1 cbrne-terrorism newsletter – june 2012...3 cbrne-terrorism newsletter – june 2012 costing the...

1CBRNE-Terrorism Newsletter – June 2012

www.cbrne-terrorism-newsletter.com







Internet may drop for hundreds of thousands in July due tohacker malwareSource: http://abclocal.go.com/kabc/story?section=news/consumer&id=8630663

A few mouse clicks could mean the differencebetween staying online and losing your Internetconnection this summer.Unknown to most computer users, the problembegan with international hackers running anonline advertising scam to take control ofinfected computers worldwide. In response, theFBI set up a safety net months ago to preventInternet disruptions for those infected users.

But here's where the problem kicks in - thatsystem is to be shut down.So, the FBI is encouraging computer users tovisit www.dcwg.org, a website run by itssecurity partner. The website containsinformation to see if your computer is infectedand explains how to fix the problem.After July 9, infected users will not be able toconnect to the Internet.Most victims don't even know their computershave been infected, although the malicioussoftware probably has slowed their web surfingand disabled their antivirus software, makingtheir machines more vulnerable to otherproblems.Last November, the FBI and other authoritieswere preparing to take down a hacker ring thathad been running an Internet ad scam on amassive network of infected computers.However, officials said if they just threweveryone involved in jail, the victims of thevirus would be without Internet service."The average user would open up InternetExplorer and get 'page not found' and think the

Internet is broken," explained Tom Grasso, anFBI supervisory special agent.On the night of the arrests, the agency broughtin Paul Vixie, chairman and founder of InternetSystems Consortium, to install two Internetservers to take the place of the truckload ofimpounded rogue servers that infectedcomputers were using. Federal officialsplanned to keep their servers online until

March, giving everyone theopportunity to clean theircomputers. But it wasn'tenough time. A federal judge inNew York extended thedeadline until July.Now, said Grasso, "the fullcourt press is on to get peopleto address this problem." Andit's up to computer users tocheck their PCs.Here's what the hackers did:They infected a network ofprobably more than 570,000

computers worldwide. The malware turned offantivirus updates and changed the way thecomputers reconcile website addresses behindthe scenes on the Internet's domain namesystem.The DNS system is a network of servers thattranslates a Web address into the numericaladdresses that computers use. Victims'computers were reprogrammed to use rogueDNS servers owned by the attackers. Thisallowed the attackers to redirect computers tofraudulent versions of any website.The hackers earned profits fromadvertisements that appeared on websites thatvictims were tricked into visiting. The scamnetted the hackers at least $14 million,according to the FBI. It also made thousands ofcomputers reliant on the rogue servers for theirInternet browsing.When the FBI and others made the arrests inNovember, the agency replaced therogue servers with clean ones.Installing and running the twosubstitute servers for eight months is



















costing the federal government about $87,000.The number of victims is hard to pinpoint, butthe FBI believes that on the day of the arrests,at least 568,000 unique Internet addresseswere using the rogue servers. Five monthslater, FBI estimates that the number is down to

at least 360,000. The U.S. has the most, about85,000, federal authorities said. Othercountries with more than 20,000 each includeItaly, India, England and Germany. Smallernumbers are online in Spain, France, Canada,China and Mexico.

Iranian oil terminal 'offline' after 'malware attack'Source: http://www.bbc.com/news/technology-17811565

Iran has been forced to disconnect key oilfacilities after suffering a malware attack onSunday, say reports.The computer virus is believed to have hit theinternal computer systems at Iran's oil ministryand its national oil company.

Equipment on the Kharg island and at otherIranian oil plants has been disconnected fromthe net as a precaution.Oil production had not been affected by theattack, said the Mehr news agency.

However, the attack is believed to have beenresponsible for knocking offline the websites ofthe Iranian oil ministry and national oilcompany.The Ministry website was back in action onMonday but the oil company site has remained

unreachable.An Iranian oil ministry spokesperson wasquoted as saying that data about users ofthe sites had been stolen as a result of theattack. Core data about Iran's oil industryremained safe because it was on computersystems that remain separate from the net,they added.The terminal on Kharg Island handles about90% of Iran's oil exports.Iran is reported to have mobilised a "cyber

crisis committee" to handle the aftermath of theattack and bolster defences.This committee was set up following attacks in2010 by a virus known as Stuxnet that wasaimed at the nation's nuclear programme.

Preventing an Olympic-sized DisasterSource: http://www.infosecurity-magazine.com/view/25302/preventing-an-olympicsized-disaster/

The London 2012 Olympics will be one of thebest-protected yet, from a physical securitypoint of view. The UK government hasallocated £533m ($835m) for security staff andequipment, and the military has been drafted into bolster protection. In January, the authoritiesheld a high-profile security exercise in London,including the Royal Marines boarding boats onthe Thames.Fighter jets will be stationed around London,and the Royal Navy’s largest ship, HMSOcean, will be part of a 13,500-person militarydeployment. While the cost and scale of theoperation is smaller than the Beijing Olympics– where some estimates put security costs atUS$6.5bn – it is certainly a show of force.

The cybersecurity arrangements for theLondon 2012 Olympics, however, remain lesshigh profile. There are concerns, amonginformation security experts, that the Gamesremain vulnerable to sustained attacks fromhacktivists, criminal groups, cyber-terrorists oreven those who are setting out just to causemischief.There are growing concerns, too, that actsintended to disrupt the games could have far-reaching impacts on the wider UK businesscommunity, as well as the public. In someways, information security could be the ‘softunderbelly’ of the Games. Somesecurity companies have alreadyseen an upswing in fraudulent,Olympic-related websites, especially





























those offering cut-price tickets. But, whilefraudsters may have already started exploitingpublic interest around the event, those withmore serious intentions may still be markingtime.

Upping Their GameThe London Games face some risks that noOlympics have had to face before. The terroristthreat has, unfortunately, been with the Gamessince the Munich disaster, and London iscertainly a target for some high-profile groups.That threat has now extended, both to thepotential use of cyber attacks for terrorist ends,and because the attacks themselves are morepowerful, more varied, and more sophisticated.“While I don’t believe London is at any greater

risk than previous Olympic locations, the risk ishigher for more sophisticated cyber attacks”,says David Johnson, senior analyst atForrester Research. “Aswe’ve seen with Stuxnetand other elaborateschemes, thesophistication of bothcriminals and nation-states is an order ofmagnitude beyond even 2008.”Not only has the technology of a cyber attackchanged, so have the motivations. Althoughsome groups will be driven purely by thepotential for financial gain, others have moredeep-seated reasons to cause disruption. Theidea of hacktivism was, at most, embryonicduring the Beijing games. Today, though, it is areal concern for allsecurity experts.“The Olympics areactually a very attractiveattack target for political-driven groups or forhacktivism purposes”, cautions Chenxi Wang,also an analyst with Forrester. “There aren’tmany events that have such a large-scaleinternational impact as the Olympics.” Anysuch event, of course, is a draw for the internetunderworld.

Ready, Get Set, Go!Already, organizations that monitor informationsecurity threats have noticed a steady increasein Games-related malware. With tickets forLondon 2012 in scarce supply, fake ticket sites– and malware or social engineering attacks

using Olympic ticket offers to hook inconsumers – are a problem.“The authorities do seem to be doing a lot ofpreparation, but most of the information comingout appears to be focusing around keepingLondon running during the Games – aroundtransportation for example”, says Steve Bailey,head of operational risk at PA ConsultingGroup. “They need to move away from that alittle bit, towards things like the dangers ofsocial engineering, for example.”As Infosecurity has reported before, theLondon Games organizers were relatively lateto set up official ticketing sites, and to publicizeofficial (and safe) internet addresses for theevent. This may have given fraudsters andmalware writers a head start.“Ticketing scams have been around for severalmonths”, points out Carl Leonard, head ofWebsense Security Labs. “As soon as ticketing

started, malware authorsjumped on thatbandwagon to capitalizeon it. We’ve seen scamsites offering discountsfor specific events forseveral months. And as

we get closer to the event we’re likely to seesome scandals.”Members of the public are vulnerable on twofronts: scam ticket sites that take paymentsfrom consumers – and never send tickets –and those that use the attraction of ticket offersto inject malware on to a users’ computer or,potentially, their smartphones. Malware writers

are likely to target videosharing, as well as socialmedia sites, especiallyduring the Gamesthemselves.“When the Games begin

there will be highlights on social networks andvideo upload sites, and there will be scamslinking to malicious code”, Leonard cautions.Businesses should act now to educate

employees about the risks, he says. Inparticular, staff should be reminded about theadded risks of using insecure networks, suchas WiFi hotspots, and that malware may alsoattack – or spread – via their companysmartphones. This could be especiallydangerous as the UK Government isencouraging companies to make

"There would be a massive impact if therewere a cyber attack that affected the Tube,bringing down the Oyster network forexample"

Steve Bailey, PA Consulting Group

"The Olympics are actually a veryattractive attack target for political-drivengroups or for hacktivism purposes"

Chenxi Wang, Forrester Research



































more use of home working and remoteworking, to reduce Games-related congestion.To combat these additional risks, CISOs andCIOs should act now, if they have not alreadydone so. This means checking that remote andhome working systems are up to date, haveenough capacity and, critically, that theirsecurity measures are up to date. This includesensuring that employees’ computers –especially laptops – have the latest patches,and if they are to be used with sensitive data,support encryption.“The time to find out your home workingsystem doesn’t work is not the first day of theOlympics. Make sure disaster recovery sitesare prepared, and ready to go”, warns StephenBonner, a partner in the security practice atKPMG.

