
What they are and why talking about them makes no sense
A
Hello, everyone, this is Tom Uren and I'm here with the Gruk for another Between Two Nerds discussion. G'day, Gruk. How are you?
B
G'day, Tom. Fine, and yourself?
A
I'm well. So first of all, we should congratulate each other for reaching episode number 100, which was actually last week, but I kind of forgot about it. So we spoke a long time ago about cyber war episode BTN number three, in fact, so when we were just fledgling podcasters.
B
Right. So this is a deep cut for all the true fans that's been here since the beginning.
A
We've been harking back to the deep dark days of BTN. And one thing I know both of us don't really like, the term is cyber weapons. And in fact, back in the day, what is this, 2018? I actually wrote a paper that took a stab at defining what a cyber weapon is.
B
Okay.
A
And I'm just looking at it now. It's called.
B
I'm just going to say from the beginning you're wrong. I don't know what you said, but it's preemptive because I don't believe in.
A
Them defining offensive cyber capabilities. So this was a paper I wrote for the Global Commission for the Stability of Cyberspace. I think that's what the name was at the time. It had people like Chris Painter on it after he'd retired from the US government. So he was the cyber guy at the Department of State until he retired. And it had Ilya Sachkov, he was the head of Group-IB, which is the. I think they've moved now, but they were the Russian cybersecurity firm. And he was arrested for treason. Yeah, basically it was said that he collaborated with foreign intelligence services. So it was intended to be this sort of high powered group that tried to make cyberspace safer. And so one of the things they looked at was cyber arms control.
B
Okay.
A
I thought we could just have a look at what I wrote back then. That was 2018, so six years ago feels like a lifetime ago. And see how well it holds up. So part of it was just looking at what offensive cyber operations were. And I basically took the definition from US and UK and sort of Australian doctrine, such that it is, which is to manipulate, deny, destroy, disrupt, degrade. So it's not discombobulate.
B
Defender Straits.
A
Yeah, it goes beyond espionage. It's to destroy things. And then the point of the paper was to try and get it. Can we set up some sort of international scheme to stop the spread?
B
I'll try and let you finish before I.
A
Before you leave. And so there's a part where I talk about what a cyber weapon could be. And what I came up with is that the field, basically, it. Everything is dual use. And I looked at the Chemical Weapons Convention and the Biological Weapons Convention, which are similarly dual use.
B
Okay.
A
And they basically define.
B
So like, Novichok is a fertilizer or something.
A
Well, they basically define a chemical as a weapon when it can't be used for anything else.
B
All right, okay.
A
So it's a very narrow definition. And I basically said, well, okay, by analogy, a cyber weapon can be something that can only be used for destructive stuff and can't be used for anything else.
B
Well, like what? As is or without modification. So, for example, based on that, like, the NotPetya worm would be a cyber weapon. But by the same token, if it didn't have that payload, it wouldn't be as malicious. It could be, you know, installing the patch instead. So is the payload the weapon or is the distribution mechanism, or is it that it does password brute forcing? Like, which part of the NotPetya bundle is the weapon? Like, the encryption part. Encrypting disks is like what BitLocker does. So as a nerd, I'm going to pretend, like, nitpick. Yeah, like just nitpicking.
A
Be a pedant. Yeah.
B
But I mean, the thing is, obviously the world doesn't work that way. Like, you can't go to a judge and be like, you know, yes, I encrypted their drives and asked for money, but BitLocker encrypts their drives and.
A
Yeah, yeah. So I actually have a table where I went through a whole lot of different types of malware that were known at the time. And I said, based on this narrow definition, would it be a weapon or not?
B
Right.
A
And so, for example, WannaCry and NotPetya. I said, yes. And it's basically malware with no espionage capability designed to irreversibly encrypt computer hard drives. So I didn't dive into the modular part. Although somewhere in the paper I did talk about that software is inherently modular, so it's hard to break out different parts.
B
Yeah, I mean, I guess my argument to a degree does boil down to, well, a javelin is basically an aluminum tube, plus some bits are aluminum tubes. Weapons. Is that where you're going now? Are electronics weapons? Does a calculator become a weapon just because you put it inside it? So, all right, I still don't think weapon is the right word, but I'll accept that it's purely malicious, for example, that there's.
