Pages

1 July 2023

Cyber Security: Threats from Within and Without

Ruairí Fahy

A stacked, one-sided panel discussed the issue of Cyber Security at the Government’s Consultative Forum on Security Policy. As Ruairí Fahy outlines, the make-up of the panel meant that important viewpoints were not heard and the conclusions that can be drawn from it are highly limited.

The “Consultative Forum on International Security Policy” has been called out as a “stitch-up” as the views of those chosen to speak on the panels mostly support further Irish integration with projects and operations led by NATO and PESCO.

On many panels this makes the conversations almost worthless as the views of those on the panel align, but there is little or no agreement with those who have weren’t given a place to outline their position in the debate on basic facts that underline the spread of war and violence or what is needed to move towards peace.

In the case of the “New and emerging threats: Cyber security” panel, the objective facts put forward as to what the perceived threats are and how to defend against them are likely agreeable to those on the panel, to most software engineers and to those who would describe themselves as anti-war and against growing militarism. However, the lack of anti-war voices weakens the debate and limits the value of the conclusions that can be drawn from it.

Since the facts surrounding cyber threats and causes are widely accepted I’ll highlight some of the more interesting points of difference brought up during overviews by panellists and in response to questions from the floor.
“What would the AI answer be to Irish neutrality?”

Chris Johnson of the UK National Cyber Advisory Board said he fears that “within 10 years it will be almost impossible to buy high level munitions without machine learning in them. Does neutrality provide you with sufficient defence against adversaries that are equipped with these sorts of weapons?”

A letter making similar claims about the perceived threats of machine learning, or Artificial Intelligence as it’s described in companies’ marketing material, was signed by the CEOs and senior figures within some of the world’s most highly funded companies developing machine learning tools.

For all their talk these companies have not agreed to stop working on tools that they believe are a threat to all of humanity. If they truly believe that there’s a threat and won’t stop of their own accord the question of security isn’t one of starting a new arms race but of states using their coercive arms of police and courts to shut them down.

A recent report claimed that a simulation run by the US military using machine learning equipped drones resulted in the drone killing its operator who was limiting the drone from its primary objective of wanton slaughter. When trained not to harm its operator, it attacked the communication tower instead so that the operator could not interfere with its primary mission.

While the report is sensationalised, it is reasonable to fear the future development of these weapons. Yet there has been no call for them not to be built in the first place, which sets up the ground for an arms race as states try to compete with new, more lethal weapons. This is already beginning in the US with the CHIPs act as they are trying to shorten their supply chains for building weapons. The EU is planning a similar onshoring fearing the same supply chain issues.

The crux of the problem with the makeup of this panel is that at no stage does it deal with the negative impacts that these cyber tools of control are having on populations within the recognised borders of states. The conversation is limited to development of AI surveillance for national defence but ignores how these tools are almost always joint projects between states and companies designed to subjugate their own population or to subjugate a population under occupation by the state. They could easily be turned on their own population as police departments buy equipment designed for militaries to maintain existing hierarchies and inequalities.
Cyber Weapons

Panellist Caitríona Heinl, Executive Director of the Azure Forum for Contemporary Security Strategy said “a number of states are developing out capabilities for military purposes and the use of cyber in future conflicts is becoming more likely… the capacities and resources of States across the world are different and what this means is that it increases risks for all states.”

One of the most famous cyber attacks on another nation’s infrastructure is the Stuxnet worm attack on Siemens controllers. Beginning in 2007, a cyber weapon attacked Iranian centrifuges which were being used to refine Uranium. It’s generally accepted that the weapon was developed jointly by the USA and Israel, with Germany providing critical documentation for the hardware, built by German company Siemens, that was used during the attack.

While the attack was judged to have been a success in that it was deployed and damaged some of Iran’s equipment it still had little effect on their ability to create enriched Uranium. In the end it wasn’t cyber warfare that ended Iran’s nuclear ambitions but the less sexy discussions and diplomacy that led to an agreement that Iran would not develop nuclear weapons in exchange for relief from sanctions.

The choice to build a cyberweapon involves finding an exploit in a piece of critical infrastructure and not informing the creators of the vulnerability so they can fix it. This choice puts everybody at risk. The risk is amplified if the knowledge of the existence of the exploit gets out or if the weapon gets deployed and reverse-engineered by the victim of the attack.

And with Stuxnet it was reverse-engineered! Iran retooled the worm to attack businesses and infrastructure in the US, Israel and Saudi Arabia. Microsoft also identified viruses using one of the exploits developed as part of the Stuxnet worm in its 2016 Microsoft Digital Defense Report targeting civilian systems around the world nearly 10 years after it was initially deployed as a weapon.

The HSE ransomware attack has been used repeatedly throughout the forum as an example of a cyberattack by Russia, implying the state when it was carried out by private actors. In a retrospective report on the attack it is noted for the “relative simplicity of the attack” and that there “were known weaknesses and gaps in key cybersecurity controls”. If a hospital was keeping drugs stored in an unlocked storage room they would absolutely fail a HIQA inspection but the IT systems where the initial infection was recognised but not acted on there isn’t any equivalent regulator.