A Marathon, Not a SprintIT helpdesks should also be drilled to handleadditional support calls – and to be aware ofthe risk of hackers posing as employees, inorder to take advantage of a busy ITdepartment to obtain passwords or other backdoors into systems. CIOs may also want toconsider putting critical IT systems intolockdown, to ensure that they work reliablyduring the event. IT support staff, for example,may find it hard to travel to data centers formaintenance tasks during the games.“A lot of large enterprises are going into a ‘nochange’ window, as they run up to theOlympics”, says Greg Day, CTO for EMEA atSymantec. “You don’t want to be makingmodifications at the same time as preparing for[a large event] happening. For enterprises, ifthey don’t have the right resources up andrunning now, they will run into that blackoutwindow.”If businesses only have a limited amount oftime to prepare, however, then those taskedwith defending the Games are already fightingon more than one front.Organizers will have to contend with distributeddenial of service (DDoS) and advancedpersistent threat (APT) attacks, as well as agrowing use of social media, and socialengineering to inject malware into computernetworks.“The world has moved on since Beijing, interms of the cyber threat”, says Jay Huff,EMEA director of HP enterprise security.“Beijing was a more controlled environment. Itwas much harder for cybercriminals to operate

there. But hacktivism is now one of the topscenarios to defend against.”There are concerns, too, that attacks aroundthe games will focus less on information theftor on IT systems, but will instead target controlsystems and critical national infrastructure(CNI). If successful, such attacks could causewidespread disruption.

Total Knock-OutThe utilities, systems such as those runningticketing for the Games themselves, and eventhe UK’s core internet infrastructure, could allbe targets. But an attack on the publictransportation system in and around Londoncould cause some of the most immediatedamage and disruption.“There is no better DDoS attack than[stranding] millions of visitors on the Jubileeline at peak time”, warns Stephen Bonner atKPMG. “It is how you prepare for that inpractice that matters.”His concerns are echoed by Steve Bailey at PAConsulting Group. “There would be a massiveimpact if there were a cyber attack that affectedthe Tube, bringing down the Oyster network forexample, or affecting signaling”, he says. “Theeffects would be disastrous, especially aroundtransport hubs like mainline railway stations.“The networks would also be a good place toattack; it would affect businesses but alsopeople’s enjoyment of the Games”, Baileyadds. It is here that the interests and securityconcerns of the London 2012 organizers andbusinesses in the UK converge. The UKCabinet Office has already warned businessesof possible disruption to internet connectionsas a result of Games-related congestion. Thiscould be much, much worse if thatinfrastructure is also targeted by cyber-crimegroups.Similar concerns also apply to the mobile voiceand data networks, which are likely to be moreheavily loaded both by visitors and London-based employees working from home, butwhich also form a significant part of manyorganizations’ backup plans forcommunications.“Mobile communications and public networkswould be the most obvious targets”, saysForrester’s David Johnson. “An attack thatsaturates network links and slowscommunication to a crawl is one waythat such an attack could disruptinternet infrastructure.”















That is why, practically speaking, the businessand IT security community needs to follow the

lead of the Games organizers: plan, test, andtest again.

Slowing time as a way to counter cyberattacksSource:http://www.homelandsecuritynewswire.com/srdisasters20120503-slowing-time-as-a-way-to-counter-cyberattacks

Researchers offer a new way to deal withcyberattacks on critical infrastructure like powerand water utilities and banking networks: slowdown Internet traffic, including the maliciouscode, when an attack is suspected; this wouldallow networks time to deal withthe attacksOne of the striking specialeffects in the film The Matrixoccurs during the scene inwhich Keanu Reeves’character Neo, sways andbends to dodge bullets astime appears to slow to a crawl. Now, thatscene has inspired researchers to develop away to deal with cyberattacks on criticalinfrastructure, like power and water utilities andbanking networks.The idea, developed by University of Tulsaengineers, is to slow down Internet traffic,including the malicious code, when an attack issuspected. This would allow networks time todeal with the attacks.This is accomplished by having an algorithmsend hyper-speed signals ahead of themalicious data packets in order to mobilizedefenses. “Slowing the malicious traffic by justa few milliseconds will let the hyper-speedcommands activate sophisticated network-defence mechanisms,” according to SjeetShenoi of Center for Information Security atU Tulsa.The core defensive capabilities offered byhyper-speed signaling include distributedfiltering, teleporting packets, quarantiningnetwork devices, tagging and trackingsuspicious packets, projecting holographicnetwork topologies, and transfiguring networks.Hyper-speed signaling would help thwartcyberattacks, but it is likely to be expensive toimplement. The reason for the expense, andanticipated resistance to the countermeasure,is that hyper-speed signaling would require areserved, exclusive data path for the commandand control signals, something that could beseen as an expensive waste of capacity.

Added to this is the need for more buffers andstorage. When an attack is sensed, and taintedtraffic is slowed down, that data needs to beheld somewhere or crucial data may be lost.Lastly, the core defensive measures offered by

hyper-speed signaling wouldrequire additional programmingto install the countermeasuresinto the routers, and to protecttargeted devices on the network,such as pump controllers, powergrid relays, and cash machines.

Hyper-speed signaling is only asgood as the threat sensors on which

it depends. The sensors might detect malwaredisguised as legitimate traffic if the virussignature is known, much the way typical anti-virus programs work now. It will fail, however,to identify variants or new malicious code it hasnever seen before.This presents a problem in itself. For the hyper-speed signaling paradigm to be effective, itmay mean slowing Internet traffic permanently.This is not likely to be a well-received option.Another detection option, funded by the U.S.Department of Energy and DHS, has beendeveloped by researchers at DartmouthCollege in New Hampshire in conjunction withthe University of Calgary, in Alberta, Canada.Led by Jason Reeves of Dartmouth, the teamhas developed a way for infrastructure tomonitor itself.Dubbed Autoscopy, the monitor is anexperimental host-based intrusion detectionmechanism that operates from within the kerneland leverages its built-in tracing framework toidentify control-flow anomalies, which are mostoften caused by rootkits that hijackkernel hooks.Autoscopy monitors the kernel, which is thecore code of a computer operating system.“We detect changes in the sequence of codethe program runs, ones oftenintroduced by malicious programs,”Reeves says. Autoscopy can also runverification on the operating system























code to determine wehether it has been alteredby malware.

Autoscopy could also trigger the hyper-speedsignaling countermeasures.

— Read more in Daniel Guernsey et al., “Implementing novel reactive defense functionalityin MPLS networks using hyperspeed signaling,” International Journal of CriticalInfrastructure Protection 5, no. 1 (1 March 2012): 40–52 (DOI: 10.1016/j.ijcip.2012.02.001);andJason Reeves et al., “Intrusion detection for resource-constrained embedded controlsystems in the power grid,” International Journal of Critical Infrastructure Protection (inproofs; available online 10 February 2012)

Travelers’ laptops infected through fake software updates inforeign hotel roomsSource: http://www.homelandsecuritynewswire.com/dr20120511-travelers-laptops-infected-through-fake-software-updates-in-foreign-hotel-rooms

The Internet Crime Complaint Center (IC3)reports that recent analysis from the FBI andother government agenciesdemonstrates that malicious actorsare targeting travelers abroadthrough pop-up windows whileestablishing an Internetconnection in their hotel rooms.Recently, there has been a surgein instances of travelers’ laptops beinginfected with malicious software while usinghotel Internet connections. In these instances,the traveler was attempting to setup the hotelroom Internet connection and was presentedwith a pop-up window notifying the user toupdate a widely used software product. Ifthe user clicked to accept and install theupdate, malicious software was installed on thelaptop. The pop-up window appeared to beoffering a routine update to a legitimatesoftware product for which updates arefrequently available.IC3 notes that the FBI recommends that allgovernment, private industry, and academic

personnel who travel abroad take extra cautionbefore updating software products on their

hotel Internet connection.Checking the author or digitalcertificate of any promptedupdate to see if it correspondsto the software vendor mayreveal an attempted attack.

The FBI also recommends thattravelers perform software

updates on laptops immediately beforetraveling, and that they download softwareupdates directly from the software vendor’sWeb site if updates are necessarywhile abroad.Anyone who believes they have been a targetof this type of attack should immediatelycontact their local FBI office, and promptlyreport it to the IC3. The IC3’s complaintdatabase links complaints together to referthem to the appropriate law enforcementagency for case consideration. The complaintinformation is also used to identify emergingtrends and patterns.

How Cloud Computing Can Benefit Disaster ResponseBy Valerie Lucus-McEwenSource:http://www.emergencymgmt.com/disaster/How-Cloud-Computing-Can-Benefit-Disaster-Response.html

As technology continues to redefineemergency management practices, theprocess of incorporating new concepts intodaily practice and planning can be confusing.This is especially true if the concept soundsmysterious and cryptic — cloud computingoften sounds complex and bewildering.

The truth isn’t nearly that exciting. Cloudcomputing is more like regressing to the earlydays of network design. The “cloud” in cloudcomputing was the symbol networkengineers used to illustrate unknowndomains and large networks ofservers located elsewhere. Using thepower of other computers somewhere































on the Internet — that’s what cloud computingis all about.“Cloud computing is just hosted computerservices,” said Pascal Shuback, a programcoordinator for the King County, Wash., Officeof Emergency Management. “It is simply usingthe power of other computers on the Internet.”Emergency managers use a cloud every daywithout thinking twice to: check email,collaborate with applications like SharePoint,access social and professional networks, watchvideos on YouTube, or use almost anythingfrom Google.

Cloud computing is not new. What is new ishow it’s being applied. What it can do foremergency management is make the job a loteasier.Nick Crossley, manager of emergencymanagement and mission continuity for theUniversity of California, Davis, uses MicrosoftSharePoint as a collaborative planning tool forevents on campus. “I can set up discussionboards, share documents or resource lists,” hesaid. “I can control access to it, and all theplayers in any event or incident can access itanytime, from anywhere, on or off campus.”Commercial incident management software isalso in the cloud. “We used WebEOC as acloud for communication and emergencyresponse between all the local, regional andstate emergency management,” said DarylSpiewak, former emergency, safety andcompliance manager for the Brazos RiverAuthority in Waco, Texas.

The AdvantagesLike everything else, there are pros and consto delivering services via cloud computing.

