Aviation Week (via Matthew Aid) reports: As it winds down its role in Afghanistan, where strategic rivalry in another era was called “The Great Game,” the U.S. Defense Department has been suiting up for the next big round of conflict: cyberwarfare.

The Pentagon has been racheting up the rhetoric gradually, with former Defense Secretary Leon Panetta warning of a cyber-Pearl Harbor and more and more officials publicly acknowledging cyberwarfare.

This year, the Pentagon has firmed up plans to skim approximately 4,000 operational and intelligence experts from the uniformed services to field the now more than 100 teams that will play both digital offense and defense against enemies seeking to attack the U.S. and its vital computer networks.

Some teams are already being fielded, although officials will not say exactly how many or where they are located. A Pentagon press officer said a number of teams are “prioritized” to be operational by the end of September. More will be added in the next few years.

In all, 13 National Mission Teams will conduct “full-spectrum cyber operations” to defend against threats to the nation and its critical infrastructure; 27 Combat Mission Teams will provide support to the nine combatant commands, “and when authorized,” will offer cyber options and capabilities to consider. Commanders then will determine how best to integrate them into contingency plans as targets are assessed and determinations made on how to best defeat or neutralize, said Air Force Lt. Col. Damien Pickart.

Additionally, 68 Cyber Protection Teams will focus on safeguarding Defense Department information networks, Pickart told Aviation Week in an e-mail. When directed, the Cyber Protection Teams, which officials had not previously discussed in public forums, may also support other U.S. government networks and the nation’s critical infrastructure, he added. [Continue reading…]

NBC News reports: Cybersecurity experts tell NBC News that the [Stuxnet] attack may not have done as much damage to the Iranian nuclear effort — which Tehran insists is geared toward developing nuclear energy, not weapons — as was initially reported in some media accounts.

And it has raised the stakes in the race to create online weaponry.

Iranian Ambassador Hossein Moussavian, in a Feb. 21 appearance at the Center for National Security at Fordham Law School, said the attack prompted Tehran to make development of its own cyberwar capability a priority.

“The U.S., or Israel, or the Europeans, or all of them together, started war against Iran,” he said. “Iran decided to have…to establish a cyberarmy, and today, after four or five years, Iran has one of the most powerful cyberarmies in the world.”

Scott Borg, a U.S.-based cybersecurity expert, said that while Iran may be exaggerating its offensive capabilities, there is no doubt that it has developed a “serious capability” to wage cyberwar.

“It’s exaggerating the present capabilities,” he said, “but it’s working toward the future.”

As an example, Borg and U.S. officials note that when the U.S. leveled new sanctions on Iranian banks last year, U.S. banks suddenly came under attack – apparently from Iran itself or its hired proxies.

The Guardian reports: Barack Obama has ordered his senior national security and intelligence officials to draw up a list of potential overseas targets for US cyber-attacks, a top secret presidential directive obtained by the Guardian reveals.

The 18-page Presidential Policy Directive 20, issued in October last year but never published, states that what it calls Offensive Cyber Effects Operations (OCEO) “can offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging”.

It says the government will “identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power”.

The directive also contemplates the possible use of cyber actions inside the US, though it specifies that no such domestic operations can be conducted without the prior order of the president, except in cases of emergency.

The aim of the document was “to put in place tools and a framework to enable government to make decisions” on cyber actions, a senior administration official told the Guardian.

The administration published some declassified talking points from the directive in January 2013, but those did not mention the stepping up of America’s offensive capability and the drawing up of a target list.

Obama’s move to establish a potentially aggressive cyber warfare doctrine will heighten fears over the increasing militarization of the internet.

The directive’s publication comes as the president plans to confront his Chinese counterpart Xi Jinping at a summit in California on Friday over alleged Chinese attacks on western targets.

Even before the publication of the directive, Beijing had hit back against US criticism, with a senior official claiming to have “mountains of data” on American cyber-attacks he claimed were every bit as serious as those China was accused of having carried out against the US. [Continue reading…]

Jeffrey T Richelson and Malcom Byrne write: At a time when Chinese malware is targeting America’s computer infrastructure and U.S.-Israeli worms (e.g., Stuxnet) have reportedly attacked Iranian centrifuges, a recently declassified item from the National Security Agency (NSA) offers a little history on how at least one part of the U.S. government foresaw its role in the growing field of “Information Warfare.”

This short item from a classified NSA publication reveals that as far back as 1997 the super-secret agency was tasked with finding ways not just to listen in on our enemies (the NSA’s usual stock-in-trade), but actually to attack hostile computer networks. The document proclaimed that “the future of warfare is warfare in cyberspace,” and it sketched out how tomorrow’s “Information Warriors” would think, act, and fight on the new digital battlefield.

The NSA’s involvement in cybersecurity is an outgrowth of its longtime role in ensuring communications and information security for various components of the government and private sector, in addition to its need to guarantee the security of the computers it has relied on heavily for decades. Its role in computer-network exploitation — of gathering electronic “data at rest” — is a natural extension of its decades-old role of gathering “data in motion” via signals intelligence. [Continue reading…]

International Herald Tribune: Britain’s intelligence services, working alongside security experts from private companies, are setting up a secret control center in London to combat what the head of the country’s domestic spy agency has described as “astonishing” levels of cyberattacks.

