For most of recorded human history, wars have included some form of kinetic attack involving the physical world. However, in the modern connected world with nation-states attacking each other electronically, the next world war could well be World War C (Cyber). In fact, according to a former Naval Criminal Investigative Service (NCIS) agent, the war could have already begun.
Kenneth Geers is a senior global threat analyst at FireEye and had previously worked for the U.S. government at NCIS and the North Atlantic Treaty Organization (NATO). Prior to joining FireEye, Geers was the U.S. representative to the NATO Cooperative Cyber Defence Centre of Excellence in Estonia. Estonia is perhaps the first nation-state victim of a full-scale cyber-attack, which took place back in 2007. Geers was the NCIS cyberdivision chief in 2007 and had a front-row seat to that attack.
“The Estonian president came to the White House, and The Pentagon was all spun up about whether a cyber-attack was in fact an act of war,” Geers said.
What happened next is Geers moved to Estonia and built a NATO cyber-center there, which physically opened in 2008. In the years since, multiple incidents have occurred around the world as nation-states have built their cyber-offensive capabilities. At FireEye, Geer has continued his research into the current state of nation-state cyber-attacks and is planning on providing full disclosure about his findings at the Black Hat Brazil event at the end of November.
“I’m going to try to back up all the stories people see in the news with real data,” Geers said. “At FireEye I’m in a position now to analyze data from thousands of collection points.”
Geers’ assertion is that governments already have forward deployed assets in preparation for cyber-attacks and a cyber-war. Computer network operations are also likely to play a critical role in terms of land, air and sea components of a potential future conflict.
“It seems to me that you had better be hacking in peacetime to get ready for war,” Geers said.
Attacks Today
FireEye will have a new paper out in the coming weeks that examines recent events in the context of World War C. Geers said that over the first six months of 2013, FireEye’s network sensors deployed around the cloud collected approximately 129 million network security events. Geers is examining approximately 100,000 of those events that have been categorized as advanced persistent threats (APTs). That data also presents a view into the command and control (C2) infrastructure for APTs.
The data will help Geers answer the question of whether or not the next world war has already begun. The key to any APT is that it is persistent, and it is that persistence that Geers considers to be a smoking gun for nation-state involvement when the target is critical infrastructure such as power plants.
“A lone hacker could never have the persistence that APTs exhibit,” Geers said.
Even a hacktivist group like Anonymous is too ad hoc to be able to maintain the type of long-term persistence that FireEye is tracking in modern APTs, he said. In addition, he noted, cyber-crime gangs aren’t likely behind APTs either as the potential to generate easy money isn’t there.
Geers asserted that the consistent persistence of an APT requires a concerted effort and a team of individuals in order to properly execute. The fact that the attack is persistent also means that there is dedicated staff in place, which is another telltale sign of nation-state participation.
“If you find consistent and persistence activity against national critical infrastructure, I’m betting it’s a nation-state,” Geers said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.