As with states linking up with companies to implement technologies of surveillance and control there are also links or tacit support of companies who distribute malware. This is most obvious in countries under heavy sanctions like Russia, Iran and North Korea where they can use these methods to get access to foreign currency. With their economies partially or totally decoupled from the West these states show a lack of interest in policing private enterprise that carries out cybercrime internationally as they’re unlikely to face much additional punishment for not tracking down and jailing the hackers. Cybercrime expert Misha Glenny, explained in 2018, “Russian law enforcement and the FSB in particular have a very good idea of what is going on and they are monitoring it, but as long as the fraud is restricted to other parts of the world they don’t care.”

When it comes to these hacks, whether ransomware or wipers, Richard Parker, Vice President of Cyber Security at Dell Technologies was bluntly honest “With ransomware it’s no more about how do we prevent it, it’s accepting that is going to happen, it’s really looking at how are you going to respond when it happens… [additionally] how are you protecting all your data if you have your key assets and you’re backing up your data are you able to recover it pretty quickly, or is it going to take weeks”. Of course, it helps that Richard is more familiar with this pitch, as Dell sell a product to handle recovery from such an attack.
The war comes home

Companies that build surveillance tools are getting closer and closer to states and in many cases there’s a revolving door between companies and state bodies. Israel in particular is becoming one of the world’s largest exporters of military and cyber weapons, with few questions over who uses them or how.

Worse still, the effectiveness of these weapons must be proven as part of the marketing for their sale to other states. In Israel’s case that means using them to oppress and murder Palestinians. For the US, Afghanistan served as a test bed for 20 years. Here in Ireland throughout the 70s and 80s, the UK developed its weapons and tactics to suppress people in Northern Ireland who were fighting against their treatment as second-class citizens.

Israeli cyber weapon company, NSO Group, now blacklisted by the US for providing spyware to countries which used them against the US, sold a tool to any government that would turn a blind eye to their occupation of Palestine. The tool allows intelligence services or governments to spy on journalists, human rights defenders, members of the opposition, or anybody that a state would want to surveil.

On a positive note, moderator, Richard Browne, director of the National Security Centre (NCSC) made it clear that “we have a very robust export control regime…. and the usual complaint we get is that it’s overly onerous and it doesn’t allow people [to] export to who they want to export… The complaint we get from third parties is we’re overly restrictive.” Which later in the panel was reiterated by most members that this robust export control should remain.

For Ireland to maintain its neutrality it’s critical that we avoid exporting any technology or products that help with further militarisation anywhere on the planet. But not only should we not allow weapons for state surveillance and control to be developed here, we should also avoid using public money to buy them because many are “dual-purpose” technologies that exist to maintain or entrench inequalities.

These technologies include but aren’t limited to surveillance in the guise of parking enforcement (quietly defeated as it couldn’t be justified under the GDPR), expanded CCTV under the guise of litter control, facial recognition technology (temporarily halted), where existing deployments have been shown to enforce class and racial biases, and opposition to the weakening of End-To-End Encryption.

While these may seem to fall under “civilian infrastructure”, the reality is that the people in control of them have the ability to exert additional force over those under their watch. Any attempt to add in tools to reduce the privacy of individuals risks the security of everyone, especially in the case of an invasion or cyber attack by foreign intelligence services.
Separate civilian and military infrastructure

One of the most important issues raised was by Brigadier General Seán White, who said, “a key lesson from the war really is the segregation of military and civilian infrastructure potentially to have better security for Military and Civilian Networks.”

As the debate about Ireland’s neutrality continues, and as support for it stays high, it’s important we question the use of Ireland’s resources for the support of military operations of other countries.

Currently Data Centres consume 18% of Ireland’s electricity while also putting increased pressure on the Gas Network and Water Network, making our transition from using fossil fuels for electricity more difficult.

There are no limitations on what operations are run on data centres here in Ireland. There’s no guarantee that Amazon doesn’t run surveillance operations for the NSA as part of the secretive $10 billion contract it received for cloud services. Likewise, Google has a share of a $9 billion contract to provide cloud computing for the Pentagon. Microsoft has secured a nearly $22 billion contract for battlefield Virtual Reality. There were internal protests within all of these companies when these contracts were awarded as workers didn’t want to take part in increasing militarism.

With more principled workers leaving rather than having their work used for military purposes, we should be looking at a separation of military and civilian infrastructure, especially in the area of data processing.

One of the reasons for this is that with the intertwining of digital services into all aspects of our lives, people protesting against an unjust war or unjust surveillance would need to destroy processing capacity that massively affects civilian uses just to get at those they perceive have no, or negative social value.

In the USA in the 60s and 70s military computing infrastructure was mostly separate from the limited civilian uses that were available at the time. In opposition to being drafted to fight in Vietnam and the wanton murder of Vietnamese people, Americans chose to destroy computers that were being used to design weapons, plan military operations and organise the draft. Following a bombing of a HP facility, company founder Bill Hewlett wrote, “As the company grows larger, it is a more attractive target for sabotage, theft and violence.” and responded by building new security fences around the facility. This has been the general response from companies like HP who were founded as critical parts of the military supply-chain and were still receiving money from Israel for operating surveillance technology to help uphold apartheid until at least 2020.

