Friday, October 12, 2012

America Freaked Out by the Cyberboogeyman It Unleashed




The theme of Secretary of Defense Panetta’s remarks at the Intrepid Air and Sea Museum on October 12 before the “Business Executives for National Security”, in the words of the BBC:


Actually, Mr. Panetta, the “cyber Pearl Harbor” has already happened.  

It was called Stuxnet, the virus designed and delivered by the governments of the United States and Israel to sabotage Iran’s nuclear program.

By unleashing Stuxnet—an act of cyberwar—a Rubicon was crossed.  Not my words, but the words of Michael Hayden, the ex-director of the CIA.

Now the United States is scrambling to deal with the consequences…and the Western media is by and large obligingly doing its best to help shove Stuxnet into the memory hole.

Panetta used his speech to push for more cybersecurity legislation by discussing cyberattacks on Aramco in Saudi Arabia and RasGas of Qatar using the “Shamoon” virus.  The attacks—which occurred and were reported in August 2012, a few months after Stuxnet—wiped data from tens thousands of management computers, replaced some files with a taunting image of a burning American flag, and reportedly rendered the computers useless.

I was amused to hear that Mr. Panetta carefully characterized these incidents as “the most destructive [cyber] attack that the private sector has seen to date.”

I assume he added the “private sector” qualifier to put the fear of cyber-God into the security-obsessed executives he was addressing (although applying the term “private sector” to Aramco, the state-owned Saudi Arabian oil behemoth and  RasGas, which is 70% owned by state-owned Qatar Petroleum is a bit of a stretch).  

But limiting the scope of discussion to  “private sector” cyberattacks also excludes the much more significant, expensive, fiendishly complex, and destructive Stuxnet virus, which attacked and disabled a strategic Iranian government installation.

Stuxnet typifies the grave threat to physical infrastructure that Mr. Panetta got so worked up about much more vividly than an office computer data hack along the lines of Shamoon.

And Stuxnet escaped into the wild to infect computer systems around the world!  Collateral damage-wise, there apparently wasn't much for Stuxnet to do in a non-uranium centrifuge environment, but it did spread to 100,000 hosts in 155 (mostly US-friendly) countries. (There has recently been a good deal of techie back and forth as to whether Stuxnet's global romp was really an unplanned escape; presumably people are implying that the Israeli spooks inserted some kind of hunter-killer app that allowed the virus to search Iran and the globe for similar installations to degrade.)

Despite its obvious utility as an object lesson in the genuine, real world dangers of cyberweaponry, Stuxnet did not come up in Mr. Panetta’s remarks, or in much of the media coverage.  

Wonder why.

Instead, DoD backgrounders painted the Shamoon attacks as dastardly underhanded Iranian payback for (legal and public) sanctions regime, not as possible direct retaliation for a (secret and unilateral) cyberattack.

To its credit, the New York Times, which got the Stuxnet story from the Obama White House back in June, did mention the Stuxnet exploit in its coverage of Panetta’s speech.

In any case, the United States, having committed the first cyberattack, is trying to pull up the cyberdrawbridge in anticipation of retaliation.

One of more interesting elements of this exercise is the U.S. efforts to paint its actions as a response to Chinese and Iranian cyberthreats, instead of its own actions.  As indicated above, the Western media has been an obliging enabler, leading to some topsy-turvy reporting.

The Daily News titled the AP report on Panetta’s speech: 


Maybe a better title would be Anti-Iran Alliance Reaps Viral Retaliation for Stuxnet Sneak Attack.

Now, I’m sometimes accused of promoting false moral equivalence between the PRC and the United States i.e. judging Chinese and US actions by similar standards.

But, in my mind, what is really dangerous is the false assumption of moral superiority that underlies much of the reporting about China and Iran.

According the moral superiority equation, the United States is automatically in the right in any dispute with the PRC and Iran because of the innate superiority of our system and the ideological, economic, and human rights defects of the PRC and Iranian regimes.

Despite the resounding disaster of the Iraq war, this tendency has strengthened in recent years with the further institutionalization of the “responsibility to protect” doctrine as a pretext for US foreign policy intervention.  

