If you discovered a casino with a slot machine that had a flaw that would allow you to win and continue to win, what would you do?
The virtuous thing to do would be to immediately inform the casino operator. There would also be the temptation to “dine out” on the vulnerability. A more lucrative option would be to sell the information to unscrupulous others.
But when the flaws in any system are discovered, and they can be bought and sold on the market, the consequences can be catastrophic, as depicted by Nicole Perlroth in her book This Is How They Tell Me The World Ends, published earlier this year.
Nicole Perlroth is an award-winning cyber-security journalist who reports for The New York Times and regularly lectures on this subject at the Stanford Graduate School of Business.
Oh, and incidentally, without going into specifics, the slot machine story is not a furphy. It’s exactly what happened through 2001-03, and many people made a motza.
The money lost by vendors and operators through defective slot machines pales in significance against the socio-economic costs and losses of a catastrophic infrastructure meltdown.
Most of the world’s infrastructure is now online. Suffice to say, critical infrastructure is viewed as a high-value target for hackers. And with the advent and exponential expansion of the Industrial Internet of Things (IIoT), wherein myriad systems interact with the physical world, an escalation of vulnerabilities is inevitable.
Picture this: ambulances career down car-crashed streets as traffic lights flash all three colours simultaneously. Casualties are rushed to hospitals but find them full of pandemic patients. The power grid goes down. No water, no heating. People are freezing. Vaccinations are spoiling along with produce. E-commerce, transportation systems, utilities, and all kinds of critical communications come to a halt. Add an extreme climate event, and you wouldn’t be blamed for thinking the end of the world was nigh.
Excluding the extreme climate event—the increasing frequency and intensity of which we can attribute to climate change—this kind of orchestrated nightmare might be the work of a “zero-day attack”.
It’s all a bit Hollywood, but sophisticated hackers are proving a nightmare for governments all around the world
Perlroth, in her book, which gets a bit technical at times but is a gripping read nonetheless, lays out the findings of her “seven-year” investigation into the “zero-days” market.
A prominent thread running through her story, much in the mould of the former MI5 spy and simply superb writer, John le Carré, is how governments are more and more devising ways to use hacking as a weapon.
Throw some Eric Snowden in there and an inkling of Peter Hyams’s End of Days, and Perlroth sets the scene for a suspenseful spy-cum-apocalyptic thriller.
So what’s a “zero-day”?
Perlroth explains: “A zero-day is a software or hardware flaw for which there is no existing patch.” She goes on: “They got their name because, as with Patient Zero in an epidemic, when a zero-day flaw is discovered, software and hardware companies have had zero days to come up with a defence.”
A “zero-day vulnerability”, the most effective weapon in a spy’s arsenal, according to Perlroth, has the power to shut down major fuel pipelines (for example, last month’s ransomware cyberattack on the Colonial Pipeline in the US), alter the outcome of an election (for example, Russian interference in the 2016 US presidential election), or shut down an electricity grid (such as the world-altering 2015 cyberattack on Ukraine’s power grid).
Even more devastating would be to circumvent the safety controls of a nuclear power plant. Thankfully this one hasn’t happened yet, but we all know the potential fallout, with Three Mile Island in 1979, Chernobyl in 1986, and Fukushima in 2011.
And if you think this couldn’t happen: before Ukraine’s power grid was shut down by hackers, who used malware to infiltrate the system’s control network, a cyber assault of this kind was considered science fiction.
As Chris Soghoian, a prominent privacy rights researcher and activist, warned at the Kaspersky Analyst Summit back in 2012: “As soon as one of these weaponised zero-days sold to governments is obtained by a ‘bad guy’ and used to attack critical U.S. infrastructure, the shit will hit the fan.”
One can now say with confidence that the “shit has certainly hit the fan”.
The digital universe now links all so-called “smart” devices to all of the people
Most software flaws are innocuous, and the software behemoths regularly issue patches to correct them. Zero-days, however, are vulnerabilities that can be used to extort, influence, spy, disable, damage, and destroy. In short: as weapons to extract a ransom or as weapons of war to destroy an adversary’s capacity to function.
And according to Perlroth, governments have been buying them up and storing them in heavily secured vaults. As Perlroth puts it, the “vaults contained a catalogue of vulnerabilities and exploits that granted entry into most nooks and crannies in the digital universe”.
And the digital universe covers most of our planet and the satellites orbiting it. But some of the more mundane vulnerabilities held in the vaults were details of how the CIA could hack into smart TVs, cars, and web browsers. Virtually anything from your smartphone to government agencies and company databases to banks and the distribution networks of major energy suppliers.
And as Perlroth explains, agencies such as the NSA and CIA could hack and spy on devices even when they were turned off.
But US intelligence agencies don’t hold all the keys just yet
In 2015, the iPhone used by one of the two shooters in the December terrorist attack in San Bernardino, California, which left 14 people dead and 22 seriously injured, became the centre of a dispute between the FBI and Apple.
Naturally, the FBI believed Apple should help with the investigation by providing access to the encrypted iPhone. Apple, conversely, believed that creating a back door would weaken the iPhone’s security, and that the weakness could be exploited by malicious actors.
The FBI initially sought a court order to compel Apple to comply with its request, but later backed down after it found an outside group that could access the locked and encrypted phone.
That outside group was Azimuth Security, a publicity-shy Australian company that claims to only sell its services to democratic governments. Azimuth covertly devised a solution to unlock the device and provide access to the FBI.
Azimuth was only recently exposed (in April this year) as the group engaged to unlock the iPhone. Apple is now suing Azimuth for breaching its security protocols. This, however, shows that no matter the device’s encryption and data protection, there is always someone who can hack it.