One big advantage is the cost. The individualuser needs only a terminal/monitor/modem withsome limited local storage and access to theInternet. Commercial software packagesvanish in favor of subscriptions to the programsor services needed. The agency doesn’t needa room full of servers, and IT departmentsshrink because the data center doesn’t exist.The end-user experience is certainly lesscomplicated. Compatibility problems decrease,because software updates are always current.Dependability increases because services aremaintained and available remotely 24/7, no

more waiting for desktopsupport. Profiles remainconsistent across alldevices, and “intelligentassistants” (think Siri) cancustomize neededinformation.There is a growing nichemarket for specificindustries. A service fromClio lets lawyers managetheir practice andcommunication with clientsfrom the cloud. OxfordUniversity in England

maintains a service to giveacademic researchers a space for long-termretention of their research data. Autodesk hascloud-based tools for designers. The ElectronicMedical Records initiative replaces doctors’charts with terminals that allow them to keeptrack of medical treatments regardless of apatient’s physical location.

Now the DownsideAs idyllic as it all sounds, there are concernsabout migrating to cloud computing, likebandwidth. Think of bandwidth as the InterstateHighway System. The roadway is the network;the wider the roadway, the more cars (or data)can travel along it; more roadways (networks)mean more options for cars (and data) to getfrom one place to another. We have theinterstate; we don’t have the city streets. Thedownside is that public infrastructure —physical or virtual — isn’t a high priority in theU.S. these days.Another concern is maintaining connectionsto a cloud. If the link is severedbecause of a power outage, softwarecrash, or an earthquake or hurricanetaking out the local infrastructure, and





















the Internet can’t be accessed, neither can thedata or applications stored there. Case in pointbeing the Microsoft Azure cloud service failureon Feb. 29 that left customers worldwidewithout access for several hours to severaldays. This problem is easier to solve: Theanswer is collaborating clouds. Just like thereare failover procedures in data centers, therewill be failover clouds.Security is one of the chief roadblocks toimplementing cloud computing systems,certainly for government agencies or anyagency receiving federal funding. Some of thatmay be resolved with the Federal Risk andAuthorization Management Program(FedRAMP), which will provide a standardizedcloud certification process across the federalgovernment and is set to be launched in June.It is hoped that FedRAMP can address some ofthe more frustrating complications. Forexample, Los Angeles excluded its lawenforcement departments from the city’s newGoogle cloud-based email system, because ofclaims that the company couldn’t comply withthe FBI’s Criminal Justice Information Servicespolicies.Thin notebooks with Internet access can betaken anywhere, used anywhere and becausethey don’t contain much data, can provide alevel of security that doesn’t exist today. Cloudcomputing would end the stories about laptopswith classified or unencrypted informationbeing stolen, like the ones that were taken fromNASA last year that contained command andcontrol codes for the International SpaceStation.Regardless, the biggest issue for deployment issimply selling people on the concept. There areIT techs, agencies and ordinary peopleunwilling to move data and applications tosome remote location they can’t see or touch.Whether it’s a concern about privacy, distrustor just plain stubbornness, keeping files andprograms in a cloud requires a shift in mindset— like the one that pushed the widespreadadoption of the Internet. And that might takesome time.

Virtual Mission ContinuityFor emergency management, cloudcomputing’s biggest advantage can besummed up in three words: virtual missioncontinuity.Cloud computing reduces concerns aboutwhether the data center will survive a disaster.

Businesses and agencies are good at copyingand backing up data, but the real challenge isrestoring the applications to keep essentialservices and critical functions online. Entireservers, including systems, applications anddata can be copied, backed up and be ready toactivate in another data center in a matter ofminutes.Employees can be sent to a location that hasInternet access and it is all still there —accurate as of the moment the disasterhappened. Writing most of the devolutionsection of a continuity of operations plan —how the agency will transfer essential functionsand responsibilities to personnel at a differentoffice or location (and back) — becomes a no-brainer. The best part is that cloud computingis equally available to a small agency or mom-and-pop business as it to big ones.“One of the significant benefits of using thecloud is that you can distribute your personnel,”said Gavin Treadgold, former director of theKestrel Group, a risk, continuity andemergency management consultant group. “Itmakes it quite a bit easier to have remotepersonnel contributing without the logisticaloverhead of bringing them into a disasterzone.”Another mission continuity solution istelecommuting. “The cloud is also helpful whenyour team, which is normally in a singlebuilding, is spread around residential homes orsuburban offices,” Treadgold added.Applications and data house in a cloud enableemployees to work from remote locations. Itremoves the burden of running applications ona home computer, permits virtual collaborationof documents and allows real-timecommunication via instant messaging orprograms like Skype.And isn’t it a short jump from that to a virtualEOC? As universal broadband accessbecomes commoner, an activated EOC can beestablished in minutes and operated frommultiple remote locations simultaneously. Itmaintains the flexibility and scalability inherentin incident management systems, and makes iteasier to send and receive data or visual feedsfrom the field.Emergency managers pride themselves onbeing flexible and resourceful. Cloudcomputing is a tool that can enhancethe primary mission of ensuring thatcommunities survive disasters. Itoffers increased access to resources













and faster response.“The cloud is going to change the wholementality of emergency management,”Shuback said. “Responders can be anyonewith connectivity, the public included. We can

regionalize our capabilities and create virtualoperation support teams composed of thepeople able to support an event, and it doesn’tmatter where they are.”

Valerie Lucus-McEwen is a certified emergency manager and certified business continuityprofessional. She also writes the Disaster Academia blog for Emergency Management atwww.emergencymgmt.com/academia

Virtual Terrorism: Al Qaeda Video Calls for 'Electronic Jihad'Source:http://abcnews.go.com/Politics/cyber-terrorism-al-qaeda-video-calls-electronic-jihad/story?id=16407875#.T7y8aVKaXAl

Al Qaeda may be turning its destructiveattention to cyber-warfare against the UnitedStates. In a chilling video, an al Qaedaoperative calls for "electronic jihad" against the

United States, and compares vulnerabilities invital American computer networks to the flawsin aviation security before the 9/11 attack.The al Qaeda video calls upon the "covertmujahidin" to launch cyber attacks against theU.S. networks of both government and criticalinfrastructure, including the electric grid. Thevideo was obtained by the FBI last year, andreleased today by the Senate Committee onHomeland Security and Governmental Affairs."This is the clearest evidence we've seen thatal Qaeda and other terrorist groups want toattack the cyber systems of our criticalinfrastructure," Homeland Security andGovernmental Affairs Committee Chairman JoeLieberman, I-Conn., said in a statement.

"This video is troubling as it urges al Qaedaadherents to launch a cyber attack onAmerica," said Sen. Susan Collins, R-Maine,the ranking member on the committee. "It's

clear that al Qaeda is exploring all means to dous harm and this is evidence that our criticalinfrastructure is a target."The national security community says thethreat of cyber attack is real, and the gapbetween terrorist aspirations and capability isclosing. The senior intelligence official at CyberCommand, Rear Adm. Samuel Cox, has said alQaeda operatives are seeking the capability tostage cyber attacks against U.S. networks andterrorists could purchase the capabilities to doso from expert criminal hackers.Increasing evidence also suggeststhat Iran is looking to commit cyberattacks against the United States,according to testimony last month























before the House Committee on HomelandSecurity. Iran's sponsorship of terrorist groupstakes on a new dimension in cyberspace,where it could develop a powerful cyberweapon and pass it on to a terrorist group.Lieberman is using the al Qaeda video tounderline what he says is the need for newlegislation.."Congress needs to act now to protect theAmerican public from a possible devastatingattack on our electric grid, water deliverysystems, or financial networks," he said. "Asnumerous, bipartisan national security experts

have said, minimum cyber security standardsfor those networks are necessary to protect ournational and economic security. That is why theSenate needs to act on our bipartisan CyberSecurity Act that requires minimum securityperformance requirements for key criticalinfrastructure cyber networks."The Homeland Security Committee says theDepartment of Homeland Security receivedmore than 50,000 reports of cyber intrusions orattempted intrusions since October, anincrease of 10,000 reports over the sameperiod the previous year.

Cyber Warfare: Concepts and Strategic TrendsSource: http://www.inss.org.il/upload/%28FILE%291337837176.pdf

Cyberspace is a new domain of warfare that inrecent years has joined the traditional arenasof land, sea, air, and space. The study thatfollows describes the unique characteristics ofthis new domain of warfare, offers

freshinterpretations of familiar concepts, and

surveys landmark events and organizations inthe field of cyberspace in Israel and abroad.Modern nations and advanced militariesaround the world are intensifying their activities

in cyberspace, which simultaneouslyconstitutees a source of power and a softunderbelly. The infrastructures critical forthe functioning of a state (electricity,communications, water, transportation,finance, and so on) all rely on thisdomain. Military command and controlnetworks depend on cyberspace, as doall the most advanced technologies ofthe modern battlefield, such asintelligence gathering, processing andfusion systems, satellite use on thebattlefield, use of autonomous fightingtools, real time integration of sensorsto identify targets with fire systems,and more.As an arena of warfare, cyberspacepresents some unique features,including the ability to operatequickly, in thousandths ofseconds, against enemies locatedfar away, without risking the livesof combat personnel. The uniquefeatures of the domain alsomake it attractive forconfrontation in the intervalsbetween conventional wars.One may distinguish betweenconfrontations incyberspace (such as

