Archive for the 'Cyberwar' Category

Cowardice, Hollywood style

[link] Friday, December 19th, 2014

George Clooney nails it in an interview with Deadline.

DEADLINE: How could this have happened, that terrorists achieved their aim of cancelling a major studio film? We watched it unfold, but how many people realized that Sony legitimately was under attack?

GEORGE CLOONEY: A good portion of the press abdicated its real duty. They played the fiddle while Rome burned. There was a real story going on. With just a little bit of work, you could have found out that it wasn’t just probably North Korea; it was North Korea. The Guardians of Peace is a phrase that Nixon used when he visited China. When asked why he was helping South Korea, he said it was because we are the Guardians of Peace. Here, we’re talking about an actual country deciding what content we’re going to have. This affects not just movies, this affects every part of business that we have. That’s the truth. What happens if a newsroom decides to go with a story, and a country or an individual or corporation decides they don’t like it? Forget the hacking part of it. You have someone threaten to blow up buildings, and all of a sudden everybody has to bow down. Sony didn’t pull the movie because they were scared; they pulled the movie because all the theaters said they were not going to run it. And they said they were not going to run it because they talked to their lawyers and those lawyers said if somebody dies in one of these, then you’re going to be responsible.

So does the hacking of Sony signify a new era in cyberwarfare?

[link] Thursday, December 18th, 2014

Some people think that it does:

Most cyberattacks to date—by China, Russia, Iran, Syria, North Korea, Israel, the United States, and a dozen or so other nations, as well as scads of gangsters and simple mischief-makers—have been mounted in order to steal money, patents, credit card numbers, or national-security secrets. Whoever hacked Sony (probably a North Korean agency or contractor) did so to put pressure on free speech—in effect, to alter American popular culture and suppress constitutional rights.

Matt Devost, president and CEO of FusionX LLC, one of the leading computer-security firms dotting the Washington suburbs, told me in an email this morning, “This is the dawn of a new age. No longer do you have to worry just about the theft of money or intellectual property, but also about attacks that are designed to be as destructive as possible—and to influence your behavior.”

Bob Gourley, co-founder and partner of Cognito, another such firm, agrees. “I have tracked cyber threats since December 1998 and have never seen anything like this. It might have roots in the early Web-defacements for propaganda”—usually by anti-war or animal-rights groups—“but they were child’s play, done really for bragging rights. A new line has been crossed here.”

And the attack has had effects. Sony has canceled the film’s scheduled release due to terrorist threats against theaters (even though no evidence links the source of the threats to the source of the hacking). While a Seth Rogen comedy is an unlikely cause for a protest of principle, a case can be made that Sony’s submission to political pressure—especially pressure from a foreign source, especially if that source is Kim Jong-un—should be protested.

Well, it might be seen as an attack on American popular culture, I suppose.

Apparently some (off-the-record-natch) US sources think that Kim Jong Un and his chaps are responsible. In which case it’s an instance of cyberwarfare, not just an anti-corporate stunt.

And, as @dangillmor asks, “Are these the same US govt people who determined that Iraq had weapons of mass destruction?”

Kim Zetter has a good, sceptical piece in Wired.

What it all adds up to is that the big difference between “cyberwar” and the kinetic version is that it’s very hard to be sure who has just attacked you.

And, as usual, Dave Winer has an original take on it:

Back in 2000 when Napster was raging, I kept writing blog posts asking this basic question. Isn’t there some way the music industry can make billions of dollars off the new excitement in music?

Turns out there was. Ask all the streaming music services that have been born since the huge war that the music industry had with the Internet. Was it necessary? Would they have done better if they had embraced the inevitable change instead of trying to hold it back? The answer is always, yes, it seems.

Well, now it seems Sony is doing it again, on behalf of the movie industry. Going to war with the Internet. Only now in 2014, the Internet is no longer a novel plaything, it’s the underpinning of our civilization, and that includes the entertainment industry. But all they see is the evil side of the net. They don’t get the idea that all their customers are now on the net. Yeah there might be a few holdouts here and there, but not many.

What if instead of going to war, they tried to work with the good that’s on the Internet? It has shown over and over it responds. People basically want a way to feel good about themselves. To do good. To make the world better. To not feel powerless. It’s perverted perhaps to think that Hollywood which is so averse to change, could try to use this goodwill to make money, but I think they could, if they appealed to our imaginations instead of fear.

So what will it take to wake people up?

[link] Thursday, December 11th, 2014

At dinner last night I had a long talk with one of my Masters students who is as baffled as I am about why people seem to be so complacent about online surveillance. This morning a colleague sent me a link to this TEDx talk by Mikko Hypponen, a well known Finnish security expert. It’s a terrific lecture, but one part of it stood out especially for me in the context of last night’s conversation. It concerned an experiment Hypponen and his colleagues ran in London, where they set up a free wi-fi hot-spot that anyone could use after they had clicked to accept the terms & conditions under which the service was offered. One of the terms was this:

[Image: First_born_child_EULA]

Every user — every user! — clicked ‘Accept’.

