NSA headquarters

WASHINGTON: Adversaries have been copying and stealing each other's weapons ever since Ape A threw a rock at Ape B and Ape B got the bright idea to throw it back. But recent revelations from Symantec and The New York Times suggest this problem is much bigger with cyber weapons. Why? In order to attack an enemy's computer, the attacker has to copy its own code onto that computer. It's like bombing an enemy with munitions that scatter their own blueprints around the blast site.

US hacking tools have gone astray before, most notoriously when a mysterious group called Shadow Brokers repeatedly released National Security Agency code for hackers around the globe to use in attacks like WannaCry. But cybersecurity analysts at Symantec have found evidence that hackers working for China's Ministry of State Security were using NSA-built cyber weapons "at least a year prior to the Shadow Brokers leak." (To avoid offending nation-states, the Symantec report only identifies the Chinese group as "Buckeye" and NSA as "Equation Group.") Symantec's suggested explanation: "one possibility is that Buckeye may have engineered its own version of the tools from artifacts found in captured network traffic, possibly from observing an Equation Group attack."

Bryan Clark (CSBA photo)

"This is a significant revelation," one retired naval officer told us. "With Shadow Brokers, the assumption was that it was a group with significant insider knowledge …. who had somehow pilfered the software and released it. [This report] suggests to me that 1) the issue of loss of control of sensitive malware has gone on longer than understood and 2) if Symantec's [correct] that China likely captured the software while it was being used by NSA, [then] using cyber to collect intelligence is far riskier than generally acknowledged."

“The new element in the story is that an organization has reverse-engineered a deployed US cyber tool and reused it; previous cases involved the theft or loss of a tool,” agreed Bryan Clark of the Center for Strategic & Budgetary Assessments. “This would be similar to the Chinese finding a Tomahawk missile that had failed to detonate and using it to build their own.”

The difference, Clark continued, is that physical bombs and missiles automatically destroy themselves in the course of an attack, unless they're duds. Cyber weapons don't. During war games, the cyber teams often assume that a weapon will only be used once, for precisely this reason. "The solution is to make cyber weapons tamper resistant," he said, "which means their code cannot be determined without proper encryption, or the code rewrites itself after use, 'dudding' the weapon."

But even self-destructing code doesn’t guarantee a target of our cyber weapons can’t copy them, Clark warned: “They will still run the risk of being detected and characterized by a defensive system before the tamper resistant features activate.”

The American B-29 bomber (left) and its Soviet copy, the Tu-4 (right) (Wikimedia Commons)

The Blueprint Is The Weapon

Clever techniques, like malware that encrypts and/or deletes itself, can reduce the risk that the target can copy weapons used against it. But part of the problem is inherent to the nature of cyber warfare, which may require the US to think very differently about this new form of conflict.

Of course, copying isn't new: "Monkey see, monkey do" is central to the success of primates in general, not just humans. In his book Guns, Germs, & Steel, Jared Diamond traces how concepts like written language spread around the globe through a combination of direct "blueprint copying" (the way the Romans adopted the Greek alphabet, with minor changes, to write their own, very different language) and indirect "idea diffusion" (as when the Cherokee picked up the concept of written language from European settlers, along with the shapes of some letters, but used them to represent entirely different sounds).

Copying is common in the military realm as well. The Soviet Union spied extensively on the American Manhattan project and used the stolen information to build their own atomic bomb years before the West expected it. When American B-29 bombers landed in Soviet territory in World War II, Stalin refused to return them to his nominal allies and instead ordered his engineers to make the closest possible copy — not even converting US measurements to metric — which became the Soviet Union’s first strategic bomber, the Tu-4.

But at least Imperial Japan wasn't able to make its own copies of the B-29 just by observing its bomb runs over Tokyo. That, in rough terms, is what Symantec believes China has done with NSA's cyber weapons.

The fundamental problem? To copy any physical weapon in history, from copper swords to hypersonic missiles, you either have to steal the physical object and try to reverse-engineer how it was made, as the Soviets did with the B-29, or steal the information that tells you how to make it, as the Soviets did with the A-bomb. But to copy a cyber weapon, all you have to do is see it, because the weapon itself is made of information. China copying the code the NSA used to attack them is less like the Soviets copying the A-bomb or the B-29 and more like the Romans copying the Greek alphabet: Enemy see, enemy do.

That makes copycat cyber weapons extremely hard to stop. Even if the code is encrypted, even if it erases itself after its attack, it has to be executed on the target's computer in order to affect it. That means the information of which the weapon is made has to pass at some point through the enemy system. Encryption buys time, not immunity: whatever is encrypted on disk or on the wire must be decrypted in the target's memory before its processor can run it, and that is exactly where endpoint monitoring, sandboxes and memory forensics can capture it. If the targeted computer couldn't understand the code, it couldn't run it, so the attack wouldn't work.
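The following toy model, added here as an illustration and not code from Symantec, NSA or this article, shows Clark's point in miniature. A "tamper-resistant" weapon keeps its payload encrypted and overwrites itself after one use, so nothing useful can be recovered from the artifact it leaves behind. But the payload has to be decrypted in the clear at the moment it is handed to the target's execution path, and a defender who has hooked that path copies it before the self-wipe runs. The payload string, the key derivation and the executor are all constructed stand-ins; no real exploit is involved.

```python
"""Why 'self-dudding' malware can still be copied at execution time (constructed example)."""
import hashlib
import os

# Constructed stand-in for the weapon's logic. It is just a text blob, not real malware.
PAYLOAD = b"stage1: locate target service; stage2: install implant; stage3: exfil"


def keystream(key: bytes, n: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256; stands in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


class Weapon:
    """Payload stored encrypted; usable exactly once; wipes itself afterwards."""

    def __init__(self, payload: bytes, key: bytes) -> None:
        self.key = key
        self.blob = xor_bytes(payload, keystream(key, len(payload)))
        self.spent = False

    def detonate(self, execute):
        if self.spent:
            raise RuntimeError("dud: weapon already used")
        # The code MUST exist in the clear here; the target cannot run ciphertext.
        plaintext = bytearray(xor_bytes(self.blob, keystream(self.key, len(self.blob))))
        try:
            return execute(bytes(plaintext))
        finally:
            # 'Dudding': scrub plaintext and key, then replace the ciphertext with noise
            # so the artifact left on the target is useless.
            for i in range(len(plaintext)):
                plaintext[i] = 0
            self.key = None
            self.blob = os.urandom(len(self.blob))
            self.spent = True

    def residue(self) -> bytes:
        """What an analyst would find on disk after the attack."""
        return self.blob


def target_executor(code: bytes) -> str:
    """Stand-in for the target's execution path (interpreter, loader, shell, ...)."""
    return f"ran {len(code)} bytes"


class Monitor:
    """Defender's hook on the execution path, copying whatever passes through it."""

    def __init__(self) -> None:
        self.captured = []

    def wrap(self, executor):
        def hooked(code: bytes):
            self.captured.append(bytes(code))  # copy taken before the weapon wipes itself
            return executor(code)
        return hooked


def demo() -> dict:
    """Run one attack against a monitored target and report what each side ends up with."""
    weapon = Weapon(PAYLOAD, os.urandom(32))
    monitor = Monitor()
    weapon.detonate(monitor.wrap(target_executor))
    return {
        "weapon_spent": weapon.spent,
        "residue_is_payload": weapon.residue() == PAYLOAD,  # False: artifact is noise
        "defender_has_payload": monitor.captured[0] == PAYLOAD,  # True: caught in transit
    }


if __name__ == "__main__":
    print(demo())
```

The artifact analysis that `residue()` models is what self-wiping code defends against; the `Monitor` hook is what it cannot defend against, because the weapon must volunteer its plaintext to the very system it is attacking. Real defenders get the same effect from EDR hooks, API tracing, sandbox detonation and memory dumps taken while the implant is live.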

Air Force Cyber Protection Team exercise (Air Force photo)

A Call For Caution

The ease with which cyber weapons can be copied calls for extraordinary caution in their use, several experts told us. Even if Symantec’s analysis is wrong and the Chinese were not actually able to copy US malware simply by analyzing the code it left on the computers it attacked, there have been too many cases of hacking tools getting loose in other ways.

"There is a trend of either — we don't really know which — of insiders giving up secrets (Snowden definitely / Shadow Brokers maybe) and now insecure operations (if Symantec is correct)," the former naval officer said. "It seems like there should be a different [level of] oversight because of the risk to US systems…. an outside panel or something of that sort. It would require NSA to really open up the books."

Chengdu J-20 fighter prototypes, considered suspiciously similar to the American F-35 Joint Strike Fighter

“NSA will need to think about how to protect against its cyber weapons when they inevitably proliferate, as weapons builders in the military services already do,” Clark agreed. “It will be more problematic with cyber weapons than physical weapons.” One possible protection, he suggested, would be to write a countermeasure for each weapon developed, a patch for each vulnerability to be exploited, and share them with allies when (or even before) the weapon is actually used.

Another option is simply to use cyber weapons much more rarely, or not at all. The loss to US intelligence-gathering and offensive operations would be outweighed by the gains for cyber defense, one former Defense Department cyber official argued. "What you need to do for intelligence on cyber tools and what you need to do for defense fundamentally conflict," the official said.

It's all too easy for someone to copy your cyber weapon once you unleash it, or even before you use it, if someone inside your organization leaks the code, accidentally or intentionally. At the same time, because so many targets run the same software, and so many would-be attackers are constantly probing those systems for weaknesses, the fact that an adversary exploits the same vulnerability you do doesn't mean they copied you: they could have discovered it on their own. As a result, it's tremendously difficult to figure out who originally developed a particular piece of code and who actually attacked you with it, and the developer and the user don't have to be on the same side.

“There is no way to fix this,” the official said. “I can think of an environment where risks are more controlled, and that might be where the leading cyber powers are having some dialogue about collaborative risk management for the use of cyber tools…. If those dialogues were happening, then the risk of bad attribution would be lower. It wouldn’t be eliminated.”

But the US and its rivals aren’t having those conversations, as far as we know. “The absence of dialogue is very destabilizing,” the official said. “I don’t think this has been well thought through.”