The theme of Secretary of Defense Panetta’s remarks at the
Intrepid Air and Sea Museum on October 12 before the “Business Executives for
National Security”, in the words of the BBC:
Actually, Mr. Panetta, the “cyber Pearl Harbor” has already
happened.
It was called Stuxnet, the virus designed and delivered by
the governments of the United States and Israel to sabotage Iran’s nuclear
program.
By unleashing Stuxnet—an act of cyberwar—a Rubicon was
crossed. Not my words, but the words of
Michael Hayden, the ex-director of the CIA.
Now the United States is scrambling to deal with the
consequences…and the Western media is by and large obligingly doing its best to
help shove Stuxnet into the memory hole.
Panetta used his speech to push for more cybersecurity
legislation by discussing cyberattacks on Aramco in Saudi Arabia and RasGas of
Qatar using the “Shamoon” virus. The
attacks—which occurred and were reported in August 2012, a few months after
Stuxnet—wiped data from tens of thousands of management computers, replaced some
files with a taunting image of a burning American flag, and reportedly rendered
the computers useless.
I was amused to hear that Mr. Panetta carefully characterized these
incidents as “the most destructive [cyber] attack that the private sector has
seen to date.”
I assume he added the “private sector” qualifier to put the
fear of cyber-God into the security-obsessed executives he was addressing
(although applying the term “private sector” to Aramco, the state-owned Saudi
Arabian oil behemoth, and RasGas, which is 70% owned by state-owned
Qatar Petroleum, is a bit of a stretch).
But limiting the scope of discussion to “private sector” cyberattacks also excludes
the much more significant, expensive, fiendishly complex, and destructive Stuxnet virus, which attacked and
disabled a strategic Iranian government installation.
Stuxnet
typifies the grave threat to physical infrastructure that Mr. Panetta got so worked
up about much more vividly than an office computer data hack along the lines of Shamoon.
And Stuxnet escaped into the wild to infect computer systems around the world! Collateral damage-wise, there apparently wasn't much for Stuxnet to do in a non-uranium centrifuge environment, but it did
spread to 100,000 hosts in 155 (mostly US-friendly) countries. (There has recently been a good deal of
techie back and forth as to whether Stuxnet's global romp was really an unplanned escape; presumably people are implying that the Israeli spooks inserted some kind of hunter-killer app that allowed the virus to search Iran and the globe for similar installations to degrade.)
Despite its obvious utility as an object lesson in the
genuine, real world dangers of cyberweaponry, Stuxnet did not come up in Mr.
Panetta’s remarks, or in much of the media coverage.
Wonder why.
Instead, DoD backgrounders painted the Shamoon attacks as dastardly underhanded Iranian
payback for a (legal and public) sanctions regime, not as possible direct retaliation for a
(secret and unilateral) cyberattack.
To its credit, the New York Times, which got the Stuxnet story from the
Obama White House back in June, did mention the Stuxnet exploit in its coverage of
Panetta’s speech.
In any case, the United States, having committed the first
cyberattack, is trying to pull up the cyberdrawbridge in anticipation of
retaliation.
One of the more interesting elements of this exercise is the
U.S. effort to paint its actions as a response to Chinese and Iranian
cyberthreats, instead of its own actions.
As indicated above, the Western media has been an obliging enabler,
leading to some topsy-turvy reporting.
The Daily News titled the AP report on Panetta’s speech:
Maybe a better title would be Anti-Iran Alliance Reaps Viral Retaliation for Stuxnet Sneak Attack.
Now, I’m sometimes accused of promoting false moral
equivalence between the PRC and the United States, i.e., judging Chinese and US
actions by similar standards.
But, in my mind, what is really dangerous is the false
assumption of moral superiority that underlies much of the reporting about
China and Iran.
According to the moral superiority equation, the United States
is automatically in the right in any dispute with the PRC and Iran because of
the innate superiority of our system and the ideological, economic, and human
rights defects of the PRC and Iranian regimes.
Despite the resounding disaster of the Iraq war, this
tendency has strengthened in recent years with the further institutionalization
of the “responsibility to protect” doctrine as a pretext for US foreign policy
intervention.
