Cyber Spying Is Out, Cyber Lying Is In

Let’s say a military commander — the captain of a destroyer, for example — walks into a darkened room packed with screens and can no longer trust the pictures his radar and other sensors are generating, Adm. Michael Rogers, director of the National Security Agency, wondered aloud at a defense forum earlier this month. “What happens if what I’m looking at, in fact, leads me to make decisions that only exacerbate the problem I’m trying to deal with?”

“Our system — whether it’s in the private sector or for us in the military — is fundamentally founded on the idea of trust of the data we’re looking at,” Rogers said, speaking at the Reagan National Defense Forum, a who’s-who gathering of the U.S. national security establishment in Simi Valley, California. “What happens if the digital underpinning that we’ve all come to rely on is no longer believable?”

In public appearances and congressional testimony in recent months, America’s top intelligence officials have repeatedly warned of what they describe as the next great threat in cyberspace: hackers not just stealing data but altering it, threatening military operations, key infrastructure, and broad swaths of corporate America. It’s the kind of attack they say would be difficult to detect and capable of seriously damaging public trust in the most basic aspects of both military systems and a broader economy in which tens of millions of people conduct financial and health-related transactions online.

Director of National Intelligence James Clapper has made equally dire predictions about what the future holds: operations that “change or manipulate electronic information to compromise its integrity, instead of simply deleting or disrupting access to it.”

Drones could beam back images of an empty battlefield that is actually full of enemy fighters. Assembly robots could put together cars using dimensions that have been subtly altered, ruining the vehicles. Government personnel records could be modified by a foreign intelligence service to cast suspicion on a skilled operative.

So far, such attacks aren’t taking place in vast numbers, but as militaries theorize about their use and cyberweapons continue to proliferate, recent cutting-edge attacks illustrate how information itself can become a domain of warfare. In Iran, the Stuxnet worm released by the United States and Israel convinced engineers at the Natanz plant that their centrifuges were operating normally when the worm was in fact overpressurizing them so that they would fail. In Georgia and Ukraine, Russia has defaced and targeted websites as part of its ongoing military operations in the two countries. According to documents leaked by Edward Snowden, GCHQ, the British signals intelligence agency, has explored developing tools to alter the outcome of online polls.

Some computer experts argue that the data manipulation threat may be overblown. At its most basic level, cryptographer Bruce Schneier said, an attack manipulating or undermining the integrity of data tries to change a one to a zero, referring to the binary digits at the heart of computer systems. While there are obvious military applications for such attacks, there are easier ways for cyber-criminals to make their money. “Attacks that manipulate data tend to be more damaging than profitable,” he said.

In an interview with Foreign Policy, Sean Kanuck, the national intelligence officer for cyber-issues and a senior advisor to Clapper, said there are reasons to believe that criminals could profit from data alteration and integrity attacks, which he said could range from website defacements to changing financial records.

In 2013, Kanuck noted, a pro-Assad group known as the Syrian Electronic Army hacked into the Twitter account of the Associated Press and broadcast a fake report about explosions at the White House. The Dow Jones industrial average then dropped nearly 150 points, erasing $136 billion in market value.

As it became clear that the report was a hoax, the market quickly recovered. But that steep fall, followed by a sudden gain, “almost certainly redistributed financial value” as stocks were bought and sold, Kanuck said. The hackers, in theory, could have shorted a market index fund and liquidated their position during the turmoil, making themselves a handy profit.

It’s difficult to say whether that’s a far-fetched, conspiratorial scenario or something that might actually take place. Theoretically, it’s possible. In reality, no evidence has been made public that the group placed those bets or currently has plans to.

The challenge lies in drawing the line between actual capabilities in cyberspace and warnings by Washington’s top spies that are overblown. Kanuck conceded that advanced data manipulation attacks “may not be fully upon us” and said Clapper’s warning “stems mostly from theoretical, conceptual, and strategic thought processes at the National Intelligence Council.”

Such attacks seem far more probable — and would be far more dangerous — in future intelligence operations or military confrontations. In an imagined naval battle between the United States and China, for example, Beijing’s forces could conceivably hack into the computer system of a destroyer and wipe from its sensors the fighter jets speeding toward it.

Indeed, altering the data available to enemy forces represents a key part of military cyberstrategies, a development the Pentagon has laid out in its official doctrines. The Defense Department’s Joint Publication 3-13, on information operations, explains that cybercapabilities can be used to “deny or manipulate” enemy decision-making, including by altering the contents of messages. According to a 2010 report by the Swedish Defense Research Agency, the manipulation of information and data represents an offshoot of the Russian military doctrine of maskirovka — or camouflage, concealment, and deception.

Moscow has already demonstrated its willingness to use data manipulation in its military conflicts with Ukraine and Georgia. Cyberattacks linked to Russia that targeted Ukraine’s 2014 election included the publication of a hoax chart claiming a strong result for a far-right candidate, the Wall Street Journal reported this month. Prior to the Russian invasion of Georgia in 2008, pro-Moscow hackers defaced a website belonging to then-Georgian President Mikheil Saakashvili and posted images of him with Hitler.

“In the future, you are going to see nation-states try to pull off data manipulation attacks against one another leading up to a conflict,” said Martin Stytz, an associate research professor at Georgetown University and a retired U.S. Air Force lieutenant colonel. “It’s just another tool in the toolbox. It gives you just too much advantage.”

Conceptually, computer security experts tend to describe their work in terms of ensuring the availability, confidentiality, and integrity of data. Distributed denial-of-service attacks, such as those U.S. officials say Iran launched on major American banks in 2013, affected the availability of information by taking down online banking services. Breaking into a bank’s computer systems and stealing customer information, such as the breach of JP Morgan Chase in 2014, affects the confidentiality of information. Attacks on availability and confidentiality have gotten the lion’s share of attention, Kanuck said, when integrity issues could pose just as great a problem.

Indeed, the effort by the United States and Israel to cripple Iran’s ability to enrich uranium with a cyberweapon shows how data manipulation can serve as a complex attack on physical infrastructure. The first version of that worm, known as Stuxnet, attempted to damage centrifuges enriching uranium by slightly raising the pressure in the devices, causing them to break. It included an ingenious piece of deception to ensure that the plant managers at Natanz wouldn’t notice the rising pressure levels. Stuxnet recorded a set of pressure data and then replayed it to the control room as it was carrying out the sabotage — just like a Hollywood thief records closed-circuit footage of an empty hallway leading to a vault and then plays it back during the heist.
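The replay trick described above only works because the monitoring side has no way to tell a recorded reading from a live one. The following is an added example, not code from the article or from any plant, showing the standard countermeasure: the sensor side attaches an HMAC over a monotonically increasing counter, a timestamp and the value, and the monitoring side rejects anything whose tag fails, whose counter goes backwards, or whose timestamp is stale. The key, the scenario and the readings are all constructed for illustration.

```python
"""Replay-resistant sensor telemetry (added example; not from the article)."""
import hashlib
import hmac
import struct

# Hypothetical key shared between the sensor and the HMI. In a real plant it
# would live in a hardware key store on the sensor, never in source or on the
# engineering workstation an intruder is likely to control.
SENSOR_KEY = b"example-key-not-for-production"


def _canon(counter: int, ts: float, pressure_mbar: float) -> bytes:
    """Fixed-width encoding of the fields the tag covers."""
    return struct.pack("!Qdd", counter, ts, pressure_mbar)


def seal_reading(counter: int, ts: float, pressure_mbar: float) -> dict:
    """Sensor side: bind counter, timestamp and value together under the key."""
    tag = hmac.new(SENSOR_KEY, _canon(counter, ts, pressure_mbar), hashlib.sha256).hexdigest()
    return {"counter": counter, "ts": ts, "pressure_mbar": pressure_mbar, "tag": tag}


class Monitor:
    """HMI side: accept a reading only if the tag verifies, the counter
    advances, and the timestamp is fresh against the HMI's own clock."""

    def __init__(self, max_skew_s: float = 5.0):
        self.last_counter = -1          # must be persisted across restarts
        self.max_skew_s = max_skew_s
        self.rejections = []            # (counter, reason) for the audit log

    def accept(self, reading: dict, now: float) -> bool:
        expected = hmac.new(
            SENSOR_KEY,
            _canon(reading["counter"], reading["ts"], reading["pressure_mbar"]),
            hashlib.sha256,
        ).hexdigest()
        if not hmac.compare_digest(expected, reading["tag"]):
            self.rejections.append((reading["counter"], "bad tag"))
            return False
        if reading["counter"] <= self.last_counter:
            self.rejections.append((reading["counter"], "counter replayed or rolled back"))
            return False
        if abs(now - reading["ts"]) > self.max_skew_s:
            self.rejections.append((reading["counter"], "stale timestamp"))
            return False
        self.last_counter = reading["counter"]
        return True


def simulate():
    """Constructed scenario: ten genuine readings, then an attacker replays the
    first five recorded 'normal' readings, then forges one without the key."""
    mon = Monitor()
    genuine = [seal_reading(i, 1000.0 + i, 1.0) for i in range(10)]
    accepted = sum(mon.accept(r, 1000.0 + r["counter"]) for r in genuine)

    # Replay: the bytes are genuine, so the tags verify, but the counters
    # have already been seen and the timestamps are minutes old.
    replay_accepted = sum(mon.accept(r, 1010.0 + k) for k, r in enumerate(genuine[:5]))

    # Forgery: a fresh counter and timestamp, but no key to compute the tag.
    forged = {"counter": 11, "ts": 1015.0, "pressure_mbar": 1.0, "tag": "00" * 32}
    forged_accepted = mon.accept(forged, 1015.0)

    return accepted, replay_accepted, forged_accepted, mon.rejections


if __name__ == "__main__":
    ok, replayed, forged, reasons = simulate()
    print(f"genuine accepted={ok} replayed accepted={replayed} forged accepted={forged}")
    for counter, why in reasons:
        print(f"  rejected counter {counter}: {why}")
```

The caveat a practitioner would raise is that this only helps if the signing key sits on a device the attacker does not control. Stuxnet ran on the PLC and engineering station themselves; with the key on that same host it could simply have re-signed whatever it replayed, which is why the key must be hardware-rooted on the sensor side and the counter state must survive HMI restarts.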

Countries with significant offensive cybercapabilities — China, Iran, Russia, and North Korea, among them — have almost certainly analyzed the code and could pull off a copycat attack, according to experts who have studied the malware.

Not that it would be easy to pull off, according to Ralph Langner, an industrial security expert whose firm works to protect nuclear power plants, steel mills, and other complex plants from cyberattacks. He authored the early, definitive analyses of Stuxnet, and his work illustrates how difficult it is to use cyberweapons to destroy physical objects. “Whoever provided the required intelligence may as well know the favorite pizza toppings of the local head of engineering,” his 2013 report on Stuxnet notes.

“Any idiot can manipulate data in some way once they have the access,” Langner told FP. To cause physical destruction, however, the hacker “must be able to engineer an attack,” requiring a deep understanding of how complex industrial systems function.

The future, Langner explained in his 2013 report, is burdened by an irony: “Stuxnet started as nuclear counter-proliferation and ended up [opening] the door to proliferation that is much more difficult to control: The proliferation of cyber weapon technology.” So as criminal groups increasingly operate in cyberspace and cyberweaponry becomes increasingly available, sophisticated alteration attacks, including those that target physical infrastructure, begin to seem less far-fetched.

Manipulation of data also has a far simpler, earlier analogue in the history of computer breaches. Mikko Hypponen, the chief research officer at F-Secure, said Rogers’s and Clapper’s statements reminded him of so-called “data-diddling” attacks in the late 1990s and early 2000s. Those attacks targeted Excel files and would randomly alter data entries, say, up or down five percent. If such a document contained manufacturing tolerances for a plant, random alterations could have devastating impacts.

Such a simple attack illustrates, from the attacker’s point of view, the virtues of a subtle, slow approach. When Iranian hackers targeted Saudi Aramco, the oil company, in 2012 and wiped the hard drives of 30,000 computers, the results were devastating and immediately apparent. Recovering from such an attack means merely restoring backups, assuming such copies exist.

According to FireEye, it typically takes around 200 days for a company to discover that its computers have been breached, and, in that time, an attacker altering data can make changes that a company may not be able to recover from. “When was everything still OK? When was the data that we should return to? Six months ago? How do we go back six months?” said Jani Antikainen, summing up the questions a company faced with such an attack will ask itself.

Antikainen, the founder of Sparta Consulting, a Finland-based company set up to take advantage of what he sees as a market opportunity, believes Clapper and Rogers have identified a real threat moving forward. His firm helps companies protect databases from manipulation. In an indication that firms are perhaps reaching the same conclusions as American spies, Antikainen said he counts the company that manages the Finnish electrical grid as one of his clients.
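Both the data-diddling attacks Hypponen describes and Antikainen’s question of “when was everything still OK?” come down to the same engineering problem: a backup is only useful if you can tell which copy predates the tampering. The following is an added example, not code from the article, F-Secure or Sparta Consulting, of the usual answer: chain a hash over each record and its predecessor, keep the chain in a store the database host cannot rewrite, and on suspicion recompute the chain to find the first record that no longer matches. The records, the 5 percent nudge and the storage arrangement are constructed for illustration.

```python
"""Tamper-evident record chain to locate the last known-good record
(added example; not from the article or the firms it mentions)."""
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64


def record_hash(prev: str, seq: int, record: dict) -> str:
    """Hash of one record bound to its sequence number and predecessor, so a
    silent edit anywhere breaks every later link. Canonical JSON keeps the
    hash stable across key order and whitespace."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev.encode() + seq.to_bytes(8, "big") + canon).hexdigest()


def build_chain(records: list) -> list:
    """One chain hash per record; the last one commits to the whole history."""
    hashes, prev = [], GENESIS
    for seq, rec in enumerate(records):
        prev = record_hash(prev, seq, rec)
        hashes.append(prev)
    return hashes


def first_tampered_index(records: list, trusted_hashes: list) -> Optional[int]:
    """Recompute the chain from the live data and return the index of the first
    record whose hash disagrees with the trusted copy, or None if all agree."""
    prev = GENESIS
    for seq, rec in enumerate(records):
        prev = record_hash(prev, seq, rec)
        if seq >= len(trusted_hashes) or prev != trusted_hashes[seq]:
            return seq
    return None


def demo():
    """Constructed: thirty daily tolerance records; an attacker nudges one
    value by five percent in the style of the data-diddling attacks above."""
    records = [{"day": d, "part": "shaft-17", "tolerance_mm": 0.050} for d in range(1, 31)]
    # The trusted chain is written to storage the database host cannot modify
    # (WORM media, a separate trust domain, or a signed external log).
    trusted = build_chain(records)
    assert first_tampered_index(records, trusted) is None

    live = [dict(r) for r in records]
    live[17]["tolerance_mm"] = round(0.050 * 1.05, 4)   # day 18 silently altered

    idx = first_tampered_index(live, trusted)
    last_good_day = live[idx - 1]["day"] if idx else None
    return idx, live[idx]["day"], last_good_day


if __name__ == "__main__":
    idx, bad_day, good_day = demo()
    print(f"first mismatch at index {idx} (day {bad_day}); restore from day {good_day}")
```

The check answers “how do we go back six months?” only if the trusted hashes themselves were out of the attacker’s reach: an intruder with write access to both the table and the hash store simply rebuilds the chain. Anchoring the chain head in an external system, or signing it with a key held elsewhere, is what turns the dwell-time problem into a bounded restore.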

Photo credit: JACQUES DEMARTHON/AFP/Getty Images