When Nation-States Create Computer Viruses: “Diplomacy by Other Means” or Pandora’s Box? (Part 5 of 8)

This 8-part blog series examines the legality, justifications, and consequences of nation-state involvement in the creation of computer malware such as Stuxnet and Flame.

“You are the military industrial of the United States, the most dangerous body of men at the present in the world, for you not only implement our disastrous policies but are an overwhelming lobby for them, and you expand and rigidify the wrong use of brains, resources, and labor so that change becomes difficult. Most likely the trends you represent will be interrupted by a shambles of riots, alienation, ecological catastrophes, wars, and revolutions, so that current long-range planning, including this conference, is irrelevant.” Paul Goodman (1967)[i]

The speech above by Paul Goodman was delivered first as an address to a gathering of the elite of the war industries and later reprinted. While the critical part of this quotation for our purposes is “the wrong use of brains, resources, and labor,” (one topic of today’s post) I thought it important to quote the entire context because it puts forth a perspective that challenges, rather than assumes, the presupposition of constant national readiness for conflict; thus, it represents a viewpoint that is uncommonly heard in the debate over cyber-combat.

Last time, we discussed the dangers and inevitability of escalation in an era of sanctified cyber-conflict. This time, we will consider several additional consequences which are also worth avoiding.

Real and Opportunity Costs to Society

A permanent state of war carried on by computer is wasteful of society’s resources. That it consumes huge sums of real dollars is relatively obvious. I have already (in Post #3) talked at length about the vast cybersecurity-industrial complex which has emerged in response to real and perceived cyber-threats. The real dollar amounts are classified, but most estimates put them at least at $10 billion. Alas, that does not even include the sums spent by commercial enterprises on securing their systems from state-sponsored cyber-attack and espionage; these numbers would be even more difficult to quantify.

Supporters of the military-industrial complex have argued through the decades that conventional war can have a positive effect on the advance of technology, at least in certain areas, such as aerospace, rocket technology, guidance systems, radar, and so on. I won’t attempt to refute that proposition here. However, cyber-weapon development is essentially wasteful and non-productive. It serves only to exploit flaws in existing systems, not to develop new and more advanced technologies. Cyber-defense technologies–which perhaps include such fields as cryptography and new forms of biometric security that need to be developed in response to constant cyber-attack techniques–may represent areas which are advanced by the parry and thrust of cyber-attack and defense.

However, less obvious than the direct cost is cyber-conflict’s cost in human talent, productivity, and CPU cycles. Thousands, if not hundreds of thousands, of very intelligent people are trained upon the essentially non-productive goals of devising cyber-attacks and defending against them. For example, a recent news story details how the Department of Defense has built a “National Cyber Range” so that operatives can simulate and defend against massive cyber-attacks. Human talent and effort spent in this way has an opportunity cost which ultimately impacts society’s ability to solve other problems. Human beings, so occupied, are not developing new businesses, improving networking speeds or connectivity technology, or writing useful software. No, they are engaged in what is essentially a game–only this game has not even the benefit of recreation.

Even CPU time is wasted. Computers loaded with viruses bog down, wasting both electricity and the time and energy of the person who owns the computers. However, a more subtle point is that, in a “cyber-war world,” computers engaging in relentless attack, defense, and monitoring demand massive CPU resources. It is difficult to think of a better example than the NSA’s more than $50 billion effort to capture, record, and analyze the entire traffic of the Internet for up to five years.[ii] While the NSA effort is really cyber-eavesdropping, and hence is somewhat orthogonal to cyber-combat, it is a paragon of society’s resources put to wasteful use. Imagine, if you can, what scientific research, business and industry could do with the surplus computing power that is currently used to intercept, monitor, and record the traffic of the entire Internet.

Erosion of the U.S. Moral Position

Another casualty of our choice to use cyber-weaponry like Stuxnet is our moral position as champions of international law and diplomacy, and as protectors of a free and open internet. It is easy to see why this would be true, and to some extent, we’ve already discussed this unfortunate consequence in prior postings. Saber-rattling about how we would use conventional weapons to counterattack against another nation’s cyberattacks is difficult to reconcile with our own use of these weapons against Iran. It is difficult to convincingly muster moral outrage at attacks which target our power grid when we ourselves have just attacked another country using similar techniques. It is also implausible to target China, for example, for possible state-sponsored espionage using commercial telecom equipment when we conducted espionage with “Flame.”

It does not help our moral position that the U.S. broke several of its own laws in creating and deploying Stuxnet. The U.S. government violated the spirit of the Computer Fraud and Abuse Act, current U.S. law, by accessing and modifying data on a computer, albeit not on a computer inside the United States. It also likely violated several international laws, and would have violated several proposed laws, such as the Cybersecurity Act, had it passed Congress this year.

Perhaps even more troublingly, U.S. or Israeli operatives (or their agents) likely stole valid digital certificates from the physical offices of a company in Taiwan in order to digitally “sign” the Stuxnet code. This signing process allows the code to seem like valid software to Windows and gives the code heightened security privileges on the machine.[iii] The government would, of course, claim a valid national security purpose for each of these crimes, but it is relatively clear that such acts diminish our credibility when we wag our finger at hackers and other perpetrators of online crimes.

Unexpected Technical Consequences

The release of computer viruses into the wild—even those which were originally written to be targeted at particular computers only—creates a number of risks. Stuxnet was written to spread via USB stick transfer and over local area networks because the technical exploits used are only really effective in limited environments where the computers have a high degree of trust with one another. Most viruses today, in contrast, spread by using an insecure web server to inject the virus via a browser vulnerability on the machine of a website visitor.

Stuxnet was never meant to be deployed outside of a small network of facilities in Iran, yet it somehow managed to infect over 100,000 computers worldwide. While there is no evidence that it did any damage to computers it was not designed to damage, it still spread. Despite the isolation of the targets, Stuxnet’s creators still lost control of it.

A related danger is that advanced cyber-weapons will be captured, dissected, and their methods used in unintended ways by rogue third parties, such as criminal organizations or terrorists. The Conficker worm, which infected millions of computers worldwide in 2008-2009, is an example. It had five variants (A-E), each of which was modified to adapt when the exploited vulnerabilities were patched. Strangely, no one could tell what Conficker’s botnet army was really intended to do until variant E, when it was apparently sold to criminal organizations. They put the botnet to use by turning infected machines into email spamming zombies, or trying to trick people into buying “cures” for $50 in response to fake infection warnings. While that was thankfully a relatively innocent use for a powerful piece of malware, it aptly demonstrates the potential of a virus to be used in ways other than intended.

Next Time

Next time, we will examine the impact of increasing militarization of the Internet and how it changes the Internet itself, human freedom, and human life in general.

[i] Paul Goodman, A Causerie at the Military-Industrial (Oct., 1967).

[ii] See generally JAMES BAMFORD, THE SHADOW FACTORY (2008).

[iii] Stolen certificates were used because a certificate authenticates the identity of the signer, which the author of malware could hardly do.


~ by K. Miller on October 30, 2012.