the 2007 attack on Estonia, attributedto Russia) and wars in which attacks























in cyberspace are but one component in a waralongside other forces (such as Russia’s attackon Georgia in 2008). Furthermore, one maydistinguish between attacks taking place incyberspace (attacks on computerized systems)and the use of cyberspace as a means todamage the functionality of machines operatingin the physical domain, e.g., the 2009cyberspace attack on Iran’snuclear program. This event (theStuxnet virus attack), whichdemonstrated the great potentialimpact of cyberspace weapons,was formative in thedevelopment of cyberspace asgrounds for warfare. It appearsthat from now on, cyberwar willlikely play a part in every modernwar. Indeed, both cyberspaceattacks that have occurred andprocesses undertaken by statesto prepare themselves in thisdomain indicate that thecyberspace arms race hasalready started. As part of thisrace, a number of states (theUS, Great Britain, France,Germany, China, and others)have in recent years establishedoffices and headquartersdedicated to cyberspace as adomain of warfare, and securitystrategies for cyberspace havebeen formulated. At the sametime, states are also faced withconsiderations regarding theconstraints of cyber attacks andthe risk of exposure tocounterattacks, especiallybecause defenses are still not sufficientlystrong. In addition, non-state elements such asterrorist organizations are liable to usecyberspace to launch attacks, oncethey achieve the capability of causing severedamage. In tandem, there is growinginternational recognition that it is necessary todefend cyberspace and regulate its activities –similar to regulation inother realms. This type of regulation can beachieved through inter-state cooperation,adaptation of international law to cyberspace,and formulation of a compelling internationaltreaty. Progress thus far has been slow,certainly not in pace with developments incyberspace. In the Israeli context, information

technologies and cyberspace play a decisiverole in Israel’s qualitative superiority in terms ofits economy and security. Cyberspace iscrucial to Israel’s society, the bond between thegovernment and the population, and Israel’sconnections with the world at large. Even moreso, it plays a critical role in Israel’s nationalsecurity, especially given the developing

cyberspace threats, Israel’s informationtechnology advantage, and the potentialcyberspace implications for the modernbattlefield. All of these dimensions oblige Israelto accelerate its efforts to improve defense ofits cyberspace and contribute of its capabilitiesto the defense of cyberspace on a global scale.This research was conducted in the frameworkof the INSS Program on Cyber Warfare,headed by Prof. Isaac Ben-Israel and Dr. GabiSiboni and supported by the Philadelphia-based Joseph and Jeanette NeubauerFoundation. The authors would like toextend their thanks to Dr. AmosGranit, Head of the Institute forIntelligence Research in Military













Intelligence, for his constructive comments,and to Patrizia Isabelle Duda for hercontribution to the memorandum.

This study is published with the assistance ofthe gift of the late Esther Engelberg.

NOTE: You can download the full Memorandum at the Newsletter’s website – “CBRNE-CT Papers”section.

Powerful 'Flame' cyber weapon found in Middle EastSource: http://www.msnbc.msn.com/id/47590214/ns/technology_and_science-security/#.T8TrB1KaXAm

Security experts have discovered a highlysophisticated computer virus in Iran and otherMiddle East countries that they believe wasdeployed at least five years ago to engage instate-sponsored cyber espionage.Evidence suggest that the virus, dubbed"Flame" may have been built on behalf of thesame nation or nations that commissioned the

A computer engineer checks equipment at aninternet service provider in Tehran on Feb. 15,2011.

Stuxnet worm that attacked Iran's nuclearprogram in 2010, according to Kaspersky Lab,the Russian cyber security software maker thatclaimed responsibility for discovering the virus.Kaspersky researchers said on Monday theyhave yet to determine whether Flame had aspecific mission like Stuxnet, and declined tosay who they think built it.Iran has accused the United States and Israelof deploying Stuxnet.Cyber security experts said the discoverypublicly demonstrates what experts privy to

classified information have long known: thatnations have been using pieces of maliciouscomputer code as weapons to promote theirsecurity interests for several years."This is one of many, many campaigns thathappen all the time and never make it into thepublic domain," said Alexander Klimburg, acyber security expert at the Austrian Institute

for International Affairs.A cyber security agency in Iran said on itsEnglish website that Flame bore a "closerelation" to Stuxnet, the notorious computerworm that attacked that country's nuclearprogram in 2010 and is the first publicly knownexample of a cyber weapon.Iran's National Computer EmergencyResponse Team also said Flame might belinked to recent cyber attacks that officials inTehran have said were responsible for massivedata losses on some Iraniancomputer systems.Kaspersky Lab said it discoveredFlame after a U.N.

























telecommunications agency asked it to analyzedata on malicious software across the MiddleEast in search of the data-wiping virus reportedby Iran.

Stuxnet connectionExperts at Kaspersky Lab and Hungary'sLaboratory of Cryptography and SystemSecurity who have spent weeks studyingFlame said they have yet to find any evidencethat it can attack infrastructure, delete data orinflict other physical damage.Yet they said they are in the early stages oftheir investigations and that they may discoverother purposes beyond data theft. It tookresearchers months to determine the keymysteries behind Stuxnet, including thepurpose of modules used to attack a uraniumenrichment facility at Natanz, Iran."Their initial research suggest that this wasprobably written by the authors of Stuxnet forcovert intelligence collection," said JohnBumgarner, a cyber warfare expert with thenon-profit U.S. Cyber Consequences Unit thinktank.Flame appears poised to go down in history asthe third major cyber weapon uncovered afterStuxnet and its data-stealing cousin Duqu,named after the Star Wars villain.The Moscow-based company is controlled byRussian malware researcher EugeneKaspersky. It gained notoriety after solvingseveral mysteries surrounding Stuxnet andDuqu.Their research shows the largest number ofinfected machines are in Iran, followed byIsrael and the Palestinian territories, thenSudan and Syria.The virus contains about 20 times as muchcode as Stuxnet, which caused centrifuges tofail at the Iranian enrichment facility it attacked.It has about 100 times as much code as atypical virus designed to steal financialinformation, said Kaspersky Lab seniorresearcher Roel Schouwenberg.

Gathering dataFlame can gather data files, remotelychange settings on computers, turn on PCmicrophones to record conversations, takescreen shots and log instant messagingchats.Kaspersky Lab said Flame and Stuxnet appearto infect machines by exploiting the same flaw

in the Windows operating system and that bothviruses employ a similar way of spreading.That means the teams that built Stuxnet andDuqu might have had access to the sametechnology as the team that built Flame,Schouwenberg said.He said that a nation state would have thecapability to build such a sophisticated tool, butdeclined to comment on which countries mightdo so.The question of who built flame is sure tobecome a hot topic in the security communityas well as the diplomatic world.There is some controversy over who wasbehind Stuxnet and Duqu. Some expertssuspect the United States and Israel, a viewthat was laid out in a January 2011 New YorkTimes report that said it came from a jointprogram begun around 2004 to underminewhat they say are Iran's efforts to build a bomb.The U.S. Defense Department, CIA, StateDepartment, National Security Agency, andU.S. Cyber Command declined to comment.Hungarian researcher Boldizsar Bencsath,whose Laboratory of Cryptography andSystems Security first discovered Duqu, saidhis analysis shows that Flame may have beenactive for at least five years and perhaps eightyears or more.That implies it was active long before Stuxnet."It's huge and overly complex, which makes methink it's a first-generation data gathering tool,"said Neil Fisher, vice president for globalsecurity solutions at Unisys Corp. "We aregoing to find more of these things over time."Others said that cyber weapons technologyhas inevitably advanced since Flame was built."The scary thing for me is: if this is what theywere capable of five years ago, I can only thinkwhat they are developing now," Mohan Koo,managing director of British-based DtexSystems cyber security company.Some experts speculated that the discovery ofthe virus may have dealt a psychological blowto its victims, on top of whatever damageFlame may have already inflicted to theircomputers."If a government initiated the attack it might notcare that the attack was discovered," saidKlimburg of the Austrian Institute forInternational Affairs. "The psychologicaleffect of the penetration could benearly as profitable as the intelligencegathered."















Be afraid: Die Hard 4 reveals a real threatSource: http://www.smh.com.au/it-pro/security-it/be-afraid--die-hard-4-reveals-a-real-threat-20120528-1zeg0.html?goback=.gde_2708813_member_119700532

Five years on, John McClane's securitynightmare is not so sci-fi.Diligence and gritty determination may havehelped Eugene Kaspersky become one of thesoftware world's most successfulentrepreneurs, but there's one thing theantivirus king can't bear: Die Hard 4.0."I watched the movie for 20 minutes, thenpressed pause, got a cigarette and a glass ofScotch. To me it was really scary: they weretalking about real scenarios. It was like a userguide for cyber terrorists. I hated that movie,"the flamboyant Russian entrepreneur says.The popular 2007 action film pits Bruce Willis'character, John McClane, against a domesticterrorist who's bent on launching a large-scalecyber attack that would disable financialmarkets, traffic lights, and other computer-controlled infrastructure across the UnitedStates.

Eugene Kaspersky, CEO of Kaspersky Labs,saw cyber threats coming. Photo: Lee Besford

For most viewers, it was nothing more than afast-paced popcorn flick combining machobravura with implausible technobabble. ForKaspersky it represented the popularisation ofa relatively new mode of cyber attack that hasnow emerged as a real threat."We came to the [potential] of cyber terroristattacks years before Die Hard 4.0," explainsKaspersky, the co-founder and chief executiveof security firm Kaspersky Labs. "But it was

forbidden in my company to explain it tojournalists, because I didn't want to openPandora's Box. I didn't want to let people thinkthat my business is the business of fear. And Ididn't want the bad guys to learn from theseideas."His "silence" wasn't enough: as at least onehigh-profile hacking attack has recently shown,industrial control systems – and, in particular,SCADA (Supervisory Control and DataAcquisition) systems used to monitor andmanage physical plant processes - can be atarget of interest for a number of attackers,from hackers to military operations.Because of their mission-critical nature,SCADA systems traditionally run on separatedata networks with no internet or intranetconnectivity. However, some have beenbrought online, to enable remote access and

control.Their security environments are oftenmanaged separately to those of thegeneral enterprise, and they often run ondifferent operating systems that aren'tupdated as often as enterprise software,leading some experts to believe SCADAsystems present potential holes in thecyber defences of critical infrastructureoperations.The threat became clear in mid 2010as the notorious Stuxnet wormspread across Windows desktopsinside Iran's nuclear facilities, until itfound systems running Step-7. Thesoftware application from Germangiant Siemens manages SCADA

programmable logic controllers(PLCs) that control industrial process lines. It isbelieved Stuxnet then grant itself root accessand reconfigured SCADA systems that metcertain specific criteria.An incident in 2000 brought SCADA sabotageto our shores as Queensland-based formerMaroochy Shire Council (now Sunshine CoastCouncil) was forced to deal with attacks fromdisgruntled SCADA contractor Vitek Boden,whose work with a laptop and radiotransmitter flooded parks, rivers, anda local hotel with 800,000 litres of rawsewage.





















