“The world will be full of fear”

“We’ve already warned you, and this is just a beginning,” reads the message plastered across the computer screens at Sony Pictures’ Culver City HQ on 24th November. “We’ve obtained all your internal data including your secrets and top secrets.” To emphasise their point, the hackers superimpose their message over a cackling red skeleton.

Three days later the leaks begin. Five films, four of which haven’t yet made it into cinemas, are released on file-sharing websites, and 40 gigabytes’ worth of information about more than 6,000 Sony employees – including medical histories and salary details – is dumped online. A 25-page list of employee complaints is sifted out of the data, and is gleefully disseminated across the web by Gawker. A further, somewhat nebulous, threat is emailed to some Sony Pictures employees: unless they sign a statement condemning their company, “Many things beyond imagination will happen at many places of the world”.

And then, on 8th December, the digital burglars reveal themselves to be a group called ‘Guardians of Peace’ and announce their demands in a post on the open-source developers’ website GitHub. They want Sony to pull The Interview, a film in which Seth Rogen and James Franco play two journalists tasked with assassinating North Korea’s real-life supreme leader, Kim Jong-un – or else. “Stop immediately showing the movie of terrorism which can break the regional peace and cause the War!” the message says. A week later, the threat is ramped up further. “The world will be full of fear. Remember the 11th of September 2001.”

For the first time ever the US explicitly accuses another state of carrying out a cyber attack”

Cinemas pull out of plans to show The Interview. Seth Rogen and his co-stars are assigned bodyguards. An early script for James Bond film Spectre is released online. And on 17th December The Interview’s theatrical release, scheduled for Christmas Day, is cancelled. The Guardians of Peace have won.

In bullying a major US corporation (Sony Pictures has a turnover of $8 billion) into submission, the hackers have pulled off an extraordinary coup. The amount of data they claim to have stolen – 100 terabytes – is unprecedented. Most interestingly, for the first time ever the US explicitly accuses another state of carrying out a cyber attack. The FBI points the finger at North Korea on 19th December, and President Obama chimes in two days later, calling the attack “an act of cyber-vandalism”. In early January, the US imposes economic sanctions on North Korea in retaliation.

There is some initial skepticism about the FBI’s allegations. Only a few thousand North Koreans are thought to be hooked up to the web, and it seems unlikely that a cyber strike as sophisticated as the Sony hack could originate from such an unwired society. But the attack is not without precedent.

On 4th July 2009, as Americans enjoyed their traditional Independence Day pyrotechnics displays, North Korea let off some fireworks of its own. That day, the regime launched seven ballistic missiles into the Sea of Japan. At the same time, the websites of 27 US and South Korean government agencies and businesses were so overwhelmed by access requests that they temporarily went down in a so-called DDOS (distributed denial of service) attack – a technique in which hundreds of computer systems are press-ganged into deluging a single target until its servers seize up under the weight of traffic.

Computer security expert Graham Cluley has described DDOS attacks as “fifteen fat men trying to fit through a revolving door all at once – nothing moves.” But the North Koreans haven’t just jammed the door in the past – they’ve also broken in. In March 2013, several South Korean banks and TV stations had their hard drives wiped by a so-called “logic bomb”, a malicious piece of code which, once inserted, can be left dormant until triggered at a later date when specified conditions are met, and wreak havoc on its host, damaging both software and hardware. Experts pointed the finger of blame squarely at Pyongyang.

It’s difficult to get any certainty about what goes on in a country as sealed off as North Korea, but defectors have shed some light on the hermit kingdom’s cyber capabilities. In December 2014 Jang Se-yul, a defector said to be a former student at the country’s military college for computer science, told Reuters that hackers are handpicked to work for the secretive ‘Bureau 121’. The elite agency is said to be part of the General Bureau of Reconnaissance, North Korea’s military spy agency, and is thought to employ around 1,800 cyber warriors who are drafted in from as young as 17.

“For them, the strongest weapon is cyber,” Jang told Reuters. “In North Korea, it’s called the Secret War.”

Cyber warfare is interesting to North Korea because it enables the pariah state to carry out major attacks for a relatively small amount of money. North Korea is also very well-placed to lash out in cyberspace precisely because it is so poorly connected. Any retribution will only affect a very small portion of society and won’t have nearly the same potential for disruption as cyber attacks in western states.

Still, the allegation that North Korea was behind the Sony hack begs the question why the country would pour their scant resources into punishing a company for a film that is, ultimately, very silly. Sample dialogue:

“The CIA would love it if you could take Kim Jong-un out.”
“For coffee? For dinner? For kimchee?”

“North Korea is not so upset about the movie because a bunch of westerners are going to see it,” says Martyn Williams. “A lot of westerners already think North Koreans are crazy.”

