The Blockchain Revolution
Page 19
“So, every week, we will tell him something different,” Dirk said. “I’m sure there are lots of ways we can spend the bank’s money if we set our minds to it.”
Taylor frowned. “But wait a minute, Dirk –”
“Ah!” Dirk smiled. “But he did not mention giving us any more budget to spend, did he? Perhaps that little item slipped his mind.”
“Look,” Lola interrupted, “let’s cut to the chase. What we’ve got here is a marketing problem, not a technical one. We all agree we’re covering every base we can already, right? Great. So, all we have to do is what Nukem asked us to: convince him and convince the customers and Wall Street we’re on top of things. Nukem’s not a technical guy. He doesn’t have a clue what you guys do to maintain security. So, every week why don’t we just bore him to death with some aspect of what we’re doing now. It doesn’t have to be anything new.”
Heads nodded. “Yeah, we could do that,” Taylor said.
“It sounds like a plan to me,” said Dirk, standing up. “In which case, you will have to excuse me now. It seems I have some previously unscheduled busy work to do before this time next week.”
* * *
Crypto played the NASLA video over and over, enjoying the spokesperson’s costume and performance.
Yes, the sudden appearance of NASLA was a welcome surprise. Not only was Crypto supportive of the mysterious group’s mission, but he was sure the NASLA attacks would help camouflage his own actions. True, law enforcement agencies around the world were now monitoring blockchains and scrambling to their defense. But the limited supply of skilled cyber investigators was stretched dreadfully thin: every few days now there was a new attack to investigate, and so many blockchains seemed equally at risk. How much time could the defenders spend on each one?
Surely the FBI and others would assume BankCoin must be the best designed and defended blockchain in existence. That BankCoin had not been NASLA’s first target would reinforce that conclusion. He could not have planned things better if he was the leader of NASLA itself.
* * *
“So, what’s the deal?” Doogie said, not waiting for Colonel Dix to call the task force meeting to order. “Why the extra get-together all of a sudden? And are we getting paid for this?”
“We’re meeting,” Dix said, “because the president has issued an executive order directing appropriate federal agencies to divert all available resources to the pursuit of NASLA. I’m sure you’re aware of the attacks the group has launched. It’s knocked four different industries flat so far, and there’s no telling how many more are in its sights.”
“No kidding,” Doogie said. “It took me forever to get an Uber out here and cost me an extra ten bucks when I did. So, what about our pay?”
“I don’t have the details on that yet. It may take a while to sort that through. But I’m sure you appreciate how great the threat NASLA poses to the national interest.”
“I only appreciate what I’m going to be paid!” Doogie said, looking around for applause for his little joke. He didn’t find any.
“All right, everyone,” Dix continued. “Thank you for meeting today on such short notice. As you just heard, the scope of our engagement has been expanded. Specifically, we are now additionally tasked with reviewing all NASLA attack data as it becomes available. The object of our analysis is to identify elements common to each of those attacks with the goal of hardening potential future targets. This effort will be in addition to our existing work, which will continue as before.
“With that by way of introduction, let’s turn to the briefing books you were handed as you arrived for today’s meeting …”
Frank wondered what he would find inside the thick binder he was now leafing through. Was he about to experience an Oh My God moment, realizing that BankCoin shared a common vulnerability with one of the blockchains NASLA had already hacked? If so, it would be an excruciatingly long and fidgety meeting before he could flee back to the bank and start developing a patch.
Chapter 24
Abracadabra
“Okay,” President Yazzi said. “Enough on that one. What’s next?” The National Security Council meeting was halfway through its agenda.
“That would be Jim Wakeman, Mr. President,” Carson Bekin said, referring to the national security adviser, “With this week’s summary of Russian actions.”
“Right. Jim, what do you have for us?”
“More of the same, I’m afraid, Mr. President. Broadly speaking, they can be summarized as working aggressively to undermine NATO and the European Union and to further destabilize the Near East with the aim of keeping oil prices high. Here are the details.
“First, the Russians have added another category of disinformation to their campaign to undermine popular support for NATO throughout Europe. Now they’re planting fake news on social media claiming NATO troops, usually Americans, are engaging in violent behavior in host countries, such as assault and rape. We’ve had tens of thousands of troops stationed in Europe since the end of World War II, so, unfortunately, such acts have occasionally happened in the past. That inclines some people to take the fake stories at face value. The Russians are pushing similar propaganda in Ukraine to discourage it from considering closer ties with, or joining, NATO.
“The Kremlin is also stepping up its funding of reactionary, populist candidates everywhere in Europe. Covertly, of course. They’ve been particularly generous to those advocating more autocratic, anti-democratic governments and those calling for countries to leave the European Union. Most recently, we’re getting reports Russian agents are attempting to revive and arm formerly violent movements, like the Basque separatists.
“In the Near East, the Russians are using a combination of approaches to further inflame relations between the local governments and the Kurds in Turkey, Iraq and Syria. For example, they’re spreading fake accounts of atrocities by both sides. Again, though false, it’s hard to squelch such stories, because there is a history of real crimes. Lots of people would like to believe what they’re being told, whether it’s true or not.
