The Unintended Consequences of Undeclared Cyberwar
The latest mysterious cyber weapon detected in recent weeks is called Flame. It is being described by security researchers as “the most sophisticated cyber weapon yet unleashed.”
It is a big package of software that apparently offers an attacker something like a Swiss Army knife, because it can do a lot of things that might be called for. It can monitor a computer’s network traffic, including tracking which Web sites are visited, and log and copy email coming in and going out. It can turn on a computer’s internal microphone and record conversations in the room and presumably send audio files of those recorded conversations to someone who will listen to them. Ditto with a machine’s internal Web cam. It can record what characters are typed on the keyboard, thereby capturing sensitive information like passwords and other user credentials that can be used later. It can capture shots of what is being displayed on a computer’s screen.
Flame was seen in the wild some weeks back. The Washington Post, citing Western intelligence officials, reported today that it was created by the combined efforts and resources of the U.S. and Israeli intelligence agencies. The story matches and fills in some details on reporting by the New York Times on the same subject.
Work on Flame, the Post says, predated and later led to the creation of the Stuxnet worm, which is newer but was seen first in 2010. In that case, an Israeli-created worm that targeted industrial control computers in Iran is thought to have caused some centrifuges used to enrich uranium to spin too fast and explode.
Allow me to stitch this thread together with another: It was about a year ago that the Obama Administration made some broad pronouncements on treating cyberspace — the Internet and other scattered parts of the digital stage — as a new theater of warfare, equal, for military purposes, to land, sea, sky and space. An attack in one place warrants a military response or retaliation in another.
At the time, I wondered what a cyberwar might look like. Now we have an idea. The governments of the United States and Israel have been conducting a not-so-covert war against Iran without having to disclose it to their people.
Knowing this leaves me with two questions, one perhaps a legal technicality, the other more practical.
First, if the U.S. views attacks in cyberspace the same as other attacks, then how is a country being attacked supposed to see that? If the U.S. reserves the right to respond to a cyber attack with an air strike, does that not mean that Iran can do the same thing? And if the U.S. is launching attacks, shouldn’t there be some overt public acknowledgement of that fact? Yes, I’ll grant, fighting with bits is preferable to fighting with bullets and bombs, but if it’s the Obama Administration’s position that fighting with one is legally equal to fighting with another, shouldn’t one be done as readily in the open as the other? Warfare requires a degree of public approval. Espionage doesn’t.
Second, I have longer-term concerns about blowback and unintended consequences. Stuxnet and Flame were hard to make, and they were never intended to be discovered, let alone pulled apart and studied as closely as they have been. The fact that they’ve been studied in detail by both the good guys and the bad guys makes me wonder who might be learning from Stuxnet and Flame in order to adapt them for such things as, say, corporate espionage.
If Flame amounts to an early example of a new type of malware that can both easily evade detection and record everything happening both on and around a computer, then companies will have to respond accordingly. Imagine a world where anytime anyone holds a meeting where sensitive information is discussed, it takes place in a secure room with no electronics present. And that’s just for openers.