2010 Saw the Dawn of Nation-State Cyber Wars: Citrix CTO

By Chris Preimesberger  |  Posted 2010-12-27

2010 Saw the Dawn of Nation-State Cyber Wars: Citrix CTO

Citrix CTO Simon Crosby looks back at 2010 in the cloud computing sector--and ahead at what 2011 may bring--and isn't very comfortable with a number of things emerging on the security side of that very hot business.

Crosby has become a go-to resource for knowledge in virtualization, cloud computing and data security. He was founder and CTO of XenSource prior to its acquisition by Citrix for $500 million in 2007. Previously, Simon was a principal engineer at Intel, where he led strategic research in distributed autonomic computing, platform security and trust.

It's Crosby's job as the CTO of an international enterprise IT provider to maintain a big-picture view of what the trends are, where they're going and how they will affect companies making strategic IT plans.

It's not necessarily cloud infrastructure issues that worry Crosby. It's protection of stored data and access to servers that keeps him up at night.

"This was the year when nation-state attacks started to happen," Crosby said. "You've got Stuxnet, you've got the Chinese government attack on Google, and you've got WikiLeaks. My take is that every CIO should be shivering in a state of panic."

Everybody's long been aware of denial of service attacks and their potential, but Crosby thinks many people have become indifferent to these events, believing such an attack won't happen to them.

"All of these have profound lessons for us," Crosby told eWEEK. "We're in a space of hyper-innovation, and that's fueled by Moore's Law on the client and the server, and Moore's Law helping the network, so we get the network effect of that. And the network effect of that innovation is unbelievable.

World's largest cloud: Conficker

"If you look at the world's largest cloud, it's probably something called Conficker. It has probably 30 million CPUs. It requires something like 20 terabits of bandwidth, and it's for hire. You can hire it today, and point it at anything you want," Crosby said.

"Think cloud now. Every single one of those hosts up there that are infected with Conficker--and there are still millions and millions of them--are all out there, and they can be remotely controlled and instructed to do something. It's similar to the way the anonymous guys at WikiLeaks have been getting people to download and attack payload, and then they can remotely point that attack payload at any site they want to attack."

For example, anonymous hackers have been able to put together an attack of 10GB per second and point it at Visa, PayPal, Amazon and a couple of other places to shut them down for various times, Crosby said.

"Conficker is still out there, and that's 28 terabits/second. If that thing was pointed at any U.S. national interest or any national interest, it would go down in a heartbeat," Crosby said.

So why hasn't this happened yet, if there are people in the world devious and knowledgeable enough to activate this dangerous weapon?

"Well, it hasn't yet for the same reason that nobody has launched an atomic bomb--it's that big, right?" Crosby said. "It turns out that most of the Conficker stuff is relatively straightforward--denial of service and blackmail stuff in the hands of organized crime.

"But the scary thing is that this was the year [2010] that nation-states started to engage in cyber war actively--and everybody saw it for the first time."

Stuxnet Worm: Prime Example of What Can Happen

The Stuxnet worm, which appeared in July 2010, was a prime example, "wreaking havoc on the Iranian nuclear facilities," Crosby said.

Stuxnet exploited four zero-day vulnerabilities in Windows and a vulnerability in Windows' Print Spooler service to do its dirty work. Early versions of the virus abused Windows' AutoRun feature in an effort to infect industrial control systems, Symantec revealed in September.

"The interesting departure [this year] is that we have started to see nation-states play an active role in these attacks," Crosby said. "That is more threatening than the traditional bad guys who spam you with email or blackmail the gambling sites to say, 'Your site's going to be down until you pay me some money.' "

Crosby said that all these concerns point to the cloud as the best place to maintain a "survivable" application.

"Here's a good example: Visa was nailed by the anonymous crew on WikiLeaks. But Amazon didn't even blink when Anonymous pointed 10 gigabits of traffic at it. Amazon has this massive cloud that's redundant, has multiple availability zones spread around geographical regions, and so on. So if you want to make your application survive a big attack, the place to run it is called the cloud."

This is probably counter to what most people think in response to these attacks, Crosby said.

"Most people are going to want to close all the boundaries, run a private cloud, and get my head down in my bunker and hope that I'm secure," he said. "But in that situation, you are more vulnerable than if you are automated. People are running around your infrastructure with USB sticks and everything else. That's how WikiLeaks happened."

When nation-states start pouring defense budget-sized amounts of money into cyber war, then we will see "very interesting attacks," Crosby said. It has been estimated that it cost somebody "on the order of $10 million" to build Stuxnet, for example, Crosby said.

"We don't know where it [Stuxnet] came from, but it's pretty clear that it was organized by a nation-state because of the sophistication of the attack," Crosby said. "Most attacks use a single vulnerability; Stuxnet used four--four that were previously unknown to anyone, including Microsoft. So that basically suggests that somebody had the Windows source code and used it [for that attack]."

Access to source code a major problem

Many governments have access to this source code, he said.  Stuxnet also targeted very specific enterprise devices, Crosby said, and was not aimed at the average consumer.

"It was clearly targeted for political reasons, it cost a lot of money to do, and it was very robust," Crosby said. "It still has not been cleared; it's out there causing havoc."

This trend is going to make IT managers sit up and take notice, he said.

"You may say, well, I have good people and procedures in place, but the more people you have involved, the more vulnerable you are--either through mistakes or deliberate sabotage," Crosby said.

"That basically says you need to get on the cloud."

Bradley Manning, the U.S. military IT assistant implicated in the WikiLeaks controversy, used a USB stick on a PC to access most of the information that ended up being published on the site.

"Now, if that organization had been using desktop virtualization, that would never have been allowed to happen. Every single device on every client is policy controlled for access, and you can shut these off. Any properly automated cloud would have prevented WikiLeaks from happening," Crosby said.

Prior to founding XenSource, Crosby was the founder of CPlane Inc., a network-optimization software vendor, where he held a variety of executive roles. Before CPlane, Simon was a tenured faculty member at the University of Cambridge, UK, where he led research on network performance and control, and multimedia operating systems.

He is author of more than 35 research papers and has patents on a number of data center and networking topics, including security, network and server virtualization, resource optimization and performance. In 2007, Simon was named one of InfoWorld's Top 25 CTOs.

Rocket Fuel