Summary: This is an interesting yet puzzling week for cyberwar-watchers. There are several news stories that paint a gruesome picture of the US’ intents and capabilities. Let’s look at them and see what they tell us. Or you can wait. Eventually this weaknesses will become front-page news, followed by the inevitable blue-ribbon commissions.
Article deleted at author’s request.
Other publications by Ranum:
- “The Problem with Cyberwar“, Rear Guard Security
(5) For More Information see the other posts in this series about cyberwar
The series Cyberwar: a Whole New Quagmire, by Marcus J. Ranum:
- Cyberwar: a Whole New Quagmire. Part 1: The Pentagon Cyberstrategy, 2 September 2011
- “Do as I say, not as I do” shall be the whole of the law, 11 September 2011
- Conflating Threats, 14 September 2011
- About Stuxnet, the next generation of warfare?, 29 September 2011 – Introducing Stuxnet and some of the issues surrounding practical malware-based warfare.
- Cyberwar: a Whole New Quagmire – When the Drones Come To Roost, 8 October 2011
- About Attribution (identifying your attacker), 21 October 2011
- You must Be >this< Tall To Play Cyberwar (has DoD grown enough yet?), 16 December 2011
.
.
Do you feel the Iranian claims are true about how the drone came down? Im sure Russian and China are involved in this as well.
I said “alleged” – it’s possible the Iranians are lying. But I think it explains one puzzle, namely how the drone landed more or less intact.
You’re “sure” the Chinese and Russians are involved? Based on what? Because Washington says they are sneaky and red and yellow? Methinks someone has been listening to propaganda again.
According to Debka, Iranians spoofed the GPS signal by hacking into the US communications satellite.
You would be better off getting your news from children’s chalk drawings on sidewalks than reading Debkafile. For details see Does reading Debkafile make us smarter, or dumber?, 15 June 2008.
No worse than such “respectable” source like the Economist
Considering Debkafile as “no worse” than the Economist is sad. Pitiful, disconnected from reality.
My post gave a long list of made up stories on Debkafile. Perhaps deliberate disinformation by Israel intelligence. Perhaps just for fun and profit. Anyone paying attention could write similar posts every month, sometimes every week.
The Economist did not become one of the world’s leading news magazines by writing such stuff. They make errors, like everybody in the news and analysis business — but at a low rate.
Well Im sure they are providing Iran with expertise in the cyber warfare arena that and to steal our sensitive technology like they have been doing since the Cold War began.
In the previous thread about drones you also made such assertions and showed similar certainty. But you’re not offering any facts (other than that you are “sure”) Argument by repeated assertion is unconvincing and I’m not going to keep asking you about the basis for your being “sure”.
Most of the discussion about this drone incident has revolved around whether Iran could use this drone as a prototype to develop drones of its own.
I find how they brought it down to be far more important.
And now that they have it, they can they presumably can probe it for further flaws which might enable them to develop additional attacks against other drones.
I agree. For example, if the drones are using the same encryption key for their command/control, then it may have been compromised (depending on the version of the drone it may or may not use encryption for its video-feed, but supposedly they all encrypt the command channel)
In the previous drone-thread I posted (http://fabiusmaximus.wordpress.com/2011/10/08/29486/) “OldSkeptic” offered an important comment, namely that eventually a hunter-killer drone will be developed, and then the large slow drones will disappear fairly quickly from the skies. I think he is correct; we can wonder whether the current flaws in the drones really matter, if they are rapidly obsoleted.
Marcus-
I need to urge a little caution about accepting the Iranian version of the drone loss without more evidence. I don’t think your scenario is impossible. I think more testing needs to be done to determine how our drones might be jammed or hacked.
But the simple fact is, drones crash… a lot. Anyone can read USAF Accident Investigation Board accounts of Class A Mishaps and get an idea of how these missions are run, and why crashes occur. Mostly its pilot error, but communication module failures do happen. In the case of a total comm failure (no send or receive), Predators are programmed to go into a spin and crash. I don’t know if the same is true of the RQ-170, but it seems plausible. Engine and flight control failure could also precipitate a spin. Why that might matter: The Sentinel is a tailless flying wing, poorly damped in yaw and prone to flat spins. If the rotational velocity is high enough, the aircraft might descend like a maple seed and land mostly intact… probably very badly damaged, but good enough for a photo op.
Another point, briefly: We don’t actually know what level of technology the RQ-170 contains. People assume it must be advanced because its “secret.” I have doubts.
The Iranians do have a reason to lie about this. They may have done much less than what they claim, or nothing.
I enjoy your posts a great deal in any case, keep em coming.