A
Yeah. So the whole point of the paper was, is there a way to try and control these things? And does defining some of them as a weapon make any difference?
B
Oh, yeah, absolutely. Because then you can just ban it and then they go away. Right?
A
Well, actually, it's simple.
B
These things are weapons. You're not allowed to have weapons. Boom, job done, problem solved.
A
And so then the next part of the paper, I talk about how conventional weapons control works and there's kind of three preconditions and I don't think I came up with these. I think it was somewhere in the literature I found them.
B
Right.
A
So these are the preconditions where you can get arms control to work. So, number one, capability development is limited to states. OK. Usually because weapons development is complex and highly industrialised, there is a common interest in limiting proliferation and verification of compliance is possible.
B
So literally nothing that applies to cyber at all.
A
I said perhaps only one of these three conditions, a common interest in limiting proliferation, exists in the world of cyber weapons, although even this is not immediately self-evident.
B
I mean, how common is common? Right. I think that the EU probably has a very different opinion of who's allowed to have exploits than, you know, sub-Saharan Africa.
A
Yeah. So at the time I argued that there may be a common interest because most states want to hold on to their secret cyber weapons. And back in those days I don't recall really knowing a lot about groups like NSO or anything like that. So spyware vendors. So the argument was, well, perhaps it's true, because they want to hang onto them themselves so they don't share them widely.
B
Okay, no, I will buy that. But then I would say that that first condition, where capability development is limited to states, I think that that invalidates the second condition because.
A
Yeah, yeah, yeah, I said all three.
B
Have to be present. Right, right. Like it's a tripod.
A
You need, like, so far I'm actually quite happy that I wasn't an idiot back then.
B
Yeah. Let me see a copy of that paper. Are you editorializing? That's right. Basically what I meant was.
A
So. And after writing this paper, I guess beforehand I had been not comfortable with the term cyber weapon, but after, you know, you sort of struggle with the concept for a bit and think about what it would really mean, you just go, it's. Yeah, it's kind of useless as a term.
B
Yeah. So I think it's worse than useless. I think it's actively harmful. And I'm going to put it out there that the term weapon draws people into a certain set of analogies and ways of thinking that sort of lead you down the wrong path. The weapons analogy is very, very tempting. Right. You want to try and explain something like DDoS, it's basically like a howitzer. Whereas zero-day, zero-click is sort of like a sniper rifle, you know, and what you're trying to do is you're trying to get across that. Like one is this sort of like big mass targeted effect thing and one is very, very precisely targeted and dialed in. But that's all you're trying to convey. Not that one is explodey and one is long range. Like it's. Yeah, I think, I think the problem is that people take these and they start running with it. So things like, okay, well if you are worried about people having these howitzers, these information superhighway howitzers, then we need to make sure that they don't have ammunition. So we have to prevent the stockpiling of howitzers. And sniper rifles require precision tooling. So we have to make sure that only a few people have access to these things because then they won't be able to make their own.
A
Yeah, yeah. So I guess the terms I hear for those things are what? Stockpiling and proliferation.
B
Right, right.
A
Cyber stockpiling and cyber proliferation, please, sir.
B
Always with the cyber. And I think that both of those are problematic because if you start thinking about proliferation, you end up thinking about nuclear proliferation. And with nukes, there's specialized expertise, equipment, like hard to get supplies. Even if you have enough nuclear physicists, PhDs lying around, you still need to have like functioning nuclear reactors. Even then, like you need to have incredibly high precision like detonations. Otherwise you get like these fizzles. So it's quite hard. But if instead all it took for nuclear proliferation was a laptop, an 18 year old, and you know, three months of YouTube tutorials, we'd be living in a very, very different world.
A
Yeah, well, I guess that comes back to those three sort of premises I had: capability development limited to states, common interest, verification of compliance. And I guess there's good examples like North Korea, right?
B
They show that pariah state with no access, that they weren't buying exploits or tooling or training at Black Hat or any of these things that we think of when we think about how to get good at cyber stuff. They sat down a little over a decade ago and they said, this is a thing that we care about. We want to do it good. And so they invested in it. And a decade later they went from using other people's scripts and commodity malware to having multiple 0-day chains in Chrome targeting in complex operations. Targeting. Interesting. Like going after the security researchers to try and steal their bugs.
A
Yep.
