Slashdot Mirror


Schneier Calls US Stuxnet Cyberattack a 'Destabilizing and Dangerous' Action

alphadogg writes "Revelations by The New York Times that President Barack Obama in his role as commander in chief ordered the Stuxnet cyberattack against Iran's uranium-enrichment facility two years ago in cahoots with Israel is generating controversy, with Washington in an uproar over national-security leaks. But the important question is whether this covert action of sabotage against Iran, the first known major cyberattack authorized by a U.S. president, is the right course for the country to take. Are secret cyberattacks helping the U.S. solve geopolitical problems or actually making things worse? Bruce Schneier, whose most recent book is 'Liars and Outliers,' argues the U.S. made a mistake with Stuxnet, and he discusses why it's important for the world to tackle cyber-arms control now."

9 of 351 comments

  1. So, they have found the proof? by Robert+Zenz · · Score: 3, Interesting

    Is there really proof that it was the U.S.? I mean besides that awesome author who has 7 sources which want to stay hidden and that "Of course it was the U.S.!" attitude...

    1. Re:So, they have found the proof? by AHuxley · · Score: 4, Interesting

      http://www.theatlanticwire.com/global/2012/06/israeli-spies-want-credit-stuxnet/53354/
      Others want their expertise to rank with the NSA it seems :)

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:So, they have found the proof? by Maximum+Prophet · · Score: 4, Interesting

      Deterrence is a weasel word. The word you're looking for is "Fear"...

      No, Arthur C. Clarke talked about this w.r.t. technology. There are fears that are destabilizing, and fears that stabilize. If your "enemy" thinks that you are going to come to him and take his stuff, that fear destabilizes, weapons escalation is destabilizing. If your "enemy" has good intelligence, and knows that your weapons are secure and non-mobile, that fear is stabilizing, he knows he's safe now, but if he attacks those weapons are available.
      To paraphrase Mr. Clarke, more nuclear bombs, destabilizing. More spy satellites, stabilizing.

      The sad part of human existence is that if your "enemy" doesn't fear you in the least, and has no reason to believe you will oppose him, he *will* come and take your stuff.

      --
      All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
  2. I Think You Missed the Point by eldavojohn · · Score: 5, Interesting

    How could contributing to the spread of clever computer-intrusion technologies (both with things like Stuxnet, and with the pernicious habit of doing business with the sort of slimy vulnerability-sellers whose customers want to exploit, not patch, them), possibly be a bad idea for a country whose citizens, businesses, government, and R&D capabilities are overwhelmingly dependent on computerized infrastructure?

    I have to disagree with you here. To ensure that your businesses and citizens and government and infrastructure are sound, you should always be investigating modes for attacks and publishing them. My logic is that if the United States Government is able to develop this, then so is China's, Russia's, India's, etc so get it out in the open already. In fact, your claim almost seems to advocate security through obscurity. If you want to ensure that people aren't pilfering data without your knowledge, publish your exploits and what you see as "contributing to the spread of clever computer-intrusion technologies" could just as well be seen as "telling SCADA and other makers to pull their heads out of their asses and fix this." Also, your statements can apply to every single country now, even third world countries are largely dependent on networking hardware to function.

    The reason this is a "destabilizing and dangerous" action was because it was effective -- not because the US Government secretly gave hackers a bunch of ways to hack every computer ever made. Also, the US kind of lost the "moral high ground" now when someone hacks their nuclear facilities with the intent of disabling our capabilities. Use an effective cyber attack against a nation state that does not have similar capabilities ... "destabilizing and dangerous" is a definition of what you can expect the repercussions to be.

    --
    My work here is dung.
    1. Re:I Think You Missed the Point by fuzzyfuzzyfungus · · Score: 5, Interesting

      I apologize if I wasn't clear; but my point was that possessing electronic offense and improving electronic defense are directly at odds with one another (and, as you note, we are hardly the only country with a supply of adequately smart geeks.)

      If you want to use an attack, you need a vulnerability. If you want to use an attack against a really clueful adversary, you may need a really juicy vulnerability, a set of zero-days (as with Stuxnet) or that nifty code-signing trick with Flame, or the like. This is where the trouble starts:

      Your attack people now have a direct interest in keeping certain vulnerabilities unfixed. Since much of the world's software is widely used, and has a reasonably publicly visible update process, there is no viable way to sneak out some kind of 'Important vulnerability fix for Win32 systems in the US only'. Either you keep the bug secret, leaving your own people vulnerable, in the hopes that you can hit the other guy before he discovers the problem, or you protect everyone from that vulnerability by getting it fixed.

      Having US 'national security' types researching vulnerabilities is a good thing; but only if they do so with the intent of getting them fixed (US-CERT vulnerability reporting, for instance, makes us stronger.) That is how you 'get it in the open'. Things like Stuxnet and Flame were based on vulnerabilities that were kept in the dark (during which time they could have been used against us) for as long as possible.

      It's not that I advocate security through obscurity (quite the opposite, in fact), it's that in order to possess good offensive tools you must, necessarily, have knowledge of vulnerabilities that you are concealing. You had to discover them in order to build your attack system, you have to hide them in order to preserve its effectiveness. That's the problem. Possession of useful offensive capabilities implies that you are condemning everyone, your own people included, to security-by-obscurity.

  3. Re:Obama's Record by Mitchell314 · · Score: 5, Interesting

    Normally I'd agree with you, but in this case bytes is better than bullets, IMO. If the future of warfare is more about breaking machines and less about killing people, well it is a step up.

    --
    I read TFA and all I got was this lousy cookie
  4. No enforceable treaty is possible on this. by anwyn · · Score: 3, Interesting

    There is no way to prove whether a nation is engaged in offensive cyber warfare. It will always be possible to say those things were done by criminals and malefactors. "The secretary will disavow all knowledge of your actions." If those leaks had happened in China, the leakers would be shot and their families billed for the bullets. Therefore, if a treaty is signed, it will be a one-way treaty partially enforceable in the West only.

    It would be colossally foolish to sign such a treaty.

    I can not imagine such a treaty being ratified.

    Therefore, batten down the hatches, a storm is coming.

  5. Nobody ever won a war by following rules by Overzeetop · · Score: 4, Interesting

    The Pacific portion of WWII ended because we annihilated two cities - civilians and all - and threatened to turn the island of Japan into a wasteland. War sucks, and shouldn't need to exist, but it does. Good? Bad? Think of it this way - do you want to be the country that doesn't have nuclear weapons because they're "against the rules," or do you want to have them because - rules or not - people are much less likely to fuck with you if they know you can destroy them?

    --
    Is it just my observation, or are there way too many stupid people in the world?
  6. Re:Yes, and? by GodfatherofSoul · · Score: 4, Interesting

    That's not entirely the modern problem. We had relations relatively stabilized under Clinton. When Bush II adopted the PNAC world view, severed our relations with NK and Iran, declared his axis of evil, then scaled his foreign policy based on access to nuclear weapons, that basically told every two-bit dictator on the planet that a nuclear arsenal is "U.S. Invasion"-bane. That completely contradicted the message we've been trying to communicate to 3rd world countries for 50 years; nuclear weapons are expensive, hard to secure, dangerous, incite regional arms races, and an irreversible strategic choice.

    The new mantra (as perceived around the world) is the US wants nukes and doesn't want you to have them just in case we want to change your leadership. This is all a part of the horrible damage to our image that probably won't ever be righted.

    --
    I swear to God...I swear to God! That is NOT how you treat your human!