“In summary, for the last six months we’ve seen a consistent increase in Russian interference throughout Europe and the Near East.”
“Hugh,” Yazzi said, turning to the secretary of state. “Is there anything new on the diplomatic front? Any back-channel indications of a change in Russia’s intentions?”
“Nothing, Mr. President. It appears the Russian government is largely focused on maintaining voter support through next year’s presidential and State Duma elections. The worse the Russian economy gets, the more President Denikin relies on rallying public sentiment against NATO in general and the United States in particular. And the harder we push him, the harder he pushes back.”
“How about after the elections? Are you getting any indications he might discuss a thaw after that?” Yazzi asked.
“None, Mr. President,” said Calhoun. “And frankly, I’m not surprised. The hotter the Kremlin rhetoric gets, the less possible it becomes for Denikin to do an about-face.”
Yazzi turned to the secretary of energy. “Howard, how about the oil companies? Are they still solid?”
Blaine frowned, “Not as solid as we’d like. The NASLA attack on the petroleum supply chain has been a nightmare for them, and it took longer than we expected to get the new drilling leases through Congress. Then there’s all the law suits. Environmental groups are trying to block drilling in over sixty percent of the new tracts we auctioned. Finally, you can imagine how they feel watching Russia selling oil for more than twice as much as they’re allowed to. So, all in all, the oil producers aren’t what you could call happy.”
“Well, what did they expect?” Yazzi said. “Anyway, what’s the bottom line?”
“I’d say we can get them to hold out for another three months, but that’s it.”
“Okay, the last question’s
for you, Terry. What’s happening with the Russ?”
“Mixed, Mr. President,” the director of the CIA replied. “Its value dropped as expected when we added it to the embargo list. We and our major trading partners have been pretty successful squelching speculation in it. But the Russian government is still propping it up, so the amount of trade in violation of the trade restrictions has continued to increase.”
“So, there we are,” Yazzi said, glaring around the table. “We’re stuck in the same rut we’ve been in for months now – stay the course and keep the pressure on until they crack. Except the Russ trade keeps extending Russia’s resources while we’re facing a three-month deadline.”
“That’s the most obvious conclusion, Mr. President,” Calhoun said, “which is why I believe we should consider privately signaling the Russians we’d like to work out a way to avoid further escalation on both sides,” Calhoun said.
“Meaning what?” Yazzi said.
“We’ve been engaging in an internal exercise at State where we have a ‘pro’ and a ‘con’ team – something we do fairly often to help develop and evaluate policies. Essentially, we hold a debate as another means of testing policy alternatives to see which one stands up best.
“In this case, the ‘con’ team has made some good points recently. The first is that the harder we push the Russians, the more difficult it becomes for us to predict the result. That’s for several reasons, including the possibility that factions and pressures within the Kremlin may shift, leading to decisions we didn’t expect. And if there’s an internal shake-up, our assumptions could go out the window entirely.
“Another point is that we don’t want to end up with no choice but to take down the Russ. Granted, we have a task force designing just such an attack in case we decide there’s no other way to bring Denikin to the negotiating table. But if we do go that route, we’ll have legitimized a form of cyber aggression we’re more vulnerable to than the Russians are. Or the Chinese, or, really, any of our enemies. To date, no one’s taken down a financial system. Once we do that, the genie will be out of the bottle. Even the fact our attack can’t be conclusively traced back to us will complicate our defense in the future, because it will prove how successful such a ploy can be.”
“So, what would you suggest?” Yazzi asked.
“That we send a message to the Russian foreign minister stating we would be open to discussing a package deal in exchange for lifting all economic sanctions. Those discussions might be directed at signing a treaty addressing a variety of topics: barring social media interference, extradition of cyber criminals, adopting mutual policies of no first use of online weapons, and so on. Privately, it would also require them to stop baiting and undermining NATO.”
“What do you expect the response would be?”
“There’s the hard part,” Calhoun responded. “At this point, we don’t know how such an offer would be received.”
“Mr. President, if I may?” The NSA director interrupted.
“Yes, Jim?”
Wakeman chose his words carefully. “While I applaud Secretary Calhoun’s objective, I must go on record as advising that sending such a signal would be seen as a sign of weakness. We’re already teetering on the edge of failure in our efforts to bring Russia around using economic pressure. The Russians must know the oil companies aren’t going to cooperate much longer. Giving any indication we may be ready to break would incentivize Denikin to hold out until the last possible minute on the assumption he can outlast us. Then you’d have to choose between launching the Russ attack or backing off.”
“Hugh?” Yazzi asked. “What’s your response to that?”
“Well, Mr. President,” Calhoun said, “there’s nothing magic about today. We can wait and watch on a week-by-week basis and see what happens. But we can’t dither for too long. This is one of those strategies you have to initiate early or not at all, because putting out a diplomatic feeler has its own time line. If you look hurried, you lose leverage. Once you’ve raised the topic, you’ve got to wait for the other side to respond at its own speed, and that can take time.”
