Saturday, October 13, 2012

US digs in for cyber warfare

Recently the US House of Representatives Intelligence Committee took a meat-ax to Huawei, the Chinese telecommunications giant, and its little brother ZTE in a 60-page report on national-security issues posed by the two companies.


Secretary of Defense Leon Panetta has a stark new message about cyberterrorism: Hacker attacks that could destroy our power grid and transportation networks aren't the stuff of sci-fi movies and dystopian novels anymore. They could happen at any time.

Speaking at the Intrepid Sea, Air, and Space Museum in New York, Panetta warned of what he called a "cyber Pearl Harbor" that could come from China, Iran, or rogue extremist groups. He acknowledged for the first time that a malware attack last summer on the world's largest oil producer in Saudi Arabia destroyed 30,000 computers, and said he hoped his speech would be a "clarion call" for America to take more action to combat cyber threats.

Some experts accused Panetta of overheated language aimed at Congress, which has failed to pass a bill that would require stricter security at places like power plants. But Panetta rejected that notion, telling Time magazine after the speech, "The whole point of this is that we simply don't just sit back and wait for a goddamn crisis to happen. In this country we tend to do that."


The conclusion: They’re commies. We can’t trust ‘em. Or, as the executive summary put it:
The United States should view with suspicion the continued penetration of the US telecommunications market by Chinese telecommunications companies. [1]

Specifically, the committee recommended that the government not purchase any Huawei or ZTE equipment.

The committee rubbed further salt in the wound by recommending that private companies not buy any Huawei or ZTE telecommunications equipment either.
It also invited the legislative branch to expand the jurisdiction of the Committee on Foreign Investment in the United States (CFIUS) to enable it to block procurement of Chinese telecommunication equipment by US customers, in addition to exercising its traditional powers of blocking foreign investment deemed harmful to US security. CFIUS had previously blocked Huawei’s participation in a deal to take 3Com private – which was brokered by Mitt Romney’s Bain Capital – and recently denied Huawei’s attempt to buy 3Leaf, a California cloud computing company.

Certainly not the clean bill of health that Huawei was hoping for when it invited the US government to investigate its operations.

It is clear that the Chinese companies were given the Saddam Hussein treatment. Just as the Iraqi despot was put in the impossible position of proving a negative – that he did not have any weapons of mass destruction – Huawei and ZTE executives were called upon to prove their companies were not untrustworthy.

Mission unaccomplished, for sure.
The public committee report is little more than a litany of complaints about unclear answers, insufficient disclosure, inadequate clarification, failure to alleviate concerns, making non-credible assertions, failure to document assertions, failure to answer key questions, refusal to be transparent, and so on and so forth. Huawei, in particular, was dinged for “a lack of cooperation shown throughout this investigation”.

The committee’s conclusion:
Throughout the months-long investigation, both Huawei and ZTE sought to describe, in different terms, why neither company is a threat to US national-security interests. Unfortunately, neither ZTE nor Huawei [has] cooperated fully with the investigation, and both companies have failed to provide documents or other evidence that would substantiate their claims or lend support for their narratives.

To drive a stake into the heart of any dreams that Huawei or ZTE had of providing “mitigation assurances” – bureaucratese for acceptable measures to allay US security concerns – the committee made the interesting decision to dump all over the British government.

Keen on Chinese investment in its backbone telecommunications networks, the British government accepted the reassurance provided by a cyber-security center, funded by Huawei and staffed by UK citizens with security clearances, with the job of vetting Huawei products for hinky bits.

The US intelligence committee dismissed these efforts as futile given the complex, opaque and frequently updated character of telecommunications software:

The task of finding and eliminating every significant vulnerability from a complex product is monumental. If we also consider flaws intentionally inserted by a determined and clever insider, the task becomes virtually impossible.

In terms of specific evidence of Huawei and ZTE malfeasance, there is little meat on the bones of the public document. On the technical side, the evidence supporting Huawei and ZTE infiltration of the US telecommunications software presented in the public report was less than earth-shaking:

Companies around the United States have experienced odd or alerting incidents using Huawei or ZTE equipment. Officials with these companies, however, often expressed concern that publicly acknowledging these incidents would be detrimental to their internal investigations and attribution efforts, undermine their ongoing efforts to defend their systems, and also put at risk their ongoing contracts.

Similarly, statements by former or current employees describing flaws in the Huawei or ZTE equipment and other potentially unethical or illegal behavior by Huawei officials were hindered by employees’ fears of retribution or retaliation.

Presumably, the confidential annex to the committee report makes a more compelling case, but one has to wonder.

According to The Economist:
Years of intense scrutiny by experts have not produced conclusive public evidence of deliberate skulduggery, as opposed to mistakes, in Huawei’s wares. BT, a British telecoms company that buys products vetted in [the cyber-security center at] Banbury, says it has not had any security issues with them (though it rechecks everything itself, just to be sure). [2]

In a sign that no existential smoking cyber-guns had been revealed, the worst punishment for Huawei’s lack of cooperation that the committee could apparently mete out (other than trying to destroy Huawei’s US business) was threatening to forward information to the Justice Department concerning possible corporate malfeasance in the routine areas of immigration violations, fraud and bribery, discrimination, and use of pirated software by Huawei in its US operations.

It can be taken as a given that the People’s Republic of China (PRC) is intensely interested in cyber-espionage – diplomatic, military, and commercial – against the United States and cyber-warfare against US government, security, and public infrastructure if and when the need arises.

However, the case that Huawei is a knowing or even a necessary participant in these nefarious schemes is unproved. Nevertheless, Huawei’s attempts to generate a clean bill of health for itself with Western critics are pretty much futile. That’s because government weaponization of communications technology is a given – for everybody, in the West as well as in China. Beneath the freedom-of-information rhetoric, the West is converging with the East and South when it comes to protecting, monitoring and controlling its networks.

In the United States, providing government law enforcement with back-door access to networks, aka “lawful intercept”, is a legal requirement for digital telecom, broadband Internet, and voice-over-IP service and equipment providers under the CALEA (Communications Assistance to Law Enforcement Act) law. The Federal Bureau of Investigation (FBI) is currently lobbying the US administration and the Federal Communications Commission to require that social-media providers such as Facebook provide similar access so that chats and instant messaging can also be monitored in real time or extracted from digital storage.

In Europe, similar law-enforcement access is institutionalized under the standards of the European Telecommunications Standards Institute. Particularly in the environment after the attacks of September 11, 2001, law enforcement has expressed anxiety about “going dark” – losing the ability to detect and monitor communications by bad actors as data and telecommunications moved from fixed-wire analog systems to digital, wireless, and band-hopping protocols.

The situation is aggravated by the availability of theoretically unbreakable public/private key 128-bit encryption.
(I say “theoretically”, by the way, because creation of the private key relies on a random-number generator on the encrypting computer. A recent study found that some programs were spitting out non-random random numbers, raising the possibility that a certain spook agency of a certain government had been able to diddle with the programs to generate certain numbers preferentially, giving said spook agency a leg up to crack the private keys through otherwise ineffective brute-force computing techniques.) [3]
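The study referred to above found that keys generated with too little randomness can share a prime factor, which is exactly the "leg up" that makes brute force unnecessary. The following is an added example, not from the article, that shows the audit a defender runs over a fleet's public keys; it assumes a hypothetical generator whose first prime is drawn from a tiny entropy pool, and it uses constructed toy-sized primes.

```python
"""Shared-factor audit of RSA moduli.

Added example, not from the article. Models the 2012 finding that devices
with too little entropy at boot produced RSA keys sharing a prime factor:
two such moduli give up that prime to a single gcd() call, and with it the
private exponent, so no brute force is needed. Everything here is a
constructed toy: 14-bit primes and a hypothetical generator whose first
prime comes from a 2-bit entropy pool.
"""
from itertools import combinations
from math import gcd

E = 65537  # public exponent


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def next_prime(n: int) -> int:
    while not is_prime(n):
        n += 1
    return n


# Constructed: the only four primes a device can produce while its entropy
# pool holds two bits. This is the defect being modelled.
LOW_ENTROPY_POOL = (10007, 10009, 10037, 10039)


def weak_keypair(device_id: int):
    """Hypothetical broken key generation: p is drawn before the device has
    gathered entropy, q after. Returns (n, e, d)."""
    p = LOW_ENTROPY_POOL[device_id % 4]
    q = next_prime(12000 + 97 * device_id)  # stand-in for real randomness
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return n, E, d


def find_shared_factors(moduli: dict) -> list:
    """Audit check: pairwise gcd over a set of public moduli.
    Returns (name_a, name_b, shared_prime) for every colliding pair."""
    hits = []
    for (a, na), (b, nb) in combinations(moduli.items(), 2):
        g = gcd(na, nb)
        if 1 < g < na:
            hits.append((a, b, g))
    return hits


def recover_private_exponent(n: int, e: int, p: int) -> int:
    """Knowing one prime factor of n is knowing the private key."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def audit_fleet(device_ids) -> list:
    """Generate a fleet of weak keys and report every recoverable one as
    (device name, shared prime, recovered d matches real d)."""
    keys = {f"device-{i}": weak_keypair(i) for i in device_ids}
    moduli = {name: n for name, (n, _, _) in keys.items()}
    report = []
    for a, b, p in find_shared_factors(moduli):
        for name in (a, b):
            n, e, d_real = keys[name]
            report.append((name, p, recover_private_exponent(n, e, p) == d_real))
    return report


if __name__ == "__main__":
    for name, p, ok in audit_fleet(range(8)):
        print(f"{name}: shared prime {p}, private key recovered={ok}")
```

Against a real fleet the same pairwise gcd is run over the deployed public keys (in practice with a batch-gcd algorithm for speed); any hit is a key that must be replaced.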

One way to get around the problem of anonymous users employing unbreakable encryption from multiple devices is the trend around the world toward requiring real name registration – stripping anonymity from Internet posters – and requiring Internet service providers to become active participants in law enforcement by monitoring the activities of their customers.

For encrypted documents and communications using genuinely random numbers – and absent a mandated, law-enforcement-accessible third-party repository for private keys (a demand recently made of RIM, the BlackBerry people, by the Indian government), the government has to employ either judicial compulsion or covert means to obtain information on private keys from individual computers. Covert means presumably involve using a virus or some other means of access to install a keylogger. [4] [5]

A while back, the FBI admitted it had such a program, code-named Magic Lantern – strictly a research operation, of course – creating the interesting issue of whether or not anti-virus software vendors could be dragooned into modifying their programs to ignore the officially sanctioned virus.

One plausible reason for excluding Huawei and ZTE from US networks would be to deny them a possibly privileged view of how the legal intercept cyber-sausage gets made.

Western governments, too, have expressed an interest in flipping the dastardly “kill switch” that deprives Internet users of their precious connectivity and is the badge of shame for totalitarian regimes.

During the riots in England last year, the British government thought of taking a page from the playbooks of former Egyptian leader Hosni Mubarak and Iranian President Mahmoud Ahmadinejad.

British Prime Minister David Cameron, in a statement to the House of Commons earlier today, made reference to and mooted the possibility that social media could be “disrupted” or turned off if riots continue.

Services such as Facebook, Twitter and crucially BlackBerry Messenger – which has been used by rioters and looters to organize disruption across the British capital and other cities in England – could be restricted in a bid to prevent further violence; present day or in future warranted situations.

Speaking in the House of Commons, David Cameron said: “The free flow of information can be used for good. But it can also be used for ill” … Conservative Tobias Ellwood MP said in Parliament that police should be given the option to switch off cell network masts “and other social networks” used to coordinate trouble, violence and disorder. [6]

Putting a kill switch in the hands of Huawei is probably the biggest US headache. With more and more sensitive data encrypted, it is unclear that squatting on a Huawei switch and copying the flow of 1s and 0s will deliver Chinese spies a considerable incremental benefit over the prodigious targeted hacking operations they are allegedly engaging in already.

The real danger from a hostile piece of telecommunications kit would be disablement in time of crisis or war, as Fred Schneider, a computer scientist at Cornell University in New York state, told Technology Review:

A trigger could be built either into the software that comes installed in switches and network hardware or into the hardware itself, in which case it would be more difficult to detect, says Schneider. The simplest kind of attack, and one very hard to spot, would be to add a chip that waits for a specific signal and then disables or reroutes particular communications at a critical time, he says. This could be useful “if you were waging some other kind of attack and you wanted to make it difficult for the adversary to communicate with their troops”, Schneider says. [7]

There is a good reason Huawei can’t be trusted to deliver clean kit to critical US infrastructure customers. That is that we now live in a world in which cyberwar is an acceptable and legitimate national tactic.

This Pandora’s box of cyberwar has already been opened …
… by the United States.

Amid the ferocious Iran-bashing – and “by any means necessary” justifications for covert action against that country’s nuclear program – that have become endemic in the West, the true significance of the Stuxnet exploit has been overlooked by many, at least in the West.

Stuxnet was the release of an important cyber-weapon – a virus that did not simply seek sensitive information or attempt to disrupt communication, but one that was reportedly rather effective in damaging a strategic Iranian facility by an act of sabotage.

It was an act of cyberwar.
As David Sanger, The New York Times’ national-security adviser, wrote in his White House-sanctioned account:

“Previous cyberattacks had effects limited to other computers,” Michael V Hayden, the former chief of the CIA, said, declining to describe what he knew of these attacks when he was in office. “This is the first attack of a major nature in which a cyberattack was used to effect physical destruction”, rather than just slow another computer, or hack into it to steal data.

“Somebody crossed the Rubicon,” he said. [8]
In true US imperial style, Stuxnet was unleashed unilaterally and without a declaration of war, to satisfy some self-defined imperatives of US President Barack Obama’s administration.

That’s not a good precedent for other cyber-powers, including China: to rely on US restraint, or to restrain themselves. 
The Obama administration’s attempt to deal with the issue of its first use of cyber-warfare seems to go beyond hypocritical to the pathetic.

There are rather risible efforts to depict the Stuxnet worm – which caused the centrifuges to disintegrate at supersonic speeds – as little more than a prank, albeit a prank that might impale hapless Iranian technicians with aluminum shards traveling at several hundred kilometres per hour, rather than a massive exercise in industrial sabotage:

“The intent was that the failures should make them feel they were stupid, which is what happened,” the participant in the attacks said. When a few centrifuges failed, the Iranians would close down whole “stands” that linked 164 machines, looking for signs of sabotage in all of them. “They overreacted,” one official said. “We soon discovered they fired people.”

According to Sanger, at least President Obama knew what he was getting into:
Mr Obama, according to participants in the many Situation Room meetings on Olympic Games, was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any American acknowledgment that it was using cyber-weapons – even under the most careful and limited circumstances – could enable other countries, terrorists or hackers to justify their own attacks.

“We discussed the irony, more than once,” one of his aides said. Another said that the administration was resistant to developing a “grand theory for a weapon whose possibilities they were still discovering”. Yet Mr Obama concluded that when it came to stopping Iran, the United States had no other choice …

Mr Obama has repeatedly told his aides that there are risks to using – and particularly to overusing – the weapon. In fact, no country’s infrastructure is more dependent on computer systems, and thus more vulnerable to attack, than that of the United States. It is only a matter of time, most experts believe, before it becomes the target of the same kind of weapon that the Americans have used, secretly, against Iran.

But Obama did it anyway, in the service of a dubious foreign-policy objective – forcibly and unilaterally disabling Iran’s (currently) non-military nuclear program – that was arguably an overreaction to Israel’s blustering threat to attack Iran unilaterally, and an attempt to get himself some political breathing space from vociferously pro-Israeli interests in US politics.

And of course there were problems.

Stuxnet made a mockery of its reputation as a “surgical strike” magic bullet that would destroy Iran’s centrifuges but otherwise do no harm. It escaped into the wild – something that Obama’s team likes to blame on the Israelis, but an evasion of culpability that would probably not hold up in a court of law – and infected computer systems around the world.

Presumably, Chinese intelligence services did not have to wait for Stuxnet to arrive in China; they were probably invited to help out with the forensics by the Iranian government, and probably have a very nice idea of how it works, and creative ideas about how it could be modified to target other systems.

The Stuxnet background provides an interesting context to the immense ballyhoo about Chinese cyber-espionage and cyber-warfare threats, of which the House Intelligence Committee report is only one instance.

What better way to distract attention from one’s own first use of cyber-weapons than to raise the alarm about what the bad guys might do instead?

One of the sweetest fruits of this exercise in misdirection is an April (pre-Sanger expose) National Public Radio report on what it identified as the real cyber-threat in the Middle East: Iran.

The big fear in the US is that a cyberattacker could penetrate a computer system that controls a critical asset like the power grid and shut it down. Such an effort is probably beyond the capability of Iranian actors right now, according to cyber-security experts. But a less ambitious approach would be to hack into the US banking systems and modify the financial data. [Dmitri] Alperovitch, whose new company CrowdStrike focuses on cyber-threats from nation-states, says such an attack is well within Iran’s current capability.

“If you can get into those systems and modify those records, you can cause dramatic havoc that can be very long-lasting,” he says. The possibility that Israel’s traditional bugbear, Hezbollah, could be prevailed upon to deliver the fatal code on Iran’s behalf is discussed in detail. [9]

The Pentagon’s cyberwar strategists did their best to frame the cyberwar issue as law-abiding America vs the unprincipled cyber-predators of the PRC.

With Sanger-assisted Stuxnet hindsight, this May report, with its wonderful title “US hopes China will recognize its cyber war rules”, is, well, hypocritical and pathetic:
While no one has, with 100% certainty, pinned the Chinese government for cyber-attacks on US government and Western companies, in its 2012 report “Military and security developments involving the People’s Republic of China”, the US secretary of defense considers it likely that “Beijing is using cyber-network operations as a tool to collect strategic intelligence” …

The report raises China’s unwillingness to acknowledge the “Laws of Armed Conflict”, which the Pentagon last year determined did apply to cyberspace … Robert Clark, operational attorney for the US Army Cyber Command, told Australian delegates at the AusCERT conference last week how the Laws of Armed Conflict in cyberspace might work internationally to determine when a country can claim self-defense and how they should measure a proportionate response.

One problem with it was highlighted by Iran, following the Stuxnet attack on its uranium-enrichment facility in Natanz, which never declared the incident a cyberattack. Air Force Colonel Gary Brown, an attorney for US Cyber Command, in March this year detailed dozens of reasons why Iran, in the context of the Laws of Armed Conflicts in cyberspace, didn’t declare it an attack. This included that difficulties remain in attributing such an attack to a single state. [10]

A few days later, Sanger’s story confirmed that the Obama administration had indeed released Stuxnet, rendering moot the Pentagon’s plans for a chivalric, rules-based cyberwar tournament, with the US occupying the moral high ground.

Heightened mutual suspicion – maybe we should call it endemic mistrust – is now a given in cyber-relations between the United States and its adversaries/competitors, for a lot of good reasons that don’t necessarily have anything to do with Chinese misbehavior, but have more than a little to do with the US willingness to unleash a cyberattack on an exasperating enemy without setting clearly defined ground rules, and its need to pull up the cyber-drawbridge over the national digital moat to prevent retaliation.

Suspicion of other people’s cyber-motives has become a self-fulfilling prophecy, and anxious allies are expressing their cyber-solidarity by banding together against the external threat. In the midst of important national debates on Chinese investment, Canadian and Australian intelligence services, probably prompted by their opposite numbers in the United States, both issued damning reports on Chinese cyber-threats.

The Australian government has banned Huawei and ZTE from participation in its massive National Broadband Network project. In Canada, cyber-spying is cited as a justification for limiting investment by Chinese state-owned enterprises (such as CNOOC) in any strategic Canadian businesses.

On the other side of the fence, Iran, in a decision that was widely mocked in the United States, is developing a more secure national intranet – with equipment allegedly provided by Huawei. Of course, in the up-is-down rhetoric that drives US Internet policy, Iran’s attempts to shield itself from foreign threats are themselves a threat:

“Any attempt by a country to make an intranet is doomed to failure,” Cedric Leighton, a retired deputy director at the National Security Agency, said in an interview. But he said Iran’s “cyber-army”, a network of government-supported hackers that has attacked Western targets in recent years, does stand to gain from the attempted creation of a national network. By connecting thousands of servers inside Iran, the government would “build on their knowledge of networks and how they operate”, he said, increasing their capabilities to both launch and repel cyberattacks. [11]

By the way, the largest intranet in the world is the unclassified chunk of the US military’s data network, known as NIPRNET, a fact that perhaps escaped Leighton. SIPRNet, the classified part of the US military network, with 4.2 million users, is also doing OK, though it was the source for the WikiLeaks CD.

As The Economist put it, the Internet is becoming balkanized. [12]
And as Winston Churchill might have put it, a digital curtain is descending across the Middle East, Asia, and virtually every significant national border. This phenomenon is a direct expression of the insecurity of governments as they attempt to limit the vulnerabilities that encrypted connectivity reveals to their internal and external enemies, and as they deal with the consequences of their own efforts to exploit and compromise the Internet.

It is easy for governments to blame others, but they might as well blame themselves.

1. Full text of the House Intelligence Committee report (pdf file).
2. The company that spooked the world, The Economist, Aug 4, 2012.
3. Crypto-Gram Newsletter, Schneier, Mar 15, 2012.
4. FBI software cracks encryption wall, MSN, Nov 20, 2001.
5. India: We DO have the BlackBerry encryption keys, The Register, Aug 2, 2012.
6. British PM considers turning off social networks amid further riots, ZDNet, Aug 11, 2011.
7. Why the United States Is So Afraid of Huawei, Technology Review, Oct 9, 2012.
8. Obama Order Sped Up Wave of Cyberattacks Against Iran, The New York Times, Jun 1, 2012.
9. Could Iran Wage a Cyberwar on the US?, NPR, Apr 26, 2012.
10. US hopeful China will recognise its cyber war rules, CSO, May 21, 2012.
11. Iran tightens online control by creating own network, The Guardian, Sep 25, 2012.
12. The company that spooked the world, The Economist, Aug 4, 2012.

Peter Lee