
Cyber Spying Is Out, Cyber Lying Is In

BY ELIAS GROLL - NOVEMBER 20, 2015


Let's say a military commander, the captain of a destroyer, for example, walks into a darkened
room packed with screens and can no longer trust the pictures his radar and other sensors are
generating, Adm. Michael Rogers, director of the National Security Agency, wondered aloud at a
defense forum earlier this month. "What happens if what I'm looking at, in fact, leads me to make
decisions that only exacerbate the problem I'm trying to deal with?"
"Our system, whether it's in the private sector or for us in the military, is fundamentally founded
on the idea of trust of the data we're looking at," Rogers said, speaking at the Reagan National
Defense Forum, a who's-who gathering of the U.S. national security establishment in Simi Valley,
California. "What happens if the digital underpinning that we've all come to rely on is no longer
believable?"
In public appearances and congressional testimony in recent months, America's top intelligence
officials have repeatedly warned of what they describe as the next great threat in cyberspace: hackers
not just stealing data but altering it, threatening military operations, key infrastructure, and broad
swaths of corporate America. It's the kind of attack they say would be difficult to detect and capable of
seriously damaging public trust in the most basic aspects of both military systems and a broader
economy in which tens of millions of people conduct financial and health-related transactions online.
Director of National Intelligence James Clapper has made equally dire predictions about what the
future holds: operations that change or manipulate electronic information to compromise its integrity,
instead of simply deleting or disrupting access to it.


Drones could beam back images of an empty battlefield that is actually full of enemy fighters.
Assembly robots could put together cars using dimensions that have been subtly altered, ruining the
vehicles. Government personnel records could be modified by a foreign intelligence service to cast
suspicion on a skilled operative.
So far, such attacks aren't taking place in vast numbers, but as militaries theorize about their use and
cyberweapons continue to proliferate, recent cutting-edge attacks illustrate how information can
become a domain of warfare. In Iran, the Stuxnet worm released by the United States and Israel
convinced engineers at the Natanz plant that their centrifuges were operating correctly, when they had
in fact been overpressurized in order to malfunction. In Georgia and Ukraine, Russia has defaced and
targeted websites as part of its ongoing military operations in the two countries. According
to documents leaked by Edward Snowden, GCHQ, the British signals intelligence agency, has
explored developing tools to alter the outcome of online polls.
Some computer experts argue that the data manipulation threat may be overblown. At its most basic
level, cryptologist Bruce Schneier said, an attack manipulating or undermining the integrity of data
tries to change a one to a zero, referring to the basic binary code at the heart of computer systems.
While there are obvious military applications for such attacks, there are easier ways for cybercriminals to make their money. Attacks that manipulate data tend to be more damaging than
profitable, he said.
In an interview with Foreign Policy, Sean Kanuck, the national intelligence officer for cyber-issues and
a senior advisor to Clapper, said there are reasons to believe that criminals could profit from data
alteration and integrity attacks, which he said could range from website defacements to changing
financial records.
In 2013, Kanuck noted, a pro-Assad group known as the Syrian Electronic Army hacked into the
Twitter account of the Associated Press and broadcast a fake report about explosions at the White
House. The Dow Jones industrial average then dropped nearly 150 points, erasing $136 billion in
market value.
As it became clear that the report was a hoax, the market quickly recovered. But that steep fall,
followed by a sudden gain, almost certainly redistributed financial value as stocks were bought and
sold, Kanuck said. The hackers, in theory, could have shorted a market index fund and liquidated their
position during the turmoil, making themselves a handy profit.
It's difficult to say whether that's a far-fetched, conspiratorial scenario or something that might actually
take place. Theoretically, it's possible. In reality, no evidence has been made public that the group
placed those bets or currently has plans to.
The challenge lies in drawing the line between actual capabilities in cyberspace and warnings by
Washington's top spies that are overblown. Kanuck conceded that advanced data manipulation
attacks may not be fully upon us and said Clapper's warning stems mostly from theoretical,
conceptual, and strategic thought processes at the National Intelligence Council.
Such attacks seem far more probable and would be far more dangerous in future intelligence
operations or military confrontations. In an imagined naval battle between the United States and
China, for example, Beijing's forces could conceivably hack into the computer system of a destroyer
and wipe from its sensors the fighter jets speeding toward it.

