In March, unidentified hackers penetrated RSA, a top U.S. cybersecurity company, and stole complex security codes. At the same time, intruders broke into Google's Gmail system and stole passwords, enabling them to potentially gain access to sensitive facilities or information.
Cybersecurity experts say these recent intrusions are the most sophisticated hacking efforts ever perpetrated against private computer networks. Even more worrisome, such actions could have set the stage for cyberwar. The perpetrators may have gained the capability to identify targets, assess vulnerabilities and position themselves for future attacks.
"I think what we're seeing today are the reconnaissance activities of cyberwar," said Herbert Thompson, who teaches cybersecurity at Columbia University.
Security experts cite several features of the recent attacks as distinguishing them from intrusions more typically attributed to individual hackers. The RSA and Google attacks are both thought to have been carried out by a foreign government, or by actors associated with a foreign government. Both seem to be examples of multistage operations, in which the initial intrusion makes possible subsequent attacks against entirely separate targets.
'Small, Subtle Battles'
The theft of RSA security codes, for example, apparently enabled the perpetrators to launch a later attack against Lockheed Martin. The penetration of Google's Gmail accounts may have permitted the intruders to gather intelligence about individuals who could be significant targets during a more ambitious cyberattack in the future.
"We're likely to see a series of these small, subtle battles where the adversary, or the nation state, is gathering information," said Thompson, who is also chairman of his own company, People Security. "It is being done by many large countries, and it's probably an important thing to do. But the big question is: Where is this all headed?"
In some cases, hackers may be seeking to gain access to a company's computer network simply to have it as a base of operations during a future conflict.
"If you have a technology company and a bunch of servers and a lot of bandwidth going to those servers, there's no direct indication that that's a cyberwarfare asset," noted Max Kelly, who investigated cyber-activity as a FBI agent and subsequently served as chief security officer for Facebook. "[But] if a state actor ... gets access to those computers and that bandwidth, they can suddenly use that to attack anywhere in the world, and it's going to look like it came from you."
Kelly, speaking last week at a cybersecurity conference sponsored by the Center for a New American Security, said attackers who gain access to someone's computer system would most likely be content "to just sit there" and wait for an opportunity to use the system to move against someone else.
Cybercrime Versus Cyberwar
Pentagon officials have generally been careful to separate cybercrime, cyber-espionage and cyberwar. "Right now, what we typically are seeing is criminal activity," said Robert Butler, deputy assistant secretary of defense for cyber policy. But Butler said his department and other U.S. agencies, in assessing cyberattacks, often struggle to understand "what has happened" and "what type of threat" they are facing.
Some recent attacks are hard to categorize, inasmuch as the goal may be either to steal industrial secrets or to gather intelligence that could be used in wartime.
"When I look at what real cyberwarfare scenarios are going to be, I think they're going to be very much like cybercriminal scenarios," said Kelly. "They [will be] largely covert. If there are actual actions, they will be very targeted actions, for a specific purpose."
In fact, that description could apply to recent intrusions.
"If you just look at cyber as a new theater of war, these are the types of activities that happen in a new theater," said Thompson. "With any new theater come new techniques to gather intelligence. New warfighting capabilities are drawn up. That's the phase we're in right now."