<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Warfare Monitor &#187; Espionage</title>
	<atom:link href="http://www.infowar-monitor.net/tag/espionage/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infowar-monitor.net</link>
	<description>Tracking Cyberpower</description>
	<lastBuildDate>Fri, 30 Jul 2010 21:00:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Stuxnet spyware targets industrial facilities, via USB memory stick</title>
		<link>http://www.infowar-monitor.net/2010/07/stuxnet-spyware-targets-industrial-facilities-via-usb-memory-stick/</link>
		<comments>http://www.infowar-monitor.net/2010/07/stuxnet-spyware-targets-industrial-facilities-via-usb-memory-stick/#comments</comments>
		<pubDate>Fri, 30 Jul 2010 20:56:26 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[critical infrastructure]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=6240</guid>
		<description><![CDATA[<blockquote>

Source: <a href="http://www.csmonitor.com/USA/2010/0723/Stuxnet-spyware-targets-industrial-facilities-via-USB-memory-stick" target="_blank">Mark Clayton</a>, Christian Science Monitor.

Cyberspies have launched the first publicly known global attack aimed at infiltrating hard-to-penetrate computer control systems used to manage factory robots, refineries, and the electric power grid.

The ultrasophisticated attack was discovered last week, but information about it – including the full range of capabilities of the espionage software – continues to emerge. The spyware had spread for at least a month undetected and has already penetrated thousands of industrial computer systems in Iran, Indonesia, India, Ecuador, the United States, Pakistan, and Taiwan, according to a Microsoft analysis.

The attack is part of a sophisticated new wave of industrial cyberespionage that can infiltrate corporate systems undetected and capture the "crown jewels" of corporations – proprietary manufacturing techniques that are worth billions, experts say. It's significant, too, because of its potential to infiltrate and commandeer important infrastructure, such as the power grid.

</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.csmonitor.com/USA/2010/0723/Stuxnet-spyware-targets-industrial-facilities-via-USB-memory-stick" target="_blank">Mark Clayton</a>, Christian Science Monitor.</p>
<p>Cyberspies have launched the first publicly known global attack aimed at infiltrating hard-to-penetrate computer control systems used to manage factory robots, refineries, and the electric power grid.</p>
<p>The ultrasophisticated attack was discovered last week, but information about it – including the full range of capabilities of the espionage software – continues to emerge. The spyware had spread for at least a month undetected and has already penetrated thousands of industrial computer systems in Iran, Indonesia, India, Ecuador, the United States, Pakistan, and Taiwan, according to a Microsoft analysis.</p>
<p>The attack is part of a sophisticated new wave of industrial cyberespionage that can infiltrate corporate systems undetected and capture the &#8220;crown jewels&#8221; of corporations – proprietary manufacturing techniques that are worth billions, experts say. It&#8217;s significant, too, because of its potential to infiltrate and commandeer important infrastructure, such as the power grid.</p>
<p>No one knows who&#8217;s behind it. Cybersecurity analysts aren&#8217;t even sure yet what the spyware&#8217;s creators intend it to do to those industrial systems. The intent could be to sell corporate proprietary secrets – or to seek an advantage over the US in some future asymmetric conflict, such as a cyberwar.</p>
<p>&#8220;We have not seen anything like this before aimed directly at the industrial control system environment,&#8221; says Walt Boyes, a control systems security expert and editor in chief of Control magazine. &#8220;It&#8217;s a clear-cut case of industrial espionage. We don&#8217;t know its ultimate aim yet.&#8221; But, he says, the attack is aimed specifically at the company that sells the lion’s share of industrial automation software to the electric power sector in North America and Western Europe. &#8220;That&#8217;s really scary,&#8221; Mr. Boyes adds.</p>
<p>USB memory stick the tool of choice</p>
<p>The spyware, dubbed the Stuxnet worm by Microsoft, uses the lowly, ubiquitous USB memory stick as its delivery vehicle. But others say it also has the attributes both of a “trojan” program that gains command of a system and of a virus that replicates. When an infected stick is plugged into a computer, the spyware instantly and almost invisibly loads itself onto that computer&#8217;s system. In a never-before-seen twist, it does this without the user taking any action or clicking on any button. The spyware then creates a secret &#8220;back door&#8221; for the attacker to access and control the computer remotely, say computer security experts.</p>
<p>But what makes security experts&#8217; hair stand on end is what the cyber-spy program does next. It searches the victim computer for the database of a supervisory control and data acquisition (SCADA) software program created by Siemens, the electronic control systems giant. That specialized software is used to run chemical plants and factories – as well as electric power plants and transmission systems worldwide.</p>
<p>The only thing known for sure about the attackers&#8217; goals is that the software attempts to harvest data from a history database within the Siemens software – and send it to servers on the Internet. How successful it has been in doing this isn’t known. In a statement on its website, Siemens said Friday that &#8220;we know of two cases worldwide where a WinCC computer has been infected. A production plant has so far not been affected.&#8221; The company is trying to determine if the spyware, besides attempting to send process and production data, &#8220;is able to send or delete system data, or change system files.&#8221;</p>
<p>Attackers&#8217; intentions unclear</p>
<p>But the breadth of the threat could be far larger. The spyware has at least 5,000 functions, and only that one basic function – the database download – is well-understood so far, Frank Boldewin, an independent computer security researcher analyzing Stuxnet, writes in an e-mail interview.</p>
<p>&#8220;It&#8217;s still unclear what exactly are the intentions of the attackers,&#8221; he writes. &#8220;Someone might slightly change a process course, shut down the SCADA control servers, deleting the data base and so forth with a sabotage factor in mind, but I haven&#8217;t found any code-snippets yet which instruct a hacked SCADA system to do so.&#8221;</p>
<p>Electric utilities, like many companies, are known to be under attack around the clock by attackers probing their Internet firewalls. News reports last year suggested that some power-grid defenses may already have been penetrated by elite nation-state cyberattackers who may have planted &#8220;malware&#8221; bombs to deactivate or destroy a power system, or may have installed trap-door access for a future covert attack.</p>
<p>But nearly all of the publicly known cyberdamage to power stations&#8217; computer controls has come from viruses rampaging on the Internet that workers accidentally introduced onto their companies&#8217; systems. That&#8217;s not the case now.</p>
<p>&#8220;When power plants got hit before, it was always collateral damage from other Internet-based attacks,&#8221; says Eric Byres, a controls systems expert with Byres Security in Vancouver. &#8220;Now it&#8217;s clear that software-running generators and transmission systems and chemical plants are no longer just collateral damage – they are in the bull&#8217;s-eye.&#8221;</p>
<p>Symantec, the big antivirus company, was recently reporting 9,000 attempted infiltrations per day, worldwide, using the Stuxnet zero-day flaw in Microsoft operating systems. Microsoft reports about 1,000 new computers infiltrated per day. Any new USB drive or any device with a computer memory chip – including cameras and music players – that is plugged into an infected system becomes a transmitter of the worm.</p>
<p>Home computers vulnerable, too</p>
<p>Any computer hit by the spyware – even home computers that don&#8217;t have Siemens software – will have a &#8220;back door&#8221; installed on it that could potentially be exploited later, Mr. Byres says. Antivirus companies are working on a short-term fix. Microsoft, too, is working on a patch for its operating system – and has recommended some interim steps to help safeguard computers. But virtually every computer with a Microsoft operating system today remains vulnerable to attack, say Byres and other experts.</p>
<p>While a wide array of attack software is widely available on the Internet, the unusually sophisticated techniques used in the Stuxnet attack indicate that a large, well-funded, very sophisticated organization is most likely behind the attack, several experts say.</p>
<p>&#8220;The significance of this attack is that this is a really serious piece of malware that upped the ante for all of us about what the bad guys are doing,&#8221; says Ed Skoudis, cofounder of InGuardians, a software security firm. &#8220;The techniques being used here go way beyond what we&#8217;ve seen even from sophisticated organized crime groups.&#8221;</p>
<p>Three things the spyware does</p>
<p>First, the spyware uses a &#8220;zero-day&#8221; attack – a vulnerability that neither Microsoft nor antivirus companies knew existed. As a result, antivirus and other defenses were unprepared for it.</p>
<p>Second, the spyware managed to fool personal computer security systems by using a real, not a forged, digital certificate (or complex encrypted code) from a computer company named RealTek. That circumvented another Microsoft barrier, giving the spyware automatic permission to install. It&#8217;s possible that the keys used to create the digital certificates were stolen – a serious problem, but not as serious as if the certificates could be created. A variant of Stuxnet (one that uses another company&#8217;s apparently stolen digital certificate) has already been found.</p>
<p>Third, the spyware payload – or its core program – was tailored to hunt for Siemens’ SIMATIC WinCC and PCS 7 programs and to download the history of the systems&#8217; operations. That history could include pressures, temperatures, voltages, and all manner of SCADA settings for factories or power plant operators, Byres says. Such a history could, for instance, allow the attacker to replicate the proprietary settings for production of a costly chemical. For a utility, it’s less obvious what use that would be, although it may provide a larger understanding of the settings of a power plant’s turbines, for instance.</p>
<p>The spyware was detected by VirusBlokAda, an antivirus company based in Belarus, in mid-June. But its SCADA-specific payload was not recognized until last week. The spyware may even have been active many months earlier, judging from a January 2010 digital &#8220;time stamp&#8221; on it, says Chester Wisniewski, senior security analyst in the Vancouver office of Sophos, a global computer security firm.</p>
<p>An &#8216;advanced persistent threat&#8217;?</p>
<p>The attack suggests that someone with deep pockets is behind it, to be sure. But it also is an example of what some cybersecurity experts call &#8220;advanced persistent threat,&#8221; that is, attackers whose goals are not a big financial payoff but rather an ability to lurk for long periods on corporate or government systems in order to steal secrets – or lay the groundwork for cyberwar.</p>
<p>Security experts in the utility industry say only a nation state or very deep-pocketed organization staffed by professional hackers could have pulled off this triple-play malware.</p>
<p>&#8220;One of the best ways to attack the power grid is through a USB stick, to give it to a human being to just walk it past all the cyberdefenses and firewalls that have been set up – and then just put it straight into a vulnerable computer. It&#8217;s really perfect,&#8221; says one utility-industry cybersecurity expert who asked not to be named because of his sensitive position.</p>
<p>Microsoft was working on a software patch to address the attack at time of publication. Siemens on Thursday began offering a software tool to deal with the threat. Yet the problem of patching SCADA systems will be slow, difficult, and costly, experts say. In the past, utilities and others have resisted efforts to bolster cyberdefenses largely because of the costs involved in upgrades.</p>
<p>Siemens, GE, and ABB, as well as other control system vendors and users from several countries, will meet in London in October to discuss strategies for blocking the advanced threat now targeting their systems globally, the Sans Institute, a computer security group, reported.</p>
<p>Yet the fundamental threat remains, experts say.</p>
<p>&#8220;The good news as far as the power grid goes is that there&#8217;s awareness, because the threat has been discovered and advisories have gone out,&#8221; says the utility cyberexpert who asked for anonymity. &#8220;The bad news is that not everyone is as mature in dealing with these problems as they need to be. Right now there&#8217;s a big window of exposure.&#8221;</p>
<p>http://www.csmonitor.com/USA/2010/0723/Stuxnet-spyware-targets-industrial-facilities-via-USB-memory-stick/(page)/3</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/07/stuxnet-spyware-targets-industrial-facilities-via-usb-memory-stick/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>It&#8217;s not just the Russians who are spying on the U.S.</title>
		<link>http://www.infowar-monitor.net/2010/07/its-not-just-the-russians-who-are-spying-on-the-u-s/</link>
		<comments>http://www.infowar-monitor.net/2010/07/its-not-just-the-russians-who-are-spying-on-the-u-s/#comments</comments>
		<pubDate>Fri, 02 Jul 2010 18:40:52 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[US cyber doctrine]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=6164</guid>
		<description><![CDATA[<blockquote>