B
Like all of this stuff they did basically without external help, which I think demonstrates that any state which wants to do this can do this. It's just a matter of will and time and it's not much time.
A
Yeah. Okay, so you're basically saying anyone can do it. In the case of things like, I'll call it abusive spyware, spyware that's sold to authoritarian regimes, used for purposes that I personally do not approve of, that seems like proliferation. Right. It's someone developing a tool that other states just buy.
B
Okay, so I'm going to counterfactual this one. I'm going to go all counterintuitive. I would say that selling those things is actually how counterproliferation is done. That's how you. The way that you stop them developing their own tools is by selling them tools. Right. Because then you suppress their domestic market and their domestic expertise, which is what you're trying to do. Because the problem isn't so much that someone has an exploit, it's that someone has an exploit factory. Right. That it's their ability to produce new capabilities when necessary. That is scary. Right. Simply having access to something right now is. It's a point in time. Like it's useful for the next month, six months, maybe even 12 at the outside, but it's not going to be useful in five years.
A
So what you're proposing is that Israel having, say, a number of spyware vendors, NSO Group, Candiru, what is it, the Intellexa alliance, those are the ones I can name just off the top of my head. I guess a number of those have been sold to countries that are not necessarily friendly to Israel. And so is your 4D chess hypothesis here that they've gone, we would rather them buy it from us and not be able to use it against us?
B
Absolutely. We would rather they buy it from us and not make their own. Because if they're buying it from us, we have some amount of control, some amount of influence and some amount of visibility. You have this transparency, you have a little bit of accountability and you have a little bit of influence over what's happening, which you lose entirely if they move to an indigenous platform that they've built from scratch.
A
So does that mean that the answer for the European politicians who do not like abusive spyware is to start an EU company?
B
Absolutely. Yeah, yeah, yeah.
A
And do the same thing and make sure. That it's only used for lawful purposes.
B
Correct? Absolutely. That if what you have is the best thing in town, you can undercut anyone else on price, which will drive them out of the market. Right. If it's subsidized by the EU, you can like go like, hey, you know, if you're a state, you can buy it for a dollar. Right. And the support contract is free for the first 12 months. The only thing is it's got like blocks, so you can't use it against certain phone numbers, which you shouldn't want to anyway. And if you do, then we want to sanction you. It is so much better to be in charge of their capability than it is to leave them to develop and use whatever they want. Right. Because as I said, you lose visibility, you lose influence, and you lose any sort of insight into what they're planning next. So, for example, if you're selling them the tooling and they start coming to you and say, like, hey, we're really interested in routers. Do you have router support? Well, that tells you that they're at a particular stage of SIGINT collection development. You know what they're then moving to. That's useful information. If they're building it themselves, you do not get that.
A
Hmm. Yeah. This is, this is an interesting idea. In my reading about the discussions, like the Pall Mall Process, which is a sort of intergovernmental and civil society effort to try and limit the damage by abusive spyware, there are these two camps. One camp is basically governments and they're relatively realistic. They will say things like, yes, spyware has its place, right. And it can be used for legitimate purposes, worthwhile purposes. And there's another camp which is mostly the civil society camp, which is it's just terrible and should never be ever used.
B
Worst thing ever.
A
And so I think your proposal could possibly get traction with one camp, except for the fact that the other camp exists.
B
But anyway, here's the thing. I think from a pragmatic point of view, it's either you play the strategic move and you have something, or you don't play the strategic move and you lose. And I think that they're going to lose.
A
So this is, I guess, a harm minimization strategy.
B
Right. Which as we know governments love going for, as opposed to prohibition.
A
Well, okay, now that's proliferation. We've solved that problem.
B
There we go.
A
Thank you for the good malware, the non abusive spyware.
B
Yeah. Please send all your checks for our brilliant policy think piece. I'd say that the fundamental thing is, unless they're developing their own exploits, they're only going to have the sort of short window of opportunity that they can use things until they need more and they're going to come back for more. So you have that sort of continual access. If you have an exploit, it's going to be useful for a certain period of time, not forever.
A
So what you were saying before reminded me so much of drug addicts. And the analogy that popped into my head was that an exploit that you can use is like a fix. It works for a little while, but then you need another one.