Targets of Western intervention are progressively delegitimized so that unprovoked attack elicits no condemnation, and efforts by our adversaries to defend themselves, especially by trying to establish a deterrent by demonstrating an ability to retaliate are ipso facto morally indefensible.

I was struck, for instance, by the reporting of the Daily News and New York Post, albeit tabloid outliers, on President Achmadinejad’s visit to New York to address the UN General Assembly in September (post Stuxnet, of course).



They greeted him with front page, full-sized photos of Ahmadinejad flashing the V sign, garlanded  with the epithet PEACE OF SH!T (Post) and VILE (News).

This sort of stuff is usually forgiven on First Amendment grounds and excused as harmless hyperbole used to sell newspapers.  But it’s certainly not making war with Iran less likely, especially in the minds of the easily excited.

The Daily News reported favorably on the assault by an MEK –linked crowd on a Foreign Ministry official who got separated from his group on the streets of New York:

An Arkansas man landed a blow for democracy Wednesday — right to the gut of an Iranian official.
Gregory Nelson received cheers and handshakes from anti-Iran protesters after slugging Foreign Ministry mouthpiece Ramin Mehmanparast on 48th St. near Second Ave.

“It felt really good,” said Nelson, 50, after delivering his shot to the Iranian bigwig’s stomach. “It wasn’t that hard, but he felt it.”

Nelson was flanked by a horde of protesters, many of them Iranian immigrants demanding democracy in their homeland, when Mehmanparast walked past after President Mahmoud Ahmadinejad’s United Nations speech.

The former Army National Guard member, doing his best Mike Tyson impression, saw an opening and swung at the spokesman’s midsection before he could escape.

“We don’t usually conduct ourselves like that, but he’s a murderer,” said the bearded, ponytailed Nelson. “That whole regime, everybody is responsible for the murders that go on.”

 
Maybe Ahmadinjad feels he would have been treated with a little more courtesy if he had the atomic bomb; in any case, I don’t think his reception in New York convinced him Iran should abandon its ideas of a nuclear deterrent.

For those with short memories, the whole “delegitimization from an attitude of Western moral superiority” thing was applied to Saddam Hussein before Mahmoud Ahmadinejad, until invading Iraq became a moral imperative, not just an extremely dubious foreign policy option.
That’s why I consider China-bashing rather worrisome, even though the combination of the PRC’s nuclear deterrent and Western squeamishness about land wars in Asia makes an attack on China proper almost inconceivable.  

As the Iran precedent shows, there’s still plenty of room for terrorism, economic warfare, subversion, cyber wars, proxy wars, and every kind of human misery short of outright invasion.

US policy toward China is getting locked into a self-reinforcing cycle of continued provocation, response, and delegitimization which creates an environment of escalating crisis that some in the United States security establishment seem happy to promote and makes confrontation with the PRC more likely.

Escalating responses to cyberthreats feed this dynamic.

As Secretary Panetta's speech demonstrates, touting the insidious cyberwar designs of our adversaries has too much efficacy as a national security hot button for the US government and the Western media to be squeamish about pushing it, no matter what we did with Stuxnet.  We're the good guys, after all!

That's certainly the case for China, which is a cyber-adversary of considerable notoriety, though (unlike the United States) it has apparently confined the bulk of its efforts to espionage rather than sabotage to date.


In any case, Secretary Panetta (and the media)'s contortions over America's Stuxnet legacy provide a nice and timely segue into my most recent piece for Asia Times.

The piece discusses the hullaballoo over Huawei and ZTE, two Chinese telecommunications vendors who the U.S. House of Representatives Intelligence Committee would like to see banned from any private as well as public U.S. networks.

I argue that the reason why Huawei and ZTE can’t be trusted is because the U.S. can’t be trusted.  It unleashed Stuxnet in a unilateral, secret cyberattack and rendered moot the Pentagon’s hopeful effort to negotiate the rules of cyberwar.   With cyberwar not just on the agenda but actually being practiced out in the field, thanks to President Obama, I’d also worry that somehow the Chinese government would try to diddle with our precious networks and the sensitive infrastructure they control.

