Free Markets, Free People

cyber security


If you can’t kill Iran’s nuclear weapons program with bombs, try a worm

I don’t know if you’ve been keeping up with the story about the cyber attack on the Iranian nuclear facilities, but it is both interesting and important.

"Stuxnet" is the name of a worm that has apparently been introduced somehow into the system that controls the Iranian nuclear processes – specifically at those facilities thought to be focused on producing nuclear weapons. This is no ordinary malware worm, but an extremely sophisticated and targeted one which is apparently causing some real havoc in Iran.

Iran admitted Monday, Sept. 27 it was under full-scale cyber terror attack. The official IRNA news agency quoted Hamid Alipour, deputy head of Iran’s government Information Technology Company, as saying that the Stuxnet computer worm “is mutating and wreaking further havoc on computerized industrial equipment.”

Stuxnet was no normal worm, he said: “The attack is still ongoing and new versions of this virus are spreading.”

The mutation continues to infect and infest the Iranian systems causing all sorts of problems.  Experts say that such sophistication would require “the backing of a nation-state” to put it together.  I have a sneaking suspicion I know who it is, and this is their answer to whether or not bombing the facility is feasible.  Uh, no – but when you can do this, why do that?

Here are a couple of backgrounders on the story – here and here.  This is going to be an interesting one to watch.

~McQ


Proposed Legislation Would Give President Expanded Power Over Internet

For all the whining and complaining about the Bush executive branch expanding its power, it appears now the Senate, at least in the guise of one Senator Jay Rockefeller, can’t wait to expand this president’s power.

In this case, the expansion of power is in the name of “cyber security”. And FYI, “cyber” is defined as anything having to do with the Internet, telecommunications, computers, or computer networks. Proposed is the following, which is actually a rewrite of a previous attempt:

The new version would allow the president to “declare a cybersecurity emergency” relating to “non-governmental” computer networks and do what’s necessary to respond to the threat. Other sections of the proposal include a federal certification program for “cybersecurity professionals,” and a requirement that certain computer systems and networks in the private sector be managed by people who have been awarded that license.

Vague language, expanded power, expanded control – all the things with which any civil liberties watchdog would be concerned. When Rockefeller and Republican Olympia Snowe introduced the original bill, this was their declared reason:

“We must protect our critical infrastructure at all costs–from our water to our electricity, to banking, traffic lights and electronic health records,” Rockefeller said.

Yes we must, but it isn’t clear why government could do that better than private firms, which would have just as vested an interest in security as the government would, or why such security must be extended to the entire “non-governmental computer networks”, i.e. the internet.

Proponents liken the power to literally shut down the internet in an emergency to the power President Bush exercised to ground all aircraft in the wake of the 9/11 attacks.

Really? Given the state of cyber security, we couldn’t be much more precise than that?

Probably the most controversial language begins in Section 201, which permits the president to “direct the national response to the cyber threat” if necessary for “the national defense and security.” The White House is supposed to engage in “periodic mapping” of private networks deemed to be critical, and those companies “shall share” requested information with the federal government.

“The language has changed but it doesn’t contain any real additional limits,” EFF’s Tien says. “It simply switches the more direct and obvious language they had originally to the more ambiguous (version)…The designation of what is a critical infrastructure system or network as far as I can tell has no specific process. There’s no provision for any administrative process or review. That’s where the problems seem to start. And then you have the amorphous powers that go along with it.”

“Shall share?” For all intents and purposes, that makes the “private networks” so identified anything but private. And, arbitrarily, just about any or all networks could be designated “critical”, couldn’t they?

CNET gives us the translation of what that means:

If your company is deemed “critical,” a new set of regulations kick in involving who you can hire, what information you must disclose, and when the government would exercise control over your computers or network.

How could that possibly be abused?

Again, we see the expansion of government power in a way which intrudes, imposes regulation and, in the end, controls. While “cyber security” is certainly important, it can be managed in a much less controlling and intrusive way than this. Like the health care insurance reform bill, this is one which needs to be torn up and the entire process started over again.

~McQ