courtesy by: Good Offices Group of European Lawmakers, box 2580, 1211 Geneva 2
research contributed by: EDA & Bundesarchiv, Bern; ETH Zurich; Irina Gerassimova, UN Library Geneva
 url: - related e-books: .../NPT.htm ¦ .../scr255.htm ¦ .../nptswiss.htm ¦ .../nuclearsources.htm
.../britishgas.htm ¦ .../iran.htm ¦ .../jaffa.htm ¦ .../a2.htm ¦ .../ciaprisons.htm ¦ .../diamantball.htm ¦ .../vision.htm
tks 4 notifying errors, comments or suggestions to: ¦ +4122-7400362 - copyright

10.Jan 13   Cloud Computing: EU-Studie warnt vor NSA-Überwachung, Spiegel, Ole Reißmann
23 Oct 12   In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back, NYT. NICOLE PERLROTH
21.Okt 12   Cyber-Angriff via Schweiz, Sonntags-Zeitung, Benno Tuchschmid
30 Aug 12   Software Meant to Fight Crime Is Used to Spy on Dissidents, NYT, NICOLE PERLROTH
16.Mär 12   US-Geheimdienst NSA baut riesiges Abhörzentrum, Spiegel, Richard Meusers
20 nov 11   Antoine Vitkine:La Guerre invisible, TSR 2
19 Nov 11   Surveillance Catalog: Document Trove Exposes Surveillance Methods, WSJ, Jennifer Valentino et al.
18 nov 11   «La cybersécurité est l’affaire de tous», La Liberté, Pascal Fleury
18 Nov 11   Jeffrey Carr: What is Cyber War Anyway?, the
10 Oct 11   Government Aims to Build a ‘Data Eye in the Sky’, NYT, JOHN MARKOFF
20 aoû 11  Qu'est-ce que la cyberguerre?,, Jeffrey Carr
1 juin 11   La cyberguerre a commencé, Nouvel Observatoire, Jean-Baptiste Naudet
15 Feb 11   Egypt Leaders Found ‘Off’ Switch for Internet, NYT JAMES GLANZ et al.
9.Feb 11   Wie die USA das Internet kontrollieren, Tages-Anzeiger, Reto Knobel
26 Jan 11   Stuxnet:From Bullets to Megabytes, MYT, RICHARD A. FALKENRATH
15 Jan 11   Israeli Test on Worm Called Crucial in Iran Nuclear Delay, NYT, WILLIAM J. BROAD  et al.
19 Nov 10   Worm Can Deal Double Blow to Nuclear Program, NYT, JOHN MARKOFF
18 Nov 10   Worm Was Perfect for Sabotaging Centrifuges, NYT, WILLIAM J. BROAD et al.
1 Nov 10   The Online Threat: Should we be worried about a cyber war?, The New Yorker, Seymour M. Hersh
1.Okt 10   NATO: Bündnis gegen Cyberattacken, Tages-Anzeiger
29 Sep 10   In a Computer Worm, a Possible Biblical Clue, NYT, JOHN MARKOFF et al.
27 Sep 10   Virus hits Iran nuclear programme, Financial Times, Daniel Dombey
26.Sep 10   A Silent Attack, but Not a Subtle One, NYT, JOHN MARKOFF
26.Sep 10   Der Trojaner: Rätselhaftes Schadprogramm Stuxnet, FAZ, Rüdiger Köhn
26.Sep 10   «Hier war ein Expertenteam am Werk», NZZ am Sonntag, Andreas Hirstein
23 Aug 10   Hacker’s Arrest Offers Glimpse Into Crime in Russia, NYT, ANDREW E. KRAMER
19 Jul 10   A hidden world, growing beyond control, Washington Post, Dana Priest et al.
18 Jul 10   Top Secret America, Washington Post investigation
27.Mai 10   Online-Durchsuchungen: Der Staat in deinem Computer, WOZ, Dinu Gautier
15 Mar 10   US Readies Cyberwar, Virtual Flag Terrorism,, Webster G. Tarpley
28 Feb 10   Mike McConnell on how to win the cyber-war we're losing, Washington Post, Mike McConnell
5 Feb 10   Google Asks Spy Agency for Help With Inquiry Into Cyberattacks, NYT, JOHN MARKOFF
29 May 09   Pentagon Plans New Arm to Wage Wars in Cyberspace, NYT, DAVID E. SANGER et al.
12 May 09   China blocks U.S. from cyber warfare, Washington Times, Bill Gertz
29 Mar 09   Vast Spy System Loots Computers in 103 Countries, NYT, John Markoff

March 29, 2009

Vast Spy System Loots Computers in 103 Countries

TORONTO — A vast electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world, including those of the Dalai Lama, Canadian researchers have concluded.

In a report to be issued this weekend, the researchers said that the system was being controlled from computers based almost exclusively in China, but that they could not say conclusively that the Chinese government was involved.

The researchers, who are based at the Munk Center for International Studies at the University of Toronto, had been asked by the office of the Dalai Lama, the exiled Tibetan leader whom China regularly denounces, to examine its computers for signs of malicious software, or malware.

Their sleuthing opened a window into a broader operation that, in less than two years, has infiltrated at least 1,295 computers in 103 countries, including many belonging to embassies, foreign ministries and other government offices, as well as the Dalai Lama’s Tibetan exile centers in India, Brussels, London and New York.

The researchers, who have a record of detecting computer espionage, said they believed that in addition to the spying on the Dalai Lama, the system, which they called GhostNet, was focused on the governments of South Asian and Southeast Asian countries.

Intelligence analysts say many governments, including those of China, Russia and the United States, and other parties use sophisticated computer programs to covertly gather information.

The newly reported spying operation is by far the largest to come to light in terms of countries affected.

This is also believed to be the first time researchers have been able to expose the workings of a computer system used in an intrusion of this magnitude.

Still going strong, the operation continues to invade and monitor more than a dozen new computers a week, the researchers said in their report, “Tracking ‘GhostNet’: Investigating a Cyber Espionage Network.” They said they had found no evidence that United States government offices had been infiltrated, although a NATO computer was monitored by the spies for half a day and computers of the Indian Embassy in Washington were infiltrated.

The malware is remarkable both for its sweep — in computer jargon, it has not been merely “phishing” for random consumers’ information, but “whaling” for particular important targets — and for its Big Brother-style capacities. It can, for example, turn on the camera and audio-recording functions of an infected computer, enabling monitors to see and hear what goes on in a room. The investigators say they do not know if this facet has been employed.

The researchers were able to monitor the commands given to infected computers and to see the names of documents retrieved by the spies, but in most cases the contents of the stolen files have not been determined. Working with the Tibetans, however, the researchers found that specific correspondence had been stolen and that the intruders had gained control of the electronic mail server computers of the Dalai Lama’s organization.

The electronic spy game has had at least some real-world impact, they said. For example, they said, after an e-mail invitation was sent by the Dalai Lama’s office to a foreign diplomat, the Chinese government made a call to the diplomat discouraging a visit. And a woman working for a group making Internet contacts between Tibetan exiles and Chinese citizens was stopped by Chinese intelligence officers on her way back to Tibet, shown transcripts of her online conversations and warned to stop her political activities.

The Toronto researchers said they had notified international law enforcement agencies of the spying operation, which in their view exposed basic shortcomings in the legal structure of cyberspace. The F.B.I. declined to comment on the operation.

Although the Canadian researchers said that most of the computers behind the spying were in China, they cautioned against concluding that China’s government was involved. The spying could be a nonstate, for-profit operation, for example, or one run by private citizens in China known as “patriotic hackers.”

“We’re a bit more careful about it, knowing the nuance of what happens in the subterranean realms,” said Ronald J. Deibert, a member of the research group and an associate professor of political science at Munk. “This could well be the C.I.A. or the Russians. It’s a murky realm that we’re lifting the lid on.”

A spokesman for the Chinese Consulate in New York dismissed the idea that China was involved. “These are old stories and they are nonsense,” the spokesman, Wenqi Gao, said. “The Chinese government is opposed to and strictly forbids any cybercrime.”

The Toronto researchers, who allowed a reporter for The New York Times to review the spies’ digital tracks, are publishing their findings in Information Warfare Monitor, an online publication associated with the Munk Center.

At the same time, two computer researchers at Cambridge University in Britain who worked on the part of the investigation related to the Tibetans, are releasing an independent report. They do fault China, and they warned that other hackers could adopt the tactics used in the malware operation.

“What Chinese spooks did in 2008, Russian crooks will do in 2010 and even low-budget criminals from less developed countries will follow in due course,” the Cambridge researchers, Shishir Nagaraja and Ross Anderson, wrote in their report, “The Snooping Dragon: Social Malware Surveillance of the Tibetan Movement.”

In any case, it was suspicions of Chinese interference that led to the discovery of the spy operation. Last summer, the office of the Dalai Lama invited two specialists to India to audit computers used by the Dalai Lama’s organization. The specialists, Greg Walton, the editor of Information Warfare Monitor, and Mr. Nagaraja, a network security expert, found that the computers had indeed been infected and that intruders had stolen files from personal computers serving several Tibetan exile groups.

Back in Toronto, Mr. Walton shared data with colleagues at the Munk Center’s computer lab.

One of them was Nart Villeneuve, 34, a graduate student and self-taught “white hat” hacker with dazzling technical skills. Last year, Mr. Villeneuve linked the Chinese version of the Skype communications service to a Chinese government operation that was systematically eavesdropping on users’ instant-messaging sessions.

Early this month, Mr. Villeneuve noticed an odd string of 22 characters embedded in files created by the malicious software and searched for it with Google. It led him to a group of computers on Hainan Island, off China, and to a Web site that would prove to be critically important.

In a puzzling security lapse, the Web page that Mr. Villeneuve found was not protected by a password, while much of the rest of the system uses encryption.

Mr. Villeneuve and his colleagues figured out how the operation worked by commanding it to infect a system in their computer lab in Toronto. On March 12, the spies took their own bait. Mr. Villeneuve watched a brief series of commands flicker on his computer screen as someone — presumably in China — rummaged through the files. Finding nothing of interest, the intruder soon disappeared.

Through trial and error, the researchers learned to use the system’s Chinese-language “dashboard” — a control panel reachable with a standard Web browser — by which one could manipulate the more than 1,200 computers worldwide that had by then been infected.

Infection happens two ways. In one method, a user’s clicking on a document attached to an e-mail message lets the system covertly install software deep in the target operating system. Alternatively, a user clicks on a Web link in an e-mail message and is taken directly to a “poisoned” Web site.

The researchers said they avoided breaking any laws during three weeks of monitoring and extensively experimenting with the system’s unprotected software control panel. They provided, among other information, a log of compromised computers dating to May 22, 2007.

They found that three of the four control servers were in different provinces in China — Hainan, Guangdong and Sichuan — while the fourth was discovered to be at a Web-hosting company based in Southern California.

Beyond that, said Rafal A. Rohozinski, one of the investigators, “attribution is difficult because there is no agreed upon international legal framework for being able to pursue investigations down to their logical conclusion, which is highly local.”

Washington Times
May 12, 2009

China blocks U.S. from cyber warfare
Bill Gertz

China has developed more secure operating software for its tens of millions of computers and is already installing it on government and military systems, hoping to make Beijing's networks impenetrable to U.S. military and intelligence agencies.

The secure operating system, known as Kylin, was disclosed to Congress during recent hearings that provided new details on how China's government is preparing to wage cyberwarfare with the United States.

"We are in the early stages of a cyber arms race and need to respond accordingly," said Kevin G. Coleman, a private security specialist who advises the government on cybersecurity. He discussed Kylin during a hearing of the U.S. China Economic and Security Review Commission on April 30.

The deployment of Kylin is significant, Mr. Coleman said, because the system has "hardened" key Chinese servers. U.S. offensive cyberwar capabilities have been focused on getting into Chinese government and military computers outfitted with less secure operating systems like those made by Microsoft Corp.

"This action also made our offensive cybercapabilities ineffective against them, given the cyberweapons were designed to be used against Linux, UNIX and Windows," he said.

The secure operating system was disclosed as computer hackers in China - some of them sponsored by the communist government and military - are engaged in aggressive attacks against the United States, said officials and experts who disclosed new details of what was described as a growing war in cyberspace.

These experts say Beijing's military is recruiting computer hackers for its forces, including one specialist identified in congressional testimony who set up a company that was traced to attacks that penetrated Pentagon computers.

Chinese Embassy spokesman Wang Baodong declined immediate comment. But Jiang Yu, a Chinese Foreign Ministry spokesman, said April 23 that the reports of Chinese hacking into Pentagon computers were false.

"Relevant authorities of the Chinese government attach great importance to cracking down on cybercrimes," Ms. Jiang said. "We believe it is extremely irresponsible to accuse China of being the source of attacks prior to any serious investigation."

Mr. Coleman, a computer security specialist at Technolytics and a consultant to the director of national intelligence and U.S. Strategic Command, said Chinese state or state-affiliated entities are on a wartime footing in seeking electronic information from the U.S. government, contractors and industrial computer networks.

Mr. Coleman said in an interview that China's Kylin system was under development since 2001 and the first computers to use it are government and military servers that were converted beginning in 2007.

Additionally, Mr. Coleman said, the Chinese have developed a secure microprocessor that, unlike U.S.-made chips, is known to be hardened against external access by a hacker or automated malicious software.

"If you add a hardened microchip and a hardened operating system, that makes a really good solid platform for defending infrastructure [from external attack]," Mr. Coleman said.

U.S. operating system software, including Microsoft, used open-source and offshore code that makes it less secure and vulnerable to software "trap doors" that could allow access in wartime, he explained.

"What's so interesting from a strategic standpoint is that in the cyberarena, China is playing chess while we're playing checkers," he said.

Asked whether the United States would win a cyberwar with China, Mr. Coleman said it would be a draw because China, the United States and Russia are matched equally in the new type of warfare.

Rafal A. Rohozinski, a Canadian computer security specialist who also testified at the commission hearing, explained how he took part in a two-year investigation that uncovered a sophisticated worldwide computer attack network that appeared to be a Chinese-government-sponsored program called GhostNet, whose electronic strikes were traced to e-mails from Hainan island in the South China Sea.

GhostNet was able to completely take over targeted computers and then download documents and information. Some of the data stolen were sensitive financial and visa information on foreign government networks at overseas embassies, Mr. Rohozinski said.

The China-based computer network used sophisticated break-in techniques that are generally beyond the capabilities of nongovernment hackers, Mr. Rohozinski said.

Using surveillance techniques, the investigators observed GhostNet hackers stealing sensitive computer documents from embassy computers and nongovernmental organizations.

"It was a do-it-yourself signals intelligence operation," Mr. Rohozinski said of the network, which took over about 1,200 computers in 103 nations, targeted specifically at overseas Tibetans linked to the exiled Dalai Lama.

Mr. Rohozinski, chief executive officer of the SecDev Group and an advisory board member at the Citizen Lab at the Munk Center for International Studies at the University of Toronto in Ontario, said the GhostNet operation was likely part of a much bigger cyberintelligence effort by China to silence or thwart its perceived opponents.

A third computer specialist, Alan Paller, told the Senate Committee on Homeland Security and Governmental Affairs on April 29 that China's military in 2005 recruited Tan Dailin, a graduate student at Sichuan University, after he showed off his hacker skills at an annual contest.

Mr. Paller, a computer security specialist with the SANS Institute, said the Chinese military put the hacker through a 30-day, 16-hour-a-day workshop "where he learned to develop really high-end attacks and honed his skills."

A hacker team headed by Mr. Tan then won other computer warfare contests against Chinese military units in Chengdu, in Sichuan province.

Mr. Paller said that a short time later, Mr. Tan "set up a little company. No one's exactly sure where all the money came from, but it was in September 2005 when he won it. By December, he was found inside [Defense Department] computers, well inside DoD computers," Mr. Paller said.

A Pentagon official said at the time that Chinese military hackers were detected breaking into the unclassified e-mail on a network near the office of Defense Secretary Robert M. Gates in June 2007.

Additional details of Chinese cyberattacks were disclosed recently by Joel F. Brenner, the national counterintelligence executive, the nation's most senior counterintelligence coordinator.

Mr. Brenner stated in a speech in Texas last month that cyberactivities by China and Russia are widespread and "we know how to deal with these," including widely reported "Chinese penetrations of unclassified DoD networks."

"Those are more sophisticated, though hardly state of the art," he said. "Frankly, I worry more about attacks we can't even see, which the Russians are good at. The Chinese are relentless and don't seem to care about getting caught. And we have seen Chinese network operations inside certain of our electricity grids."

Mr. Brenner said there are minimal concerns about a Chinese cyberattack to shut down U.S. banking networks because "they have too much money invested here.

"Our electricity grid? No, not now. But if there were a dust-up over Taiwan, these answers might be different," he said.

Aggressive Chinese computer hacking has been known for years, but the U.S. government in the past was reluctant to detail the activities.

The CIA, for example, sponsored research in the late 1990s that sought to minimize Chinese cyberwarfare capabilities, under the idea that highlighting such activities would hype the threat.

Researcher James Mulvenon, for instance, stated during a 1998 conference that China's People's Liberation Army (PLA) "does not currently have a coherent [information warfare] doctrine, certainly nothing compared to U.S. doctrinal writings on the subject."

Mr. Mulvenon stated in one report that "while PLA [information warfare] capabilities are growing, they do not match even the primitive sophistication of their underlying strategies."

Mr. Mulvenon has since changed his views and has identified Chinese computer-based warfare as a major threat to the Pentagon.

Mr. Coleman said China's military is equal to U.S. and Russian military cyberwarfare.

"This is a three-horse race, and it is a dead heat," Mr. Coleman said.

The National University of China is the strategic adviser to the Chinese military on cyberwarfare and the Ministry of Science and Technology, he said.

Several computer security specialists recently sounded public alarm about the growing number of cyberattacks from China and Russia.

China, based on state-approved writings, thinks the United States is "already is carrying out offensive cyberespionage and exploitation against China," Mr. Coleman said.

In response, China is taking steps to protect its own computer and information networks so that it can "go on the offensive," he said.

Mr. Coleman said one indication of the problem was identified by Solutionary, a computer security company that in March detected 128 "acts of cyberagression" tied to Internet addresses in China.

