6/20/2019 Can NSA Stop China Copying Its Cyber Weapons?

Cyber Weapons? « Breaking Defense - Defense industry news, analysis and commentary

Breaking Defense eBrief: Army Aviation Modernization – Down

NETWORKS / CYBER, THREATS

Can NSA Stop China Copying Its Cyber

Weapons?
China is copying malware the NSA has used against them. Is this preventable or is it an inherent
weakness of cyber warfare?

By THERESA HITCHENS on May 08, 2019 at 3:45 PM

124    
SHARES

NSA headquarters

WASHINGTON: Adversaries have been copying and stealing each others’ weapons
ever since Ape A threw a rock at Ape B and Ape B got the bright idea to throw it back.
But recent revelations from Symantec and The New York Times suggest this problem
is much bigger with cyber weapons. Why? In order to attack an enemy’s computer,
they have to copy their code onto it. It’s like bombing an enemy with munitions that
scatter their own blueprints around the blast site.

US hacking tools have gone astray before, most notoriously when a mysterious group
called Shadow Brokers repeatedly released National Security Agency code for hackers
around the globe to use in attacks like WannaCry. But cybersecurity analysts at
Symantec have found evidence that hackers working for China’s Ministry of State
Security were using NSA-built cyber weapons “at least a year prior to the Shadow
Brokers leak.” (To avoid offending nation-states, the Symantec report only IDs the
https://breakingdefense.com/2019/05/this-code-wont-self-destruct-can-nsa-stop-china-copying-its-cyber-weapons/ 1/5
6/20/2019 Can NSA Stop China Copying Its Cyber Weapons? « Breaking Defense - Defense industry news, analysis and commentary
Chinese as “Buckeye” and NSA as “Equation Group”). Symantec’s suggested
explanation: “one possibility is that Buckeye may have engineered its own version of
the tools from artifacts found in captured network traf c, possibly from observing an
Equation Group attack.”

“This is a signi cant revelation,” one retired naval

of cer told us. “With Shadow Brokers, the
assumption was that it was a group with signi cant
insider knowledge …. who had somehow pilfered the
software and released it. [This report] suggests to
me that 1) the issue of loss of control of sensitive
malware has gone on longer than understood and 2)
if Symantec’s [correct] that China likely captured the
software while it was been used by NSA, [then] using
cyber to collect intelligence is far riskier than
generally acknowledged.
Bryan Clark
“The new element in the story is that an
organization has reverse-engineered a deployed US cyber tool and reused it; previous
cases involved the theft or loss of a tool,” agreed Bryan Clark of the Center for
Strategic & Budgetary Assessments. “This would be similar to the Chinese nding a
Tomahawk missile that had failed to detonate and using it to build their own.”

The difference, Clark continued, is that physical bombs and missiles automatically
destroy themselves in the course of an attack, unless they’re duds. Cyber weapons
don’t.During war games, the cyber teams often assume that a weapon will only be
used once, for precisely this reason. “The solution is to make cyber weapons tamper
resistant,” he said, “which means their code cannot be determined without proper
encryption, or the code rewrites itself after use, ‘dudding’ the weapon.”

But even self-destructing code doesn’t guarantee a target of our cyber weapons can’t
copy them, Clark warned: “They will still run the risk of being detected and
characterized by a defensive system before the tamper resistant features activate.”

The

The American B-29 bomber (left) and its Soviet

copy, the Tu-4 (right) Blueprint Is The Weapon

Arti cial Intelligence: Ethics, Congress, Data

And The Tech

https://breakingdefense.com/2019/05/this-code-wont-self-destruct-can-nsa-stop-china-copying-its-cyber-weapons/ 2/5
6/20/2019 Can NSA Stop China Copying Its Cyber Weapons? « Breaking Defense - Defense industry news, analysis and commentary
Join Breaking Defense in this fascinating video webcast as we explore the
fundamental issues in the emerging age of arti cial intelligence and what that means
for national security.

Presented by Technical Partner

From BREAKING DEFENSE

Clever techniques, like malware that encrypts and/or deletes itself, can reduce the
risk that the target can copy weapons used against it. But part of the problem is
inherent to the nature of cyber warfare, which may require the US to think very
differently about this new form of con ict.

Of course, copying isn’t new: “Monkey see, monkey do” is central to the success of
primates in general, not just humans. In his book Guns, Germs, & Steel, Jared
Diamond traces how concepts like written language spread around the globe through
a combination of direct “blueprint copying” — the way the Romans adopted the Greek
alphabet, with minor changes, to write their own, very different language — and
indirect “idea diffusion” — as when Cherokee picked up the concept of written
language from European settlers, along with the shapes of some letters, but used
them to represent entirely different sounds.

Copying is common in the military realm as well. The Soviet Union spied extensively
on the American Manhattan project and used the stolen information to build their
own atomic bomb years before the West expected it. When American B-29 bombers
landed in Soviet territory in World War II, Stalin refused to return them to his nominal
allies and instead ordered his engineers to make the closest possible copy — not even
converting US measurements to metric — which became the Soviet Union’s rst
strategic bomber, the Tu-4.

