
All right, well, good afternoon everyone. Thank you so much for having me all the way from Amsterdam here in Baltimore. I've been enjoying my time quite a bit, and I'm glad to be in front of this audience to talk about one of my favorite topics, which is cyber warfare. This talk is actually from the EU and NATO member cyber warfare exercises that I helped run in Brussels, called the Vanguard exercises.

To give you a bit of an idea about my background: I got into cyber warfare starting out at the US Air Force's Space Command back in the day, at a place called Buckley. If you know anything about the early days before US Cyber Command, there were a lot of things going on there. I also came from Aramco, the Saudi Aramco family. After the 2012 Shamoon attacks they gave me a call and an offer I couldn't refuse, to work for them to help remediate and set up all of their security worldwide amongst the entire family. Currently I advise governments, the individual governments and places like the EU Parliament, on cyber warfare and artificial intelligence, and I'm also on the All-Party Parliamentary Group on Artificial Intelligence at the House of Lords as well. So I like to have a lot of fun with technology.

When we start to talk about technology, I think all of us know that there are a lot of vulnerabilities, there are a lot of challenges, and what we're finding more and more is that a lot of these challenges that we think might be just a bit of a simple vulnerability can unfortunately be used with devastating effect and in large quantity against a particular government. These are the types of trends we're seeing now in the European Union and amongst NATO members. There have been some very unusual and very challenging events that have occurred in the past few years. We have an issue with the Crimea region, if you've ever heard of that, which borders on the European Union and is a European country. We've seen in Estonia earlier on that if you move a Soviet soldier hero statue, suddenly you can get patriotic Russian hackers attacking your entire country's infrastructure. Nowadays we're seeing a lot of push and pull from various governments, so we have influences in different countries amongst European Union and NATO members with strong ties to the US, also strong ties to Russia, and China has lots and lots of money they're going to be investing in Italy. My government in the Netherlands just announced yesterday that they're going to be using Huawei, with KPN, as part of their 5G backbone; so have the Germans, and most likely the French will follow suit. In the meantime there has been a rise in populism in politics, which can be good, can be bad, but it's not looking great. And we also have to deal with our own members trying to talk to each other, because sometimes there are some old feelings between the different countries, and they have their own alliances, like the Visegrád nations, which are some Central and Eastern European countries that have much closer ties to each other than to the European Union itself.

To describe what these exercises were: the people who attended were ministries of foreign affairs, ministers of defense, ministers of war, or their second-hand person there. These were the actual decision makers, or people who would advise the decision makers on whether or not to declare an act of war, for example. So it was very important to get these topics to them in a way that they could understand. We had some ambassadors, we had some think tanks, and we had a few non-NATO members join in the fun.

To warm them up, I went ahead and showed them some very interesting but real things. One of the things that I was able to find, for example, was a power plant, a hydroelectric dam, a government bank and agriculture that were actually controlled by a remote access trojan, the same exact one, and it was being controlled from behind the Vimpel ISP in Russia. Now, these things are actually part of critical infrastructure in the United States, right? We all like food, we kind of like water and electricity, right? I do. And then I showed them a few other things that are a bit more realistic. This is the power plant; on the bottom you can see that Modbus is in use, and towards the top you can actually see what Xtreme RAT looks like in that particular version of Xtreme RAT, and that was the one that was controlling all of these other locations as well. In addition, this is a salmon farm; salmon for Norway is quite crucial for part of their economy, and this was also being controlled by the same RAT.

Now, to make it not so serious: I do live in the Netherlands, and you might have heard that weed has been decriminalized for a while, and it is part of our tax base because it's heavily taxed. Places like Colorado are now basing part of their agriculture on that with their GDP, and if you can connect it to the internet... This is actually a grow operation with no authentication; it's completely disabled and directly connected. Unfortunately this was actually found in a country where it's not legal to grow. But just remember, if you're growing weed and it's IoT, secure it, right?

