Cyber Weapons? « Breaking Defense - Defense industry news, analysis and commentary
WASHINGTON: Adversaries have been copying and stealing each others’ weapons
ever since Ape A threw a rock at Ape B and Ape B got the bright idea to throw it back.
But recent revelations from Symantec and The New York Times suggest this problem
is much bigger with cyber weapons. Why? In order to attack an enemy’s computer,
the attacker has to copy their own code onto it. It’s like bombing an enemy with munitions that
scatter their own blueprints around the blast site.
US hacking tools have gone astray before, most notoriously when a mysterious group
called Shadow Brokers repeatedly released National Security Agency code for hackers
around the globe to use in attacks like WannaCry. But cybersecurity analysts at
Symantec have found evidence that hackers working for China’s Ministry of State
Security were using NSA-built cyber weapons “at least a year prior to the Shadow
Brokers leak.” (To avoid offending nation-states, the Symantec report only IDs the
https://breakingdefense.com/2019/05/this-code-wont-self-destruct-can-nsa-stop-china-copying-its-cyber-weapons/ 1/5
6/20/2019 Can NSA Stop China Copying Its Cyber Weapons? « Breaking Defense - Defense industry news, analysis and commentary
Chinese as “Buckeye” and NSA as “Equation Group”). Symantec’s suggested
explanation: “one possibility is that Buckeye may have engineered its own version of
the tools from artifacts found in captured network traffic, possibly from observing an
Equation Group attack.”
The difference, Clark continued, is that physical bombs and missiles automatically
destroy themselves in the course of an attack, unless they’re duds. Cyber weapons
don’t. During war games, the cyber teams often assume that a weapon will only be
used once, for precisely this reason. “The solution is to make cyber weapons tamper
resistant,” he said, “which means their code cannot be determined without proper
encryption, or the code rewrites itself after use, ‘dudding’ the weapon.”
But even self-destructing code doesn’t guarantee a target of our cyber weapons can’t
copy them, Clark warned: “They will still run the risk of being detected and
characterized by a defensive system before the tamper resistant features activate.”
The
Clever techniques, like malware that encrypts and/or deletes itself, can reduce the
risk that the target can copy weapons used against it. But part of the problem is
inherent to the nature of cyber warfare, which may require the US to think very
differently about this new form of conflict.
Of course, copying isn’t new: “Monkey see, monkey do” is central to the success of
primates in general, not just humans. In his book Guns, Germs, & Steel, Jared
Diamond traces how concepts like written language spread around the globe through
a combination of direct “blueprint copying” — the way the Romans adopted the Greek
alphabet, with minor changes, to write their own, very different language — and
indirect “idea diffusion” — as when Cherokee picked up the concept of written
language from European settlers, along with the shapes of some letters, but used
them to represent entirely different sounds.
Copying is common in the military realm as well. The Soviet Union spied extensively
on the American Manhattan project and used the stolen information to build their
own atomic bomb years before the West expected it. When American B-29 bombers
landed in Soviet territory in World War II, Stalin refused to return them to his nominal
allies and instead ordered his engineers to make the closest possible copy — not even
converting US measurements to metric — which became the Soviet Union’s first
strategic bomber, the Tu-4.
But at least Imperial Japan wasn’t able to make its own copies of the B-29 just by
observing their bomb runs over Tokyo. That, in rough terms, is what Symantec
believes China has done with NSA’s cyber weapons.
The fundamental problem? To copy any physical weapon in history, from copper
swords to hypersonic missiles, you either have to steal the physical object and try to
reverse-engineer how it was made — as the Soviets did with the B-29 — or steal the
information that tells you how to make it — as the Soviets did with the A-bomb. But to
copy a cyber weapon, all you have to do is see it, because the weapon itself is made of
information. China copying the code the NSA used to attack them is less like the
Soviets copying the A-bomb or the B-29 and more like the Romans copying the Greek
alphabet: Enemy see, enemy do.
That makes copycat cyber weapons extremely hard to stop. Even if the code is
encrypted, even if it erases itself after its attack, it has to be executed on the target’s
computer in order to affect it. That means the information of which the weapon is
made has to pass at some point through the enemy system. If the targeted computer
couldn’t understand the code, it couldn’t run it, so the attack wouldn’t work.
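The argument above can be shown with a toy script. This is an added illustration, not code from the article or from any of the tools it mentions: the "weapon" is a harmless one-liner, XOR-masked with a throwaway key, and the point is only the information flow, namely that even a self-decrypting, self-erasing payload hands plaintext to the target's interpreter before it can erase anything, so a defender who instruments that execution point captures it.

```python
# Added illustration of the article's point, not code from the article: a
# payload shipped obfuscated and decrypted only at run time still has to hand
# plaintext to the interpreter, so a defender who hooks the execution point
# records it before any self-destruct step runs.
from typing import Callable, Dict, List

# Constructed sample: harmless one-liner, XOR-masked with a throwaway key.
KEY = b"\x5a\xa3\x17"
PLAINTEXT_PAYLOAD = "EFFECTS.append('payload ran')"
EFFECTS: List[str] = []  # side effect the payload produces on the "target"


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_stager(payload: str) -> bytes:
    """Sender's side of the thought experiment: only ciphertext is shipped."""
    return xor(payload.encode(), KEY)


def wire_reveals_plaintext(blob: bytes) -> bool:
    """Passive capture of the blob alone does not show the payload."""
    return PLAINTEXT_PAYLOAD.encode() in blob


def run_stager(blob: bytes, exec_fn: Callable[[str, Dict], None]) -> bytes:
    """Target's side: decrypt in memory, execute, then 'dud' the weapon by
    returning a zeroed buffer. Note the order: execution comes first."""
    code = xor(blob, KEY).decode()
    exec_fn(code, {"EFFECTS": EFFECTS})
    return b"\x00" * len(blob)  # self-destruct happens only after execution


def defended_execution(blob: bytes) -> Dict[str, object]:
    """Defender's side: instrument the execution point so whatever the stager
    hands the interpreter is recorded before it runs (or is blocked)."""
    captured: List[str] = []

    def hooked_exec(code: str, glb: Dict) -> None:
        captured.append(code)  # characterize first ...
        exec(code, glb)        # ... then decide whether to let it run

    remains = run_stager(blob, hooked_exec)
    return {"captured": captured, "effects": list(EFFECTS), "remains": remains}


if __name__ == "__main__":
    blob = build_stager(PLAINTEXT_PAYLOAD)
    print("plaintext visible on the wire:", wire_reveals_plaintext(blob))
    print("defender captured:", defended_execution(blob)["captured"])
```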
The ease with which cyber weapons can be copied calls for extraordinary caution in
their use, several experts told us. Even if Symantec’s analysis is wrong and the
Chinese were not actually able to copy US malware simply by analyzing the code it
left on the computers it attacked, there have been too many cases of hacking tools
getting loose in other ways.
Another option is simply to use cyber weapons much more rarely — or not at all. The
loss to US intelligence-gathering and offensive operations will be outweighed by the
gains for cyber defense, one former Defense Department cyber official argued. “What
you need to do for intelligence on cyber tools and what you need to do for defense
fundamentally conflict,” the official said.
It’s all too easy for someone to copy your cyber weapon once you unleash it — or even
before you use it, if someone inside your organization leaks the code, accidentally or
intentionally. At the same time, because so many targets use the same software, and
so many would-be attackers are always probing those systems for weaknesses, the
fact that an adversary found the same vulnerability you did doesn’t mean they copied
you: They could have discovered it on their own. As a result, it’s tremendously difficult
to figure out who originally developed a particular piece of code and who actually
attacked you with it — and the developer and the user don’t have to be on the same
side.
“There is no way to fix this,” the official said. “I can think of an environment where
risks are more controlled, and that might be where the leading cyber powers are
having some dialogue about collaborative risk management for the use of cyber
tools…. If those dialogues were happening, then the risk of bad attribution would be
lower. It wouldn’t be eliminated.”
But the US and its rivals aren’t having those conversations, as far as we know. “The
absence of dialogue is very destabilizing,” the official said. “I don’t think this has been
well thought through.”