Defence Business: Have the dogs of cyberwar been let out already? | ADM August 2012


Australia and its allies would not go to war with another state without due cause. Yet cyberwar, aggression conducted mainly through internet-borne offensives, is quietly on the table.

Recent reports suggest such cyber offensive operations are not only planned but have already been carried out. The evidence lies in recent analyses of the three most formidable pieces of malware found to date, known as Stuxnet, Duqu and Flame.

The Stuxnet worm targeted industrial control systems, in particular a specific line of Siemens programmable logic controllers. Its sabotage payload was narrowly aimed: it activated only when the controller was driving frequency converters from two specific manufacturers, one Finnish (Vacon) and one Iranian (Fararo Paya), and it included rootkit components to hide its own code on both the Windows host and the controller.

One estimate suggests up to half a million euros was invested in developing the software.

Stuxnet was unique in other respects. It exploited four previously unknown Microsoft Windows vulnerabilities (zero-days) at once, and its drivers were signed with two genuine code-signing certificates stolen from legitimate hardware vendors (Realtek and JMicron). The practical lesson for defenders is that a valid digital signature proves only which key signed the code, not that the code is benign. Stuxnet was designed to work slowly and unobtrusively: once introduced, it mapped its environment and spread within it before acting. From the geographic distribution of infections and the specific equipment the payload sought, researchers inferred its probable target: the software-controlled centrifuges at the uranium-enrichment facility at Natanz, Iran.

In late November 2010, Iranian President Mahmoud Ahmadinejad reportedly conceded that cyber attacks created "problems" in what he called a "limited" number of centrifuges.

Iranian officials maintained, however, that the infection was contained and that serious consequences were avoided. Stuxnet was later followed by two related pieces of malware: Duqu, discovered in September 2011, and Flame, identified in late May 2012. Both are best described as comprehensive espionage toolkits rather than sabotage tools. They gather information from infected computers: they intercept passwords, log keystrokes, record audio from a built-in microphone, take screenshots, collect information on the files being worked on and analyse network traffic. The harvested data is encrypted and uploaded to external command-and-control servers.

Kaspersky Lab, the security firm that discovered Flame, described it as "the largest cyberweapon to date", partly on account of its roughly 20 megabyte footprint. A later report from Kaspersky Lab counted 189 Flame infections in Iran, 98 in Israel and the Palestinian territories, and 32 in Sudan.

An unnamed "former high-ranking US intelligence official" told the Washington Post: "[Flame] is about preparing the battlefield for another type of covert action."

Analysts believe the development approaches behind Stuxnet and Duqu are strikingly similar and that the two share a common development platform, suggesting they were created by the same team.

History

In June 2012, The New York Times reported that Stuxnet was developed under an operation code-named "Olympic Games", a joint effort between two signals intelligence agencies, the US National Security Agency and Israel's Unit 8200. The Washington Post subsequently reported that Flame emerged from the same collaboration.

According to the newspaper's sources, former president George W. Bush approved the project, and his successor, Barack Obama, ordered it accelerated with a view to impeding Iran's nuclear program. In Australia, there has been official reluctance to discuss these reports.

“Defence is aware that the origins of Stuxnet and Flame are the subject of speculation. Defence is not willing to enter into any speculation on this matter,” a Defence spokesperson told ADM. “As a matter of principle and long standing practice, Defence does not discuss specific cyber activities or capabilities.”

Whether Stuxnet's attack on Iranian nuclear facilities was effective is no longer the main issue.

Industrial control systems are far more widespread in Australia and its allies than in potential adversary states such as Iran, which makes the precedent a double-edged one. They are the backbone of all automated modern production systems, including hazardous ones. Computer systems run our energy facilities, gas compressor stations, water and sewage treatment plants and traffic control.

Some strategists favour Australia taking a more hawkish position, notably the Kokoda Foundation's report Optimising Australia's Response to the Cyber Challenge (February 2011).

The ethical dilemma of wielding such weapons is laid bare by The New York Times' David Sanger in his book Confront and Conceal, which describes how the US used a worm to infiltrate and disrupt the control systems of Iran's enrichment facility.

An unintended consequence of a cyberweapon could be, for instance, the accidental disruption of a civilian hospital system overseas. Malware does not respect the boundaries of the network it was aimed at, so collateral damage could harm civilians who share a targeted network or merely run the same software. Deciding which networks may be targeted and which must be left alone raises the same rules-of-engagement questions as any other weapon.

Iran reportedly claims it can defend itself against the malware and clean up infected PCs.

The Stuxnet and Flame attacks could also prompt Iran or other states to fast-track their own sophisticated cyber-capabilities, according to Mark Phillips, a research fellow at the defence think tank the Royal United Services Institute (RUSI), speaking to BBC News.

"If it did originate from the US and/or Israel, Iran is going to feel under siege as a result of a number of attempts - a previous one was Stuxnet - and will seek to improve its cyber-defences," he said. "The better you are at detecting cyber-actions, the better you are at infiltrating others.

"This cyber-onslaught that Iran has been facing from Stuxnet through to Flame is actually helping it to become a really serious cyber-power in its own right, which would not have been an intended effect of whoever developed Flame."

Wars against sovereign nations are not supposed to be conducted in secret. To what extent, then, are clandestine state-sponsored cyber offensives a kind of war?

War waged by technological attacks on a nation's infrastructure is novel, and might be distinguished from a secret order to invade a country.

If technological attacks are acts of war in the so-called fifth domain of warfare, should there be a protocol governing them, or is it all too hard to think through the consequences?

In 2009, in accepting the Nobel Peace Prize, Obama said: "Where force is necessary, we have a moral and strategic interest in binding ourselves to certain rules of conduct. And even as we confront a vicious adversary that abides by no rules, I believe the United States of America must remain a standard bearer in the conduct of war. That is what makes us different from those whom we fight. That is a source of our strength."

If it is the case that the US and its allies sponsored Stuxnet and Flame, as several reports suggest, where does this take us in the future?