So we don't have an official playbook for how to operate in cases of cyber war, because different countries have different definitions and there is no international consensus on what the definition is. We can't even decide what is critical infrastructure between countries, so it's been very challenging. Now, some of the NATO countries are nuclear powers; some of the European Union countries are nuclear powers. One of the things that we wanted to do, in conjunction with the European Council on Foreign Relations, was to build a diplomatic toolkit of things that the actual decision makers could actually utilize during a large-scale attack when it happens, and I do say when. Some of the different countries also have interesting laws. Like the Netherlands: a couple of years ago they decided that it was legal for them to hack back anywhere, on any device, at any time, if they believe that it can threaten their country or their economic base or their democracy. They're the only nation that legally can do that per their laws, and you do not have to be a Dutch citizen or resident, and it can be a smartphone, it can be a printer, it can be anything. So things are a bit interesting.

To describe some of the scenarios: it was a two-day event and we were warming them up for the major one. How many of us have been so stressed out that you get a little burnout? In IT it's kind of a thing, because it can be a stressful position. Well, in the first scenario what we did was we actually used an embassy employee who was suffering from some burnout from some stress, and what he had started doing was hoarding information and paperwork from the embassy and bringing it home. Fortunately or unfortunately, his adult daughter found the information and thought it must be declassified. So in the scenario she wanted karma points on Reddit, and she also posted information on 4chan before it was caught. Yes, so also another reason why I'm glad I never had children, but you know, once it's up it's never going to come down. And also in the scenario, because she was using a regular laptop, what had happened was it got infected by a virus from a cyber criminal organization that got all the rest of the information and started selling it on the dark web. So, a fun scenario.

Now for number two, it was a little bit more involved, and what we did was we gave them some very interesting decisions. Not all member nations have mature computer emergency response teams. For example, when I was last in Bulgaria not too long ago, their computer emergency response team doesn't even use encryption on their website. Yeah. It's okay? No, it's not. Yeah, not really. So a security researcher, a hacker like us, found a pretty nice zero-day that could affect a lot of different equipment, including some critical infrastructure, and the rule generally in Europe is you're supposed to go to your national-level CERT, because although there is an EU CERT, they do not go into a country; they are an advisory group. So this particular CERT was not set up with appropriate encryption, and when the researcher went to send the exploit, unfortunately another government who was listening in, as you would, because wouldn't that be a great place to collect exploits, eh, right? went ahead and grabbed that exploit and also used it. On top of which, at the time we gave them the scenario of the Shadow Brokers. Now let's say you are a country and you know that the Shadow Brokers subscription exists; you're pretty sure that your neighbor, might be a friend, might be a frenemy, also has a subscription. So we gave them the decision: what would you do, would you purchase a subscription, obviously not publicly but privately? And for the final part of the scenario we actually used the Dutch scenario, and the Dutch mistakenly hit a Chinese consulate and wiped some data. It's not the best thing to do. How many of us have gotten an IP address wrong? Come on, there's more, right? So this is one of the dangers, where you can make a mistake, human error, if you hack back, and whoops, that might be a hospital as well, or might be something else. These types of methods really have to be thought through before they're utilized.

Now our final one, my favorite one, is called Dead Canary. It starts out in the evening: one particular country basically gets "Estonia'd", so to speak. Their national banks are taken out, their data centers are taken out, their telecommunications are taken out, and their government websites are DDoSed massively. The very next day we've got four events all at once, and these involve five separate countries. Now think about diversion attacks, and think about the ability for NATO to be able to do something in five different countries at once; this would be very, very challenging. So the next day we used an instance where attackers, a nation state, were able to get into the Rotterdam port and adjust the lock system, which tipped over a shipping container, killing sailors on board or leaving them missing. Then next, in another country, they hit the electrical grid and caused an over-voltage to take out the transformers, causing massive fires and shutting down the electricity. Right now it takes up to 18 months for one transformer to be manufactured, and we're talking about a large country with at least 30 million people. In addition we hit London. We decided to use this scenario because I also have advised for London transport and I know their systems quite well: took out the signaling systems, manipulated things, and during rush hour in London made the trains go smashy smashy, causing mass casualties. And then shortly after, a particular large country's stock exchange is taken out by the nation-state adversary.

