In October, Mirai malware used default login credentials to compromise thousands of routers, digital video recorders, Internet cameras, and other Internet-connected devices. Mirai then created a botnet with the hacked hardware and targeted Dyn, a key provider of domain name services. The result wreaked havoc across the Internet, taking down several prominent websites and disrupting services for millions of users. Put another way, Mirai was a digital assassin who fired a sniper’s bullet at an essential Internet node. Speculation on the hack’s origin and purpose ranged from Russian cyber teams conducting pre-election disruption tests to Wikileaks supporters protesting against Ecuadorian authorities.
Notably, Mirai did not affect any Department of Defense (DoD) assigned Internet protocol (IP) addresses. Even more intriguing, this avoidance was by design. An analysis of the botnet’s source code shows the writer excluded DoD IP ranges. The analysis goes on to describe the likely author as “a skilled, yet not particularly experienced, coder who might be a bit over his head.” This assessment might be valid, but I find the humor short-lived.
This is because for anyone with even mild aptitude with the C programming language, amending Mirai’s now publicly available code to target DoD interests is trivial. Editing the code to yield more destructive results, such as deleting essential files, would require only slightly more effort. An altered program aimed at DoD would be troublesome, primarily because DoD does not possess the resources to combat the growing field of ideologues who need little more than the ability to write code in order to begin firing digital bullets at the US government.
Cyberattacks against the DoD are not new. The difference with Mirai and similar malware is the enemy might commandeer DoD’s own resources for an attack. If DoD has not done so already, it should immediately implement the recommendations put forth by computer security expert Brian Krebs to prevent DoD assets from participating in a future attack. Specifically, DoD should direct network administrators to canvass their Internet-connected devices and ensure that no device continues to operate using its default login and password. Similarly, the DoD must obtain and install the latest device firmware and close unnecessary Internet ports. And while there is no panacea for the growing risks posed by the Internet of Things (IoT), applying these relatively quick fixes will help prevent the next wave of attacks.
In 2013, the US Air Force published a social media guide, ostensibly to help airmen navigate the labyrinthine social media landscape without leaking sensitive but unclassified information, such as their location or deployment details, to adversaries.
Disappointingly, the DoD has not issued similar guidance with respect to the IoT, an area arguably of much greater concern given human life and technology are on a collision course in areas I refer to as cyber life zones. Future attackers may use the IoT not only to disrupt, as they did with Mirai, but also to cause harm, perhaps through an attack aimed at a DoD command center or against systems controlling global positioning satellites.
Thus the next tactical step should be an “IoT guide,” made available to the more than one million employees of the DoD. Armed with basic knowledge, DoD personnel could shield hardware both at work and in their homes—potentially millions of devices—from Mirai-like attacks. Even more importantly, properly configured devices, patched to fix known vulnerabilities, would also help mitigate the risk from ransomware and other more sinister exploits. At an even higher level, DoD would benefit from an overarching IoT strategy, something I am actively working to develop.
Mirai’s creator did not craft this botnet to strike systems essential to global combat operations. In that sense, DoD is fortunate. At the same time, Mirai’s code should lead us to take notice of existing risks and be forewarned. After all, the difference between “living” and “dying” is three keystrokes.
Lt. Col. Ian Fairchild is the US Air Force senior fellow at the Atlantic Council’s Brent Scowcroft Center on International Security. The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of the Air Force, the Department of Defense, or the US government. You can follow him on Twitter @ianmfairchild.