"These acts should serve as a warning that clearly indicates just how far along China's cyberintelligence collection capabilities are," Mr. Coleman said.

A Pentagon spokesman, Air Force Lt. Col. Eric Butterbaugh, would not comment on Chinese cyberattacks directly but said "cyberspace is a war-fighting domain, critical to military operations: We must protect it."

The Pentagon's Global Information Grid is hit with "millions of scans" - not intrusion attempts - every day, Lt. Butterbaugh said.

"The nature of the threat is large and diverse, and includes recreational hackers, self-styled cybervigilantes, various groups with nationalistic or ideological agendas, transnational actors, and nation-states," he said. "We have seen attempts by a variety of state and nonstate sponsored organizations to gain unauthorized access to, or otherwise degrade, DoD information systems."

Air Force Gen. Kevin Chilton, commander of the U.S. Strategic Command, said May 7 that a joint cybercommand is needed under the Pentagon to better integrate military and civilian cybercapabilities and defenses. Gen. Chilton said he favors creating the joint command at Fort Meade, Md., where the National Security Agency is located. The command should be a subunit of Strategic Command, located at Offutt Air Force Base, Neb.

Mr. Gates said last month that the National Security Council is heading up a strategic review of U.S. cybercapabilties and is considering creating a subunified command within Strategic Command.

Pentagon spokesman Bryan Whitman said Mr. Gates has not decided on the subunified command to handle cyberwarfare issues and is waiting for the completion of the White House review of cyberwarfare and security issues, which is past due from the 60-day deadline imposed by Congress.

Mr. Gates "thought it would be prudent to wait for their work before looking at potential organization structures," Mr. Whitman said in an interview.

May 29, 2009

Pentagon Plans New Arm to Wage Wars in Cyberspace

WASHINGTON — The Pentagon plans to create a new military command for cyberspace, administration officials said Thursday, stepping up preparations by the armed forces to conduct both offensive and defensive computer warfare.

The military command would complement a civilian effort to be announced by President Obama on Friday that would overhaul the way the United States safeguards its computer networks.

Mr. Obama, officials said, will announce the creation of a White House office — reporting to both the National Security Council and the National Economic Council — that will coordinate a multibillion-dollar effort to restrict access to government computers and protect systems that run the stock exchanges, clear global banking transactions and manage the air traffic control system.

White House officials say Mr. Obama has not yet been formally presented with the Pentagon plan. They said he would not discuss it Friday when he announced the creation of a White House office responsible for coordinating private-sector and government defenses against the thousands of cyberattacks mounted against the United States — largely by hackers but sometimes by foreign governments — every day.

But he is expected to sign a classified order in coming weeks that will create the military cybercommand, officials said. It is a recognition that the United States already has a growing number of computer weapons in its arsenal and must prepare strategies for their use — as a deterrent or alongside conventional weapons — in a wide variety of possible future conflicts.

The White House office will be run by a “cyberczar,” but because the position will not have direct access to the president, some experts said it was not high-level enough to end a series of bureaucratic wars that have broken out as billions of dollars have suddenly been allocated to protect against the computer threats.

The main dispute has been over whether the Pentagon or the National Security Agency should take the lead in preparing for and fighting cyberbattles. Under one proposal still being debated, parts of the N.S.A. would be integrated into the military command so they could operate jointly.

Officials said that in addition to the unclassified strategy paper to be released by Mr. Obama on Friday, a classified set of presidential directives is expected to lay out the military’s new responsibilities and how it coordinates its mission with that of the N.S.A., where most of the expertise on digital warfare resides today.

The decision to create a cybercommand is a major step beyond the actions taken by the Bush administration, which authorized several computer-based attacks but never resolved the question of how the government would prepare for a new era of warfare fought over digital networks.

It is still unclear whether the military’s new command or the N.S.A. — or both — will actually conduct this new kind of offensive cyberoperations.

The White House has never said whether Mr. Obama embraces the idea that the United States should use cyberweapons, and the public announcement on Friday is expected to focus solely on defensive steps and the government’s acknowledgment that it needs to be better organized to face the threat from foes attacking military, government and commercial online systems.

Defense Secretary Robert M. Gates has pushed for the Pentagon to become better organized to address the security threat.

Initially at least, the new command would focus on organizing the various components and capabilities now scattered across the four armed services.

Officials declined to describe potential offensive operations, but said they now viewed cyberspace as comparable to more traditional battlefields. “We are not comfortable discussing the question of offensive cyberoperations, but we consider cyberspace a war-fighting domain,“ said Bryan Whitman, a Pentagon spokesman. “We need to be able to operate within that domain just like on any battlefield, which includes protecting our freedom of movement and preserving our capability to perform in that environment.”

Although Pentagon civilian officials and military officers said the new command was expected to initially be a subordinate headquarters under the military’s Strategic Command, which controls nuclear operations as well as cyberdefenses, it could eventually become an independent command.

“No decision has been made,” said Lt. Col. Eric Butterbaugh, a Pentagon spokesman. “Just as the White House has completed its 60-day review of cyberspace policy, likewise, we are looking at how the department can best organize itself to fill our role in implementing the administration’s cyberpolicy.”

The creation of the cyberczar’s office inside the White House appears to be part of a significant expansion of the role of the national security apparatus there. A separate group overseeing domestic security, created by President George W. Bush after the Sept. 11 attacks, now resides within the National Security Council. A senior White House official responsible for countering the proliferation of nuclear and unconventional weapons has been given broader authority. Now, cybersecurity will also rank as one of the key threats that Mr. Obama is seeking to coordinate from the White House.

The strategy review Mr. Obama will discuss on Friday was completed weeks ago, but delayed because of continuing arguments over the authority of the White House office, and the budgets for the entire effort.

It was kept separate from the military debate over whether the Pentagon or the N.S.A. is best equipped to engage in offensive operations. Part of that debate hinges on the question of how much control should be given to American spy agencies, since they are prohibited from acting on American soil.

“It’s the domestic spying problem writ large,” one senior intelligence official said recently. “These attacks start in other countries, but they know no borders. So how do you fight them if you can’t act both inside and outside the United States?”

John Markoff contributed reporting from San Francisco.

February 5, 2010

Google Asks Spy Agency for Help With Inquiry Into Cyberattacks


SAN FRANCISCO — Google has turned to the National Security Agency for technical assistance to learn more about the computer network attackers who breached the company’s cybersecurity defenses last year, a person with direct knowledge of the agreement said Thursday.

The collaboration between Google, the world’s largest search engine company, and the federal agency in charge of global electronic surveillance raises both civil liberties issues and new questions about how much Google knew about the electronic thefts it experienced when it stated last month that it might end its business operations in China, where it said the attacks originated. The agreement was first reported on Wednesday evening by The Washington Post.

By turning to the N.S.A., which has no statutory authority to investigate domestic criminal acts, instead of the Department of Homeland Security, which does have such authority, Google is clearly seeking to avoid having its search engine, e-mail and other Web services regulated as part of the nation’s “critical infrastructure.”

The United States government has become increasingly concerned about the computer risks confronting energy and water distribution systems and financial and communications networks. Systems designated as critical infrastructure are increasingly being held to tighter regulatory standards.

On Jan. 12, Google announced a “new approach to China,” stating that the attacks were “highly sophisticated” and came from China. At the time, it gave few details about the attacks other than to say that a theft of its intellectual property had occurred and that a primary goal of the attackers had been to gain access to the Gmail accounts of Chinese human rights activists.

In reaching out to the N.S.A., which has extensive abilities to monitor global Internet traffic, the company may have been hoping to gain more certainty about the identity of the attackers. A number of computer security consultants who worked with other companies that experienced attacks similar to those of Google have stated that the surveillance system was controlled from a series of compromised server computers based in Taiwan. It is not clear how Google determined that the attacks originated in China.

A Google spokeswoman said the company was declining to comment on the case beyond what it published last month. An N.S.A. spokeswoman said, “N.S.A. is not able to comment on specific relationships we may or may not have with U.S. companies,” but added, the agency worked with “a broad range of commercial partners” to ensure security of information systems.

The agency’s responsibility to secure the government’s computer networks almost certainly was another reason Google turned to it, said a former federal computer security specialist.

“This is the other side of N.S.A. — this is the security service that does defensive measures,” said the specialist, James A. Lewis, a director at the Center for Strategic and International Studies. “It’s not unusual for people to go to N.S.A. and say ‘please take a look at my code.’ ”

The agreement will not permit the agency to have access to information belonging to Google users, but it still reopens long-standing questions about the role of the agency.

“Google and N.S.A. are entering into a secret agreement that could impact the privacy of millions of users of Google’s products and services around the world,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center, a Washington-based policy group. On Thursday, the organization filed a lawsuit against the N.S.A., calling for the release of information about the agency’s role as it was set out in National Security Presidential Directive 54/Homeland Security Presidential Directive 23 , a classified 2008 order issued by President George W. Bush dealing with cybersecurity and surveillance.

Concerns about the nation’s cybersecurity have greatly increased in the past two years. On Tuesday, Dennis C. Blair, the director of national intelligence, began his annual threat testimony before Congress by saying that the threat of a crippling attack on telecommunications and other computer networks was growing, as an increasingly sophisticated group of enemies had “severely threatened” the sometimes fragile systems behind the country’s information infrastructure.

“Malicious cyberactivity is occurring on an unprecedented scale with extraordinary sophistication,” he told the committee.

The relationship that the N.S.A. has struck with Google is known as a cooperative research and development agreement, according to a person briefed on the relationship. These were created as part of the Federal Technology Transfer Act of 1986 and are essentially a written agreement between a private company and a government agency to work together on a specific project. They are intended to help accelerate the commercialization of government-developed technology.

In addition to the N.S.A., Google has been working with the F.B.I. on the attack inquiry, but the bureau has so far declined to comment publicly or to share information about the intrusions with Congress.

Washington Post     February 28, 2010

Mike McConnell on how to win the cyber-war we're losing
By Mike McConnell

The United States is fighting a cyber-war today, and we are losing. It's that simple. As the most wired nation on Earth, we offer the most targets of significance, yet our cyber-defenses are woefully lacking.

The problem is not one of resources; even in our current fiscal straits, we can afford to upgrade our defenses. The problem is that we lack a cohesive strategy to meet this challenge.

The stakes are enormous. To the extent that the sprawling U.S. economy inhabits a common physical space, it is in our communications networks. If an enemy disrupted our financial and accounting transactions, our equities and bond markets or our retail commerce -- or created confusion about the legitimacy of those transactions -- chaos would result. Our power grids, air and ground transportation, telecommunications, and water-filtration systems are in jeopardy as well.

These battles are not hypothetical. Google's networks were hacked in an attack that began in December and that the company said emanated from China. And recently the security firm NetWitness reported that more than 2,500 companies worldwide were compromised in a sophisticated attack launched in 2008 and aimed at proprietary corporate data. Indeed, the recent Cyber Shock Wave simulation revealed what those of us involved in national security policy have long feared: For all our war games and strategy documents focused on traditional warfare, we have yet to address the most basic questions about cyber-conflicts.

What is the right strategy for this most modern of wars? Look to history. During the Cold War, when the United States faced an existential threat from the Soviet Union, we relied on deterrence to protect ourselves from nuclear attack. Later, as the East-West stalemate ended and nuclear weapons proliferated, some argued that preemption made more sense in an age of global terrorism.

The cyber-war mirrors the nuclear challenge in terms of the potential economic and psychological effects. So, should our strategy be deterrence or preemption? The answer: both. Depending on the nature of the threat, we can deploy aspects of either approach to defend America in cyberspace.

During the Cold War, deterrence was based on a few key elements: attribution (understanding who attacked us), location (knowing where a strike came from), response (being able to respond, even if attacked first) and transparency (the enemy's knowledge of our capability and intent to counter with massive force).

Against the Soviets, we dealt with the attribution and location challenges by developing human intelligence behind the Iron Curtain and by fielding early-warning radar systems, reconnaissance satellites and undersea listening posts to monitor threats. We invested heavily in our response capabilities with intercontinental ballistic missiles, submarines and long-range bombers, as well as command-and-control systems and specialized staffs to run them. The resources available were commensurate with the challenge at hand -- as must be the case in cyberspace.

Just as important was the softer side of our national security strategy: the policies, treaties and diplomatic efforts that underpinned containment and deterrence. Our alliances, such as NATO, made clear that a strike on one would be a strike on all and would be met with massive retaliation. This unambiguous intent, together with our ability to monitor and respond, provided a credible nuclear deterrent that served us well.

How do we apply deterrence in the cyber-age? For one, we must clearly express our intent. Secretary of State Hillary Rodham Clinton offered a succinct statement to that effect last month in Washington, in a speech on Internet freedom. "Countries or individuals that engage in cyber-attacks should face consequences and international condemnation," she said. "In an Internet-connected world, an attack on one nation's networks can be an attack on all."

That was a promising move, but it means little unless we back it up with practical policies and international legal agreements to define norms and identify consequences for destructive behavior in cyberspace. We began examining these issues through the Comprehensive National Cybersecurity Initiative, launched during the George W. Bush administration, but more work is needed on outlining how, when and where we would respond to an attack. For now, we have a response mechanism in name only.

The United States must also translate our intent into capabilities. We need to develop an early-warning system to monitor cyberspace, identify intrusions and locate the source of attacks with a trail of evidence that can support diplomatic, military and legal options -- and we must be able to do this in milliseconds. More specifically, we need to reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment -- who did it, from where, why and what was the result -- more manageable. The technologies are already available from public and private sources and can be further developed if we have the will to build them into our systems and to work with our allies and trading partners so they will do the same.

Of course, deterrence can be effective when the enemy is a state with an easily identifiable government and location. It is less successful against criminal groups or extremists who cannot be readily traced, let alone deterred through sanctions or military action.

There are many organizations (including al-Qaeda) that are not motivated by greed, as with criminal organizations, or a desire for geopolitical advantage, as with many states. Rather, their worldview seeks to destroy the systems of global commerce, trade and travel that are undergirded by our cyber-infrastructure. So deterrence is not enough; preemptive strategies might be required before such adversaries launch a devastating cyber-attack.

We preempt such groups by degrading, interdicting and eliminating their leadership and capabilities to mount cyber-attacks, and by creating a more resilient cyberspace that can absorb attacks and quickly recover. To this end, we must hammer out a consensus on how to best harness the capabilities of the National Security Agency, which I had the privilege to lead from 1992 to 1996. The NSA is the only agency in the United States with the legal authority, oversight and budget dedicated to breaking the codes and understanding the capabilities and intentions of potential enemies. The challenge is to shape an effective partnership with the private sector so information can move quickly back and forth from public to private -- and classified to unclassified -- to protect the nation's critical infrastructure.

We must give key private-sector leaders (from the transportation, utility and financial arenas) access to information on emerging threats so they can take countermeasures. For this to work, the private sector needs to be able to share network information -- on a controlled basis -- without inviting lawsuits from shareholders and others.

Obviously, such measures must be contemplated very carefully. But the reality is that while the lion's share of cybersecurity expertise lies in the federal government, more than 90 percent of the physical infrastructure of the Web is owned by private industry. Neither side on its own can mount the cyber-defense we need; some collaboration is inevitable. Recent reports of a possible partnership between Google and the government point to the kind of joint efforts -- and shared challenges -- that we are likely to see in the future.

No doubt, such arrangements will muddy the waters between the traditional roles of the government and the private sector. We must define the parameters of such interactions, but we should not dismiss them. Cyberspace knows no borders, and our defensive efforts must be similarly seamless.

Ultimately, to build the right strategy to defend cyberspace, we need the equivalent of President Dwight D. Eisenhower's Project Solarium. That 1953 initiative brought together teams of experts with opposing views to develop alternative strategies on how to wage the Cold War. The teams presented their views to the president, and Eisenhower chose his preferred approach -- deterrence. We now need a dialogue among business, civil society and government on the challenges we face in cyberspace -- spanning international law, privacy and civil liberties, security, and the architecture of the Internet. The results should shape our cybersecurity strategy.

We prevailed in the Cold War through strong leadership, clear policies, solid alliances and close integration of our diplomatic, economic and military efforts. We backed all this up with robust investments -- security never comes cheap. It worked, because we had to make it work.

Let's do the same with cybersecurity. The time to start was yesterday.

Mike McConnell was the director of the National Security Agency in the Clinton administration and the director of national intelligence during President George W. Bush's second term. A retired Navy vice admiral, he is executive vice president of Booz Allen Hamilton, which consults on cybersecurity for the private and public sector.

TARPLEY.netMarch 15, 2010

US Readies Cyberwar, Virtual Flag Terrorism
Webster G. Tarpley

Google is now preparing to leave China as a result of this company’s stubborn refusal to obey Chinese laws. Google is in effect demanding extraterritoriality and immunity to the legal norms of the host nation, a claim which goes back to the unequal treaties imposed by foreign imperialists, notably the British, on China starting in the 19th century. It is not surprising that the Chinese response to this arrogant interference in the internal affairs of a sovereign state has been stern.

We must also recall that Google was founded with the help of the US intelligence community, and is now acting as a virtual arm of the US National Security Agency, the electronic espionage department of the US government. Google-NSA’s arrogance and hypocrisy are unbearable, especially when we bear in mind the countless times that Google search engines have been used to suppress exposés of the US governments false flag operations, most notably 9/11, and other sensitive topics.

There are two sides to the conflict between Google-NSA and China. One is the Great Cyberwall erected by the Chinese government against attempts by the US-UK to capitalize on ethnic and social tensions inside China to launch a color revolution, CIA people power coup, or postmodern putsch. The other aspect is Google’s claim that hackers working for the Chinese government raided Google’s e-mail servers. The second charge has been formally denied by the Chinese.

Even as Google prepares to shut down its Chinese operations, something larger and more sinister is looming. The US Wall Street-controlled media are gearing up to educate the public about imminent cyberwarfare and cyber-conflict. We can sense that Andrew Marshall, the Pentagon’s infamous octogenarian Yoda of the Office of Net Assessment, is playing a key role behind the scenes. This effort was formally launched in May 2009 by none other than Obama, who announced a buildup of US cyberwar assets, illustrating his project with the claim that his own campaign websites had been hacked during the 2008 campaign, prompting him to seek the assistance of FBI, CIA, NSA and the rest.