We also had a twist in our exercise, because we now realize that the relationship between the European Union, NATO and the United States is quite strained at this time. So we wrote a letter, which, although we could not get someone quick enough to do the voice of Trump, I went ahead and read. What the letter says, basically, to paraphrase, is: "Good morning America. We have found out that five of our European Union and NATO allies have come under devastating cyber attack with mass casualties in the thousands. However, when I was last in Brussels at the brand new NATO headquarters, I warned them that all of the member nations needed to invest in their defense by meeting the two percent of GDP requirement for your defense spend as a NATO member, and they did not. Now is the time for Europe to stand on its own two feet. American blood will not be spilled. God bless, and God bless America. Donald J. Trump." So what we did was we actually planned that the United States would not stand with us with Article 5 solidarity, and what would Europe do, what types of diplomatic actions would they take, would they take the lead and come to a consensus?

Now, the scenario that we used was actually based predominantly on the Shamoon Aramco attacks. I believe I'm the only person who's ever publicly discussed it, and trust me, I got a lot of pressure from the government not to do so. But involved in the attack, there were a lot of telecommunications taken out; the Aramco network also ran the network for the police stations and fire departments, because they're a national oil company. So we based a lot of this on it, and we believed it was extremely realistic.

Now one of the most important things that came out of this was the lessons learned. We could get small groups to come to a consensus, but as a whole we could not get everyone to come to a consensus, which is quite scary. In addition to that, the night before the final Dead Canary exercise, after drinking some wine with the staff, we made a little bet to see if we could get any of our groups to agree to the nuclear option. I won that bet, because I used to work with a project called HEMP, hardening against electromagnetic pulse, for US Air Force Space Command, and my group actually agreed to consider launching a nuclear weapon in the upper atmosphere of the attacking nation state to take it out in that manner. So what we tried to stress was: they could not come to a full consensus, but preparation was absolutely key, to begin to start talking to each other, taking these things seriously, and studying that diplomatic toolkit, because it will be needed.

Now, the question is how realistic is this? In the European Union we've got a grid that is connecting every single member state, and electricity also feeds in from countries like Serbia. Now, unfortunately there was a deharmonization between Serbia and Kosovo which did not deliver 113 gigawatts of electricity over a four-year period, causing system clocks, on your microwave and so forth, in the rest of the European Union to actually lose four to six minutes. So we've already seen that. That's not a cyber warfare attack, but politics and geopolitics are already affecting these types of things.

Now, there are some countries that rely a lot on solar and wind, and I'll show you how easy it is to find some of these things. I used a simple dork in Censys.io, and I showed this at the European Union Commission, which is basically the same thing as the US Senate, in October to show the fragility. I was able to find solar panels pretty easily, because, you know, they're IoT systems now, and I could quickly differentiate if there was anything more juicy, because I like databases: what else can you get to? And then I was able to find basically all of Denmark's wind turbine farms. Denmark is now working on this after the presentation, but Denmark relies heavily on wind.

Now, I'm not sure how many of you have smart meters. Yeah. So there's a reason why the Netherlands is the only European Union country where we can refuse them; I do not have one. There is not a lot of security testing or requirements, and we worry about electricity. You can do a lot of very interesting things with electricity: if you send a very small over-voltage you can actually set fire to kitchen appliances, because they're not made for that. So there's a lot of things. I was able to find a lot of these devices, unfortunately, directly connected to the internet using various dorks in Censys, for example, and here is one where you may notice there's no HTTPS, and yeah, there's the login. Luckily, since they didn't do any real security testing, I was able to just bypass that with a file traversal and go ahead and get in, see what the electricity usage was, and also I could change the pricing for peak and off-peak, because it's fun.

Now, in North America you have a different system, and one of the things that they're doing between the United States and Canada is using something called Open Automated Demand Response, and this is a management interface that ties in different protocols for controlling the electricity. So here again: pricing, demand, and you can connect to any of the smart appliances that it can actually see. You're not supposed to connect it to the internet, but in 138 milliseconds I was able to find 75 directly connected to the internet. And here's one in Quebec, Canada, which happens to be a hydroelectric dam, because, you know, I like water and electricity. And they're not using a correct certificate either; it's nothing like a false, untrusted one, they're actually using a vendor demo certificate, which is not what you want to use at all. And I was able to find anything else that was juicy connected to any of the devices that were directly connected.