Targets of Western intervention are progressively delegitimized
so that unprovoked attack elicits no condemnation, and efforts by our
adversaries to defend themselves, especially by trying to establish a deterrent
by demonstrating an ability to retaliate, are ipso facto morally indefensible.
I was struck, for instance, by the reporting of the Daily
News and New York Post, albeit tabloid outliers, on President Ahmadinejad’s
visit to New York to address the UN General Assembly in September (post Stuxnet, of course).
They greeted him with front page, full-sized photos of
Ahmadinejad flashing the V sign, garlanded with the epithet PEACE OF SH!T (Post) and VILE
(News).
This sort of stuff is usually forgiven on First Amendment
grounds and excused as harmless hyperbole used to sell newspapers. But it’s certainly not making war with Iran
less likely, especially in the minds of the easily excited.
The Daily News
reported favorably on the assault by an MEK-linked
crowd on a Foreign Ministry official who got separated from his group
on the streets of New York:
An Arkansas man landed a blow for
democracy Wednesday — right to the gut of an Iranian official.
Gregory Nelson received cheers and
handshakes from anti-Iran protesters after slugging Foreign Ministry mouthpiece
Ramin Mehmanparast on 48th St. near Second Ave.
“It felt really good,” said Nelson,
50, after delivering his shot to the Iranian bigwig’s stomach. “It wasn’t that
hard, but he felt it.”
Nelson was flanked by a horde of
protesters, many of them Iranian immigrants demanding democracy in their
homeland, when Mehmanparast walked past after President Mahmoud Ahmadinejad’s
United Nations speech.
The former Army National Guard member,
doing his best Mike Tyson impression, saw an opening and swung at the
spokesman’s midsection before he could escape.
“We don’t usually conduct ourselves
like that, but he’s a murderer,” said the bearded, ponytailed Nelson. “That
whole regime, everybody is responsible for the murders that go on.”
Maybe Ahmadinejad feels he would have been treated with a
little more courtesy if he had the atomic bomb; in any case, I don’t think his
reception in New York convinced him Iran should abandon its ideas of a nuclear
deterrent.
For those with short memories, the whole “delegitimization
from an attitude of Western moral superiority” thing was applied to Saddam
Hussein before Mahmoud Ahmadinejad, until invading Iraq became a moral
imperative, not just an extremely dubious foreign policy option.
That’s why I consider China-bashing rather worrisome, even
though the combination of the PRC’s nuclear deterrent and Western squeamishness
about land wars in Asia makes an attack on China proper almost inconceivable.
As the Iran precedent shows, there’s still plenty of room
for terrorism, economic warfare, subversion, cyber wars, proxy wars, and every
kind of human misery short of outright invasion.
US policy toward China is getting locked into a
self-reinforcing cycle of continued provocation, response, and delegitimization
which creates an environment of escalating crisis that some in the United
States security establishment seem happy to promote and makes confrontation
with the PRC more likely.
Escalating responses to cyberthreats feed this dynamic.
As Secretary Panetta's speech demonstrates, touting the insidious cyberwar designs of our adversaries has too much
efficacy as a national security hot button for the US government and the
Western media to be squeamish about pushing it, no matter what we did with Stuxnet. We're the good guys, after all!
That's certainly the case for China, which is a cyber-adversary of considerable notoriety, though (unlike the United States)
it has apparently confined the bulk of its efforts to espionage rather
than sabotage to date.
In any case, the contortions of Secretary Panetta (and the media) over America's Stuxnet legacy provide a nice and timely segue into my most recent piece
for Asia Times.
The piece discusses the hullaballoo over Huawei and ZTE, two
Chinese telecommunications vendors who the U.S. House of Representatives
Intelligence Committee would like to see banned from any private as well as
public U.S. networks.
I argue that the reason why Huawei and ZTE can’t be trusted
is because the U.S. can’t be trusted. It
unleashed Stuxnet in a unilateral, secret cyberattack and rendered moot the
Pentagon’s hopeful effort to negotiate the rules of cyberwar. With cyberwar not just on the agenda but
actually being practiced out in the field, thanks to President Obama, I’d also
worry that somehow the Chinese government would try to diddle with our precious
networks and the sensitive infrastructure they control.