One highlight of this US propaganda campaign has been a two-hour docudrama special recently repeated several times on CNN on Feb. 20-21, simulating a massive cyber attack on the United States, starting with cell phones and then taking over into computers.[1] The impact of this attack is to shut down telephone communications, followed by airports and rail services, and finally to knock out most of the US electrical power grid, causing panic and chaos. The simulation is presented in the form of a meeting of the National Security Council while the US is under attack. Several protagonists of the 9/11 cover-up were among the starring players, including Jamie Gorelick (playing the US Attorney General), John Negroponte (playing the Secretary of State), and Michael Chertoff (in the role of the National Security Council Director).

Another important sign of the times is a Feb. 28 op-ed in the Washington Post by Admiral Mike McConnell, who headed up the NSA under Clinton, and is now a top executive for Booz Allen Hamilton, one of the military consulting firms which claims to have the greatest expertise in matters of cyber warfare.[2] Admiral McConnell’s basic idea is that cyber war is now upon us, and that the US must respond using the experience of the Cold War as the relevant model.

The results of this campaign of preparatory propaganda can be summed up under four basic points.

One is the relentless exaggeration of what cyber warfare can actually do in its present state. The public is now expected to believe that computer viruses and denial of service attacks can be used to shut down phone service, cripple airports, prevent trains from running, sabotage nuclear reactors, and paralyze power grids over the quasi-totality of the United States. Many of these claims were launched in relatively obscure articles by CIA officials or Wall Street Journal writers. It is not at all clear that cyber warfare can do what these interested parties are alleging. Rather, the best intelligence estimate right now is that we are in the presence of a new wave of cynical and demagogic fear mongering, similar to the weapons of mass distraction charges made by the neocons against Iraq during the buildup of war hysteria in 2002-2003. The idea that cyber warfare can shut down electrical grids very likely belongs in the same category with Tony Blair’s ludicrous charge that Saddam Hussein had the ability to strike London in 45 minutes. It was a fantastic lie.

A second Leitmotiv is the transposition of the terminology and mindset of the Cold War and nuclear confrontation into the modern cyber arena. The CNN simulation works towards refurbishing notions of deterrence, retaliation, and first strike, dressing them up in the trendy jargon of the computer age. Notions of preventive attack and preemptive attack are also being revamped. One big difference which the propagandists do not point out is that, while nuclear war was considered an unthinkable last resort by most government officials, the new propaganda portrays cyberwarfare as not unthinkable at all, but something that can be indulged in with relative impunity.

Very important legal questions arise in this context. Does a cyber attack constitute an armed attack? Can a cyber attack be casus belli, grounds for issuing a declaration of war? Is escalation from computers to bombs legal? Can a cyber attack represent a threat to international peace and security for the purposes of the United Nations charter? Can a cyber attack be used to invoke article V of the NATO treaty, which calls for common defense?

A third aspect of the current media blitz is that a new cast of enemies is being groomed and brought onstage, even as the shadowy adversaries of yesterday are relegated to a less prominent position – at least as far as cyber-aggression is concerned. In the CNN simulation, there is some discussion of a possible role of “Al Qaeda” and “bin Laden” in the ongoing attack. But this idea is brusquely and almost scornfully dismissed with the reply that those guys are known to live in caves, and therefore could hardly have the equipment necessary to carry on cyber warfare, even though they might desire to do so. For the CNN producers and their intelligence community consultants, the targets are clear: Russia (specifically the city of Irkutsk), China, and Sudan are the three countries mentioned as sources of the cyber attacks shutting down the US economy. With this, we have gone far beyond the narrow confines of the Middle East to target the largest country in the world, the largest country in Asia, and the largest country in Africa. The new target list involves two great powers, and not simply Iraq or Iran. We can see bigger and more lunatic adventures being prepared by the US scenario writers.

The fourth unmistakable overtone of the current propaganda barrage is the danger we can sum up under the heading of virtual flag terrorism. The world of cyber warfare is so opaque and recondite for the average person, and solid confirmation of claims so hard to come by, that rogue bureaucrats in the US and British governments will be able to a surge virtually anything with little fear of being refuted. Google accuses China of hacking without offering any convincing proof, and China denies the charge. What is the average person to believe? What prevents hackers in league with invisible government rogue moles at the NSA from deliberately attacking US facilities, and then blaming it on China, thus ginning up a major international provocation with little risk of being caught?

If millions of people are plunged into the dark, if trains and airliners crash, if other disasters occur, it is child’s play to issue a communiqué blaming hackers in the service of the Russian, Chinese, Sudanese, the Iranians, or other governments. The governments accused can certainly issue denials, but it is not clear how such a charge could be convincingly refuted.

The CNN simulation includes a discussion of the difference between location and attribution, meaning that the mere fact that an attack is launched from the country’s territory does not mean that the government is responsible. “Location is not attribution,” intones Secretary of State Negroponte at one point. But we can already hear the voice of the inevitable neocon warmonger asserting à la Bush that no distinction must be made between the servers spreading a destructive virus and the government whose territory harbors those servers. For the neocon, location and attribution are sure to be the same. This opens the possibility of starting a conflict by infiltrating physical provocateurs onto the territory of the targeted nation, and letting them launch a cyber attack from there. Even easier, so-called botnets of captive computers commandeered by trojans and related viruses can be used to launch the attack.

It goes without saying that the beltway bandits and Pentagon contractors are eager to cash in on the lucrative contracts that are now in the offing. More broadly, cyber warfare can be used as a great alibi for purposes of avoiding civil liability in the age of underfunding and asset stripping. When we have the next crash in the Washington DC metro, the management and the National Transportation Safety Board can ignore decades of underfunding and simply blame everything on Russia, China, and the Sudan, and tell the families of the victims to go and sue those governments. It is therefore time to begin a campaign of counter-inoculation of international public opinion against this new set of ominous lies which is being foisted off on the world.    27.Mai 2010

Online-Durchsuchungen: Der Staat in deinem Computer
Von Dinu Gautier

Der Bund will mit heimlich eingeschleusten Trojanern Computer durchsuchen. Experten erklären, wie das funktioniert. Die  Piratenpartei droht mit einem Referendum.

Die Strafverfolgungsbehörden wollen künftig Trojaner auf die Computer von Verdächtigen schleusen dürfen. Mithilfe dieser  Überwachungsprogramme soll der Staat nicht nur verschlüsselte Mails oder verschlüsselte Internettelefonate (VoIP) mitverfolgen  können, sondern sich auch gleich auf der Festplatte der überwachten Personen umsehen dürfen. «Es kann auf das ganze  Datenverarbeitungsprogramm zugegriffen werden», so die offizielle Beschreibung.

Die neue Massnahme ist in einem Vernehmlassungsentwurf für ein überarbeitetes Bundesgesetz betreffend die Überwachung des Post- und Fernmelde¬verkehrs (Büpf) zu finden. Veröffentlicht wurde der Entwurf letzte Woche. Deutschschweizer Nachrichtenagenturen  und Medien haben die neue Massnahme bisher nicht bemerkt.

Dabei betont sogar das Bundesamt für Justiz (BJ) in seinen Erläuterungen, um welch heiklen Eingriff in die Privatsphäre der Betroffenen  es sich handelt: Mit dieser Technik könne auch auf Daten zugegriffen werden, welche nicht in Zusammenhang mit dem  Überwachungszweck stünden und «die zur Privat- oder sogar Intimsphäre gehören». Als Beispiele werden «Fotos», «Filme» sowie  «Korrespondenz» genannt.

Den geplanten Einsatz von Bundes¬trojanern rechtfertigt das Bundesamt für Justiz mit der zunehmend verschlüsselten Kommunikation  von Verdächtigten, sei dies per Mail oder VoIP-¬Telefonie (beispielsweise Skype), die mit herkömmlichen Methoden nicht überwachbar  sind. «Wir führen keine Statis¬tik darüber, wie viele Personen in der Schweiz verschlüsselte E-Mails verschicken», sagt Eva Zwahlen  vom Bundesamt für Justiz auf Nachfrage. Heutzutage würden aber zahlreiche Mailsysteme die Verschlüsselung standardmässig  ausführen.

Passwörter mitlesen
(Bundes-)Trojaner sind Programme, die unbemerkt auf dem Rechner (oder dem Mobiltelefon) der zu überwachenden Person laufen.  Einmal installiert, sind sie kaum zu entdecken. Übers Internet sendet der Trojaner Informationen an die Behörde. Diese erhält so  Zugriff auf alle Dateien, kann die Tastatureingaben mitlesen (wodurch sie zu Verschlüsselungspasswörtern kommt) oder das System  gar fernsteuern. Bei Laptops kann beispielsweise das Mikrofon eingeschaltet werden, was das unbemerkte Abhören von Gesprächen  im Raum ermöglicht, in dem der Laptop steht.

Patrick Rohner, beim BJ zuständig für die Büpf-Revision, redet nicht gerne von Trojanern: «Der Begriff ist negativ besetzt. Der Staat ist  ja kein Internetkrimineller, sondern handelt im Rahmen des Gesetzes.» Technisch sei mit den Programmen vieles möglich, räumt  Rohner ein. Die Aktivierung von Laptopmikrofonen etwa hält er nicht nur technisch, sondern dank des vorgeschlagenen Gesetzes  künftig auch juris¬tisch für möglich. Rohner betont aber, dass die Untersuchungsbehörden vor dem Einsatz der Trojaner verschiedene  Verfahrenshürden nehmen müssen.

Das unbemerkte Einschleusen von Trojanern auf den Computer oder das Mobiltelefon des Verdächtigten ist anspruchsvoll. Wie das  gehen könnte, erklärt ein IT-Experte mit Erfahrungen auf dem Gebiet. Er möchte anonym bleiben, nennen wir ihn Pit Schürmann: «Man  müsste zuerst mittels herkömmlicher Überwachung das Verhalten der Zielperson analysieren, um einen geeigneten Weg zu finden, ihr  den Trojaner unterzujubeln.» Getarnt als Freund der Person, könnte man ihr dann beispielsweise ein Computerspiel zusenden, in  welchem sich der Trojaner versteckt. «Eine weitere Möglichkeit ist die Installation vor Ort im Rahmen einer verdeckten  Polizeiaktion», so Schürmann.

Ruben Unteregger hat früher für die Schweizer Firma ERA IT Solutions gearbeitet. Bereits 2006 berichtete die «SonntagsZeitung», die  Firma habe im Auftrag des Bundes Trojaner zur Überwachung von Skype-Gesprächen entwickelt. Letzten Sommer hat Ruben  Unteregger Bausteine für solche Trojaner der Öffentlichkeit online zugänglich gemacht. Er geht davon aus, dass die Behörden zur  Einschleusung von Trojanern weniger die «klassischen Hackermethoden» verwenden würden, sondern auf die Mithilfe der Provider  zählten. «Nicht umsonst zwingt das neue Büpf diese ja zur Kooperation in diesem Punkt» (vgl. «Unternehmen zur Schnüffelei  gezwungen» weiter unten). Mithilfe der Provider könne man sich in den Datenstrom einklinken. Wolle der Nutzer ein Programm aus  dem Internet runter¬laden, könne man den Trojaner um das nachgefragte Programm herumwickeln, was eine «elegante Methode» und  nur mittelmässig aufwändig sei, so Unter¬egger. «So würden zudem Antivirenprogramme umgangen, da es sich ja um einen legitimen,  vom Benutzer initiierten Download handelt.»

Alles Kinderpornografie?
Für Viktor Györffy, Anwalt und Präsident von, hat der Einsatz von Trojanern einen grundsätzlich anderen Charakter  als die traditionelle Kommunikationsüberwachung. «Das ist, wie wenn Sie, statt die Briefe abzufangen und zu öffnen, den Schreibtisch aufbrechen und neben dem Büro gleich auch noch das Wohn- und das Schlafzimmer durchstöbern.» Man müsse sich bewusst sein, wie  zentral die Computer für die Menschen geworden sind. «In ihnen bilden sich sehr grosse Teile unseres Lebens ab.» Es handle sich hier  um einen «wahnsinnig einschneidenden Eingriff» in die Persönlichkeitsrechte eines Betroffenen, so Györffy.

Betroffen von Überwachungsmassnahmen (und damit auch von Trojaner¬angriffen) können Personen sein, bei denen der Verdacht  besteht, ein bestimmtes Delikt begangen zu haben. Die Liste der Delikte, für welche das Gesetz eine solche Überwachung zulässt,  verweist auf nicht weniger als 97 Strafartikel. Darunter Klassiker wie die Finanzierung einer terroristischen Organisation, verbotene  Pornografie oder Mitgliedschaft in einer kriminellen Organisation, aber auch schwerere Drogendelikte, Diebstahl, Veruntreuung,  Betrug, Sachbeschädigung mit hohem Schaden, unbefugte Datenbeschaffung, gewerbsmässiger Wucher, Drohung, Schreckung der  Bevölkerung oder Störung des Eisenbahnverkehrs, um nur einige Beispiele zu nennen.

Patrick Rohner vom BJ betont, dass der Trojanereinsatz nur «doppelt subsidiär» angewandt werden soll. Bereits die herkömmliche  Kommunikations¬überwachung werde nämlich nur bewilligt, wenn normale Untersuchungsmethoden nicht ausreichten. Nur wenn  auch die Kommunikationsüberwachung «erfolglos geblieben» sei, etwa wenn der Verdächtige Mails verschlüsselt, komme es zum  Einsatz der Trojaner. «Bei allen Kommunikationsüberwachungen gilt: Es braucht eine Bewilligung eines Gerichts», so Rohner. Beim  Trojaner¬einsatz «muss der Staatsanwalt zudem die Art der Daten, die er will, genau angeben». So soll vermieden werden, dass auf  Daten zugegriffen wird, die von vornherein nutzlos sind.

IT-Experte Pit Schürmann: «Ohne sich erst einmal durch die Dateien zu ackern, kann man sich kein abschliessendes Bild machen.» Es  gebe zwar Spezialprogramme, die zum Beispiel automatisiert Kinderpornografie finden würden, schliesslich könne aber nur ein  Mensch eine seriöse Durchsuchung garantieren. Viktor Györffy von «Sind die Dateien einmal durchschnüffelt, dann ist  die Privatsphäre bereits verletzt – egal, was dann weitergereicht wird und was nicht.»

Hohe Kosten
Bezüglich Aufwand rede man bei einem Trojanerangriff nicht von fünf Stunden, sondern eher von fünfzig Stunden Arbeit – «bei  Stundenansätzen von rund 250 Franken wird das schnell sehr teuer», sagt Pit Schürmann. Ruben Unteregger betont, dass man einen  Trojaner nicht einfach schreiben und dann ewig einsetzen könne. «Die Programme müssen ständig gepflegt und erweitert werden, um  mit der technischen Realität auf den Rechnern mitzuhalten.»

Patrick Rohner vom BJ zu den Kos¬ten: «Es ist teuer, weil es A-la-carte-Lösungen braucht. Die genauen Kosten kenne ich nicht. Wir  reden in einem Fall vielleicht von 10?000, in einem anderen vielleicht von nur 1000 Franken.» Die Kosten würden für die  Staatsanwälte ein weiterer Grund sein, diese Art der Überwachung sorgfältig zu prüfen, so Rohner.

Politischer Widerstand gegen die Büpf-Revision ist abzusehen. Zur Wehr setzen will sich etwa die Piratenpartei. Deren Präsident  Denis Simonet zur WOZ: «Nützt Aufklärung nichts, so halten wir uns die Möglichkeit offen, das Referendum zu ergreifen.» Simonet  weist darauf hin, dass laut Gesetzesentwurf nicht nur Verdächtige betroffen wären, sondern auch Leute aus dem engeren Umfeld der  Verdächtigten. «Man findet in jedem Umfeld jemanden, den man eines Deliktes verdächtigen kann.» Wichtig sei es, nun eine Debatte  über Überwachung an sich zu lancieren. «Schuldig ist man erst, wenn man verurteilt wurde», sagt der Piratenpräsident. «Das nennt  sich Unschuldsvermutung.»

Unternehmen zur Schnüffelei gezwungen
Heute bekommen Kommunikationsdienstleister für Überwachungen eine Entschädigung ausbezahlt. In der Praxis betrifft das vor allem  Telefon- und Mobilfunkdienstleister sowie Anbieter von Internetzugängen (Access-Provider). Letztere müssen seit April dieses Jahres  in der Lage sein, den gesamten Datenverkehr ihrer KundInnen bei Bedarf in Echtzeit mitzuschneiden, wie die WOZ letzten Sommer  enthüllte (siehe WOZ Nr. 29/09). Neu müssen die sogenannten Randdaten aller Internet-, Mobil- und TelefonnutzerInnen während  zwölf statt sechs Monaten gespeichert werden.

Die staatlichen Entschädigungen für Kommunikationsüberwachungen hingegen sollen wegfallen. Grössere Firmen protestieren bereits  dagegen. Gegenüber der «Aargauer Zeitung» sprach etwa die Cablecom von «Zusatzkosten im sechsstelligen Bereich». Die Swisscom  befürchtet, dass künftig auch die Anzahl der Behördenanfragen steigen wird.

Kommt der vorliegende Entwurf für das Gesetz zur Überwachung des Post- und Fernmeldeverkehrs (Büpf) durch, erweitert sich  zudem der Kreis jener beträchtlich, die auf eigene Kos¬ten die Überwachungsarbeit für den Staat erledigen müssen. Betroffen wären  neu alle sogenannten «reinen Serviceprovider», darunter auch Kleinstbetriebe oder Privatpersonen, die Speicherplatz für Webseiten  anbieten (Webhosting), sofern sie dies beruflich tun.

Das stellt gerade kleine Betriebe vor grosse Probleme: Silvan Gebhardt ist 23-jährig, Inhaber eines Start-up-¬Unternehmens in  Frauenfeld und spezialisiert auf Kommunikationslösungen für Unternehmen, die dank Gebhardts Firma OpenFactory über Internet¬ telefonie kommunizieren können. «Was dieses Gesetz von mir verlangt, kostet mich zwei bis drei Monatsumsätze – noch bevor  überhaupt eine Überwachung angeordnet wird.» Für seine GmbH mit zwei Angestellten sei dies «existenzbedrohend». Der  Jungunternehmer, der schon als Dreizehnjähriger IT-Dienstleistungen angeboten hat, sagt: «Sollte das Gesetz so durchkommen,  könnte ich es einfach ignorieren – und dabei eine Busse in ebenfalls existenzbedrohender Höhe riskieren.» Wer den Weisungen nicht  Folge leistet, kann laut Büpf-Entwurf mit bis zu 100 000 Franken gebüsst werden.