Source: <a href="http://www.vancouversun.com/technology/just+Russians+spying/3228905/story.html" target="_blank">Richard Parker, McClatchy-Tribune</a>, Vancouver Sun.

The arrest of 11 people on charges of espionage for the Russian government was a case of old-fashioned spy craft straight from the annals of the Cold War: dead drops, moles and communicating in code, known as steganography. Yet Russia is not alone in trying to crack U.S. secrets. China is engaged in a massive espionage effort against the United States that exceeds Russian efforts on a crucial front: Cyber espionage.


The Chinese military — namely the People's Liberation Army — is behind many of the cyber intrusions into U.S. government and corporate computer networks as part of a broad effort to steal technological, military and political secrets. This form of espionage costs the United States hundreds of billions of dollars per year and represents a dangerous threat to U.S. national security.

</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.vancouversun.com/technology/just+Russians+spying/3228905/story.html" target="_blank">Richard Parker, McClatchy-Tribune</a>, Vancouver Sun.</p>
<p>The arrest of 11 people on charges of espionage for the Russian government was a case of old-fashioned spy craft straight from the annals of the Cold War: dead drops, moles and communicating in code, known as steganography. Yet Russia is not alone in trying to crack U.S. secrets. China is engaged in a massive espionage effort against the United States that exceeds Russian efforts on a crucial front: Cyber espionage.</p>
<p>The Chinese military — namely the People&#8217;s Liberation Army — is behind many of the cyber intrusions into U.S. government and corporate computer networks as part of a broad effort to steal technological, military and political secrets. This form of espionage costs the United States hundreds of billions of dollars per year and represents a dangerous threat to U.S. national security.</p>
<p>In early 2010, news reports from Washington indicated that Google, along with other U.S.-based corporations, was being hacked by unnamed parties in China. A progressive political organization, Patriot Majority, asked me and a team of journalists and researchers to investigate the likeliest source of the attacks. After combing through government documents, military and technical literature we concluded the Chinese military was likely behind many cyber intrusions against the United States.</p>
<p>Why? In 1995, the U.S. Navy humiliated the PLA during the Taiwan Strait Crisis by a massive show of force, as not one but two aircraft carrier battle groups sailed unmolested between the mainland and Taiwan, quelling mainland threats of force. That episode underscored the PLA&#8217;s technological inferiority in case of an actual shooting war.</p>
<p>And it set off a rush within China&#8217;s huge but antiquated military to modernize. The military ramped up its spending to improve its technological quality in areas such as space and cyber warfare, as well as its traditional military&#8217;s precision-strike capabilities. The conception of this effort came in the form of a book in 1999 called &#8220;Unrestricted Warfare.&#8221; Written by two Chinese colonels and promoted as required reading for officers, it said, &#8220;The first rule of unrestricted warfare is that there are no rules, with nothing forbidden.&#8221;</p>
<p>As a result, and under orders from President Hu Jintao, the PLA reorganized to engage in cyber warfare in case of war — and to engage in cyber espionage during peace. In 2004, a PLA white paper stated that its primary goal in modernizing was &#8220;building an informationalized force and winning an informationalized war.&#8221; The military shed 200,000 troops while investing between $50 billion and $100 billion per year. The government has even conscripted entire civilian companies, in fact, and rolled them into the PLA as cyber warfare units.</p>
<p>One interesting focus of the PLA&#8217;s modernization efforts — and a potential source of the cyber intrusions against the United States — is a military complex on Hainan Island in the South China Sea. Hainan features a space launch complex, an underground submarine base and it is home to a large signals intelligence unit that seems to have been converted from eavesdropping on satellite transmissions to cyber missions.</p>
<p>Hainan has for years also been the scene of confrontations and collisions between U.S. efforts to gather intelligence and China&#8217;s efforts to safeguard its own secrets. In 2001, for instance, a U.S. Navy EP-3E Aries II spy plane collided with a Chinese fighter and landed there. And in 2009, Chinese trawlers intercepted and harassed the U.S. spy ship Impeccable approximately 75 miles from the island.</p>
<p>In addition, in 2009, Canadian researchers at The SecDev Group and The Munk Center concluded that a series of cyber intrusions against political and government targets around the world included many that emanated from an Internet protocol address on Hainan. &#8220;The attacker(s)&#8217; IP addresses examined here trace back in at least several instances to Hainan Island,&#8221; researchers wrote. Later, Rafal Rohozinski, one of the report&#8217;s authors and chief executive of The SecDev Group, told the U.S.-China Commission in testimony there was &#8220;a high degree of certainty that the attackers were located in Hainan Island, China.&#8221;</p>
<p>A commission member, Larry Wortzel, said that he has not seen confirmation of attacks originating in Hainan but there is no question about the involvement of the Chinese military in cyber espionage against the United States. &#8220;China has one of the most sophisticated and well-manned cyber operations around the world,&#8221; Wortzel said in response to questions. &#8220;And the effort is supported by what seems to be a well-thought through military doctrine consistent with China&#8217;s military structure and capabilities.&#8221;</p>
<p>&#8220;This is a reasonable and sensible conclusion based on decades of knowledge and work on the domestic politics of China and the workings of China&#8217;s government, the People&#8217;s Liberation Army, intelligence and security services and the Communist Party,&#8221; according to Wortzel, who recently wrote in the Federal Times that at least 43,785 reported incidents of cyber intrusions were directed at the U.S. Defense Department alone in just the first half of 2009.</p>
<p>China&#8217;s efforts to steal U.S. secrets, however, are not confined to the realm of computers. Cyber espionage is part of an unprecedented wave of espionage at large against the United States. Chinese intelligence agencies have begun to change tactics, including recruiting Americans, as well as sifting huge amounts of digital information. In the first three quarters of 2009, the U.S. Justice Department prosecuted 9 espionage cases involving spying for China and the Customs Department is investigating 540 cases of potentially illegal technology transfers to China.</p>
<p>Intelligence-gathering and military modernization is the normal business of governments around the world, particularly in peacetime. China&#8217;s military would not be doing its job if it wasn&#8217;t trying to steal secrets and train for conflict; the United States maintains a massive offensive cyber war capability as well and recently established a unified military command.</p>
<p>However, the price of China&#8217;s cyber-spying is high. By one estimate it costs at least $200 billion to the United States alone annually — a cost borne by both taxpayers and shareholders. Yet the national security cost is the highest price tag of all, particularly as the Chinese military focuses on attempting to cripple U.S. forces in case of an armed conflict.</p>
<p>There are plenty of warnings: The U.S.-China Commission provides a roadmap for both Congress and the administration to follow, in tracking the PLA&#8217;s cyber espionage and offensive warfare capabilities and dealing with them. Cyber espionage may not be as spell-binding as the Russian spy ring. But right now China&#8217;s cyber spying is far more damaging to U.S. national security.</p>
<p>http://www.vancouversun.com/technology/just+Russians+spying/3228905/story.html</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/07/its-not-just-the-russians-who-are-spying-on-the-u-s/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Defense firms face cyber spying at arms bazaar</title>
		<link>http://www.infowar-monitor.net/2010/06/defense-firms-face-cyber-spying-at-arms-bazaar/</link>
		<comments>http://www.infowar-monitor.net/2010/06/defense-firms-face-cyber-spying-at-arms-bazaar/#comments</comments>
		<pubDate>Wed, 16 Jun 2010 03:24:34 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyber Arms Control]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Espionage]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=6126</guid>
		<description><![CDATA[<blockquote>

