Story

Cyberwarfare may lead to flying missiles, Russian hackers keep on hacking

Today we're continuing the series on cyber-crime and cyber-warfare. The United States, having come up with the internet in the first place, were also probably the first ones to acknowledge it as future - if not present - battlefields.

In 2009 it has established US Cyber Command. The official description is as follows: "USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries." Pretty vague if you ask me, but I guess well within the limits of a defensive military doctrine.

No one would be surprised though if it was found out that these guys do a little more than install firewalls and track down hackers - a couple of similar viruses - Stuxnet and Duqu - has been analyzed by IT specialists around the world with the conclusion that the sheer amount of resources and planning needed to create such sophisticated malware as well as narrow range of end targets suggest the programs were commissioned by a governmental entity.

The fact that they've been hampering Iranian nuclear program and the snide remarks left by some US officials in this regard gives grounds to believing they're taking cyberwarefare seriously and maybe not just defensively.

Moreover, last year the Pentagon declared cyber attacks a potential act of war - real war this time. That's right, the US top-echelon military have concluded that computer sabotage coming from another nation can constitute an act of war; in turn, this opens the door for the US to respond using traditional military force as one would respond to, say, a missile attack or ground invasion.

An unnamed military official told the Wall Street Journal: "If you shut down our power grid, maybe we will put a missile down one of your smokestacks." But of course, the world community world most likely frown upon that, given that what exactly constitutes an act of cyber-war is not really legally defined anywhere. For instance, there were rumors of viruses and worms crawling around US power grids that were allegedly commissioned by Russia or China. Are such rumors well-grounded? Do they warrant military response? Even if there was proof in, say, IP addresses left by hackers that led to some country, would this be enough?

What if it was done through proxy servers to lose the trail and done professionally enough not get noticed? Or, better yet, imagine a scenario where some rogue government comes up with the ultimate virus that is able to shut down a nation's vital infrastructure. It then sends the team of hackers to a major political arena player - seemingly, for a holiday.

The team then goes to an internet cafe or uses internet access from a library, a mall, a thousand places one can find connection these days. So they go online and work their magic, shutting down another major player on the global arena, perhaps deliberately leaving traces leading to the originating country. How would that play out? Or take the Stuxnet virus and the way some US and Israeli officials hinted they had something to do with it.

Would that virus be considered an act of war against Iran? Moreover, in January 2012, Mike McConnell, the former director of national intelligence at the US National Security Agency under President George W. Bush told the Reuters news agency that the United States has already launched attacks on the computer networks of other countries, not naming any nation in particular. Given the Stuxnet virus rumors and a number of unnamed sources quoted here and there, the general opinion is that it was, indeed, a cyber-attack against Iran. So by this logic, basically Iran was within rights of launching a military operation against the US, right?

Well, anyway, a little less than a year after this bold statement about cyber-war warranting real war made by the Pentagon, the Department of Defense realized it would need some sort of bulletproof set of rules, something to refer to should the aforementioned scenario take place. Thus, the US DOD now plans to draft up some relevant guidelines.

A House Armed Services Committee hearing earlier this week was mostly dedicated exactly to these issues. The bottom line is that the DOD will be delivering a set of cyberspace-specific rules of engagement in the coming months. Madelyn Creedon, assistant secretary of defense for Global Strategic Affairs said: "We are working closely with the joint staff on the implementation of a transitional command and control model for cyberspace operations".

In addition to setting ground rules for cyber-warfare, the DOD also plans to expand efforts to share classified information on possible threats with internet service providers and defense contractors. The latter is probably a smart move - as I've mentioned yesterday a lot of vital infrastructure networks are handled by private companies, not the state.

Oh, by the way, remember I talked about the Google-sponsored hackathon with a total of 1 million US dollars to go to those that find weaknesses in the Chrome browser? First one to win the largest prize - 60,000 dollars - was a Russian student Sergey Glazunov: he managed to hack into Chrome without exploiting third-party or operating system software.

A teenage hacker who identified himself only as PinkiePie was the second one to come with his own way of circumventing defenses. The remaining $880,000 was then left to be distributed to the Chrome Security Team as apparently no one else was able to tackle Google's browser.

But you know, Google isn't the only one paying hackers to direct their shady ways for the good of the users. Facebook is not only the largest social network, the team that's responsible for procrastination and stalking and, of course, socializing of over 700,000,000 people follows sort of a hacking philosophy.

It's called "The Hacker Way" and Mark Zuckerberg, the network's founder, shared this philosophy in an open letter to investors prior to Facebook's IPO earlier this year. "As part of building a strong company, we work hard at making Facebook the best place for great people to have a big impact on the world and learn from other great people. We have cultivated a unique culture and management approach that we call the Hacker Way." He acknowledges that the word “hacker” has somewhat of a negative rep these days - well, there's a reason for that, I mentioned some of these reasons earlier this week.

Anyway, he goes on to say that "In reality, hacking just means building something quickly or testing the boundaries of what can be done. Like most things, it can be used for good or bad, but the vast majority of hackers [I’ve met] tend to be idealistic people who want to have a positive impact on the world." Hence the "Hacker Way" - continuous improvement and iteration with a core belief something can always be better, and that nothing is ever complete.

Yes, the ever-changing Facebook and its every iteration spawning millions of user complaints is part of the Hacker Way. I guess they didn't come up with this philosophy just before the IPO - the company has conducted Facebook Hacker Cup last year and looks like it's going to be an annual event as the second iteration recently came to its conclusion.

And you know they take it seriously. The registration for the event opened in back January and started off with three online rounds of problem solving. Out of 6,000 qualifying submissions, the group finally has been shrunken down to just 25 and flown to Facebook headquarters for the finals. So what's the demographic of the best hackers willing to compete for some legal cash?

Turns out they were all male from all across around the world and a mix of students, independent coders, and employed professional programmers. With only one finalist from the US, the rest were from Russia, Germany, Ukraine, Poland, China, South Korea, Taiwan, and Japan. See anything familiar?

Looks like the stereotype of talented coders and hackers being concentrated in Eastern Europe and Far East are not necessarily just stereotypes, just saying. Along with the title of “world champion” as the top hacker, the first prize was $5,000, second prize is $2,000, $1,000 for third. Everyone else still gets a bonus - $100 - not much, really, but still better than nothing. Well, even the first prize is not quite the $60,000 from Google, but hey, at least they were flown to California for free, right?

I guess the organizers of the event really are shooting for the stars or at least urge the participants do the same as both last and this year no one was able to solve all three problems during the given time. But based on speed and accuracy, the winner completed one problem only 1 minute faster than the second place contestant. And that lucky participant, well, rather talented than lucky, I presume, hails from none other than Mother Russia. Roman Andreev, an 18-year old student of the St. Petersburg State University, sporting a bear and glasses could very well play a hacker slash nerd in a movie, but chose to actually be one and carried home the $5000 check as well as the very much physical trophy for his digital victory.

It is unclear if this annual event is anything more than just a hacking competition - but if I worked for Facebook, Google or national security recruiting department I would treat such competitions as a free headhunting pool of highly-qualified personnel. Or someone to put on my watch list. You know, just in case. With two major hacking competitions having Russian students as headliners, I guess those responsible for recruiting for the Russian cyber command know where to start.