These last few months have been some of the most exciting, depressing, and troubling times for those interested in the phenomenon of cyberwar. As a cyber skeptic deeply engaged in this emerging debate I want to take a step back and analyze what we have learned.
First there was news of the Flame virus menacing due to its sheer size and abilities. Then a cyber backdoor was discovered on a Boeing 787 that could potentially allow the planes to be taken over remotely. On top of all this, David Sanger released excerpts of his book detailing how Stuxnet was a US government effort, in tandem with Israel, to target Iranian systems.
All of these events are examples of the continuing cyber hype perpetrated by the news media. The Flame virus apparently was detected at least three and as long as five years ago and no one thought anything of it. Repackage it as a ‘massive’ virus in the vein of Stuxnet and now you have a story. No matter that this virus appears to be focused on simple espionage. Its capabilities sound interesting – logging keystrokes to reveal passwords, listening in on local conversations, and activating cameras attached to computers – but in reality these techniques have been around almost as long as computers have been.
More importantly, the vulnerabilities the Flame virus exploits were patched by Microsoft and have been accounted for by major anti-virus organizations before the recent news, so where is the real danger? The key lesson is to update your virus definitions, not to fear the cyber boogeyman.
NPR suggested the decision to label the virus dangerous was politically motivated. The analysis came from a Russian firm whose interests lie in deflecting blame for cyber activity away from Russia and its allies and towards the West. Once again we are reminded how even disclosures of certain cyber activities are a politically motivated act filled with subtext and hidden intentions. Flame was an early virus likely developed to test systems for weaknesses, future viruses will likely be more dangerous but one should deal with that threat when it materializes because you cannot fight against the unknown.
The problem with the Boeing 787 is much more pressing and dangerous. It signals a tendency in the cyber world for actors to be their own worst enemies. A backdoor was inserted by the manufacturer of the chip system in the plane. Programmers typically will allow a system designer a form of backdoor control to be built into systems, or the backdoor could be simple hubris by those making the chipset. Regardless of the reason, a backdoor that could allow cyber access to critical infrastructure such as airlines is highly problematic; yet, the real issue is that defense is the burden of the defender. If there is a backdoor to American or British cyber systems, it is the responsibility of developers of the system to prevent these from occurring. These errors of development, reminding one of the flaws inherent in the Death Star, are the problem for those using the system. Vulnerabilities will be exploited.
At about the same time the White House released a strategy to deal with Botnets, groups of computers joined together that can attack targets and networks. This is exactly the type of initiative that the government needs to undertake. As the Obama administration notes, the issue of Botnets extends far beyond the concerns of one state; rather, it is a global issue that can be tackled through coordination and institutions. Remarkably, there was no hype associated with this announcement, as the media skipped over it in favor of more extreme cyber topics that follow their narrative of the increasing cyber threat, such as Stuxnet.
While the cyber threat is increasing, it is not an enemy that defies conventional forms of defense. Organized and rational thinking is needed, not counter weapons or a cyber-military industrial complex.
The rise of the cyber military-industrial complex is the particularly troublesome and worrisome event. As part of a vicious circle we have constructed, a cyber military-industrial complex can be both the cause and beneficiary of cyber hype. It points to the problem, but when asked to deal with the problem in a normal and rational manner, the cyber military-industrial complex uses the public’s lack of knowledge about the threat to overstate the infrastructure needed to tackle the problem.
While Stuxnet appeared to be a successful strategy in some ways, it should be not overstated as an effective tool against a state’s enemies. Sanger notes the debate about the impact of Stuxnet varies according to the analyst, with some suggesting Stuxnet set back Iran 18 months while others point to a quick recovery.
In fact, the real lesson from Stuxnet is the unintended consequences of cyberwar. The Sanger piece notes there was an error in the code that allowed it to spread once it made contact with the external networks after leaving the target on the laptop of an unlucky worker. The article notes the attempt to deflect blame, “we think there was a modification done by the Israelis.” Unfortunately, the United States opened Pandora’s Box and should be prepared to deal with the consequences.
What do we have to fear? Cyber crime is an acute issue that needs to be dealt with by constructing a strong defense. This defense needs to be focused on cyber criminals rather than the extreme fears of cyber attacks led by states or terrorists. The United States needs to clean up its cyber infrastructure, educate IT professionals about the basics of cyber defense, and invest in protective systems that do not limit internet freedoms. There are tasks that will require a major effort, but they can be accomplished without spending billions. The focus should move away from military or intelligence led apparatus towards a cyber organization that would be an extension of the FBI or another law enforcement agency. Cyber bank fraud is a serious issue, but it is a serious issue for domestic police operations rather than the military.
Brandon Valeriano is an assistant professor at the University of Glasgow and can be reached at [email protected].