Whether or not the PRC’s spooks would go through Huawei and
ZTE is, of course, another matter, one for the experts in cybersabotage to
consider. For one thing, many of the
network suppliers whom the Intelligence Committee considers trustworthy, like
Alcatel, already manufacture a lot of sensitive equipment within Chinese
borders.
Anyway, here’s the story on Huawei, the latest Chinese
bugbear. Readers are invited to consider
whether pounding on China this way is making us safer, or pushing us unprepared
toward some kind of dangerous and uncertain future.
It can be reposted if ATOl is credited and a
link provided.
US digs in for cyber warfare
By Peter Lee
Recently the US House of Representatives
Intelligence Committee took a meat-ax to Huawei,
the Chinese telecommunications giant, and its
little brother ZTE in a 60-page report on
national-security issues posed by the two
companies.
The conclusion:
They're commies.
We can't trust 'em. Or, as the executive
summary put it:
The United States should view with
suspicion the continued penetration of the US
telecommunications market by Chinese
telecommunications companies.
[1]
Specifically, the committee
recommended that the government not
purchase any Huawei or ZTE equipment.
The
committee rubbed further salt in the wound by
recommending that private companies not buy any
Huawei or ZTE telecommunications equipment either.
It also invited the legislative branch to
expand the jurisdiction of the Committee on
Foreign Investment in the United States (CFIUS) to
enable it to block procurement of Chinese
telecommunication equipment by US customers, in
addition to exercising its traditional powers of
blocking foreign investment deemed harmful to US
security. CFIUS had previously blocked Huawei's
participation in a deal to take 3Com private -
which was brokered by Mitt Romney's Bain Capital -
and recently denied Huawei's attempt to buy 3Leaf,
a California cloud computing company.
Certainly not the clean bill of health
that Huawei was hoping for when it invited the US
government to investigate its operations.
It is clear that the Chinese companies
were given the Saddam Hussein treatment. Just as
the Iraqi despot was put in the impossible
position of proving a negative - that he did not
have any weapons of mass destruction - Huawei and
ZTE executives were called upon to prove their
companies were not untrustworthy.
Mission
unaccomplished, for sure.
The public
committee report is little more than a litany of
complaints about unclear answers, insufficient
disclosure, inadequate clarification, failure to
alleviate concerns, making non-credible
assertions, failure to document assertions,
failure to answer key questions, refusal to be
transparent, and so on and so forth. Huawei, in
particular, was dinged for "a lack of cooperation
shown throughout this investigation".
The
committee's conclusion:
Throughout the months-long
investigation, both Huawei and ZTE sought to
describe, in different terms, why neither
company is a threat to US national-security
interests. Unfortunately, neither ZTE nor Huawei
[has] cooperated fully with the investigation,
and both companies have failed to provide
documents or other evidence that would
substantiate their claims or lend support for
their narratives.
To drive a stake
into the heart of any dreams that Huawei or ZTE
had of providing "mitigation assurances" -
bureaucratese for acceptable measures to allay US
security concerns - the committee made the
interesting decision to dump all over the British
government.
Keen on Chinese investment in
its backbone telecommunications networks, the
British government accepted the reassurance
provided by a cyber-security center, funded by
Huawei and staffed by UK citizens with security
clearances, with the job of vetting Huawei
products for hinky bits.
The US
intelligence committee dismissed these efforts as
futile given the complex, opaque and frequently
updated character of telecommunications software:
The task of finding and eliminating
every significant vulnerability from a complex
product is monumental. If we also consider flaws
intentionally inserted by a determined and
clever insider, the task becomes virtually
impossible.
In terms of specific
evidence of Huawei and ZTE malfeasance, there is
little meat on the bones of the public document.
On the technical side, the evidence
supporting Huawei and ZTE infiltration of the US
telecommunications software presented in the
public report was less than earth-shaking:
Companies around the United States
have experienced odd or alerting incidents using
Huawei or ZTE equipment. Officials with these
companies, however, often expressed concern that
publicly acknowledging these incidents would be
detrimental to their internal investigations and
attribution efforts, undermine their ongoing
efforts to defend their systems, and also put at
risk their ongoing contracts.