Thanks for your comment. A couple of my friends were involved in the early designs of some of the drones so I know a fair bit about them – enough to make the Iranian story sound like it was possible; certainly there are plenty of reasons on both sides to lie.
One of the interesting questions I had was why the encrypted military GPS wouldn’t have been used; that would have made the claimed attack impossible. It’s possible, however, that the drones were not using P/Y code receivers for fear that the keys might get exposed. That’s actually plausible, as well – I suspect more information will come out over time.
I’ve heard some truly bizzare theories on the other side – that perhaps the drone was deliberately lost, in hopes that it could be used to carry software viruses into Iranian military networks when the Iranians try to analyze it. That particular plot-theme sounds suspiciously like “Independence Day II” and I’m skeptical. I’ve also heard concerns that the Iranians will reverse engineer the drones – which would be rather pointless since capitalism is working on the market and there is already a lively market for drone-mongers.
As Rich Rosen used to say: “many things are possible, but very few actually happen.”
At this point the one thing I am fairly sure of is that someone’s got a lot of egg on their face, and it isn’t the Iranians. We should expect to see various face-saving gestures and probably demands for (what else?) more money to improve our drones.
Re: Those bizarre theories- They struck me as being like the squealing you’d hear if you told a gym full of kindergarteners that Santa got eaten by a bear. Technology and especially “stealth” are religious icons to the military fanboys. But it got me thinking about “Operation Mincemeat” i.e. “The Man Who Never Was,” and I have a technical question:
More than just encrypting important stuff on these easily-lost machines, why not include some false information and booby traps in the software too? Or is that already done? Mincemeat was so successful that the Germans wouldn’t even believe the real information that dropped in their laps afterwards.
There really isn’t any interesting information that could be stuck into a drone that would make much sense for disinformation, other than crypto-keys for the command/control channel and/or military GPS. But for those to work, they’d have to be actual useable keys, which would make them valuable property indeed.
If one wished to attempt disinformation, it sounds like the best place to plant it would be by putting it on one of the DoD’s top secret networks. That way you could be pretty sure it would eventually leak into hostile hands. (wince) And it would be somewhat credible, that way.
re: (1) worms in the military bureaucracy – poorly designed legacy network?
not a surprise that a dysfunctional bureaucracy has been incapable of designing and implementing good network security architecture.
according to analysis on public IT security blogs, some of the big defense contractors, such as Lockheed, are doing much better.
the problem of how to take the IT security success of the Lockheeds into the government side is of course a human/political problem. given the dysfunctional organizational characteristics typical of government bureaucracies, one has to ask if any tendency toward “reform” leadership is being demonstrated along the lines of epistemic sophistication? or, are greed, turf wars and ego inflation driving the paradigm?
the USA is a declining empire. the culture spreads rot and spiritual-psychological pathologies (Habermas “systems colonize lifeworld”). the military has long served the interests of that decline, increasingly to the detriment of honoring the original mission of the defense of a democratic republic. the increasing prevalence of careerism and other organizational psychopathies within the defense establishment have been previously documented on the FM blog.
it seems unlikely that the defense establishment will become agile or adaptive to the threat of attacks on its IT security infrastructure at a high level of sophistication in the near future.
(oversight/accountability is compromised due to the usual political corruption and dysfunction in congress, etc., as both liberals and conservatives slide toward totalitarianism.)
re: “not a surprise that a dysfunctional bureaucracy has been incapable of designing and implementing good network security architecture. ”
similarly, the military bureaucracy has been incapable of designing proper financial and accounting systems. one sees regular stories in the mainstream media about how the DOD does not know where large amounts of money are being spent. Or why articles of clothing made in China are being issued by the military to soldiers. etc.
“2014 Audit Requirement Removed from Defense Policy Bill”, Congressional Quarterly, December 2011
Their marketing departments say they are. The big beltway bandits are the ones who are building the government’s networks – they’re certainly more competent than the government agencies.
In the case of the contractors, however, they are tasked to do what their customer wants. So what do you think happens when an agency tells the contractor to do something ill-advised? Yep. The problem with outsourcing is that in order to effectively manage an outsourcer, you have to have the skills in-house to do the work in-house, otherwise the outsourcers will front-load unnecessary tech into the solution, or the client will make unreasonable demands.
Just for one example (perhaps this has changed since 2007 when I got this information…) some tremendous percentage of the USMC network’s traffic was porn. I personally don’t care about that, but the situation is telling – I think it was General Dynamics running the USMC network at the time – they could have done a lot to cut back on that – but were told not to, “for morale reasons.” Again, I don’t care about porn, but there’s a security problem with it: a lot of malware drive-bys are on porn sites since they tend to be poorly managed and people who get tagged by a drive-by from a porn site tend to not run to their IT department saying, “I was surfing at mosteroticteenboys.com and my computer blue-screened then booted up and acted funny.”