Indeed, altering the data available to enemy forces represents a key part of military cyberstrategies, a
development the Pentagon has laid out in its official doctrines. The Defense Department's Joint
Publication 3-13, on information warfare, explains that cybercapabilities can be used to deny or
manipulate enemy decision-making, including by altering the contents of messages. According
to a 2010 report by the Swedish Defense Research Agency, the manipulation of information and data
represents an offshoot of the Russian military doctrine of maskirovka, or camouflage, concealment,
and deception.
Moscow has already demonstrated its willingness to use data manipulation in its military conflicts with
Ukraine and Georgia. Cyberattacks linked to Russia that targeted Ukraine's 2014 election included the
publication of a hoax chart claiming a strong result for a far-right candidate, the Wall Street
Journal reported this month. Prior to the Russian invasion of Georgia in 2008, pro-Moscow hackers
defaced a website belonging to then-Georgian President Mikheil Saakashvili and posted images of
him with Hitler.
"In the future, you are going to see nation-states try to pull off data manipulation attacks against one
another leading up to a conflict," said Martin Stytz, an associate research professor at Georgetown
University and a retired U.S. Air Force lieutenant colonel. "It's just another tool in the toolbox. It gives
you just too much advantage."
Conceptually, computer security experts tend to describe their work in terms of ensuring the
availability, confidentiality, and integrity of data. Distributed denial-of-service attacks, such as those
U.S. officials say Iran launched on major American banks in 2013, affected the availability of
information by taking down online banking services. Breaking into a bank's computer systems and
stealing customer information, such as the breach of JP Morgan Chase in 2014, affects the
confidentiality of information. Attacks on availability and confidentiality have gotten the lion's share of
attention, Kanuck said, when integrity issues could pose just as great a problem.
Indeed, the effort by the United States and Israel to cripple Iran's ability to enrich uranium with a
cyberweapon shows how data manipulation can serve as a complex attack on physical infrastructure.
The first version of that virus, known as Stuxnet, attempted to damage centrifuges enriching uranium
by slightly raising the pressure in the devices, causing them to break. It included an ingenious piece of
deception to ensure that the plant managers at Natanz wouldn't notice the rising pressure levels.
Stuxnet recorded a set of pressure data and then replayed it to the control room as it was carrying out
the sabotage, just like a Hollywood thief records closed-circuit footage of an empty hallway leading
to a vault and then plays it back during the heist.
Countries with significant offensive cybercapabilities (China, Iran, Russia, and North Korea, among
them) have almost certainly analyzed the code and could pull off a copycat attack, according to
experts who have studied the malware.
Not that it would be easy to pull off, according to Ralph Langner, an industrial security expert whose
firm works to protect nuclear power plants, steel mills, and other complex plants from cyberattacks. He
authored the early, definitive analyses of Stuxnet, and his work illustrates how difficult it is to use
cyberweapons to destroy physical objects. "Whoever provided the required intelligence may as well
know the favorite pizza toppings of the local head of engineering," his 2013 report on Stuxnet notes.
"Any idiot can manipulate data in some way once they have the access," Langner told FP. To cause
physical destruction, however, the hacker must be able to engineer an attack, requiring a deep
understanding of how complex industrial systems function.

The future, Langner explained in his 2013 report, is burdened by an irony: Stuxnet started as nuclear
counter-proliferation and ended up [opening] the door to proliferation that is much more difficult to
control: The proliferation of cyber weapon technology. So as criminal groups increasingly operate in
cyberspace and cyberweaponry becomes increasingly available, sophisticated alteration attacks,
including those that target physical infrastructure, begin to seem less far-fetched.
Manipulation of data also has a far simpler, earlier analogue in the history of computer breaches.
Mikko Hypponen, the chief research officer at F-Secure, said Rogers's and Clapper's statements
reminded him of so-called data-diddling attacks in the late 1990s and early 2000s. Those attacks
targeted Excel files and would randomly alter data entries, say, up or down five percent. If such a
document contained manufacturing tolerances for a plant, random alterations could have devastating
impacts.
Such a simple attack illustrates the virtues of a subtle, slow approach. When Iranian hackers targeted
Saudi Aramco, the oil company, in 2012 and wiped the hard drives of 30,000 computers, the results
were devastating and immediately apparent. Recovering from such an attack means merely
restoring back-ups, assuming such copies were made anyway.
According to FireEye, it typically takes around 200 days for a company to discover that its computers
have been breached, and, in that time, an attacker altering data can make changes that a company
may not be able to recover from. "When was everything still OK? When was the data that we should
return to? Six months ago? How do we go back six months?" said Jani Antikainen, summing up the
questions a company faced with such an attack will ask itself.
Antikainen believes Clapper and Rogers have identified a real threat moving forward and is the
founder of Sparta Consulting, a Finland-based company set up to take advantage of what he sees as
a market opportunity. His firm helps companies protect databases from manipulation. In an indication
that firms are perhaps reaching the same conclusions as American spies, Antikainen said he counts
the company that manages the Finnish electrical grid as one of his clients.
Photo credit: JACQUES DEMARTHON/AFP/Getty Images
Posted by Thavam