Whether or not the PRC’s spooks would go through Huawei and ZTE is, of course, another matter, one for the experts in cybersabotage to consider.  For one thing, many of the network suppliers whom the Intelligence Committee considers trustworthy, like Alcatel, already manufacture a lot of sensitive equipment within Chinese borders.  

Anyway, here’s the story on Huawei, the latest Chinese bugbear.  Readers are invited to consider whether pounding on China this way is making us safer, or pushing us unprepared toward some kind of dangerous and uncertain future.

It can be reposted if ATOl is credited and a link provided.
US digs in for cyber warfare
By Peter Lee

Recently the US House of Representatives Intelligence Committee took a meat-ax to Huawei, the Chinese telecommunications giant, and its little brother ZTE in a 60-page report on national-security issues posed by the two companies.

The conclusion:





  • They're commies.
  • We can't trust 'em.        Or, as the executive summary put it:
    The United States should view with suspicion the continued penetration of the US telecommunications market by Chinese telecommunications companies. [1]
    Specifically, the committee recommended that the government not purchase any Huawei or ZTE equipment.

    The committee rubbed further salt in the wound by recommending that private companies not buy any Huawei or ZTE telecommunications equipment either.

    It also invited the legislative branch to expand the jurisdiction of the Committee on Foreign Investment in the United States (CFIUS) to enable it to block procurement of Chinese telecommunication equipment by US customers, in addition to exercising its traditional powers of blocking foreign investment deemed harmful to US security. CFIUS had previously blocked Huawei's participation in a deal to take 3Com private - which was brokered by Mitt Romney's Bain Capital - and recently denied Huawei's attempt to buy 3Leaf, a California cloud computing company.

    Certainly not the clean bill of health that Huawei was hoping for when it invited the US government to investigate its operations.

    It is clear that the Chinese companies were given the Saddam Hussein treatment. Just as the Iraqi despot was put in the impossible position of proving a negative - that he did not have any weapons of mass destruction - Huawei and ZTE executives were called upon to prove their companies were not untrustworthy.

    Mission unaccomplished, for sure.

    The public committee report is little more than a litany of complaints about unclear answers, insufficient disclosure, inadequate clarification, failure to alleviate concerns, making non-credible assertions, failure to document assertions, failure to answer key questions, refusal to be transparent, and so on and so forth. Huawei, in particular, was dinged for "a lack of cooperation shown throughout this investigation".

    The committee's conclusion:
    Throughout the months-long investigation, both Huawei and ZTE sought to describe, in different terms, why neither company is a threat to US national-security interests. Unfortunately, neither ZTE nor Huawei [has] cooperated fully with the investigation, and both companies have failed to provide documents or other evidence that would substantiate their claims or lend support for their narratives.
    To drive a stake into the heart of any dreams that Huawei or ZTE had of providing "mitigation assurances" - bureaucratese for acceptable measures to allay US security concerns - the committee made the interesting decision to dump all over the British government.

    Keen on Chinese investment in its backbone telecommunications networks, the British government accepted the reassurance provided by a cyber-security center, funded by Huawei and staffed by UK citizens with security clearances, with the job of vetting Huawei products for hinky bits.

    The US intelligence committee dismissed these efforts as futile given the complex, opaque and frequently updated character of telecommunications software:
    The task of finding and eliminating every significant vulnerability from a complex product is monumental. If we also consider flaws intentionally inserted by a determined and clever insider, the task becomes virtually impossible.
    In terms of specific evidence of Huawei and ZTE malfeasance, there is little meat on the bones of the public document.

    On the technical side, the evidence supporting Huawei and ZTE infiltration of the US telecommunications software presented in the public report was less than earth-shaking:
    Companies around the United States have experienced odd or alerting incidents using Huawei or ZTE equipment. Officials with these companies, however, often expressed concern that publicly acknowledging these incidents would be detrimental to their internal investigations and attribution efforts, undermine their ongoing efforts to defend their systems, and also put at risk their ongoing contracts.

