Posted by Don McLenaghen on July 27, 2011
In a recent hearing of the House Oversight and Government Reform Committee, Greg Schaffer (acting deputy undersecretary of the Department of Homeland Security National Protection and Programs Directorate) stated that there were instances where consumer electronics were imported with hardware/software security risks…These risks were implied to be purposeful and with the intent of surveillance, spying or as a potential weapon (as in a kill switch on electronics). In plain speak, it was the judgment of DHS that there were actual attempts at ‘cyber surveillance’ and perhaps ‘cyber sabotage’.
The risks come in two forms. The first is direct inclusion…where the actual devices are ‘altered’ at the source. So, for example, a number of business security experts have suspected that China has used its manufacturing ‘centrality’ (i.e. everything is “made in China”) to facilitate industrial espionage. Others also suspect that the Chinese (or Indians, Israelis, Russians, etc…) have included security back doors for political/military spying or added command code to shut down critical systems.
Another risk comes from the globality of production. There has been some concern about supply-chain security, as computers, portable devices and other electronic devices pass through several suppliers before the final product goes on sale. A federal report released in January on the supply chain between the United States and China speculated about the possibility that somewhere along the line someone could compromise a component or design a capability that could enable cyber-attacks. These inclusions expand the possible perpetrators of ‘cybercrime’ to non-obvious industry, third-party nations or non-government groups (such as terrorists et al.). It seems highly unlikely, and the importance of Schaffer’s comments, that such ‘cyber-attacks’ have already occurred and are perhaps as common an issue as ‘civilian’ viruses on the internet.
Of course there is a difficulty in distinguishing ‘real’ intent from accident. During the design phase of software (including that embedded in hardware) or hardware, it is common practice to include back-doors, quick-switches and tracking logs to facilitate debugging. Occasionally…well actually often, this code gets left in due to forgetfulness. Anyone who plays video games knows there are all kinds of ‘hacks’ that can be used to ‘alter’ game play. Almost all were created not for the benefit of the player but to make the life of the programmer easier. Of course it is almost impossible to determine whether these ‘developmental’ tools were left in on purpose or by accident.
Occasionally, infection happens accidentally. At a recent conference IBM was embarrassed to discover that a USB memory stick they were handing out contained malware. It was via this ‘accidental’ contamination that the Stuxnet virus made its way to the Iranian processing plants.
The Stuxnet virus stunned the tech world. For those who do not know, Stuxnet was a virus that most analysts believe was created by Israel, the US, or both to delay Iran’s attempts at developing a nuclear power. The unique thing about this virus vs. the billions already breeding on the Internet is its specificity. It seems it was designed to infect ANYTHING it came in contact with but to only ‘damage’ Iranian centrifuge motors…from what I understand, it could cause the motors to spin out of control to the point of self-destruction.
The creation of the Stuxnet virus…the suspected attacks on Lithuania by Russian nationals in response to a ‘political dispute’…an attack on Georgia “from the former Soviet countries” as a prelude to ‘physical’ attack…the numerous claims that Chinese ‘hackers’ have infiltrated US (and others’) military networks…all these point to another major issue that has arisen – the militarization of the internet.
This can be a huge issue these days because, in a recent press release, the US Pentagon added cyber-attacks as a legitimate casus belli, or justification for war. This means that if there is a major malfunction of some key hardware/software and the US believes the source to be pre-infected electronics from…let’s say China…it could see this as an act of war and respond militarily.
As innocents, we the people are placed in a bad spot…on the one hand we have to be worried that electronics we are purchasing may come ‘pre-infected’ with spyware (targeting not only our own personal data but that of our infrastructure or government) while knowing that our own espionage agencies are likewise turning the internet into the next battlefield. I think what worries me the most is not the loss of privacy or even the fact my own country is actively participating in contaminating yet another miracle of science for military use…no, what worries me is the mis-call.
For those of us who grew up during the latter part of the Cold War, the fear was not the possibility that the USSR and the USA would actually launch a nuclear war but that, due to some electronic malfunction (movie: Failsafe) or rogue individual (movie: Dr. Strangelove), a war would occur by accident. When I look at the power and, more importantly, the accessibility of the internet, I worry.
In the old days, if an individual ‘went rogue’ they picked up a gun and shot a number of people…lots of local harm but no real risk of global conflagration…or a fanatic would have to ‘pass as normal’ until they attained a unique position of power from which they could launch a ‘meaningful’ attack. No, now it is possible for a series of simple accidents…a youthful hacker creates a ‘virus’ to do ‘cool things’ (maybe cause motors to spin out of control or electrical circuits to shut down during the full moon) and a lax or lazy official downloads this virus (like onto a USB stick of music to play at work) and contaminates a ‘critical network’ (like a nuclear power plant control system). This combined with the rapidity of contagion via the internet, the uncertainty of knowing if an ‘attack’ was deliberate or accidental, and lastly the now stated policy of nuclear powers to see cyber-attacks as ‘acts of war’ (allowing for physical attacks in response to cyber-attacks)…all these factors remind me all too well of the time when I went to bed uncertain I would wake to the world I knew or to a nuclear holocaust…perhaps an existential fear for the ‘cyber generation’.