Source: <a href="http://www.reuters.com/article/idUSTRE65E4Q620100615?type=technologyNews" target="_blank">Reuters</a>

(Reuters) - Top arms groups are on high alert to counter cyber spies from stealing their own secrets at a major arms bazaar outside Paris, even as they market new ways to clients on how to repel hackers in the digital battlespace.

France is hosting the world's largest arms fair for land forces near Paris airport Charles de Gaulle, attended by up to 50,000 people who make, buy and use advanced weapons.

The exhibition space bristles with weaponry from 130 countries including tanks, armored vehicles, riot gear and display cases crammed with guns and ammunition.

But the crowded arms bazaar is also a snooper's paradise and another proving ground for the cyber war which is already testing the resources of major-league Defense companies.

</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.reuters.com/article/idUSTRE65E4Q620100615?type=technologyNews" target="_blank">Reuters</a></p>
<p>(Reuters) &#8211; Top arms groups are on high alert to counter cyber spies from stealing their own secrets at a major arms bazaar outside Paris, even as they market new ways to clients on how to repel hackers in the digital battlespace.</p>
<p>France is hosting the world&#8217;s largest arms fair for land forces near Paris airport Charles de Gaulle, attended by up to 50,000 people who make, buy and use advanced weapons.</p>
<p>The exhibition space bristles with weaponry from 130 countries including tanks, armored vehicles, riot gear and display cases crammed with guns and ammunition.</p>
<p>But the crowded arms bazaar is also a snooper&#8217;s paradise and another proving ground for the cyber war which is already testing the resources of major-league Defense companies.</p>
<p>&#8220;It is very easy to go crawling over everybody&#8217;s systems here. Some people come and their approach is to grab everything they can,&#8221; said a senior Western Defense company official.</p>
<p>&#8220;There are two approaches &#8212; they either try to take the whole haystack and look for a needle, or there are those who know exactly what needle they are looking for.&#8221;</p>
<p>Scouting out the competition is as old as trade fairs themselves, but the biennial Eurosatory arms gala brings together sensitive targets from the United States, Europe, Russia and &#8212; for the first time this year &#8212; China.</p>
<p>The United States has long suspected the Chinese and Russians of using cyber attacks to try to steal sensitive information, but both countries have denied this.</p>
<p>Risks at the Eurosatory arms show range from petty theft to covert photography and electronic eavesdropping. Behind the suits and dark glasses there is an atmosphere of mutual distrust.</p>
<p>&#8220;Everyone is told to keep their eyes and ears open, watch that equipment doesn&#8217;t disappear. If people take photographs, we need to know who they are,&#8221; said a French Defense executive.</p>
<p>Exhibitors are careful not to bring classified material into a show. But portable computer networks contain commercially sensitive information and may betray a useful signature that could later provide a side door into more sensitive systems.</p>
<p>ACHILLES&#8217; HEEL</p>
<p>The threat at a trade show can be hidden inside something as apparently innocent as an electronic press kit, handed out on discs or memory sticks and casually swiped by a competitor.</p>
<p>&#8220;At these shows you have to bolt everything down,&#8221; said an executive with a European Defense company.</p>
<p>Like others, the executive declined to be named when speaking about the threat from other exhibitors.</p>
<p>But virtually all major Defense companies were promoting systems to reduce the risk of cyber attacks whether from hackers, criminals or well-organized, state-run cyber armies.</p>
<p>Defense companies are investing heavily in systems to fight a growing onslaught of cyber attacks on corporations, utilities, financial services companies and government computer banks.</p>
<p>The drive has both strategic and hard-headed financial logic &#8212; to counter new threats that have shifted the odds away from traditional force, and to tap into homeland security budgets as Defense spending gets chopped.</p>
<p>&#8220;The digital battlespace brings a new set of non-kinetic challenges. You can do anything there you can do kinetically,&#8221; said Julian Hellebrand, chief of staff at UK&#8217;s Cobham.</p>
<p>In actual operations, cyber bombing seeks to exploit a possible Achilles&#8217; heel in the way modern warfare is waged. Commanders increasingly want to link up smart systems between land and air or individual soldiers and vehicles.</p>
<p>With the increasing use of coalitions and connections, the number of vulnerable entry points multiplies.</p>
<p>&#8220;This makes the world more threatening. The more entrances there are to a system, the more the risks increase,&#8221; said Jean-Marc Bonnet, a cyber expert at France&#8217;s Thales.</p>
<p>The electronics firm on Tuesday unveiled a system, Nexium, to prevent hackers choking military and civil networks.</p>
<p>But it was forced to cancel celebrations for a contract with Safran and Nexter to design a &#8220;net-centric&#8221; war system for the French army called Scorpion after the Defense ministry said it needed more time to review the impact of budget cuts.</p>
<p>(Additional reporting by William Maclean)</p>
<p>http://www.reuters.com/article/idUSTRE65E4Q620100615?type=technologyNews</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/06/defense-firms-face-cyber-spying-at-arms-bazaar/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Battling the Cyber Warmongers</title>
		<link>http://www.infowar-monitor.net/2010/05/6030/</link>
		<comments>http://www.infowar-monitor.net/2010/05/6030/#comments</comments>
		<pubDate>Sat, 08 May 2010 02:32:06 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Espionage]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=6030</guid>
		<description><![CDATA[<blockquote>

Source: <a href="http://online.wsj.com/article/SB10001424052748704370704575228653351323986.html?mod=WSJ_latestheadlines">Evgeny Morozov</a>, The Wall Street Journal.