    Similarly, statements by former or current employees describing flaws in the Huawei or ZTE equipment and other potentially unethical or illegal behavior by Huawei officials were hindered by employees' fears of retribution or retaliation.
    Presumably, the confidential annex to the committee report makes a more compelling case, but one has to wonder.

    According to The Economist:
    Years of intense scrutiny by experts have not produced conclusive public evidence of deliberate skulduggery, as opposed to mistakes, in Huawei's wares. BT, a British telecoms company that buys products vetted in [the cyber-security center at] Banbury, says it has not had any security issues with them (though it rechecks everything itself, just to be sure). [2]
    In a sign that no existential smoking cyber-guns had been revealed, the worst punishment for Huawei's lack of cooperation that the committee could apparently mete out (other than trying to destroy Huawei's US business) was threatening to forward information to the Justice Department concerning possible corporate malfeasance in the routine areas of immigration violations, fraud and bribery, discrimination, and use of pirated software by Huawei in its US operations.

    It can be taken as a given that the People's Republic of China (PRC) is intensely interested in cyber-espionage - diplomatic, military, and commercial - against the United States and cyber-warfare against US government, security, and public infrastructure if and when the need arises.

    However, the case that Huawei is a knowing or even a necessary participant in these nefarious schemes is unproved.

    Nevertheless, Huawei's attempts to generate a clean bill of health for itself with Western critics are pretty much futile.

    That's because government weaponization of communications technology is a given - for everybody, in the West as well as in China.

    Beneath the freedom-of-information rhetoric, the West is converging with the East and South when it comes to protecting, monitoring and controlling its networks.

    In the United States, providing government law enforcement with back-door access to networks, aka "lawful intercept", is a legal requirement for digital telecom, broadband Internet, and voice-over-IP service and equipment providers under the CALEA (Communications Assistance to Law Enforcement Act) law. The Federal Bureau of Investigation (FBI) is currently lobbying the US administration and the Federal Communications Commission to require that social-media providers such as Facebook provide similar access so that chats and instant messaging can also be monitored in real time or extracted from digital storage.

    In Europe, similar law-enforcement access is institutionalized under the standards of the European Telecommunications Standards Institute.

    Particularly in the environment after the attacks of September 11, 2001, law enforcement has expressed anxiety about "going dark" - losing the ability to detect and monitor communications by bad actors as data and telecommunications moved from fixed-wire analog systems to digital, wireless, and band-hopping protocols.

    The situation is aggravated by the availability of theoretically unbreakable public/private key 128-bit encryption.

    (I say "theoretically", by the way, because creation of the private key relies on a random-number generator on the encrypting computer. A recent study found that some programs were spitting out non-random random numbers, raising the possibility that a certain spook agency of a certain government had been able to diddle with the programs to generate certain numbers preferentially, giving said spook agency a leg up to crack the private keys through otherwise ineffective brute-force computing techniques.) [3] 


  • One way to get around the problem of anonymous users employing unbreakable encryption from multiple devices is the trend around the world toward requiring real name registration - stripping anonymity from Internet posters - and requiring Internet service providers to become active participants in law enforcement by monitoring the activities of their customers.

    For encrypted documents and communications using genuinely random numbers - and absent a mandated, law-enforcement-accessible third-party repository for private keys (a demand recently made of RIM, the BlackBerry people, by the Indian government), the government has to employ either judicial compulsion or covert means to obtain information on private keys from individual computers. Covert means presumably involve using a virus or some other means of access to install a keylogger. [4] [5]


    A while back, the FBI admitted it had such a program, code-named Magic Lantern - strictly a research operation, of course - creating the interesting issue of whether or not anti-virus software vendors could be dragooned into modifying their programs to ignore the officially sanctioned virus.

    One plausible reason for excluding Huawei and ZTE from US networks would be to deny them a possibly privileged view of how the legal intercept cyber-sausage gets made.

