The UK is developing a cyber-weapons programme that will give ministers an attacking capability to help counter growing threats to national security from cyberspace, the Guardian has learned.
Whitehall officials have revealed that the UK needs to have a new range of offensive options, and not just bolster defences around the country's critical services and government departments, which regularly come under attack from hackers.
Several articles in the Guardian about this today as including a recap on stuxnet, the first known major state sponsored act of cybercrime aimed at offline architecture.
Today at work we are calculating operational costs for a large Saudi owned client who want anti ddos protection option as a standard. It's going to me up to me to find a decent supplier for this service, after which we'll routinely sell the anti ddos option as standard with all hosting we do.
Shit is frankly, getting real on the internet as I see large scale internet crime change from being the exception to being the norm. If you're not protected against it, you at least want a quick option to be should something like this happen.
Anyhow, the government having offensive 'cyberweapons'? What do we think? Well, on one hand the government will probably manage to mess a few things up and get things wrong a few times, but I have the feeling there is a beginning of a mutinational arms race finally showing its face, where you simple have to have these services as a deterrant to attack.
What kinds of cyberweapons are on the cards? Please link me if anyone can find anything else, but I'm assuming it'll be of two varieties, botnets and viruses, the things that are hard to ethically deploy. (I almost count spam here, but we're fighting an incremental war here that is evolving over time)
First of all with the botnets, a legal botnet is expensive, but not necessarily prohibatively so. One would take out a very varied range of cheap but bandwidth burstable accounts on shared or VPS hosting from a variety of suppliers all around the world. All purchases would have to be done via a series of shell accounts to cover the fact the funds came from the government. Assuming one can set up with 1000 small (£20k/month?) and 100 large (another £20k/month?) accounts, you hook them into your obscurcated command and control server and send software updates and orders to this. I wouldn't be surprised if this is the sort of project we'd collaborate with the US on.
To do so illegally would involve infecting home pcs and playing the same game as the cybercrooks so I don't seeing a legitimate government backed attempt doing that.
Secondly, viruses. The stuxnet worm was exceptional in that it knew 4 zero day windows exploits, and that it had a deep knowledge of Iranian power plant control systems. I'm sure we can all believe the government knows a few zero days exploits, or could find their own if they had to. It also has the existing espionage infrastructure in place to audit target systems before attack as well as perform the initial insertion. But the question I ask myself, do we really have to fear the offline effects of an online attack? Currently, I say no, stuxnet was the exception, not the rule.
In the old days of the internet, securing your basic forms site against SQL injection was the exception, not the norm. That changed long ago with the rise of ecommerce. As I said, people are now starting to want anti ddos options as standard. Will critical offline machinary now come with warnings:
Warning, do not connect control machine to a Windows PC
Warning, administer from local console only
Not yet they won't, but questions will be raised about existing IT consolidation and support projects. Industrial automation experts and intergrators will be getting pay rises. The concept of IT being 'mission critical' and not just something that you get on your computer, but something that is a part of your everyday life, all around you will spread.