Idealog talks with a cyber-war expert

International cybercrime experts descended on Auckland yesterday for the Cyber Security Summit to discuss the government’s new cyber security strategy, NZ’s vulnerability on an international scale and the ramifications of the high-profile ‘Panama Papers’ leak.

Among the more interesting speakers was Richard Bejtlich, chief security strategist at FireEye, former military intelligence officer and current pursuer of a Doctor of Philosophy in War Studies at King's College London.

Idealog sat down with him to discuss all things cyber and war-like.

Idealog: You're currently studying for a Doctor of Philosophy in War Studies…

Bejtlich: Yes, that's right. I'm working on that at King's College London.

That's the most exciting-sounding degree I ever heard of. What's involved?

Well there's a gentleman named Thomas Rid who wrote a book called Cyber War Will Not Take Place. I read it, I thought it was very interesting, but I fundamentally disagreed with it, and when I found out he was the professor of war studies at KCL – and I have always been interested in doing my PhD – I said 'Would you be interested in having me as one of your students?' and he said 'Of course'.

I've been working on it for about a year and a half and I've got about a year and half to go. 

So what was the thesis you disagreed with? 

Thomas, he’s German – and I dare say he may even be Prussian – so he's very ‘Clausewitzian’. Clausewitz was a famous Prussian strategist, one of the most famous strategists of all time, and Clausewitz says, 'If it's not violent, it’s not war'. My professor agrees: If it’s not violent, it's not war; cyber is not violent, so it can’t be war; therefore, cyberwar will not take place.

If you take a wider point of view however, perhaps from the Chinese perspective or the Russian perspective, they have a very expansive view of what war is – they think about it in terms of economics, finance, legal affairs, cultural affairs, and if you talk to some Chinese thinkers for example, they think they’re in a cyberwar with the United States and the West in general, they think, specifically that the United States started it and that the Great Firewall is the way that they defend themselves against Western culture. 

You're not just pontificating here as an academic, you've got a background in military digital security, right? 

Yes, that's right. I'm a graduate of the Air Force Academy and I was a captain in the Air Force, an intel officer, and I transitioned into the information side in the 90s and early 2000s.

So what was that era like? 

Well, back then we were still trying to figure out what all this meant and how to best defend ourselves. There were some famous hacking cases in the 80s. There was a gentleman named Cliff Stoll who found a German group that was working for the KGB and breaking into all sorts of military bases, and that got people thinking about this problem in the mid-eighties. Then, in the early nineties, as more security technologies started to be developed, we started to put some of these technologies out in the network to look for intruders, and, lo and behold, as soon as you start looking for them, you find them. That kicked off a desire to build a military computer response team. That was the beginning of a lot of the capability we have today. A lot of the people who are doing this sort of work come from the military and intel community.

Richard Bejtlich, chief security strategist at FireEye

So how do those issues compare to what we're facing now? 

Well, back then the targets were mostly military and government so the hackers who were out there were going after other military and government offices. The commercial hackers were very few and then there were a lot of kids and young adults who were fooling around on the network.

During the course of the 2000s the scope of that increased dramatically, particularly the activity from the Chinese and organised crime groups in Eastern Europe as the Soviet Union fell apart. The volume of the activity and the intensity of that activity has increased since then – in addition to more actors joining the environment. 

Here in New Zealand we might think 'Hey, these aren’t really our problems. These are the problems of superpowers. Who would care about this little dot at the bottom of the world?' How realistic is that world view?

The unfortunate reality is this: If you’re connected to the internet, you’re vulnerable and you’re a target, and the reason is, even if you have nothing of value, no intellectual property, no personal information, no credit cards, no bank account, none of that, your computers would still be used by other people to launder their activities. If you want to hide your identity, you break into computers in this country and route through this country to attack others, and as far as the victim sees, it looks like New Zealand is the source of the attack. 

But the fact is, this country does have intellectual property, it has world-leading industry, it has personally identifiable information, it has financial accounts, all of this makes a great target for a variety of actors who can reach you from anywhere in the world. 

So what are we doing at addressing this issue? 

Well the positive is that you have a government that seems to be very motivated. You’re putting together a national computer emergency response team, which is great, you have a strategy that's gone through two iterations and the commitment to keep updating it as necessary to meet the realities of the situation, so all that’s great. 

The areas for improvement basically involve mindset. You have to make sure that this is recognised as being a problem, that boards and companies are engaged and they see this as a problem that needs to be worked on, and you need to make sure that you're spending your time and resources on approaches that work. So it's not about just deploying more firewalls and rolling out more anti-virus software. You really need to spend time figuring out what you have, what you're trying to protect. You want to spend time looking for intruders that are probably already in your environment.

So business should be leading the way themselves, right? This isn't the kind of thing the government can just 'take care of'. 