The past few months have been packed with cyber-jingoism from former and current national security officials. Richard Clarke, a former cybersecurity adviser to two administrations, says in his new book that "cyberwar has already begun." Testifying in Congress in February, Mike McConnell, former head of the National Security Agency, argued that "if we went to war today in a cyberwar, we would lose." Speaking in late April, Director of Central Intelligence Leon Panetta said that "the next Pearl Harbor is likely to be a cyberattacking going after our grid."

</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://online.wsj.com/article/SB10001424052748704370704575228653351323986.html?mod=WSJ_latestheadlines">Evgeny Morozov</a>, The Wall Street Journal.</p>
<p>A recent simulation of a devastating cyberattack on America was crying for a Bruce Willis lead: A series of mysterious attacks—probably sanctioned by China but traced to servers in the Russian city of Irkutsk—crippled much of the national infrastructure, including air traffic, financial markets and even basic email. If this was not bad enough, an unrelated electricity outage took down whatever remained of the already unplugged East Coast.</p>
<p>The simulation—funded by a number of major players in network security, organized by the Bipartisan Policy Center, a Washington-based think tank, and broadcast on CNN on a Saturday night—had an unexpected twist. The American government appeared incompetent, indecisive and confused (past government officials, including former Secretary of Homeland Security Michael Chertoff and former Deputy Secretary of State John Negroponte, were recruited to play this glamorous role on TV). &#8220;The U.S. is unprepared for cyberwar,&#8221; the simulation&#8217;s organizers grimly concluded.</p>
<p>The past few months have been packed with cyber-jingoism from former and current national security officials. Richard Clarke, a former cybersecurity adviser to two administrations, says in his new book that &#8220;cyberwar has already begun.&#8221; Testifying in Congress in February, Mike McConnell, former head of the National Security Agency, argued that &#8220;if we went to war today in a cyberwar, we would lose.&#8221; Speaking in late April, Director of Central Intelligence Leon Panetta said that &#8220;the next Pearl Harbor is likely to be a cyberattacking going after our grid.&#8221;</p>
<p>The murky nature of recent attacks on Google—in which someone tricked a Google employee into opening a malicious link that eventually allowed intruders to access parts of Google&#8217;s password-managing software, potentially compromising the security of several Chinese human rights activists—has only added to public fears. If the world&#8217;s most innovative technology company cannot protect its computers from such digital aggression, what can we expect from the bureaucratic chimera that is the Department of Homeland Security? </p>
<p>Google should be applauded for going on the record about the cyber-attacks; most companies prefer to keep quiet about such incidents. But do hundreds—or even thousands—of such incidents that target both the private and the public sector add up to the imminent threat of a &#8220;cyberwar&#8221; that is worthy of such hype? The evidence so far looks too shaky.</p>
<p>Ironically, the more we spend on securing the Internet, the less secure we appear to feel. A 2009 report by Input, a marketing intelligence firm, projected that government spending on cybersecurity would grow at a compound rate of 8.1% in the next five years. A March report from consulting firm Market Research Media estimates that the government&#8217;s total spending on cybersecurity between now and 2015 is set to hit $55 billion, with strong growth predicted in areas such as Internet-traffic surveillance and monitoring.</p>
<p>Given the previous history of excessively tight connections between our government and many of its contractors, it&#8217;s quite possible that the over-dramatized rhetoric of those cheerleading the cyberwar has helped to add at least a few billion dollars to this price tag. Mr. McConnell&#8217;s current employer, Booz Allen Hamilton, has just landed $34 million in cyber security contracts with the Air Force. In addition to writing books on the subject, Richard Clarke is a partner in a security firm, Good Harbor Consulting. </p>
<p>&#8220;The point we have made about cyberwar is that the U.S. has created a large and expensive cyberwar command, as have other nations. Thus, the government thinks cyberwar is possible no matter what the naysayers think,&#8221; says Mr. Clarke in an email. Mr. Clarke says 90% of his firm&#8217;s revenue in 2009 and 2010 to date comes from consulting unrelated to cybersecurity, and none of the proposals from his book would financially benefit Good Harbor. In a statement, Booz Allen Hamilton says of Mr. McConnell: &#8220;As director of national intelligence he delivered the same messages of concern about the vulnerability of our cyber-infrastructure to President George W. Bush and presidential candidate Barack Obama…As a longstanding intelligence professional, McConnell has an awareness across the full spectrum of classification, and sees it as his duty in public service to foster the right kind of discussion so the nation&#8217;s leadership can debate and mitigate the risks.&#8221;</p>
<p>Both Messrs. McConnell and Clarke—as well as countless others who have made a successful transition from trying to fix the government&#8217;s cyber security problems from within to offering their services to do the same from without—are highly respected professionals and their opinions should not be taken lightly, if only because they have seen more classified reports. Their stature, however, does not relieve them of the responsibility to provide some hard evidence to support their claims. We do not want to sleepwalk into a cyber-Katrina, but neither do we want to hold our policy-making hostage to the rhetorical ploys of better-informed government contractors.</p>
<p>Stephen Walt, a professor of international politics at Harvard, believes that the nascent debate about cyberwar presents &#8220;a classical opportunity for threat inflation.&#8221; Mr. Walt points to the resemblance between our current deliberations about online security and the debate about nuclear arms during the Cold War. Back then, those working in weapons labs and the military tended to hold more alarmist views than many academic experts, arguably because the livelihoods of university professors did not depend on having to hype up the need for arms racing.</p>
<p>Markus Ranum, a veteran of the network security industry and a noted critic of the cyber war hype, points to another similarity with the Cold War. Today&#8217;s hype, he says, leads us to believe that &#8220;we need to develop an offensive capability in order to defend against an attack that isn&#8217;t coming—it&#8217;s the old &#8216;bomber gap&#8217; all over again: a flimsy excuse to militarize.&#8221;</p>
<p>How dire is the threat? Ask two experts and you will get different opinions. Just last month, Lt. Gen. Keith Alexander, director of the NSA, told the Senate&#8217;s Armed Services Committee that U.S. military networks were seeing &#8220;hundreds of thousands of probes a day.&#8221; However, speaking at a March conference in San Francisco, Howard Schmidt, Obama&#8217;s recently appointed cybersecurity czar, said that &#8220;there is no cyberwar,&#8221; adding that it is &#8220;a terrible metaphor&#8221; and a &#8220;terrible concept.&#8221;</p>
<p>The truth is, not surprisingly, somewhere in between. There is no doubt that the Internet brims with spamming, scamming and identity fraud. Having someone wipe out your hard drive or bank account has never been easier, and the tools for committing electronic mischief on your enemies are cheap and widely accessible.</p>
<p>This is the inevitable cost of democratizing access to multi-purpose technologies. Just as any blogger can now act like an Ed Murrow, so can any armchair-bound cyberwarrior act like the über-hacker Kevin Mitnick, who was once America&#8217;s most-wanted computer criminal and now runs a security consulting firm. But just as it is wrong to conclude that the amateurization of media will bring on a renaissance of high-quality journalism, so it is wrong to conclude that the amateurization of cyberattacks will usher in a brave new world of destructive cyberwarfare.</p>
<p>In his Senate testimony—part of his confirmation process to head the Pentagon&#8217;s new Cyber Command—Gen. Alexander of the NSA explained those &#8220;hundreds of thousands of probes&#8221; could allow attackers to &#8220;scan the network to see what kind of operating system you have to facilitate…an attack.&#8221; This may have scared our mostly technophobic senators but it&#8217;s so vague that even some of the most basic attacks available via the Internet—including those organized by &#8220;script kiddies,&#8221; or amateurs who use scripts and programs developed by professional hackers—fall under this category. Facing so many probes is often the reality of being connected to the Internet. The number of attacks is not a very meaningful indicator of the problem, especially in an era when virtually anyone can launch them.</p>
<p>From a strictly military perspective, &#8220;cyberwar&#8221;—with a small &#8220;c&#8221;—may very well exist, playing second fiddle to ongoing military conflict, the one with tanks, shellfire and all. The Internet—much like the possibility of air combat a century ago—has opened new possibilities for military operations: block the dictator&#8217;s bank account or shut down his propaganda-infested broadcast media. Such options were already on the table—even though they appear to have been used sparingly—during a number of recent wars. Back in 1999, Gen. Wesley Clark, then the outgoing supreme allied commander in Europe, instilled American policy makers with high hopes when he said in Senate testimony that NATO could have &#8220;methods to isolate Milosevic and his political parties electronically,&#8221; thus preventing &#8220;the use of the military instrument.&#8221;</p>
<p>Why have such tactics—known in military parlance as &#8220;computer network attacks&#8221;—not been used more widely? As revolutionary as it is, the Internet does not make centuries-old laws of war obsolete or irrelevant. Military conventions, for example, require that attacks distinguish between civilian and military targets. In decentralized and interconnected cyberspace, this requirement is not so easy to satisfy: A cyberattack on a cellphone tower used by the adversary may affect civilian targets along with military ones. When in 2008 the U.S. military decided to dismantle a Saudi Internet forum—initially set up by the CIA to glean intelligence but increasingly used by the jihadists to plan attacks in Iraq—it inadvertently caused disruption to more than 300 servers in Saudi Arabia, Germany and Texas. A weapon of surgical precision the Internet certainly isn&#8217;t, and damage to civilians is hard to avoid. Military commanders do not want to be tried for war crimes, even if those crimes are committed online.</p>
<p>As Gen. Clark pointed out in 1999, cyberwarfare may one day give us a more humane way to fight wars (why, for example, bomb a train depot if you can just temporarily disable its computer networks?), so we shouldn&#8217;t reject it out of hand. The main reason why this concept conjures strong negative connotations is because it is often lumped with all the other evil activities that take place online—cybercrime, cyberterrorism, cyber-espionage. Such lumping, however, obscures important differences. Cybercriminals are usually driven by profit, while cyberterrorists are driven by ideology. Cyber-spies want the networks to stay functional so that they can gather intelligence, while cyberwarriors—the pure type, those working on military operations—want to destroy them.</p>
<p>All of these distinct threats require quite distinct policy responses that can balance the risks with the levels of devastation. We probably want very strong protection against cyberterror, moderate protection against cybercrime, and little to no protection against juvenile cyber-hooliganism.</p>
<p>Perfect security—in cyberspace or in the real world—has huge political and social costs, and most democratic societies would find it undesirable. There may be no petty crime in North Korea, but achieving such &#8220;security&#8221; requires accepting all other demands of living in an Orwellian police state. Just like we don&#8217;t put up armed guards to protect every city wall from graffiti, we should not overreact in cyberspace. </p>
<p>Recasting basic government problems in terms of a global cyber struggle won&#8217;t make us any more secure. The real question is, &#8220;Why are government computers so vulnerable to very basic and unsophisticated threats?&#8221; This is not a question of national security; it is a question of basic government incompetence. Cyberwar is the new &#8220;dog ate my homework&#8221;: It&#8217;s far easier to blame everything on mysterious Chinese hackers than to embark on uncomfortable institutional soul-searching.</p>
<p>Thus, when a series of fairly unsophisticated attacks crashed the websites of 27 government agencies—including those of the Treasury Department, Secret Service and Transportation Department—during last year&#8217;s July Fourth weekend, it was panic time. North Korea was immediately singled out as their likely source (websites of the South Korean government were also affected). But whoever was behind the attacks, it was not their sophistication or strength that crashed the government&#8217;s websites. Network security firm Arbor Networks described the attacks as &#8220;pretty modest-sized.&#8221; What crashed the websites was the incompetence of the people who ran them. If &#8220;pretty modest-sized&#8221; attacks can cripple them, someone is not doing their job. </p>
<p>What we do not want to do is turn &#8220;weapons of mass disruption&#8221;—as Barack Obama dubbed cyberattacks in 2009—into weapons of mass distraction, diverting national attention from more burning problems while promoting extremely costly solutions.</p>
<p>For example, a re-engineering of the Internet to make it easier to trace the location of cyberattackers, as some have called for, would surely be expensive, impractical and extremely harmful to privacy. If today&#8217;s attacks are mostly anonymous, tomorrow they would be performed using hijacked and fully authenticated computers of old ladies.</p>
<p>What is worse, any major re-engineering of the Internet could derail other ambitious initiatives of the U.S. government, especially its efforts to promote Internet freedom. Urging China and Iran to keep their hands off the Internet would work only if Washington sticks to its own advice; otherwise, we are trading in hype.</p>
<p>In reality, we don&#8217;t need to develop a new set of fancy all-powerful weaponry to secure cyberspace. In most cases the threats are the same as they were 20 years ago; we still need to patch security flaws, update anti-virus databases and ban suspicious users from our sites. It&#8217;s human nature, not the Internet, that we need to conquer and re-engineer to feel more secure. But it&#8217;s through rational deliberation, not fear-mongering, that we can devise policies that will accomplish this.</p>
<p>—Evgeny Morozov is a fellow at Georgetown University and a contributing editor to Foreign Policy. His book about the Internet and democracy will be published this fall.</p>
<p>http://online.wsj.com/article/SB10001424052748704370704575228653351323986.html?mod=WSJ_latestheadlines</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/05/6030/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Made in China: Cyber-spying system, with focus on India</title>
		<link>http://www.infowar-monitor.net/2010/05/made-in-china-cyber-spying-system-with-focus-on-india/</link>
		<comments>http://www.infowar-monitor.net/2010/05/made-in-china-cyber-spying-system-with-focus-on-india/#comments</comments>
		<pubDate>Wed, 05 May 2010 16:55:23 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[India]]></category>
		<category><![CDATA[shadows in the cloud]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=6039</guid>
		<description><![CDATA[<blockquote>

