
Thursday, 29 August 2013

Non-Lethal Option for Syria: Interrupt Energy and Telecommunications Services using Cyber Warfare


What we know: Someone in Syria used Sarin gas and killed an estimated 100,000 people. 

What we don't know: Who did it. So far, no evidence has been collected which identifies the culprit. Was it by order of the Assad government, a rogue action by the Syrian military, or something that the rebels did to force engagement by the West against Assad? Currently, it's a judgment call.

What should we do: So far, the only public options that I've heard involve Tomahawk cruise missiles.
One alternative option that should be (and perhaps is being) considered by Western governments is to send a non-lethal message by breaching and taking control of Syria's national power grid and/or its telecommunications infrastructure. This is certainly within the capabilities of Israel and the U.S., and most likely available to other EU allies, not to mention Russia and China. 

It's a relatively small grid with only about 14 power generating stations that distribute electricity received from PEDEE (Public Establishment for Distribution and Exploitation of Electrical Energy) including:

  • Deir Ali Power Generation Station 
  • Teshreen Power Generation Station
  • Jandar Power Generation Station 
  • Al Zara Power Generation Station

Each of these companies utilizes foreign vendors (another access point) such as the Greek company Metka which services Deir Ali and the Indian company Bharat Heavy Electricals Limited which services Teshreen. 

I'll stop there because the goal of this post isn't to create an order of battle, however I do think that putting the Syrian government into a virtual vise where outside nations can control its critical infrastructure should at least be considered alongside Obama's inclination to use cruise missiles. Talk about "deter and degrade" - how much can Assad or anyone else in Syria do without power?

Wednesday, 20 June 2012

Arquilla's "Cool War" is Fiction

In this article for Foreign Policy, John Arquilla poses the question "Could the age of cyberwarfare lead us to a brighter future?". Arquilla proposes that it will but his article utterly fails to make the case.

He builds his case for pure cyber war as an alternative to kinetic war by using Stuxnet as an example claiming that it achieved "a serious disruption of Tehran's nuclear enrichment capabilities -- and possibly of a secret proliferation program." The fact is that Stuxnet caused limited disruption (by design) and it failed to halt Iran's nuclear enrichment program. It's also important to note that Stuxnet was only discovered because the malware design was flawed, which underscores the fundamental problem with Arquilla's imaginings of the efficacy of a pure cyber war. The effects of malware are often unpredictable and unpredictability is the enemy of military planners.

Later, he suggests that Flame, the cyber espionage tool which apparently infected Iran's network years before the Stuxnet worm was created, demonstrates how cyber espionage can replace old school tradecraft - "The code that comprises it seems to make the point that we no longer need physical agents in place if we can now rely on artificially intelligent agents to dredge up the deepest secrets." This is as ridiculous a notion as the one that Arquilla offers about cyberwarfare replacing boots on the ground. Both Chinese and Russian intelligence services continue to recruit human assets for acts of espionage even as they utilize cyber espionage as a force multiplier. HUMINT isn't going away - ever.

Arquilla writes that "On balance, it seems that cyberwar capabilities have real potential to deal with some of the world's more pernicious problems, from crime and terrorism to nuclear proliferation. In stark contrast to pitched battles that would regularly claim thousands of young soldiers' lives..." I challenge Professor Arquilla to present even a shred of evidence that supports his fantasy that this future could ever come to pass. I don't know what John Arquilla's motivations are behind this embarrassingly weak article but I wouldn't accept this from a student let alone a professor of his standing.

Thursday, 31 May 2012

Flame, Russia and the ITU: A Geopolitical Agenda?