B
Yeah, yeah. And it's. I mean, someone has said that, like SIGINT is the heroin of intelligence collection, right? Like, it's so good that you, you refuse to use anything else, you just need more. And this is the thing, right? So I'm going to quote Dave Aitel, or paraphrase Dave Aitel here, what you need to worry about is not exploits, it's exploit factories. So it's not having a fix, it's having the heroin factory, to continue your analogy. And that's the real problem. You want to avoid that because that's where you lose all control of what's going on. To go on a tangent, which, I mean, I almost never do, so please indulge me for once, the way that these groups tend to end up defining like exploit and zero-day and all these things, it's like it's code that exploits a security vulnerability that hasn't been reported to the vendor and there's no fix yet, and there's so on and so forth. And even that, I think, is a problematic definition because the assumption is that the problem is the exploit, not the vulnerable software. And it's actually the vulnerable software that you care about. So, for example, like SunOS 2.41, there are people who still have exploits written for that. At the time, it was not very popular to submit bug reports to vendors, and people would just sit on things and they'd stick around forever. And then when SunOS got discontinued and then replaced by Solaris, and then Solaris got discontinued and replaced by Linux, and so now you can have a 0-day for SunOS. It can work absolutely perfectly, but there's nowhere to use it. Right? So what good is a stockpile of SunOS exploits?
A
Okay, so one of the incidents that's been used as an example of stockpiling is when the Shadow Brokers, they leaked a bunch of allegedly NSA tools, including, I think it was called EternalBlue, right?
B
Yes.
A
And so that exploit had been around for donkey's years, I think.
B
Yeah.
A
And so surely, surely, surely Gruk.
B
No, you've got me there. You have, you have brought up an example I've never even considered and boom, that.
A
So I guess what would make you think it's stockpiling is that the exploit was around for a very long time and it was very effective.
B
Right. And I would point out that while it was in the hands of private actors, no one else had it, so it was very, very safe. But as soon as it was patched, I'm leaving out the bit where the exploit was leaked, but as soon as it was patched, it became widely exploited. So I think that this is part of that fallacy of focusing on the exploits rather than the vulnerable software in that once NSA knew that it was out, they went with Microsoft and they worked to get the bug fixed and they got it fixed and it was rolled out silently. I believe it was in February of that year, like months before the actual exploit itself was leaked. Right. So the patch was rolled out, deployed and available live. And yet still we had WannaCry. And then months later, even after the WannaCry five-alarm fire warning people, maybe you should patch this. Even after that, we then had NotPetya, which also used the same bug. And I think that this sort of goes to show that it's not the exploits that are the problem, it's the vulnerable software. If it's not patched, then it doesn't really matter. And to one degree, one might argue that this shows that stockpiling is bad. But conversely, if that bug had been released and reported when it was discovered, the patching environment and the security environment was far worse in 2012. There's just no way.
A
So NSA did everyone a favor by using it for 10 years.
B
Yeah, they waited. You know.
A
It's a win for everyone.
B
You're welcome, world.
A
If only they'd had you in public relations at the time.
B
Absolutely, absolutely right. If that bug had come out earlier, I think the impact would have been worse simply because the world was less prepared, security wise to handle it. We're much less mature, so it would have had a longer tail of damage. But this also goes to show that the stockpiling doesn't work because bugs only have a short shelf life.
A
Typically, yes. I mean, EternalBlue worked for a long time, Right?
B
I mean, so this is one of the funny things is the summary of this RAND report where they were commissioned to look at how much money would the Marines need to have a cyber capability for five years. What sort of budget would be necessary for keeping some level of capability available, so that if they need it, it's there. And so this group went away. They downloaded all the CVEs they started looking at, from discovery date to patch date to, like, deployment and all this stuff. And what they came out with was there's absolutely no pattern. There's nothing you can rely on. And so you're probably going to need like $400 million.
A
There was a recent Google paper, they were talking about how shifting to memory safe languages yields disproportionate benefits, even if most of your code base is still written in an older, less safe or unsafe language. And it's because most of the vulnerabilities appear in new code. And there's like, I think they called it a half life for vulnerabilities. And they get discovered or patched out.
B
I mean, there's natural death that happens as well. Like you might have a bug that it exists in a core component and you can reach it because a certain feature exists. But then when someone comes along and says this feature should do even more and they readjust how it works. For example, now you can no longer reach that bug, even though it hasn't been fixed. It's just that the path that you had to get there no longer exists. So that sort of thing can happen.
