Why Cyberwarfare Should Be Banned

Remember the Stuxnet computer virus that allegedly knocked an Iranian uranium enrichment facility offline a couple of years ago? Apparently, its reach went a lot farther than the enrichment facility:

Stuxnet, the sophisticated computer virus that attacked a nuclear enrichment facility in Iran two years ago, also inadvertently infected Chevron’s network.

Reportedly created by the U.S. and Israel, the highly destructive worm was designed to infect Iran’s Natanz nuclear facility. Rather than steal data, Stuxnet left a back door meant to be accessed remotely to allow outsiders to stealthily knock the facility offline and at least temporarily cripple Iran’s nuclear program.

The oil giant discovered the malware in July 2010 after the virus escaped from its intended target, Mark Koelmel, Chevron’s general manager of the earth sciences department, told The Wall Street Journal.

“I don’t think the U.S. government even realized how far it had spread,” he said. “I think the downside of what they did is going to be far worse than what they actually accomplished.”

We should get behind an international accord to ban cyberwarfare that has some teeth behind it and insist that we, our allies, clients, and trading partners sign it and abide by it. The reason is simple. Weapons like the Stuxnet virus are more like chemical or bacteriological weapons than they are like guns, warplanes, or aircraft carriers. Once they’ve been released, the deployer has little control over where they go and what they infect. We just have too much to lose.

But there’s another reason, too. States have enormous resources. Over the last 30 years, malware in various forms has gone from being an occasional nuisance to a deadly threat that costs the world economy hundreds of billions of dollars in prevention tools, maintenance and administration, downtime, bandwidth costs, storage costs, data loss, etc. That’s what’s been accomplished by individuals working, basically, in their basements.

When a computer virus is released into “the wild”, it becomes visible to anyone who comes across it who has the knowledge and ability to investigate it. It can be reverse engineered, replicated, and even enhanced. Putting the enormous resources of states behind the development of such things, releasing them into the wild, and making the results of all of that R&D available to the hacker world is beyond irresponsible. It’s dangerous. And, as I said before, we just have too much to lose.

7 comments
  • TastyBits

    Until the next major hot war, this will be an ongoing cold war primarily between the US, China, and Russia. What is not done by the primaries will be outsourced. I agree with the WMD analogy, but I think it is well past “the point of no return”.

    Eastern Europe was a pioneer of state-sponsored malware creation, and organized crime has been using technology for some time. I think the Russian mobsters were the pioneers, but US mobsters are in the game. I think the Chinese were mostly after manufacturing and military technology.

    I have thought that malware defense is one area for extensive US gov’t funded R&D. The gov’t could provide the virus definitions, and private companies would provide the software. The GPS system would be a model. In addition, hardening techniques could be open-sourced.

    One thing that boggles my mind is that gov’t networks are connected to the internet.

  • I don’t think there is a “jinn out of the bottle” thing with offensive cyberwarfare weapons. I think there’s capital investment, R&D. The sooner you stop funding it, the better off you are. It’s a kind of asymmetric warfare. We’ll never have a competitive advantage but we can reduce the cost of entry for others.

    I have thought that malware defense is one area for extensive US gov’t funded R&D.

    On this we’re in full agreement. I think the main reasons we’re not seeing much, much more government involvement in the cyberdefense area are that Congress doesn’t understand the problems and there are companies who see cybersecurity as potential earnings.

    IMO that’s a losing proposition. One idiot with a laptop can break security costing millions.

  • Andy

    Dave,

    The problem I see with your proposal is a practical one – such a ban is unenforceable.

    Tasty,

    One thing that boggles my mind is that gov’t networks are connected to the internet.

    Short of stringing millions of miles of fiber optic cable, the government doesn’t have much choice. And government employees often need the internet.

  • TastyBits

    @Andy

    For point to point, a VPN would provide security. I am not sure if all the capacity from the 90’s build-out is being used, but I would advocate laying more fiber instead of other gov’t spending schemes. They could lay substantially more fiber, and the excess could be leased.

    If the employees need access to the public internet, there should be a separate network, and access should be provided through locked down terminals. In the old days, you left your desk, walked to the document library, and copied what you needed. Security is a major pain in the a$$, but it is the only way to be safe.

    The problem with plants (manufacturing, power, etc.) is that the equipment and sensors use TCP/IP to communicate, and this equipment piggybacks on the computer network. This is how somebody in China can manipulate an oil pressure sensor, allowing the pump motor to burn up.

  • The problem I see with your proposal is a practical one – such a ban is unenforceable.

    So are bans on chemical and bacteriological weapons. We have them anyway.

    Similar to other law, such bans have a number of purposes. They serve as a warning. They may deter someone from deploying such weapons. They are a statement of intent.

    And, if as I believe we shouldn’t be using them anyway, we might as well get an international agreement banning their use into place.

  • Andy

    If the employees need access to the public internet, there should be a separate network, and access should be provided through locked down terminals.

    The government does have separate networks but they are encrypted and classified. The encrypted data, however, still can travel over public communication lines. There’s not really any way to avoid it and the solution the government settled on long ago is encryption.

    Also, it doesn’t make much sense to have one unclassified government-only network and one that can access the internet. And there are VPNs – I’m able, for instance, to access my work email from my home computer with a common access card and some software.

    So are bans on chemical and bacteriological weapons.

    There are some big differences between “cyber” weapons and chem/bio weapons. For instance, biological and chemical weapons programs require specialized infrastructure, equipment and precursor materials, which can all be tracked. Weaponization for military use requires specialized delivery vehicles that can also be tracked and detected. These features provide the opportunity for verification in a nonproliferation scheme. Verification is just about impossible when it comes to cyber weapons, which do not require special equipment, storage facilities or a delivery vehicle to use. Cyber weapons can be developed practically anywhere on the planet.

    This leads to another problem – attribution. It’s pretty easy to figure out where the Scud with the Sarin warhead came from, it’s much more difficult to figure out where a virus or Cyber attack came from. Plausible deniability is a lot easier with cyber weapons.

    I think you’re right that a ban might be useful as a statement of intent, but the inability to enforce the ban and verify compliance severely limits the utility of an attempt to ban them.

  • For instance, Biological and chemical weapons programs require specialized infrastructure, equipment and precursor materials, which can all be tracked.

    50 years ago, maybe. Nowadays biological weapons production in particular can be done in a closet.
