more on cyberwar and cyberespionage

It seems like state-sponsored hacking is hitting Iran again with the discovery of the Flame malware, which appears to be screen scraping and key-logging infected machines, predominantly in Iran. The logical culprit is Israel, but nothing has been confirmed, and any allegations about Israel coming from Iran should be taken with more than a grain of salt.

Interestingly, Iran is being fairly open about the compromise and its potential effects. They eventually did the same with Stuxnet. I’m a bit curious as to what they have to gain from this, especially for a country that is not renowned for its honesty on the international stage.

Iran’s Computer Emergency Response Team Coordination Center warned that the virus was dangerous. An expert at the organization said in a telephone interview that it was potentially more harmful than the 2010 Stuxnet virus, which destroyed several centrifuges used for Iran’s nuclear enrichment program. In contrast to Stuxnet, the newly identified virus is designed not to do damage but to collect information secretly from a wide variety of sources.

In and of itself, this isn’t very interesting, and I suspect that this kind of thing is happening nearly constantly between most major nations in the world, but it caught my attention because of a recent CACM article, “Why Computer Scientists Should Care About Cyber Conflict and U.S. National Security Policy.”

It does a pretty good job of laying out the rational issues in cyberwar and whether it is something we should be paying attention to. It points out that so far most of what might be misconstrued as cyberwar is actually cyber-espionage, which in and of itself is not generally considered an act of war, cyber or otherwise.

Most of what is discussed in the popular media as “cyber attacks” is really espionage of various kinds. What is “lost” is information: technical documents, political memos, credit card numbers, Social Security numbers, money in bank accounts, business plans, and so on. As most computer scientists know, these are breaches of confidentiality—the legitimate owner still has the information, but someone else has it as well, someone who should not have it and who might be able to use it against the legitimate owner.

These acts are undeniably unfriendly—but do they amount to “acts of war”? Espionage is not traditionally regarded as a violation of international law—primarily because all nations do it. They do violate domestic law, which is why such acts are (properly) regarded as criminal acts—appropriate for investigation and prosecution by law-enforcement authorities.

However, with Stuxnet as a proof of concept, we can envision a cyber attack that costs lives and could reasonably be considered an act of war.

A number of examples of actual cyber attacks—actions taken to destroy, disrupt, or degrade computers—are known publicly. It is alleged that in 1984, the U.S. modified software that was subsequently obtained by the Soviet Union in its efforts to obtain U.S. technology. Ostensibly designed to operate oil and gas pipelines, the Soviets used this software to operate a natural gas pipeline in Siberia. After a period in which all appeared normal, the software allegedly caused the machinery it controlled to operate outside its safety margins, at which point a large explosion occurred [6]. And, in 2010, the Stuxnet worm disrupted industrial control systems in the Iranian infrastructure for enriching uranium, apparently destroying centrifuges by ordering them to operate at unsafe speeds [3].

Actions like these could in fact be acts of war. What does that mean, though, and how should a nation, the U.S. in particular, respond? That turns out to be complex, and the article raises a number of issues. The central one is attribution: cyber attacks are notoriously difficult to attribute to a specific actor, especially with the confidence, and within the time frame, that a retaliation would require.

The authors conclude with a set of questions that computer scientists in the U.S. should think about, and possibly offer advice on, when it comes to cyber attacks and our policy for responding to them.

  • Attack assessment. Knowing that a nation or even a particular facility is under serious cyber attack is highly problematic given the background noise of ongoing cyber attacks occurring all the time. What information would have to be collected, from what sources should that information be collected, and how should it be integrated to make such a determination?
  • Geolocation of computers. Given that computers are physical objects, every computer is in some physical location. Knowledge of that location may be important in assessing the political impact of any given cyber attack.
  • Techniques for limiting the scope of a cyber attack. Associated with any bomb is a lethal radius outside of which a given type of target is likely to be unharmed—knowledge of a bomb’s lethal radius helps military planners minimize collateral damage. What, if any, is the cyber analog of “lethal radius” for cyber weapons?
  • How could a penetration of an adversary’s computer system be conducted so that the adversary knows the penetration is an exploitation rather than an attack?
  • Given a continuing and noisy background of criminal and hacker cyber attacks, how would two nations that agreed to a “cyber cease-fire” know the other side was abiding by the terms of the agreement?
  • How might catalytic cyber conflict between two nations be avoided? (Catalytic conflict refers to conflict between two parties initiated by a third party, perhaps by impersonating one of the two parties.)
  • How can small conflicts in cyberspace between political/military adversaries be kept from growing into larger ones?

These are all good questions. They range from very ambitious goals, where it would take real thought just to break off tractable pieces to work on, to narrower problems that researchers could start on today.
