For quite some time—and again over the weekend—U.S. government officials have been warning U.S. businesses to shore up their cyberdefenses. Without a hint of irony, the U.S. Department of Homeland Security (DHS) issued an alert to businesses about “Flame,” the Washington Postreported, even though it’s likely that Flame (as well as Stuxnet) is the result of U.S. and Israeli cyberwarfare cooperation.
Over the weekend, Israel admitted publicly for the first time to engaging in “cyber activity consistently and relentlessly” for the purposes of "thwarting and disrupting enemy projects,” according to a story in the Sydney Morning Herald.
Last week's revelation that the U.S. government long ago decided that launching cyber-attacks against countries it views as a threat is a legitimate foreign policy tool is now leading to the inevitable question of whether this behavior will serve as an open invitation to others to do the same. In an article at ComputerWorld, for example, this question was raised by several security experts. They argue that the United States, having kicked off its cover of plausible deniability, has “painted a huge target on [its] back.” They add that the admission also undermines any complaints the U.S. has against others, especially China, for conducting cyber operations against U.S. businesses or government organizations.
The revelation has also raised questions regarding exactly what is the U.S. policy in regard to cyberwarfare. David Sanger, the journalist who broke the story of U.S. involvement in a coordinated program of cyberattacks against Iran that fell under the moniker “Olympic Games,” wrote in a Saturday New York Timesarticle that US government officials:
“’… approached the Iran issue very, very pragmatically,’ one official involved in the discussions over Olympic Games told me. No one, he said, ‘wanted to engage, at least not yet, in the much deeper, broader debate about the criteria for when we use these kinds of weapons and what message it sends to the rest of the world.’”
This failure to think through all of the consequences of employing cyberwarfare parallels the lack of analysis preceding the initial deployment of armed drones to (and against) other countries, a move which continues to create major political as well as legal debate today.
While a Washington Post editorial yesterday noted that the U.S. “lives in a mammoth glass house and ought to be mindful of the dangers when we throw stones,” the time for counting up the cost of its actions looks long past. The U.S. cannot complain if it begins to reap what it has sowed.
And heralding what may be in store, there was an article today in the Washington Post about the search engine Shodan, which is able “to map and capture the specifications of everything from desktop computers to network printers to Web servers.” Users of Shodan, the Post said, were able to find that “uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids, were linked in[to the Internet], and in some cases they were wide open to exploitation by even moderately talented hackers.”
So far, over 100 million devices have been discovered using Shodan, which has aided in “recording their exact locations and the software systems that run them.”
It doesn’t take too much imagination to think what a government intent on doing harm to U.S. infrastructural and business systems could do with that information.
(By the way, the Washington Post story on Shodan is the second part of a very well-worth-the-read multi-part series of articles on cyber security. Part one was on the anatomy of creating a zero-day attack.)
One final consideration is whether all this will lead to even a greater push by the U.S government for the sharing of certain cyberthreat intelligence among the intelligence community and cybersecurity entities, as called for in the proposed Cyber Intelligence Sharing and Protection Act. My bet, given past history, is most definitely.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.