August 23, 2010

Hacker’s Arrest Offers Glimpse Into Crime in Russia

MOSCOW — On the Internet, he was known as BadB, a disembodied criminal flitting from one server to another selling stolen credit card numbers despite being pursued by the United States Secret Service.

A screenshot from one of the Web sites of Vladislav A. Horohorin. Agence France-Presse — Getty Images

A video on the Web site of the hacker known as BadB promotes credit card fraud. He was arrested this month in France. And in real life, he was nearly as untouchable — because he lived in Russia.

BadB’s real name is Vladislav A. Horohorin, according to a statement released last week by the United States Justice Department, and he was a resident of Moscow before his arrest by the police in France during a trip to that country earlier this month.

He is expected to appear soon before a French court that will decide on his potential extradition to the United States, where Mr. Horohorin could face up to 12 years in prison and a fine of $500,000 if he is convicted on charges of fraud and identity theft. For at least nine months, however, he lived openly in Moscow as one of the world’s most wanted computer criminals.

The seizing of BadB provides a lens onto the shadowy world of Russian hackers, the often well-educated and sometimes darkly ingenious programmers who pose a recognized security threat to online commerce — besides being global spam nuisances — who often seem to operate with relative impunity.

Law enforcement groups in Russia have been reluctant to pursue these talented authors of Internet fraud, for reasons, security experts say, of incompetence, corruption or national pride. In this environment, BadB’s network arose as “one of the most sophisticated organizations of online financial criminals in the world,” according to a statement issued by Michael P. Merritt, the assistant director of investigations for the Secret Service, which pursues counterfeiting and some electronic financial fraud.

As long ago as November 2009, the United States attorney’s office in Washington, in a sealed indictment, identified BadB as Mr. Horohorin, a 27-year-old residing in Moscow with dual Ukrainian and Israeli citizenship.

But it was not until Aug. 7 this year that Mr. Horohorin, who was traveling from Russia to France, was detained on a warrant from the United States as he boarded a plane to return to Russia at an airport in Nice, in southern France.

The Secret Service released a statement on Aug. 11, when the indictment was unsealed. Max Milien, a Secret Service spokesman in Washington, said the agency could not comment about the decision to arrest Mr. Horohorin in France.

Olga K. Shklyarova, spokeswoman for the Russian bureau of Interpol, said no American law enforcement agency had requested Mr. Horohorin’s arrest in her country. “We never received such a request,” she said by telephone.

According to the Secret Service statement, Mr. Horohorin managed Web sites for hackers who were able to steal large numbers of credit card numbers that were sold online anonymously around the globe. Those buyers would do the more dangerous work of running up fraudulent bills.

The numbers were exchanged on Web sites called CarderPlanet — and — according to the Secret Service, and payment was made indirectly through accounts at a Russian online settlement system known as Webmoney, an analogue to PayPal.

Underscoring the nationalistic tone of much of Russian computer crime, one site featured a cartoon of the Russian prime minister, Vladimir V. Putin, awarding medals to Russian hackers. “We awaiting you to fight the imperialism of the U.S.A.” the site said, in approximate English.

Mr. Horohorin lived openly in Moscow. As a foreign citizen, he registered with the police, according to Dmitri Zakharov, a spokesman for the Russian Association of Electronic Communication, an industry lobby for legitimate Russian Internet businesses, who cited a database of such registries. A phone number for Mr. Horohorin was out of service Thursday.

Arrests in Russia for computer crimes are rare, even when hackers living in Russia have been publicly identified by outside groups, like Spamhaus, a nonprofit group in Geneva and in London that tracks sources of spam.

The F.B.I. in 2002 resorted to luring a Russian suspect, Vasily Gorshkov, to the United States with a fake offer of a job interview (with a fictitious Internet company called Invita), rather than ask the Russian police for help. To obtain evidence in the case, F.B.I. computer experts had hacked into Mr. Gorshkov’s computer in Russia. When this was revealed, Russian authorities expressed anger that the F.B.I. had resorted to a cross-border tactic.

Online fraud is not a high priority for the Russian police, Mr. Zakharov said, because most of it is aimed at computer users in Europe or the United States. “This is a main reason why spammers are not arrested,” he said.

Politics may also play a role. Vladimir Sokolov, deputy director of the Institute of Information Security, a Russian research organization, said the United States and Russia were still at odds on basic issues of computer security, although the differences were narrowing.

The United States tends to view computer security as a law enforcement matter. Russia has pushed for an international treaty that would regulate the use of online weapons by military or espionage agencies. Last year the United States opened talks on a treaty, but it has continued to press for closer law enforcement cooperation, Mr. Sokolov said.

Computer security researchers have raised a more sinister prospect: that criminal spamming gangs have been co-opted by the intelligence agencies in Russia, which provide cover for their activities in exchange for the criminals’ expertise or for allowing their networks of virus-infected computers to be used for political purposes — to crash dissident Web sites, perhaps.

Sometimes, the collateral damage for online business is immediate. A year ago, for example, hackers used a network of infected computers to direct huge amounts of junk traffic at the social networking accounts of a 34-year-old political blogger in Georgia, a country that fought a war with Russia in 2008. The attack, though, spun out of control and briefly crashed the global service of Twitter and slowed Facebook and LiveJournal, affecting tens of millions of computer users worldwide.

The Russian authorities have repeatedly denied that the state has any connection to such attacks. Spamhaus says 7 of the top 10 spammers in the world are based in the former Soviet Union, in Ukraine, Russia and Estonia.

More ominously, Western law enforcement agencies have traced a code intended for breaking into banking sites to Russian programming.

In 2007, Swedish experts identified a Russian hacker known only by his colorful sobriquet — the Corpse — as the author of a virus that logged keystrokes on personal computers to capture passwords for Nordea, a Swedish bank, and the accounts were drained of about $1 million.

For a time, these rogue programs were openly for sale on a Russian Web site. The home page displayed an illustration of Lenin making a rude gesture.

Since Mr. Horohorin’s arrest, the Web site has gone dark. But through Monday, at least, its CarderPlanet counterpart, the Russian site, was still open for business.

NZZ am Sonntag    26. September 2010

«Hier war ein Expertenteam am Werk»
Stuxnet, ein gefährlicher Computerwurm
 Von Andreas Hirstein

Erstmals befällt ein Computerschädling die digitalen Steuerungen von Industrieanlagen. In Zukunft könnten Kernkraftwerke und Chemieanlagen zum Ziel von Hackern werden.
Das Kernkraftwerk in Bushehr: ein Ziel von Hackern westlicher Geheimdienste? (Bild: Reuters)

Wovor Sicherheitsexperten seit Jahren warnen, das ist nun eingetreten: Erstmals ist ein Computerschädling aufgetaucht, der digitale Steuerungen von Industrieanlagen angreift. Solche Systeme haben in der Regel zwar keinen direkten Zugang zum Internet. Sie sind in allen Industriebranchen mittlerweile aber allgegenwärtig: Sie kontrollieren chemische Prozesse, steuern den Betrieb von Kraftwerken und elektrischen Netzen und die Druckmaschinen, die (hoffentlich) diesen Text aufs Papier bringen.

Von der neuartigen Schadsoftware betroffen sind Systeme der Firma Siemens, die in diesem Bereich Weltmarktführer ist und die daher bevorzugtes Ziel von Angriffen ist. Im Umlauf scheint Stuxnet, so der Name des Computerwurms, bereits seit vergangenem Jahr zu sein, entdeckt wurde er aber erst im Juni dieses Jahres von einem weissrussischen Antiviren-Software-Hersteller.

Interessant ist die geografische Verteilung der infizierten Windows-Rechner. Demnach scheint sich der Schädling vor allem in Iran zu verbreiten. Deshalb spekulieren Sicherheitsexperten, dass Stuxnet ein Werk des amerikanischen oder israelischen Geheimdienstes sein könnte und das iranische Nuklearprogramm sabotieren soll. Der Schädling solle entweder den Atomreaktor in Bushehr oder die iranischen Nuklear-Zentrifugen lahmlegen, wird gemutmasst. Doch für diese These gibt es bis jetzt keine Beweise.

(Bild: NZZ am Sonntag)

Komplexer Schädling
Stuxnet gilt als einer der komplexesten Computerschädlinge, die jemals entdeckt wurden. «Nach der von uns durchgeführten Analyse können wir feststellen, dass Stuxnet kein zufälliges Produkt eines Hackers sein kann», sagt Wieland Simon von Siemens. «Hier muss ein grösseres Expertenteam am Werk gewesen sein.» Offenbar waren Ingenieure aus ganz unterschiedlichen Bereichen beteiligt – neben Windows-Programmierern auch Fachleute der Automatisierungstechnik und von grossen Industrieanlagen. Nur ein solches Team ist in der Lage, einen Schädling zu programmieren, der nacheinander mehrere technisch sehr unterschiedliche Hürden überwindet.

Die Malware verbreitet sich im ersten Schritt über infizierte USB-Sticks. Verantwortlich dafür ist eine zuvor unbekannte Sicherheitslücke im Betriebssystem Windows: Allein das Betrachten des USB-Speichers genügt, um den Wurm zu aktivieren. Das Öffnen einer Datei oder Starten eines Programms ist nicht erforderlich. Microsoft hat diese Lücke am 8. August geschlossen.

Sobald sich der Wurm auf einem PC eingenistet hat, gilt sein eigentliches Interesse den sogenannten speicherprogrammierten Steuerungen (SPS). Dabei handelt es sich um spezialisierte Computer, die industrielle Prozesse überwachen und steuern. Sie messen Temperaturen, Drücke, elektrische Ströme und Spannungen und greifen korrigierend ein. Sie erfüllen diese Aufgaben autonom, folgen dabei aber den Regeln, die ihnen von einem PC mitgeteilt wurden. Ist dieser infiziert, kann es gefährlich werden.

Der Stuxnet-Wurm sucht auf einem infizierten PC nach speziellen Siemens-Programmen, die für die Kommunikation des PC mit den SPS zuständig sind. Wird er fündig, kann er den Datenverkehr beliebig manipulieren und – unbemerkt – die Programmierung der SPS verändern. Theoretisch kann der Schädling auf diese Weise Regeln definieren, die die Industrieanlage zerstören und dabei die Umwelt schädigen.

Auch mit ihren Schöpfern scheint die Malware kommunizieren zu wollen. «Stuxnet versucht, mit einem Server im Internet Kontakt aufzunehmen», sagt Wieland Simon. Allerdings sei dieser Server anscheinend nie aktiv gewesen, so dass keine Kommunikation zustande gekommen sei.

Bisher keine Schäden
Die Spekulationen, dass Iran das Ziel des Angriffs ist, konnte Siemens nicht bestätigen. «Wir waren weder direkt noch indirekt am Bau des Kernkraftwerks in Bushehr beteiligt», sagt Simon. Obwohl weltweit Zehntausende PC infiziert wurden, konnte der Schädling bisher nur auf 15 Industrieanlagen nachgewiesen werden, 5 davon in Deutschland. «Die übrigen Systeme befinden sich in Ost- und Westeuropa», sagt Simon, und in keinem Fall sei ein Kraftwerk betroffen gewesen. «Bisher sind keine Schäden aufgetreten», sagt Simon. Denn offenbar ist der Schädling nur gegen ganz spezifische Industrieanlagen gerichtet. Solange er nicht auf diese trifft, passiert gar nichts. Wie das Ziel des Wurms genau aussehen könnte, weiss Siemens laut eigenen Angaben aber nicht.

Für den Sicherheitsexperten Stefan Frei von der dänischen Firma Secunia ist der Stuxnet-Angriff keine Überraschung. «So etwas musste irgendwann kommen», sagt Frei. Ungewöhnlich findet er die hohe Komplexität des Schädlings, der gleich vier verschiedene Sicherheitslücken von Windows ausnutze. «Ein normaler Hacker würde kaum einen solchen Aufwand treiben.» Denn schon für das Wissen von einer Lücke und wie man sie ausnutzt, würden auf dem Schwarzmarkt im Internet bis zu 100 000 Dollar verlangt. Die Sicherheit von industriellen Steuerungen sei in der Vergangenheit vernachlässigt worden, meint Frei. «Man hat diese Systeme nicht als das gesehen, was sie sind: vernetzte und programmierbare Computer, deren Funktion von Hackern verändert werden kann.»

Frankfurter Allgemeine Zeitung    26.September 20010

Der Trojaner: Rätselhaftes Schadprogramm Stuxnet
In Iran sind offenbar 30.000 Rechner in Industrieanlagen mit dem Trojaner infiziert.
Über Beweggründe, Absichten und Schöpfer gibt es bislang nur Spekulationen.
Sicher ist aber, dass er über Siemens-Steuerungssoftware in die Systeme gelangt.
Von Rüdiger Köhn

Das iranische Atomkraftwerk Buschehr - die Regierung bestätigte einen Cyber-Angriff auf ihre Industrieanlagen

26. September 2010 Noch weiß niemand, was der mysteriöse Code „DEADF700“ bewirken wird. Er ist eines der letzten gesendeten Kommandos, die das rätselhafte Schadprogramm Stuxnet in Gang setzt. Iran hat am Samstag offiziell zugegeben, Ziel einer Attacke von Stuxnet gewesen zu sein. Ein Informationstechnik-Experte des iranischen Ministeriums für Bodenschätze sagte, dass 30.000 Rechner in heimischen Industrieanlagen mit dem Trojaner infiziert worden seien. Viele der Kontrollsysteme für die Industrieanlagen stammten von Siemens. Stuxnet greife speziell diese Systeme an und übermittle Daten ins Ausland.

Sollten diese Angaben stimmen, wäre das Land im Mittleren Osten Hauptadressat der Mitte Juli aufgedeckten gezielten Trojaner-Angriffe gegen Steuerprogramme industrieller Prozessanlagen. Zwei Drittel aller bislang bekannten Fälle der 45.000 befallenen industriellen Kontrollsysteme auf der Welt betreffen somit Iran. Noch immer ist unklar, wer und was hinter Stuxnet steht. Über Beweggründe, Absichten, Ziele und Schöpfer kann es nur Spekulationen geben, die Experten aufgrund von Plausibilitäten ableiten. Viele der Kontrollsysteme für die angegriffenen Industrieanlagen stammen von Siemens.

Stuxnet greift in Prozesse ein
Langner Communications, eine Hamburger Unternehmensberatung für sichere Industrienetze, hat die Schadsoftware Stuxnet entschlüsselt und festgestellt, dass der Code „DEADF700“ eines der letzten Kommandos ist, kurz bevor „irgendetwas in die Luft geht“. Der Trojaner manipuliert schnell laufende Prozesse wie Turbinen, die Zufuhr von Schmiermitteln oder Ölen in der industriellen Produktion. Es könnte in Raffinerien geschehen, in der Chemieindustrie oder Kernkraftwerken; etwa in dem gerade in Betrieb gegangenen Buschehr in Iran, das amerikanische Geheimdienstorganisationen sabotieren wollten, so eine der Spekulationen.

Sicher ist nur, dass Stuxnet über die Steuerungssoftware WinCC des Siemens-Konzerns ans Ziel gelangt. Das ist ein Visualisierungssystem, das ständig aktualisierte Prozessdaten grafisch anzeigt, in Leitständen mit großen Bildschirmen eines Kraftwerkes oder einer Raffinerie etwa. So soll eine effektive Kontrolle von Produktionsprozessen ermöglicht werden. Damit laufen alle notwendigen Daten eines komplexen Vorgangs über dieses System. Unter dem Namen Simatic ist es eines der meistverkauften Industrieprozesssysteme. Was das Betriebssystem Windows von Microsoft für die Computerwelt ist, ist Siemens WinCC für die Prozesstechnik. Deshalb nutzt Stuxnet diese Plattform und Windows gleich mit: Denn der Trojaner wird über einen USB-Stick in einen Computer installiert und nicht über das Internet.

Zum Thema
Iran bestätigt Cyber-Angriff durch „stuxnet“
Der Trojaner „stuxnet“: Der digitale Erstschlag ist erfolgt
Interview mit Viren-Spezialist: „Es werden Schwachstellen auf den Servern gesucht“
Conficker: Wer hat Angst vorm bösen Wurm?
Erschaffer und Ziel bleiben unbekannt
Iran bevorzugt die Siemens WinCC, die nicht unbedingt direkt vom deutschen Industriekonzern geliefert, sondern über Umwege beschafft werden. Dass es sich allerdings nicht um eine reine Siemens-Angelegenheit handelt, zeigte die Joe-Weiss-Fachtagung für industrielle Prozesssteuerung im amerikanischen Rockville in der vergangenen Woche, wo Stuxnet das Thema war. Alle Anbieter solcher Kontrollprodukte saßen dort, diskutierten und rätselten: die schwedisch-schweizerische ABB etwa, Rockwell und Emerson aus den Vereinigten Staaten, Mitsubishi und Hitachi aus Japan oder der südkoreanische Werkzeugmaschinenbauer Fanuc.

Simatic ist aber der industrielle Weltstandard, weshalb sich die Bemühungen der Abwehrmaßnahmen auf Siemens und Microsoft konzentrierten. Formal wurde der Verbreitungsweg am 8. August geschlossen: Siemens und Microsoft haben ein Antivirenprogramm entwickelt, wobei der Münchener Konzern schon seinen Simatic-Kunden eine Lösung am 22. Juli anbieten konnte. Der Virus wurde analysiert und ein Gegenmittel entwickelt. Das aber ändert nichts an der Tatsache, dass über Ursache, Erschaffer und Ziel weiterhin Unklarheit besteht. Auch die Tatsache, dass nur in den wenigsten Fällen der Trojaner ausfindig gemacht wurde, muss nicht beruhigen.

