The spectre of cyberspace weaponisation


BY PETER WANYONYI

Watching TV will never quite feel the same again. On March 7th, the activist website WikiLeaks released a massive tranche of secret documents from a source ostensibly deep within America’s Central Intelligence Agency (CIA). The documents detailed a wide variety of techniques and tools that CIA spooks use to spy on people around the world. Among them: hacking into Smart TVs, turning network routers into spy tools, remotely turning mobile phone cameras and microphones on and off, collecting all manner of data surreptitiously and vanishing while leaving no trace.

One document detailed how the CIA can hack into vehicle control systems in “Smart Cars” and pretty much make the car do anything they want it to – they could make the car crash and kill its occupants, for example. Privacy advocates were left shocked and some nearly in tears – which would have been appropriate: one of the tools used is called “Weeping Angel”.

More leaks were promised by WikiLeaks. In America, this came at a politically very sensitive time: President Donald Trump is at war with his own intelligence agencies, and accuses them of tapping his communications when he was running for president. The intelligence agencies came out defending themselves and denying spying on anyone without due authorisation and probable cause – but then WikiLeaks, ever the masters of timing, unleashed their stolen documents and the intelligence agencies, egg on face, quietly retreated back into the spyholes to plot damage control and then revenge.

The CIA story is not a new one, however. It has been known for quite some time that Western countries’ intelligence agencies have the tools and means to spy on pretty much any electronic communication on earth. What was not known is the extent to which they go to hoover up just about every little byte of electronic data transmitted anywhere in the world. The leaks came as a massive blow to the US intelligence community, which was still trying to recover from the Edward Snowden exposé: Snowden, a former contractor with US intelligence agencies, hightailed it to Russian exile after exposing yet another set of highly sensitive documents that detailed the spying antics of the National Security Agency, which is (yet) another American spook outfit. With all this spying in cyberspace going on, the question is – should you be worried?

The answer is, yes. The days when cyberspace was a relatively nerdy but harmless realm whose most nefarious threat was a virus or a worm are long gone. Today, companies across the world employ the best hackers to break into rivals’ and governments’ information systems and extract information about rival products and services, financial information, and secrets that should not be out in the open. Even scarier, criminal entities like terrorists and similar non-state actors have the capability to wreak cyber-havoc on selected targets for whatever reasons. Kenya, for example, depends on just one power transmission organisation, the Kenya Power (KP) company. Imagine the havoc if a group of hackers broke into KP systems and took them hostage, shutting down power across the country and demanding ransom to restore control to KP.

Developing countries put lots of effort and resources into physical security. Kenya Power facilities, for example, are generally well-secured and guarded. The same applies to air traffic control facilities in the country – say, at the Jomo Kenyatta International Airport (JKIA). It would be very difficult for an attacker to penetrate JKIA or the Kenya Civil Aviation Authority in order to cause chaos in Kenya’s skies. But why bother attempting physical access when these organisations have systems exposed to the internet and generally secured quite poorly? And these are just two hypothetical examples!

The West is even more vulnerable. Its very high development has come with an inbuilt Achilles’ Heel: it is dependent on very tight supply chains underpinned by information systems that operate almost autonomously, managing the transmission of power, flow of water to homes, operation of the internet, the scheduling and management of mass transportation networks in cities, the supply of goods and services to shopping centres and supermarkets, and the management of airports and hospitals and even buildings and security installations. America’s nuclear missiles are managed online, as are her GPS guidance system – which is used by the whole world – and her vast network of drones, both armed and unarmed, as well as the assets of the US Navy, the most formidable fighting force in the history of humankind.

What would happen if control of any of these fell into the hands of terrorists? The prospect is almost too horrendous to imagine. It is of no comfort to note that America itself, as well – no doubt – as other Western countries, has been creating tools to make it easy to hack into all these systems – and these tools have now leaked and are available to everyone else out here.

The weaponisation of cyberspace is real. Cyber-weapons exist that will deny any corporate their normal systems access, and which can be used to blackmail or even completely take down a corporate entity. And there are very few countermeasures against them – in the same way that no country can have countermeasures against, say, a ballistic nuclear missile launched by one of the superpowers. It is just something we have to live with today: the possibility that a cyber-attack is just around the corner.