Tuesday, March 22, 2011

Bombing with Bytes

Just as the introduction of air power transformed the battlefield in the Second World War, the rise of cyberspace and the possibility of launching attacks in this virtual landscape have continued to blur geographical barriers and the readiness of states to shield themselves from such attacks.

Way back in the '80s I used to be awestruck when Italian TV channels used to air the film 'War Games' starring Matthew Broderick. The plot was very simple. Whilst using his home computer to perform simple hacking exercises like changing his school grades stored on the school's IT system, a teenage computer wizard stumbles by mistake into a US military supercomputer which is responsible for military nuclear simulations. The interactions between the kid and the supercomputer end up with the US military believing that a nuclear strike from the USSR is underway and that Armageddon is in the making, only to realise that this was purely a simulation and the result of a computer game gone wrong.

The story portrayed in War Games has become more of a reality than we think, as the malicious use of software has dramatically increased and code is now being written specifically to attack national infrastructures.

In the summer of 2010 a sophisticated piece of malware called Stuxnet was reportedly targeting Iran's nuclear programme, including uranium enrichment centrifuges at the Natanz facility. Iranian officials admitted that the worm had infected computers but denied that the nuclear programme had suffered any delays, even though it is understood that there were a number of setbacks. It was also reported that over 60% of computers infected with Stuxnet were located in Iran, thereby fuelling theories that this was not just another incident of malware gone wrong.

The novelty of Stuxnet lay in the fact that, unlike other malware which was designed to infect desktop computers in order to recruit them into large interconnected botnets aimed mostly at spam operations, Stuxnet was the first virus specifically designed to attack real-world infrastructures. Very simply put, Stuxnet attacks supervisory control and data acquisition (SCADA) computer systems, which are responsible for controlling various infrastructures such as power stations, grid systems and processing plants, as well as traffic lights and public transport systems. Various reports suggested that Stuxnet was created specifically to hit motors controlling centrifuges working within nuclear plants and disrupt the creation of uranium fuel pellets.

Pointing to the fact that this malware required the largest and costliest development effort in malware history, many industry experts went as far as claiming that, in light of the complex code with which Stuxnet was built, only 'nation states' would have had the capabilities to produce it, citing the US and Israel as the potential authors of the virus. Surely, the present relationship between Iran, the US and Israel would lead one to further believe in such theories.

The latest Stuxnet attacks are not the only incidents which have surfaced during the past few years and which have been compared to cyber warfare. The attacks by China on Google in 2009 are another example which was widely publicised.

What is even more worrying is the fact that very recently a decompiled version of Stuxnet was also made available online by the collective of hacktivists known as 'Anonymous', thereby providing everyone with the tools to have a try at SCADA attacks.

What we are seeing here is 'pure' computer crimes where computers are not only the weapon by which attacks are launched but are also the targets or victims of such attacks; computers as instruments to commit the crime as well as its victims. Think of Denial of Service Attacks within a military context and you will start to comprehend what these pure computer crimes can achieve.

The Computer Misuse provisions contained in our Criminal Code lay down that the production, sale, procurement, importation, distribution, possession or the making available of computer programs which are designed or adapted primarily for the purpose of accessing or damaging computers and computer networks is a criminal offence. This would render, as far as Maltese law is concerned, the production of malware and internet worms like Stuxnet a criminal act. But what would happen if Stuxnet was developed by nation states as has been widely suggested in international press? Is this just another example of clandestine war? Would any computer crime law have any teeth in such scenarios? I guess not.

In recent months, some commentators went so far as to suggest a 'Geneva' type of convention relating to cyber-attacks and cyber warfare, in order to have some international agreements in place so that an enemy's hospitals or certain types of civilian infrastructures are not attacked. As in any other act of war, whether countries would end up respecting such international legislative frameworks is a different question altogether.

Only last week, General Keith Alexander, head of the US Cyber Command, testified before US Congress, arguing that all future conflicts will involve cyber warfare tactics. It would be interesting to see whether UN Security Council Resolution 1973, sanctioning a no-fly zone on Libya, also contemplates cyber warfare, and whether it would prove Alexander right: that the internet is destined to become a war ground and that national infrastructures have to be wary not only of bombs but also of bits and bytes.
