This woman can hack prisons... and that’s a good thing

She can, in theory, open the doors in any prison in the US from her computer. Thankfully, Tiffany Rad is a “white hat”, an expert who uses the tools of the hacking trade to find cyber-security weaknesses before the bad guys do

In the state of Virginia, possessing lock-picking tools is a criminal offence. Why else, Virginian law asks, would you have lock-picking tools if you don’t intend to pick a lock? And why would you pick a lock if you don’t have criminal intent?

For many in the hacking community, this train of thought falls short of rationality. Tiffany Rad, a practising lawyer who is also a “white hat” hacker and penetration tester, tells me that her father taught her to pick locks as a child, and that she will be teaching her own children the same skill. “It teaches problem-solving,” she says, “but also understanding how something works, how it can be broken and what would make this lock harder to pick.”

Helpfully, she has a lock to hand. “In this example we’re doing, it would be more pins within the lock, picking the pins at different angles, using different tools that would make it harder.”

She points out that, in the UK, an organisation called Toool teaches people how to pick locks – “and then many go on to become locksmiths”.

White hat hackers could perhaps be considered the locksmiths of the cybersecurity world. They search for weaknesses and vulnerabilities within a company’s systems and bring them to the attention of the organisation, for the good of its security. “Hacking” may be a term that gets a bad press, but the key difference between “good” and “bad” hacking, Rad argues, is intent. White hats intend to do good, helping companies to improve their security by looking at it from the perspective of a potential “black hat” hacker. Just as a locksmith may carry lock-picking equipment with no harmful intent, a white hat may use their hacking capabilities to make gateways stronger. Ability doesn’t equate to criminality.

In 2013, the Turner Guilford Knight Correctional Center in Miami, Florida experienced a potentially catastrophic security breach when the cell doors in the maximum security wing of the prison simultaneously opened, allowing prisoners to leave their cells unguarded. Although the incident was never proven to have been the work of a third party, or black hats, concerns were raised that it might have been an attack orchestrated from the outside. Video footage seemed to suggest that one of the inmates had anticipated the opening of the doors, proceeding to carry out an attack on another inmate. In the years since, the spectre of a hack on a maximum security prison has overshadowed discussions about the future of cyber security.

The Miami prison episode inspired Tiffany, and her father, the security consultant and engineer John Strauchs, to see if it was possible to hack an industrial control system in such a way, and to shed some light on whether what had happened at the prison could have been the work of sinister forces.

“I had the idea for this project initially because I was studying the mechanics of the Stuxnet worm,” Rad explains. Stuxnet was a computer worm that collected information and compromised the centrifuges in the Iranian nuclear programme, causing them to self-destruct. Although speculation remains about who was actually behind it, there is little doubt about the severity of the hacking: a fifth of the centrifuges were destroyed and huge damage was caused to Iran’s nuclear programme.

Stuxnet specifically targeted the programmable logic controllers (PLCs) within the system. PLCs are commonly used in prisons and other industrial facilities such as power plants. “The programmable controller acts as a simple junction,” says Rad. “One wire can go back to the control centre instead of having tons of copper wire going through these facilities. So that type of controller is used in a lot of places.”

She continues: “We wrote an exploit [the software] in just two weeks. We had purchased a programmable logic controller on eBay. The fact that we were able to create a project like this in two weeks [made it] evident to us that the bad guys already know how to do this – and they have a lot more funding and time than we have.”

The discovery was vital security information, because although the system was known to be hackable, the fact that it had been so easily infiltrated by outsiders raised considerable concern.

“I think there had been other people talking about industrial control-system vulnerabilities before,” says Rad. “This wasn’t a surprise. What was a surprise is that we could do it in two weeks and hire equipment off eBay, and if we didn’t want to pay for the appropriate legal licence it would have cost $500 plus the cost of an export writer.

“Where do we hear that these facilities are not connected to the internet but there would be a huge national security risk if something actually happened? We found so many places. It wasn’t just correctional facilities – it was public transit, heating and air conditioning. In the middle of summer when it’s very hot, you can do significant destruction to the computer if you turn up the heat and turn down the AC.”

Despite the benefits gained from their expertise, attitudes towards white hats are still somewhat hostile. The Wassenaar Arrangement, a multilateral agreement intended to strengthen international security, has disadvantages for the cyber-security industry, Rad argues. Amended in 2013, it now includes the control of intrusion software, which she says makes the job of white hats harder: “When you’re hired as a penetration tester, you need to have a good set of tools. And when there is legislation that affects your ability to collect these tools, create them, buy them, sell them, trade them with other people that do this kind of work, that’s not good.”

Some organisations are more grateful to white hats than others, Rad says. “As an attorney I get calls frequently from those doing security research that want to tell the company about their vulnerability. They want to disclose it to them but they’re afraid they’re going to turn around and get sued.