If you can’t do a thing, you cannot manage someone else doing it for you. Unless you know at least the bare-bones of a problem-space you can only rely on trusting your provider, which always means you’re more vulnerable than you otherwise would be.
Don’t know about marketing. Lockheed was tageted in an advanced persistent threat (APT), and the attack failed. For other readers: background on APTs in general {see Wikipedia}
In that case, Lockheed was protecting its very high value internal assets, which it is motivated to protect because they are sold to the government(s). So Lockheed is considered to be the “hardest” target in the world according to analysts in the IT security blogosphere. They have the organizational and technical sophistication necessary to thwart APTs to a high degree of success. Transferring that sort of capability to a highly dysfunctional government bureaucuracy (which is part of a crumbling national “state capitalist” imperium) seems somewhat hopeless and futile. But, as you say, as long as a lot of money is involved, a great rumbling will commence as the vast “beltway bandit” contracting machine lurches forward into oblivion.
It would be interesting to know if any legitimate IT security reformers exist on the government side of the defense establishment, and if so, have their efforts been allowed the thrive?
My guess is that the atmosphere created by appalling anti-whitsleblower controversies such as the Thomas Drake/Thinthread “espionage” case is such that there is little motivation for reforms within the system.
“The Secret Sharer – Is Thomas Drake an enemy of the state?“, by Jane Mayer, New Yorker, 23 May 2011 — excerpt:
Also see: “The Espionage Act: Why Tom Drake was indicted“,CBS News, 22 May 2011.
Private companies have now gotten into the game of designing and deploying surveillance trojans and rootkits. Indeed, they appear to be doing it for governments. Of course it’s only a matter of time before private parties (gang members? white supremists? terrorists?) get their hands on these things and reverse-engineer ’em and start infecting the government’s communications to surveil them.
See FinFisher: For all your intrusive surveillance needs.
Of course, the real killer app for this sort of software is…Orwellian surveillance of all of a government’s own citizens. Viz., the German police trojan and of course the Carrier IQ cellphone rootkit which the FBI now admits is uses for “law enforcement purposes” but the details of which the FBI declines to dilate upon.
Yet another example of how nation-states are getting hollowed out and rendered impotent in the face of increasingly super-empowered corporate entities and private individuals. How long before political campaigns start deploying reverse-engineered Carrier IQ rootkits and FinSpy trojans against their political oppositions and leaking the results during political campaigns…?
Pretty interesting analysis of the drone, here: IN-DEPTH PHOTO ANALYSIS OF THE SUPPOSED RQ-170 SENTINEL DRONE IN IRANIAN HANDS, AviationIntel.com, 9 December 2011.
I never bought the argument that it was probably a fake drone, but apparently some people want to believe it’s all misinformation.
“2012 Predictions: Defense Dept. Shows its Cyber-Attack Cards; Hackers Penetrate Hardware“, National Defense magazine, 28 December 2011 — Opening:
Thanks for the update. The “Related Content” articles were also interesting.
Color me shocked: DoD discloses that the drone captured by Iran was not flying in Afghanistan at all; it was a CIA drone monitoring Iranian nuclear activities. A straightforward lie or bureaucratic confusion, which do you think?
“Crashed drone was looking at Iran nuclear sites“, CNN, 15 December 2011 — Excerpt:
Cyberwar Is the New Yellowcake“, Jerry Brito and Tate Watkins, Wired, 14 February 2012 — Conclusion:
The US propaganda mills never stop — enemies everywhere, threatening our very survival. Producing this stream of misinformation provides lucrative employment for many of America’s best and brightest. Unfortunately fact-checking and debunking it does not pay well. Or at all. And so we become increasingly ignorant and easiy manipulated.
Today’s example: “Cyber Attacks Can Spark Real Wars“, Richard A. Clarke, op-ed in the Wall Street Journal, 16 February 2012 — “The U.S. and Israel are not ready for a sophisticated cyber attack from the likes of Iran and China.”
Mr. Clarke, who served three presidents as a senior White House national security official, now serves on the board of the Middle East Institute. He is the author of “Cyber War: The Next National Security Threat and What to Do About It” (Ecco, 2010).
(1) “Think Again: Cyberwar“, Thomas Rid, Foreign Policy, March/April 2012 — “Don’t fear the digital bogeyman. Virtual conflict is still more hype than reality.”