Nach Angaben eines Unternehmenssprechers wurde das Antivirenprogramm weltweit von 12.000 Kunden abgerufen. In nur 15 Fällen aber war eine Infektion mit Stuxnet festzustellen, fünf davon in Deutschland. Der Trojaner wurde vernichtet. Nach den Sicherheitsvorschriften kann der Trojaner auch nicht in ein Kernkraftwerk eindringen. Erstens ist Windows in den dortigen Leitwarten nicht zugelassen; zweitens gibt es keine Anschlussmöglichkeiten für USB-Sticks. Normalerweise, denn nicht ausgeschlossen ist nämlich, dass in der Peripherie und in Hilfssystemen außerhalb des Kernbereiches eines Atomkraftwerkes doch Windows-basierte Systeme angewendet werden. Selbst wenn diese nichts mit dem Betrieb des Kernkraftwerkes zu tun haben, besteht die Gefahr einer Verbindung, womit der Virus Zugang erhält.

Den Trojaner zu finden entspricht einem „Sechser im Lotto“
Siemens habe nur bis zu einem gewissen Punkt vordringen können, heißt es dort. Denn Stuxnet ist ein komplexes Gebilde mit eigenen Schutzmechanismen, damit er nicht entdeckt werden kann. Der Trojaner sucht sich eine ganz spezielle Konfiguration von Systemen, Mustern und Baugruppen, und das erfolgt gezielt über die Siemens WinCC. Das Auffinden genau dieser Konfiguration käme einem Sechser im Lotto gleich, sagt ein Unternehmenssprecher. Die vom Trojaner anvisierte Konstellation muss zudem aktiv sein, um sie zu finden. Das aber wird bislang vermieden.

Seit Anfang September seien keine neuen Fälle bekanntgeworden, betont Siemens. Und es habe auch bisher keine Auswirkungen auf das Geschäft mit den Siemens-Prozesssystemen gegeben. Wie auch. Das wäre das Gleiche, als würden die Kunden die Microsoft-Betriebssysteme nicht mehr kaufen, weil ständig Hacker-Angriffe erfolgen. Beruhigend ist das nicht. Experten sind überzeugt, dass Stuxnet längst sein Ziel erreicht hat. Es könne, wenn sein Schöpfer will, jederzeit eine Verbindung zum Zielsystem aufbauen. Auch das Bundesamt für Sicherheit in der Informationstechnik (BSI) hat alles andere als Ermutigendes parat, was selbst Siemens und Microsoft verblassen lässt. Alle zwei Sekunden, sagt ein BSI-Sprecher, gebe es eine neue Variante von bestehenden Schadprogrammen oder Viren. Da würden die getroffenen Gegenmaßnahmen nicht mehr greifen. „DEADF700“ wartet noch.

September 26, 2010

A Silent Attack, but Not a Subtle One

Iran’s Natanz nuclear enrichment site is the focus of speculation about the intended target of a broad and unsubtle cyberattack. Majid Saeedi/Getty Images

AS in real warfare, even the most carefully aimed weapon in computer warfare leaves collateral damage. The Stuxnet worm was no different.

The most striking aspect of the fast-spreading malicious computer program — which has turned up in industrial programs around the world and which Iran said had appeared in the computers of workers in its nuclear project — may not have been how sophisticated it was, but rather how sloppy its creators were in letting a specifically aimed attack scatter randomly around the globe.

The malware was so skillfully designed that computer security specialists who have examined it were almost certain it had been created by a government and is a prime example of clandestine digital warfare. While there have been suspicions of other government uses of computer worms and viruses, Stuxnet is the first to go after industrial systems. But unlike those other attacks, this bit of malware did not stay invisible.

If Stuxnet is the latest example of what a government organization can do, it contains some glaring shortcomings. The program was splattered on thousands of computer systems around the world, and much of its impact has been on those systems, rather than on what appears to have been its intended target, Iranian equipment. Computer security specialists are also puzzled by why it was created to spread so widely.

Global alarm over the deadly computer worm has come many months after the program was suspected of stealthily entering an Iranian nuclear enrichment plant, perhaps carried on a U.S.B. memory drive containing the malware.

Computer security specialists have speculated that once inside the factory and within the software that controls equipment, the worm reprogrammed centrifuges made by a specific company, Siemens, to make them fail in a way that would be virtually undetectable. Whether the program achieved its goal is not known.

Much speculation about the target has focused on the Iran nuclear plant at Natanz. In mid-July the Wikileaks Web site reported that it had learned of a serious nuclear accident at the plant. But international nuclear inspectors say no evidence of one exists.

The timing is intriguing because a time stamp found in the Stuxnet program says it was created in January, suggesting that any digital attack took place long before it was identified and began to attract global attention.

The head of the Bushehr nuclear plant in Iran said Sunday that the worm had affected only the personal computers of staff members, Reuters reported. Western nations say they do not believe Bushehr is being used to develop nuclear weapons. Citing the state-run newspaper Iran Daily, Reuters reported that Iran’s telecommunications minister, Reza Taghipour, said the worm had not penetrated or caused “serious damage to government systems.”

Siemens has said that the worm was found in only 15 plants around the world using its equipment and that no factory’s operations were affected. But now the malware not only is detectable, but also is continuing to spread through computer systems around the world through the Internet.

It is also raising fear of dangerous proliferation. Stuxnet has laid bare significant vulnerabilities in industrial control systems. The program is being examined for clues not only by the world’s computer security companies, but also by intelligence agencies and countless hackers.

“Proliferation is a real problem, and no country is prepared to deal with it,” said Melissa Hathaway, a former United States national cybersecurity coordinator. The widespread availability of the attack techniques revealed by the software has set off alarms among industrial control specialists, she said: “All of these guys are scared to death. We have about 90 days to fix this before some hacker begins using it.”

The ability of Stuxnet to infiltrate these systems will “require a complete reassessment” of security systems and processes, starting with federal technology standards and nuclear regulations, said Joe Weiss, a specialist in the security of industrial control systems who is managing partner at Applied Control Solutions in Cupertino, Calif.

One big question is why its creators let the software spread widely, giving up many of its secrets in the process.

One possibility is that they simply did not care. Their government may have been so eager to stop the Iranian nuclear program that the urgency of the attack trumped the tradecraft techniques that traditionally do not leave fingerprints, digital or otherwise.

While much has been made in the news media of the sophistication of Stuxnet, it is likely that there have been many other attacks of similar or even greater sophistication by intelligence agencies from many countries in the past. What sets this one apart is that it became highly visible.

Security specialists contrast Stuxnet with an intrusion discovered in the Greek cellphone network in March 2005. It also displayed a level of skill that only the intelligence agency of some foreign power would have.

A two-year investigation by the Greek government found an extremely sophisticated Trojan horse program that had been hidden by someone who was able to modify and then insert 29 secret programs into each of four telephone switching computers.

The spy system came apart only when a software upgrade provided by the manufacturer led to some text messages, sent from the system of another cellphone operator, being undelivered. The level of skill needed to pull off the operation and the targets strongly indicated that the culprit was a government. An even more remarkable set of events surrounded the 2007 Israeli Air Force attack on what was suspected of being a Syrian nuclear reactor under construction.

Accounts of the event initially indicated that sophisticated jamming technology had been used to blind the radar so Israeli aircraft went unnoticed. Last December, however, a report in an American technical publication, IEEE Spectrum, cited a European industry source as raising the possibility that the Israelis had used a built-in kill switch to shut down the radar.

A former member of the United States intelligence community said that the attack had been the work of Israel’s equivalent of America’s National Security Agency, known as Unit 8200.

But if the attack was based on a worm or a virus, there was never a smoking gun like Stuxnet.

Kevin O’Brien contributed reporting from Berlin.

Financial Times    September 27, 2010

Virus hits Iran nuclear programme
By Daniel Dombey in Washington and agencies

Iran confirmed on Sunday that its nuclear programme had been affected by a mysterious computer virus, but sought to play down the impact.

Mahmoud Jafari, head of the Bushehr nuclear power plant, said the Stuxnet worm had only affected staff computers rather than the system running the reactor itself.

.“A team is inspecting several computers to remove the malware ... Major systems of the plant have not been damaged,” he told the official IRNA news agency.

But Iran’s state-run Mehr news agency reported that the IP addresses of 30,000 computer systems infected by the worm had also been detected.

Stuxnet, the first program designed to cause serious damage in the physical world, has hit an unknown number of power plants, pipelines and factories over the past year.

Since Iran has suffered most of the infections, questions have been raised about whether the virus is connected to western governments’ top secret sabotage campaign against Tehran’s nuclear programme.

Ashgear Zarean, deputy head of Iran’s Atomic Energy Agency, insisted that precautions had prevented the worm from hitting Bushehr.

“It is expected that the vigilance and skills of Iranian experts would once again thwart the cyber-warfare of the enemies,” he said

September 29, 2010

In a Computer Worm, a Possible Biblical Clue

Deep inside the computer worm that some specialists suspect is aimed at slowing Iran’s race for a nuclear weapon lies what could be a fleeting reference to the Book of Esther, the Old Testament tale in which the Jews pre-empt a Persian plot to destroy them.

That use of the word “Myrtus” — which can be read as an allusion to Esther — to name a file inside the code is one of several murky clues that have emerged as computer experts try to trace the origin and purpose of the rogue Stuxnet program, which seeks out a specific kind of command module for industrial equipment.

Not surprisingly, the Israelis are not saying whether Stuxnet has any connection to the secretive cyberwar unit it has built inside Israel’s intelligence service. Nor is the Obama administration, which while talking about cyberdefenses has also rapidly ramped up a broad covert program, inherited from the Bush administration, to undermine Iran’s nuclear program. In interviews in several countries, experts in both cyberwar and nuclear enrichment technology say the Stuxnet mystery may never be solved.

There are many competing explanations for myrtus, which could simply signify myrtle, a plant important to many cultures in the region. But some security experts see the reference as a signature allusion to Esther, a clear warning in a mounting technological and psychological battle as Israel and its allies try to breach Tehran’s most heavily guarded project. Others doubt the Israelis were involved and say the word could have been inserted as deliberate misinformation, to implicate Israel.

“The Iranians are already paranoid about the fact that some of their scientists have defected and several of their secret nuclear sites have been revealed,” one former intelligence official who still works on Iran issues said recently. “Whatever the origin and purpose of Stuxnet, it ramps up the psychological pressure.”

So a calling card in the code could be part of a mind game, or sloppiness or whimsy from the coders.

The malicious code has appeared in many countries, notably China, India, Indonesia and Iran. But there are tantalizing hints that Iran’s nuclear program was the primary target. Officials in both the United States and Israel have made no secret of the fact that undermining the computer systems that control Iran’s huge enrichment plant at Natanz is a high priority. (The Iranians know it, too: They have never let international inspectors into the control room of the plant, the inspectors report, presumably to keep secret what kind of equipment they are using.)

The fact that Stuxnet appears designed to attack a certain type of Siemens industrial control computer, used widely to manage oil pipelines, electrical power grids and many kinds of nuclear plants, may be telling. Just last year officials in Dubai seized a large shipment of those controllers — known as the Simatic S-7 — after Western intelligence agencies warned that the shipment was bound for Iran and would likely be used in its nuclear program.

“What we were told by many sources,” said Olli Heinonen, who retired last month as the head of inspections at the International Atomic Energy Agency in Vienna, “was that the Iranian nuclear program was acquiring this kind of equipment.”

Also, starting in the summer of 2009, the Iranians began having tremendous difficulty running their centrifuges, the tall, silvery machines that spin at supersonic speed to enrich uranium — and which can explode spectacularly if they become unstable. In New York last week, Iran’s president, Mahmoud Ahmadinejad, shrugged off suggestions that the country was having trouble keeping its enrichment plants going.

Yet something — perhaps the worm or some other form of sabotage, bad parts or a dearth of skilled technicians — is indeed slowing Iran’s advance.

The reports on Iran show a fairly steady drop in the number of centrifuges used to enrich uranium at the main Natanz plant. After reaching a peak of 4,920 machines in May 2009, the numbers declined to 3,772 centrifuges this past August, the most recent reporting period. That is a decline of 23 percent. (At the same time, production of low-enriched uranium has remained fairly constant, indicating the Iranians have learned how to make better use of fewer working machines.)

Computer experts say the first versions of the worm appeared as early as 2009 and that the sophisticated version contained an internal time stamp from January of this year.

These events add up to a mass of suspicions, not proof. Moreover, the difficulty experts have had in figuring out the origin of Stuxnet points to both the appeal and the danger of computer attacks in a new age of cyberwar.

For intelligence agencies they are an almost irresistible weapon, free of fingerprints. Israel has poured huge resources into Unit 8200, its secretive cyberwar operation, and the United States has built its capacity inside the National Security Agency and inside the military, which just opened a Cyber Command.

But the near impossibility of figuring out where they came from makes deterrence a huge problem — and explains why many have warned against the use of cyberweapons. No country, President Obama was warned even before he took office, is more vulnerable to cyberattack than the United States.

For now, it is hard to determine if the worm has infected centrifuge controllers at Natanz. While the S-7 industrial controller is used widely in Iran, and many other countries, even Siemens says it does not know where it is being used. Alexander Machowetz, a spokesman in Germany for Siemens, said the company did no business with Iran’s nuclear program. “It could be that there is equipment,” he said in a telephone interview. “But we never delivered it to Natanz.”

But Siemens industrial controllers are unregulated commodities that are sold and resold all over the world — the controllers intercepted in Dubai traveled through China, according to officials familiar with the seizure.

Ralph Langner, a German computer security consultant who was the first independent expert to assert that the malware had been “weaponized” and designed to attack the Iranian centrifuge array, argues that the Stuxnet worm could have been brought into the Iranian nuclear complex by Russian contractors.

“It would be an absolute no-brainer to leave an infected USB stick near one of these guys,” he said, “and there would be more than a 50 percent chance of having him pick it up and infect his computer.”

There are many reasons to suspect Israel’s involvement in Stuxnet. Intelligence is the single largest section of its military and the unit devoted to signal, electronic and computer network intelligence, known as Unit 8200, is the largest group within intelligence.

Yossi Melman, who covers intelligence for the newspaper Haaretz and is at work on a book about Israeli intelligence over the past decade, said in a telephone interview that he suspected that Israel was involved.

He noted that Meir Dagan, head of Mossad, had his term extended last year partly because he was said to be involved in important projects. He added that in the past year Israeli estimates of when Iran will have a nuclear weapon had been extended to 2014.

“They seem to know something, that they have more time than originally thought,” he said.

Then there is the allusion to myrtus — which may be telling, or may be a red herring.

Several of the teams of computer security researchers who have been dissecting the software found a text string that suggests that the attackers named their project Myrtus. The guava fruit is part of the Myrtus family, and one of the code modules is identified as Guava.

It was Mr. Langner who first noted that Myrtus is an allusion to the Hebrew word for Esther. The Book of Esther tells the story of a Persian plot against the Jews, who attacked their enemies pre-emptively.

“If you read the Bible you can make a guess,” said Mr. Langner, in a telephone interview from Germany on Wednesday.

Carol Newsom, an Old Testament scholar at Emory University, confirmed the linguistic connection between the plant family and the Old Testament figure, noting that Queen Esther’s original name in Hebrew was Hadassah, which is similar to the Hebrew word for myrtle. Perhaps, she said, “someone was making a learned cross-linguistic wordplay.”

But other Israeli experts said they doubted Israel’s involvement. Shai Blitzblau, the technical director and head of the computer warfare laboratory at Maglan, an Israeli company specializing in information security, said he was “convinced that Israel had nothing to do with Stuxnet.”

“We did a complete simulation of it and we sliced the code to its deepest level,” he said. “We have studied its protocols and functionality. Our two main suspects for this are high-level industrial espionage against Siemens and a kind of academic experiment.”

Mr. Blitzblau noted that the worm hit India, Indonesia and Russia before it hit Iran, though the worm has been found disproportionately in Iranian computers. He also noted that the Stuxnet worm has no code that reports back the results of the infection it creates. Presumably, a good intelligence agency would like to trace its work.

Ethan Bronner contributed reporting from Israel, and William J. Broad from New York.

Tages-Anzeiger    1.Oktober 2010

Bündnis gegen Cyberattacken
Die NATO soll sich nach Ansicht ihres Generalsekretärs Anders Fogh Rasmussen in Zukunft
nicht nur gegen militärische Angriffe, sondern auch gegen Attacken über das Internet gemeinsam verteidigen.

Vorbereitung gegen den Krieg im Internet: Mit der Abwehr von Internet-Angriffen geht NATO-Generalsekretär Anders Fogh Rasmussen insbesondere auf Forderungen osteuropäischer Mitgliedstaaten ein.

45'000 Computer von Stuxnet befallen
Computervirus mutierte mehrmals
Computerwurm wird zur globalen Bedrohung
Computerwurm Stuxnet: Spuren führen nach Israel
Bildstrecke Der Hackerreport "Die Welthauptstadt der Cyberterroristen"
Die NATO nimmt Attacken aus dem Internet ins Visier. Die Abwehr sogenannter Cyber-Angriffe ist nach Angaben von NATO-Diplomaten von Freitag Teil des neuen strategischen Konzepts des Bündnisses, welches der NATO-Gipfel im November in Lissabon verabschieden soll.

Generalsekretär Anders Fogh Rasmussen geht darin nach Presseinformationen auch auf deutsche Forderungen zur nuklearen Abrüstung ein. Die Diplomaten bestätigten einen Bericht der «Süddeutschen Zeitung» vom Donnerstag, wonach Internet-Attacken Teil des Konzepts sind, welches Rasmussen zu Wochenbeginn den 28 Bündnisstaaten vorgelegt hatte.

Bereits mehrere Attacken
Welche Gefahren aus dem Internet drohen, verdeutlicht der Computervirus Stuxnet, der jüngst in Rechnern von Industrieanlagen im Iran sowie in Indien, China, Pakistan und Indonesien auftauchte. Im schlimmsten Fall könnten Industrieanlagen zerstört werden, wenn ein Angreifer über das Virus die Kontrolle über sie übernimmt.

Mit der Abwehr von Internet-Angriffen geht NATO-Generalsekretär Rasmussen insbesondere auf Forderungen osteuropäischer Mitgliedstaaten ein. 2007 legten Hacker Server in Estland lahm, die Spur liess sich nach estnischen Angaben bis nach Russland zurückverfolgen. Die USA halten derzeit mit Beteiligung von zwölf europäischen Ländern eine Übung namens «Cyber Storm III» ab, welche eine gross angelegte Attacke auf die amerikanische Infrastruktur simuliert.

«Gute Basis für Gespräche»
Es sei aber falsch, das neue NATO-Konzept allein auf den Aspekt der Cyber-Angriffe zu reduzieren, warnte ein Diplomat. Die neue Strategie soll das alte Konzept von 1999 ablösen, das noch stark dem Geist der Jahre nach dem Kalten Krieg verhaftet ist. Das Dokument unterliegt strenger Geheimhaltung.

Bundesaussenminister Guido Westerwelle (FDP) hatte Rasmussens Vorschläge zu Wochenbeginn als «gute Basis für Gespräche» begrüsst. Der dänische Generalsekretär hofft, am 14. Oktober in Brüssel die Zustimmung der Aussen- und Verteidigungsminister aller 28 Bündnisländer zu erhalten. Nach Angabe eines Diplomaten dringen aber noch eine Reihe von Delegationen auf Textänderungen.

Forderung nach Abzug aller Nuklearsprengköpfe
Grundsätzlich umstritten ist zwischen den Bündnisländern, welche Rolle den Nuklearwaffen zukommen soll. Nach einem Bericht des «International Herald Tribune» vom Donnerstag geht Rasmussen in dem Konzept auf Westerwelles Ruf nach nuklearer Abrüstung ein. Details nannte das Blatt nicht.

Der von Westerwelle geforderte Abzug aller Nuklearsprengköpfe aus Europa ist im Bündnis umstritten. Die USA und auch Rasmussen hielten dies bisher für den falschen Weg und plädierten für die Beibehaltung eines Abschreckungspotenzials. Die Atommacht Frankreich will zudem verhindern, dass die NATO Einfluss auf ihr Arsenal bekommt. Schrittweiser Abzug aus Afghanistan

Das neue strategische Konzept basiert auf einem im Mai vorgelegten Bericht einer hochrangigen Arbeitsgruppe um die frühere US-Aussenministerin Madeleine Albright. Rasmussen kündigte bereits damals an, die NATO behalte sich auch künftig neue Einsätze ausserhalb ihres Bündnisgebietes nach dem Beispiel Afghanistans vor. Die Allianz habe aber nicht den Ehrgeiz, «Weltpolizist» zu werden.

Die NATO bereitet derzeit einen schrittweisen Abzug aus Afghanistan vor. Der Internationalen Afghanistan-Truppe (ISAF) unter Führung des Bündnisses gehören rund 120.000 Soldaten an. Die Zahl der Bundeswehr-Soldaten soll bis Ende Oktober zunächst noch einmal auf rund 5000 ansteigen. (rek/afp)

The New Yorker    November 1, 2010

Annals of National Security
The Online Threat: Should we be worried about a cyber war?
Some experts say that the real danger lies in confusing cyber espionage with cyber war.
by Seymour M. Hersh

On April 1, 2001, an American EP-3E Aries II reconnaissance plane on an eavesdropping mission collided with a Chinese interceptor jet over the South China Sea, triggering the first international crisis of George W. Bush’s Administration. The Chinese jet crashed, and its pilot was killed, but the pilot of the American aircraft, Navy Lieutenant Shane Osborn, managed to make an emergency landing at a Chinese F-8 fighter base on Hainan Island, fifteen miles from the mainland. Osborn later published a memoir, in which he described the “incessant jackhammer vibration” as the plane fell eight thousand feet in thirty seconds, before he regained control.

The plane carried twenty-four officers and enlisted men and women attached to the Naval Security Group Command, a field component of the National Security Agency. They were repatriated after eleven days; the plane stayed behind. The Pentagon told the press that the crew had followed its protocol, which called for the use of a fire axe, and even hot coffee, to disable the plane’s equipment and software. These included an operating system created and controlled by the N.S.A., and the drivers needed to monitor encrypted Chinese radar, voice, and electronic communications. It was more than two years before the Navy acknowledged that things had not gone so well. “Compromise by the People’s Republic of China of undestroyed classified material . . . is highly probable and cannot be ruled out,” a Navy report issued in September, 2003, said.

The loss was even more devastating than the 2003 report suggested, and its dimensions have still not been fully revealed. Retired Rear Admiral Eric McVadon, who flew patrols off the coast of Russia and served as a defense attaché in Beijing, told me that the radio reports from the aircraft indicated that essential electronic gear had been dealt with. He said that the crew of the EP-3E managed to erase the hard drive—“zeroed it out”—but did not destroy the hardware, which left data retrievable: “No one took a hammer.” Worse, the electronics had recently been upgraded. “Some might think it would not turn out as badly as it did, but I sat in some meetings about the intelligence cost,” McVadon said. “It was grim.”

The Navy’s experts didn’t believe that China was capable of reverse-engineering the plane’s N.S.A.-supplied operating system, estimated at between thirty and fifty million lines of computer code, according to a former senior intelligence official. Mastering it would give China a road map for decrypting the Navy’s classified intelligence and operational data. “If the operating system was controlling what you’d expect on an intelligence aircraft, it would have a bunch of drivers to capture radar and telemetry,” Whitfield Diffie, a pioneer in the field of encryption, said. “The plane was configured for what it wants to snoop, and the Chinese would want to know what we wanted to know about them—what we could intercept and they could not.” And over the next few years the U.S. intelligence community began to “read the tells” that China had access to sensitive traffic.

The U.S. realized the extent of its exposure only in late 2008. A few weeks after Barack Obama’s election, the Chinese began flooding a group of communications links known to be monitored by the N.S.A. with a barrage of intercepts, two Bush Administration national-security officials and the former senior intelligence official told me. The intercepts included details of planned American naval movements. The Chinese were apparently showing the U.S. their hand. (“The N.S.A. would ask, ‘Can the Chinese be that good?’ ” the former official told me. “My response was that they only invented gunpowder in the tenth century and built the bomb in 1965. I’d say, ‘Can you read Chinese?’ We don’t even know the Chinese pictograph for ‘Happy hour.’ ”)

Why would the Chinese reveal that they had access to American communications? One of the Bush national-security officials told me that some of the aides then working for Vice-President Dick Cheney believed—or wanted to believe—that the barrage was meant as a welcome to President Obama. It is also possible that the Chinese simply made a mistake, given the difficulty of operating surgically in the cyber world.

Admiral Timothy J. Keating, who was then the head of the Pacific Command, convened a series of frantic meetings in Hawaii, according to a former C.I.A. official. In early 2009, Keating brought the issue to the new Obama Administration. If China had reverse-engineered the EP-3E’s operating system, all such systems in the Navy would have to be replaced, at a cost of hundreds of millions of dollars. After much discussion, several current and former officials said, this was done. (The Navy did not respond to a request for comment on the incident.)

Admiral McVadon said that the loss prompted some black humor, with one Navy program officer quoted as saying, “This is one hell of a way to go about getting a new operating system.”

The EP-3E debacle fuelled a longstanding debate within the military and in the Obama Administration. Many military leaders view the Chinese penetration as a warning about present and future vulnerabilities—about the possibility that China, or some other nation, could use its expanding cyber skills to attack America’s civilian infrastructure and military complex. On the other side are those who argue for a civilian response to the threat, focussed on a wider use of encryption. They fear that an overreliance on the military will have adverse consequences for privacy and civil liberties.

In May, after years of planning, the U.S. Cyber Command was officially activated, and took operational control of disparate cyber-security and attack units that had been scattered among the four military services. Its commander, Army General Keith Alexander, a career intelligence officer, has made it clear that he wants more access to e-mail, social networks, and the Internet to protect America and fight in what he sees as a new warfare domain—cyberspace. In the next few months, President Obama, who has publicly pledged that his Administration will protect openness and privacy on the Internet, will have to make choices that will have enormous consequences for the future of an ever-growing maze of new communication techniques: Will America’s networks be entrusted to civilians or to the military? Will cyber security be treated as a kind of war?

Even as the full story of China’s EP-3E coup remained hidden, “cyber war” was emerging as one of the nation’s most widely publicized national-security concerns. Early this year, Richard Clarke, a former White House national-security aide who warned about the threat from Al Qaeda before the September 11th attacks, published “Cyber War,” an edgy account of America’s vulnerability to hackers, both state-sponsored and individual, especially from China. “Since the late 1990s, China has systematically done all the things a nation would do if it contemplated having an offensive cyber war capability,” Clarke wrote. He forecast a world in which China might unleash havoc:

Within a quarter of an hour, 157 major metropolitan areas have been thrown into knots by a nationwide power blackout hitting during rush hour. Poison gas clouds are wafting toward Wilmington and Houston. Refineries are burning up oil supplies in several cities. Subways have crashed in New York, Oakland, Washington, and Los Angeles. . . . Aircraft are literally falling out of the sky as a result of midair collisions across the country. . . . Several thousand Americans have already died.
Retired Vice-Admiral J. Michael McConnell, Bush’s second director of National Intelligence, has issued similar warnings. “The United States is fighting a cyber war today, and we are losing,” McConnell wrote earlier this year in the Washington Post. “Our cyber-defenses are woefully lacking.” In February, in testimony before the Senate Commerce, Science, and Transportation Committee, he said, “As a consequence of not mitigating the risk, we’re going to have a catastrophic event.”

A great deal of money is at stake. Cyber security is a major growth industry, and warnings from Clarke, McConnell, and others have helped to create what has become a military-cyber complex. The federal government currently spends between six and seven billion dollars annually for unclassified cyber-security work, and, it is estimated, an equal amount on the classified portion. In July, the Washington Post published a critical assessment of the unchecked growth of government intelligence agencies and private contractors. Benjamin Powell, who served as general counsel for three directors of the Office of National Intelligence, was quoted as saying of the cyber-security sector, “Sometimes there was an unfortunate attitude of bring your knives, your guns, your fists, and be fully prepared to defend your turf. . . . Because it’s funded, it’s hot and it’s sexy.”

Clarke is the chairman of Good Harbor Consulting, a strategic-planning firm that advises governments and companies on cyber security and other issues. (He says that more than ninety per cent of his company’s revenue comes from non-cyber-related work.) McConnell is now an executive vice-president of Booz Allen Hamilton, a major defense contractor. Two months after McConnell testified before the Senate, Booz Allen Hamilton landed a thirty-four-million-dollar cyber contract. It included fourteen million dollars to build a bunker for the Pentagon’s new Cyber Command.

American intelligence and security officials for the most part agree that the Chinese military, or, for that matter, an independent hacker, is theoretically capable of creating a degree of chaos inside America. But I was told by military, technical, and intelligence experts that these fears have been exaggerated, and are based on a fundamental confusion between cyber espionage and cyber war. Cyber espionage is the science of covertly capturing e-mail traffic, text messages, other electronic communications, and corporate data for the purpose of gathering national-security or commercial intelligence. Cyber war involves the penetration of foreign networks for the purpose of disrupting or dismantling those networks, and making them inoperable. (Some of those I spoke to made the point that China had demonstrated its mastery of cyber espionage in the EP-3E incident, but it did not make overt use of it to wage cyber war.) Blurring the distinction between cyber war and cyber espionage has been profitable for defense contractors—and dispiriting for privacy advocates.

Clarke’s book, with its alarming vignettes, was praised by many reviewers. But it received much harsher treatment from writers in the technical press, who pointed out factual errors and faulty assumptions. For example, Clarke attributed a severe power outage in Brazil to a hacker; the evidence pointed to sooty insulators.

The most common cyber-war scare scenarios involve America’s electrical grid. Even the most vigorous privacy advocate would not dispute the need to improve the safety of the power infrastructure, but there is no documented case of an electrical shutdown forced by a cyber attack. And the cartoonish view that a hacker pressing a button could cause the lights to go out across the country is simply wrong. There is no national power grid in the United States. There are more than a hundred publicly and privately owned power companies that operate their own lines, with separate computer systems and separate security arrangements. The companies have formed many regional grids, which means that an electrical supplier that found itself under cyber attack would be able to avail itself of power from nearby systems. Decentralization, which alarms security experts like Clarke and many in the military, can also protect networks.

In July, there were reports that a computer worm, known as Stuxnet, had infected thousands of computers worldwide. Victims, most of whom were unharmed, were able to overcome the attacks, although it sometimes took hours or days to even notice them. Some of the computers were inside the Bushehr nuclear-energy plant, in Iran, and this led to speculation that Israel or the United States might have developed the virus. A Pentagon adviser on information warfare told me that it could have been an attempted “semantic attack,” in which the virus or worm is designed to fool its victim into thinking that its computer systems are functioning properly, when in fact they are not, and may not have been for some time. (This month, Microsoft, whose Windows operating systems were the main target of Stuxnet, completed a lengthy security fix, or patch.)

If Stuxnet was aimed specifically at Bushehr, it exhibited one of the weaknesses of cyber attacks: they are difficult to target and also to contain. India and China were both hit harder than Iran, and the virus could easily have spread in a different direction, and hit Israel itself. Again, the very openness of the Internet serves as a deterrent against the use of cyber weapons.

Bruce Schneier, a computer scientist who publishes a widely read blog on cyber security, told me that he didn’t know whether Stuxnet posed a new threat. “There’s certainly no actual evidence that the worm is targeted against Iran or anybody,” he said in an e-mail. “On the other hand, it’s very well designed and well written.” The real hazard of Stuxnet, he added, might be that it was “great for those who want to believe cyber war is here. It is going to be harder than ever to hold off the military.”

A defense contractor who is regarded as one of America’s most knowledgeable experts on Chinese military and cyber capabilities took exception to the phrase “cyber war.” “Yes, the Chinese would love to stick it to us,” the contractor told me. “They would love to transfer economic and business innovation from West to East. But cyber espionage is not cyber war.” He added, “People have been sloppy in their language. McConnell and Clarke have been pushing cyber war, but their evidentiary basis is weak.”

James Lewis, a senior fellow at the Center for Strategic and International Studies, who worked for the Departments of State and Commerce in the Clinton Administration, has written extensively on the huge economic costs due to cyber espionage from China and other countries, like Russia, whose hackers are closely linked to organized crime. Lewis, too, made a distinction between this and cyber war: “Current Chinese officials have told me that we’re not going to attack Wall Street, because we basically own it”—a reference to China’s holdings of nearly a trillion dollars in American securities—“and a cyber-war attack would do as much economic harm to us as to you.”

Nonetheless, China “is in full economic attack” inside the United States, Lewis says. “Some of it is economic espionage that we know and understand. Some of it is like the Wild West. Everybody is pirating from everybody else. The U.S.’s problem is what to do about it. I believe we have to begin by thinking about it”—the Chinese cyber threat—“as a trade issue that we have not dealt with.”

The bureaucratic battle between the military and civilian agencies over cyber security—and the budget that comes with it—has made threat assessments more problematic. General Alexander, the head of Cyber Command, is also the director of the N.S.A., a double role that has caused some apprehension, particularly on the part of privacy advocates and civil libertarians. (The N.S.A. is formally part of the Department of Defense.) One of Alexander’s first goals was to make sure that the military would take the lead role in cyber security and in determining the future shape of computer networks. (A Department of Defense spokesman, in response to a request to comment on this story, said that the department “continues to adhere to all laws, policies, directives, or regulations regarding cyberspace. The Department of Defense maintains strong commitments to protecting civil liberties and privacy.”)

The Department of Homeland Security has nominal responsibility for the safety of America’s civilian and private infrastructure, but the military leadership believes that the D.H.S. does not have the resources to protect the electrical grids and other networks. (The department intends to hire a thousand more cyber-security staff members over the next three years.) This dispute became public when, in March, 2009, Rodney Beckstrom, the director of the D.H.S.’s National Cybersecurity Center, abruptly resigned. In a letter to Secretary Janet Napolitano, Beckstrom warned that the N.S.A. was effectively controlling her department’s cyber operations: “While acknowledging the critical importance of N.S.A. to our intelligence efforts . . . the threats to our democratic processes are significant if all top level government network security and monitoring are handled by any one organization.” Beckstrom added that he had argued for civilian control of cyber security, “which interfaces with, but is not controlled by, the N.S.A.”

General Alexander has done little to reassure critics about the N.S.A.’s growing role. In the public portion of his confirmation hearing, in April, before the Senate Armed Services Committee, he complained of a “mismatch between our technical capabilities to conduct operations and the governing laws and policies.”

Alexander later addressed a controversial area: when to use conventional armed forces to respond to, or even preëmpt, a network attack. He told the senators that one problem for Cyber Command would be to formulate a response based on nothing more than a rough judgment about a hacker’s intent. “What’s his game plan? Does he have one?” he said. “These are tough issues, especially when attribution and neutrality are brought in, and when trying to figure out what’s come in.” At this point, he said, he did not have “the authority . . . to reach out into a neutral country and do an attack. And therein lies the complication. . . . What do you do to take that second step?”

Making the same argument, William J. Lynn III, the Deputy Secretary of Defense, published an essay this fall in Foreign Affairs in which he wrote of applying the N.S.A.’s “defense capabilities beyond the ‘.gov’ domain,” and asserted, “As a doctrinal matter, the Pentagon has formally recognized cyberspace as a new domain of warfare.” This definition raises questions about where the battlefield begins and where it ends. If the military is operating in “cyberspace,” does that include civilian computers in American homes?

Lynn also alluded to a previously classified incident, in 2008, in which some N.S.A. unit commanders, facing penetration of their bases’ secure networks, concluded that the break-in was caused by a disabling thumb drive; Lynn said that it had been corrupted by “a foreign intelligence agency.” (According to press reports, the program was just as likely to be the product of hackers as that of a government.) Lynn termed it a “wakeup call” and a “turning point in U.S. cyber defense strategy.” He compared the present moment to the day in 1939 when President Franklin D. Roosevelt got a letter from Albert Einstein about the possibility of atomic warfare.

But Lynn didn’t mention one key element in the commanders’ response: they ordered all ports on the computers on their bases to be sealed with liquid cement. Such a demand would be a tough sell in the civilian realm. (And a Pentagon adviser suggested that many military computer operators had simply ignored the order.)