“So, I help facilitate that information trade-off while protecting that person’s identity. As an attorney, I get a special privilege where I don’t have to tell anyone who my client is. I can just say, ‘You need to know this information. I’m protecting them. They are a client of mine. I’m going to give you the information, but please let’s not turn it around.’ Most of them [her clients] are white-hat security researchers who have stumbled on something and want them to fix it.”

The situation for these people is improving, she adds. “I’m glad to say that it’s changed over the years. When I first started ten years ago it used to be very confrontational. I’d call [and say], ‘I’d like to speak to a security engineer.’ Sometimes that didn’t exist – I’d be put through to IT, and IT is not the same. Then they would say, ‘We’re going to have you talk to our attorneys.’ It’s not a good way [to respond] because the researcher gets very nervous and the other side makes you tell them who did this, and it’s just not right.

“It’s a trade-off, and nowadays you need to welcome this type of information. You want to hear it from someone who is a white hat before you read it in the paper that someone else with malicious intent just took all your data and put it in the bin.”

Indeed, it is in the company’s best interests to respond with gratitude to any security breach by a white hat, as Rad makes clear: “Because if I know about it, chances are a lot of people do too.” These people may not necessarily be the locksmiths.

It’s not just companies and industries that need the help of white-hat hackers. White hats can also identify threats to their country’s national security. In 2015, a man claimed that he had hacked into the entertainment system while on a United Airlines passenger jet, and had subsequently turned the aircraft on its side by putting its computer system into “climb mode”.

“If what he did was true, that’s pretty irresponsible,” Rad says. “But if he was able to do this, then the aviation service has some vulnerabilities.”

Whether someone could hack a plane is undoubtedly a question for national security. “It’s hard to say, because the newer ones have different networks but, saying that, the older ones will be up in the air for a while.”

Ultimately, Rad argues, the key to preventing attacks is not speculating about whether they could happen, but using penetration testing and offensive testing to actively simulate security breaches. If we are to do that, we need to listen to and encourage the white hats. “I want to believe that the aviation industry looks at things from a hacker’s perspective.”

She adds: “I’m also a dual [US-Latvian] citizen. Latvia and the Baltic States are very nervous about Russia’s capabilities – it’s the future, I think. Every government is going to need to have these [cyber-security] capabilities and if you make it illegal for your citizens to create or design these, you are going to be stifling your own defence.”

The Pentagon this year launched its first “bug bounty” programme, in which it challenged the white-hat hacker community to penetrate its systems to try to find vulnerabilities within them. It received 138 legitimate reports of vulnerabilities, which were then patched.

If the Pentagon has come to understand the benefits of white hats, why do we continue to legislate against them? It comes back to the Wassenaar Arrangement, Rad says. “I don’t think it was intended to be written that way, but that was the consequence of that.”

However, she remains optimistic: “There are some people I know who cannot work for the military or US federal government. They don’t want to but they’re very good at writing these exploits. They just don’t want 9-5 jobs. The way that they work and their personality is not the same as everyone else in the army or the navy. But the [armed services] would like these people to share some of the information they have with them.”

In fact, the Pentagon has in recent years recruited software writers, she says. “They need people with these skills, and you don’t have to wear a suit every day.”

Overall, as with many things, the key lies in education and greater public awareness, so that hacking is more widely seen as a beneficial tool.

Rad concludes: “Hopefully the next generation will be telling employers: ‘We need to design this with security in mind because here’s an example of when this didn’t go right. Let’s not do this again.’ ”

Will Dunn is the New Statesman's Special Projects Editor.

China’s strategy to become the world’s strongest cyber power

Nigel Inkster, former operations and intelligence director of MI6, analyses China’s efforts to impose order on its vast online community.

When just over two years ago I began researching a book on China’s cyber power, mainstream western media were full of stories about China’s alleged programme of state-sponsored cyber industrial espionage directed against US and other western corporations. Following an agreement between Presidents Xi Jinping and Barack Obama in December 2015 that “neither the US nor the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage”, that story dropped out of the headlines. But the importance of China as a cyber power has not diminished, and understanding China’s capabilities and objectives in the cyber domain has become a key element in understanding its global strategic objectives. It is also an important prism through which to understand China’s long struggle to achieve modernisation whilst retaining its cultural and political self-esteem.

China came out of the Cultural Revolution in a state of economic and technological backwardness that demanded urgent attention. Its new leadership was seized of the important role modern ICT would play. Although the internet did not become accessible to ordinary Chinese citizens until 1996, the subsequent take-up has been dramatic. China has over 700 million “netizens”, the majority of whom access online services through smartphones. In 2015, the total value of online sales was $581bn, making China the world’s largest digital marketplace. The Chinese government has ambitious plans to switch from an export-dominated economic model to one based on domestic consumption, and to move up the value chain to break free of a middle-income trap. A key enabler will be an Internet Plus strategy that aims to integrate the real-world and digital economies.

