Sunday, June 30

Welcome to Shutter Island or: How I Learned to Stop Worrying and Love Cyberwar

Dr. Strangelove to Russian Ambassador de Sadesky: "Of course the whole point of a Doomsday Machine is lost if you keep it a secret. Why didn't you tell the world, eh?"

Ambassador de Sadesky: "It was to be announced at the Party Congress on Monday. As you know, the Premier loves surprises."

-- Dialogue from Stanley Kubrick's 1964 film "Dr Strangelove or How I Learned to Stop Worrying and Love the Bomb"

********************

The commander of the world's military hyperpower might have planned to inform the American public at some point that he'd ordered a secret military strike, in conjunction with Israel's military, on an Iranian uranium enrichment plant. But the way things worked out, Americans and indeed the entire world public had to come by the information the hard way. This happened after the Stuxnet virus wandered off the reservation and began attacking the computers of major American corporations.

As further indication that President Obama and his spin doctors might be candidates for Shutter Island, the American public was told that the use of computer technology to launch a physical attack on a nuclear facility was to slow down the development of a nuclear WMD. In other words, it was necessary to secretly set in motion cyber war in order to stop Iran from bringing on doomsday.

And here we thought the lunatics in Dr Strangelove were caricatures.

Maybe they were only the stuff of nightmares in 1964 but now the caricatures are real. The biggest problem with cyber war is that once it gets started between nations it is a matter of when, not if, it will destroy civilization -- cyber war being distinct from cyber spying and cyber crime.

NSA Snooping Was Only the Beginning. Meet the Spy Chief Leading Us Into Cyberwar

The Secret War

INFILTRATION. SABOTAGE. MAYHEM. FOR YEARS, FOUR-STAR GENERAL KEITH ALEXANDER HAS BEEN BUILDING A SECRET ARMY CAPABLE OF LAUNCHING DEVASTATING CYBERATTACKS. NOW IT’S READY TO UNLEASH HELL.

By James Bamford
June 12, 2013
Wired Magazine

[emphasis in the following excerpts is mine]

[...]

Never before has anyone in America’s intelligence sphere come close to [General Keith Alexander's] degree of power, the number of people under his command, the expanse of his rule, the length of his reign, or the depth of his secrecy. A four-star Army general, his authority extends across three domains: He is director of the world’s largest intelligence service, the National Security Agency; chief of the Central Security Service; and commander of the US Cyber Command. As such, he has his own secret military, presiding over the Navy’s 10th Fleet, the 24th Air Force, and the Second Army.

[...]

Alexander runs the nation’s cyberwar efforts, an empire he has built over the past eight years by insisting that the US’s inherent vulnerability to digital attacks requires him to amass more and more authority over the data zipping around the globe. In his telling, the threat is so mind-bogglingly huge that the nation has little option but to eventually put the entire civilian Internet under his protection, requiring tweets and emails to pass through his filters, and putting the kill switch under the government’s forefinger.

“What we see is an increasing level of activity on the networks,” he said at a recent security conference in Canada. “I am concerned that this is going to break a threshold where the private sector can no longer handle it and the government is going to have to step in.”

In its tightly controlled public relations, the NSA has focused attention on the threat of cyberattack against the US—the vulnerability of critical infrastructure like power plants and water systems, the susceptibility of the military’s command and control structure, the dependence of the economy on the Internet’s smooth functioning. Defense against these threats was the paramount mission trumpeted by NSA brass at congressional hearings and hashed over at security conferences.

But there is a flip side to this equation that is rarely mentioned: The military has for years been developing offensive capabilities, giving it the power not just to defend the US but to assail its foes. Using so-called cyber-kinetic attacks, Alexander and his forces now have the capability to physically destroy an adversary’s equipment and infrastructure, and potentially even to kill. Alexander—who declined to be interviewed for this article—has concluded that such cyberweapons are as crucial to 21st-century warfare as nuclear arms were in the 20th.

And he and his cyberwarriors have already launched their first attack. The cyberweapon that came to be known as Stuxnet was created and built by the NSA in partnership with the CIA and Israeli intelligence in the mid-2000s. The first known piece of malware designed to destroy physical equipment, Stuxnet was aimed at Iran’s nuclear facility in Natanz. By surreptitiously taking control of an industrial control link known as a Scada (Supervisory Control and Data Acquisition) system, the sophisticated worm was able to damage about a thousand centrifuges used to enrich nuclear material.

The success of this sabotage came to light only in June 2010, when the malware spread to outside computers. It was spotted by independent security researchers, who identified telltale signs that the worm was the work of thousands of hours of professional development. Despite headlines around the globe, officials in Washington have never openly acknowledged that the US was behind the attack. It wasn’t until 2012 that anonymous sources within the Obama administration took credit for it in interviews with The New York Times.

But Stuxnet is only the beginning. Alexander’s agency has recruited thousands of computer experts, hackers, and engineering PhDs to expand US offensive capabilities in the digital realm. The Pentagon has requested $4.7 billion for “cyberspace operations,” even as the budget of the CIA and other intelligence agencies could fall by $4.4 billion. It is pouring millions into cyberdefense contractors. And more attacks may be planned.

[...]

Now 61, Alexander has said he plans to retire in 2014; when he does step down he will leave behind an enduring legacy—a position of far-reaching authority and potentially Strangelovian powers at a time when the distinction between cyberwarfare and conventional warfare is beginning to blur. A recent Pentagon report made that point in dramatic terms. It recommended possible deterrents to a cyberattack on the US. Among the options: launching nuclear weapons.

[MORE]

Now if that's not enough clarity about the extreme danger posed by the U.S. "unleashing hell," here are a few quotes from a November 12, 2012 report at Information Week:

Cyber Weapon Friendly Fire: Chevron Stuxnet Fallout
by Mathew J. Schwartz

Malware's jump from Iranian uranium enrichment facility to energy giant highlights the downside to custom-made espionage malware -- its capability to infect friends as well as foes.

[...]

The pioneering Stuxnet computer virus, which was designed to attack a single Iranian uranium enrichment facility, went on to infect PCs around the world. Security experts have identified thousands of resulting Stuxnet infections. On Monday, multinational energy giant Chevron became the first U.S. company to admit that it, too, was infected by Stuxnet. Chevron found that some of its systems had been infected by Stuxnet soon after security firms discovered the virus in July 2010.

"I don't think the U.S. government even realized how far it had spread," Mark Koelmel, general manager of the earth sciences department at Chevron, told The Wall Street Journal. "I think the downside of what they did is going to be far worse than what they actually accomplished," he said.

What remains worrying about Stuxnet is the ease with which the custom malware was able to surreptitiously alter the behavior of programmable logic controllers (PLCs) used in industrial control systems. As the Chevron infection highlights, PLCs aren't just used in uranium refineries, but for a broad range of applications -- spanning oil and gas enrichment, manufacturing plant floors and even prisons. Furthermore, businesses might replace their industrial control systems only every 10 or 20 years. In the interim, what could safeguard PLC environments against future attacks of the Stuxnet variety, especially if launched by foreign adversaries?

"There are no automated defense systems that can protect power systems and other critical infrastructure resources against these advanced attacks," said Alan Paller, director of research at the SANS Institute, in a SANS newsletter. "The only defense -- admittedly imperfect -- is radically improved technical skills."

[END REPORT]

.

No comments:

Post a Comment