Sunday, February 5, 2012

Cone of Silence Surrounds U.S. Cyberwarfare

Via Stars and Stripes (Oct 18, 2011) -

The burial at sea was just a few hours old when sources around Washington began to spill the tactics and objectives of the May 1 mission that killed Osama bin Laden. Quickly, a substantial picture of the shadowy mission in Pakistan emerged.

But nearly two years after another operation that in terms of ingenuity and audacity might be considered the cyberwar equivalent of the bin Laden mission — the Stuxnet attack that destroyed crucial equipment in Iran’s nuclear program — the silence remains unbroken. Military and civilian leaders have steadfastly refused to confirm or deny U.S. involvement.

Classified, it seems, is the enduring reality of computer warfare.

Even though the Pentagon this year formally declared cyber a new domain of warfare equal in importance to land, sea and air, a murky blanket of secrecy covers not only its operations but its policies and doctrines. It’s a level of obfuscation that far outstrips that which surrounds U.S. conventional and nuclear capabilities.


No one has yet proven who perpetrated the Stuxnet malware operation that in late 2009 or early 2010 began to cause computers in the Natanz nuclear facility in Iran to go haywire. The worm may have set work back by several years in a program that the United States says is aimed at one day producing nuclear weapons with which to threaten its neighbors.

Though Western researchers and Iranian investigators alike point a finger at the United States, frequently alleging a U.S.-Israeli collaboration, U.S. officials will not comment.

Months before the attack was disclosed, Bumgarner, a retired U.S. Army special operations veteran, former intelligence officer and cyberwarrior, penned an article in an information warfare journal that, clearly, no one in Iran’s nuclear program read or took seriously. The article, titled “Computers as Weapons of War,” suggested that centrifuges used to refine nuclear fuel could be made to destroy themselves with the right kind of offensive cyberweapon. Soon after, that’s what happened. (Among its other effects, Stuxnet is also thought to have put a Russian-built Iranian nuclear power plant at risk of meltdown.)

Bumgarner says he wrote about the centrifuge vulnerability simply to show what can be accomplished. Many other U.S. opponents have similarly vulnerable systems, as does the United States, he said.

The key from the standpoint of the attacker is not to tip one’s hand, Bumgarner said. Obscuring precise capabilities gives you an edge, while revealing too much information weakens you.

“When it comes to cyberweapons, some of the things that you develop need to be held close to the vest,” he said. “If information about a specific cyberweapon leaks out, the adversary can adjust their defenses and your offensive capability will be diminished.”

The key for U.S. officials, and the thing that perhaps keeps their lips sealed in public, is knowing the line between healthy public discussion and tipping off adversaries to their own weaknesses.

“A conventional weapon can be effective for years, perhaps even decades,” he said. “A cyberweapon’s effectiveness might be measured in minutes until someone applies a patch or a new security filter.”
