US Defence Secretary Ashton Cater has it right: "In cyber I worry about what we don't know."
In even the most technologically advanced countries there are almost certainly a large number of attacks taking place against different networks, systems and devices – and we have no idea they are happening.
With one of the world's leading cybersecurity companies – Kaspersky Lab – hacked to monitor and steal its latest technology, nobody is safe. If a world-class security company cannot keep its networks clean, it would seem an almost impossible mission for any other organisations to do so.
Duqu was a sophisticated piece of malware discovered in 2011 having been used in a number of intelligence-gathering attacks against a range of industrial targets. It had a number of similarities to the infamous Stuxnet worm, leading many to believe it was developed by the US and Israel.
Duqu 2.0 is an evolution of the original malware and is believed to have been created by the same group of attackers by Symantec. It is once again being used to hit very specific targets, including the P5+1 nuclear talks and the events marking the 70th anniversary event of the liberation of Auschwitz-Birkenau.
The highly stealthy malware would have gone completely undetected while gathering a lot of highly sensitive information before uploading that data remotely to command-and-control servers.
The inconvenient truth
Kaspersky says the highly complex Duqu 2 malware platform used to attack it was "a generation ahead" of anything they had seen previously.
Developing and operating such a professional malware campaign is expensive and requires resources and abilities beyond everyday cybercriminals or hacktivists. The Duqu attacks are clearly the work of a nation-state.
But analysing the technical sophistication of these cyberespionage tools will not show us the bigger picture. We must be able to rise above Duqu and Duqu 2.0 gossip and look at the wider strategic development. The inconvenient truth is that governments are spending a massive amount of resources to develop different cyber-capabilities, including spying tools for the digital domain. The only thing we really know is that nobody knows what is going on.
Accusations are getting harsher as the latest high-profile penetrations of US government networks have been blamed on Russian and Chinese hackers. Information, which is today almost entirely in digital format, is the most valuable asset for both governments and companies – and losing sensitive political, economic or military information can cause serious disadvantages.
Losing the fight
At the same time it is natural that espionage is active where that information resides – in the digital domain. Securing sensitive information is very challenging yet vital, and there are simply not enough people with the defensive skills we need to meet these highly complex advanced persistent threats (APTs) on equal terms.
Mikko Hypponen, chief research officer at F-Secure, has said that it is highly likely there are many other cyberespionage attacks under way that we have not detected yet. I estimate that cyberespionage is much deeper and more sophisticated than we actually realise in today's world, and we have to keep that fact in our minds.
Governments and private companies are both getting more frustrated defending their networks against skilled, mysterious and powerful APTs, and they know they are probably losing this fight. Cybersecurity companies are doing their best to prevent these attacks but the future does not look encouraging.
It is therefore fair for nation-states to question if we understand where this development will lead us.
Offensive responses evolving
After the news of Duqu 2.0 there will be a lot of talk about strengthening abilities to detect attacks, advancing cryptography and building higher walls around systems. But to build defence against APTs that are government-funded, well-organised and using the latest technology is very hard. Since getting hacked is always embarrassing for companies and governments, they are forced to rethink their defensive approach.
The answer is offence and these offensive responses are evolving. The idea of governments and companies striking back at their attackers is referred to as active defence. If active defence goes outside of its own networks, particularly if it targets a foreign network to retaliate, it becomes a matter of international law. Active defence tactics include hacking back into systems to retrieve data, shutting down systems, sabotaging data and infecting the attacker with malware.
There is also the challenge of attribution; anyone who has followed the event of the Sony Pictures hack will know how hard it is to know who is attacking you. If you hack back, you might retaliate against the wrong target. More importantly, hacking back does nothing to bring us closer to the desired goal of a well-ordered cyberspace governed by rules of behaviour that are enforced by appropriate authorities.
Cybersecurity expert Dan Geer says that when necessary, companies, individuals and governments should strike back against cyberattacks with counter-attacks.
Understandable, but I disagree. The temptation to hack back is strong but creates an escalation ladder we do not want to be on. This development means that the digital domain is getting much more dangerous place for every one of us and will accelerate the digital arms race even more. It has already been suggested that a state-sponsored cyberattack, including cyberespionage, is an act of war that could justify a military response. We are not far away from seeing that.
Jarno Limnéll is a professor of cybersecurity at Aalto University in Finland