Why ‘cybersecurity’ is such a flawed term

[link] Monday, December 8th, 2014

In a sentence: it lumps three very different things — crime, espionage and warfare — under a single heading. And, as I tried to point out in yesterday’s Observer column, instead of making cyberspace more secure many of the activities classified as ‘cyber security’ make it less so.

Bruce Schneier has a thoughtful essay on the subject.

Last week we learned about a striking piece of malware called Regin that has been infecting computer networks worldwide since 2008. It’s more sophisticated than any known criminal malware, and everyone believes a government is behind it. No country has taken credit for Regin, but there’s substantial evidence that it was built and operated by the United States.

This isn’t the first government malware discovered. GhostNet is believed to be Chinese. Red October and Turla are believed to be Russian. The Mask is probably Spanish. Stuxnet and Flame are probably from the U.S. All these were discovered in the past five years, and named by researchers who inferred their creators from clues such as who the malware targeted.

I dislike the “cyberwar” metaphor for espionage and hacking, but there is a war of sorts going on in cyberspace. Countries are using these weapons against each other. This affects all of us not just because we might be citizens of one of these countries, but because we are all potentially collateral damage. Most of the varieties of malware listed above have been used against nongovernment targets, such as national infrastructure, corporations, and NGOs. Sometimes these attacks are accidental, but often they are deliberate.

For their defense, civilian networks must rely on commercial security products and services. We largely rely on antivirus products from companies such as Symantec, Kaspersky, and F-Secure. These products continuously scan our computers, looking for malware, deleting it, and alerting us as they find it. We expect these companies to act in our interests, and never deliberately fail to protect us from a known threat.

This is why the recent disclosure of Regin is so disquieting. The first public announcement of Regin was from Symantec, on November 23. The company said that its researchers had been studying it for about a year, and announced its existence because they knew of another source that was going to announce it. That source was a news site, the Intercept, which described Regin and its U.S. connections the following day. Both Kaspersky and F-Secure soon published their own findings. Both stated that they had been tracking Regin for years. All three of the antivirus companies were able to find samples of it in their files since 2008 or 2009.

Yep. Remember that the ostensible mission of these companies is to make cyberspace more secure. By keeping quiet about the Regin threat they did exactly the opposite. So, as Schneier concludes,

Right now, antivirus companies are probably sitting on incomplete stories about a dozen more varieties of government-grade malware. But they shouldn’t. We want, and need, our antivirus companies to tell us everything they can about these threats as soon as they know them, and not wait until the release of a political story makes it impossible for them to remain silent.

Bletchley Park and the erosion of the freedoms it was set up to defend

[link] Sunday, June 22nd, 2014

This morning’s Observer column.

It’s terrific that Bletchley Park has not only been rescued from the decay into which the site had fallen, but brilliantly restored, thanks to funding from the National Lottery (£5m), Google (which donated £500,000) and the internet security firm McAfee. I’ve been to the Park many times and for years going there was a melancholy experience, as one saw the depredations of time and weather inexorably outpacing the valiant efforts of the squads of volunteers who were trying to keep the place going.

Even at its lowest ebb, Bletchley had a magical aura. One felt something akin to what Abraham Lincoln tried to express when he visited Gettysburg: that something awe-inspiring had transpired here and that it should never be forgotten. The code-breaking that Bletchley Park achieved was an astonishing demonstration of the power of collective intelligence and determination in a quest to defeat the gravest threat that this country had ever faced.

When I was last there, the restoration was almost complete, and I was given a tour on non-disclosure terms, so I had seen what the duchess saw on Wednesday. The most striking bit is the restoration of Hut 6 exactly as it was, complete with all the accoutrements of the tweedy, pipe-smoking geniuses who worked in it, right down to the ancient typewriters, bound notebooks and the Yard-O-Led mechanical pencil that one of them possessed.

Hut 6 is significant because that was where Gordon Welchman worked…


Flame, Stuxnet and cyberwar

[link] Thursday, June 21st, 2012

From Good Morning Silicon Valley, citing the Washington Post.

There have been persistent whispers that the United States and Israel collaborated on the Stuxnet worm, which hit the computer systems of a nuclear plant in Iran a few years ago and was discovered in 2010. Earlier this month, spyware dubbed Flame was found on computers in Iran and elsewhere in the Middle East. Security experts have said Stuxnet and Flame have the same creators. Now the Washington Post reports, citing anonymous “Western officials,” that the U.S. and Israel were those creators; that Flame was created first; and that Flame and Stuxnet are part of a broader cyber-sabotage campaign against Iran. That campaign started under President George Bush and is continuing under President Barack Obama, according to a New York Times report earlier this month. (See Burning questions about Flame and cyberwar.) The Washington Post report describes Flame as “among the most sophisticated and subversive pieces of malware to be exposed to date” — a fake Microsoft software update that allows for a computer to be watched and controlled from afar.

