22 November 2017

The future of cyberwar: Weaponised ransomware, IoT attacks and a new arms race

By Steve Ranger 

After at least a dozen years in the shadows, cyberwarfare is gradually emerging into daylight. While cyber weapons were mostly developed and used by intelligence agencies as part of secret missions, they are now becoming an acknowledged military option during conflicts. Here are predictions about how cyberwarfare will evolve over the next year.

The cyber arms race will accelerate

Having a cyberwarfare capability is the latest must-have for many nation states, which has sparked a cyber arms race that shows no sign of slowing down. NATO, for example, recently updated its strategy to include the potential use of cyber weapons alongside traditional munitions. In the short term, this will likely mean that researchers will find a ready market for zero-day exploits, as governments continue to build their stockpiles. However, as intelligence agencies and the military spend more on building up cyber weapons there will come, inevitably, pressure to prove the worth of that investment.

Cyber weapons will become a standard feature of warfare

As NATO secretary general Jens Stoltenberg said recently, noting the use of cyber weapons against ISIS in Iraq and Syria: "in any military conflict, cyber will be an integrated part."

The actual type and sophistication of the attacks deployed will vary; an opponent with little in the way of tech to disrupt will require a different set of options to one with a sophisticated infrastructure to defend.

No doubt there will still be extremely sophisticated cyber weapons developed and deployed against specific extremely high-value targets (although we may not hear about them). But the use of more standard cyber weapons and techniques will become commonplace. Cyberspace is now considered just another part of the battlefield.

Stealthy cyberwar preparations will continue

There will be no let-up for energy companies, high-tech manufacturers and government agencies; state-backed hackers (from many nations) will continue to poke and pry at their systems, looking for access to those all-important industrial control systems, which could be used to cause chaos at a later date.

Some of these companies may still not even consider themselves to be potential targets because, unlike a big bank, they don't have much worth stealing. But these hackers aren't looking to steal money, but to break things (like a power or a rail network), which means even organisations involved in the least glamorous bits of our critical infrastructure need to pay attention, fast.

Weaponised ransomware will be your next big headache

Ransomware has been at the heart of some of the biggest security stories of this year, and it will be the same in 2018. But the motivation of ransomware users is shifting in an even more dangerous direction. Up until now most ransomware has been used to extract a ransom (usually in all-but-untraceable Bitcoin) from those unlucky enough to be hit with it.

That's bad enough, but there's already a trend towards using ransomware as a weapon, where devices are encrypted, rendering data inaccessible, and the perpetrators don't offer a key. It's not hard to see this weaponised ransomware being utilised—perhaps by hackers loosely aligned with a nation-state—to cause problems for rivals. The only problem is that these kinds of attacks can rapidly spiral out of control: even if you aren't the intended victim you might still get hit.

The IoT will be a cyberwar and cyber espionage gold mine

Unsecured Internet of Things devices (like webcams and routers) have already been press-ganged into a botnet - Mirai - which was then used to carry out Distributed Denial of Service attacks against websites. But because that secret double life didn't really affect the day-to-day performance of these gadgets, owners probably barely noticed (and likely cared even less). But it's easy to imagine a situation where the growing armada of IoT devices could be used against us, too. Perhaps an attacker could switch on every smart appliance at once in a bid to overload the power network, or simply cause chaos by turning every smart lock into a useless (and unbudging) piece of metal.

IoT gadgets are also brilliant tools for cyber espionage: we are literally filling our homes and offices with cameras and microphones that are far too easy to hack. That's going to generate a fantastic trove of data that could be used to locate or even blackmail high-value targets.

Failure to patch will be the cause of another giant security disaster

Everyone gets very excited about zero-day exploits: previously undiscovered holes in software that can be used to attack systems and against which there is no defence. Stuxnet used at least four different ones.

But already-known vulnerabilities will continue to be by far the biggest source of gaps in IT defences, and will be exploited by nation-state hackers and criminals alike. New software vulnerabilities are being found on a daily basis and vendors publish new patches and updates almost as regularly. Keeping up with that flow is hard, especially if the patches are for key systems and may need testing. This year demonstrated just what can happen when users fall behind on keeping systems up to date: a patch for the exploit that allowed the WannaCry ransomware to spread globally was available 59 days before the crisis hit.

Unless you are being specifically targeted (in which case, good luck), having the basics of security in place will be enough to make state-backed hackers go and find an easier target.

Encryption will be your friend

Governments and politicians will continue their love-hate relationship with encryption, wanting it as strong as possible for their own secrets and communications, while simultaneously wanting to water it down for everyone else. That dynamic is unlikely to change, but in the battle between politics and mathematics there is only going to be one winner.

That's probably going to be good for all of us, for both privacy and security. Particularly with the rise of the Internet of Things, we are sharing our homes and workplaces with more devices that record our words and deeds. And as automatic systems (like driverless cars) become commonplace, we'll need to be able to trust the security of those systems too. While governments would love to be able to access all communications, they don't want other governments to have the same privilege, which means banning encryption is off the table... for now.
