Operation Shady RAT May Be The First Big Battle In Knowledge-Economy Warfare

“Operation Shady RAT” has been identified as a drawn-out and economically significant cyber-attack against national, commercial, and even NGO entities. But unlike an attack meant to immediately cripple governments or financial markets, Shady RAT was intended to ferret out trade secrets and high-level national intelligence with long-term value.


One of the scenarios I evoke frequently when speaking with clients about computer security is called “Frontier Friction.” At the beginning of the story, a coordinated terror attack takes out the servers of a large banking institution. The attackers also take out its backup systems. A coordinated cyber-terror attack further disrupts the financial systems. In essence, all forms of non-physical finances become impossible to track and all transaction systems come to a halt overnight. No recovery plan exists for such an attack. The developed world reverts into the third world within weeks.

The recent revelation of “Operation Shady RAT,” a massive hacking operation that targeted both private industry and the U.S. government and was revealed by cyber-security firm McAfee, represents a version of this scenario, one with an interesting twist (see Revealed: Operation Shady RAT). It appears, unlike the Frontier Friction scenario, that “Shady RAT” has been a knowledge economy attack, not an industrial age attack.

Let me explain the difference. In Frontier Friction, the target was the transaction system, along with the records of transactions and records of holdings. Using industrial age imagery, the financial markets ground to a halt. When the production systems were compromised, the system collapsed.

“Operation Shady RAT” appears to be taking a different tack, one that is not about the compromise of the production system, but a symbiotic siphoning off of its outcomes. “Shady RAT” was after intellectual property. It needed the systems of creation and validation to continue to work in order to create new value. “Shady RAT” was not intended to cripple its targets in any noticeable way. Whoever was behind the attack wanted trade secrets and high-level national intelligence.

I have found that knowledge economy work differs from industrial work in two key ways. First, knowledge economy work decouples value realization from production. Second, knowledge economy work requires processes outside of its production process to assign value. “Shady RAT” fits both of these criteria. The act of inserting the malicious code is separate from the value obtained–and that value has been obtained months and years after the code was active. In the Frontier Friction case, the code and the weapons were used to simultaneously disrupt a system; thus their value was realized immediately upon use.

In “Shady RAT,” the value of the skimmed assets could not be determined at the time they were transferred. Only after examination, and perhaps coordination with other activities (such as sharing such information with the appropriate bidding team), did the pilfered content obtain value.


“Has the United States already suffered its cyberwar Pearl Harbor?” writer Steve J. Vaughan-Nichols asked in an article on ZDNET. I think Vaughan-Nichols is relying on industrial age metaphors. Pearl Harbor, like the fictional events in my Frontier Friction scenario, was meant to be immediately impactful–to disrupt supply lines, render equipment unusable, and kill enemy soldiers. Whoever perpetrated “Operation Shady RAT” was not after the immediate destruction of anything. They were after the slow compromise of governments and industries through indirect use of the information obtained. Knowledge work unfolds more slowly than production work, and it occurs in fits and starts. “Operation Shady RAT” also appears to have taken this into account, as a lack of continuous patterns made it hard to detect. The very nature of its espionage profile didn’t look like what the targets were looking for, thus it took seemingly Herculean (and may I add, diligent and lucky) work from McAfee to discover the infiltration. And it needs to be noted that no other cyber-security firm seems to have discovered the attack, though I’m sure not all the targets were exclusively McAfee accounts.

What this means is that our uncertainties about the future need to be receptive to new metaphors. If the only thing you are looking for is an attack on a physical factory, then you probably won’t see the exchange of money in the parking lot that compromises access codes to its computers. I was involved in the implementation and design of a firewall and data transfer system for a major corporation. After six months of operation, I asked what the attacks looked like at the firewall. I was told something like: “Sure, we’ve had a few low level attacks. But why spend time trying to knock down the front door when all the back doors are so much more easily compromised?”

For knowledge-economy warfare the uncertainties are very different. We aren’t looking for enemies with tanks and bombs, not even enemies with IEDs. We aren’t looking for places, but streams of data, perhaps individual files periodically and unobtrusively sent over public networks. The uncertainties are no longer about what target will be hit and how, but when the information stolen will be invoked, and how it will be invoked. Will the information be used to subtly erode trust? Will it be used to capture market share? Will it be used to out-innovate? Yes. Yes. And Yes. And in many more ways. In order to sense patterns we need to look in very different places, and against very different temporal landscapes.

“The systemic effect of draining trust from networks eventually has an impact that may be larger than the collapse of the financial system,” says Robert Salkowitz, author of Young World Rising and fellow Fast Company blogger. “If this type of attack causes companies and governments to retreat from collaboration, transparency, and technology like the Cloud because of security concerns, we will not only feel the slow drain of knowledge, but also suffer a loss of information-age productivity multipliers. The net economic loss will reduce quality of life, diminish innovation and cost large sums of money to combat.”

The twin attributes of production-decoupled value realization and external determinants of value make compromises to the world’s intellectual relationships very hard to detect. That means that we have to look for much bigger, more complex patterns that will likely be reflected in the actions of people using the information to inform their actions. The next stage of knowledge-economy warfare will result in a software buildup that produces major models capable of linking suspected information to the behavior of actors. That’s a tall order. Good thing people are already working on those models for consumer behavior pattern detection. As with all warfare, commercial ideas will be used to protect the State. I just hope whoever perpetrated “Operation Shady RAT” hasn’t already figured out a way to spoof those patterns. They have, after all, seemingly had a good head start. At least in knowledge-economy warfare, unlike traditional warfare, staying smart, alert, innovative, and adaptive will keep you employed and in the fight, no matter who is involved on the battlefield.





About the author

Daniel W. Rasmus, the author of Listening to the Future, is a strategist who helps clients put their future in context