The existence of the so-called Fusion Cell was due to be confirmed on Wednesday in a statement on the government’s strategy to boost information sharing in an expanding cyberwar against online attackers.

A team of security analysts at an undisclosed location will monitor attacks on large screens and provide details in real-time of who is being targeted, according to the BBC.

The British initiative, which also includes the creation of a social network-style web portal to facilitate information exchange, is the latest in a series of international measures to combat what is seen as the growing threat of cyberattacks to both business and government networks.

President Obama last month signed an executive order to increase information sharing about cyberthreats between the government and private companies.

“We have seen a steady ramping up of cybersecurity threats,” Mr. Obama said in a recent interview. “Some are state sponsored, some are just sponsored by criminals.”

Jonathan Evans, the outgoing head of MI5, Britain’s domestic intelligence agency, made a similar point ahead of last year’s London Olympic Games.

“Vulnerabilities in the internet are being exploited aggressively not just by criminals but also by states,” he said in a rare interview. “The extent of what is going on is astonishing.”

The victims are said to include big companies. The BBC said one major London listed company had lost the equivalent of $1.2 billion as a result of a cyberattack from a hostile state. [Continue reading…]

Reuters reports: The U.S. government is expanding a cybersecurity program that scans Internet traffic headed into and out of defense contractors to include far more of the country’s private, civilian-run infrastructure.

As a result, more private sector employees than ever before, including those at big banks, utilities and key transportation companies, will have their emails and Web surfing scanned as a precaution against cyber attacks.

Under last month’s White House executive order on cybersecurity, the scans will be driven by classified information provided by U.S. intelligence agencies – including data from the National Security Agency (NSA) – on new or especially serious espionage threats and other hacking attempts. U.S. spy chiefs said on March 12 that cyber attacks have supplanted terrorism as the top threat to the country.

The Department of Homeland Security will gather the secret data and pass it to a small group of telecommunication companies and cybersecurity providers that have employees holding security clearances, government and industry officials said. Those companies will then offer to process email and other Internet transmissions for critical infrastructure customers that choose to participate in the program.

The discovery that an early version of Stuxnet was in development in 2005, suggests that work on the computer worm may have begun soon after the U.S. received Libya’s P-1 centrifuges in January 2004.

In September 2005, Dennis Ruddy, a general manager at the Department of Energy’s Oak Ridge nuclear facilities said: “There’s a lot of interest in the things that we brought back from Libya because a lot of them, looking at them, measuring the tolerances, setting them up and operating them, to a certain extent tells us how close people are to be able to get a system that can work all the way to bomb-grade material.”

Within two weeks of Ruddy’s statement appearing in the Knoxville News Sentinel, he had been relieved of his duties and lost his security clearance.

Ars Technica: Researchers have uncovered a never-before-seen version of Stuxnet. The discovery sheds new light on the evolution of the powerful cyberweapon that made history when it successfully sabotaged an Iranian uranium-enrichment facility in 2009.

Stuxnet 0.5 is the oldest known version of the computer worm and was in development no later than November of 2005, almost two years earlier than previously known, according to researchers from security firm Symantec. The earlier iteration, which was in the wild no later than November 2007, wielded an alternate attack strategy that disrupted Iran’s nuclear program by surreptitiously closing valves in that country’s Natanz uranium enrichment facility. Later versions scrapped that attack in favor of one that caused centrifuges to spin erratically. The timing and additional attack method are a testament to the technical sophistication and dedication of its developers, who reportedly developed Stuxnet under a covert operation sponsored by the US and Israeli governments. It was reportedly personally authorized by Presidents Bush and Obama.

Also significant, version 0.5 shows that its creators were some of the same developers who built Flame, the highly advanced espionage malware also known as Flamer that targeted sensitive Iranian computers. Although researchers from competing antivirus provider Kaspersky Lab previously discovered a small chunk of the Flame code in a later version of Stuxnet, the release unearthed by Symantec shows that the code sharing was once so broad that the two covert projects were inextricably linked.

“What we can conclude from this is that Stuxnet coders had access to Flamer source code, and they were originally using the Flamer source code for the Stuxnet project,” said Liam O’Murchu, manager of operations for Symantec Security Response. “With version 0.5 of Stuxnet, we can say that the developers had access to the exact same code. They were not just using shared components. They were using the exact same code to build the projects. And then, at some point, the development [of Stuxnet and Flame] went in two different directions.” [Continue reading…]

Fred Kaplan writes: The New York Times’ front-page report this week that the Chinese army is hacking into America’s most sensitive computer networks from a 12-story building outside Shanghai might finally persuade skeptics that the threat of “cyber warfare” isn’t the fevered fantasy of Richard Clarke, the producers of Die Hard 4, or the generals at the ever-growing U.S. Cyber Command. Alas, it’s real.