    Even Western governments have also expressed an interest in flipping the dastardly "kill switch" that deprives Internet users of their precious connectivity and is the badge of shame for totalitarian regimes.

    During the riots in England last year, the British government thought of taking a page from the playbooks of former Egyptian leader Hosni Mubarak and Iranian President Mahmoud Ahmadinejad.
    British Prime Minister David Cameron, in a statement to the House of Commons earlier today, made reference to and mooted the possibility that social media could be "disrupted" or turned off if riots continue.

    Services such as Facebook, Twitter and crucially BlackBerry Messenger - which has been used by rioters and looters to organize disruption across the British capital and other cities in England - could be restricted in a bid to prevent further violence; present day or in future warranted situations.

    Speaking in the House of Commons, David Cameron said: "The free flow of information can be used for good. But it can also be used for ill" ...

    Conservative Tobias Ellwood MP said in Parliament that police should be given the option to switch off cell network masts "and other social networks" used to coordinate trouble, violence and disorder. [6]
    Putting a kill switch in the hands of Huawei is probably the biggest US headache.

    With more and more sensitive data encrypted, it is unclear that squatting on a Huawei switch and copying the flow of 1s and 0s will deliver Chinese spies a considerable incremental benefit over the prodigious targeted hacking operations they are allegedly engaging in already.

    The real danger from a hostile piece of telecommunications kit would be disablement in time of crisis or war, as Fred Schneider, a computer scientist at Cornell University in New York state, told Technology Review:
    A trigger could be built either into the software that comes installed in switches and network hardware or into the hardware itself, in which case it would be more difficult to detect, says Schneider. The simplest kind of attack, and one very hard to spot, would be to add a chip that waits for a specific signal and then disables or reroutes particular communications at a critical time, he says. This could be useful "if you were waging some other kind of attack and you wanted to make it difficult for the adversary to communicate with their troops", Schneider says. [7]
    There is a good reason Huawei can't be trusted to deliver clean kit to critical US infrastructure customers. That is that we now live in a world in which cyberwar is an acceptable and legitimate national tactic.

    This Pandora's box of cyberwar has already been opened ...

    ... by the United States.

    Amid the ferocious Iran-bashing - and "by any means necessary" justifications for covert action against that country's nuclear program - that have become endemic in the West, the true significance of the Stuxnet exploit has been overlooked by many, at least in the West.

    Stuxnet was the release of an important cyber-weapon - a virus that did not simply seek sensitive information or attempt to disrupt communication, but one that was reportedly rather effective in damaging a strategic Iranian facility by an act of sabotage.

    It was an act of cyberwar.

    As David Sanger, The New York Times' national-security adviser, wrote in his White House-sanctioned account:
    "Previous cyberattacks had effects limited to other computers," Michael V Hayden, the former chief of the CIA, said, declining to describe what he knew of these attacks when he was in office. "This is the first attack of a major nature in which a cyberattack was used to effect physical destruction", rather than just slow another computer, or hack into it to steal data.

    "Somebody crossed the Rubicon," he said. [8]
    In true US imperial style, Stuxnet was unleashed unilaterally and without a declaration of war, to satisfy some self-defined imperatives of US President Barack Obama's administration.

    That's not a good precedent for other cyber-powers, including China, to rely on US restraint, or to restrain themselves.

    The Obama administration's attempt to deal with the issue of its first use of cyber-warfare seems to go beyond hypocritical to the pathetic.

    There are rather risible efforts to depict the Stuxnet worm - which caused the centrifuges to disintegrate at supersonic speeds - as little more than a prank, albeit a prank that might impale hapless Iranian technicians with aluminum shards traveling at several hundred kilometres per hour, rather than a massive exercise in industrial sabotage:
    "The intent was that the failures should make them feel they were stupid, which is what happened," the participant in the attacks said. When a few centrifuges failed, the Iranians would close down whole "stands" that linked 164 machines, looking for signs of sabotage in all of them. "They overreacted," one official said. "We soon discovered they fired people."
    According to Sanger, at least President Obama knew what he was getting into:
    Mr Obama, according to participants in the many Situation Room meetings on Olympic Games, was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any American acknowledgment that it was using cyber-weapons - even under the most careful and limited circumstances - could enable other countries, terrorists or hackers to justify their own attacks.

