Last month we discussed two successful attempts at bridging air gaps. The first was the Reagan Administration-inspired insertion of malware into controller software that was supplied by Canadians to the Soviet Union for their trans-Siberian pipeline. That malware, like Stuxnet thirty years later, was specifically crafted to cause the targeted systems to self-destruct. Both attacks required some means of bridging the air gaps. In neither case did the air gaps prove to be much of a barrier. In this column we look to the lessons that may have been learned.
There are many lessons learned from the point of view of the exploits themselves. “Offense-in-Depth” was the reason for Stuxnet's success. Burning five quasi-zero-day injectors would have been considered overkill by all but major state-sponsors. In addition, a solid foundation in experimental computing with industrial control systems was the sine qua non of a successful hack. The authors were solid programmers who had access to a test bed of Natanz-like industrial controllers, software and centrifuges. This fact alone narrows the range of suspects considerably. From the moment that Stuxnet v.1.0 began unraveling during the summer of 2010, attribution was never seriously in doubt. From a political perspective, plausible deniability was instantly displaced by non-repudiable attribution. To this day, alternative accounts haven't been offered because no one would believe them due to the overwhelming body of circumstantial evidence (even without GitHub) and indisputable political motives.
But the technical lessons pale in comparison to the importance of the lessons learned from the politics of nation-state cyber-kinetic warfare strategies. While important, they are largely ignored by the mass media. I'll suggest just a few of them.
The first lesson learned follows from both the Trans-Siberian Pipeline and Stuxnet examples was that air gaps are relatively useless as a defensive layer to the determined state-sponsored adversary (read: CIA, NSA, Mossad, …..). This lesson should have been learned in 1982 with the Pipeline hack if not as far back as the days of Herbert Yardley's Black Chamber. For the past fifty years, the suggestion that an air gap strategy might be alone sufficient to defend critical infrastructures has been a mark of the unenlightened. It was a dumb strategy in 1982, and its wisdom dropped precipitously with time. Air gaps stand to cyber-defense as chain link fences stand to physical security – they only discourage nuisance attacks ( http://www.latimes.com/nation/la-na-grid-attack-20140211-story.html ). Of course, an even dumber idea is to connect critical infrastructures to the Internet. IoT is coming to mean the Internet of Trouble!
Second, although we have had well over a decade of experience with state-sponsored cyber-attacks (cf. Richard A. Clarke and Robert A. Knake, Cyber War, Ecco, 2010), we have apparently taken an ostrich-like approach to the revelations. To make this point clear, let me draw your attention to the threat vectors predicted in the 1997 Marsh Report ( https://fas.org/sgp/library/pccip.pdf , pp. 15-16):
It’s as if Flame, Duqu and Stuxnet were taken from the Marsh Report playbook, in order, and ten years later. Ironically, the Marsh Report says that cyber warfare “presents significantly new challenges for the intelligence community in identifying and assessing threats to the United States.” (p. 19) Olympic Games clearly shows that a byproduct of this work is “introducing new threats to the United States,” for the Flame and Tilded code bases are at this point in time accessible to every digital miscreant and weaponeer. In one of life’s little ironies, The 2010 Cyber Storm exercises that stress-tested the U.S. critical infrastructure failed to use the most advanced weaponry at the time already deployed: Flame, Duqu and Stuxnet. The humor of this should not be overlooked. But, then, Cyber Storm exercises do keep the burn rate within acceptable standards, and that’s what really matters to bureaucrats!
Third, the long-term implication of Stuxnet on industrial controllers is serious and far-reaching. ICs are general purpose, which means that the exploit potential of the Stuxnet family of malware extends to virtually the entire global infrastructure: transportation, energy, water supply, emergency services, etc. At bottom, the collective vulnerability is due to the fact that industrial controllers were manufactured with virtually no concern for security. While that in itself was a bad design philosophy (a brand of myopia that I have labelled technology absurdism: technology development that either ignores, fails to appreciate, or underrepresents obvious negative externalities (see Noirware, Computer, March, 2015), the ultimate in stupidity was to connect these controllers to the Internet! Let me emphasize that the problem isn't that these critical infrastructures were built around a weak security model – they were built around no security model. As I've said before, society should demand of companies that contribute to the global infrastructure that all potential technology abuse be included in the calculated velocity of all innovation. Industrial controllers have been a disaster-in-the-waiting for half a century. As things now stand, proper discussion of IC insecurities must necessarily include infrastructure eschatology.
Fourth, Operation Olympic Games unmistakably and recklessly pushes the world toward cyber-weapons proliferation. Nuclear weapons did the same thing in the 1940s and 1950s. However, the parallel between these two eras quickly breaks down. For one thing, the concept of mutually-assured destruction doesn't apply without attribution – that is, retaliation-in-kind only makes sense if one has the “retaliatee” in mind. Absent cyber-radar for incoming bit-bombs on the commercial Internet, no such candidate would be identifiable at the level of certainty required for any responsible retaliation.
