IT Security: From Stuxnet to Your Smartphone


by Michael Liebig


In my last column, I pointed out that IT security was an exciting topic at the Feb. 3-5 Munich Security Conference (MSC). This pertains particularly to the remarks by Eugene Kaspersky, CEO of Kaspersky Labs, a leading international company specializing in IT security, and Gen. Michael Hayden, former head of the CIA and National Security Agency (NSA).

The Russian and the American didn’t push a paranoid hype about “cyberwar”, as one might have expected at such an event. And they didn’t parade their expert knowledge in front of an audience of mostly IT laymen. Instead, they focused on “basics,” stressing that we are only at the beginning of a new era about which there are far more questions than definite answers. During the past two decades, information technology and the internet have catalyzed paradigmatic change on a global scale, but this transformation hasn’t really been “mentally processed.” With respect to the implications of the IT and internet-vectored transformation, our “mental maps” are still littered with terra incognita. At first, this may sound somewhat trivial, but it is not.

Hayden turned to the past in trying to explain what is happening. He drew the comparison with the discovery of the Americas in 1492. This discovery changed not only mankind’s view of the physical world, but also its “weltanschauung”: No one could seriously claim that the earth was flat any longer. Unknown products appeared and transcontinental trade with them changed the economy profoundly. The gold of South America paved the path for the money economy. The geopolitical structure of Europe changed with the rise of the sea powers: Spain, Portugal, England, the Netherlands and France. Religious structures in Europe also changed with the Reformation in North-Western Europe. And along came new forms of warfare: “religious” wars and transcontinental colonial wars. Strangely, Hayden didn’t mention the almost simultaneous Gutenberg Revolution, which made books and leaflets relatively cheap. Knowledge was no longer the privilege of a tiny minority and the literacy of the population advanced rather rapidly.

We are in a similar upheaval of weltanschauung right now. Hayden pointed out that the internet was invented by the American military research organization DARPA. For the military, over thousands of years, there existed only two domains: land and sea. In the 20th century, two new domains were added: air space and cosmic space. Now there is a fifth domain: “cyberspace”. Even if cyberspace depends on a material-technical base, it’s essentially “immaterial.” Cyberspace doesn’t fit the traditional notions of physical space and time. The “real time” information flows in the internet cannot be “localized.” However, very tangible effects in the “real world” can be generated out of this intangible domain of cyberspace.

The younger generation is already “IT socialized”, using the internet and information technologies as something self-evident and practical. As Kaspersky put it, this generation cannot imagine a world without internet just as the baby-boomer generation cannot imagine a world without electricity, cars and airplanes. But that does not mean that the young generation – and naturally much less so the baby boomer generation – truly understands information technology and the internet. Do they grasp the implications of the IT Revolution – socially, politically, economically and culturally? And, one may add, the same question goes for IT professionals – even though they possess all necessary technical knowledge.

Not unlike the early modern age of the 16th century, today the structures of the economy, politics, public administration, media and social life are changing dramatically. Hayden was not wrong when he declared that there would not have been “globalization” or the rise of China, India or Brazil without the IT Revolution.

Cyber Crime

A particularly important aspect of our lack of understanding vis-a-vis the IT Revolution is the issue of IT security – for individuals and societies. And again, that’s not just a “technical” matter, but a question of mental attitudes.

Kaspersky turned to the “dark side” of the internet by first addressing some human “basics”. He referred to anthropological constants: People have benign character traits and evil ones – they can be vindictive, greedy, predatory or violent. These anthropological constants are now interacting with a new information technology-based environment. There is no inherent dark side “in” the internet and information technology; the problem is how the internet is used or misused. Even if that may appear trite, it is really a crucial conceptual distinction.

Kaspersky chose a sober and unemotional view of IT security, which he arranged into four main threat categories: cyber crime, ideologically motivated hackers, cyber espionage and cyberwar.

Cyber crime is by far the largest threat. The estimates of the global turnover of cyber crime range between $200 billion and $1000 billion. Unbelievable figures. EU Commissioner Neelie Kroes said at the MSC that the number of $1 trillion was the correct one and that cyber crime has overtaken the international drug trade. However, Kaspersky was cautiously optimistic that the current asymmetry between cyber criminals and the law enforcement authorities will shift in the coming years. At the national and international levels, the legal, organizational and technical-forensic means to combat cyber crime are being improved. State agencies, private companies, Interpol and the United Nations seem to have woken up to the threat of cyber crime. But in the meantime, a lot of people will lose their money and their privacy.

This realization has not yet reached the “normal users.” Shortly before the MSC, I took part in a conference on IT security in Frankfurt. Speakers included representatives from Kaspersky Labs and the Federal Office for Information Security (BSI). What I learned was both instructive and alarming.