    "We discussed the irony, more than once," one of his aides said. Another said that the administration was resistant to developing a "grand theory for a weapon whose possibilities they were still discovering". Yet Mr Obama concluded that when it came to stopping Iran, the United States had no other choice ...

    Mr Obama has repeatedly told his aides that there are risks to using - and particularly to overusing - the weapon. In fact, no country's infrastructure is more dependent on computer systems, and thus more vulnerable to attack, than that of the United States. It is only a matter of time, most experts believe, before it becomes the target of the same kind of weapon that the Americans have used, secretly, against Iran.

     But Obama did it anyway, in the service of a dubious foreign-policy objective - forcibly and unilaterally disabling Iran's (currently) non-military nuclear program - that was arguably an overreaction to Israel's blustering threat to attack Iran unilaterally, and an attempt to get himself some political breathing space from vociferously pro-Israeli interests in US politics.

    And of course there were problems.

    Stuxnet made a mockery of its reputation as a "surgical strike" magic bullet that would destroy Iran's centrifuges but otherwise do no harm. It escaped into the wild - something that Obama's team likes to blame on the Israelis, but an evasion of culpability that would probably not hold up in a court of law - and infected computer systems around the world.

    Presumably, Chinese intelligence services did not have to wait for Stuxnet to arrive in China; they were probably invited to help out with the forensics by the Iranian government, and probably have a very nice idea of how it works, and creative ideas about how it could be modified to target other systems.

    The Stuxnet background provides an interesting context to the immense ballyhoo about Chinese cyber-espionage and cyber-warfare threats, of which the House Intelligence Committee report is only one instance.

    What better way to distract attention from one's own first use of cyber-weapons than to raise the alarm about what the bad guys might do instead?

    One of the sweetest fruits of this exercise in misdirection is an April (pre-Sanger expose) National Public Radio report on what it identified as the real cyber-threat in the Middle East: Iran.
    The big fear in the US is that a cyberattacker could penetrate a computer system that controls a critical asset like the power grid and shut it down. Such an effort is probably beyond the capability of Iranian actors right now, according to cyber-security experts. But a less ambitious approach would be to hack into the US banking systems and modify the financial data. [Dmitri] Alperovitch, whose new company CrowdStrike focuses on cyber-threats from nation-states, says such an attack is well within Iran's current capability.

    "If you can get into those systems and modify those records, you can cause dramatic havoc that can be very long-lasting," he says.
    The possibility that Israel's traditional bugbear, Hezbollah, could be prevailed upon to deliver the fatal code on Iran's behalf is discussed in detail. [9]

    The Pentagon's cyberwar strategists did their best to frame the cyberwar issue as law-abiding America vs the unprincipled cyber-predators of the PRC.

    With Sanger-assisted Stuxnet hindsight, this May report, with its wonderful title "US hopes China will recognize its cyber war rules", is, well, hypocritical and pathetic:
    While no one has, with 100% certainty, pinned the Chinese government for cyber-attacks on US government and Western companies, in its 2012 report "Military and security developments involving the People's Republic of China", the US secretary of defense considers it likely that "Beijing is using cyber-network operations as a tool to collect strategic intelligence" ...

    The report raises China's unwillingness to acknowledge the "Laws of Armed Conflict", which the Pentagon last year determined did apply to cyberspace ...

    Robert Clark, operational attorney for the US Army Cyber Command, told Australian delegates at the AusCERT conference last week how the Laws of Armed Conflict in cyberspace might work internationally to determine when a country can claim self-defense and how they should measure a proportionate response.

    One problem with it was highlighted by Iran, following the Stuxnet attack on its uranium-enrichment facility in Natanz, which never declared the incident a cyberattack.