Fifth, contemporaneous to Stuxnet was the burgeoning gray market in cyber-weapons. Due to a robust, clandestine brokerage industry, every cyber-mercenary, terrorist and cyber-criminal in the know - not to mention government contractors and nation states – have access to current cyber-weaponry, including zero-days. This is one of the most intoxicating aspects of the Olympic Games. No one knows for sure how large this black market is because Black Budgets are classified, but Kim Zetter reports (Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, Crown, 2014, p. 219ff.) that in 2013 the NSA had budgeted $25.1 million for covert purchases of software vulnerabilities from government contractors and independents. One can only imagine how many players are in this market, besides the NSA. There are two things to take away from this new digital boutique. First, it was ushered in by Stuxnet-like aggression from nation-state players. Second, this cyberweapons-cottage industry was entirely predictable given even a modest knowledge of how arms races work. Third, this malware is purchased with the full understanding that they will not be reported to the software vendors who might patch their products to protect the public. Since the value of this malware to the aggressor is directly proportional to its uniqueness, novelty, effectiveness, and stealth, there is little value to nation-states and state-sponsors, not to mention major cyber-criminal gangs, for “used” malware.
Serious ethical questions surround the gray market in cyber-weapons. First among them is whether a government that purports to represent their citizens should be actively involved with digital weapons brokerages that attack their interests. One may certainly conjure up hypothetical situations where the possession of invasive malware might be of use (e.g., to avoid a terrorist attack or to interrupt an adversary's decision cycle in wartime), but that's a far cry from the tactics currently in use by the U.S. government's three-letter agencies that range from hacking Microsoft's BitLocker encryption system, to hacking Apples OS updater, to spoofing Apples Xcode iOS applications platform development tool ( https://firstlook.org/theintercept/2015/03/10/ispy-cia-campaign-steal-apples-secrets/ ). To claim that reverse-engineering U.S. software manufacturer's code that is sold to the public, or buying malware that compromises its integrity, is required by national security is an absurdity. The courts offer many avenues for government agencies to legally spy on citizens. The the Fourth Amendment only requires the government to establish probable cause (considered to be a nuance by former NSA Director Michael Hayden - https://www.youtube.com/watch?v=cGhcECnWRGM ). So not only is there no major hurdle to legal surveillance, there is virtually no hurdle at all - as long as the courts approve! We need to be very clear about this: the use of digital aggression to surveil criminal suspects is ethically and legally distinct from surveilling an entire population. The former falls under the rubric of legitimate intelligence gathering, while the latter accompanies totalitarianism and tyranny. To illustrate, on which side of the ledger would you place the attempt to circumvent the encryption all GSM cell phones ( https://firstlook.org/theintercept/2015/02/19/great-sim-heist/ )? It is hard to imagine how compromising the encryption of two billion cell phone users per year does not fall under the category of government abuse. And this is not to mention that such compromises create an ideal platform from which to launch global extortion and blackmail.
It is worth noting that issue of gray market malware was addressed in President Obama's commissioned study, “Liberty and Security in a Changing World” ( https://www.whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf ). Recommendation 30 states that “ US policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks. In rare instances, US policy may briefly authorize using a Zero Day for high priority intelligence collection, following senior, interagency review involving all appropriate departments. (p. 219)” To continue, “ We recommend that, when an urgent and significant national security priority can be addressed by the use of a Zero Day, an agency of the US Government may be authorized to use temporarily a Zero Day instead of immediately fixing the underlying vulnerability. Before approving use of the Zero Day rather than patching a vulnerability, there should be a senior-level, interagency approval process that employs a risk management approach.” (p. 220) Understand that the five members of the panel were not chosen at random from associations of civil libertarians and constitutional scholars. They were all hand-picked by Obama. And even this coterie of loyalists couldn't abide by the current government policy on exploiting zero-day malware. It was good advice. It was also ignored.