Thomas Rid, reader in war studies at King’s College London, is author of Cyber War Will Not Take Place.
(2) Rebuttal: “Cyberwar Is Already Upon Us“, John Arquilla, Foreign Policy, March/April 2012 — But can it be controlled?”
John Arquilla is chairman of the U.S. Naval Postgraduate School defense analysis department.
“U.S. accelerating cyberweapon research“, Washington Post, 18 March 2012 — Excerpt:
The Pentagon is accelerating efforts to develop a new generation of cyberweapons capable of disrupting enemy military networks even when those networks are not connected to the Internet, according to current and former U.S. officials.
The possibility of a confrontation with Iran or Syria has highlighted for American military planners the value of cyberweapons that can be used against an enemy whose most important targets, such as air defense systems, do not rely on Internet-based networks. But adapting such cyberweapons can take months or even years of arduous technical work.
When U.S. military planners were looking for ways to disable Libya’s air defense system before NATO’s aerial attacks last year, they discussed using cybertechnology. But the idea was quickly dismissed because no effective option was available, said current and former U.S. officials.
They estimated that crafting a cyberweapon would have taken about a year, including the time needed to assess the target system for vulnerabilities.
“We weren’t ready to do that in Libya,” said a former U.S. official, who spoke on the condition of anonymity because of the sensitivity of the discussions. “We’re not ready to do that now, either.”
Today’s propaganda. Read and fear! “Everyone Should Pay for Cyber Defense “, Wall Street Journal, 22 April 2012 — “The threat to companies and critical public works is grave enough that protection is a national responsibility.” Opening:
The United States is vulnerable to cyberattacks by unfriendly nations and nonstate actors. Attacks through the Internet are now stealing billions of dollars of intellectual property from American businesses. Internet attacks can also bring down such critical infrastructure as the electricity supply, the air-traffic system and the stock market. Congress can and should act to protect us from this widespread and increasing danger.
The attackers use computer programs to look for openings in the computer systems of companies. They also send seemingly harmless emails to company employees which, when opened, provide entry to the company’s internal networks. The attackers may be foreign governments or the foreign companies that those governments assist. Governments or terrorist groups that lack the technical capability to mount such attacks can now buy the services of skilled hackers who will do it for them.
Internet attacks on critical infrastructure can create a threat to national security even before they inflict any actual damage. A foreign enemy that gains access to the computer control systems of U.S. companies can embed malicious computer code by which the hacker can cause that system to malfunction. A foreign government that has planted such malware in the electricity system of a major U.S. city could credibly threaten to trigger it at a time when the U.S. acts to protect interests or allies abroad. That threat could block the use of our military capability.
Fortunately, the U.S. National Security Agency has the technical ability to recognize most malware coming through cyberspace from around the world. It can block suspicious messages and scan for potentially destructive malware. The NSA’s technology is not foolproof but it could stop a large fraction of the dangerous Internet messages aimed at America. …
“Facing Cyberattack, Iranian Officials Disconnect Some Oil Terminals From Internet“, New York Times, 23 April 2012 — Excerpt:
Iran disconnected several of its main Persian Gulf oil terminals from the Internet on Monday, local news media reported, as technicians were struggling to contain what they said were intensifying cyberattacks on the Oil Ministry and its affiliates.
Iranian officials said the virus attack, which began in earnest on Sunday afternoon, had not affected oil production or exports, because the industry is still primarily mechanical and does not rely on the Internet. Officials said they were disconnecting the oil terminals and possibly some other installations in an effort to combat the virus. “Fortunately our international oil selling division has not been affected,” said a high-level manager at the Oil Ministry who asked not to be mentioned for security reasons. “There is no panic, but this shows we have shortcomings in our security systems.”
There were some reports that the virus had forced widespread Internet shutdowns. “The ministry has disconnected all oil facilities, operations and even oil rigs from the Internet to prevent this virus from spreading,” said another Oil Ministry official who asked to remain anonymous, because he was not authorized to speak publicly about the attack. “Everybody at the ministry is working overtime to prevent this.” His assertion about the extent of the shutdowns could not be independently verified.
… While officials here emphasize that both production and sales of oil are continuing as normal, the semiofficial Mehr News Agency said that the attack was intensifying and that access to the internal communications systems of most prominent oil and gas companies had been intentionally cut. A special crisis center has been set up where experts from across the country are assisting in the fight against the virus, it quoted one such specialist working for the Oil Ministry as saying.
“NATO Faced with Rising Flood of Cyberattacks“, der Spiegel, 26 April 2012 — Summary: