As the news wave broke on Friday; from the NY Times; then across the technology sector and spread around the world (a sample of articles from Ars Technica, PC World, PC Mag, Reuters, Ireland, the UK, Himalayan Times, Forbes), on Saturday; the US “unofficially” took credit, while Israel officially backed away from Stuxnet, I couldn’t help but notice that I had a sick feeling in my stomach.
This whole situation is disheartening for me on many levels; some of which have started to get attention in the news sources I linked to above. For instance, while running this covert operation; the US went on record stating that they would retaliate to a cyberattack with military forces. That opens up a playing field that has some great nightmare plot lines that I hope stay only in Hollywood and don’t become reality.
Other implications that are being discussed, that are; and will become more real:
- Ars Technica focused on the probable policy impact to the US.
- PC World focused on the fact that the tool box is now out there and can be re-used by anyone (group, nation-state, etc.).
- Washington Post identified that the future of war and recruitment is now about computers.
- Forbes pointed out that Iran is now justified in retaliation; but that at least the truth is out now, so moving forward the US shouldn’t just be pointing fingers at China and Russia for being less than stellar cyber neighbors.
- As Reuters quoted: “The U.S. will now be blamed for any sophisticated, malicious software, even if it was the Chinese or just criminals,” added Jason Healey, who has worked on cyber-security for the Air Force, White House and Goldman Sachs, and is now with the Atlantic Council research group.
The heart of my personal concern starts to show up at the end of the Forbes article: “These guys are playing war in cyberspace, and they’re doing stuff that affects our networks,” says Schneier. “When countries attack each other in cyberspace, we’re all in the blast radius.” Now that the US government has (un)officially stated they were behind the impacts of Stuxnet; the arms race is on, and no country will want to be left behind.
For physical dimensions of war, we have certain rules of engagement that we’ve crafted over the centuries; and we’ve evolved those rules as we evolve the weapons. From the Geneva Convention to the Biological Weapons Convention , we have set boundaries around what you can do in the name of war. When people (groups or nation states) violate those boundaries, most of the world is repulsed; and usually that is enough to re-establish that these boundaries are also cultural norms.
But now we have a new weapon that just moved into arms race territory, and we don’t really understand the damage it can do. No more than the scientists in the Manhattan project (our their international counterparts) really understood the human impact, or the long-term environmental impact of the nuclear bomb. This brings me back to war conventions (people or tools) – they are usually created well after an involuntary set of victims suffer typically irrevocable harm. Historically, many of the victims have been civilians; and I see no reason to believe this is any different.
In addition, any weapon requires testing; and usually testing evolves to using ‘real’ targets. In this case, the targets are those who have accessible computer infrastructure; and the further up the first world scale you are, the more this describes your economy. Not to mention, even if your particular 1st world country isn’t a target, in the geopolitical world of maneuvering, there’s a lot of cachet in being able to successfully attack in that arena, and again, no one (group or nation) wants to be left behind.
To really focus on impact, this is the kind of thing that starts by impacting people working at corporations with a disproportionate impact on security companies. How will specific people be impacted? Given that attribution is a challenge on a good day, with the actors potentially being one to many nation states, and the probability for successful damage goes up, as the opportunities for restitution likely start heading toward zero. This doesn’t even count the impact of things like harming energy grids in winter, and the direct impact on that regions civilians. Today, failure to protect a company or its reputation due to a security issue is often a direct negative impact on the person considered to have failed, regardless of how realistic the expectation was. (We like to kill the messenger, and sometimes everyone related to the messenger, if we can’t change the message.)
Why a disproportionate impact on security companies? In the last decade, nation states have proven that they are not above informing security organizations to cease and desist actions that are considered to have geopolitical implications, so the people and companies that are best placed to protect and serve function with local nation handcuffs; and those handcuffs could easily gain impact due to commercial organization lawsuits against the security company for failure to protect them (and again, the expectation mismatch of a single security research team taking on partnered nation states could be pretty huge, even without the handcuffs.)
Now, factor in that if you want to test your weapon, and you’ve successfully proven its damage capability on the commercial markets in your target region, where can you get the most confirmation of your tools destructiveness and people’s inability to stop it? By proving that the security infrastructure of your target nation state can’t stop you – even if there’s no payload, this could be an announcement that there’s a new geopolitical player. Since the national security groups and agencies don’t leave large signs pointing to where to test your products against them, you’ll likely chose to go after civilian resources who defend companies and resources in the target region.
That leaves the security companies that are resident or popular in the target region as highly probable targets to do an efficacy check of your weapon against. Since the gloves are now off on the arms race, and the gauntlet just hit the floor, we just took the defender asymmetry and started to ramp up the need to be able to respond to anything with speed in an exponential way. I recommend stock in sleeping aids for your local security people and companies; you’ll make a killing and sleep fantastically; even if a lot of others won’t.