Perhaps the most important consequence of these activities has nothing to do with the activities themselves but rather the partisan and biased coverage of the stories by the mass media. Specifically, the leaks of Operation Olympic Games to journalist David Sanger. There has been no serious comparative analysis of the recent selective prosecutions of Chelsea Manning, John Kariakou, Stephen Kim, Shamai Leibowits, Jeffrey Sterling ( https://firstlook.org/theintercept/2015/05/11/sterling-sentenced-for-cia-leak-to-nyt/ ) and many others for leaking classified information, compared to near zero-accountability demanded of General David Petraeus after pleading guilty to the same charges ( http://abcnews.go.com/Politics/cia-head-david-petraeus-plead-guilty/story?id=29340487 ). And this is not to mention the near complete lack of judicial and media investigation of the leak of Stuxnet ( http://www.slate.com/articles/news_and_politics/war_stories/2013/06/did_retired_gen_james_cartwright_leak_the_stuxnet_virus_story.2.html ). For a dramatic, comparative view into the selective use of the Expionage Act, compare the charge sheets of Stephen Kim ( http://fas.org/sgp/jud/kim/offense.pdf ) and Lawrence Franklin ( www.fas.org/sgp/jud/aipac /franklin_facts.pdf). Kim was convicted of giving classified information to Fox reporter James Rosen, while Franklin was convicted of giving classified information to representatives of a foreign government! Kim received a thirteen month prison sentence while Franklin received ten months of house arrest. The major story in my view is not the prosecutions or lack thereof, but rather the selective and biased enforcement of laws depending on multiple standards. For a good defense these days, it's not enough to lawyer-up, you also have to lobby-up.
It seems very clear to me that the 1917 Espionage Act is not being used to protect national security but rather to intimidate iconoclasts and contrarians into silence. I'll call this “message prosecution” – the point is to circumvent the Supreme Court's ban on prior restraint (aka “censorship) by sending a clear signal to everyone who might speak out against wrongdoing to “shut up or else.” I would encourage everyone to read Executive Order 13526 that covers Classified National Security Information ( https://www.whitehouse.gov/the-press-office/executive-order-classified-national-security-information ), most especially Sec. 1.7. This EO makes it very clear that The Espionage Act and laws like it are not supposed to be used against citizens who anger the government or blow whistles. Nor is there any exemption for government officials who leak classified information for the political benefit of elected officials -- even if authorized to do so by a sitting president! In these times, you are more likely to be investigated by the FBI for environmental activism than for leaking classified on behalf of the Administration ( http://www.theguardian.com/us-news/2015/may/12/revealed-fbi-spied-keystone-xl-opponents ). According to my college political science instructor, the principle of rule of law specifically excluded arbitrary, politically inspired, and/or self-serving enforcement, and no person is above the law. The current contemptuous neglect of the rule of law should make every self-respecting nomocrat puce with rage. In the words of Plato, “... that state in which the law is subject and has no authority, I perceive to be on the highway to ruin.” (Plato, Laws, book IV, https://www.gutenberg.org/files/1750/1750-h/1750-h.htm ).
Until such time that a public interest defense is allowed under the 1917 Espionage Act by the courts (don't hold your breath on that one), I recommend that Congress amend the Espionage Act to include a clause faithful to the late Nebraska Sen. George Norris' platform on hypocrisy reduction in government: “This Act specifically exempts any person considered a political crony by the Executive Branch, or any person who leaks classified information on behalf of said Executive Branch for political advantage,” thereby bringing the Act into accordance with actual practice.
We pass over in silence the public's interest in the Government's System Vulnerabilities Equities Policy and Process ( http://www.wired.com/2014/04/obama-zero-day/ ). This policy and process has to do with what the Government does when it discovers or purchases malware that may affect the privacy and security of its citizens. All that is known at this point is that there is a policy and process, but the details are concealed from the public ( http://www.wired.com/wp-content/uploads/2015/03/Vulnerability-Equities-Process-Highlights-7.8.10-DOC-65-redactions_Redacted1.pdf ). The default seems to be that the government feels no obligation to inform anyone about malware unless the NSA has no interest in exploiting it. This is an especially problematic stance when one considers that governments are both creating such malware themselves while also encouraging the burgeoning gray market for it. $25.1 million per annum buys a lot of cyberweapons at $50,000-$100,000 each ( http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/ ). The public debate should not be about whether this gray market should exist (that toothpaste is well out of that tube), but rather what might be done about it. At this point there's a totally hidden and unregulated, state-sponsored, world-wide brokerage of malware that potentially affects privacy and data-integrity of all citizens worldwide. This is a critical issue that deserves much more investigation than it is receiving.
Related to the vulnerabilities equities policies is the fragile relationship between state-sponsorship of malware development, the developers and vendors whose products are vulnerable, and the security companies that are in the business of mitigating against vulnerabilities on behalf of the customer. All three allegedly represent the same constituency, but with differing levels of integrity. This again should prompt an extensive open public debate thus far absent.
I conclude with a comment about the alleged motives behind Stuxnet. I note that absent public policy discussion or Congressional oversight sufficient to deflate any criticism of false dilemma, the claim that Stuxnet was the least objectionable alternative (forget optimal) to anything exposes the claimant to ridicule. The public may never be able to debate, much less discover, the real motives behind Stuxnet. Such is life in the world of dark governments.