Here in Ireland a similar separation of military and civilian infrastructure allowed the “Raytheon 9” to occupy and destroy equipment in the Raytheon facility as a way to protest Raytheon weapons being used to commit war crimes.

Following his acquittal for the occupation, veteran Civil Rights campaigner, Eamonn McCann said, “The jury has accepted that we were reasonable in our belief that: the Israel Defence Forces were guilty of war crimes in Lebanon in the summer of 2006; that the Raytheon company, including its facility in Derry, was aiding and abetting the commission of these crimes; and that the action we took was intended to have, and did have, the effect of hampering or delaying the commission of war crimes.”

Additional protests created risk to Raytheon of further disruption ultimately leading to them leaving Derry.

The separation of military and civilian processing infrastructure is extremely important for countries to hold their governments in check without inflicting undue harm on their fellow citizens. We also need to address the issue of there being no digital “commons” and all citizens having, what for many people, is their main method of communication mediated through a private company. This means having the knowledge to deploy and maintain networks and servers securely and openly to develop digital systems citizens can trust, and not ones that are subject to surveillance dragnets.
What if companies don’t want to be secure?

In his introduction to the panel Richard Browne, described the corporatised nature of the cyber space, “in Air or Space or Maritime the domain is publicly owned, it’s accessible to all, it’s a public commons, but in cyber the domain is owned by private companies for the very most part. It is in wires owned by companies, it is in IT systems owned by companies or governments, it’s out there so the state cannot simply insert itself into that process, it has to do so carefully legally and in a very appropriate fashion.”

There is a defeatist attitude as there are means for governments to introduce laws and a regulatory environment similar to the NCT but for digital systems, which could at least reduce the surface area of attack from known exploits.

Under the GDPR there is some pressure on companies to treat data security or integrity as a core competency of their organisation, but this is simply a market mechanism. The majority of the fines companies have received are a “cost of doing business” and unfortunately GDPR isn’t being used as a way for workers to argue for data minimization against calls from above to create large datasets of personal information.

Even with a regular analysis of digital systems by an impartial regulator, it is tough to secure systems. You can’t necessarily just buy your way to a secure digital environment. Workers need to be trained in the practice of a security culture since most cyber attacks begin with human error.

Just this month a type of hack known as a “supply-chain attack” affected hundreds if not thousands of companies across the world, including the HSE, although in a much less serious way than the ransomware attack in 2021. A file transfer program called “MoveIT” suffered an attack from an SQL injection that allowed the hackers to extract files from hundreds, if not thousands of corporate and government targets. “SQL Injection” attacks are almost non-existent in software written in the last 10 years due to lessons learned from past vulnerabilities. The problem is that we have legacy tools initially built years ago that can retain weaknesses to hacks that were common decades ago as developers either don’t have the time or don’t feel comfortable modifying security critical parts of systems.

Any digital system that makes use of a compromisable system becomes as weak as the least secure part of its system or network. Outsourcing, centralisation and a move to Software as a Service (where the software seller maintains the data on their servers) makes companies that are likely to hold sensitive data from many companies and public institutions more enticing for attackers to target. The large flood of money from investors into tech firms and a silicon valley culture of “move fast and break things” has created a digital minefield of exploitable tools from companies who rarely if ever considered the security of the data they hold.

The danger of another critical vulnerability like “Heartbleed”, which left nearly 20% of websites vulnerable to data theft, only grows as digital systems become more prevalent and control more parts of our lives. States and companies need to practise data minimisation, this is, not collecting data that isn’t needed (unlike the government’s efforts to illegally impose the Public Services Card).

Rather than a military led operation like NATO’s “Cooperative Cyber Defense Center of Excellence”, of which Ireland is a member, a civilian alternative is needed, funded with public money to share the development, auditing and hardening costs of critical tools which are often maintained by just one person in their evenings and weekends. The “National Vulnerability Database” already exists for sharing possible avenues of attack and coordinating the release of fixes. The danger with a military led version is that a vulnerability may be withheld for use against the enemies of countries not part of the cyber sharing alliance, leading to avoidable suffering for citizens.
Conclusion

This is a broad area and this response still only scratches the surface of the issue. At the opening of the panel, it was recognised that “cyber is in everything”. However, it is clear that limiting the panel to speakers who were, for the most part, politically aligned, with only 4 hours of discussions over 2 panels, meant that the issues could not be properly dealt with.

The discussion has taken place in the context of ever increasing state surveillance, increasing cooperation between tech companies and states, and increasingly draconian methods of population control, both domestically and for people who live under occupation.

By rejecting the calls for a citizens assembly, Irish people have been done a disservice as the conversion has been limited to discussions of how an “enemy” can affect us, but ignored the risks that government policy is already creating for us.

No comments:

Post a Comment