A senior official in the Department of Homeland Security told me, “Every time the N.S.A. gets involved in domestic security, there’s a hue and cry from people in the privacy world.” He said, though, that coöperation between the military and civilians had increased. (The Department of Homeland Security recently signed a memorandum with the Pentagon that gives the military authority to operate inside the United States in case of cyber attack.) “We need the N.S.A., but the question we have is how to work with them and still say and demonstrate that we are in charge in the areas for which we are responsible.”

This official, like many I spoke to, portrayed the talk about cyber war as a bureaucratic effort “to raise the alarm” and garner support for an increased Defense Department role in the protection of private infrastructure. He said, “You hear about cyber war all over town. This”—he mentioned statements by Clarke and others—“is being done to mobilize a political effort. We always turn to war analogies to mobilize the people.”

In theory, the fight over whether the Pentagon or civilian agencies should be in charge of cyber security should be mediated by President Obama’s coördinator for cyber security, Howard Schmidt—the cyber czar. But Schmidt has done little to assert his authority. He has no independent budget control and in a crisis would be at the mercy of those with more assets, such as General Alexander. He was not the Administration’s first choice for the cyber-czar job—reportedly, several people turned it down. The Pentagon adviser on information warfare, in an e-mail that described the lack of an over-all policy and the “cyber-pillage” of intellectual property, added the sort of dismissive comment that I heard from others: “It’s ironic that all this goes on under the nose of our first cyber President. . . . Maybe he should have picked a cyber czar with more than a mail-order degree.” (Schmidt’s bachelor’s and master’s degrees are from the University of Phoenix.)

Howard Schmidt doesn’t like the term “cyber war.” “The key point is that cyber war benefits no one,” Schmidt told me in an interview at the Old Executive Office Building. “We need to focus on that fact. When people tell me that these guys or this government is going to take down the U.S. military with information warfare I say that, if you look at the history of conflicts, there’s always been the goal of intercepting the communications of combatants—whether it’s cutting down telephone poles or intercepting Morse-code signalling. We have people now who have found that warning about ‘cyber war’ has become an unlikely career path”—an obvious reference to McConnell and Clarke. “All of a sudden, they have become experts, and they get a lot of attention. ‘War’ is a big word, and the media is responsible for pushing this, too. Economic espionage on the Internet has been mischaracterized by people as cyber war.”

Schmidt served in Vietnam, worked as a police officer for several years on a SWAT team in Arizona, and then specialized in computer-related crimes at the F.B.I. and in the Air Force’s investigative division. In 1997, he joined Microsoft, where he became chief of security, leaving after the 9/11 attacks to serve in the Bush Administration as a special adviser for cyber security. When Obama hired him, he was working as the head of security for eBay. When I asked him about the ongoing military-civilian dispute, Schmidt said, “The middle way is not to give too much authority to one group or another and to make sure that we share information with each other.”

Schmidt continued, “We have to protect our infrastructure and our way of life, for sure. We do have vulnerabilities, and we do talk about worst-case scenarios” with the Pentagon and the Department of Homeland Security. “You don’t see a looming war and just wait for it to come.” But, at the same time, “we have to keep our shipping lanes open, to continue to do commerce, and to freely use the Internet.”

How should the power grid be protected? It does remain far too easy for a sophisticated hacker to break into American networks. In 2008, the computers of both the Obama and the McCain campaigns were hacked. Suspicion fell on Chinese hackers. People routinely open e-mails with infected attachments, allowing hackers to “enslave” their computers. Such machines, known as zombies, can be linked to create a “botnet,” which can flood and effectively shut down a major system. Hackers are also capable of penetrating a major server, like Gmail. Guesses about the cost of cyber crime vary widely, but one survey, cited by President Obama in a speech in May, 2009, put the price at more than eight billion dollars in 2007 and 2008 combined. Obama added, referring to corporate cyber espionage, “It’s been estimated that last year alone cyber criminals stole intellectual property from businesses worldwide worth up to one trillion dollars.”

One solution is mandated encryption: the government would compel both corporations and individuals to install the most up-to-date protection tools. This option, in some form, has broad support in the technology community and among privacy advocates. In contrast, military and intelligence eavesdroppers have resisted nationwide encryption since 1976, when the Diffie-Hellman key exchange (an encryption tool co-developed by Whitfield Diffie) was invented, for the most obvious of reasons: it would hinder their ability to intercept signals. In this sense, the N.S.A.’s interests align with those of the hackers.

John Arquilla, who has taught since 1993 at the U.S. Naval Postgraduate School in Monterey, California, writes in his book “Worst Enemies,” “We would all be far better off if virtually all civil, commercial, governmental, and military internet and web traffic were strongly encrypted.” Instead, many of those charged with security have adopted the view that “cyberspace can be defended with virtual fortifications—basically the ‘firewalls’ that everyone knows about. . . . A kind of Maginot Line mentality prevails.”

Arquilla added that America’s intelligence agencies and law-enforcement officials have consistently resisted encryption because of fears that a serious, widespread effort to secure data would interfere with their ability to electronically monitor and track would-be criminals or international terrorists. This hasn’t stopped sophisticated wrongdoers from, say, hiring hackers or encrypting files; it just leaves the public exposed, Arquilla writes. “Today drug lords still enjoy secure internet and web communications, as do many in terror networks, while most Americans don’t.”

Schmidt told me that he supports mandated encryption for the nation’s power and electrical infrastructure, though not beyond that. But, early last year, President Obama declined to support such a mandate, in part, Schmidt said, because of the costs it would entail for corporations. In addition to the setup expenses, sophisticated encryption systems involve a reliance on security cards and on constantly changing passwords, along with increased demands on employees and a ceding of control by executives to their security teams.

General Alexander, meanwhile, has continued to press for more authority, and even for a separate Internet domain—another Maginot Line, perhaps. One morning in September, he told a group of journalists that the Cyber Command needed what he called “a secure zone,” a separate space within the Internet to shelter the military and essential industries from cyber attacks. The secure zone would be kept under tight government control. He also assured the journalists, according to the Times, that “we can protect civil liberties, privacy, and still do our mission.” The General was more skeptical about his ability to please privacy advocates when he testified, a few hours later, before the House Armed Services Committee: “A lot of people bring up privacy and civil liberties. And then you say, ‘Well, what specifically are you concerned about?’ And they say, ‘Well, privacy and civil liberties.’ . . . Are you concerned that the anti-virus program that McAfee runs invades your privacy or civil liberties?’ And the answer is ‘No, no, no—but I’m worried that you would.’ ”

This summer, the Wall Street Journal reported that the N.S.A. had begun financing a secret surveillance program called Perfect Citizen to monitor attempted intrusions into the computer networks of private power companies. The program calls for the installation of government sensors in those networks to watch for unusual activity. The Journal noted that some companies expressed concerns about privacy, and said that what they needed instead was better guidance on what to do in case of a major cyber attack. The N.S.A. issued a rare public response, insisting that there was no “monitoring activity” involved: “We strictly adhere to both the spirit and the letter of U.S. laws and regulations.”

A former N.S.A. operative I spoke to said, of Perfect Citizen, “This would put the N.S.A. into the job of being able to watch over our national communications grid. If it was all dot-gov, I would have no problem with the sensors, but what if the private companies rely on Gmail or to communicate? This could put the N.S.A. into every service provider in the country.”

The N.S.A. has its own hackers. Many of them are based at a secret annex near Thurgood Marshall International Airport, outside Baltimore. (The airport used to be called Friendship Airport, and the annex is known to insiders as the FANX, for “Friendship annex.”) There teams of attackers seek to penetrate the communications of both friendly and unfriendly governments, and teams of defenders monitor penetrations and attempted penetrations of U.S. systems. The former N.S.A. operative, who served as a senior watch officer at a major covert installation, told me that the N.S.A. obtained invaluable on-the-job training in cyber espionage during the attack on Iraq in 1991. Its techniques were perfected during the struggle in Kosovo in 1999 and, later, against Al Qaeda in Iraq. “Whatever the Chinese can do to us, we can do better,” the technician said. “Our offensive cyber capabilities are far more advanced.”

Nonetheless, Marc Rotenberg, the president of the Electronic Privacy Information Center and a leading privacy advocate, argues that the N.S.A. is simply not competent enough to take a leadership role in cyber security. “Let’s put the issue of privacy of communications aside,” Rotenberg, a former Senate aide who has testified often before Congress on encryption policy and consumer protection, said. “The question is: Do you want an agency that spies with mixed success to be responsible for securing the nation’s security? If you do, that’s crazy.”

Nearly two decades ago, the Clinton Administration, under pressure from the N.S.A., said that it would permit encryption-equipped computers to be exported only if their American manufacturers agreed to install a government-approved chip, known as the Clipper Chip, in each one. It was subsequently revealed that the Clipper Chip would enable law-enforcement officials to have access to data in the computers. The ensuing privacy row embarrassed Clinton, and the encryption-equipped computers were permitted to be exported without the chip, in what amounted to a rebuke to the N.S.A.

That history may be repeating itself. The Obama Administration is now planning to seek broad new legislation that would enable national-security and law-enforcement officials to police online communications. The legislation, similar to that sought two decades ago in the Clipper Chip debate, would require manufacturers of equipment such as the BlackBerry, and all domestic and foreign purveyors of communications, such as Skype, to develop technology that would allow the federal government to intercept and decode traffic.

“The lesson of Clipper is that the N.S.A. is really not good at what it does, and its desire to eavesdrop overwhelms its ability to protect, and puts at risk U.S. security,” Rotenberg said. “The N.S.A. wants security, sure, but it also wants to get to capture as much as it can. Its view is you can get great security as long as you listen in.” Rotenberg added, “General Alexander is not interested in communication privacy. He’s not pushing for encryption. He wants to learn more about people who are on the Internet”—to get access to the original internal protocol, or I.P., addresses identifying the computers sending e-mail messages. “Alexander wants user I.D. He wants to know who you are talking to.”

Rotenberg concedes that the government has a role to play in the cyber world. “We privacy guys want strong encryption for the security of America’s infrastructure,” he said. He also supports Howard Schmidt in his willingness to mandate encryption for the few industries whose disruption could lead to chaos. “Howard is trying to provide a reasoned debate on an important issue.”

Whitfield Diffie, the encryption pioneer, offered a different note of skepticism in an e-mail to me: “It would be easy to write a rule mandating encryption but hard to do it in such a way as to get good results. To make encryption effective, someone has to manage and maintain the systems (the way N.S.A. does for D.O.D. and, to a lesser extent, other parts of government). I think that what is needed is more by way of standards, guidance, etc., that would make it easier for industry to implement encryption without making more trouble for itself than it saves.”

More broadly, Diffie wrote, “I am not convinced that lack of encryption is the primary problem. The problem with the Internet is that it is meant for communications among non-friends.”

What about China? Does it pose such a threat that, on its own, it justifies putting cyber security on a war footing? The U.S. has long viewed China as a strategic military threat, and as a potential adversary in the sixty-year dispute over Taiwan. Contingency plans dating back to the Cold War include calls for an American military response, led by a Navy carrier group, if a Chinese fleet sails into the Taiwan Strait. “They’ll want to stop our carriers from coming, and they will throw whatever they have in cyber war—everything but the kitchen sink—to blind us, or slow our fleet down,” Admiral McVadon, the retired defense attaché, said. “Our fear is that the Chinese may think that cyber war will work, but it may not. And that’s a danger because it”—a test of cyber warfare—“could lead to a bigger war.”

However, the prospect of a naval battle for Taiwan and its escalation into a cyber attack on America’s domestic infrastructure is remote. Jonathan Pollack, an expert on the Chinese military who teaches at the Naval War College in Newport, Rhode Island, said, “The fact is that the Chinese are remarkably risk-averse.” He went on, “Yes, there have been dustups, and the United States collects intelligence around China’s border, but there is an accommodation process under way today between China and Taiwan.” In June, Taiwan approved a trade agreement with China that had, as its ultimate goal, a political rapprochement. “The movement there is palpable, and, given that, somebody’s got to tell me how we are going to find ourselves in a war with China,” Pollack said.

Many long-standing allies of the United States have been deeply engaged in cyber espionage for decades. A retired four-star Navy admiral, who spent much of his career in signals intelligence, said that Russia, France, Israel, and Taiwan conduct the most cyber espionage against the U.S. “I’ve looked at the extraordinary amount of Russian and Chinese cyber activity,” he told me, “and I am hard put to it to sort out how much is planning for warfare and how much is for economic purposes.”

The admiral said that the U.S. Navy, worried about budget cuts, “needs an enemy, and it’s settled on China,” and that “using what your enemy is building to justify your budget is not a new game.”

There is surprising unanimity among cyber-security experts on one issue: that the immediate cyber threat does not come from traditional terrorist groups like Al Qaeda, at least, not for the moment. “Terrorist groups are not particularly good now in attacking our computer system,” John Arquilla told me. “They’re not that interested in it—yet. The question is: Do vulnerabilities exist inside America? And, if they do, the terrorists eventually will exploit them.” Arquilla added a disturbing thought: “The terrorists of today rely on cyberspace, and they have to be good at cyber security to protect their operations.” As terrorist groups get better at defense, they may eventually turn to offense.

Jeffrey Carr, a Seattle-based consultant on cyber issues, looked into state and non-state cyber espionage throughout the recent conflicts in Estonia and Georgia. Carr, too, said he was skeptical that China or Russia would mount a cyber-war attack against the United States. “It’s not in their interest to hurt the country that is feeding them money,” he said. “On the other hand, it does make sense for lawless groups.” He envisaged “five- or six-year-old kids in the Middle East who are working on the Internet,” and who would “become radicalized fifteen- or sixteen-year-old hackers.” Carr is an advocate of making all Internet service providers require their customers to use verifiable registration information, as a means of helping authorities reduce cyber espionage.

Earlier this year, Carr published “Inside Cyber Warfare,” an account, in part, of his research into cyber activity around the world. But he added, “I hate the term ‘cyber war.’ ” Asked why he used “cyber warfare” in the title of his book, he responded, “I don’t like hype, but hype sells.”

Why not ignore the privacy community and put cyber security on a war footing? Granting the military more access to private Internet communications, and to the Internet itself, may seem prudent to many in these days of international terrorism and growing American tensions with the Muslim world. But there are always unintended consequences of military activity—some that may take years to unravel. Ironically, the story of the EP-3E aircraft that was downed off the coast of China provides an example. The account, as relayed to me by a fully informed retired American diplomat, begins with the contested Presidential election between Vice-President Al Gore and George W. Bush the previous November. That fall, a routine military review concluded that certain reconnaissance flights off the eastern coast of the former Soviet Union—daily Air Force and Navy sorties flying out of bases in the Aleutian Islands—were redundant, and recommended that they be cut back.

“Finally, on the eve of the 2000 election, the flights were released,” the former diplomat related. “But there was nobody around with any authority to make changes, and everyone was looking for a job.” The reality is that no military commander would unilaterally give up any mission. “So the system defaulted to the next target, which was China, and the surveillance flights there went from one every two weeks or so to something like one a day,” the former diplomat continued. By early December, “the Chinese were acting aggressively toward our now increased reconnaissance flights, and we complained to our military about their complaints. But there was no one with political authority in Washington to respond, or explain.” The Chinese would not have been told that the increase in American reconnaissance had little to do with anything other than the fact that inertia was driving day-to-day policy. There was no leadership in the Defense Department, as both Democrats and Republicans waited for the Supreme Court to decide the fate of the Presidency.

The predictable result was an increase in provocative behavior by Chinese fighter pilots who were assigned to monitor and shadow the reconnaissance flights. This evolved into a pattern of harassment in which a Chinese jet would maneuver a few dozen yards in front of the slow, plodding EP-3E, and suddenly blast on its afterburners, soaring away and leaving behind a shock wave that severely rocked the American aircraft. On April 1, 2001, the Chinese pilot miscalculated the distance between his plane and the American aircraft. It was a mistake with consequences for the American debate on cyber security that have yet to be fully reckoned.

November 18, 2010

Worm Was Perfect for Sabotaging Centrifuges

Experts dissecting the computer worm suspected of being aimed at Iran’s nuclear program have determined that it was precisely calibrated in a way that could send nuclear centrifuges wildly out of control.

Their conclusion, while not definitive, begins to clear some of the fog around the Stuxnet worm, a malicious program detected earlier this year on computers, primarily in Iran but also India, Indonesia and other countries.

The paternity of the worm is still in dispute, but in recent weeks officials from Israel have broken into wide smiles when asked whether Israel was behind the attack, or knew who was. American officials have suggested it originated abroad.

The new forensic work narrows the range of targets and deciphers the worm’s plan of attack. Computer analysts say Stuxnet does its damage by making quick changes in the rotational speed of motors, shifting them rapidly up and down.

Changing the speed “sabotages the normal operation of the industrial control process,” Eric Chien, a researcher at the computer security company Symantec, wrote in a blog post.

Those fluctuations, nuclear analysts said in response to the report, are a recipe for disaster among the thousands of centrifuges spinning in Iran to enrich uranium, which can fuel reactors or bombs. Rapid changes can cause them to blow apart. Reports issued by international inspectors reveal that Iran has experienced many problems keeping its centrifuges running, with hundreds removed from active service since summer 2009.

“We don’t see direct confirmation” that the attack was meant to slow Iran’s nuclear work, David Albright, president of the Institute for Science and International Security, a private group in Washington that tracks nuclear proliferation, said in an interview Thursday. “But it sure is a plausible interpretation of the available facts.”

Intelligence officials have said they believe that a series of covert programs are responsible for at least some of that decline. So when Iran reported earlier this year that it was battling the Stuxnet worm, many experts immediately suspected that it was a state-sponsored cyberattack.

Until last week, analysts had said only that Stuxnet was designed to infect certain kinds of Siemens equipment used in a wide variety of industrial sites around the world.

But a study released Friday by Mr. Chien, Nicolas Falliere and Liam O. Murchu at Symantec, concluded that the program’s real target was to take over frequency converters, a type of power supply that changes its output frequency to control the speed of a motor.

The worm’s code was found to attack converters made by two companies, Fararo Paya in Iran and Vacon in Finland. A separate study conducted by the Department of Homeland Security confirmed that finding, a senior government official said in an interview on Thursday.