That's right. There is no government solution to this problem. There are no laws that can be passed that will make this go away. There are certain responsibilities and powers that the government has – in terms of its relationship with other states and setting up an environment that’s conducive to business – but as far as defending yourself, that's a private sector responsibility. 

What are the emerging trends in regards to cyber warfare? What are we going to be facing in five to ten years? 

Anyone who can project five or ten years ahead, I'd like to have them pick my stocks, but one of the things I think you'll see in that timeframe is more and more nations having capabilities to inflict on each other. So there's the US, the UK, Russia, China, Iran and North Korea, but there are plenty of other countries – Brazil, South Africa and Australia to a certain extent. There have been reports of places like Vietnam developing their own capabilities, and many times this is driven by fears of other countries and what's being done by them, so I think you'll see more actors out there.

In the immediate term, what we've been tracking more and more of is extortion, ransomware. You break into a company, encrypt the files on various computers and then demand a ransom to get the encryption key to decrypt those files. It's a wonderful business model if you’re a criminal. Extremely low risk, very high pay-outs – the pay-out can be done anonymously with Bitcoin – so we've been working a lot of those cases over the last year. 

These things are often framed as us – the good guys – responding to foreign aggressors. But are we aggressors in this game too?

Well I guess it’s what you consider 'aggression'. In that respect, intelligence agencies of the developed world are very active against each other to the extent that you consider their presence inside your network a cause for worry. Most of the time though, just conducting reconnaissance or surveillance on somebody else’s network isn’t seen as aggressive. The problem is that if you’re in somebody else's network, there's no way to tell whether that access is for information gathering or for some destructive action. The only difference is the intent of the intruder. Because if I’m on your computer I could just as easily watch, destroy, change or steal, so that's what makes it an unstable situation. When you find an intruder inside an organisation you don’t know what they’re there to do. 

We're really conscious of our physical, military presence around the world, but cyber warfare isn’t the kind of thing we acknowledge as a constant presence. Is it, essentially, a secret war? 

Yes, some people have described it that way. Speaking as an intelligence officer, in those days it was a combination of passive collection – getting information by radar or via dishes, or watching satellites and that sort of thing – or you had active collection via human assets, with people breaking into facilities to access files or whatever. Cyber is in-between. It's an active collection but it doesn’t involve humans being sent to some place. They're not standing outside the building with a dish collecting signals, they're inside that other organisation. That’s what's different about it.

And because you’re on somebody else's infrastructure it can be an unstable situation. It doesn't even have to be an intentional act. You could be simply looking around in someone's computer and you accidentally type in the wrong command or you make a mistake and you wipe out their computer by accident. The other side will interpret that as an aggressive act and you just made a mistake. There are several instances of that attributed to the United States where, apparently by accident, some operators may have taken down some routers in Syria, blacked out the country as far as internet goes and they didn't mean to. They were simply trying to conduct some surveillance on internet traffic in Syria. 

Wow. That's kind of terrifying. 

Well that's what's scary about it. If you find yourself in a hospital or an electric grid and you're there by mistake – and you make a mistake while you're there and cause a problem – the other side isn't going to care. They are going to say 'Hey, why did you kill the people in this hospital? Why did you black out the electric grid?', and by that point it's too late.

Is this the future of war? Will viruses one day replace bombs? 

That's a very hot topic and what it comes down to is reliability. If you're in a meeting of military commanders and the lead commander is saying 'We have a target, we need to achieve this effect; who's going to take responsibility?', the air power commander can say 'Well, I can get my stealth pilot in there and I can drop a bomb and take care of that target'; the navy commander might say 'Well, I can send a missile and destroy it', and you can go around the table and get all these different answers. If you go to the cyber-person, they'll say 'Well, we need to check that we have access to that target; I can't really guarantee at this point whether the effect would be what you expect'. The cyber-world doesn't necessarily have that level of reliability. However, in some cases it's the best option, because you don't want to have an overt act of war. So the United States and Israel could have bombed the factories or the enrichment plants at Natanz in Iran and achieved their objective of slowing down the Iranian nuclear program, but that would've been really obvious, really dangerous and clearly an act of war.

Instead, by all reports, they decided to use a cyber capability like Stuxnet. So in some cases, even though you don't get to know that it will be 100% effective, it is the best answer because it maintains that plausible deniability and it's below the threshold that most people would consider to be 'very aggressive'.

It's been a trend since World War II that we don't have these all-out wars and we're not dropping nuclear weapons on each other, thankfully. There have been plenty of real fighting wars like Korea and Vietnam and Iraq and Afghanistan, but they've all stayed below that threshold of bringing out nuclear weapons, so to the extent that cyber can be part of that equation where we don't want to have an all-out nuclear war where hundreds of thousands of people are being killed on each side, cyber, I think, will be part of that new capability.

Well that’s good, but I suppose the other side of that is that we trade all-out war for perpetual war, right? 

Well, yes. To a certain degree anyway. I think that's true.