Cyberwar, like any war, never rests. Neither does the simulated one taking place at HackMiami, where co-founder Rod Soto, a 38-year-old computer-security specialist from the area, is running a cyberwar game. Though the consequences of their hacking are fake, the technology they're breaking is real. They actually are hacking Fedora, an operating system used by computers in China, infiltrating Zeus, a malicious "botnet" army of computers, and commandeering North Korean industrial controls for power-plant systems. It's just that everything's simulated and run on a closed network, so as not to inadvertently start World War III. The purpose of this event, besides the recruiting going on, is to teach the hackers how to find vulnerabilities in other nation's machines. "It gives you the blueprint and the knowledge if you ever want to attack them," Soto says.
So far, the truth about the extent of the U.S.'s offensive attacks against other countries has been shadowy at best. There's Stuxnet, which has yet to be officially attributed to the U.S. (or Israel), and NSA leaker Edward Snowden's recent claim the U.S. has launched widespread cyberattacks against China. Beyond that, the closest we've come was Hillary Clinton's admission last year of a State Department attack on an Al Qaeda propaganda site in Yemen.
Related: Julian Assange Opens Up About Wikileaks Battle, House Arrest and the Future of Journalism
The tensions around this topic are partly because the laws governing cyberwar are still being determined. As Rear Adm. Margaret Klein, chief of staff of Cyber Command, the Ft. Meade-based defense center for U.S. military networks, put it last year, "Attorneys and scholars face a variety of complex legal issues arising around the use of this new technology." But experts are pushing for more offensive measures regardless. The Commission on the Theft of American Intellectual Property concluded that "new options need to be considered." It seems our government is already heeding the call.
A June leak of a presidential directive from Obama, which had been issued in October, reveals that the U.S. is, at the very least, getting its cyberwarriors in line. In addition to calling for a list of international targets, the directive argued that "Offensive Cyber Effects Operations... can offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging."
But while the government remains quiet about the existence or extent of their offensive measures, hackers and contractors I spoke with are, albeit cautiously, more forthcoming. HackMiami organizers James Ball and Alex Heid, security specialists for a major financial company they prefer not to name so as not to anger their bosses, say they have based this weekend's cyberwar simulation on real-life hacks they conducted on their own of terrorist networks and organized-crime groups. Ball infiltrated an Al Qaeda forum online and posted the archives on his site, TerroristMedia.com. Heid became notorious for hacking the stealthy Zeus botnet in Russia.
But the government hires private contractors to do such attacks on its behalf as well. The cyberwar underworld is rife with contractors who fashion themselves to be "the Blackwater of the Internet," as Heid puts it, "information mercenaries…private sector guys who are going on the offensive, but you don't hear about it." At least not usually.
Companies like Accuvant are capable of creating custom software that can enter outside systems and gather intelligence or even shut down a server, for which they get can paid up to $1 million. For example, Humperdink says, they would be able to unleash an attack to take a country like China completely offline. "We could stop their cyberwarfare program," he says. "Five years ago, I remember the North Koreans were doing missile testing, right? If [the U.S. government] came to a company like us and said, 'Here's $15 million,' we could turn a North Korean missile into a brick. If you came to us with $20 million and said, 'We wanna disable every computer there in Iran, and they'd have to replace them' – not a problem." For added flair, each program Accuvant sells gets its own cyberpunk handle – like Purple Mantis – and is delivered on a jet-black thumb drive inside a custom case with the name laser-etched on a plaque.
"So how many offensive plays are going on now?" I ask.
"A lot," Bonvillain says.
"More than people would realize?"
"Yes," he replies.
Then Bonvillain falls silent. He puffs his e-cigarette, considering a more diplomatic response. "The U.S. government," he says, "is great at hiding everything they do."
To see what the front line of cyberwar really looks like, I visit the National Cybersecurity and Communications Integration Center in Arlington, Virginia, the Department of Homeland Security's mission control. It's one of our most important hubs in digital warfare, alongside the FBI and NSA. A wall of video screens show online the attacks on the IRS and NASA – both agencies were compromised by a Distributed Denial of Service Attack, a technique that floods a site with access requests, slowing or downing it completely.
The four-year-old NCCIC – employees pronounce it "enkick" – is the country's nerve center for online threats. Twenty-four hours a day, teams drawn from a pool of 500 DHS cyberpersonnel sit at the ready in this sprawling, windowless command cave. Flickering diagrams on the front wall track the dangers in real time: traffic anomalies at federal agencies, cyberalert levels for each state's website, a map of our country's telecommunications system ("There's no cyber without fiber!" a steely engineer tells me).
Fortunately, at the moment, the threat against the IRS and NASA proves to be relatively harmless. However, the number of cyberincidents is on the rise. Fiscal year 2012 saw 190,000; this year's number is already over 214,000.
Overhauling the feds' image to lure young tech talent has become a major priority. In a way, it's akin to the shift in Silicon Valley – away from the business suits of IBM to the Adidas sandals of today. The National Science Foundation now offers a CyberCorps Scholarship for Service program that places winning students in government agencies. The DHS is among the sponsors of the invite-only "Cyber Camps," which hold hacking contests for prospective employees. Aside from the "sense of duty" and high-level security clearance that NCCIC director Larry Zelvin tells me lures his team away from fat paydays elsewhere, the power of being inside the government system is the greatest perk. "You just don't get that in a corporation," he says.
Last year, the DHS assembled a cyberskills task force, which drew from hacker hubs including Facebook and DefCon, to recommend changes in their recruiting. To get the estimated 600 more hackers the DHS needs, the report concluded, the agency should "focus more attention and resources on…'branding' of cybersecurity positions," including "cool jobs."
Napolitano says that "the money and the culture" are the chief obstacles the Department of Homeland Security runs into when recruiting hackers to join. "We don't require our folks to wear a coat and tie," she says, "and I'm not interested in the precise hours they work as much as I'm interested in getting the work done" – but she stops short of saying hackers can work from home in Teenage Mutant Ninja Turtle pajamas.
But maybe if you're young and brilliant and looking for online action, there's something undeniable about working for the biggest, baddest government on the planet. Sitting here under the dormant red warning lights, there's a sense of being at the center of the matrix – and this is plenty tantalizing for some, including th3_e5c@p15t, winner of the cyberwar contest back at HackMiami. With his skills, he can write his own ticket, which he hopes to cash in with the feds. He says he wants to be as close to the front line as he can get: "I see it as a righteous cause."
^ed
No comments:
Post a Comment