    Air Force Colonel Gary Brown, an attorney for US Cyber Command, in March this year detailed dozens of reasons why Iran, in the context of the Laws of Armed Conflicts in cyberspace, didn't declare it an attack. This included that difficulties remain in attributing such an attack to a single state. [10]
    A few days later, Sanger's story confirmed that the Obama administration had indeed released Stuxnet, rendering moot the Pentagon's plans for a chivalric, rules-based cyberwar tournament, with the US occupying the moral high ground.

    Heightened mutual suspicion - maybe we should call it endemic mistrust - is now a given in cyber-relations between the United States and its adversaries/competitors, for a lot of good reasons that don't necessarily have anything to do with Chinese misbehavior, but have more than a little to do with the US willingness to unleash a cyberattack on an exasperating enemy without setting clearly defined ground rules, and its need to pull up the cyber-drawbridge over the national digital moat to prevent retaliation.

    Suspicion of other people's cyber-motives has become a self-fulfilling prophecy, and anxious allies are expressing their cyber-solidarity by banding together against the external threat.

    In the midst of important national debates on Chinese investment, Canadian and Australian intelligence services, probably prompted by their opposite numbers in the United States, both issued damning reports on Chinese cyber-threats.

    The Australian government has banned Huawei and ZTE from participation in its massive National Broadband Network project. In Canada, cyber-spying is cited as a justification for limiting investment by Chinese state-owned enterprises (such as CNOOC) in any strategic Canadian businesses.

    On the other side of the fence, Iran, in a decision that was widely mocked in the United States, is developing a more secure national intranet - with equipment allegedly provided by Huawei.

    Of course, in the up-is-down rhetoric that drives US Internet policy, Iran's attempts to shield itself from foreign threats is itself a threat:
    "Any attempt by a country to make an intranet is doomed to failure," Cedric Leighton, a retired deputy director at the National Security Agency, said in an interview. But he said Iran's "cyber-army", a network of government-supported hackers that has attacked Western targets in recent years, does stand to gain from the attempted creation of a national network. By connecting thousands of servers inside Iran, the government would "build on their knowledge of networks and how they operate", he said, increasing their capabilities to both launch and repel cyberattacks. [11]
    By the way, the largest intranet in the world is the unclassified chunk of the US military's data network, known as NIPRNET, a fact that perhaps escaped Leighton. SIPRNet, the classified part of the US military network, with 4.2 million users, is also doing OK, though it was the source for the WikiLeaks CD.

    As The Economist put it, the Internet is becoming balkanized. [12]

    And as Winston Churchill might have put it, a digital curtain is descending across the Middle East, Asia, and virtually every significant national border. This phenomenon is a direct expression of the insecurity of governments as they attempt to limit the vulnerabilities that encrypted connectivity reveal to their internal and external enemies, and as they deal with the consequences of their own efforts to exploit and compromise the Internet.

    It is easy for governments to blame others, but they might as well blame themselves.

    Notes:
    1. Click here for full text of the report (pdf file).
    2. The company that spooked the world, The Economist, Aug 4, 2012.
    3. Crypto-Gram Newsletter, Schneier, Mar 15, 2012.
    4. FBI software cracks encryption wall, MSN, Nov 20, 2001.
    5. India: We DO have the BlackBerry encryption keys, The Register, Aug 2, 2012.
    6. British PM considers turning off social networks amid further riots, ZD Net, Aug 11, 2011.
    7. Why the United States Is So Afraid of Huawei, Technology Review, Oct 9, 2012.
    8. Obama Order Sped Up Wave of Cyberattacks Against Iran, The New York Times, Jun 1, 2012.
    9. Could Iran Wage a Cyberwar on the US?, Apr 26, 2012.
    10. US hopeful China will recognise its cyber war rules, CSO, May 21, 2012.
    11. Iran tightens online control by creating own network, Guardian, Sep 25, 2012.
    12. The company that spooked the world, Economist, Aug 4, 2012

     Newspaper images from Capital New York

    1 comment:

    blowback said...

    "The United States should view with suspicion the continued penetration of the US telecommunications market by Chinese telecommunications companies."

    That is the exclusive preserve of Israeli companies!