Both the ITU and the Russian government have been united in their interest to secure a global cyber warfare treaty since at least 2010. In recent weeks, Evgeniy (Eugene) Kaspersky has been increasing his rhetoric regarding a future cyber catastrophe and most recently his company was chosen by the ITU to investigate the Flame attack. That attack prompted today's press release by the ITU calling for "greater international collaboration" on cyber security matters at their upcoming conference in Dubai; a conference sponsored by Kaspersky Labs and where CEO Kaspersky will deliver the keynote:
Cybersecurity will be a major agenda theme at ITU Telecom World 2012 (Dubai, 14-18 October 2012), supported by key partners, one of whom is Kaspersky Lab. This agenda will explore issues such as mitigating risks posed by major coordinated cyber-attacks at the national level, the threats posed by malware such as Flame, and strengthening international cooperation. Kaspersky Lab CEO Eugene Kaspersky will deliver a Visionary Keynote speech at the event, outlining the magnitude and global nature of cyberthreats today.
The Russian government has long been an advocate of an Information Warfare treaty limiting the use of cyber weapons and other acts of IW because it serves the interests of the Russian government (which has other means of conducting IW) while restricting cyber weapons development in the West. An excellent overview of the ramifications of such a treaty is Tom Gjelten's "Shadow Wars: Debating Cyber Disarmament".

Evgeniy Kaspersky, Kaspersky Labs, and the Russian Security Service

In November 2009, the Duma Committee on Security met on “the legislative, organizational and technical security aspects of the national info-communications infrastructure.”  The meeting included the Experts Council and several additional experts.  The invited experts were primarily senior government officials—including two from the FSB--with two from industry.  One was the President of MFI-Soft—the company that provides internet intercept systems to the FSB ISC—and the other was Evgeniy Kaspersky, Director of JSC Kaspersky Labs.

The President of MFI-Soft, Alexander Ivanov, is a former senior military communications officer.  MFI-Soft’s bread and butter are lawful intercept systems including SORM-1, SORM-2, and SORM-3.  MFI-Soft holds numerous licenses from the FSB and FSTEC for work on state secret information and encryption systems.  JSC Kaspersky Labs does as well.  While the Duma Security Committee did not post the meeting's minutes, both companies are now involved in pushing Russian standards for the Commonwealth of Independent States (CIS).

Kaspersky Labs holds numerous security clearances authorizing work on projects involving state secret information (current list is posted at http://www.kaspersky.ru/license). The FSB only licenses two antivirus companies for work with state secret information; JSC Kaspersky Labs and Dr. Web. The licensing requirements effectively give JSC Kaspersky Labs and Dr. Web a monopoly on the Russian market since the IT market is dominated by the Russian Government and large industry closely aligned with the government.  Indeed, in 2009, the Russian Federal Antimonopoly Service (FAS) initiated proceedings against Kaspersky for possible violations of Russian antitrust laws, but no action appears to have been taken. Russian government tenders posted at zakpuki.gov.ru frequently specify JSC Kaspersky Labs products as required based on their FSB/FSTEC licenses.  The licenses are almost certainly critical to Kaspersky’s future.  According to Interfax, Kaspersky sales totaled $538 million in 2010 (last year for full data).  However, the revenue breakdown was stated in such a way that it is impossible to identify specific sources.

Summary
Kaspersky's elevation of Flame to a status that it doesn't deserve (a "highly sophisticated cyber weapon") takes on a new meaning when you examine the close relationship between Kaspersky Labs and the Russian government along with their relationship with the ITU and their parallel interests in promoting international cyber security agreements and cyber warfare treaties. Is Flame a means to a geopolitical end that favors those players' interests? I think it is.

RELATED:
"Kaspersky's Problematic Flame Analysis"



Monday, 28 May 2012

Kaspersky's Problematic "Flame" Analysis

Countries infected by Flame (SecureList 28MAY12)
I'm beginning to wonder what's going on over at Kaspersky Labs. Eugene Kaspersky has begun sounding like Richard Clarke with his warning about mega-cyber disasters during his keynote address at the AUSCERT IT security conference. Then there's his repeating of the Russian government mantra that a cyber weapons treaty is needed (it's not). Now Kaspersky Labs has called a virus whose only purpose is to steal data a "cyber weapon". Come on, guys. You've done some terrific research in the past with DuQu. Now all of a sudden, it seems like you've become evangelists for a Russian government strategy to raise the stakes in cyber war rhetoric. Espionage is not warfare and never has been. Hence a tool created solely to conduct cyber espionage cannot also be legitimately called a cyber weapon.

