Clicks and keystrokes can now crash economies and burn governments faster than fighter jets and firearms.
So-called ‘cyber-munitions’ are technological products and protocols with both offensive and defensive capabilities, little-known to the public, and hotly debated by digital security experts. The U.S. government is currently in the process of deciding how to categorize and regulate cyber-munitions.
Traditional munitions are weapons and technologies like firearms, fighter jets, and bombs that are intended to cause physical, real-world damage. Cyber-munitions are code-based tools that can both cause real-world damage and wreak havoc in the digital realm.
Cyber-munition development has become a lucrative industry. Aliya Sternstein, writing for government security website Defense One, reported that in October the United States Cyber Command issued a request for proposals from private contractors to fill a $460 million contract that would help the government agency hire over 6 thousand new ‘cyber-warriors’. These government-paid hackers will be deployed across 133 defense agencies. While specific assignments will likely be classified, it is widely believed CYBERCOM coders will be charged with fending off attacks from Chinese and Russian-backed groups, and developing and deploying next-generation digital weapons.
The Stuxnet worm might be the best-known offensive digital weapon. Discovered in 2010, Stuxnet was a rootkit worm allegedly developed by the United States or a close ally as a part of Operation Olympic Games. It targeted industrial computer systems produced by Siemens that were used to control the speed of centrifuges enriching uranium at Iran’s Natanz nuclear facility.
Stuxnet worked by manipulating the speed of centrifuges at Natanz in ways that were undetectable to Iranian engineers. The malware was well-cloaked: although the worm spread, as many do, on the Windows operating system, it targeted systems with specific hardware and software profiles that the Western intelligence community suspected were used on Iranian machines. On the vast majority of infected devices, Stuxnet lay dormant. But on machines that fit the Iranian profile, the code performed a specific and nuanced set of instructions. After the malware carried out its attack, it hid itself and became nearly invisible.
While Stuxnet is one of the most well-known tactical deployments of weaponized software, the malware is only part of the ‘cyber-munitions’ equation and may be an outlier that portends the future of cyberwar rather than a barometer of the current state of the industry.
“It is important to acknowledge defensive weapons serve a purpose just as much as offensive,” said a former Department of Homeland Security employee who didn’t want to be named. “[Cryptographic systems] are not as sexy [as Stuxnet], but they’re just as important.”
The expression ‘cyber-munition’ dates back to the hacker culture of the late 1980s and early ’90s and is generally used in relation to cryptographic systems that protect strategically sensitive and often classified information.
The United States and its allies are proficient at developing and deploying a variety of cryptographic systems, said John Pironti, and, much as with traditional weapons, the U.S. often seeks to degrade and deter rivals from obtaining equivalent capabilities. “We’re pretty good at hacking and cracking less sophisticated and older systems,” he said, “and we’d like to keep that advantage.”
‘Cyber munitions’ are typically defined as a part of the Federal Information Processing Standards, a series of 140 cryptographic standards required by the federal government. These standards are commonly referred to in the crypto community as FIPS 140.
Suite-A and Suite-B are the two types of cryptographic standards defined by the National Security Agency as ‘modern cryptography’.
Suite-A cryptographic systems are classified and are only intended to be used by the U.S. government, allies, or contractors with appropriate levels of security clearance. Suite-B cryptographic systems are a set of algorithms that are available to the general public. According to security firm KoolSpan, Suite-B tools consist of four different technical protocols based on work by Dr. Stephen Kent, a pioneer of widely-used encryption standards.
Both Suite-A and Suite-B systems are very strong and respected systems, said Pironti. But Suite-A is classified, and, he added with a chuckle, “unless it’s based on a public key standard, if the U.S. government is moving algorithms from Suite A to Suite B they likely know how to get around it.”
So why were ‘digital products’ removed from the list of so-called cyber munitions? In recent years the United States has been engaged in a policy called Export Control Reform (ECR). The “U.S. Munitions List frankly has too many items on it,” said a U.S. government official with knowledge of the situation, “since a lot of these items made the list back in the 1970s and 80s, there are a lot of technologies that have long since gone over to the commercial world.”
In the past, classification of security tools served to limit the distribution of a technical advantage, added Pironti. It is generally assumed by the defense community that today both state and non-state actors are able to obtain high-quality encryption technology.
Today, said the government official, limiting access to technology and intellectual property serves as political leverage for negotiation in trade and commerce agreements with other states. The official added, “If the [technology] item is commercial in nature or of dual-use, then generally the Department of Commerce, not the Department of State, regulates its export. For this reason, a lot of items typically viewed as ‘cyber weapons’ are actually under the Department of Commerce’s jurisdiction.”
Category XI of the U.S. munitions list addresses military electronics under State Department jurisdiction that deal specifically with Suite-A technologies.
Currently the White House is involved with a State Department and Department of Defense project to update the munitions list and shift lower priority tech items over to the jurisdiction of the Department of Commerce. “This helps us focus more on protecting the high-end technologies essential to our national security,” said the official.
Unlike previous generations, the U.S. no longer holds a monopoly on cyber-defense development. “Other actors are getting really good at developing these technologies,” said Pironti. “There are tools I wish certain actors didn’t have, but it’s not a closed-loop system anymore.”