Similarly,
statements by former or current employees
describing flaws in the Huawei or ZTE equipment
and other potentially unethical or illegal
behavior by Huawei officials were hindered by
employees' fears of retribution or
retaliation.
Presumably, the
confidential annex to the committee report makes a
more compelling case, but one has to wonder.
According to The Economist:
Years of intense scrutiny by experts
have not produced conclusive public evidence of
deliberate skulduggery, as opposed to mistakes,
in Huawei's wares. BT, a British telecoms
company that buys products vetted in [the
cyber-security center at] Banbury, says it has
not had any security issues with them (though it
rechecks everything itself, just to be sure).
[2]
In a sign that no existential
smoking cyber-guns had been revealed, the worst
punishment for Huawei's lack of cooperation that
the committee could apparently mete out (other
than trying to destroy Huawei's US business) was
threatening to forward information to the Justice
Department concerning possible corporate
malfeasance in the routine areas of immigration
violations, fraud and bribery, discrimination, and
use of pirated software by Huawei in its US
operations.
It can be taken as a given
that the People's Republic of China (PRC) is
intensely interested in cyber-espionage -
diplomatic, military, and commercial - against the
United States and cyber-warfare against US
government, security, and public infrastructure if
and when the need arises.
However, the
case that Huawei is a knowing or even a necessary
participant in these nefarious schemes is
unproved.
Nevertheless, Huawei's attempts
to generate a clean bill of health for itself with
Western critics are pretty much futile.
That's because government weaponization of
communications technology is a given - for
everybody, in the West as well as in China.
Beneath the freedom-of-information
rhetoric, the West is converging with the East and
South when it comes to protecting, monitoring and
controlling its networks.
In the United
States, providing government law enforcement with
back-door access to networks, aka "lawful
intercept", is a legal requirement for digital
telecom, broadband Internet, and voice-over-IP
service and equipment providers under the CALEA
(Communications Assistance to Law Enforcement Act)
law. The Federal Bureau of Investigation (FBI) is
currently lobbying the US administration and the
Federal Communications Commission to require that
social-media providers such as Facebook provide
similar access so that chats and instant messaging
can also be monitored in real time or extracted
from digital storage.
In Europe, similar
law-enforcement access is institutionalized under
the standards of the European Telecommunications
Standards Institute.
Particularly in the
environment after the attacks of September 11,
2001, law enforcement has expressed anxiety about
"going dark" - losing the ability to detect and
monitor communications by bad actors as data and
telecommunications moved from fixed-wire analog
systems to digital, wireless, and band-hopping
protocols.
The situation is aggravated by
the availability of theoretically unbreakable
public/private key 128-bit encryption.
(I say "theoretically", by the way, because creation
of the private key relies on a random-number
generator on the encrypting computer. A recent
study found that some programs were spitting out
non-random random numbers, raising the possibility
that a certain spook agency of a certain
government had been able to diddle with the
programs to generate certain numbers
preferentially, giving said spook agency a leg up
to crack the private keys through otherwise
ineffective brute-force computing techniques.)
[3]
One way to get around the problem of
anonymous users employing unbreakable encryption
from multiple devices is the trend around the
world toward requiring real name registration -
stripping anonymity from Internet posters - and
requiring Internet service providers to become
active participants in law enforcement by
monitoring the activities of their customers.
For encrypted documents and communications
using genuinely random numbers - and absent a
mandated, law-enforcement-accessible third-party
repository for private keys (a demand recently
made of RIM, the BlackBerry people, by the Indian
government), the government has to employ either
judicial compulsion or covert means to obtain
information on private keys from individual
computers. Covert means presumably involve using a
virus or some other means of access to install a
keylogger. [4] [5]
A while back, the FBI
admitted it had such a program, code-named Magic
Lantern - strictly a research operation, of course
- creating the interesting issue of whether or not
anti-virus software vendors could be dragooned
into modifying their programs to ignore the
officially sanctioned virus.
One plausible
reason for excluding Huawei and ZTE from US
networks would be to deny them a possibly
privileged view of how the legal intercept
cyber-sausage gets made.
Even Western
governments have expressed an interest in
flipping the dastardly "kill switch" that deprives
Internet users of their precious connectivity and
is the badge of shame for totalitarian regimes.