Snooping and state power

[link] Sunday, April 8th, 2012

This morning’s Observer column:

The basic scenario hasn’t changed. Because of technological changes, we are told, criminals and terrorists are using internet technologies on an increasing scale. Some of these technologies (eg Skype) make it difficult for the authorities to monitor these evil communications. So we need sweeping new powers to enable the government to defend us against these baddies. These powers are as yet unspecified but will probably include “deep packet inspection” as a minimum. And, yes, these new measures will be costly and intrusive, but there will be “safeguards”.

The fierce public reaction to these proposals seems to have taken the government by surprise, which suggests ministers have been asleep at the wheel. My hunch is that the proposals were an attempt by the security services to slip one over politicians by selling them to senior officials in the Home Office, who, like their counterparts across the civil service, know sweet FA about technology and are liable to believe 10 implausible assertions before breakfast. In that sense, the Home Office has been “captured” by GCHQ and MI5 much as the health department has been captured by consultancy companies flogging ludicrous ICT projects….

On reading (and not understanding?) Heidegger

[link] Sunday, April 1st, 2012

This morning’s Observer column.

If you write about technology, then sooner or later you’re going to meet a smartarse who asks whether you’ve read Heidegger’s The Question Concerning Technology. Having encountered a number of such smartarses in recent years, I finally decided to do something about it, and obtained a copy of the English translation, published in 1977 by Harper & Row. Having done so, I settled down with a glass of sustaining liquor and embarked upon the pursuit of enlightenment.

Big mistake. “To read Heidegger,” writes his translator, William Lovitt, “is to set out on an adventure.” It is. Actually, it’s like embarking on one of those nightmares in which you’re wading through quicksand and every time you grasp a rope or a rock it comes apart in your hand. And it turns out that Heidegger’s fiendish technique is actually to lure you into said quicksand.

Cybercrime more dangerous than cyberwar, Says Obama Aide

[link] Wednesday, April 14th, 2010

From Technology Review.

A top White House cybersecurity aide said yesterday that transnational cybercrime, such as thefts of credit-card numbers and corporate secrets, is a far more serious concern than ‘cyberwar’ attacks against critical infrastructure such as the electricity grid.

Christopher Painter, the White House’s senior director for cybersecurity, made his comments at a conference arranged by top Russian cybersecurity officials in Garmisch-Partenkirchen, Germany. Russia is a major source of cybercrime, but its government has declined to sign the European Convention on Cybercrime–the first international treaty on the subject. The treaty aims to harmonize national laws and allow for greater law-enforcement cooperation between nations.

Painter acknowledged that critical infrastructure needed to be made more secure, but said that the best defenses start by cracking down on crime. “There are a couple of things we need to do to harden the targets, and make the systems as secure as possible,” he said. “But the other thing you need to do is reduce the threat. And the predominant threat we face is the criminal threat–the cybercrime threat in all of its varied aspects.”

We need Hague Convention 2.0. And we need it soon

[link] Sunday, June 28th, 2009

This morning’s Observer column.

If you’re not worried, you have not been paying attention. Almost without realising it, our societies have become hugely dependent on a functioning, reliable internet. Life would go on without it, but most people would be shocked by how difficult much of the routine business of living would become. It would be like being teleported back to the 1970s. Even a minor conflict could slow the global internet to a crawl. So cyberwar is a bit like nuclear war, in that even a minor outbreak threatens everyone’s life and welfare.

In those circumstances, isn’t it time we thought about devising treaties to regulate it? We need something analogous to the 1925 Geneva Protocol to the Hague Convention, which prohibited chemical and biological weapons. And we need to start now.

UPDATE: Interesting to see that this is also the lead story in today’s New York Times.

The United States and Russia are locked in a fundamental dispute over how to counter the growing threat of cyberwar attacks that could wreak havoc on computer systems and the Internet.

Both nations agree that cyberspace is an emerging battleground. The two sides are expected to address the subject when President Obama visits Russia next week and at the General Assembly of the United Nations in November, according to a senior State Department official.

But there the agreement ends.

Russia favors an international treaty along the lines of those negotiated for chemical weapons and has pushed for that approach at a series of meetings this year and in public statements by a high-ranking official.

The United States argues that a treaty is unnecessary. It instead advocates improved cooperation among international law enforcement groups. If these groups cooperate to make cyberspace more secure against criminal intrusions, their work will also make cyberspace more secure against military campaigns, American officials say.

“We really believe it’s defense, defense, defense,” said the State Department official, who asked not to be identified because authorization had not been given to speak on the record. “They want to constrain offense. We needed to be able to criminalize these horrible 50,000 attacks we were getting a day.”

Any agreement on cyberspace presents special difficulties because the matter touches on issues like censorship of the Internet, sovereignty and rogue actors who might not be subject to a treaty.

United States officials say the disagreement over approach has hindered international law enforcement cooperation, particularly given that a significant proportion of the attacks against American government targets are coming from China and Russia.

And from the Russian perspective, the absence of a treaty is permitting a kind of arms race with potentially dangerous consequences.