Source: <a href="http://timesofindia.indiatimes.com/India/Made-in-China-Cyber-spying-system-with-focus-on-India/articleshow/5891039.cms">Rajeev Deshpande</a>, The Times of India.

NEW DELHI: Reports of a China-based cyber spy network targeting the Indian military and the consequent alert sounded by Army authorities may be only the tip of the iceberg -- investigations have revealed a fully dedicated India-specific espionage system aimed at business, diplomatic, strategic and academic interests. 

The detailed research and investigations carried out by Canada-based authors of the report 'Shadows in the Cloud' and experts from India's NTRO have pointed to a command and control system that used free web-hosting services and social networking sites like Twitter, Baidu blogs and Google. These accounts were manipulated by a "core" of servers based in Chengdu in China. 

The report, released in early April, received fairly wide publicity but its fuller implications are only now beginning to sink in. The largely India-centric cyber warfare system is described as "son of ghost net", an allusion to a Chinese effort to infiltrate the Tibetan exile community. The current investigations also began in Dharamshala but revealed a larger intent linked to an underground hacking community in Chengdu. 

</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://timesofindia.indiatimes.com/India/Made-in-China-Cyber-spying-system-with-focus-on-India/articleshow/5891039.cms">Rajeev Deshpande</a>, The Times of India.</p>
<p>NEW DELHI: Reports of a China-based cyber spy network targeting the Indian military and the consequent alert sounded by Army authorities may be only the tip of the iceberg &#8212; investigations have revealed a fully dedicated India-specific espionage system aimed at business, diplomatic, strategic and academic interests. </p>
<p>The detailed research and investigations carried out by Canada-based authors of the report &#8216;Shadows in the Cloud&#8217; and experts from India&#8217;s NTRO have pointed to a command and control system that used free web-hosting services and social networking sites like Twitter, Baidu blogs and Google. These accounts were manipulated by a &#8220;core&#8221; of servers based in Chengdu in China. </p>
<p>The report, released in early April, received fairly wide publicity but its fuller implications are only now beginning to sink in. The largely India-centric cyber warfare system is described as &#8220;son of ghost net&#8221;, an allusion to a Chinese effort to infiltrate the Tibetan exile community. The current investigations also began in Dharamshala but revealed a larger intent linked to an underground hacking community in Chengdu. </p>
<p>An email address used in ghostnet turned up in the Shadows probe as well. Identified as losttemp33@hotmail, it was associated with Xfocus and Isbase, two popular Chinese hacking forums, and its user was possibly a student of master hackers Glacier and Sunwear. The individual is believed to have studied at University of Electronic Science and Technology at Chengdu in Sichuan. </p>
<p>The Canadian team used a domain name system (DNS) sinkhole to turn IP addresses into domain names by grabbing suspect servers abandoned after ghostnet investigations. The list of compromised Indian computers is disturbing: machines at Indian missions at Kabul, Moscow, Dubai, Abuja, US, Serbia, Belgium, Germany, Cyprus, UK and Zimbabwe were infected. </p>
<p>A machine at the National Security Council Secretariat was tapped as were computers at military engineering services at Kolkata, Bangalore and Jalandhar. Computers linked to the 21 Mountain Artillery Brigade, the Air Force Station at Race Course Road opposite the PM&#8217;s residence, the Army Institute of Technology at Pune and Military College of Electronics and Mechanical Engineering at Secunderabad were also compromised. </p>
<p>Thinktanks such as the Institute for Defence Studies and Analyses and publications like India Strategic and FORCE were also targeted as were corporations like DLF Limited, Tata and YKK India. Computers at the National Maritime Foundation and Gujarat Chemical Port Terminal Company were also hit. </p>
<p>On-ground investigations at Dharamshala, where the Tibetan exile community is headquartered, showed that computers were beaconing with server &#8216;jdusnemsaz&#8217; in Chongqing in China. Interestingly, while Chengdu has a military research bureau, Chongqing is host to several triads &#8212; criminal networks with connections to the Chinese government and Communist Party. </p>
<p>In a lucky break, the Canadian team was able to recover data being removed by attackers and discovered a list of compromised computers. Registering and monitoring four of the domain names revealed by the earlier ghostnet probe, they reached those used in the shadows network like www.assam2008.net, aaa.msnxy.net, sysroots.net, www.lookbyturns.com and www.macfeeresponse.org. </p>
<p>The investigations showed that the infected email or social networking accounts were infiltrated with malware which then allowed the compromised computer to receive more sophisticated software through attachments. All through, there was a core of master servers based in China that kept a close check on infiltration of computers and transfer of all sorts of documents from personal details to missile analysis to safe drop zones. </p>
<p>http://timesofindia.indiatimes.com/India/Made-in-China-Cyber-spying-system-with-focus-on-India/articleshow/5891039.cms</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/05/made-in-china-cyber-spying-system-with-focus-on-india/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyberattacks: Washington is hyping the threat to justify regulating the Internet</title>
		<link>http://www.infowar-monitor.net/2010/04/cyberattacks-washington-is-hyping-the-threat-to-justify-regulating-the-internet/</link>
		<comments>http://www.infowar-monitor.net/2010/04/cyberattacks-washington-is-hyping-the-threat-to-justify-regulating-the-internet/#comments</comments>
		<pubDate>Thu, 29 Apr 2010 19:12:55 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Espionage]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=6004</guid>
		<description><![CDATA[<blockquote>

Source: <a href="http://www.csmonitor.com/Commentary/Opinion/2010/0429/Cyberattacks-Washington-is-hyping-the-threat-to-justify-regulating-the-Internet/(page)/2">Jerry Brito and Tate Watkins</a>, Christian Science Monitor.

We marched into Baghdad on flimsy evidence and we might be about to make the same mistake in cyberspace. 

Over the past few weeks, there has been a steady drumbeat of alarmist rhetoric about potential threats online. At a Senate Armed Services Committee hearing this month, chairman Carl Levin said that “cyberweapons and cyberattacks potentially can be devastating, approaching weapons of mass destruction in their effects.”

The increased consternation began with the suspected Chinese breach of Google’s servers earlier this year. Since then, press accounts, congressional pronouncements, and security industry talk have increasingly sown panic about an amorphous cyberthreat. 

</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.csmonitor.com/Commentary/Opinion/2010/0429/Cyberattacks-Washington-is-hyping-the-threat-to-justify-regulating-the-Internet/(page)/2">Jerry Brito and Tate Watkins</a>, Christian Science Monitor.</p>
<p>We marched into Baghdad on flimsy evidence and we might be about to make the same mistake in cyberspace. </p>
<p>Over the past few weeks, there has been a steady drumbeat of alarmist rhetoric about potential threats online. At a Senate Armed Services Committee hearing this month, chairman Carl Levin said that “cyberweapons and cyberattacks potentially can be devastating, approaching weapons of mass destruction in their effects.”</p>
<p>The increased consternation began with the suspected Chinese breach of Google’s servers earlier this year. Since then, press accounts, congressional pronouncements, and security industry talk have increasingly sown panic about an amorphous cyberthreat. </p>
<p>Bush administration cybersecurity chief Michael McConnell recently warned that the United States “is fighting a cyber-war today, and we are losing.” </p>
<p>According to McConnell, now a vice president at Booz Allen Hamilton, “our power grids, air and ground transportation, telecommunications, and water-filtration systems are in jeopardy.” More recently, Sens. Jay Rockefeller (D) and Olympia Snowe (R) wrote about “sophisticated cyber adversaries” with the potential “to disrupt or disable vital information networks, which could cause catastrophic economic loss and social havoc.”</p>
<p>Yet none of the prognosticators of disaster presents any evidence to sustain their claims. They mention the Google breach, but that was an act of espionage that, while serious, did not lead to catastrophe. </p>
<p>There have been and continue to be many “cyberattacks” on government and private networks, from the Korea attacks to the denial-of-service attacks during the Georgia-Russia war. To be sure, these attacks are a serious concern and we should continue to study them. </p>
<p>But so far, these types of events tend to be more of a nuisance than a catastrophe. The biggest result is that websites are down for a few hours or days. </p>
<p>This shows that security should be a serious concern for any network operator. It does not show, however, that these attacks can lead – much less have ever led – to the types of doomsday scenarios that politicians imagine. There is no evidence that these attacks have ever cost any lives or that any type of critical infrastructure has ever been compromised: No blackouts, no dams bursting, no panic in the streets. </p>
<p>The cyberalarmist rhetoric conflates the various threats we might face into one big ball of fear, uncertainty, and doubt. This week for example, the director of the Central Intelligence Agency announced that a cyberattack could be the next Pearl Harbor.</p>
<p>Cyberwar, cyberespionage, cyberterrorism, cybercrime – these are all disparate threats. Some are more real than others, and they each have different causes, motivations, manifestations, and implications. As a result, there will probably be different appropriate responses for each. </p>
<p>Unfortunately, the popular discussion largely clumps them into the vague and essentially meaningless “cyberthreat” category. </p>
<p>Before we can effectively address any of these amorphous “cyberthreats,” we must first identify what, specifically, these threats are and to what extent the federal government plays a role in defending against them. </p>
<p>The war metaphor may be useful rhetoric, but it is a poor analogy to the dispersed and different threats that both public and private information technology systems face. </p>
<p>The fact is, as long as we have had networks, they have been under attack. But over the past 20 years network operators have developed effective detection, prevention, and mitigation strategies.</p>
<p>This is why we should be wary of calls for more government supervision of the Internet. Last week, as part of its National Broadband Plan, the Federal Communications Commission began an inquiry into whether to establish a “voluntary cybersecurity certification program.” Through the program the FCC would certify communication service providers based on a set of cybersecurity standards developed directly by the FCC, or indirectly through a third party. </p>
<p>More ominously, Senators Rockefeller and Snowe have introduced the Cybersecurity Act of 2010 that aims to change how the Internet works in the name of security. It would also create a national system of licensing for security professionals, and would dole out millions of dollars in cyberpork to “regional cybersecurity centers” and other programs.</p>
<p>At the heart of calls for federal involvement in cybersecurity is the proposition that we reengineer the Internet to facilitate better tracking of users in order to pinpoint the origin of attacks. The Rockefeller-Snowe bill looks to develop such a “secure domain name addressing system.”</p>
<p>That’s a slippery slope. </p>
<p>And there’s the fact that we have seen a wasteful military-industrial complex develop before, and in this rush to “protect” we might be seeing a new one blossoming now. The greater the threat is perceived to be – and the less clearly it is defined – the better it is for defense contractors like Booz Allen Hamilton, which last week landed $34 million in Defense Department cybersecurity contracts. </p>
<p>That money could certainly be put to better use right now. </p>
<p>Anyone concerned about net neutrality or civil liberties – in particular online privacy and anonymity – should take notice. Before the country is swept by fear and we react too quickly to the “gathering threat” of cyberattacks, we should pause to calmly consider the risks involved and the alternatives available to us.</p>
<p>Rather than pass a sweeping “cyberdefense” bill right away, Congress should take the time to untangle the different threats that confront us and make sure they are addressing each appropriately. If not, we will be saddled with an overreaching one-size-fits-all result. </p>
<p>Giving the military and federal agencies the tools to protect their online assets might be an appropriate first response. But reengineering the Internet and imposing standards and licensing on the most innovative sector of our economy should give us pause. There is no reason to rush to action. </p>
<p>Jerry Brito and Tate Watkins are technology policy researchers at the Mercatus Center at George Mason University.</p>
<p>http://www.csmonitor.com/Commentary/Opinion/2010/0429/Cyberattacks-Washington-is-hyping-the-threat-to-justify-regulating-the-Internet/(page)/2</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/04/cyberattacks-washington-is-hyping-the-threat-to-justify-regulating-the-internet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyberwar</title>
		<link>http://www.infowar-monitor.net/2010/04/6009/</link>
		<comments>http://www.infowar-monitor.net/2010/04/6009/#comments</comments>
		<pubDate>Fri, 23 Apr 2010 19:16:38 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[critical infrastructure]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Espionage]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=6009</guid>
		<description><![CDATA[<blockquote>