During the riots in England last year, the
British government thought of taking a page from
the playbooks of former Egyptian leader Hosni
Mubarak and Iranian President Mahmoud Ahmadinejad.
British Prime Minister David
Cameron, in a statement to the House of Commons
earlier today, made reference to and mooted the
possibility that social media could be
"disrupted" or turned off if riots continue.
Services such as Facebook, Twitter and
crucially BlackBerry Messenger - which has been
used by rioters and looters to organize
disruption across the British capital and other
cities in England - could be restricted in a bid
to prevent further violence; present day or in
future warranted situations.
Speaking in
the House of Commons, David Cameron said: "The
free flow of information can be used for good.
But it can also be used for ill" ...
Conservative Tobias Ellwood MP said in
Parliament that police should be given the
option to switch off cell network masts "and
other social networks" used to coordinate
trouble, violence and disorder.
[6]
Putting a kill switch in the hands
of Huawei is probably the biggest US headache.
With more and more sensitive data
encrypted, it is unclear that squatting on a
Huawei switch and copying the flow of 1s and 0s
will deliver Chinese spies a considerable
incremental benefit over the prodigious targeted
hacking operations they are allegedly engaging in
already.
The real danger from a hostile
piece of telecommunications kit would be
disablement in time of crisis or war, as Fred
Schneider, a computer scientist at Cornell
University in New York state, told Technology
Review:
A trigger could be built either into
the software that comes installed in switches
and network hardware or into the hardware
itself, in which case it would be more difficult
to detect, says Schneider. The simplest kind of
attack, and one very hard to spot, would be to
add a chip that waits for a specific signal and
then disables or reroutes particular
communications at a critical time, he says. This
could be useful "if you were waging some other
kind of attack and you wanted to make it
difficult for the adversary to communicate with
their troops", Schneider says.
[7]
There is a good reason Huawei
can't be trusted to deliver clean kit to critical
US infrastructure customers. That is that we now
live in a world in which cyberwar is an acceptable
and legitimate national tactic.
This
Pandora's box of cyberwar has already been opened
...
... by the United States.
Amid
the ferocious Iran-bashing - and "by any means
necessary" justifications for covert action
against that country's nuclear program - that have
become endemic in the West, the true significance
of the Stuxnet exploit has been overlooked by
many, at least in the West.
Stuxnet was
the release of an important cyber-weapon - a virus
that did not simply seek sensitive information or
attempt to disrupt communication, but one that was
reportedly rather effective in damaging a
strategic Iranian facility by an act of sabotage.
It was an act of cyberwar.
As
David Sanger, The New York Times'
national-security adviser, wrote in his White
House-sanctioned account:
"Previous cyberattacks had effects
limited to other computers," Michael V Hayden,
the former chief of the CIA, said, declining to
describe what he knew of these attacks when he
was in office. "This is the first attack of a
major nature in which a cyberattack was used to
effect physical destruction", rather than just
slow another computer, or hack into it to steal
data.
"Somebody crossed the Rubicon," he
said. [8]
In true US imperial style,
Stuxnet was unleashed unilaterally and without a
declaration of war, to satisfy some self-defined
imperatives of US President Barack Obama's
administration.
That's not a good
precedent for other cyber-powers, including China,
to rely on US restraint, or to restrain
themselves.
The Obama administration's
attempt to deal with the issue of its first use of
cyber-warfare seems to go beyond hypocritical to
the pathetic.
There are rather risible
efforts to depict the Stuxnet worm - which caused
the centrifuges to disintegrate at supersonic
speeds - as little more than a prank, albeit a
prank that might impale hapless Iranian
technicians with aluminum shards traveling at
several hundred kilometres per hour, rather than a
massive exercise in industrial sabotage:
"The intent was that the failures
should make them feel they were stupid, which is
what happened," the participant in the attacks
said. When a few centrifuges failed, the
Iranians would close down whole "stands" that
linked 164 machines, looking for signs of
sabotage in all of them. "They overreacted," one
official said. "We soon discovered they fired
people."