While isolated, these events remain a threat,says Bill Holder, a SCADA security expert.

"The threat from hackers is real," he explains,arguing that infrastructure authorities shouldbuild security controls at every level of theinfrastructure to limit their exposure to majorattacks."Catastrophic failure is one end of the scale,and is the type of thing that fail-safe [measures]and monitoring would mitigate. The idea ofsecurity is that it is not added on aftereverything else is done; it should be part of theoverall design and development," Holder says."There has been a limited focus on securitywhen it comes to control systems. Some of thecontrol systems in place today are very old,and were installed long before security was anissue. In a perfect world with unlimited time andbudgets it would be great to start again, but thereality is that a lot of money has been investedin control systems that can't just be thrownaway."Kaspersky is one of a large chorus of voicesarguing for infrastructure operators to tightenSCADA security as a matter of priority – buteven he admits that the high cost and longtimeframe for replacing systems makes itunlikely much will change in the short term.

Holder agrees: "There is no reason to throw outperfectly good control system infrastructure if itcan be made secure," he says. "The real key iswhether the equipment can be brought up to

standard."Ongoing delays could leave any infrastructureoperator exposed – with disastrous side effectsif state-sponsored cyber attacks lead to all outcyberwar. Some consider Stuxnet to be the firstvolley in a new kind of economic and politicalconflict.Many governments have moved to contain thepossibility of unchecked cyber warfare, with theUS and China recently running 'war games'testing cyber attacks.Far from the rarefied heights of internationalcyber warfare, however, Kaspersky warns thatcompanies can't be complacent when it comesto cyber-security. While new tools areconstantly being developed and improved in aneffort to keep up with often bloody-mindedhackers, he believes companies need to makesecurity an endemic part of their culture.This includes everything from reworking long-unimproved administrative systems, to forcingsenior business managers to undergo formalsecurity training and certification. "Thesetargeted attacks just started to happen on aregular basis in the last two years," he says."Some of these incidents smell so high-levelthat I'm sure the bad guys were testing thembefore they attacked.""Companies are becoming aware of this," headds, "but it can take years to develop a newdesign. In the meantime, they should considerdisconnecting some parts of the IT from thenetwork; introducing military security standardsto the enterprise environment; and makingtop managers pass security training.There is no 100 per cent security."















Obama Order Sped Up Wave of Cyberattacks Against IranSource: http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?_r=2&pagewanted=1&pagewanted=all

From his first months in office, PresidentObama secretly ordered increasinglysophisticated attacks on the computer systemsthat run Iran’s main nuclear enrichmentfacilities, significantly expanding America’s firstsustained use of cyberweapons, according toparticipants in the program.

Iran’s nuclear enrichment facility at Natanz.

Mr. Obama decided to accelerate the attacks— begun in the Bush administration and code-named Olympic Games — even after anelement of the program accidentally becamepublic in the summer of 2010 because of aprogramming error that allowed it to escapeIran’s Natanz plant and sent it around the worldon the Internet. Computer security experts whobegan studying the worm, which had beendeveloped by the United States and Israel,gave it a name: Stuxnet.At a tense meeting in the White HouseSituation Room within days of the worm’s“escape,” Mr. Obama, Vice President JosephR. Biden Jr. and the director of the CentralIntelligence Agency at the time, Leon E.

Panetta, considered whether America’s mostambitious attempt to slow the progress of Iran’snuclear efforts had been fatally compromised.“Should we shut this thing down?” Mr. Obamaasked, according to members of the president’snational security team who were in the room.Told it was unclear how much the Iraniansknew about the code, and offered evidencethat it was still causing havoc, Mr. Obamadecided that the cyberattacks should proceed.In the following weeks, the Natanz plant was hitby a newer version of the computer worm, andthen another after that. The last of that seriesof attacks, a few weeks after Stuxnet wasdetected around the world, temporarily took outnearly 1,000 of the 5,000 centrifuges Iran hadspinning at the time to purify uranium.This account of the American and Israeli effortto undermine the Iranian nuclear program isbased on interviews over the past 18 monthswith current and former American, Europeanand Israeli officials involved in the program, aswell as a range of outside experts. None wouldallow their names to be used because the effortremains highly classified, and parts of itcontinue to this day.These officials gave differing assessments ofhow successful the sabotage program was inslowing Iran’s progress toward developing theability to build nuclear weapons. InternalObama administration estimates say the effortwas set back by 18 months to two years, butsome experts inside and outside thegovernment are more skeptical, noting thatIran’s enrichment levels have steadilyrecovered, giving the country enough fueltoday for five or more weapons, with additionalenrichment.Whether Iran is still trying to design and build aweapon is in dispute. The most recent UnitedStates intelligence estimate concludes that Iransuspended major parts of its weaponizationeffort after 2003, though there is evidence thatsome remnants of it continue.Iran initially denied that its enrichment facilitieshad been hit by Stuxnet, then said it had foundthe worm and contained it. Last year,the nation announced that it hadbegun its own military cyberunit, andBrig. Gen. Gholamreza Jalali, the

















head of Iran’s Passive Defense Organization,said that the Iranian military was prepared “tofight our enemies” in “cyberspace and Internetwarfare.” But there has been scant evidencethat it has begun to strike back.The United States government only recentlyacknowledged developing cyberweapons, andit has never admitted using them. There havebeen reports of one-time attacks againstpersonal computers used by members of AlQaeda, and of contemplated attacks againstthe computers that run air defense systems,including during the NATO-led air attack onLibya last year. But Olympic Games was of anentirely different type and sophistication.It appears to be the first time the United Stateshas repeatedly used cyberweapons to crippleanother country’s infrastructure, achieving, withcomputer code, what until then could beaccomplished only by bombing a country orsending in agents to plant explosives. Thecode itself is 50 times as big as the typicalcomputer worm, Carey Nachenberg, a vicepresident of Symantec, one of the many groupsthat have dissected the code, said at asymposium at Stanford University in April.Those forensic investigations into the innerworkings of the code, while picking apart how itworked, came to no conclusions about whowas responsible.A similar process is now under way to figureout the origins of another cyberweapon calledFlame that was recently discovered to haveattacked the computers of Iranian officials,sweeping up information from those machines.But the computer code appears to be at leastfive years old, and American officials say that itwas not part of Olympic Games. They havedeclined to say whether the United States wasresponsible for the Flame attack.Mr. Obama, according to participants in themany Situation Room meetings on OlympicGames, was acutely aware that with everyattack he was pushing the United States intonew territory, much as his predecessors hadwith the first use of atomic weapons in the1940s, of intercontinental missiles in the 1950sand of drones in the past decade. Herepeatedly expressed concerns that anyAmerican acknowledgment that it was usingcyberweapons — even under the most carefuland limited circumstances — could enableother countries, terrorists or hackers to justifytheir own attacks.

“We discussed the irony, more than once,” oneof his aides said. Another said that theadministration was resistant to developing a“grand theory for a weapon whose possibilitiesthey were still discovering.” Yet Mr. Obamaconcluded that when it came to stopping Iran,the United States had no other choice.If Olympic Games failed, he told aides, therewould be no time for sanctions and diplomacywith Iran to work. Israel could carry out aconventional military attack, prompting aconflict that could spread throughout theregion.

A Bush InitiativeThe impetus for Olympic Games dates from2006, when President George W. Bush sawfew good options in dealing with Iran. At thetime, America’s European allies were dividedabout the cost that imposing sanctions on Iranwould have on their own economies. Havingfalsely accused Saddam Hussein ofreconstituting his nuclear program in Iraq, Mr.Bush had little credibility in publicly discussinganother nation’s nuclear ambitions. TheIranians seemed to sense his vulnerability,and, frustrated by negotiations, they resumedenriching uranium at an underground site atNatanz, one whose existence had beenexposed just three years before.Iran’s president, Mahmoud Ahmadinejad, tookreporters on a tour of the plant and describedgrand ambitions to install upward of 50,000centrifuges. For a country with only one nuclearpower reactor — whose fuel comes fromRussia — to say that it needed fuel for itscivilian nuclear program seemed dubious toBush administration officials. They feared thatthe fuel could be used in another way besidesproviding power: to create a stockpile thatcould later be enriched to bomb-grade materialif the Iranians made a political decision to doso.Hawks in the Bush administration like VicePresident Dick Cheney urged Mr. Bush toconsider a military strike against the Iraniannuclear facilities before they could produce fuelsuitable for a weapon. Several times, theadministration reviewed military options andconcluded that they would only further inflamea region already at war, and would haveuncertain results.For years the C.I.A. had introducedfaulty parts and designs into Iran’ssystems — even tinkering with













imported power supplies so that they wouldblow up — but the sabotage had had relativelylittle effect. General James E. Cartwright, whohad established a small cyberoperation insidethe United States Strategic Command, which isresponsible for many of America’s nuclearforces, joined intelligence officials in presentinga radical new idea to Mr. Bush and his nationalsecurity team. It involved a far moresophisticated cyberweaponthan the United Stateshad designed before.The goal was to gainaccess to the Natanzplant’s industrialcomputer controls.That required leapingthe electronic moatthat cut the Natanzplant off from theInternet — called the air gap,because it physically separates the facility fromthe outside world. The computer code wouldinvade the specialized computers thatcommand the centrifuges.The first stage in the effort was to develop a bitof computer code called a beacon that could beinserted into the computers, which were madeby the German company Siemens and anIranian manufacturer, to map their operations.The idea was to draw the equivalent of anelectrical blueprint of the Natanz plant, tounderstand how the computers control thegiant silvery centrifuges that spin attremendous speeds. The connections werecomplex, and unless every circuit wasunderstood, efforts to seize control of thecentrifuges could fail.Eventually the beacon would have to “phonehome” — literally send a message back to theheadquarters of the National Security Agencythat would describe the structure and dailyrhythms of the enrichment plant. Expectationsfor the plan were low; one participant said thegoal was simply to “throw a little sand in thegears” and buy some time. Mr. Bush wasskeptical, but lacking other options, heauthorized the effort.

