, the British computer scientist who invented the Web 25 years ago recently called for a Bill of Rights that would guarantee the independence of the Internet and ensure user’s privacy. At this point, how realistic is that prospect?
TJ: That prospect is not very realistic technically, because a lack of security was built into the fundamental design of the Internet, and Vint Ceft, who was one of the co-designers of the protocol that basically creates the Internet, whose rules you have to meet to go on to the Internet has recently lamented the fact that they didn’t built in security much more at the start. So, the underlying Internet is always going to be vulnerable until it is re-engineered, and people are looking at that. So, it’s technically possible to engineer a much greater level of security, because computers are a lot faster these days, and things you couldn’t do 20 years now are feasible. Whether a governance of the Web and Internet could be created, which was international and nation-state free is highly dubious at the moment. All the arguments about governing the Internet revolve around the fact that the U.S. technically owns the basic infrastructure but has basically given it over to a non-government corporation to run - it is now offering to give it over completely, and a lot of governments feel it should be run by something like the UN, a lot of engineers who run the Internet look in horror at that prospect and want to be independent of all government interference. Whether the governments will allow that or not, and whether we would see something as legitimate that is just run by engineers and technicians - I think it’s highly dubious.
SS: Tim, thanks a lot for this interesting view into the cyberspace, we were talking to Tim Jordan, professor at the university of Sussex, an author of the book about hacking communities, we were talking about what the government officials, terrorists and hackers can do over the Internet. Thanks a lot for that, that’s it for this edition of Sophie&Co, I will see you next time.