According to Sanger, at least
President Obama knew what he was getting into:
Mr Obama, according to participants
in the many Situation Room meetings on Olympic
Games, was acutely aware that with every attack
he was pushing the United States into new
territory, much as his predecessors had with the
first use of atomic weapons in the 1940s, of
intercontinental missiles in the 1950s and of
drones in the past decade. He repeatedly
expressed concerns that any American
acknowledgment that it was using cyber-weapons -
even under the most careful and limited
circumstances - could enable other countries,
terrorists or hackers to justify their own
attacks.
"We discussed the irony, more
than once," one of his aides said. Another said
that the administration was resistant to
developing a "grand theory for a weapon whose
possibilities they were still discovering". Yet
Mr Obama concluded that when it came to stopping
Iran, the United States had no other choice ...
Mr Obama has repeatedly told his aides
that there are risks to using - and particularly
to overusing - the weapon. In fact, no country's
infrastructure is more dependent on computer
systems, and thus more vulnerable to attack,
than that of the United States. It is only a
matter of time, most experts believe, before it
becomes the target of the same kind of weapon
that the Americans have used, secretly, against
Iran.
But Obama did it anyway, in the service
of a dubious foreign-policy objective - forcibly
and unilaterally disabling Iran's (currently)
non-military nuclear program - that was arguably
an overreaction to Israel's blustering threat to
attack Iran unilaterally, and an attempt to get
himself some political breathing space from
vociferously pro-Israeli interests in US politics.
And of course there were problems.
Stuxnet made a mockery of its reputation
as a "surgical strike" magic bullet that would
destroy Iran's centrifuges but otherwise do no
harm. It escaped into the wild - something that
Obama's team likes to blame on the Israelis, but
an evasion of culpability that would probably not
hold up in a court of law - and infected computer
systems around the world.
Presumably,
Chinese intelligence services did not have to wait
for Stuxnet to arrive in China; they were probably
invited to help out with the forensics by the
Iranian government, and probably have a very nice
idea of how it works, and creative ideas about how
it could be modified to target other systems.
The Stuxnet background provides an
interesting context to the immense ballyhoo about
Chinese cyber-espionage and cyber-warfare threats,
of which the House Intelligence Committee report
is only one instance.
What better way to
distract attention from one's own first use of
cyber-weapons than to raise the alarm about what
the bad guys might do instead?
One of the
sweetest fruits of this exercise in misdirection
is an April (pre-Sanger expose) National Public
Radio report on what it identified as the real
cyber-threat in the Middle East: Iran.
The big fear in the US is that a
cyberattacker could penetrate a computer system
that controls a critical asset like the power
grid and shut it down. Such an effort is
probably beyond the capability of Iranian actors
right now, according to cyber-security experts.
But a less ambitious approach would be to hack
into the US banking systems and modify the
financial data. [Dmitri] Alperovitch, whose new
company CrowdStrike focuses on cyber-threats
from nation-states, says such an attack is well
within Iran's current capability.
"If
you can get into those systems and modify those
records, you can cause dramatic havoc that can
be very long-lasting," he says.
The
possibility that Israel's traditional bugbear,
Hezbollah, could be prevailed upon to deliver the
fatal code on Iran's behalf is discussed in
detail. [9]
The Pentagon's cyberwar
strategists did their best to frame the cyberwar
issue as law-abiding America vs the unprincipled
cyber-predators of the PRC.
With
Sanger-assisted Stuxnet hindsight, this May
report, with its wonderful title "US hopes China
will recognize its cyber war rules", is, well,
hypocritical and pathetic:
While no one has, with 100%
certainty, pinned the Chinese government for
cyber-attacks on US government and Western
companies, in its 2012 report "Military and
security developments involving the People's
Republic of China", the US secretary of defense
considers it likely that "Beijing is using
cyber-network operations as a tool to collect
strategic intelligence" ...
The report
raises China's unwillingness to acknowledge the
"Laws of Armed Conflict", which the Pentagon
last year determined did apply to cyberspace ...
Robert Clark, operational attorney for
the US Army Cyber Command, told Australian
delegates at the AusCERT conference last week
how the Laws of Armed Conflict in cyberspace
might work internationally to determine when a
country can claim self-defense and how they
should measure a proportionate response.