Breakthrough, Aided by IsraelIt took months for the beacons to do their workand report home, complete with maps of theelectronic directories of the controllers andwhat amounted to blueprints of how they were

connected to the centrifuges deepunderground.Then the N.S.A. and a secret Israeli unitrespected by American intelligence officials forits cyberskills set to work developing theenormously complex computer worm thatwould become the attacker from within.The unusually tight collaboration with Israelwas driven by two imperatives. Israel’s Unit

8200, a part of its military,had technical expertisethat rivaled the N.S.A.’s,and the Israelis haddeep intelligence about

operations at Natanz thatwould be vital to makingthe cyberattack a success.But American officials hadanother interest, todissuade the Israelis from

carrying out their own pre-emptive strike against the Iranian nuclearfacilities. To do that, the Israelis would have tobe convinced that the new line of attack wasworking. The only way to convince them,several officials said in interviews, was to havethem deeply involved in every aspect of theprogram.Soon the two countries had developed acomplex worm that the Americans called “thebug.” But the bug needed to be tested. So,under enormous secrecy, the United Statesbegan building replicas of Iran’s P-1centrifuges, an aging, unreliable design thatIran purchased from Abdul Qadeer Khan, thePakistani nuclear chief who had begun sellingfuel-making technology on the black market.Fortunately for the United States, it alreadyowned some P-1s, thanks to the Libyandictator, Col. Muammar el-Qaddafi.When Colonel Qaddafi gave up his nuclearweapons program in 2003, he turned over thecentrifuges he had bought from the Pakistaninuclear ring, and they were placed in storageat a weapons laboratory in Tennessee. Themilitary and intelligence officials overseeingOlympic Games borrowed some for what theytermed “destructive testing,” essentiallybuilding a virtual replica of Natanz, butspreading the test over several of the EnergyDepartment’s national laboratories to keepeven the most trusted nuclearworkers from figuring out what wasafoot.



















Those first small-scale tests were surprisinglysuccessful: the bug invaded the computers,lurking for days or weeks, before sendinginstructions to speed them up or slow themdown so suddenly that their delicate parts,spinning at supersonic speeds, self-destructed.After several false starts, it worked. One day,toward the end of Mr. Bush’s term, the rubbleof a centrifuge was spread out on theconference table in the Situation Room, proofof the potential power of a cyberweapon. Theworm was declared ready to test against thereal target: Iran’s underground enrichmentplant.“Previous cyberattacks had effects limited toother computers,” Michael V. Hayden, theformer chief of the C.I.A., said, declining todescribe what he knew of these attacks whenhe was in office. “This is the first attack of amajor nature in which a cyberattack was usedto effect physical destruction,” rather than justslow another computer, or hack into it to stealdata.“Somebody crossed the Rubicon,” he said.Getting the worm into Natanz, however, was noeasy trick. The United States and Israel wouldhave to rely on engineers, maintenanceworkers and others — both spies and unwittingaccomplices — with physical access to theplant. “That was our holy grail,” one of thearchitects of the plan said. “It turns out there isalways an idiot around who doesn’t think muchabout the thumb drive in their hand.”In fact, thumb drives turned out to be critical inspreading the first variants of the computerworm; later, more sophisticated methods weredeveloped to deliver the malicious code.The first attacks were small, and when thecentrifuges began spinning out of control in2008, the Iranians were mystified about thecause, according to intercepts that the UnitedStates later picked up. “The thinking was thatthe Iranians would blame bad parts, or badengineering, or just incompetence,” one of thearchitects of the early attack said.The Iranians were confused partly because notwo attacks were exactly alike. Moreover, thecode would lurk inside the plant for weeks,recording normal operations; when it attacked,it sent signals to the Natanz control roomindicating that everything downstairs wasoperating normally. “This may have been themost brilliant part of the code,” one Americanofficial said.

Later, word circulated through the InternationalAtomic Energy Agency, the Vienna-basednuclear watchdog, that the Iranians had grownso distrustful of their own instruments that theyhad assigned people to sit in the plant andradio back what they saw.“The intent was that the failures should makethem feel they were stupid, which is whathappened,” the participant in the attacks said.When a few centrifuges failed, the Iranianswould close down whole “stands” that linked164 machines, looking for signs of sabotage inall of them. “They overreacted,” one officialsaid. “We soon discovered they fired people.”Imagery recovered by nuclear inspectors fromcameras at Natanz — which the nuclearagency uses to keep track of what happensbetween visits — showed the results. Therewas some evidence of wreckage, but it wasclear that the Iranians had also carted awaycentrifuges that had previously appeared to beworking well.But by the time Mr. Bush left office, nowholesale destruction had been accomplished.Meeting with Mr. Obama in the White Housedays before his inauguration, Mr. Bush urgedhim to preserve two classified programs,Olympic Games and the drone program inPakistan. Mr. Obama took Mr. Bush’s advice.

The Stuxnet SurpriseMr. Obama came to office with an interest incyberissues, but he had discussed them duringthe campaign mostly in terms of threats topersonal privacy and the risks to infrastructurelike the electrical grid and the air traffic controlsystem. He commissioned a major study onhow to improve America’s defenses andannounced it with great fanfare in the EastRoom.What he did not say then was that he was alsolearning the arts of cyberwar. The architects ofOlympic Games would meet him in theSituation Room, often with what they called the“horse blanket,” a giant foldout schematicdiagram of Iran’s nuclear production facilities.Mr. Obama authorized the attacks to continue,and every few weeks — certainly after a majorattack — he would get updates and authorizethe next step. Sometimes it was a strike riskierand bolder than what had been triedpreviously.“From his first days in office, he wasdeep into every step in slowing theIranian program — the diplomacy, the













sanctions, every major decision,” a senioradministration official said. “And it’s safe to saythat whatever other activity might have beenunder way was no exception to that rule.”But the good luck did not last. In the summer of2010, shortly after a new variant of the wormhad been sent into Natanz, it became clear thatthe worm, which was never supposed to leavethe Natanz machines, had broken free, like azoo animal that found the keys to the cage. Itfell to Mr. Panetta and two other crucial playersin Olympic Games — General Cartwright, thevice chairman of the Joint Chiefs of Staff, andMichael J. Morell, the deputy director of theC.I.A. — to break the news to Mr. Obama andMr. Biden.An error in the code, they said, had led it tospread to an engineer’s computer when it washooked up to the centrifuges. When theengineer left Natanz and connected thecomputer to the Internet, the American- andIsraeli-made bug failed to recognize that itsenvironment had changed. It began replicatingitself all around the world. Suddenly, the codewas exposed, though its intent would not beclear, at least to ordinary computer users.“We think there was a modification done by theIsraelis,” one of the briefers told the president,“and we don’t know if we were part of thatactivity.”Mr. Obama, according to officials in the room,asked a series of questions, fearful that thecode could do damage outside the plant. Theanswers came back in hedged terms. Mr.Biden fumed. “It’s got to be the Israelis,” hesaid. “They went too far.”In fact, both the Israelis and the Americans hadbeen aiming for a particular part of thecentrifuge plant, a critical area whose loss, theyhad concluded, would set the Iranians backconsiderably. It is unclear who introduced theprogramming error.

The question facing Mr. Obama was whetherthe rest of Olympic Games was in jeopardy,now that a variant of the bug was replicatingitself “in the wild,” where computer securityexperts can dissect it and figure out itspurpose.“I don’t think we have enough information,” Mr.Obama told the group that day, according tothe officials. But in the meantime, he orderedthat the cyberattacks continue. They were hisbest hope of disrupting the Iranian nuclearprogram unless economic sanctions began tobite harder and reduced Iran’s oil revenues.Within a week, another version of the bugbrought down just under 1,000 centrifuges.Olympic Games was still on.

A Weapon’s Uncertain FutureAmerican cyberattacks are not limited to Iran,but the focus of attention, as one administrationofficial put it, “has been overwhelmingly on onecountry.” There is no reason to believe that willremain the case for long. Some officialsquestion why the same techniques have notbeen used more aggressively against NorthKorea. Others see chances to disrupt Chinesemilitary plans, forces in Syria on the way tosuppress the uprising there, and Qaedaoperations around the world. “We’veconsidered a lot more attacks than we havegone ahead with,” one former intelligenceofficial said.Mr. Obama has repeatedly told his aides thatthere are risks to using — and particularly tooverusing — the weapon. In fact, no country’sinfrastructure is more dependent on computersystems, and thus more vulnerable to attack,than that of the United States. It is only amatter of time, most experts believe, before itbecomes the target of the same kind ofweapon that the Americans have used,secretly, against Iran.

This article is adapted from “Confront and Conceal: Obama’s Secret Wars and SurprisingUse of American Power,” to be published by Crown on Tuesday (June 3, 2012).

India: Cyber Terrorism And The Fifth Domain – AnalysisBy Sanchita BhattacharyaSource: http://www.eurasiareview.com/05062012-india-cyber-terrorism-and-the-fifth-domain-analysis/

Expressing grave concern about the growingthreat of cyber terrorism in his openingstatement at the meeting of Chief Ministers on

National Counter Terrorism Centre(NCTC) held on May 5, 2012, Union





















Home Minister P. Chidambaram stated:…there are terrorist threats in the cyberspace, which is the fifth domain after land,sea, air and space. Much of our criticalinfrastructure lies in cyber space. Cybercrimes such as hacking, financial fraud,data theft, espionage etc. would, in certaincircumstances, amount to terrorist acts.Our counter terrorism (CT) capacity mustbe able to meet the threats in cyber space.Since there are no boundaries in cyberspace, how will the Central Governmentand the State Governments share theresponsibility to face the threats in cyberspace?

