SmartPros Legal and Ethics Newsletter January 2011

Wikileaks and Stuxnet: Part II

By Stephen K. Henn

In 1981, President Reagan was presented with some very interesting information. The French had recruited a Soviet intelligence officer – codename “Farewell” – who was highly placed in the KGB’s Directorate T which was responsible for “acquiring” advanced technology from the West. In computers, software and microelectronics, the Soviets were some 10 to 15 years behind the United States and bridged the gap by espionage.

In the shopping list of technologies, the Soviets wanted industrial control systems for their new Trans-Siberian Gas Pipeline, which offered both resources for the western part of the USSR and a source of hard currency through exports to Europe. After a request for the technology was rejected, Directorate T sought to pilfer the technology from a Canadian company. With this knowledge, the CIA allowed the theft to occur, but with extra code inserted into the software – code that would stress the limits of the pipeline until the system failed. In June 1982, the pipeline ruptured, producing the largest non-nuclear explosion recorded.

“Farewell” was exposed and executed in 1983, but upon exposure, the counter-espionage had its final victory: all the technology stolen from the West was suspect, which cast doubt on a host of major industrial projects, slowed the advancement of technology and caused a large increase in costs for Soviet projects. (For more background, please see the CIA’s Center for the Study of Intelligence, Duping the Soviets by Gus Weiss.)

Sound familiar?

Last month’s article looked at the effect of Wikileaks as both a tool for fast dissemination of information – potentially confidential – and the use of cyber attacks to “force” companies toward particular policies. The attack methodology, denial of service (DoS) attacks, was fairly crude, but did cause some disruption of the target companies’ websites. In addition, we looked at the use of the Stuxnet virus to delay and potentially damage Iran’s nuclear program. Iran is not a commercial enterprise, but the increasing sophistication of cyber attacks against commercial enterprises portends a day when a Stuxnet-like worm will be used against a company. Further, there is a fair chance that these attacks will come from entities out of the reach of law enforcement – if they can be accurately traced at all.

The next question is “what can be done about it?” To answer this question, a more fundamental one needs to be raised: “are we, as a corporation, willing to stand up for principle?” If so, what are those principles? MasterCard, Visa and PayPal broke commercial ties with Wikileaks and were attacked. (It should be noted that the websites were affected, not the transaction networks.) According to MasterCard, it did so because of its policy against doing business with those who engage in or facilitate illegal activity; a principled position. Once decided – or better yet, well in advance of the decision – protecting against the hackers became paramount.

Understanding the threat is the first step in prevention. A DoS attack is different from a virus plant. Amazon also ceased doing business with Wikileaks and was attacked, but did not suffer any consequences. That is because Amazon – due to the nature of its business – is designed to handle large spikes in traffic. The other sites – designed with marketing and communications in mind – were not. One would think, though, that MasterCard and the rest are now developing plans to address DoS attacks. Further, segregation of mission-critical systems – in the instant case, the transaction network of the credit card companies – helps to insulate the business from the effects of an attack, whether by brute force (DoS) or malicious insertion.

Finally, the business community here and abroad has to look toward a new way to put disincentives in place to discourage malicious hacking, taking an approach akin to the “broken windows” policy adopted in New York City during Mayor Giuliani’s tenure. The “broken windows theory,” articulated by James Q. Wilson and George L. Kelling, says that maintaining order against low-level threats not only helps prevent those threats, but also prevents an escalation into more serious crime. This includes not only the hackers themselves, but the enabling sites and servers. It may seem draconian to bring the long arm of the law to bear on teenage or 20-something pranksters, but the lack of consequences sends a distinct message to the underground hacking community: “we do not take this seriously.” Security that relies on the “fortress” approach to defending corporate assets works well right up to the time the assailant uses a bigger weapon. Addressing the problem aggressively while the attacks are small is a more successful longer-term strategy.