Ten or 15 years ago, protection of home or business PCs against malicious software – malware – was rather rare. Only after enormous damage had been done to individuals, businesses and public organizations by criminal malware did things change. Since then, the protection of PCs against malware has become standard. But now, history seems to repeat itself – with respect to smartphones.

Today, a fashionable smartphone has a memory capacity of 8 GB – that’s more than most PCs had only a few years ago. I learned that the “wikileaks” file of thousands of U.S. State Department documents would take only 10% of the memory capacity of a regular smartphone. And while smartphones are also increasingly used like PCs, protection against malware is a rare exception – particularly with the most widely used Android smartphones. Intrusive malware attacks by cyber criminals are the most serious, but by no means the only security problem with smartphones. Many apps require access to the email address file and other sensitive data – and often get them, because the user does not know what he or she is consenting to. Unlike PCs and laptops, smartphones are lost or stolen en masse. One can easily imagine what might happen if the stored data in a lost or stolen smartphone are not securely locked.

No special expertise on IT security is necessary to imagine the vast opportunities which smartphones offer to cyber crime. Smartphones are massively used and they are massively targeted by cyber crime. Again, it will probably take lots of painful experiences until smartphones are as secure as PCs are today.

Hackers and Cyber Espionage

For Kaspersky, the second major threat to IT security is ideologically motivated hackers who penetrate the information systems of state institutions, business enterprises and private actors. The vast majority of these hackers claim to pursue the aim of political and social “justice” and the exposure of hidden “scandals”. Kaspersky is concerned, however, that the ideologically motivated hacker milieu could attract political or other extremists, who might want to go beyond “mere exposing” and onto “active” cyber attacks. That could mean cyber terrorism: cyber attacks with the intent to do physical damage against individuals and institutions.

In quantitative terms, cyber espionage comes right behind theft-vectored cyber crime. Kaspersky sees cyber espionage as the second biggest threat to IT security. Cyber espionage is conducted by states against other states. By businesses against competitors. And by states against their citizens. In the latter case, we have a particular contradiction: On the one side, there’s a manifest need that governments provide IT security for their citizens: protecting them against cyber crime and safeguarding their privacy against commercial and other intrusions. On the other side, the security agencies of the state – in the name of fighting crime, terrorism or extremist subversion – have a disposition to violate the IT-related privacy of citizens which the state is legally bound to protect.

Finding a reasonable regulative setting for this contradiction is an enormous challenge. It’s one of the really big societal issues and the emergence of political formations like the “Pirates” parties is one indicator that it is indeed becoming a key aspect of the political discourse. Under the new and unique conditions of an IT and internet-vectored society, the state must protect the personal (and material) integrity of the citizens. At the same time, such imperatively needed regulation and protection must not infringe on the citizens’ privacy. What seems like a “Catch 22” is an issue that can reasonably be resolved. In simple words, the exception to the rule has to remain the exception. When there is a clear and present danger of heavy crime or terrorism, the penetration of private information systems must only occur in a precisely defined legal framework and under the supervision of the judiciary.

Cyberwar

Finally, cyberwar – which means: a country attacks the information systems of another country with “non-kinetic means” in order to effect material damage and human losses. The attitude of Gen. Hayden with respect to cyberwar was schizophrenic. On the one hand, he said that cyberwar can lead to incalculable and catastrophic consequences. He compared the Stuxnet cyber attack against Iranian nuclear facilities with the testing and use of the atomic bomb in 1945. On the other hand, Hayden endorsed the Stuxnet cyber attack because it sabotaged Iran’s nuclear research. Not surprisingly, he gave no hint as to who was responsible for the Stuxnet attack.

Kaspersky said that the unpredictable consequences of cyber warfare may constitute a kind of self-deterrent. It may not be possible to trace a cyber attack back to the aggressor. But the state under attack can make calculations on strategic interests and motivations behind the cyber attack – and retaliate in kind. Even smaller, technologically and economically less developed countries can develop effective capabilities for cyberwar, while technologically advanced states with big “IT power” are particularly vulnerable due to their extensive and complex IT infrastructures. Precisely because of its unique opaqueness, cyberwar can lead to strategic miscalculations with unprecedented consequences.

Kaspersky hopes that these factors may add up to a self-deterrent effect and lead to an international convention against cyberwar. Because the capability for cyberwar already exists in many countries, they may – in view of the incalculable risks for all – be more willing to go for an international treaty against cyberwar. However, the Stuxnet attack against Iran points in another, ominous direction.

It was good that cyberwar was not the all-dominating issue on the MSC panel. Cyberwar is not a thing in itself, but one dimension of IT security, which has to be situated within a comprehensive understanding of the IT Revolution in its entirety. The worst mistakes are made – by individuals and states – when there is a lack of understanding of what’s really happening. The more governments, academia and civil society develop an adequate understanding of the internet and IT-vectored transformation, the greater are the chances for our security. Only when you understand something can you act reasonably.