So when it comes to more and more smart stuff, because these things can also be used against us: how many of you have smart appliances, or a Nest, or an Alexa? Yeah, yay, right. So this is a particular manufacturer out of Europe called Miele. I have desperately tried to get a hold of them; they don't do any security testing, and you can do lots of things with their appliances if you can find them, and they're not encrypted usually. This is a Miele hub. If you've got about an extra thousand dollars you can buy this smart appliance hub just for Miele devices, because you don't need that, but you can connect to everything that happens to be connected to it. And luckily for them, they actually hard-coded the username, so then, you know, all you gotta do is... yeah, I see head shaking, like yeah, no, no, yes, yes, yes, bad.

So if I wanted to cause a diversion: there was a story I heard where, when Trump and Clinton were on the campaign trail, they were in the same kind of location, and what some bank robbers did was set off a bunch of alarms to divert things, and they also knew that the police were paying attention to the candidates, and then they went ahead and robbed a bunch of banks, which was kind of cool. But these are home alarm systems that are directly connected to the internet. France has a problem. Yeah, I did this by European countries, but yeah, they have a bit of a problem there. So France has been looking at that with their CERT, because they're now starting to do proactive scans like the Department of Homeland Security does, so that's kind of a good thing. And here's an actual house. Yes, you can have a smart house and you can do a lot of things with it, especially if it has cameras, and you can adjust the heat and shut it off during the winter time, because that's, you know, always kind of fun, again with no encryption. So we're seeing how some of these things can affect us. I should say there is one time I had to lead an incident because a whole line of smart appliances, including smart fridges, were infected and were being used by a botnet network for a spam campaign. So your house could be spamming you right now. Unfortunately, again, no encryption; I was able to bypass everything, see the camera, see everything that I wanted, which is always fun. You don't want me to do that.

So to conclude, because I would like time for questions: this is actually a picture 13 days after the initial Shamoon attack by the Iranians against Saudi Aramco. What had happened was they took out about 85 percent of their Windows-based computer systems and things that connected to some of their industrial systems, so they could no longer auto-load any of these gasoline trucks, and there were miles and miles of them stuck there. They also had lost the ability to charge them money. Luckily for Aramco, they're very wealthy, so they ended up giving away gasoline to make sure that the rest of the country ran. After this was posted, unfortunately the Saudi journalist who posted this has since disappeared. I'm not saying it's a trend, but... What had happened was, at this time, if you went to go ahead and try to get gasoline: how many days' supply do you think a country can use, or excuse me, store? They need it for their military, they need it for their police, their ambulances and so forth. Saudi Arabia also provides refined gasoline to Bahrain, and Bahrain was starting to get shut off. And one day after this, Qatar's RasGas was hit with a variant of Shamoon. The big difference between the variants was that ours in Saudi Arabia actually had a burning American flag; basically it looked a bit like the Flame attack that had hit Iran. I'm not saying anything, but I'm saying something.

So one of the more difficult things with this particular attack was that about 25 percent of the world's energy goes through Aramco every day. I think you might have heard on the news that they are the most valuable company in the world. We were facing a crisis where, if we could not ensure the oil supply, between 25 percent of the world's energy from Aramco and 13 percent of the world's energy coming from Qatar, we were looking at the possibility of a barrel of oil being 400 to 450 dollars a barrel. Yes. Who likes expensive gas? No, right. So you can see that if there is a country that is hit that is a primary supplier of something, it can actually have a domino effect around the world, which is one of the things that we need to absolutely be prepared for. And many of these things can be solved on the back channels, diplomatic back channels, without pressing a button. Aren't you all glad of that, right? I am. And it really is because we're seeing these more and more; some of it's public, some of it is not. We really do need to plan now, we really do need to get with our particular allies, because one of the things that keeps me up at night is the fact that many European Union nations do not have cyber security as part of their national defense. I spoke about this in Berlin two weeks ago, basically hoping that they would listen to me. So I'll go ahead and conclude and say thank you very much, and I would love to take questions. There's got to be some questions. Any question? Okay, almost any question.

[Audience question:] Can you talk a little bit more about the Shamoon attack, in terms of what the impact was and some of the things you dealt with? I know you only talked about this a previous time, but as far as applying that to future scenarios, what were the main lessons learned out of Shamoon that you would say apply to any scenario?