A
Yeah. So vulnerability decay, I guess. What's the point in stockpiling?
B
Yeah, it's stockpiling fruit. What are you going to do with a warehouse full of nectarines? It's not like you can load them up and be like, all right, in five years we'll have a feast. So I remember there was a tweet a while ago which was basically saying, everyone tells you about 0-days getting burned, but no one tells you about having to support a 0-day for five years across 12 ISAs, three major OS revisions, and 17 patches. That's the other side, is that if you do have a bug that lives so long, you're going to have to keep adding support for the new things that come out while maintaining support for the old stuff and then making sure that you can detect which version you're against, you don't crash, and all sorts of stuff. In a way, you'd prefer to not have to deal with the old ones. Just having to do new developments. It's more exciting anyway.
A
Right. So I guess the way that I'm thinking about it is that the way people describe proliferation is that there's this huge cache of exploits that are just hanging around doing nothing and they're not being used. And that's not my conception of how things work at all, for all those reasons we've just talked about. And that when you have to redevelop or keep them up to date, you're going to keep up to date the ones that are useful and working now.
B
Right. The guy who's really focused on the SunOS 4.0 stuff is probably not going to be getting a lot of time. It's not going to get a lot of resources. Yeah.
A
And you can see that a bit in NSO Group malware. So the sort of. Some of the Citizen Lab reports, you can see that they had some capability, it got patched, and then there's often a gap before they can reacquire targets. And so I'm presuming that they're. As soon as they've got something working, they're like, right, okay, let's find something for that day when it's patched. And that, I guess, would be the motivation to stockpile and have off the shelf. But even they're not able to do it because there is a lag often.
B
Right. One of the problems is that when you're doing bug discovery, it might be a particular technique that you're using or a particular area that you're focusing on. So that technique might find you three bugs that all have the same sort of problem, or you might be looking at just one module and find a number of bugs in that module. The problem you're going to have with stockpiling is that when the maintainer goes to patch that bug, they might look at the technique, like, look at the pattern that produces that problem and just patch all instances of that, proactively go out and fix all the stuff. Or if they're just looking at that module where you've got bugs, they might say, well, actually, this is kind of crap. Let's really review this and clean it all up. So you might have one exploit that you're using die, but several vulnerabilities that you were sitting on might die at the same time. So stockpiling doesn't necessarily work in that case, simply because, yeah, like, bug death can catch bugs that you haven't made public yet. And just to bring up the Shadow Brokers again, it's quite telling that if you were to call this a stockpile of NSA cyber weapons, they basically had like, one for Solaris 2.5.1, one for Solaris 2.6, one for IRIX, one for Red Hat. What they had was things that worked and they just used those things. They didn't need large numbers of stuff that they weren't using. Because that's kind of the thing is when you have exploits, you have them because you need to use them.
A
So, okay, the problem with what you and I have been saying is the problem with saying that cyber weapons isn't a useful way to talk about this and stockpiling and proliferation, that they're both problematic in the way that they talked about. The problem with all of that, which I think is true of course, is that I don't have a better suggestion. I think your idea of just setting up an arbiter of spyware, the one true spyware, is interesting, but it's like clearly a non start.
B
No one's going to, it's just never going to happen.
A
So going back to the paper we started with, the whole point of the paper was to try and come up with some ideas. And I had encouraged the establishment of vulnerabilities equities processes, measure damage for more effective responses. And so in this one I was mostly talking about NotPetya and WannaCry and that kind of thing where people go, these are really costly. What are we gonna do about it? Yeah, nothing.
B
Well, I mean to be fair, that has worked. Doing nothing has resulted in no more NotPetyas.
A
Like, you know, these actually seem quite weak. Invest in transparency and confidence building. So at that time a few states had talked about what offensive cyber capabilities are. A few more states have done it, the UK has done more. And I guess at the time people were talking about cyber weapons, their value as planet melting weapons that could destroy civilization.
B
Right.
A
I think people are more realistic now. So perhaps that recommendation worked. People were more transparent than everyone's.
B
Yeah, I mean to a degree the transparency that you want there is to dispel the myths, to sort of just make it a lot more clear what's actually possible and what isn't.
