Cybersecurity Guru Bruce Schneier, author of ‘Data & Goliath’, a New York Times bestseller, discussed the Internet’s resiliency and China’s suspected cyberattacks against major US companies.
NOTE: The day following this interview an attack occurred against Dyn, a domain name service provider, that disrupted access to high-profile sites such as Twitter, Spotify and the New York Times. Attackers took over tens of millions of devices using malicious software called Mirai.
Bruce Schneier, aged 53 years, is an American cryptographer, computer security and privacy specialist, and author. He has written several books on general security topics, computer security and cryptography; his latest book, ‘Data & Goliath’, is not only a best seller but a MUST read!
Schneier is a fellow at the Berkman Center for Internet & Society at Harvard Law School and a program fellow at the New America Foundation’s Open Technology Institute. He has been working for IBM since they acquired Resilient Systems, where Schneier was CTO. He is also a contributing writer for The Guardian news organization.
Editor – I read some of your comments recently about the DDOS attacks and there were questions around the testing and resilience of the Internet. So I’m seeking your thoughts on who may have been testing the Internet and its vulnerability?
Bruce – It was the first story that I have written that has a lot of unsubstantiated rumours and I was told these things by some companies and I wrote about them because nobody else had. These were about a particular style of DDOS attack against large infrastructure companies, that looks like someone very much testing the defensive capabilities of these companies.
Now I can’t name the companies, but there was this Verisign report on DDOS which confirmed that what they were experiencing had mirrored exactly what I was told. (Verisign Distributed Denial of Service Trends Report)
So that’s the public information. Since I wrote that article, I was approached by two other companies that said yes we are seeing this too. So this is pervasive. The companies, including Verisign, think it comes from China. China is, for some reason, testing these DDOS capabilities. They are not taking down any of these sites. It’s hard to know why they are doing it, it’s hard to know how effective it could be and would be. Is it a diversion or is it simply some kind of cyber war unit just running tests? It reminded me very much of the US actions during the Cold War, of flying planes high over the Soviet Union, and watching their air defences turn on to learn about capabilities. It felt like that.
Editor – Do you think it correlates to other military manoeuvres?
Bruce – I don’t know any of that; I don’t know enough to make that connection. All I know is that for the past year and a half, this has been happening to these large Internet infrastructure companies.
Editor – When you say it’s being sourced from China, there are other activities being sourced from Russia, according to the US. What do you think of that?
Bruce – This is bigger than that. It’s longer term. This isn’t something happening this week or this month, this has been going on for a year and a half, off and on.
Editor – Is the attack methodology the same? Is the Internet something they can actually break?
Bruce – I don’t know. So far, the companies that have been victims, Verisign included, have adequate defences, to defend against these attacks. Could it work? I don’t know. Would you want to do it? I can’t tell! It wouldn’t be permanent.
Editor – Is this the kind of thing nation states or terrorists might be preparing to use, such as during a 9/11 style attack?
Bruce – When you think about nation states using DDOS, it has to be in conjunction with something else. So, you can easily imagine China using it on themselves when there is a Tiananmen Square level of political unrest. Like Turkey, lots of countries censor themselves during times of political unrest. You can imagine a country like China doing this against Taiwan for some reason. My guess is it is just done as some testing capability. The companies involved were US companies, so I spend a lot of time with the Harvard Kennedy School and a lot of people there are working on cyber war, the Americans and occasionally the UK and other ‘five eyes’ countries, come in and test our cyber warfare readiness. That’s what military officers do, they plan for war and it’s my guess that it’s Chinese military officers that are doing this, like ours, like yours, like everybody’s, are planning for war. And this is one of the things that is being done in the eventuality. I think it is a risk!
Editor – So you wouldn’t be surprised if you saw these attacks – or stress tests – as a component of major military exercises?
Bruce – No, it probably wouldn’t be that correlated. No, it’s a separate unit. This is going to be the cyber unit, who is all the way off over there. They’re not the same unit that runs submarines or does tank manoeuvres, they are the cyber people.
Editor – You don’t think they would be thinking at that scale?
Bruce – They might be thinking like that but the tests wouldn’t be correlated, because why bother?
Editor – Or it would be setting off too many red flags?
Bruce – A lot of what I am saying here is pure speculation. I saw this pattern and I thought we should make this public. I have been trying to get these companies to talk on the record, there is no shame here, but with the exception of Verisign, they never talked to me, but they published that report and I link to that in my article.
Editor – This leads me to the Internet of Things. What’s your view there?
Bruce – That’s the Brian Krebs story. Brian Krebs was attacked by digital video recorders, CCTV cameras, vulnerabilities in random devices, not computers.
Editor – That is something I was interested in. Princeton did some research on this, to find out how many devices are out there with just default, root passwords and there were about 13% of all devices on the Internet that were vulnerable.
Bruce – It’s really bad. The article I wrote after the Krebs attack is worth reading. I talk about the difference in the economics that means it’s not going to be like this [holding up his smartphone]. There is an entire team of security researchers that make sure this [smartphone] is secure. There is no such team for DVRs, and this thing gets patches every month, or every week! The DVR never gets patched and I throw this away every 18 months and buy a new one.
Editor – Thanks Bruce. Can you please sign my copy of Data & Goliath?
Get your copy at https://www.schneier.com/books/data_and_goliath/