On a cold afternoon in Finland, F-Secure’s Mikko Hypponen discusses cyber weapons and nation state threats, and explains why arms limitation treaties might one day expand to cover malware and other cyber capabilities.
“There’s some work being done on attribution 80km away from here at the CCDCOE, which is the Nato Centre of Excellence for Cyber Warfare, in Tallinn. You should visit,” says F-Secure’s chief research officer, Mikko Hypponen, projecting an air of cool, studied neutrality, as he tips his head slightly in what I assume must be the general direction of Estonia.
It is a bright and blustery October afternoon across the sea in Helsinki, and as we discuss the problems of attributing cyber threats, the emergence of cyber weapons and the possibility of open cyber war between nation states, it occurs to me that, given the recent history of his country, Hypponen is ideally placed to assess the parlous state of international geopolitics with a neutral eye.
It is easy to understand why the Finns have good reason to be neutral. They won full independence from Russia only a little over 100 years ago and – remarkably, given their location – stayed out of the Cold War, walking a tightrope as the Americans and the Soviets faced off across a divided Europe. Finland has never joined Nato, and did not enter the European Union until the 1990s.
However, a few days before our meeting, a group of countries, including Finland, came together to put their names to a joint statement on advancing responsible state behaviour in cyber space, and it is this topic that gets us talking about the goings-on in Estonia. But to begin with, Hypponen says he is not convinced that UN declarations will help address the problem of nation state-level attacks.
“It is only effective when you talk about fighting crime,” he says. “We should expect, we must expect, international cooperation when we fight cyber crime, but it would be foolish to expect much cooperation between countries when it comes to cyber spying because everybody does it already.
“And how do you agree internationally to restrict these kinds of things when everybody is doing it anyway and doesn’t want to get caught?”
Hypponen adds: “As long as these joint statements and agreements go further in helping us work together to fight criminal gangs and get them behind bars, that’s useful and we should be doing that. We shouldn’t be holding our breath for international cooperation beyond that – at least not yet.”
So, what would change to make international cooperation on governance for cyber weapons a reality? What would need to happen? Could it be a single horrific event, say the decimation of a state’s electricity grid causing mass panic and even deaths? Or could it simply be that sufficient time passes and, as we started to do with nuclear weapons 50 years ago, we come to our senses?
The will may not be there yet – but the technology certainly is. “Take kill dates,” says Hypponen. “When you create a cyber weapon, it doesn’t need to work for ever. If it’s going to last six months or 12 months or 16 months or whatever, you’re going to have a kill date and, after two years, if somebody gets infected by it, nothing’s going to happen. It’s perfectly easy to do. There’s no reason not to and we could easily all agree that if you use offensive cyber power, fine, but put a kill date in there so it doesn’t float around for ever.
“Or you could develop mechanisms to try to restrict cyber weapons from flowing into the hands of criminals, like payload encryption, or attribution. Just like in the real world, battlefield soldiers are required to carry their flag. If I fight for Finland, I’m carrying a Finnish flag on my uniform.”
In the same way, Hypponen suggests, governmental malware could carry some sort of public key system that could be used to identify the owner of a piece of malware – something that the CCDCOE itself is taking an interest in.
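To make the two mechanisms Hypponen describes concrete, here is an added example that is not from the article, from F-Secure or from the CCDCOE: a hypothetical attribution manifest (claimed owner, campaign label and kill date) signed with the owner’s Ed25519 key, and the analyst-side check that verifies the signature against a registry of published public keys and reports whether the kill date has passed. The manifest layout, the registry and the owner name are assumptions constructed for this example; only the Ed25519 primitives are real, from Go’s standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Manifest is the hypothetical attribution record an owner would attach to a
// payload: who claims it and the date after which it is meant to be inert.
// The field set is an assumption made for this example.
type Manifest struct {
	Owner    string    `json:"owner"`
	Campaign string    `json:"campaign"`
	KillDate time.Time `json:"kill_date"`
}

// SignedManifest pairs the manifest with an Ed25519 signature over its
// canonical JSON encoding.
type SignedManifest struct {
	Manifest  Manifest
	Signature []byte
}

// Registry maps a claimed owner to the public key that owner has published
// (the "flag on the uniform" in Hypponen's analogy).
type Registry map[string]ed25519.PublicKey

var (
	ErrUnknownOwner = errors.New("owner not present in registry")
	ErrBadSignature = errors.New("signature does not verify under owner's key")
)

// canonical is the byte string that is signed and verified. encoding/json
// emits struct fields in declaration order, so the encoding is deterministic.
func canonical(m Manifest) ([]byte, error) { return json.Marshal(m) }

// Sign is the owner side of the scheme; it is included only so that the
// verifier below has a genuine signature to check.
func Sign(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	b, err := canonical(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: m, Signature: ed25519.Sign(priv, b)}, nil
}

// Attribute is the analyst-side check. It returns the verified owner and
// whether the kill date has passed as of now. A manifest naming an owner the
// registry does not know, or whose signature fails (tampered fields, wrong
// key), is rejected rather than attributed.
func Attribute(reg Registry, sm SignedManifest, now time.Time) (owner string, expired bool, err error) {
	pub, ok := reg[sm.Manifest.Owner]
	if !ok {
		return "", false, ErrUnknownOwner
	}
	b, err := canonical(sm.Manifest)
	if err != nil {
		return "", false, err
	}
	if !ed25519.Verify(pub, b, sm.Signature) {
		return "", false, ErrBadSignature
	}
	return sm.Manifest.Owner, now.After(sm.Manifest.KillDate), nil
}

func main() {
	// Constructed sample: one registered owner, one signed manifest.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	reg := Registry{"example-state": pub}
	m := Manifest{Owner: "example-state", Campaign: "constructed-sample",
		KillDate: time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)}
	sm, err := Sign(priv, m)
	if err != nil {
		panic(err)
	}
	owner, expired, err := Attribute(reg, sm, time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC))
	fmt.Println("owner:", owner, "expired:", expired, "err:", err)

	// Altering any signed field breaks attribution.
	sm.Manifest.Campaign = "tampered"
	_, _, err = Attribute(reg, sm, time.Now())
	fmt.Println("tampered manifest:", err)
}
```

Passing now explicitly keeps the expiry check testable and lets an analyst ask whether a sample recovered today would already have been past its kill date when it was captured.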
The fog of war
The form of a future legal governance framework for cyber weapons will hinge on a crucial difference between a cyber weapon and a conventional weapon – once your enemy knows you have a cyber weapon, its power disappears, whereas the power of a conventional weapon increases.
“If you use a fighter jet to drop bombs on someone else, they can’t use that to build their own fighter jet,” says Hypponen. “But if you use a cyber attack to attack someone else, and they detect it, they can now reverse-engineer your weapon and they can see what’s been happening.
“So, this is a different scenario and it’s hard to see how it will play out. But we are at the beginning of this arms race and I believe eventually we will enter discussions around the rules of engagement and what should be done with exploits and the rules of law for cyber war or cyber disarmament, all these discussions which we eventually had about nuclear weapons.”
But for now, cyber weapons remain shrouded in mystery. Currently, the known landscape comprises the UK, the US and their Five Eyes allies, with the addition of Israel and probably a few other advanced states, ranged against the big four known state advanced persistent threat (APT) actors of China, Iran, North Korea and Russia. Beyond that, we don’t really know who has cyber weapons, if they have used them, or when they did.
“What is the offensive cyber capability of Vietnam? What is the offensive cyber capability of Argentina? We have no clue,” says Hypponen. “They most likely have something, but because they are not showing it, and because there’s no way for us to find out, we’re just guessing. And this means most countries, practically all countries, have no deterrence power against these weapons.
“That is problematic because, just like real-world weapons, cyber weapons rust. They have a limited window during which they must be used and if you don’t use them during that window, they will expire and will never work again. Let’s say you’re targeting a Windows 10 vulnerability. Windows 10 won’t be there for ever, like in five years’ time, we’re no longer running it or somebody finds your bug and fixes it.”
This causes more problems, says Hypponen, because it means intelligence agencies and military bodies are pouring funding into tools that will struggle to generate a return on investment (RoI) for them unless they are used.
Hypponen is at pains to point out that this doesn’t mean the US or Russia will start a war just to get some use out of their cyber weapons, but he suggests it may well mean people within government organisations with access to them become incentivised to use them purely because the threshold is lowered. This magnifies the danger of leakage down the threat supply chain.
WannaCry: the nightmare scenario
Leakage is where cyber weapons become extremely dangerous, and it has already happened in the form of the WannaCry ransomware outbreak – one of the most high-profile cyber security events of recent years.
The EternalBlue exploit for Microsoft software that WannaCry relies upon was allegedly developed by the US’s National Security Agency (NSA), which kept it under wraps and then promptly lost control of it to the Shadow Brokers hacking group.
It ended up being used by a nation state actor against US citizens and companies, and the collateral damage spread far and wide, including to the NHS.
“This is the crucial question when an intelligence agency finds a vulnerability in a general-purpose software like an operating system that we all use – what exactly do we expect them to do with it?” says Hypponen.
“Basically, we have two choices. Choice number one, tell the vendor: protect your own people by patching the holes so that people can’t use the hole to hack your citizens. Or option number two, don’t tell the vendor: weaponise the exploit and use it to breach the bad guys.
“Today we see intelligence agencies doing both. I’m not making any calls about what is the right thing to do, I’m just noting that if you don’t tell the vendor, and then you end up losing the exploit, well, that’s the nightmare scenario.”
There have probably been other such attacks, Hypponen suggests, and he has clearly spent some time thinking about how they would be built. “If I was deploying a government attack, whether for sabotage, or intelligence gathering purposes, I would definitely aim to make it look like it’s a run-of-the-mill banking trojan or a key logger or something that is typically used by criminals,” he says.
“You can imagine when a breach is detected inside a government organisation, everybody’s running in circles going, ‘Who is it who attacked us? Oh, it’s just a banking trojan. Phew. We were worried for a moment’.”
Hypponen concludes: “If something seems to have functionality that you would typically find in enterprise malware, it’s going to look harmless. I think it’s perfectly possible some of the big cases we’ve seen over the years which seem to have a financial motivation could have been just cover stories.”