A
Yeah. So I guess now looking back at the paper, you know, more and more I feel that cyber offensive stuff is interesting to me and it's a new field and people are learning how it works, but it seems more and more likely that it'll be less and less conclusive or decisive I guess is the word I'm looking for. And so maybe the whole point is why worry about it?
B
Doing nothing has worked so far. See, and all of this I think is completely misguided because the biggest problem is ransomware. Right. And ransomware is not using new exploits or novel techniques or any of this stuff. So even this whole like we need to keep 0-day out of the hands of authoritarian regimes. That doesn't matter. Like, it's. That's not relevant.
A
So, in fact, what you're telling me is. Yeah, nice paper. Premise was entirely misguided.
B
I hope you got paid up front.
A
Thanks a lot, mate.
B
Thanks a lot.
A
Tomorrow.
Risky Business News: Episode Summary
Title: Between Two Nerds: Cyber Weapons
Release Date: November 18, 2024
Host: Risky.biz
Guests: Tom Uren and Gruk
In this milestone 100th episode of Risky Business News, hosts Tom Uren and Gruk delve deep into the contentious and complex topic of cyber weapons. Reflecting on their earlier discussions from the fledgling days of their podcast, they explore the definitions, implications, and practical challenges surrounding cyber weapons in today's cybersecurity landscape.
Tom Uren (00:03):
"Hello, everyone, this is Tom Uren and I'm here with the Gruk for another between two nerds discussion."
The episode commences with Tom and Gruk acknowledging their achievement of reaching episode 100, reminiscing about their third episode which also touched on cyber warfare. This nostalgic reflection sets the stage for a comprehensive analysis of cyber weapons.
Tom Uren (00:39):
"We don't really like the term cyber weapons."
Tom introduces the central theme by expressing a mutual distaste for the term "cyber weapons." He references a 2018 paper he authored for the Global Commission for the Stability of Cyberspace, aiming to define cyber weapons and explore cyber arms control.
Gruk (03:45):
"Like what? As is or without modification... BitLocker encrypts their drives and."
Gruk challenges Tom’s definitions, questioning whether specific malware qualifies as cyber weapons based on their functionality and dual-use nature. They debate whether the payloads or distribution mechanisms constitute the weapon itself.
Tom Uren (04:30):
"So, like, nitpicking."
Tom concedes to Gruk's detailed examination, highlighting the complexities in categorizing malware like WannaCry and NotPetya as cyber weapons under a narrow definition.
Tom Uren (02:53):
"Can we set up some sort of international scheme to stop the spread?"
Tom explores the possibility of international regulation akin to the Chemical and Biological Weapons Conventions, positing that cyber weapons are inherently dual-use and challenging to restrict.
Gruk (06:42):
"So literally nothing that applies to cyber at all."
Gruk underscores the difficulty in applying traditional arms control preconditions—such as limiting capability development to states and ensuring verification of compliance—to the cyber domain.
Tom Uren (07:12):
"Perhaps there’s a common interest because most states want to hold on to their secret cyber weapons."
Tom suggests a tenuous common interest among states in retaining cyber capabilities, albeit without strong evidence or consensus.
Gruk (10:11):
"Cyber stockpiling and cyber proliferation, please, sir."
The conversation shifts to the concepts of cyber proliferation and stockpiling. Gruk argues that unlike traditional weapons, cyber exploits have a fleeting utility and are difficult to stockpile effectively due to their short lifespan and the rapid evolution of software environments.
Tom Uren (17:16):
"So, this is, I guess, a harm minimization strategy."
Tom summarizes Gruk’s perspective as a harm minimization strategy rather than outright prohibition, emphasizing pragmatic approaches to cyber weapon management.
Gruk (17:19):
"Which as we know governments love going for, as opposed to prohibition."
Gruk contends that governments are more inclined towards regulation and control rather than banning cyber capabilities, perceiving it as a more feasible approach.
Tom Uren (20:10):
"EternalBlue worked for a long time, Right?"
Using the infamous EternalBlue exploit and its role in WannaCry and NotPetya attacks as a case study, Tom and Gruk dissect the implications of exploit stockpiling and subsequent leaks.
Gruk (22:24):
"It’s stockpiling. What are you going to do with a warehouse full of nectarines?"
Gruk metaphorically illustrates the futility of stockpiling exploits, emphasizing that outdated or patched exploits lose their value quickly.