IndiaChidambaram was, of course,using the cyber threat to buttresshis arguments in favour of theNCTC, a pet project that hasmet with tremendous resistancefrom the States. Nevertheless,the threat of cyber terrorism isreal and growing, as global andnational systems becomeincreasingly interlinked andinterdependent. Indeed, speculationabout the potential threat of cyberattacks has been rife since the 1980s, andGovernment systems across the world havebeen targeted from time to time, principally inmarginally disruptive and vandalizing actions,variously, by politically motivated, mischievousand state backed groupings. Definitionaldisputes abound, and it is not clear how manyof these can be described as cyber terrorist‘attacks’. Nevertheless, cyber technology hasbecome a crucial tool in the terrorist arsenal,and its use to directly engineer widespread,and potentially life threatening, disruptionscannot be overestimated. The USGovernment’s Stuxnet attack against Iran’sprincipal uranium enrichment facilities, whichexperts believe may stall Iran’s nuclearprogram by as much as five years, recentlydemonstrated the potential capability of cyberwar interventions.Cyber technology has played a role – albeitprincipally as a covert communication,propaganda or psychological warfare tool – interrorist activities in India, for some time now.This includes prominent attacks in citiesincluding Ahmedabad, Jaipur, Delhi, Mumbaiand Varanasi, among others, over the past

years. Significantly, the perpetrators of theNovember 26, 2008, Mumbai terrorist attacks(26/11), which claimed 166 lives, madesubstantial use of cyber technology inpreparing and mounting the operation. USMarine Corps Lieutenant General George J.Flynn, on May 15, 2012, observed, “All the(26/11) mission planning was done via GoogleEarth… The terrorists used cellular phonenetworks as command and control and socialmedia to track and thwart the efforts of Indiancommandos.” He noted, further, “Space andcyber will continue to play an increased role inevents, with each becoming increasingly

contested domains – so it’s anew domain that we’re

going to have tocontest.”

A December 2008report had earliernoted that the

Pakistan-backedLashkar-e-Toiba

(LeT) had usedVoice-over

Internet Protocol(VoIP) software to

communicate with the26/11 attackers on the

ground and direct the largescale operation on a real-time basis. CitingIndian intelligence sources, the report claimedthat the attackers’ handlers “were apparentlywatching the attacks unfold live on television[and] were able to inform the attackers of themovement of security forces from newsaccounts and provide the gunmen withinstructions and encouragement”. Thedistinguishing feature of VoIP-basedcommunications, which form the technicalbasis of popular communications software suchas Skype and Vonage, is that audio signals areconverted to data and travel through most ofthe Internet infrastructure in binary, rather thanaudio, format, making them near impossible todetect and proactively intercept.After the terrorist attack on Delhi High Court onSeptember 7, 2011, in which 15 persons werekilled and another 87 were injured,investigative assistance was sought from theUS and some south-east Asian countries,including Myanmar, Thailand,Malaysia and Indonesia, to trace backcyber linkages connected with theincident. Terrorists had hacked into





























unsecured wi-fi internet connections to send e-mails after the attack.The Indian Mujahedeen (IM) has carried outover a dozen high profile attacks, including theMay 13, 2008, Jaipur (Rajasthan) bombings;the July 25, 2008, Bangalore (Karnataka) serialblasts; the July 26, 2008, Ahmedabad (Gujarat)serial blasts; the September 13, 2008, Delhiserial blasts; the Pune German Bakery blastsof February 13, 2010; and the Mumbai serialblasts of July 13, 2011. Before almost all ofthese attacks, IM activists sent out e-mails tovarious media organisations.Police traced e-mails sent by IM from NavinComputer in Sahibabad area of GhaziabadDistrict in Uttar Pradesh (UP) soon after theMay 13, 2008, Jaipur (Rajasthan) blast, whichclaimed 80 lives. Three video clips attached toone of the e-mails showed two explosive-fittedbicycles moments before they were detonated.The e-mails were sent from two accounts –[email protected] [email protected] activists had hacked into the unsecured wi-fiinternet connection of an American national,Kenneth Haywood, residing in the Sanpadaarea of Navi Mumbai, minutes before the July26, 2008, Ahmedabad terror attack, whichkilled 53 people. An e-mail claiming the attackwas sent prior to the blasts from his InternetProtocol (IP) address.After the September 19, 2010, Jama Masjid(Delhi) attack, Delhi Police confirmed, a daylater, that the IM had sent a threat e-mail fromthe IP address of a computer in Mumbai.Investigations into the Varanasi (UP) blast ofDecember 7, 2010, highlighted the need for‘wardriving’ to detect threat mails posted by IM,allegedly from Mumbai. ‘Wardriving’ is used tosearch for wi-fi wireless networks with the helpof a laptop from a moving vehicle, in order todetect unsecured wi-fi internet points that maybe exploited.The LeT has attained a significant degree of‘cyber efficiency’, and has been makingincreasing use of VoIP for communications.LeT’s 26/11 ‘master-mind’, Zaki-ur RehmanLakhvi, who is presently in a Rawalpindi(Pakistan) jail, is known to have beennetworking with LeT cadres from jail, using aprivate VoIP on his smart phone. “Lakhvi’scompound serves as Lashkar’s alternativeheadquarters,” an unnamed top intelligencesource disclosed. Pakistan-based LeT, which isheaded by Hafiz Mohammad Saeed, started

using VoIP as soon as the technology becamecommon in the early 2000s. Highlighting theproblems this creates, an unnamed intelligencesource explained, “Earlier, we could interceptconversations on phone or locate Lashkarcadres based on their IP addresses throughtheir emails. But now we’re finding it tough togather intelligence because Lashkar men holdaudio or video conferences using private VoIP”.According to an article written by RaviVisvesvaraya Prasad, published in TheHindustan Times on December 19, 2000, anumber of Pakistani hacker groups, including‘Death to India’, ‘Kill India’, and ‘G-ForcePakistan’, have openly circulated instructionsfor attacking Indian computers. Websites runby Nicholas Culshaw of Karachi, and anotherrun by Arshad Qureshi of Long Beach,California, circulated malicious anti-Indianpropaganda along with step-by-stepinstructions for hacking into thousands ofIndian websites. Anti-Indian terroristinstructions were also hosted byhttp://62.236.92.165, http://209.204.7.131, andhttp://209.204.5.113. All these sites appear tobe disabled now, but their architects quicklyrecreate new platforms.On December 3, 2010, in a breach of securitywas detected on the Central Bureau ofInvestigation (CBI) website, which had beenhacked by the ‘Pakistan Cyber Army’. The CBIhome page carried a message from the‘Pakistani Cyber Army’ warning India not toattempt to attack their websites. It furtherclaimed to have defaced another 270 Indianwebsites.Interestingly, according to the report of theSecurity and Defence Agenda (SDA), a leadingdefence and security think-tank in Brussels(Belgium) and McAfee, India has been rankedfifth in the worldwide ranking of countriesaffected by Cyber Crime.Explaining the severity of Cyber Crime in India,Minister of State for Communications andInformation Technology, Sachin Pilot, on March26, 2012, informed the Rajya Sabha (UpperHouse of Parliament) that cyber crimes wereon the rise in the country. He also palced datamaintained by the National Crime RecordsBureau (NCRB) before Parliament,documenting the number of cyber crimecases and related arrests under theInformation Technology Act, 2000:











Years Cyber CrimeCases

Arrests

2007 217 1542008 288 1782009 420 2882010 966 799

Further, the number of cases registered underCyber Crime related sections of Indian PenalCode (IPC), along with the number of arrests,were given as:Years Cyber Crime

CasesArrests

2007 328 4292008 176 1952009 276 2632010 356 294

Earlier, explaining the threat faced byGovernment websites due to Cyber Crime inthe Lok Sabha (Lower House of Parliament),the Minister had stated, on November 30,2011, that a total of 90, 119, 252 and 219Government websites, as reported and trackedby the Indian Computer Emergency ResponseTeam (CERT-In), had been defaced by varioushacker groups in the year 2008, 2009, 2010and January–October 2011, respectively.As far Government initiative is concerned,following the 26/11 attacks, the InformationTechnology Act, 2000, has been amended byInformation Technology (Amendment) Act,2008 with effect from October 27, 2009. Theamended Act is a comprehensive Act andprovides legal framework to fight all prevalentcyber crimes. Stringent punishment rangingfrom imprisonment of three years to lifeimprisonment and fine has been provided forvarious acts of cyber crime.On March 27, 2012, explaining Governmentinitiatives to contain Cyber Crime, Pilot

informed the Rajya Sabha that a majorprogramme had been initiated on thedevelopment of cyber forensics, setting up ofinfrastructure for investigation and training ofusers, including Police and judicial officers, andtraining for the collection and analysis of digitalevidence. He disclosed that the Data SecurityCouncil of India (DSCI) had organized 112training programmes on Cyber CrimeInvestigation and awareness, and a total of3,680 Police and judicial officers, as well aspublic prosecutors, had been trained.On May 16, 2012, National Security AdvisorShiv Shankar Menon disclosed that theGovernment was in the ‘final stages’ ofpreparing the ‘national cyber securityarchitecture’ and would hold consultations onthe subject with the National Association ofSoftware and Services Companies(NASSCOM), the apex body of the softwareand services companies in India, in June.Cyber crimes and the use of cyber space andtechnologies by terrorists are, currently, atworst, powerful facilitators for terrorist groups.In the main, they remain marginal irritants tothe system. Nevertheless, the potential threatthey constitute is grave, and this has beennoticed by the Indian state. A decision hasbeen taken to establish a National CyberCoordination Centre, a full-fledged agency tocounter this menace. However, current deficitsin trained manpower and state of art equipmentand infrastructure may hobble effectiveoperationalization for some time. A race iscurrently on, with terrorists, on the one hand,pushing the frontiers of cyber space to harnessthe most disruptive of tools possible, and stateagencies, on the other, seeking to interdictthem in this enterprise. It remains to be seenwhich side in the conflict has the greatercoherence and more sustained motivation.

