This is a personal tumbleblog, intended for random musings and snippets. I have a somewhat more structured travel and photo blog at disoriented.net, and a neglected vanity site at raingod.com.

Posts Tagged: cyberwar


In today’s despatch from the You Could Not Make This Up department, Russia, China, Uzbekistan and Tajikistan have jointly proposed an Internet code of conduct. The proposed code demands that countries show respect for “human rights and fundamental freedoms”, and work to combat “criminal and terrorist activities that use information and communications technologies”. It also enjoins states not to use the Internet to “carry out hostile activities or acts of aggression”.

It would perhaps be impolite to point out that none of the four backers are really known for their enlightened position on human rights, and when it comes to “criminal … activities that use … communications technologies”, Russia might want to deal with some of its own thriving population of hackers, spammers, carders and DDoS specialists before telling the rest of the world how to behave. As for “hostile activities or acts of aggression”, there’s reason to think that neither China nor Russia are innocent of this particular charge. Of course both nations claim to be more sinned against than sinning, with the Russian government in particular denying any involvement in, say, attacks against LiveJournal or regional rivals. (These attacks are usually blamed on a few overenthusiastic patriots; naturally, the Russian state deplores such anti-social behavior).

Which raises the question: whose idea was this, and were they able to keep a straight face when they presented it?


From time to time, the topic of ‘cyberwar’ comes up in the media, usually accompanied by breathless speculation about the impact on our lifestyle when They (whoever They are) finally launch Their attack on Us, and sometimes by a picture of a steely-haired Air Force general who has been charged with keeping us all safe. No one knows exactly what a cyberwar will look like (my best guess: ridiculously long ping times) but everyone is sure that it’s only a matter of time. When the cyber-attack hits, our electronic defenses will be overwhelmed in a heartbeat and the shattered nation - unable to download Justin Bieber clips, shop on Amazon or receive timely Farmville updates - will suffer a collective collapse of morale that will render us easy pickings for foreign invaders. Something like that, anyway.

This kind of thinking is oddly reminiscent of NATO’s picture of a Warsaw Pact invasion of Europe in the 1980s, except that instead of tank divisions pouring through the Fulda Gap it’ll be rogue Chinese packets flooding across Comcast and Level3.net. But just as the long-expected armored invasion never materialized and we had to hastily retool our war-fighting plans to take on hirsute fanatics in the cities of Iraq and the mountains of Central Asia, it’s possible that the coming cyberwar won’t look exactly the way we expect.

In fact, there seems to be a cyberwar - or at least a cyberskirmish - going on right now and it resembles nothing so much as an extended street fight. In the red corner, anonymous ‘patriots’, opposed to the dissemination of leaked government information by the Australian whistleblower, seducteur extraordinaire and current guest of Her Majesty, Julian Assange; in the blue corner, an equally anonymous group fighting under the banner of “transparency right or wrong”. Battlegrounds - or collateral damage - include the WikiLeaks website and hosting or DNS services that supported it, PayPal, MasterCard, a Swedish law firm, and a Swiss bank. The weapons used include various forms of homebrew DDoS tools, including 4chan’s infamous ‘low orbit ion cannon’ (LOIC), the switchblade of choice for street punks fighting for control of the Intertubes.

Pandalabs has a more detailed description of the current wave of DDoS attacks. Reading it, it’s hard not to think of Matthew Arnold’s line about “where ignorant armies clash by night” … actually, no, it’s very easy not to think of that. I just threw it in because it sounded cool. Seriously, though, it starts to look as if a better model for cyberwar might be the drug-gang wars in Mexico. There too we have ‘non-state actors’ whose identities and objectives are more or less mysterious (and some of whom may be deniable proxies for the state). We have the state intervening as just another combatant, and not necessarily a successful one. And we have a kind of take-no-prisoners ferociousness that threatens to spill over and make life unlivable for everyone.

Looking further back, it’s possible to see analogies in medieval times, where each walled village was pretty much responsible for its own defense. If your website arouses the ire of some angry gang of zealots or the cupidity of professional extortionists, the state isn’t going to leap to your defense. The feudal lord to whom you pay shield money - known these days as an internet service provider - might send troops, but if the action gets too hot and threatens to embroil him in a battle he can’t win, he’ll probably cut you loose.

All this doesn’t offer much scope for steely-haired Air Force generals. They don’t have the interest or the resources to fight in a dozen brushfire wars raging simultaneously. Whatever big guns the state is able to dream up are likely to sit idle most of the time for lack of suitable targets. Cyberwar is asymmetric warfare par excellence: having the most resources or a professional standing army doesn’t guarantee you victory when you have so many weak spots that are vulnerable to hit-and-run attacks by scrappy bands of irregulars.

The Chinese electronic invasion may come one day or it may not. In the meantime, the cyberwars have already started and they aren’t playing out quite the way the media said they would.


Back in July, I wrote about a piece of malware that used a Windows vulnerability to attack SCADA systems. Back then, it was believed that the purpose of the malware was to steal industrial secrets, a concept straight out of science fiction.

Now the worm, which has been christened Stuxnet, looks like it’s even less benign. An article in Wired suggests that it was actually designed to cause SCADA controllers to malfunction, and not in a trivial way: there’s some reason to believe that it was intended to disrupt the parts of the controllers that, well, prevent stuff from blowing up. The fact that the first major infestation seems to have been detected in Iran has led to speculation that it was designed to target Iranian nuclear facilities, perhaps with the goal of triggering a major accident.

Any speculation needs to be taken with a helping of salt. Nevertheless, it does seem that the worm represented a substantial development effort and would have required detailed knowledge of a number of very different types of system. That makes it unlikely to have been the work of what John Brunner called a ‘hobby saboteur’. While the worm seems to have had some features, such as a resilient command-and-control system, commonly seen in botnet software created by so-called cybercriminals, there’s no evidence yet of any profit motive. That would seem to rule out cybercriminals as the authors.

So if the worm really was a weapon, then it was probably developed by a government. This raises two questions. The obvious one is ‘Which government?’; the less obvious one is how the authors intended to prevent the worm spreading to ‘friendly’ systems and causing damage there. As in biological warfare, the big worry is that the infection will run out of control and start hurting your own side. To avoid this, you either have to immunize your own population, or you have to have some expectation that the infection will be confined to a limited area (or duration). The worm seems to have been intended to propagate over local area networks; it’s unclear whether it could also have spread via the Internet. Still, it seems to have spread widely enough for the infestations to be detectable, something that the authors must have anticipated. I’d be curious to know whether any kind of ‘immunization’ program took place anywhere around the time that the worm was launched, designed to protect critical systems against precisely the kind of threat posed by this worm.

As for the question of ‘who?’, if the target was really Iran then the list of likely authors comes down to just two nations: Israel, and the United States. I think it’s quite possible that someone in Fort Meade or Tel Aviv has some ‘splainin’ to do.