Stuxnet, Flame and the new world disorder

• ‘The most sophisticated and subversive’ to date came from the US Govt
• State-sponsored cyberweapons continue to be developed

IT reads like the plot of a high-tech thriller, a mash-up of John LeCarre and William Gibson: A Western government develops a computer virus targeted at the key systems of an enemy state. The malware gets loose and wreaks havoc in the wild. The world comes to halt.

Except for the last bit, the rest of it is true and is happening in the real world.

Over the last couple of months, thanks to some sterling journalism primarily by The New York Times and The Washington Post, it has been revealed that one of the most devastating computer viruses ever created, Stuxnet, was actually developed by the United States and its close ally Israel, under a project codenamed Operation Olympic Games.

That blackest of ops was begun by the Bush Administration and then accelerated by President Barack Obama a few months after he moved into the Oval Office. Stuxnet was targeted at the computer systems that ran Iran’s main nuclear enrichment facilities, but got loose because of a programming error; while Flame was designed to collect information from the computers of Iranian officials.

“The virus is among the most sophisticated and subversive pieces of malware to be exposed to date,” the Post reported. “Experts said the program was designed to replicate across even highly secure networks, then control everyday computer functions to send secrets back to its creators. The code could activate computer microphones and cameras, log keyboard strokes, take screen shots, extract geo­location data from images, and send and receive commands and data through Bluetooth wireless technology.”

When it comes to malware, much of the world’s efforts seem to be focused on protecting commercial interests and systems that are critical to a nation, such as the electrical grid. There has been speculation of state-sponsored attacks from one nation on another’s most popular websites, with China being a favourite whipping boy here, but mainly for mischief and harassment.

The US-Israel attack on Iran, however, is perhaps the first act of war ever conducted in cyberspace.

“Act of war”? Surely I am over-reacting here. But it has been said, that “computer sabotage coming from another country can constitute an act of war. … If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”

And who said that? Oh, a Pentagon official apparently, according to this Wall Street Journal article. Of course, this was last year, and that poor military man was probably unaware that his government was already at war on the cyberspace front.

It’s a natural regression from the early days of hacking and virus-writing for fun and mischief. Things have been getting steadily worse, notes Graham Cluley (pic), one of the world's leading experts in viruses and spam, and senior technology consultant at security software specialist Sophos.

“Then we saw the financially-motivated cybercriminals -- stealing banking passwords, installing keyloggers, hijacking computers to display adverts for money-making schemes, recruiting compromised computers into botnets in order to send spam,” he tells Digital News Asia.

“More recently, we have seen the rise of hacktivism, with more hackers breaking into systems to expose what they view as corporate hypocrisy or lax security or to spread a political message.

“However, state-sponsored cybercrime and Internet espionage is the area of cybercrime that is shrouded in the deepest, thickest fog,” he adds.

Cluley says that speculation about government and military use of the Internet to spy continues to grow.

“It would be naive to think that countries are not using the Net for such purposes,” he says. “And why shouldn't they? After all, it's probably cheaper and less dangerous to spy on another state's government or a foreign company using malware than to use the old-fashioned method of planting a physical agent there.”

“So, yes, I'm not astonished to read that businesses and governments are believed to be under Internet attacks from other states,” he adds.

It’s getting ugly out there – or in there, rather, in cyberspace.

The United States has committed an act of war (by its own definition). It may have been against a single nation, but the collateral damage has been inflicted worldwide. Why are other governments so quiet about this? Where are the displays of outrage and sense of righteous indignation? What is the UN Security Council doing about this?

Why has there been a deafening silence?

Cluley has an idea about this: “There seems little doubt that state-sponsored cyberweapons (if that is indeed what Stuxnet was) continue to be developed – and chances are that it's not just the United States and Israel who are developing them, but other developed countries.”

There you have it: All par for the course.

I don’t know about you, but I find this scary. Just apply the “Malone Model of Escalation,” as I call it, to this. That’s Sean Connery’s character in the 1987 classic, The Untouchables: “They pull a knife, you pull a gun. He sends one of yours to the hospital, you send one of his to the morgue.”

Welcome to the new world disorder, folks.
 
* This article was previously published in The Malaysian Insider