The universal rule of the zero-day market is you don’t talk about the zero-day market
To say that the zero-day market is shrouded in secrecy is an understatement. You do not talk about the zero-day market. That said, since the publication of Perlroth’s book, the number of related postings on Google has ramped up significantly.
Websites openly list the going price for zero-day exploits, ranging from $60,000 (Adobe Reader in May this year) up to $2,500,000 (the iOS and iPadOS mobile operating system in March this year) per one zero-day exploit.
Naturally, it’s all about the money for individual hackers, brokers, and organised cybercrime groups. They reserve their zero-day exploits for high-value targets, so there is an unwritten code of strict silence regarding the discovery of a zero-day vulnerability and the lucrative transaction it might afford.
On the flip side, for a member of a cybersecurity software team charged with defending against cyberattacks, a zero-day vulnerability means a patch must be developed “yesterday”, because the hack has already happened.
It’s like leaving the back door of your house open, and intruders are already in your kitchen replacing your vitamin C tablets with poison pills. You need to find a way to get them out and lock that door post haste.
The zero-days market is now an incredibly lucrative playground for brokers and hackers
From about the early 2000s, the US lost control of its hoard of zero-day vulnerabilities. The market for zero-days has since evolved into a veritable smorgasbord for enterprising cybergangs.
As such, the frequency of zero-day attacks continues to grow. In April of this year, after the worst year for “extortion-related cyberattacks” in 2020, the US Department of Justice created its first ransomware task force (RTF). This was prompted by a 102 per cent increase in cyberattacks in the first half of 2021 compared to 2020.
And as a consequence of the COVID-19 pandemic that has forced companies to institute remote workforces, hackers have significantly more opportunity to orchestrate ransomware cyberattacks. They are also hugely more sophisticated than they were just a few years ago.
From the beginning
The Internet will be 30 years old on August 6 this year. And although its benefits are manifold, malicious users continue to invent ways to weaponise it for profit, influence an outcome, or cause chaos.
On July 1, 2019, the Australian government launched its ACSC Annual Cyber Threat Report. Since the launch, 59,806 cybercrimes have been reported, an average of 164 per day or one every 10 minutes. Incidents range from cyber abuse to identity theft to ransomware and the shutdown of major business operations, for example, June’s cyberattack on JBS, the world’s largest meatworks.
But as far back as the mid-1960s and the initial planning of the Advanced Research Projects Agency Network (ARPANET) — the first reliable wide-area packet-switching network — the Pentagon’s Defense Science Board Task Force on Computer Security was aware that existing technology could not provide a bulletproof security system in an open network environment.
In a report on the threats and risks of an open network in October 1972, the prominent security change agent James P. Anderson argued that communication via computers provided a “unique opportunity” for espionage and sabotage by malicious actors and was virtually impossible to defend against. And because of the exponential growth of connections, one solitary attack could take down an entire network.
Anderson went further to list additional security threats and risks, including “accidental spillage of classified information, physical penetration of system sites, interference with or intercept of communications, mishandling of classified material and the like”. All were vulnerable to an external breach and “require attention in the design, implementation and operation of a system.”
Paul Maxwell, a cybersecurity expert at the US Army Cyber Institute, summed up the zero-days threat perfectly in a paper he presented at the 12th International Conference on Cyber Warfare and Security in 2017:
“In the current state of global affairs, a market exists for zero-day exploits where researchers, nation-states, industry, academia, and criminal elements develop, buy, and sell these commodities. Whether they develop zero-days or purchase them, nation-states commonly stockpile them for the future. They may then use them for purposes such as: espionage, offensive cyber operations, or deterrent effect. The immediate effect of this stockpiling though is that the exploit is not divulged to the public and is therefore not remediated. In our increasingly networked and code dependent world, this creates the potential for a cyber disaster with yet unimaginable impacts on global stability.”
And as Perlroth writes: “There are no patches for zero-days, until they are uncovered.” That is, before you can devise a solution to get out of it, you’re already deep in it.
Have we inadvertently created a monster?
British scientist Tim Berners-Lee created the world wide web (WWW) in 1989. His vision was for an open, egalitarian system that would be for everyone.
In 2018 he wrote on a Medium blog that “The changes we’ve managed to bring have created a better and more connected world. But for all the good we’ve achieved, the web has evolved into an engine of inequity and division; swayed by powerful forces who use it for their own agendas.”
In the months just before the publication of Perlroth’s book, multiple US government agencies and major corporations were hit with a massive cyberattack.
Hackers, believed to be Russian, used several tactics to compromise the networks of more than 250 companies and government agencies, including the Department of Homeland Security, the Commerce and Treasury Departments, the State Department, the Department of Justice, and the Pentagon.
All of these have numerous layers of the most sophisticated cybersecurity money can buy. Despite this, the hackers managed to insert a vulnerability into a piece of monitoring software common to all of them.
Weaponising the web is now a focus of both governments and cybercriminals. To be sure, the monster we have created is far removed from what Tim Berners-Lee envisioned back in the 1980s. Few could have predicted the downside of an invention that was purposely built to enhance connectivity between people.
But as the nonconformist poet, painter, and visionary William Blake so eloquently articulated: “hindsight is a wonderful thing but foresight is better”!
Dr Stephen Dark has a PhD in Climate Change Policy and Science, and has lectured at Bond University in the Faculty of Society & Design teaching Sustainable Development and Sustainability Economics. He is a member of the Urban Development Institute of Australia and the author of the book Contemplating Climate Change: Mental Models and Human Reasoning.