Video Source: <a href="http://english.aljazeera.net/programmes/faultlines/2010/04/2010421152728872905.html">Al Jazeera</a>.

Cyberwar. A conflict without footsoldiers, guns, or missiles.

Instead the attacks are launched by computer hackers. Digital spy rings. Information thieves. Cyberarmies of kids, criminals, terrorists - some backed by nation states.

In the US there is a growing fear that they pose a massive threat to national security, and a conviction that the world's military superpower must prepare for the fight ahead. 

</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Video Source: <a href="http://english.aljazeera.net/programmes/faultlines/2010/04/2010421152728872905.html">Al Jazeera</a>.</p>
<p>Cyberwar. A conflict without footsoldiers, guns, or missiles.</p>
<p>Instead the attacks are launched by computer hackers. Digital spy rings. Information thieves. Cyberarmies of kids, criminals, terrorists &#8211; some backed by nation states.</p>
<p>In the US there is a growing fear that they pose a massive threat to national security, and a conviction that the world&#8217;s military superpower must prepare for the fight ahead. </p>
<p>At stake: Crucial national infrastructure, high value commercial secrets, tens of billions of dollars in defence contracts, as well as values like privacy and freedom of expression.</p>
<p>In this episode of Fault Lines, Josh Rushing enters the domain of &#8220;cyber&#8221; and speaks to a former US national security official turned cybersecurity consultant, a Silicon Valley CEO, a hacker, and those who warn of a growing arms race in cyberspace.</p>
<p>He asks: Is the US contributing to the militarisation of cyberspace? Are the reports of cyber threats being distorted by a burgeoning security industry? And are the battles being waged in cyberspace interfering with the Internet as we know it?</p>
<p>http://english.aljazeera.net/programmes/faultlines/2010/04/2010421152728872905.html</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/04/6009/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyberwar Nominee Sees Gaps in Law</title>
		<link>http://www.infowar-monitor.net/2010/04/advertise-on-nytimes-com-cyberwar-nominee-sees-gaps-in-law/</link>
		<comments>http://www.infowar-monitor.net/2010/04/advertise-on-nytimes-com-cyberwar-nominee-sees-gaps-in-law/#comments</comments>
		<pubDate>Mon, 19 Apr 2010 16:23:56 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[NSA]]></category>
		<category><![CDATA[US Intelligence]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5975</guid>
		<description><![CDATA[<blockquote>

Source: <a href="http://www.nytimes.com/2010/04/15/world/15military.html?src=me">Thom Shanker</a>, The New York Times. 

WASHINGTON — The Army intelligence officer nominated to lead the Pentagon’s new command devoted to warfare in cyberspace has warned Congress that policy directives and legal controls over digital combat are outdated and have failed to keep pace with the military’s technical capabilities.

The officer, Lt. Gen. Keith B. Alexander, wrote to members of the Senate Armed Services Committee that computer network warfare was evolving so rapidly that there was a “mismatch between our technical capabilities to conduct operations and the governing laws and policies.”

As he prepared for a confirmation hearing on Thursday as the first head of the Cyber Command, he pledged that the White House and Pentagon were “working hard to resolve the mismatch.”

In a 32-page response to questions from senators, General Alexander sketched out the broad battlefield envisioned for the computer warfare command and acknowledged the kind of targets that his new headquarters could be ordered to attack.

The target list included traditional battlefield prizes — command-and-control systems at military headquarters, air defense networks and weapons systems that require computers to operate.

</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.nytimes.com/2010/04/15/world/15military.html?src=me">Thom Shanker</a>, The New York Times. </p>
<p>WASHINGTON — The Army intelligence officer nominated to lead the Pentagon’s new command devoted to warfare in cyberspace has warned Congress that policy directives and legal controls over digital combat are outdated and have failed to keep pace with the military’s technical capabilities.</p>
<p>The officer, Lt. Gen. Keith B. Alexander, wrote to members of the Senate Armed Services Committee that computer network warfare was evolving so rapidly that there was a “mismatch between our technical capabilities to conduct operations and the governing laws and policies.”</p>
<p>As he prepared for a confirmation hearing on Thursday as the first head of the Cyber Command, he pledged that the White House and Pentagon were “working hard to resolve the mismatch.”</p>
<p>In a 32-page response to questions from senators, General Alexander sketched out the broad battlefield envisioned for the computer warfare command and acknowledged the kind of targets that his new headquarters could be ordered to attack.</p>
<p>The target list included traditional battlefield prizes — command-and-control systems at military headquarters, air defense networks and weapons systems that require computers to operate.</p>
<p>But he agreed with a question submitted by the Senate that asked whether the target list would include civilian institutions and municipal infrastructure that are essential to state sovereignty and stability, including power grids, banks and financial networks, transportation and telecommunications.</p>
<p>General Alexander promised that the Cyber Command would be sensitive to the ripple effects from this kind of warfare, and would honor the laws of war that govern traditional combat in seeking to limit the impact on civilians.</p>
<p>“It is difficult for me to conceive of an instance where it would be appropriate to attack a bank or a financial institution, unless perhaps it was being used solely to support enemy military operations,” he wrote. General Alexander did not note it in his response, but the Bush administration considered exactly that kind of network attack on Iraq’s banking system before the invasion of 2003, but rejected the idea, fearing an unintended impact on global financial markets.</p>
<p>The confirmation hearing will be the public’s first opportunity to hear General Alexander describe the computer warfare command’s proposed objectives and responsibilities — and what safeguards he will pledge to protect privacy in the United States and to respect the interests of allies and neutral nations.</p>
<p>He is the first chief of the Pentagon’s newest global combatant headquarters, and the first whose sole mission is cyberspace.</p>
<p>If confirmed, General Alexander would receive a fourth star and be the first career military intelligence officer to lead a global combatant command. He would, in military jargon, be dual-hatted, a term to describe his role in charge of the Cyber Command while continuing to lead the National Security Agency, which specializes in electronic intelligence, including phone and computer espionage.</p>
<p>The N.S.A.’s role in intercepting international calls to and from the United States since the Sept. 11 attacks, first approved by secret orders from President George W. Bush and largely continued by President Obama with the blessing of Congress, generated intense contention — and scrutiny by Congress and the courts. Because the agency spies on the computer systems of foreign governments and terrorist groups, General Alexander would, in effect, be put in charge of both finding and, if need be, neutralizing cyberattacks in the making, as well as defending military computer networks.</p>
<p>“If confirmed, I will operate within applicable laws, policies and authorities,” General Alexander wrote to the senators. “I will also identify any gaps in doctrine, policy and law that may prevent national objectives from being fully realized or executed.”</p>
<p>The military is moving into uncharted territory as it seeks to defend national interests and carry out offensive operations inside computer networks, he wrote, with nations of the world not even agreeing on what constitutes a computer attack or the appropriate response.</p>
<p>He wrote that there was no theory of deterrence to guide planning for cyberwarfare similar to strategies that guided nuclear planning in the cold war, and that it remained difficult to assess exactly who carried out an attack over computer networks.</p>
<p>The new Cyber Command was announced last year, and the unusually long delay in scheduling a confirmation hearing for its proposed leader is evidence of the intense behind-the-scenes debate over the command’s role, missions, authorities and safeguards.</p>
<p>Another challenge highlighted by General Alexander is the role that the military’s Cyber Command would play on American soil, since it has far greater capabilities than the Department of Homeland Security. By tradition and law, the military only operates within the United States if ordered by the president. But a computer network attack on targets in the United States could happen instantaneously and with little warning.</p>
<p>General Alexander reiterated that a presidential order would be required for the Defense Department and the Cyber Command to take the leading role in responding to a computer network attack on American soil.</p>
<p>The world of computer network warfare remains highly secret, and many of General Alexander’s answers to the senators were excised from the 32 pages of responses, and placed in a separate classified addendum.</p>
<p>A version of this article appeared in print on April 15, 2010, on page A10 of the New York edition.</p>
<p>http://www.nytimes.com/2010/04/15/world/15military.html?src=me</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/04/advertise-on-nytimes-com-cyberwar-nominee-sees-gaps-in-law/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Chinese hackers reach India’s Russian embassy</title>
		<link>http://www.infowar-monitor.net/2010/04/chinese-hackers-reach-india%e2%80%99s-russian-embassy/</link>
		<comments>http://www.infowar-monitor.net/2010/04/chinese-hackers-reach-india%e2%80%99s-russian-embassy/#comments</comments>
		<pubDate>Mon, 19 Apr 2010 16:15:23 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[India]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5973</guid>
		<description><![CDATA[<blockquote>