Williams is the founder of North Korea Tech, a blog that tracks technological developments in the country. One of the developments Williams has recently noticed is an increase in western films being smuggled into the country on DVDs and USB sticks. “The biggest threat to the regime is probably information,” he says. “If the movie gets into North Korea, those images can be quite subversive.”

The spy who hacked me

The internet has created a brave new world for hackers, but people and countries have been breaking into electronic networks since way before www. came on the scene. Possibly the first ever network hack happened in June 1903, as John Ambrose Fleming and Guglielmo Marconi were getting ready to demonstrate their new wireless telegraphy machine to an audience in London. While Marconi prepared to send lines of morse code over the airwaves from Cornwall to the capital, tapping noises started making their way into the Royal Institution’s lecture theatre. Fleming’s assistant Arthur Blok recognised the code, which repeatedly spelled out the word ‘rats’. Then, a longer sentence followed:

“There was a young fellow of Italy, who diddled the public quite prettily.”

Four days after his morse code hack, Nevil Maskelyne wrote a letter of confession to The Times. The stage magician and inventor had interrupted Fleming and Marconi’s demonstration by sending signals through a transmitter he had set up near the Royal Institution. In his letter, Maskelyne said he did it to point out security flaws in Marconi’s machine. It later transpired that Maskelyne had been eavesdropping on Marconi’s transmissions for several years before he performed his hack, using a 50-metre radio mast he had built just west of Porthcurno, Cornwall. His paymaster was the Eastern Telegraph Company, which ran the world’s first global cable network from Porthcurno and was worried that Marconi’s wireless technology might one day put them out of business.

States have also long proven adept at finding ways to hack into new communications technologies. Stolen data played a big role in turning around the First World War: In 1917, the interception and decryption of the so-called ‘Zimmermann Telegram’ helped persuade the US to join the Allied cause, ultimately sealing the fate of the Central Powers.

The telegram was a coded message sent by Germany’s foreign secretary Arthur Zimmermann to Heinrich von Eckardt, the German ambassador to Mexico. If the US were to join the war on the side of the allied powers, it said, von Eckardt should offer Mexico German help to invade its neighbour to the north and “reconquer [its] lost territory in Texas, New Mexico, and Arizona.”

German telegraph cables had been cut by the British at the beginning of the war. To get the message to their man in Mexico City, the telegram was sent to Copenhagen and then by secret diplomatic cable to London before making the transatlantic jump to Mexico City through Porthcurno – the same Cornish communications centre where Marconi’s transmissions had been intercepted. What the Germans didn’t know, though perhaps should have guessed, was that all messages passing through the hub were being copied to Room 40, an office of codebreakers working out of the British Admiralty. When the UK finally shared the content of the telegram with the US, both American officials and the public back home were outraged. Less than two months later, the US officially entered the war.

States weren’t just stealing electronic communications in the pre-internet era – they were also using lines of code to directly impact the situation on the ground. The explosive potential of the logic bomb was demonstrated as early as 1982. In his memoirs, former US air secretary Thomas Reed writes how the KGB sent a spy into a Canadian company to steal the technology the Soviets needed to automate operation of their newly built trans-Siberian gas pipeline. What the Soviet spy agency didn’t know was that one of their agents had gone rogue. The CIA had been tipped off about the imminent theft and had fiddled with the computer control system to make it “go haywire” at a later date.

Soon after the Soviets started using the stolen system, pump speeds and valve settings were reset, putting more pressure on the joints of the pipeline than they could take. In June 1982, Reed writes, US early-warning satellites reported a detonation in the Siberian wilderness, which caused fears of a Soviet missile launch. What had really happened, claims Reed, was that part of the trans-Siberian pipeline had gone up in a three-kiloton explosion, “the most monumental non-nuclear explosion and fire ever seen from space”.

But it was the information explosion of the mid-’90s that really made hacking a global force to be reckoned with. The proliferation of websites and PCs offered hackers a handy back-door into countless previously unreachable systems – their users often tricked into installing “trojan horse” applications disguised as useful software. Email, meanwhile, provided the perfect delivery method for ‘worms’ and other types of self-replicating virus programs that could spread malicious code from system to system. And Usenet and bulletin boards – precursors of modern social networks – meant that hackers could get together to pool their knowledge, resources and endless creativity. The internet took hacking mainstream – and made it infinitely more dangerous.

Hacked to death

To get an idea of the scale of cyber attacks today, visit computer-security firm Norse’s Live Attack map, and you can see them arcing back and forth across the globe in real time, regularly building into multicoloured crescendos of activity which obscure the map with their digital aggression.

But while DDOS attacks can cause mass disruption and more bespoke hacks have the capacity to set off explosions, there are sneakier, more sniper-like ways to deal with an enemy over the web.