Tom Uren (22:27):
"NSA did everyone a favor by using it for 10 years."
They discuss the controversial decision by the NSA to retain EternalBlue, debating whether its prolonged use was ultimately beneficial or detrimental to global cybersecurity.
Gruk (12:46):
"That's how you stop them developing their own tools."
Gruk introduces the idea of counterproliferation through controlled sale of spyware by private actors like NSO Group. He argues that selling sophisticated spyware can suppress indigenous development and maintain oversight over its usage.
Tom Uren (14:09):
"Is your 4D chess hypothesis here that they've gone, we would rather them buy it from us and not be able to use it against us?"
Tom probes the strategic rationale behind this approach, questioning its feasibility and ethical implications.
Gruk (14:37):
"Absolutely. We would rather they buy it from us and not make their own."
Gruk affirms his stance, suggesting that controlled distribution of cyber tools can be a strategic deterrent against uncontrolled proliferation.
Tom Uren (16:06):
"Trying to limit the damage by abusive spyware. There are these two camps."
Tom outlines the diverging viewpoints of governments, which see legitimate uses for spyware, and civil society groups, which advocate complete prohibition, highlighting the difficulty of achieving consensus.
Gruk (17:59):
"So what you were saying before reminded me so much of drug addicts."
Gruk employs an analogy comparing exploit stockpiling to drug addiction, emphasizing the ongoing need for fresh exploits and the challenges in maintaining control over exploit factories.
Gruk (24:20):
"Vulnerability decay, I guess. What's the point in stockpiling?"
Gruk discusses the concept of vulnerability decay, where software updates and changes render stockpiled exploits obsolete, further undermining the practicality of cyber weapon stockpiling.
Tom Uren (25:49):
"And you can see that a bit in NSO Group malware."
Tom points to real-world observations of how exploit providers like NSO Group must continually adapt their tools, as seen in gaps following software patches.
Gruk (30:40):
"To dispel the myths, to sort of just make it a lot more clear what's actually possible and what isn't."
Gruk emphasizes the need for transparency and realistic assessments of cyber capabilities to mitigate misunderstandings and unrealistic fears about cyber weapons.
Tom Uren (30:50):
"So I guess now looking back at the paper... why worry about it?"
Reflecting on his 2018 paper, Tom questions the current relevance of cyber weapons given their limited decisiveness and the evolving nature of cyber threats.
In their concluding remarks, Tom and Gruk advocate for practical strategies over theoretical frameworks in managing cyber weapons. They suggest that harm minimization and controlled distribution, coupled with transparency and continual adaptation, are more effective than attempts at outright prohibition or rigid stockpiling.
Gruk (31:48):
"Ransomware is not using new exploits or novel techniques... That's not relevant."
Gruk highlights that the most pressing issue in cybersecurity is not state-sponsored cyber weapons but rather ubiquitous threats like ransomware, which operate independently of advanced exploit stockpiling.
Tom Uren (31:55):
"Premise was entirely misguided."
Acknowledging their critical stance, Tom concedes that previous assumptions about the utility and management of cyber weapons may have been flawed, underscoring the need for ongoing dialogue and reassessment in the field.
Tom and Gruk’s in-depth discussion offers a sobering examination of cyber weapons, challenging conventional narratives and proposing nuanced strategies for their management. By dissecting definitions, scrutinizing stockpiling practices, and emphasizing the importance of transparency, the episode provides valuable insights for cybersecurity professionals, policymakers, and enthusiasts alike.
Notable Quotes:
Tom Uren (00:33):
"We spoke a long time ago about cyber war episode BTN number three..."
Gruk (03:20):
"Like, novichok is a fertilizer or something."
Gruk (05:45):
"Like weapons. Is that where you're going now?"
Gruk (14:46):
"Absolutely. If it's subsidized by the EU..."
Gruk (17:19):
"Which as we know governments love going for, as opposed to prohibition."
Gruk (22:24):
"Vulnerability decay... What's the point in stockpiling?"
Gruk (30:40):
"To dispel the myths, to sort of just make it a lot more clear what's actually possible and what isn't."
This episode of Risky Business News serves as a comprehensive exploration of the complexities surrounding cyber weapons, urging listeners to rethink established paradigms and consider more effective, realistic approaches to cybersecurity challenges.