Sanchita Bhattacharya is a Research Assistant, Institute for Conflict Management

Cyberweapons: Bold steps in a digital darkness?Source: http://thebulletin.org/web-edition/op-eds/cyberweapons-bold-steps-digital-darkness

In 1945, the United States organized acommittee to investigate whether nuclearweapons should become a central militarytechnology, or whether to abjure the weaponsand, through self-restraint, avoid a costly andpotentially deadly nuclear arms race. Led by

Undersecretary of State Dean Acheson andChairman of the Tennessee Valley AuthorityDavid Lilienthal, the committeeproduced the eponymous Acheson-Lilienthal Report, which, after it failedto gather reasonable support, marked




Arrests

2007 217 1542008 288 1782009 420 2882010 966 799


CasesArrests

2007 328 4292008 176 1952009 276 2632010 356 294










Arrests

2007 217 1542008 288 1782009 420 2882010 966 799


CasesArrests

2007 328 4292008 176 1952009 276 2632010 356 294









a turning point in the Cold War and signaledthe beginning of the nuclear arms race. Almost70 years later, we find ourselves at a similarjuncture with cyberwarfare. Cyber weapons donot appear to be capable of mass destructionin the way nuclear weapons clearly are, butthey hold at risk some of the most preciousassets of our time: the information storage andcontrol mechanisms on whichmodern society has been built. It is not difficultto imagine catastrophic scenarios such as thedestruction of a banking sector, the eliminationof a stock market, the flooding of a dam, or thepoisoning of a water supply -- all initiated bymalfunctions induced by malicioussoftware. The United States rushed into thenuclear age eager to cement its technicalsuperiority, causing a decades-long nucleararms race that threatened global extinction.Before policymakers go too far, they shouldnow take a moment to consider theimplications -- both intended andunintended -- of cyberweapons.While digital spying has taken place fordecades, the era of computer-mediateddestruction has only recently begun. Earlythis month The New York Times publishedan investigative feature that exploredOlympic Games, a cyberweapons programdesigned to sabotage an element ofanother country's infrastructure. Startedduring the Bush administration, this is thefirst known program of its kind. Inembarking on Olympic Games, the UnitedStates and Israel stepped boldly, but naively,into uncharted territory.The first battle of Olympic Games reached thepublic eye in July 2010, when news broke ofStuxnet, a creative worm designed to causeIran's uranium-enrichment centrifuges toexplode by changing, with software, theiroperating parameters. On its heels were Duqu,Wiper, and Flame, a set of multipurpose toolsthat collected intelligence, identifiedvulnerabilities, and sabotaged informationsystems.In some small way, the strategic vision ofOlympic Games is commendable.Cyberattacks might have reduced Israelipressure for conventional military strikes thatcould have led to a deadly and protracted warwith Iran and triggered Iran to race for thebomb. The cyberstrategy might have also beenrationalized as providing more opportunity fordiplomacy -- but as with most experimental

programs, events did not go according to planand unforeseen consequences soon emerged.Consider as a case study Stuxnet: Firstinjected into Iran's computers in June 2009, theworm appears to have destroyed more than1,000 of Iran's 5,000 gas centrifuges, accordingto data reported by the International AtomicEnergy Agency (IAEA). However, by drawingfrom its centrifuge reserves, Iran was able toreplace quickly its destroyed centrifuges andcompensate for the losses, even while theStuxnet attack was ongoing.Indeed, if the measure of Iran's progresstoward a nuclear weapon is its inventory of

enriched uranium, then Iran came out ahead.IAEA data indicates that Iran was able to boostoutput enough to reverse all Stuxnet-inducedproduction losses by March 2010, about eightmonths after the attack first began to have aneffect. After the successful eradication ofStuxnet in the summer of 2010, Iran sustainedits heightened level of production, expandingits low-enriched uranium stockpile at ratesexceeding the pre-Stuxnet trend. If, withoutStuxnet, Iran would have expanded productionaccording to its historical trajectory, then onewould conclude that the cyberattack wound upenhancing Iran's ability to make nuclearweapons instead of setting the program back.What went wrong? Stuxnet was designed tooperate on an ongoing basis without beingdetected: a strategy of steady attrition in thepursuit of time. The worm was notsupposed to leave Iran or bediscovered -- but it soon spreadbeyond the confines of Iran's nuclear

Article Highlights The United States rushed into the nuclear age eager to

cement its technical superiority, disregarding warnings of keystatesmen and scientists that a decades-long nuclear armsrace would ensue. Before they go too far, policymakers shouldconsider the implications -- both intended and unintended -- ofcyberweapons.

Though Israel and the United States may have vast resourcesto support sophisticated and creative cyberweapons programs,it is worth remembering that such advantage could be itsdisadvantage: Each new cyberattack becomes a template forother nations -- or sub-national actors -- looking for ideas.

As nations begin to develop cyberwarfare organizations, theyrun the risk of creating bureaucratic entities, which will protectoffensive cyber capabilities that simultaneously subject theirown publics to cyber vulnerabilities. Since the United Stateshas the most to lose in this area, the safe approach is to directcyber research at purely defensive applications.





















facilities until, ultimately, members of thecomputer-security community identified PDF it.Stuxnet both failed to operate according to planand failed to have a long-term benefit.Perhaps, then, the lesson for the authors offuture cyberweapons is to recognize the short-lived and unpredictable nature of cyberattacksand aim for more acute, immediate destruction,rather than persistent manipulation of anothernation's assets -- a worrisome conclusionsuggesting that cyberweapons may be bettersuited for terror than for strategic affairs.After Stuxnet, other components of the cyberaffront were quickly exposed and removed, andIran's uranium-enrichment capabilities grewfaster than ever. The American and Israelileaders who launched the games suddenlyfound themselves in a state of panic. Theirability to influence Iran's nuclear program haddropped precipitously, yet no diplomaticprogress had been made to ensure a softlanding. Perhaps leaders had grown toonarrowly focused on the play-by-playexcitement of a new cyberattack and toocomfortable with relative inaction on thediplomatic front. Or perhaps leaders began tofeel that a technical fix was potentially withinreach, or at least that cyberattacks could holdIran's nuclear program at bay until its leaderscapitulated to the pressure of sanctions.Whatever the likely reasons, the current realityis that the United States finds the diplomaticchallenge harder than ever before: AfterStuxnet, Iran, with even larger centrifugereserves, has more to sacrifice, but now truststhe United States even less. Furthermore,Israeli threats of armed conflict have reached anew high. The situation has become unstable,and Olympic Games has yet to realize anyenduring benefits.Despite their questionable utility, thecyberattacks have not been withoutconsequence. Immediately after Iran admittedto being a victim of Stuxnet, it created a newCyber Command of its own. Brig. Gen.Gholamreza Jalali, the head of Iran's PassiveDefense Organization, said that the Iranianmilitary was prepared "to fight our enemies" in"cyberspace and Internet warfare," a formulathat may imply aspirations to go on theoffensive. The US Defense Departmentresponded by announcing a new policy inwhich cyberattacks against US assets areconsidered to be acts of war. More bold stepsinto the darkness.

In the world of armaments, cyber weapons mayrequire the fewest national resources to build.That is not to say that highly developed nationsare not without their advantages during earlystages. Countries like Israel and the UnitedStates may have more money and moretalented hackers. Their software engineersmay be more skilled and exhibit more creativityand critical thinking owing to better training andeducation. However, each new cyberattackbecomes a template for other nations -- or sub-national actors -- looking for ideas. Stuxnetrevealed numerous clever solutions that arenow part of a standard playbook. A Stuxnet-likeattack can now be replicated by merelycompetent programmers, instead of requiringinnovative hacker elites. It is as if with everybomb dropped, the blueprints for how to makeit immediately follow. In time, the strategicadvantage will slowly fade and once-esotericcyber weapons will slowly become weapons ofthe weak.Whatever the greater nature of cyberwarfare, itis clear that individual cyberweapons areinherently fragile. They work because theyexploit previously unknown vulnerabilities.Stuxnet, for example, exploited four "zero day"vulnerabilities in the Windows operatingsystem. As soon as Stuxnet made them public,they were patched and thus no longer availablevectors for future attacks or intelligencegathering. Such vulnerabilities are also closedthrough routine software updates and patches.Powerful hacker entities like the US NationalSecurity Agency must continue to discover newweaknesses in an attempt to stay ahead, andprobably maintain a sizable list of unpublishedvulnerabilities for future exploitation -- but towhat end? These security gaps apply to allcomputer systems of a specific type regardlessof national borders. Every vulnerability keptsecret for the purpose of enabling a futurecyberattack is also a decision to let thatvulnerability remain open in one's own nationalinfrastructure, allowing it to be exploited by anenemy state or even a terrorist hacker. Thisraises a basic philosophical question abouthow states should approach the question ofcyberwarfare: Should countries try to accrueoffensive capabilities in what amounts to asecret arms race and, in doing so, hold theirown publics at risk? Or should statestake a different tack, releasingknowledge about vulnerabilities in acontrolled way to create patches to











shore up their own digital frontiers?We are at a key turning point -- the Achesonand Lilienthal moment of the digital age inwhich a nation must decide what rolecyberweapons will play in its national defense.As nations begin to build out cyberwarfareorganizations, they run the risk of creatingbureaucratic entities that will seek to protectoffensive cyber capabilities and in doing so willnecessarily subject their own publics to cybervulnerabilities. For states that have little to loseon the cyber front, an offensive approach may

be interesting. But for the United States andother highly developed nations whose societiesare critically and deeply reliant on computers,the safe approach is to direct cyber research atpurely defensive applications. Fortunately,unlike the Acheson and Lilienthal moment ofthe nuclear age, the United States can makethis choice unilaterally. The alternativeapproach, to continue to launch ambitiouscyberattacks, is to cross the Rubicon with anunpracticed weapon, naked to the attacks ofenemies and terrorists alike.









1 cbrne-terrorism newsletter – june 2012...3 cbrne-terrorism newsletter – june 2012 costing the...

Documents