Okay, so what lessons learned were there from the Shamoon attacks? There were quite a few. Firstly, segment your network. They had a perfectly flat network at the time, and that's just crazy sauce. Secondly, you need money; if you do not have the money to recover, you can definitely be put out of business. Two, make sure you have printed copies. At the time they had done a full digitization, and when they went to contact people, it was also during Ramadan, which is like our Christmas period, where most of the employees were allowed to take vacation; when else should the Iranians hit, right? And they could not get contact information, because everything was on SharePoint and SharePoint was not functioning at all. Another lesson learned was that most of the employees at the time did not have cell phones; they had voice over IP phones for their desks, and there was no more voice over IP at all, so we had to buy a lot of cell phones as well. Another thing would be: make sure you have older equipment that you can jump to with a known good configuration. They had to dig out older equipment that they knew could work, and even typewriters, because they didn't have anything else to type on, and they had to get fax machines out, which are not popular in use in Saudi Arabia or most of the rest of the world, except if you're in Japan, where they're really popular. So those were some very big lessons learned for us. One big one: at the time when it happened they didn't really know who to call, because Saudi Arabia did not have a computer emergency response team, and they did not have these types of relationships with various companies and governments, because they absolutely did not expect to be attacked. They thought, hey, we don't have any commercials, we've only got a few gasoline stations, only inside Saudi Arabia, who on earth would attack us? Well, there's money and there's politics, so you're now a target. Yay. So those were the major lessons learned from the entire event.

Yes, I see you: one, two, three. Blue shirt first.

[Audience question, partly inaudible:] You mentioned a lot of European nations...

Well, like I said, his question was basically which countries don't particularly have this as part of their strategy, and some of the discussions that I have and some of the things that I've been pushing, if I got that correct. Well, I've been pushing for a more proactive computer emergency response system all across the European Union for a few years now, and also trying to push the seriousness of this matter. I'll actually be at a NATO event on the 9th of May discussing this more with them. Another point that I've been trying to make for a few years now with EU and NATO members is that one of the ways we can meet our defense spend requirements is through cyber security education. Tanks and guns are one thing, but we're moving now into a domain where that is just not applicable, and we could not only meet our demands but raise the technological education of the country for the longer term by doing so. Those are the major things that I've been concentrating on. Did I answer it enough? Okay, next question.

[Audience question:] In events like the NATO games, do you see that people understand those lessons learned, and why do the policy makers still...?

Actually, they are learning and paying attention quite a bit. I think that's due in part to one of my partners in crime, Stefan Soesanto, who is also a digital fellow of various things and a nuclear weapons expert at the same time. So we like to be rather direct with ministers, and luckily they actually listen to us, and listen to me; I have no idea why, but they do. So we're bringing them along, but then they have to get other people within their countries to actually listen, and that's the harder part. I'm not scalable. All right, next question.

So the question was which legal body I think should define what cyber warfare is in and of itself. Well, I would say that one good agency would most likely be the United Nations; it would at least start to set the tone. Now, they did try to do negotiations with various countries about this, but we got some bad news in December of 2017 that one country, which shall remain nameless, at the last minute dropped out of the negotiations and ended it all, which was a shame, because it had been worked on for almost two years at the UN. Questions? There's got to be more.

[Audience question:] What can we do as individuals to help the state of security in our nation without getting into politics?

Well, some of the things that you can do is, if you see something, say something to the appropriate agency, using encryption. [Laughter] And because they can't do everything, there are also some states that don't actually have a computer emergency response team. I got into a bit of a flame war with the now former Alaskan CISO, because myself and another researcher tried to report a rather major vulnerability on some of their oil and gas infrastructure, and instead the CISO then blocked myself and the other security researcher on Twitter and LinkedIn, and also blocked our domains from sending email. So that's a bit of a problem, so we had to go to another method; we even got one of the co-founders of US Army Cyber Command involved to try to get Alaska to actually listen. So if you see something like that and you are not very successful, try to then push it over to the Department of Homeland Security and they'll help. So there are certain things you can do: always use encryption, always encrypt, good encryption and not a demo certificate, please. Okay, don't do that.

[Audience question, partly inaudible:] So in this scenario they were starting an attack with a [inaudible] telecommunication system; given that, isn't that self-defeating from the [inaudible] perspective?

