We are in the early years of a cyber war arms race, security guru Bruce Schneier warned delegates at the Infosecurity Europe exhibition on Wednesday.
Schneier, CTO of Resilient Systems, said the much publicised Stuxnet attacks on Iran by the US and Israel in 2010, Iran’s attack on Saudi Aramco, China’s apparent role in hacking GitHub, and the North Korean assault on Sony Pictures last year are all examples of the phenomenon.
“These nations are building up for cyber war and now we're all in the blast radius,” he warned, while speaking in London.
Most of these attacks — including Stuxnet and the assault on GitHub — inflict collateral damage, Schneier told El Reg, adding that cyber attacks are likely to become a mainstream aspect of many conflicts. “I’m afraid things will get out of hand,” he said.
During a keynote presentation, Schneier focused on a detailed commentary on last year’s attack on Sony Pictures. After months of doubting North Korea’s involvement in the attack, Schneier was finally convinced of its role by a mid-January article by David Sanger in the New York Times.
Other theories — most notably that a disgruntled insider collaborated with elements of Anonymous to launch the attack — were widely touted in the weeks following the attack. This illustrates the wider point that attributing attacks in cyberspace is very hard, Schneier said.
“You can be attacked and not be sure if it's a nuclear-powered government or two guys in a basement,” Schneier noted.
The security industry has developed technology to rebuff high-volume, unfocused attacks. However, skilled and focused attackers, commonly referred to in the infosec biz as advanced persistent threats (APTs), or otherwise known as state-sponsored cyberspies, remain a huge challenge.
“A sufficiently skilled, funded and motivated attacker will never fail to get in,” Schneier said. The “high skill, high focused” attack thrown against Sony would have floored most every target, he added.
“Fundamentally, I don't think any of us could withstand this type of attack from this type of adversary,” Schneier concluded.
Schneier claimed that the $15m clean-up costs booked by Sony Pictures in the wake of the attack seem to under-estimate costs, and further charges will likely follow.