But at least Imperial Japan wasn’t able to make its own copies of the B-29 just by
observing their bomb runs over Tokyo. That, in rough terms, is what Symantec
believes China has done with NSA’s cyber weapons.

Recommended

Iran: Israeli F-35s Rehearse Strikes As US Sends Troops — But

Will Europe Flinch?
https://breakingdefense.com/2019/05/this-code-wont-self-destruct-can-nsa-stop-china-copying-its-cyber-weapons/ 3/5
 Israeli experts
6/20/2019
fear that the Iranian attacks aim to drive a wedge between the US
Can NSA Stop China Copying Its Cyber Weapons? « Breaking Defense - Defense industry news, analysis and commentary

and Europe.

By ARIE EGOZI

The fundamental problem? To copy any physical weapon in history, from copper
swords to hypersonic missiles, you either have to steal the physical object and try to
reverse-engineer how it was made — as the Soviets did with the B-29 — or steal the
information that tells you how to make it — as the Soviets did with the A-bomb. But to
copy a cyber weapon, all you have to do is see it, because the weapon itself is made of
information. China copying the code the NSA used to attack them is less like what the
Soviets copying the A-bomb or the B-29 and more like the Romans copying the Greek
alphabet: Enemy see, enemy do.

That makes copycat cyber weapons extremely hard to stop. Even if the code is
encrypted, even if it erases itself after its attack, it has to be executed on the target’s
computer in order to affect it. That means the information of which the weapon is
made has to pass at some point through the enemy system. If the targeted computer
couldn’t understand the code, it couldn’t run it, so the attack wouldn’t work.

Air Force Cyber Protection Team exercise

Call For Caution

The ease with which cyber weapons can be copied calls for extraordinary caution in
their use, several experts told us. Even if Symantec’s analysis is wrong and the
Chinese were not actually able to copy US malware simply by analyzing the code it
left on the computers it attacked, there have been too many cases of hacking tools
getting loose in other ways.

“There is a trend of either — we don’t really know which — of insiders giving up

secrets (Snowden de nitely / Shadow Brokers maybe) and now insecure operations
(if Symantec is correct),” the former naval of cer said. “It seems like there should a
different [level of] oversight because of the risk to US systems…. an outside panel or
something of that sort. It would require NSA to really open up the books.
https://breakingdefense.com/2019/05/this-code-wont-self-destruct-can-nsa-stop-china-copying-its-cyber-weapons/ 4/5
6/20/2019 Can NSA Stop China Copying Its Cyber Weapons? « Breaking Defense - Defense industry news, analysis and commentary
“NSA will need to think about how to protect
against its cyber weapons when they
inevitably proliferate, as weapons builders in
the military services already do,” Clark
agreed. “It will be more problematic with
cyber weapons than physical weapons.” One
possible protection, he suggested, would be
to write a countermeasure for each weapon
Chendgu J-20 ghter prototypes, considered
developed, a patch for each vulnerability to
suspiciously similar to the American F-35 Joint
be exploited, and share them with allies Strike Fighter

when (or even before) the weapon is actually

used.

Another option is simply to use cyber weapons much more rarely — or not at all. The
loss to US intelligence-gathering and offensive operations will be outweighed by the
gains for cyber defense, one former Defense Department cyber of cial argued. “What
you need to do for intelligence on cyber tools and what you need to do for defense
fundamentally con ict,” the of cial said.

It’s all too easy for someone to copy your cyber weapon once you unleash it — or even
before you use it, if someone inside your organization leaks the code, accidentally or
intentionally. At the same time, because so many targets use the same software, and
so many would-be attackers are always probing those systems for weaknesses, the
fact that an adversary found the same vulnerability you did doesn’t mean they copied
you: They could have discovered it on their own. As a result, it’s tremendously dif cult
to gure out who originally developed a particular piece of code and who actually
attacked you with it — and the developer and the user don’t have to be on the same
side.

“There is no way to x this,” the of cial said. “I can think of an environment where
risks are more controlled, and that might be where the leading cyber powers are
having some dialogue about collaborative risk management for the use of cyber
tools…. If those dialogues were happening, then the risk of bad attribution would be
lower. It wouldn’t be eliminated.”

But the US and its rivals aren’t having those conversations, as far as we know. “The
absence of dialogue is very destabilizing,” the of cial said. “I don’t think this has been
well thought through.”

Topics: B-29, Bryan Clark, China, cyber espionage, cyber warfare, cybersecurity, National Security Agency, networks,
New York Times, nsa, o ensive cyber operations, Russia, Shadow Brokers, software, Soviet Union, symantec, Tu-4
bomber

Advertise

https://breakingdefense.com/2019/05/this-code-wont-self-destruct-can-nsa-stop-china-copying-its-cyber-weapons/ 5/5