In pursuing this, China’s government had to confront two vulnerabilities. The first is the potential of the internet to serve as a vector for subversive influences that challenge the Communist Party’s legitimacy. The second is a high level of dependence on western – largely US – technologies and software, seen as a security threat. From the outset China’s authorities sought to control online content through a combination of firewalls to filter externally generated content, regulation of service providers and censorship; the latter has become ever more technologically enabled but still relies on large numbers of censors and pro-government activists who promote and defend official views on social media sites such as Weibo.

The result has been a cat-and-mouse game in which China’s netizens have sought to bypass censorship by relying on the infinite capacity of the Chinese language to generate homonyms for terms which are banned, giving rise to a rich lexicography of online dissidence. But it is a game the authorities are winning thanks to technology dominance and the huge manpower resources devoted to an issue seen by the leadership as existential. This is not to say that the Chinese internet is characterised by an atmosphere of sterile ideological conformity; in many respects it is more vibrant and anarchic than its western equivalent and has been used to good effect by its citizenry to hold officialdom to account. But first under Hu Jintao and ever more under Xi Jinping, a climate of greater political and cultural conformity has led to popular bloggers – so-called Big Vs – being shut down. And China is unapologetic about asserting an approach to the internet based on the concept of cyber sovereignty, in effect its right to determine what its citizenry can access.

Meanwhile, China is pursuing a policy of indigenous innovation to reduce dependence on western technologies. Dependence on western ICT is such that when in 2014 Microsoft announced that it would cease supporting Windows XP, it subsequently had to make an exception for China, such was the country’s reliance on that system. That dependence will take time to erode. But there is a growing number of indigenous Chinese software companies, Chinese smartphones and other devices are increasingly competitive with western equivalents, and Chinese entrepreneurs have shown considerable ingenuity in developing and marketing a range of online services. As the Chinese state seeks to impose greater order on what to date has been an anarchic and insecure Chinese cyber environment, new laws have imposed greater demands on western companies, such as the provision of source code. China is seeking to leapfrog the west in key areas of ICT including artificial intelligence (AI), quantum encryption and quantum computing. And the Chinese government is facilitating the purchase by Chinese companies of western technology start-ups. In 2014, $22bn had been spent on such deals, which have significant medium-term implications for the competitiveness of advanced industrial economies including the UK, France and Germany.

The global outlook of China’s leadership is dominated by the so-called Century of Humiliation covering the period from the mid-19th century up to the founding of the People’s Republic in 1949 during which China was virtually colonised by the west. The determination not to repeat this experience has translated into a transformation of China’s defence posture from a land-based, low-tech, mass-mobilisation force to one that is increasingly based on a capacity for naval force projection with a view to securing China’s supply lines and protecting its growing range of overseas interests. Digitisation is seen as critical for China’s efforts to develop armed forces on a par with its only real comparator, the United States. This is exemplified by an ambitious reorganisation at the end of 2015 which led to the creation of a new Strategic Support Force that combines signals intelligence, electronic warfare and information warfare capabilities within a single organisation that also has responsibilities for space-based activities. After a long period of coyness PLA officers now talk openly of China developing offensive cyber capabilities albeit at a “moderate rate” and in response to the activities of states such as the US.

This posture also translates into a more assertive foreign policy, no longer merely concerned, as until recently, with ensuring peace and stability to permit economic development. China probably does not aspire to replace the US as, in their words, “global hegemony”. But it does wish to move from a global governance system dominated by the US and its allies to a world that is multi-polar and which respects different political and cultural systems, and to transition to a “new security concept” which, while broadly respectful of international institutions like the United Nations, also subordinates customary international law to the interests of major powers. Here too the cyber domain plays a major role, with China championing its vision of a global cyber governance and security order in which the USA is no longer predominant. This vision enjoys some support in the developing world, not least due to the activities of national champions such as Huawei and ZTE, who are building and operating core backbone IT infrastructure systems in countries that would otherwise remain on the wrong side of the digital divide.

To revert to cyber espionage, it is now clear that US threats of financial sanctions against Chinese companies deemed to have benefited from the theft of US intellectual property (IP) persuaded China’s leaders that this particular game was no longer worth the candle. The “noisy”, repetitive exploits that characterised so many cyber-attacks emanating from China are now much less in evidence. But cyber capabilities have become a major enabler of Chinese statecraft and are, inter alia, reducing the space within which overseas-based opponents of the regime can operate. For better or worse, China is transitioning from being a large cyber power to a strong cyber power and can be expected to play an increasingly prominent role in this space.

The west will have to get used to living in a world in which it no longer enjoys the unquestioned technology dominance to which it has long been accustomed.