Well, when we say telecommunications, there are various types of telecommunications. In these scenarios they were hitting some of the internet-based, VoIP-based, which is basically what most of our telephone communications are nowadays; we don't have a lot of analog left, not really, it's mostly digital. So they were trying to take out that particular infrastructure, and then at the same time they were hammering away at some of the mobile networks as well. But there's always a way; there are other ways that you can keep different types of telecommunications up to keep launching your attacks as well from inside the country, even if it's closed off, through the use of bots and other systems, and perhaps nation-state patriotic hackers that happen to be inside that country as well. Oh, the question was: wouldn't it be self-defeating if you attacked the telecommunications of a country, basically ending the ability to perform additional attacks? Yes.

[Audience question:] A few years ago I was speaking with an area command person for Davis-Monthan Air Force Base outside of Tucson, Arizona. When they go through joint operations with the city of Tucson, the state of Arizona and the Air Force in order to prepare for emergency evacuation and all that, one of the main issues they were having with the key actors in the demos was that they were getting away from having people in the field who had ever worked as skilled labor; they had never done the hands-on things in the field, they had not grown up on farms or in construction or anything like that, and that was causing a problem even with the Corps of Engineers, or being able to put infrastructure in place in any of these scenarios. When you went through this with other countries, has something similar presented itself?

So if I can summarize the question: some of the people that are sent out for exercises and for these scenarios have run into difficulty because they don't have certain hands-on experience, not just with the technology but, we'll say, non-tech technology. Yes. So the BlackEnergy attacks that hit Ukraine: Ukraine has never been an extremely wealthy country; however, they were able to go to manual operation within 13 hours, which was very good for them. Contrary to that, there was an event which didn't really hit the news, but through a friend, in the particular country of Israel, there was a variant that hit an Israeli power company. This particular power company was very, very modern, and they could not switch to manual operation until about 48 hours later. So in a way it's kind of good to have old tech versus new tech; sometimes it's not. And we've seen: how do you go back to manual, how do you try to keep your operations up and running while you're trying to fix everything else and get the digital sphere going? So yes, we did; we used that as well. So, another question?

[Audience question, partly inaudible:] And what do you think about the international norms of use and behavior...?

When do I think that there'll be some sort of consensus? It's going to take a while to have any sort of consensus unless there is a country like the United States, which is the leader in making that consensus. It's one of the things that was discussed in a workshop; I was just in Colorado Springs at the Joint Services Academy Cyber Security Summit and we were discussing these particular matters. It was a Chatham House rules workshop, so I can't tell you who I was speaking with, but I do want to stress that the United States is the perfect nation to actually lead that effort, and many of the rest of the nations and our allies will most likely follow suit. I've seen from the Aramco attacks... the Bronze Age civilization collapse, I know you probably don't remember it, it was a while back, but it was the first known major collapse of mass civilization and domino effect, and we could see the same thing if a country like, or excuse me, a company like GE is actually attacked. So it could be very problematic, and that's why we need to come up with some consensus. Europe is fantastic, but the leadership is fragmented; the United States leadership is not as fragmented. So I've got only a few more minutes left. Do I have one more question there?

[Audience question, partly inaudible:] I just want to know which country you think is educating [inaudible] security.

So which country do I think is taking the best steps to educate its youth right now? I would say Estonia, because they have to. They are very digitized: they have digital IDs, they vote with the digital ID, residency is digital, accessing their records is digital. They've got a very strong technology education system because they have to; they've already seen what it's like to be under constant attack. Time for one more question.

[Audience question:] What's been your best tool or tactic with the nations or organizations that you're working with, in terms of cybersecurity?

So what is my best tactic for getting bigwigs to listen to me, right? Using direct examples. I can pull up so many different direct examples that they cannot deny, so it's not just something from an airplane or airport novel, it's actually reality. So by using actual examples, and using their terminology, because they don't know what a packet capture is, so you have to explain it with nice pictures that are not packet captures. So I think I have time for one more. There you go.

[Audience question, partly inaudible:] How do I...?

All right, so the question was: I'm talking to people who can direct change; how do I know who to talk to? Well, I've got friends in various think tanks and also governments that make sure that I'm talking to the right people, because otherwise it's just a waste of time. That's how I do it, and it works very well. It works very well. Yes. All right, so I think we're actually out of time. Thank you very much everybody for having me all the way from Amsterdam.