This is a personal tumbleblog, intended for random musings and snippets. I have a somewhat more structured travel and photo blog at disoriented.net, and a neglected vanity site at raingod.com.

Posts Tagged: cyberwarfare


In today’s despatch from the You Could Not Make This Up department, Russia, China, Uzbekistan and Tajikistan have jointly proposed an Internet code of conduct. The proposed code demands that countries show respect for “human rights and fundamental freedoms”, and work to combat “criminal and terrorist activities that use information and communications technologies”. It also enjoins states not to use the Internet to “carry out hostile activities or acts of aggression”.

It would perhaps be impolite to point out that none of the four backers are really known for their enlightened position on human rights, and when it comes to “criminal … activities that use … communications technologies”, Russia might want to deal with some of its own thriving population of hackers, spammers, carders and DDoS specialists before telling the rest of the world how to behave. As for “hostile activities or acts of aggression”, there’s reason to think that neither China nor Russia is innocent of this particular charge. Of course both nations claim to be more sinned against than sinning, with the Russian government in particular denying any involvement in, say, attacks against LiveJournal or regional rivals. (These attacks are usually blamed on a few overenthusiastic patriots; naturally, the Russian state deplores such anti-social behavior.)

Which raises the question: whose idea was this, and were they able to keep a straight face when they presented it?


Back in July, I wrote about a piece of malware that used a Windows vulnerability to attack SCADA systems. Back then, it was believed that the purpose of the malware was to steal industrial secrets, a concept straight out of science fiction.

Now the worm, which has been christened Stuxnet, looks like it’s even less benign. An article in Wired suggests that it was actually designed to cause SCADA controllers to malfunction, and not in a trivial way: there’s some reason to believe that it was intended to disrupt the parts of the controllers that, well, prevent stuff from blowing up. The fact that the first major infestation seems to have been detected in Iran has led to speculation that it was designed to target Iranian nuclear facilities, perhaps with the goal of triggering a major accident.

Any speculation needs to be taken with a helping of salt. Nevertheless, it does seem that the worm represented a substantial development effort and would have required detailed knowledge of a number of very different types of system. That makes it unlikely to have been the work of what John Brunner called a ‘hobby saboteur’. While the worm seems to have had some features, such as a resilient command-and-control system, commonly seen in botnet software created by so-called cybercriminals, there’s no evidence yet of any profit motive. That would seem to rule out cybercriminals as the authors.

So if the worm really was a weapon, then it was probably developed by a government. This raises two questions. The obvious one is ‘Which government?’; the less obvious one is how the authors intended to prevent the worm spreading to ‘friendly’ systems and causing damage there. As in biological warfare, the big worry is that the infection will run out of control and start hurting your own side. To avoid this, you either have to immunize your own population, or you have to have some expectation that the infection will be confined to a limited area (or duration). The worm seems to have been intended to propagate over local area networks; it’s unclear whether it could also have spread via the Internet. Still, it seems to have spread widely enough for the infestations to be detectable, something that the authors must have anticipated. I’d be curious to know whether any kind of ‘immunization’ program took place anywhere around the time that the worm was launched, designed to protect critical systems against precisely the kind of threat posed by this worm.

As for the question of ‘who?’, if the target was really Iran then the list of likely authors comes down to just two nations: Israel, and the United States. I think it’s quite possible that someone in Fort Meade or Tel Aviv has some ‘splainin’ to do.