But what is the threat? Few of those in the know believe that some fine day, out of the blue, China will zap the programs that run our power grids, gas lines, waterworks, or banking systems, sending our economy — and much else — into a tailspin. Even if the Chinese could pull off such a feat with one keystroke, it’s hard to imagine what they’d accomplish, especially since their fortunes are wrapped up with our own.

The more worrisome threat is subtler: that the Chinese (or some other powers) will use their ability to wreak cyberhavoc as leverage to strengthen their position, and weaken ours, in a diplomatic crisis or a conventional war.

For instance, in a brewing conflict over Taiwan or the South China Sea (areas where China has asserted claims aggressively in recent years), would an American president respond with full military force if he knew that the Chinese would retaliate by turning out all the lights on the Eastern Seaboard?

A familiar concept in strategic war games is “escalation-dominance.” The idea is that victory goes to the player who can take a conflict to the next level of violence in a way that inflicts enormous damage on his opponent but very little on himself. The expected outcome of the next round is so obvious that the opponent decides not to escalate; the dominant player thus controls the subsequent course of the battle and possibly wins the war.

Real war is messier than war games. Escalation holds risks all round. The two sides might have different perceptions of which one is dominant. Or the dominant side might miscalculate the opponent’s strategic priorities. For instance, China might think the American president values uninterrupted electricity on the East Coast more than a free, independent Taiwan — but that thought might be mistaken.

Still, leaders in war and crisis do take these kinds of factors into account. Many surrenders in history have been prompted less by the damage already absorbed than by fears of the damage to come.

And China is not the only foe or rival whose calculations are complicating this new cyber world. Iran is another. Last summer, all of a sudden, a computer virus nicknamed Shamoon erased three-quarters of the Aramco oil company’s corporate files, replacing much of it with images of a burning American flag. It is widely believed that the Iranians planted the “kill switch” in retaliation for the U.S.-Israeli Stuxnet virus that disabled the centrifuges in their nuclear program.

The implicit message sent not only to the United States but also, and perhaps more importantly, to its Arab commercial partners: Don’t mess with us, or we will mess with you. The Shamoon virus is now regarded as the hint of another consequence that we’d likely face in the aftermath of a military strike on Iran’s nuclear facilities. Will it deter such a strike or serve as the final straw in a pile of risks that deters us from striking (or deters the West’s Arab allies from playing whatever part they might play in an attack)? Hard to say, but the Iranians probably intended the virus to have that effect. [Continue reading…]

MIT Technology Review reports: Every summer, computer security experts get together in Las Vegas for Black Hat and DEFCON, conferences that have earned notoriety for presentations demonstrating critical security holes discovered in widely used software. But while the conferences continue to draw big crowds, regular attendees say the bugs unveiled haven’t been quite so dramatic in recent years.

One reason is that a freshly discovered weakness in a popular piece of software, known in the trade as a “zero-day” vulnerability because the software makers have had no time to develop a fix, can be cashed in for much more than a reputation boost and some free drinks at the bar. Information about such flaws can command prices in the hundreds of thousands of dollars from defense contractors, security agencies and governments.

This trade in zero-day exploits is poorly documented, but it is perhaps the most visible part of a new industry that in the years to come is likely to swallow growing portions of the U.S. national defense budget, reshape international relations, and perhaps make the Web less safe for everyone.

Zero-day exploits are valuable because they can be used to sneak software onto a computer system without detection by conventional computer security measures, such as antivirus packages or firewalls. Criminals might do that to intercept credit card numbers. An intelligence agency or military force might steal diplomatic communications or even shut down a power plant.

It became clear that this type of assault would define a new era in warfare in 2010, when security researchers discovered a piece of malicious software, or malware, known as Stuxnet. Now widely believed to have been a project of U.S. and Israeli intelligence (U.S. officials have yet to publicly acknowledge a role but have done so anonymously to the New York Times and NPR), Stuxnet was carefully designed to infect multiple systems needed to access and control industrial equipment used in Iran’s nuclear program. The payload was clearly the work of a group with access to government-scale resources and intelligence, but it was made possible by four zero-day exploits for Windows that allowed it to silently infect target computers. That so many precious zero-days were used at once was just one of Stuxnet’s many striking features.

Since then, more Stuxnet-like malware has been uncovered, and it’s involved even more complex techniques (see “The Antivirus Era Is Over”). It is likely that even more have been deployed but escaped public notice. Meanwhile, governments and companies in the United States and around the world have begun paying more and more for the exploits needed to make such weapons work, says Christopher Soghoian, a principal technologist at the American Civil Liberties Union.

“On the one hand the government is freaking out about cyber-security, and on the other the U.S. is participating in a global market in vulnerabilities and pushing up the prices,” says Soghoian, who says he has spoken with people involved in the trade and that prices range from the thousands to the hundreds of thousands. Even civilian law-enforcement agencies pay for zero-days, Soghoian says, in order to sneak spy software onto suspects’ computers or mobile phones. [Continue reading…]