No, the World Economic Forum does not publish blogs about football (soccer, to some of you), at least not yet. This is about the not-so-cold cyber war going on between the United States of America and the Islamic Republic of Iran. Allegedly, this started with Stuxnet, a customized piece of malware discovered in July 2010. It targeted Iranian nuclear power plants, supposedly causing months of delay in the Iranian nuclear programme. It was followed by FLAME, discovered in May 2012, a reconfigurable toolkit for stealing information from keyboard, screen, microphone, storage devices, network, USB – you name it. Again, Iran was the top target, with the Iranian oil ministry reporting that some of its facilities were affected.
Iran's first goal came on 15 August 2012, at 11.08am, when a computer virus called Shamoon was released in the network of Aramco, the Saudi state-owned oil company. Shamoon replaced files on tens of thousands of PCs with the graphic of a burning American flag. The equalizer goal, using a similar attack, came a couple of weeks later, targeting RasGas, a Qatari natural gas producer. Other goals are attributed to this match, with some surely yet to be discovered.
Why should we care? Why should someone on the Robotics and Smart Devices Council be blogging about this? Well, some malware is called viruses and bacteria for a reason; it causes headaches and is communicable (pandemic!). This makes cyber war similar to traditional biological warfare, with a twist (unfortunately!). Weapons development is cheaper, easier and faster. In most cases, weapons can be easily duplicated by others. No need for facilities visible to satellites or resources traceable by international monitoring agencies. Talk about weapons proliferation. And worse is that I am not sure how applicable the Geneva conventions are in cyber space! Not that anyone is abiding by Geneva conventions anyway, but still...
So what? Well, two words: “collateral damage”. Imagine the following what-if scenarios: malware disrupts the safety monitoring system of a nuclear power plant, causes the air traffic control network to be affected, disrupts supply chains, manipulates election results (as if this had not occurred outside cyber space), targets implantable medical devices, brings down communication networks, reconfigures industrial controllers… You think some of these are far-fetched? Some have already occurred, although most not in the context of cyber war! Now imagine that nations are behind this, with the resources available to them and the level of sophistication we are already experiencing with Stuxnet, FLAME, and their mutations.
Questions that come to mind: how accepting are we of hackable “actionable” technologies (robots, smart devices, etc.) that live with us, operate on us, drive our vehicles? Who is liable? Manufacturers, vendors, standardization organizations? What is the cost-benefit of security?
The real question is, what can be done? Not really sure, but more of the following is needed: awareness and education of technology developers and users, cooperation and response (CERT), standardization (ITU-T, 3GPP, many others), legislation, and research (secure programming, hardening, detection, mitigation).
One thing is for sure: this is no game, and it won’t end in 90 minutes.
Author: Imad Elhajj is Associate Professor at American University of Beirut, Lebanon, and a member of the Global Agenda Council on Robotics and Smart Devices.
Image: An analyst looks at code in the malware lab of a cyber security defense lab at the Idaho National Laboratory. REUTERS/Jim Urquhart