One problem with it was highlighted by
Iran, following the Stuxnet attack on its
uranium-enrichment facility in Natanz, which
never declared the incident a cyberattack.
Air Force Colonel Gary Brown, an
attorney for US Cyber Command, in March this
year detailed dozens of reasons why Iran, in the
context of the Laws of Armed Conflicts in
cyberspace, didn't declare it an attack. This
included that difficulties remain in attributing
such an attack to a single state.
[10]
A few days later, Sanger's story
confirmed that the Obama administration had indeed
released Stuxnet, rendering moot the Pentagon's
plans for a chivalric, rules-based cyberwar
tournament, with the US occupying the moral high
ground.
Heightened mutual suspicion -
maybe we should call it endemic mistrust - is now
a given in cyber-relations between the United
States and its adversaries/competitors, for a lot
of good reasons that don't necessarily have
anything to do with Chinese misbehavior, but have
more than a little to do with the US willingness
to unleash a cyberattack on an exasperating enemy
without setting clearly defined ground rules, and
its need to pull up the cyber-drawbridge over the
national digital moat to prevent retaliation.
Suspicion of other people's cyber-motives
has become a self-fulfilling prophecy, and anxious
allies are expressing their cyber-solidarity by
banding together against the external threat.
In the midst of important national debates
on Chinese investment, Canadian and Australian
intelligence services, probably prompted by their
opposite numbers in the United States, both issued
damning reports on Chinese cyber-threats.
The Australian government has banned
Huawei and ZTE from participation in its massive
National Broadband Network project. In Canada,
cyber-spying is cited as a justification for
limiting investment by Chinese state-owned
enterprises (such as CNOOC) in any strategic
Canadian businesses.
On the other side of
the fence, Iran, in a decision that was widely
mocked in the United States, is developing a more
secure national intranet - with equipment
allegedly provided by Huawei.
Of course,
in the up-is-down rhetoric that drives US Internet
policy, Iran's attempt to shield itself from
foreign threats is itself a threat:
"Any attempt by a country to make an
intranet is doomed to failure," Cedric Leighton,
a retired deputy director at the National
Security Agency, said in an interview. But he
said Iran's "cyber-army", a network of
government-supported hackers that has attacked
Western targets in recent years, does stand to
gain from the attempted creation of a national
network. By connecting thousands of servers
inside Iran, the government would "build on
their knowledge of networks and how they
operate", he said, increasing their capabilities
to both launch and repel cyberattacks.
[11]
By the way, the largest intranet
in the world is the unclassified chunk of the US
military's data network, known as NIPRNET, a fact
that perhaps escaped Leighton. SIPRNet, the
classified part of the US military network, with
4.2 million users, is also doing OK, though it was
the source for the WikiLeaks CD.
As The
Economist put it, the Internet is becoming
balkanized. [12]
And as Winston Churchill
might have put it, a digital curtain is descending
across the Middle East, Asia, and virtually every
significant national border. This phenomenon is a
direct expression of the insecurity of governments
as they attempt to limit the vulnerabilities that
encrypted connectivity reveals to their internal
and external enemies, and as they deal with the
consequences of their own efforts to exploit and
compromise the Internet.
It is easy for
governments to blame others, but they might as
well blame themselves.
Notes:
1. Click here for full text of the report (pdf file).
2. The company that spooked the world, The Economist, Aug 4, 2012.
3. Crypto-Gram Newsletter, Schneier, Mar 15, 2012.
4. FBI software cracks encryption wall, MSN, Nov 20, 2001.
5. India: We DO have the BlackBerry encryption keys, The Register, Aug 2, 2012.
6. British PM considers turning off social networks amid further riots, ZD Net, Aug 11, 2011.
7. Why the United States Is So Afraid of Huawei, Technology Review, Oct 9, 2012.
8. Obama Order Sped Up Wave of Cyberattacks Against Iran, The New York Times, Jun 1, 2012.
9. Could Iran Wage a Cyberwar on the US?, Apr 26, 2012.
10. US hopeful China will recognise its cyber war rules, CSO, May 21, 2012.
11. Iran tightens online control by creating own network, Guardian, Sep 25, 2012.
12. The company that spooked the world, The Economist, Aug 4, 2012.