Source: <a href="http://economictimes.indiatimes.com/news/politics/nation/Chinese-hackers-reach-Indias-Russian-embassy/articleshow/5830043.cms">The Economic Times</a>. 

NEW DELHI: The assault by Chinese hackers on Indian sites continues unabated. Reports from Moscow said the website of the Indian embassy in Moscow was attacked twice by Chinese hackers, prompting the mission to boost its cyber security.

The two cyber attacks were traced to Chinese servers. The embassy’s Local Area Network (LAN) also has no direct internet access and the firewall has been fortified, they said, adding the only hacking victim was the official website, maintained by the information wing. The website allows for online filling of visa and passport applications.

“The indianembassy.ru website in the public domain was affected to some extent that e-mail IDs of the senior officials were cloned in the .com or gmail domains to spread the malware,” agency reports quoting embassy officials said. “For example for the legitimate ‘infowing@indianembassy.ru’, IDs like ‘infowing@indianembassy.com’ and ‘infowing@gmail.com’ were used to spread spam with malware,” officials said.

</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://economictimes.indiatimes.com/news/politics/nation/Chinese-hackers-reach-Indias-Russian-embassy/articleshow/5830043.cms">The Economic Times</a>. </p>
<p>NEW DELHI: The assault by Chinese hackers on Indian sites continues unabated. Reports from Moscow said the website of the Indian embassy in Moscow was attacked twice by Chinese hackers, prompting the mission to boost its cyber security.</p>
<p>The two cyber attacks were traced to Chinese servers. The embassy’s Local Area Network (LAN) also has no direct internet access and the firewall has been fortified, they said, adding the only hacking victim was the official website, maintained by the information wing. The website allows for online filling of visa and passport applications.</p>
<p>“The indianembassy.ru website in the public domain was affected to some extent that e-mail IDs of the senior officials were cloned in the .com or gmail domains to spread the malware,” agency reports quoting embassy officials said. “For example for the legitimate ‘infowing@indianembassy.ru’, IDs like ‘infowing@indianembassy.com’ and ‘infowing@gmail.com’ were used to spread spam with malware,” officials said.</p>
<p>In a recent incident, the ‘Daily Media Digest’ issued by the Information Wing in the evening was received by its recipients, including Moscow-based Indian journalists, early morning and instead of a Word document, it had a RAR archive arrangement. The prompt warning circulated by the embassy not to open the attachment saved many computers from the fresh lot of malware.</p>
<p>The incident assumes significance in the wake of a report about alleged Chinese cyber espionage which has infected scores of Indian government and defence related sites. US and Canada based Information Warfare Monitor and Shadowserver Foundation in their report ‘Shadows in the Cloud’ had traced China’s Chengdu-based servers of exfiltrating sensitive information from the Indian computers, including Indian diplomatic missions in Moscow, London and Washington.</p>
<p>Commenting on the report, Russian media had raised concerns about sensitive and secret information about Moscow and New Delhi’s defence cooperation falling into the Chinese hands. Kommersant daily had said even in the cyber age the Russian missions use the well-tried method of using old typewriters and a sheet of paper to guard their secret information.</p>
<p>http://economictimes.indiatimes.com/news/politics/nation/Chinese-hackers-reach-Indias-Russian-embassy/articleshow/5830043.cms</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/04/chinese-hackers-reach-india%e2%80%99s-russian-embassy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Breaking up dark clouds in cyberspace</title>
		<link>http://www.infowar-monitor.net/2010/04/breaking-up-dark-clouds-in-cyberspace/</link>
		<comments>http://www.infowar-monitor.net/2010/04/breaking-up-dark-clouds-in-cyberspace/#comments</comments>
		<pubDate>Sun, 11 Apr 2010 07:16:11 +0000</pubDate>
		<dc:creator>sahar</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[International Law]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[shadows in the cloud]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5946</guid>
		<description><![CDATA[<blockquote>

Source: <a href="http://www.theglobeandmail.com/news/opinions/breaking-up-dark-clouds-in-cyberspace/article1524064/">Ronald Deibert and Rafal Rohozinski</a>. The Globe and Mail. 

Crime and espionage form a dark underworld of cyberspace. Whereas crime is usually the first to seek out new opportunities and methods, espionage usually follows in its wake, borrowing techniques and tradecraft. The Shadows in the Cloud report, released today, illustrates the increasingly dangerous ecosystem of crime and espionage and its embeddedness in the fabric of global cyberspace. 

As our everyday lives move online, criminals and spies have migrated to this domain. They leverage complex, adaptive attack techniques to take advantage of the fissures that have emerged in an era where “e” is everything. Every new software, social networking site, cloud-computing system, or web-hosting service represents opportunities for the predatory criminal ecosystem to subvert, adapt, and exploit. 

</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.theglobeandmail.com/news/opinions/breaking-up-dark-clouds-in-cyberspace/article1524064/">Ronald Deibert and Rafal Rohozinski</a>. The Globe and Mail. </p>
<p>Crime and espionage form a dark underworld of cyberspace. Whereas crime is usually the first to seek out new opportunities and methods, espionage usually follows in its wake, borrowing techniques and tradecraft. The Shadows in the Cloud report, released today, illustrates the increasingly dangerous ecosystem of crime and espionage and its embeddedness in the fabric of global cyberspace. </p>
<p>As our everyday lives move online, criminals and spies have migrated to this domain. They leverage complex, adaptive attack techniques to take advantage of the fissures that have emerged in an era where “e” is everything. Every new software, social networking site, cloud-computing system, or web-hosting service represents opportunities for the predatory criminal ecosystem to subvert, adapt, and exploit. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/04/breaking-up-dark-clouds-in-cyberspace/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