You've also wrongly simplified the scope of cyber actors out there to three when it has never been that cut and dried:
Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states. Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to conclusion that it most likely belongs to the third group.
You've conveniently failed to mention an important fourth category: mercenary hacker crews - principally from Russia and the Commonwealth of Independent States - who steal IP and sell it to both corporations and governments. Crews that would love a tool like Flame and who, in my opinion, are the most likely actors involved in using such a tool. If you'd be forthcoming with more information - such as Flame's Command and Control server URLs - a lot more could be learned about who may be behind this virus.

UPDATE (31 MAY 2012): See my related article "Flame, Russia and the ITU: A Geopolitical Agenda?"

Monday, 16 April 2012

China: Our Incompetent Master Adversary?

According to an article in today's Guardian, State Department and Pentagon officials with their Chinese counterparts have engaged in at least two cyber war games in 2011 and have another planned for next month. These war games are coordinated by two think tanks: Center for Strategic and International Studies for the U.S. and the China Institute of Contemporary International Relations. The goal is to try to manage escalating hostilities between the two nations over China's perceived massive cyber espionage campaign against U.S. companies.

It's distressing to see that the tensions have risen to this point because it's based on a seriously flawed evaluation of the facts by well-known companies plus former and present U.S. government officials. For example:

U.S. information security companies like RSA, McAfee, Mandiant, and others routinely issue reports blaming China and ONLY China for intrusions that they've encountered. It's incredible to me that in spite of the 30+ countries actively engaging in acts of cyber espionage, these security giants have only caught China in the act.

Secretary of State Hillary Clinton has been quick to blame China for cyber attacks that targeted Google but for no other reason than because Google said so. And the Secretary has never once warned other countries to cease their cyber attacks against the U.S.

The U.S. China Economic and Security Review Commission routinely puts out alarmist reports about China's military cyber buildup while deliberately refusing to hear testimony by experts who have contrary views to the commission's anti-China agenda.

Richard Clarke's sinophobic, alarmist op-eds routinely get published in the Wall Street Journal and elsewhere even though Mr. Clarke has no standing as a cyber security expert.

No wonder that the Chinese government's irritation with the U.S. has risen to the point where we need CSIS and its Chinese counterpart to conduct a mediation. Beijing is getting tired of being blamed for every attack against every company everywhere in the world, and they're right to be mad. As I've said many times before, it's not that China doesn't do it; they absolutely do, but so do many other countries and just as frequently yet we almost never hear about a major breach being blamed on any country other than China. Either China is the greatest and dumbest adversary that we've ever had, or the real dummies are those in the InfoSec industry who can't be bothered to question the obvious when doing incident response, or who choose to cater to the rising tide of Sinophobia in the U.S. in order to boost their sales; or to politicians and journalists who parrot back the faulty claims of those same companies thereby perpetuating a bad cycle that has resulted in real-world tensions that could have been handled in a more constructive way all along.

While the marketing of anti-China sentiment by some in the InfoSec industry is clearly one part of this disaster in foreign relations, Media deserves its share for opting to print stories that cater to China FUD because it results in higher readership which means more advertising revenue. Since the American public is generally naive about cyber operations by nation states, they believe what they hear about China in the media and cast their votes for the politician who will save them from the menacing red dragon who's sopping up their brain waves and living inside their electric wires. Politicians being what they are cater to that fear and make pronouncements and threats accordingly in order to win votes.

The solution to this problem is simple. As a nation, we need to ask more questions. Accept nothing at face value no matter which "authority" tells it to you, including me. Good intelligence analysts use negative analysis to test their findings before sending them on to their customers. A little more negative analysis by all parties involved may be what's needed to reduce U.S.-China tensions and improve U.S. security. And it doesn't cost any money to do it.