“How much time would you need?” Yazzi asked.
“Generally, I’d say three to six weeks. But if we think the oil companies are weakening, we can’t wait too long if we want to give this a try.”
Yazzi frowned. So, now there was a third option, albeit briefly. But that was no reason to act in haste.
“All right,” he said at last. “Thank you all for this input. I’ll take both viewpoints under advisement. What’s next on the agenda?”
* * *
It was very late, and the light of a single window broke the dark silhouette of the cavernous headquarters of the Federal Security Service. Suspended between the blackness outside and the darkness of the hallways inside sat Aleksandr Shukov, hunched over his drab, metal, government-issue desk. The sole furnishing in the brightly-lit office was a small picture that sat on that desk. It showed Shukov’s three-year-old son, laughing and holding a stuffed animal.
Shukov did not appreciate being assigned a one-month deadline to pull a cyber rabbit out of a hat, particularly since he wasn’t convinced the hat contained any rabbits at all, given how secure the blockchain was supposed to be. Like Frank, he saw only two potential ways to take down a financial system based on a blockchain. And, like his counterpart across the globe, he had ended up in more or less the same place.
The first approach he had considered was to design an attack that could compromise the entire BankCoin network. That would mean penetrating the defenses of hundreds of different computer systems, each with its own unique security controls. Then he’d need to plant malware capable of compromising each of those systems.
Designing such software might be possible. But gaining access to every single system would be a different matter. It would take thousands of staff to find at least one vulnerability in each of those systems, and, in any given week, the hosts of some of those systems would discover and patch their vulnerabilities. If he failed to compromise even one bank, then the entire attack would fail, since every other bank could reboot its systems from the surviving one.
And then there was the second approach: find a flaw in the part of the BankCoin software that created the blocks. Again, before someone in the network spotted that vulnerability and patched it first.
So, in reality there was only one way: his people must find a needle in the BankCoin software haystack and then exploit it to compromise the entire BankCoin system.
If he could do all that, and he had no reason to assume he could, it would turn the security advantage of the blockchain upside down: instead of needing to hack every bank, he could penetrate just one system – the one that hosted the master copy used for updating the system. That would be an elegant solution to a difficult problem. Perhaps it might even be possible.
Very well. So, what more could he ask his team to do to devise such an attack? His top programmers were already deep in their review of the BankCoin software, conveniently available as open source code at GitHub. Others on his staff were monitoring the sites on the Dark Web where exploits were sold, ready to place the highest bid for anything interesting that might pop up.
He had also assigned field agents to join the BankCoin open source project itself, and they were working their way up the meritocracy ladder at the BankCoin Foundation. At some point one of those coders might rise to a position where he could plant malware on the authoritative version of BankCoin. But that would take months, and Shukov was not sure it would be possible to disguise malware to the point where it would not be recognized as such by other developers. This was, after all, a development process that allowed everyone to see everything, and bragged that “many eyes make all bugs” visible.
Finally, and perhaps most discouragingly, there was the risk that any flaw his team discovered or bought would be discovered and patched before it could
be exploited. Most of the banks must have experts assigned to look for such weaknesses. So even if some day Shukov could report to the Joint Cyber Strike Council that the FSS was ready to strike, he would be unable to guarantee how long that capability might last.
It was all very challenging and depressing.
Chapter 25
Stop That!
Frank was having one of the professional insecurity attacks that from time to time snuck out of nowhere to bite him. He frowned as he watched the familiar monuments come into and out of view as the commercial jet climbed, circling over the nation’s capital before heading off to New York. Everything looked the same as it always did – of course. Just as everything did for him every day at work. He’d been pulling down his huge salary at First Manhattan for months now, and except for finding a few flaws, what had he really accomplished? Not much. Not that anyone seemed to care, so long as he continued to let Lola trot him around like the rental pony at a grade school birthday party.
He scowled at the clouds and drummed his fingers on the arm rest. What should he be doing that he hadn’t done yet? NASLA had everyone on edge, and for all he knew, his time to head off a huge disaster might be running out. Between the massive alt coin attack months before and NASLA’s all-out war now, he’d had plenty of wake-up calls. The next assault might be Iran making off with a trillion dollars in BankCoin.
So, what would an enemy nation do, besides put its best people on the project?
Then he had a disturbing thought. He’d never asked Hank Taylor whether someone at the bank was monitoring the Dark Web sites where zero-day exploits were sold! The National Security Agency and its equivalents around the world scanned those sites daily. That might explain why there hadn’t been a successful criminal attack yet – government buyers could have been buying all the vulnerabilities anyone had found so far. But what if the winning bidder was an enemy government?
He opened his laptop. Darn! The Wi-Fi on the plane wasn’t working, and they had just taken off. Calm down. There was no way Taylor wouldn’t have covered that base a year ago. And anyway, another hour wouldn’t make a bit of difference.