Murder by internet may sound like a plot for a low-budget sci-fi flick, but a small army of so-called ‘white hat hackers’ have shown that it’s not so far fetched”

In 2013, former US vice president Dick Cheney revealed that he had had the wireless function of his pacemaker disabled for fear of assassination at the hands of a hacker. Europol devoted an entire section of a 2014 threat assessment report to the ‘Internet of Things’ (IoT), the ever-expanding network of devices – from light bulbs to smart cars – that are being hooked up to the internet. The IoT, Europol wrote, could soon be exploited for new forms of cybercrime, including “physical injury and possible death”.

Murder by internet may sound like a plot for a low-budget sci-fi flick, but a small army of so-called “white hat hackers” have shown that it’s not so far fetched. In 2013, Charlie Miller and Chris Valasek demonstrated how they could hack into a Ford Escape and a Toyota Prius, taking control of the steering wheel and brakes from behind their laptops. Barnaby Jack, the New Zealand hacker who once made an ATM spit out cash, claimed he could deliver a potentially lethal 830-volt shock to a pacemaker but died of a drug overdose before he could demonstrate his invention.

Jay Radcliffe, a security researcher at computer security firm Rapid7, gave a demonstration in 2011 at a Las Vegas hackers conference of how to hack into an insulin pump and tinker with the dosages of insulin administered by the device. Radcliffe, a diabetic himself, had set to work after a friend had jokingly challenged him to hack his own pump. It was a long, slow process of reverse engineering. “I had to figure out what all the ones and zeros were attempting to communicate,” he says. Once he cracked it, it was plain sailing. “It’s a really scary thing,” Radcliffe reflects. “I ended up going to a different manufacturer and currently I don’t use an insulin pump at all.”

Cyber security firm IID warned in 2012 that “ubiquitous internet connections will allow death by device… by 2014.” While its president Rod Rasmussen is pleased to see that awareness of the risks has improved since then, he adds that he’s not impressed by the security standards on some smart devices. “We’re seeing really stupid things like default passwords and no passwords,” he says.

Still, Rasmussen doesn’t expect the CIA and MI6 to start widespread use of this technology anytime soon. What’s more dangerous, he thinks, is a scenario in which vulnerabilities in devices are sold on illicit online marketplaces, making them easily available to common criminals. “People kill each other a lot, for all sorts of reasons,” he says. “If somebody creates a way to do something to a car, do something to a person’s pacemaker, whatever it is, it’s likely somebody will build the software for it and say ‘hey, you want to do something with this? 500 bitcoin and you can buy it’.”

“Ooh, the first cyber war”

Whether they’re investing in algorithmic sniper fire, logic bombs or digital defence, states have been amassing cyber capabilities at a formidable rate. In 2010, the US established Cyber Command as its go-to organisation for ‘cyberspace operations’. Its budget has quadrupled from $114 million in its first year to $447 million in 2014. The UK allocated £650 million for its 2011 Cyber Security Strategy and last year launched a national Computer Emergency Response Team to create a more centralised line of defence against cyber attacks. Other states that have invested heavily in cyber warfare include China, Russia and Israel.

Taken together, these capabilities raise the spectre of the ultimate hack: all-out cyber war. In his 2010 book Cyber War: The Next Threat to National Security and What to Do About It, former US counter-terrorism czar Richard Clarke paints a picture of cybergeddon. In his scenario, a nationwide power blackout hits during rush hour. Airplanes collide mid-air after the national air traffic control centre’s system collapses. The financial system dissolves as critical data centres are wiped. Freight trains derail, gas pipelines explode. With ATMs no longer functional, panicked Americans start looting stores. Nobody knows what has hit them – or who.

There are all kinds of scary and catastrophic scenarios and we’re definitely not there yet”

Thomas Rid, a professor in security studies at King’s College and author of Cyber War Will Not Take Place has become exasperated with scenarios like these and the cyber war debate in general. “It just sounds cool, it sounds like science fiction,” he says. “The first cyber war has happened 25 times now. Everybody always claims, ‘This is the first cyber war,’ then people forget about it because it’s not that serious and, again, a couple of months later: ‘Ooh, the first cyber war!’” Rid does see potential dangers in states’ use of cyber capabilities, but thinks the mediagenic stories that involve physical damage take away attention from real trends in, for example, data theft and interception.

There’s another reason why it’s not time to panic quite yet. “There are all kinds of scary and catastrophic scenarios and we’re definitely not there yet,” says cyber-security researcher Caroline Baylon. She says that a dangerous precedent is being set by countries reportedly “hoarding vulnerabilities” – placing logic bombs into each other’s infrastructures. But with governments covertly building their cyber capabilities and delivering the occasional warning shot, a situation reminiscent of the Mutually Assured Destruction of the Cold War has emerged: “Nobody would want to cause damage in that way just because of the fear of retribution,” Baylon says.

Except North Korea, maybe.

Posted on Wednesday, July 15th, 2015 - Categories: #17 - Oct-Dec 2014, From the archive, Long reads.