Category: cyberwar

Cyberwar: the west started it

<originally a Webwereld column – in Dutch – also on HuffPo UK, Consortiumnews and Globalresearch>

The War Room, Dr. Strangelove - 1965

A few years ago, Israeli and American intelligence developed a computer virus with a specific military objective: damaging Iranian nuclear facilities. Stuxnet was spread via USB sticks and settled silently on Windows PCs. From there it searched networks for specific industrial centrifuges using Siemens SCADA control devices, spinning at high speed to separate Uranium-235 (the bomb stuff) from Uranium-238 (the non-bomb stuff).

Iran, like many other countries, has a nuclear program for power generation and the production of isotopes for medical applications. Most countries buy the latter from specialists like the Netherlands, which produces medical isotopes in a special reactor at ECN. The western boycott of Iran makes it impossible to purchase isotopes on the open market. Making them yourself is far from ideal, but it is the only option that remains while imports are blocked.

Why the boycott? Officially, according to the U.S., because Iran does not want to be sufficiently open about its weapons programs. In particular, military applications of the nuclear program are an official source of concern. This concern is fairly recent and for some reason has only been reactivated after the US attack on Iraq (a lot of the original nuclear equipment in Iran was supplied by American and German companies with funding from the World Bank before the 1979 revolution). The most curious thing about the allegations of Western governments about Iran is that they are never more than vague insinuations. When all 16 U.S. intelligence agencies produced a joint study in 2007 there was a clear conclusion: Iran is not developing a nuclear weapon (recent speech by the leader of this study here).

And that’s strange.

For if the 16 American intelligence services and their Israeli colleagues, the famous Mossad, can all agree that Iran is not making nuclear weapons, how do you justify an attack against civilian industrial infrastructure? And that this is the equivalent of a military attack is clear when you consider what would happen if Iran had been caught in a cyber attack on ‘our’ installations in Borssele or Indian Point.

Stuxnet is designed for a single purpose: damaging nuclear enrichment facilities in Iran. This is a country that is simply allowed to perform these activities under the international agreements stipulated in the Non-Proliferation Treaty. Iran, like most other countries in the world (except Israel, India, Pakistan, South Sudan and North Korea), signed this treaty. Nuclear weapons are not allowed but civil nuclear industry is, a detail that sometimes escapes the attention of editors. Like the reason why Iran is not a democracy. I’m not saying the Iranian government are darlings, but the country has not attacked anyone in the past 200 years, unlike several of our NATO partners.

But Stuxnet has made some things very clear to Iran and the rest of the non-Western world. It does not matter that you abide by established agreements and treaties. It does not matter that you’re not a threat to the West. It does not matter that the countries that accuse you most of violating the non-proliferation agreements (U.S. and Israel) are themselves the most egregious violators: the USA by delivering plutonium to Israel, and Israel by not even signing the treaty and secretly stashing 100-200 nuclear bombs in the basement.

So there is no reason for you to stick to agreements or treaties, because doing so does not guarantee that the parties on the other side will do the same and it may put you at a strategic disadvantage. And if you are going to have the disadvantages of the alleged conduct (boycotts, threats of bombing), it is logical that you also want the benefits. It is almost rational for Iran to develop a military nuclear program. Certainly North Korea seems to get away with it. As a bonus, it now has a few nuclear weapons and that is still the best guarantee that the U.S. will not be bringing unsolicited packages of "democracy" (although a lack of oil wells also seems to help).

Like the attack on Iraq, which was carried out based on deliberate lies (The US and UK knew Saddam had no WMDs), the U.S. again does not comply with the standards that it happily tries to impose on others. With the result that no-one takes such standards seriously anymore and the world (and cyberspace) becomes a wild west shooting gallery.

And that’s exactly what you do not want in a world where a handful of angry Chinese / Russian / Iranian / Iraqi / <insert other country> can completely anonymously and in secret take down your critical infrastructure. Because of their high degree of automation, Western countries are much more vulnerable than countries that have just outgrown their third world status. Cyber weapons are relatively inexpensive and developing them is more difficult to detect than the construction of missiles and aircraft carriers. The best defense against them is the prevention of an arms race. As in a nuclear war, everybody loses in a cyber war. Safety in such a context is created by moral leadership (starting with: follow your own rules) and actively working at de-escalation. And that is exactly what the U.S. and Israel have not done.

With such friends, we are assured of a continuous stream of new enemies in countries that mainly want to be left alone, but that arm themselves just in case the "free West" is on the prowl in their region.

Setting up a Dutch Cyber Army while the sluices and pumping stations are equipped with factory-default passwords in their SCADA controllers seems pretty stupid. If you live in a glass house, not throwing stones and not motivating others to do so is the smarter move.

Update: a NATO research team has determined that the Stuxnet ‘attack’ against Iran was an ‘Act of Force’ (not an ‘Act of War’). We’ll see if that determination holds up if a non-NATO country (let’s say Iran) does the same to a NATO country.


Cybercrime; prevention vs. repression

<originally a Dutch Webwereld.nl column>

Cybercrime and cyber-warfare are currently the trendy terms the government throws around to acquire additional laws and powers. If it can also link cybercrime to the distribution of images of child abuse (also known as child pornography), the government has hit political pay dirt and can do pretty much what it wants. What continues to puzzle me is how all this focus on the distribution of such images actually protects the child victims themselves.

Bart Schremer recently published his opinion piece, providing an overview of the issues that law enforcement agencies are facing. On the one hand society (or at least the media) expects law enforcement to solve all crime immediately, preferably on a modest budget. On the other hand most Dutch people would still prefer to avoid a police state along the lines of the North Korean or American model.

But what is missing from all the discussions about permissible methods of detection, hacking police officers and politicians who make use of crime-fighting is why cybercrime has grown so enormously. The increasing complexity of our reliance on IT will certainly have contributed. But one other important factor is the huge digital illiteracy among the vast majority of citizens. Aside from some half-hearted campaigns, the government has done little to teach citizens anything of real use or value.

If you have been online for a while (i.e. more than 15 years), it is difficult to imagine that many Internet users today do not know how a URL is constructed or what it does – and with today’s browsers you don’t need to know. I often see people typing the name of a site into Google (which is set as the homepage) and then clicking on it. And so, without batting an eye, they click their bank details through to helpdesk.br.ru/ING, or something similar. Just because the logo was in the mail, is it still the help desk of the ING bank? If people could understand the difference between a top level domain and the rest of the URL, they could probably work out for themselves if the ING bank is really based in Russia.
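
The URL reading described above, as an added example that is not part of the original column: it splits a link into host, top level domain and path, and reports where the bank's name actually appears. The official domain ing.nl, the extra sample links and the two-label shortcut for the registrable domain are assumptions made for the illustration.

```javascript
// Added example, not part of the original column.
// Assumption: the registrable domain is approximated as the last two host
// labels. Production code should use the Public Suffix List (think co.uk).

function readUrl(link) {
  // Links in mail are often written without a scheme; add one so URL() parses.
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(link);
  const url = new URL(hasScheme ? link : `https://${link}`);
  const host = url.hostname.toLowerCase();
  const labels = host.split('.');
  return {
    host,
    tld: labels[labels.length - 1],
    registrable: labels.slice(-2).join('.'),
    subdomains: labels.slice(0, -2),
    path: url.pathname,
  };
}

// Says where the brand name sits: only the registrable domain proves ownership.
function brandPlacement(link, brand, officialDomains) {
  const parts = readUrl(link);
  const b = brand.toLowerCase();
  if (officialDomains.includes(parts.registrable)) return 'official-domain';
  if (parts.subdomains.some((label) => label.includes(b))) return 'brand-in-subdomain-only';
  if (parts.path.toLowerCase().includes(b)) return 'brand-in-path-only';
  return 'brand-absent';
}

// Constructed sample links; the first is the one quoted in the column.
const samples = ['helpdesk.br.ru/ING', 'https://ing.nl.example.ru/login', 'https://www.ing.nl/'];
for (const link of samples) {
  const { tld, registrable } = readUrl(link);
  console.log(link, '->', registrable, `(.${tld})`, brandPlacement(link, 'ING', ['ing.nl']));
}
```
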

One of the main causes of the proliferation of cybercrime is the profound ignorance of most computer users. This ignorance is partly caused by an education system that teaches handy computer tricks rather than real understanding. The "computer licence" is simply a course in MS Windows & MS-Office and provides no insight whatsoever into what a computer actually does or how networks function. Not that everyone needs to be a system programmer, but ensuring a bare minimum of understanding (such as ‘reading’ a URL) could avoid so much pain.

In addition, the vast mono-culture of computer systems is a major problem that the government is actively propagating. Thus, in the Netherlands, it is virtually impossible to finish high school without access to a system with MS-Windows and MS Office. Running a school and getting it funded is even harder. Studying at many universities without a Google account is rapidly becoming impossible, and a Facebook account is required to function in other institutions.

The Lower House, listening to the arguments, noted in 2002 that “software plays a crucial role in the knowledge society, and that the supply side of the software market at that time is highly monopolised.” It asked the government to fix this.

These are the first sentences of the 2002 Vendrik Parliamentary Motion on the dysfunctional desktop software market. But this malfunctioning-market aspect was soon forgotten in the many discussions about various open standards and about which open source web-system really is the best. Yet the motion focused primarily on a disturbance of the software market, not on the internal management of secondary schools, municipalities and other public sector agencies.

A lot of hot air is wasted discussing nebulous cloud systems, but interaction with these clouds still occurs primarily via desktop/laptop systems. And the market for these systems remains almost as monopolised as in 2002. Whoever has control over these desktops has de facto control over most information processing in the Netherlands. To date mostly criminals seem to be interested in our desktops. The desktop landscape of the Netherlands is an extreme software mono-culture, and this makes us vulnerable, and yet for the last ten years the government has done virtually nothing to reduce this vulnerability.

Meanwhile the role of IT in the minute-by-minute functioning of our society has greatly increased in recent years. What about hospitals, ports, airports, schools, police stations, and ambulance dispatchers? All of them can only function with working desktop PCs. And those PCs are often running Windows without the latest updates. Criminals or foreign cyber armies can take over these systems and gain a stranglehold on our society and, unlike with rumbling tanks, we would only figure this out after it was already done (or even much later than that).

If cybercrime and even cyber-warfare were really so vitally important, it would be logical for the government to institute a computer education that really teaches, to dismantle our software mono-culture, and to reduce our high dependency on foreign service-providers. Real advances in these areas would make so much more sense than handing yet more power to a government that displays ever more totalitarian tendencies and, at the same time, highly questionable competence.

Update: while I was writing this column, a criminal (presumed to be from Russia) made my point by infecting 100,000 computers via a Java vulnerability and a hack of the Dutch news website nu.nl around lunchtime. All infected computers ran MS-Windows. More details in the post-mortem report of Fox-IT.