Then, on Wednesday, Mr. Albright and a colleague, Andrea Stricker, released a report saying that when the worm ramped up the frequency of the electrical current supplying the centrifuges, they would spin faster and faster. The worm eventually makes the current hit 1,410 Hertz, or cycles per second — just enough, they reported, to send the centrifuges flying apart.

In a spooky flourish, Mr. Albright said in the interview, the worm ends the attack with a command to restore the current to the perfect operating frequency for the centrifuges — which, by that time, would presumably be destroyed.

“It’s striking how close it is to the standard value,” he said.

The computer analysis, his Wednesday report concluded, “makes a legitimate case that Stuxnet could indeed disrupt or destroy” Iranian centrifuge plants.

The latest evidence does not prove Iran was the target, and there have been no confirmed reports of industrial damage linked to Stuxnet. Converters are used to control a number of different machines, including lathes, saws and turbines, and they can be found in gas pipelines and chemical plants. But converters are also essential for nuclear centrifuges.

On Wednesday, the chief of the Department of Homeland Security’s cybersecurity center in Virginia, Sean McGurk, told a Senate committee that the worm was a “game changer” because of the skill with which it was composed and the care with which it was geared toward attacking specific types of equipment.

Meanwhile, the search for other clues in the Stuxnet program continues — and so do the theories about its origins.

Ralph Langner, a German expert in industrial control systems who has examined the program and who was the first to suggest that the Stuxnet worm may have been aimed at Iran, noted in late September that a file inside the code was named “Myrtus.” That could be read as an allusion to Esther, and he and others speculated it was a reference to the Book of Esther, the Old Testament tale in which the Jews pre-empt a Persian plot to destroy them.

Writing on his Web site last week, Mr. Langner noted that a number of the data modules inside the program contained the date “Sept. 24, 2001,” clearly long before the program was written. He wrote that he believed the date was a message from the authors of the program, but did not know what it might mean.

Last month, researchers at Symantec also speculated that a string of numbers found in the program — 19790509 — while seeming random, might actually be significant. They speculated that it might refer to May 9, 1979, the day that Jewish-Iranian businessman Habib Elghanian was executed in Iran after being convicted of spying for Israel.

Interpreting what the clues might mean is a fascinating exercise for computer experts and conspiracy theorists, but it could also be a way to mislead investigators.

Indeed, according to one investigator, the creation date of the data modules might instead suggest that the original attack code in Stuxnet was written long before the program was actually distributed.

According to Tom Parker, a computer security specialist at Securicon LLC, a security consulting firm based in Washington, the Stuxnet payload appeared to have been written by a team of highly skilled programmers, while the “dropper” program that delivered the program reflected an amateur level of expertise. He said the fact that Stuxnet was detected and had spread widely in a number of countries was an indicator that it was a failed operation.

“The end target is going to be able to know they were the target, and the attacker won’t be able to use this technique again,” he said.

John Markoff contributed reporting.

November 19, 2010

Worm Can Deal Double Blow to Nuclear Program

The German software engineer who in September was the first to report that a computer worm was apparently designed to sabotage targets in Iran said Friday that the program contained two separate “digital warheads.”

The malicious program, known as Stuxnet, is designed to disable both Iranian centrifuges used to enrich uranium and steam turbines at the Bushehr nuclear power plant, which is scheduled to begin operation next year, said the engineer, Ralph Langner, an industrial control systems specialist based in Hamburg, Germany.

His analysis adds further detail to a report by researchers at the Symantec Corporation, an American computer security company, which concluded that the software code was intended to induce fluctuations in the rotational speed of motors, by taking over a power device known as a frequency converter.

“It’s an awful complex code that we are looking at,” said Mr. Langner, who has spent several months studying the program, which was discovered by a Russian antivirus company in June, after the company received complaints from Iranian customers. The link between the worm and an Iranian target was first made at an industrial systems cybersecurity conference in the Washington area on Sept. 20 by Mr. Langner.

In a statement Friday on his Web site, he described two different attack modules that are designed to run on different industrial controllers made by Siemens, the German industrial equipment maker. “It appears that warhead one and warhead two were deployed in combination as an all-out cyberstrike against the Iranian nuclear program,” he wrote.

In testimony before the Senate on Wednesday, federal and private industry officials said that the Iranian nuclear program was a probable target, but they stopped short of saying they had confirming evidence. Mr. Langner said, however, that he had found enough evidence within the programs to pinpoint the intended targets. He described his research process as being akin to being at a crime scene and examining a weapon but lacking a body.

The second code module — aimed at the nuclear power plant — was written with remarkable sophistication, he said. The worm moves from personal computers to Siemens computers that control industrial processes. It then inserts fake data, fooling the computers into thinking that the system is running normally while the sabotage of the frequency converters is taking place. “It is obvious that several years of preparation went into the design of this attack,” he wrote.

When asked about Mr. Langner’s new analysis, Eric Chien of Symantec said the company’s researchers had also seen evidence of a second attack module, but that the module was disabled in the version of Stuxnet they studied.

Mr. Langner is among a small group of industrial control specialists who warned that the widespread distribution of the Stuxnet code could lead to disaster. Equipment made by Siemens and its competitors is used around the globe to manage virtually all of the world’s transportation, power distribution and communications systems.

Joe Weiss, managing partner at Applied Control Systems, a consulting firm based in the Silicon Valley that organized the conference in September, said he was concerned that computer security organizations were not adequately conveying the potential for serious industrial sabotage that Stuxnet foretells.

“I just want the lights to stay on and water flowing, and people not dying,” he said.

January 15, 2011

Israeli Test on Worm Called Crucial in Iran Nuclear Delay

The Dimona complex in the Negev desert is famous as the heavily guarded heart of Israel’s never-acknowledged nuclear arms program, where neat rows of factories make atomic fuel for the arsenal.

Over the past two years, according to intelligence and military experts familiar with its operations, Dimona has taken on a new, equally secret role — as a critical testing ground in a joint American and Israeli effort to undermine Iran’s efforts to make a bomb of its own.

Behind Dimona’s barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran’s at Natanz, where Iranian scientists are struggling to enrich uranium. They say Dimona tested the effectiveness of the Stuxnet computer worm, a destructive program that appears to have wiped out roughly a fifth of Iran’s nuclear centrifuges and helped delay, though not destroy, Tehran’s ability to make its first nuclear arms.

“To check out the worm, you have to know the machines,” said an American expert on nuclear intelligence. “The reason the worm has been effective is that the Israelis tried it out.”

Though American and Israeli officials refuse to talk publicly about what goes on at Dimona, the operations there, as well as related efforts in the United States, are among the newest and strongest clues suggesting that the virus was designed as an American-Israeli project to sabotage the Iranian program.

In recent days, the retiring chief of Israel’s Mossad intelligence agency, Meir Dagan, and Secretary of State Hillary Rodham Clinton separately announced that they believed Iran’s efforts had been set back by several years. Mrs. Clinton cited American-led sanctions, which have hurt Iran’s ability to buy components and do business around the world.

The gruff Mr. Dagan, whose organization has been accused by Iran of being behind the deaths of several Iranian scientists, told the Israeli Knesset in recent days that Iran had run into technological difficulties that could delay a bomb until 2015. That represented a sharp reversal from Israel’s long-held argument that Iran was on the cusp of success.

The biggest single factor in putting time on the nuclear clock appears to be Stuxnet, the most sophisticated cyberweapon ever deployed.

In interviews over the past three months in the United States and Europe, experts who have picked apart the computer worm describe it as far more complex — and ingenious — than anything they had imagined when it began circulating around the world, unexplained, in mid-2009.

Many mysteries remain, chief among them, exactly who constructed a computer worm that appears to have several authors on several continents. But the digital trail is littered with intriguing bits of evidence.

In early 2008 the German company Siemens cooperated with one of the United States’ premier national laboratories, in Idaho, to identify the vulnerabilities of computer controllers that the company sells to operate industrial machinery around the world — and that American intelligence agencies have identified as key equipment in Iran’s enrichment facilities.

Seimens says that program was part of routine efforts to secure its products against cyberattacks. Nonetheless, it gave the Idaho National Laboratory — which is part of the Energy Department, responsible for America’s nuclear arms — the chance to identify well-hidden holes in the Siemens systems that were exploited the next year by Stuxnet.

The worm itself now appears to have included two major components. One was designed to send Iran’s nuclear centrifuges spinning wildly out of control. Another seems right out of the movies: The computer program also secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart.

The attacks were not fully successful: Some parts of Iran’s operations ground to a halt, while others survived, according to the reports of international nuclear inspectors. Nor is it clear the attacks are over: Some experts who have examined the code believe it contains the seeds for yet more versions and assaults.

“It’s like a playbook,” said Ralph Langner, an independent computer security expert in Hamburg, Germany, who was among the first to decode Stuxnet. “Anyone who looks at it carefully can build something like it.” Mr. Langner is among the experts who expressed fear that the attack had legitimized a new form of industrial warfare, one to which the United States is also highly vulnerable.

Officially, neither American nor Israeli officials will even utter the name of the malicious computer program, much less describe any role in designing it.

But Israeli officials grin widely when asked about its effects. Mr. Obama’s chief strategist for combating weapons of mass destruction, Gary Samore, sidestepped a Stuxnet question at a recent conference about Iran, but added with a smile: “I’m glad to hear they are having troubles with their centrifuge machines, and the U.S. and its allies are doing everything we can to make it more complicated.”

In recent days, American officials who spoke on the condition of anonymity have said in interviews that they believe Iran’s setbacks have been underreported. That may explain why Mrs. Clinton provided her public assessment while traveling in the Middle East last week.

By the accounts of a number of computer scientists, nuclear enrichment experts and former officials, the covert race to create Stuxnet was a joint project between the Americans and the Israelis, with some help, knowing or unknowing, from the Germans and the British.

The project’s political origins can be found in the last months of the Bush administration. In January 2009, The New York Times reported that Mr. Bush authorized a covert program to undermine the electrical and computer systems around Natanz, Iran’s major enrichment center. President Obama, first briefed on the program even before taking office, sped it up, according to officials familiar with the administration’s Iran strategy. So did the Israelis, other officials said. Israel has long been seeking a way to cripple Iran’s capability without triggering the opprobrium, or the war, that might follow an overt military strike of the kind they conducted against nuclear facilities in Iraq in 1981 and Syria in 2007.

Two years ago, when Israel still thought its only solution was a military one and approached Mr. Bush for the bunker-busting bombs and other equipment it believed it would need for an air attack, its officials told the White House that such a strike would set back Iran’s programs by roughly three years. Its request was turned down.

Now, Mr. Dagan’s statement suggests that Israel believes it has gained at least that much time, without mounting an attack. So does the Obama administration.

For years, Washington’s approach to Tehran’s program has been one of attempting “to put time on the clock,” a senior administration official said, even while refusing to discuss Stuxnet. “And now, we have a bit more.”

Finding Weaknesses
Paranoia helped, as it turns out. Years before the worm hit Iran, Washington had become deeply worried about the vulnerability of the millions of computers that run everything in the United States from bank transactions to the power grid.

Computers known as controllers run all kinds of industrial machinery. By early 2008, the Department of Homeland Security had teamed up with the Idaho National Laboratory to study a widely used Siemens controller known as P.C.S.-7, for Process Control System 7. Its complex software, called Step 7, can run whole symphonies of industrial instruments, sensors and machines.

The vulnerability of the controller to cyberattack was an open secret. In July 2008, the Idaho lab and Siemens teamed up on a PowerPoint presentation on the controller’s vulnerabilities that was made to a conference in Chicago at Navy Pier, a top tourist attraction.

“Goal is for attacker to gain control,” the July paper said in describing the many kinds of maneuvers that could exploit system holes. The paper was 62 pages long, including pictures of the controllers as they were examined and tested in Idaho.

In a statement on Friday, the Idaho National Laboratory confirmed that it formed a partnership with Siemens but said it was one of many with manufacturers to identify cybervulnerabilities. It argued that the report did not detail specific flaws that attackers could exploit. But it also said it could not comment on the laboratory’s classified missions, leaving unanswered the question of whether it passed what it learned about the Siemens systems to other parts of the nation’s intelligence apparatus.

The presentation at the Chicago conference, which recently disappeared from a Siemens Web site, never discussed specific places where the machines were used.

But Washington knew. The controllers were critical to operations at Natanz, a sprawling enrichment site in the desert. “If you look for the weak links in the system,” said one former American official, “this one jumps out.”

Controllers, and the electrical regulators they run, became a focus of sanctions efforts. The trove of State Department cables made public by WikiLeaks describes urgent efforts in April 2009 to stop a shipment of Siemens controllers, contained in 111 boxes at the port of Dubai, in the United Arab Emirates. They were headed for Iran, one cable said, and were meant to control “uranium enrichment cascades” — the term for groups of spinning centrifuges.

Subsequent cables showed that the United Arab Emirates blocked the transfer of the Siemens computers across the Strait of Hormuz to Bandar Abbas, a major Iranian port.

Only months later, in June, Stuxnet began to pop up around the globe. The Symantec Corporation, a maker of computer security software and services based in Silicon Valley, snared it in a global malware collection system. The worm hit primarily inside Iran, Symantec reported, but also in time appeared in India, Indonesia and other countries.

But unlike most malware, it seemed to be doing little harm. It did not slow computer networks or wreak general havoc. That deepened the mystery.

A ‘Dual Warhead’
No one was more intrigued than Mr. Langner, a former psychologist who runs a small computer security company in a suburb of Hamburg. Eager to design protective software for his clients, he had his five employees focus on picking apart the code and running it on the series of Siemens controllers neatly stacked in racks, their lights blinking.

He quickly discovered that the worm only kicked into gear when it detected the presence of a specific configuration of controllers, running a set of processes that appear to exist only in a centrifuge plant. “The attackers took great care to make sure that only their designated targets were hit,” he said. “It was a marksman’s job.”

For example, one small section of the code appears designed to send commands to 984 machines linked together.

Curiously, when international inspectors visited Natanz in late 2009, they found that the Iranians had taken out of service a total of exactly 984 machines that had been running the previous summer.

But as Mr. Langner kept peeling back the layers, he found more — what he calls the “dual warhead.” One part of the program is designed to lie dormant for long periods, then speed up the machines so that the spinning rotors in the centrifuges wobble and then destroy themselves. Another part, called a “man in the middle” in the computer world, sends out those false sensor signals to make the system believe everything is running smoothly. That prevents a safety system from kicking in, which would shut down the plant before it could self-destruct.

“Code analysis makes it clear that Stuxnet is not about sending a message or proving a concept,” Mr. Langner later wrote. “It is about destroying its targets with utmost determination in military style.”

This was not the work of hackers, he quickly concluded. It had to be the work of someone who knew his way around the specific quirks of the Siemens controllers and had an intimate understanding of exactly how the Iranians had designed their enrichment operations. In fact, the Americans and the Israelis had a pretty good idea.

Testing the Worm
Perhaps the most secretive part of the Stuxnet story centers on how the theory of cyberdestruction was tested on enrichment machines to make sure the malicious software did its intended job.

The account starts in the Netherlands. In the 1970s, the Dutch designed a tall, thin machine for enriching uranium. As is well known, A. Q. Khan, a Pakistani metallurgist working for the Dutch, stole the design and in 1976 fled to Pakistan.

The resulting machine, known as the P-1, for Pakistan’s first-generation centrifuge, helped the country get the bomb. And when Dr. Khan later founded an atomic black market, he illegally sold P-1’s to Iran, Libya, and North Korea.

The P-1 is more than six feet tall. Inside, a rotor of aluminum spins uranium gas to blinding speeds, slowly concentrating the rare part of the uranium that can fuel reactors and bombs.

How and when Israel obtained this kind of first-generation centrifuge remains unclear, whether from Europe, or the Khan network, or by other means. But nuclear experts agree that Dimona came to hold row upon row of spinning centrifuges.

“They’ve long been an important part of the complex,” said Avner Cohen, author of “The Worst-Kept Secret” (2010), a book about the Israeli bomb program, and a senior fellow at the Monterey Institute of International Studies. He added that Israeli intelligence had asked retired senior Dimona personnel to help on the Iranian issue, and that some apparently came from the enrichment program.

“I have no specific knowledge,” Dr. Cohen said of Israel and the Stuxnet worm. “But I see a strong Israeli signature and think that the centrifuge knowledge was critical.”

Another clue involves the United States. It obtained a cache of P-1’s after Libya gave up its nuclear program in late 2003, and the machines were sent to the Oak Ridge National Laboratory in Tennessee, another arm of the Energy Department.

By early 2004, a variety of federal and private nuclear experts assembled by the Central Intelligence Agency were calling for the United States to build a secret plant where scientists could set up the P-1’s and study their vulnerabilities. “The notion of a test bed was really pushed,” a participant at the C.I.A. meeting recalled.

The resulting plant, nuclear experts said last week, may also have played a role in Stuxnet testing.

But the United States and its allies ran into the same problem the Iranians have grappled with: the P-1 is a balky, badly designed machine. When the Tennessee laboratory shipped some of its P-1’s to England, in hopes of working with the British on a program of general P-1 testing, they stumbled, according to nuclear experts.

“They failed hopelessly,” one recalled, saying that the machines proved too crude and temperamental to spin properly.

Dr. Cohen said his sources told him that Israel succeeded — with great difficulty — in mastering the centrifuge technology. And the American expert in nuclear intelligence, who spoke on the condition of anonymity, said the Israelis used machines of the P-1 style to test the effectiveness of Stuxnet.

The expert added that Israel worked in collaboration with the United States in targeting Iran, but that Washington was eager for “plausible deniability.”

In November, the Iranian president, Mahmoud Ahmadinejad, broke the country’s silence about the worm’s impact on its enrichment program, saying a cyberattack had caused “minor problems with some of our centrifuges.” Fortunately, he added, “our experts discovered it.”

The most detailed portrait of the damage comes from the Institute for Science and International Security, a private group in Washington. Last month, it issued a lengthy Stuxnet report that said Iran’s P-1 machines at Natanz suffered a series of failures in mid- to late 2009 that culminated in technicians taking 984 machines out of action.

The report called the failures “a major problem” and identified Stuxnet as the likely culprit.

Stuxnet is not the only blow to Iran. Sanctions have hurt its effort to build more advanced (and less temperamental) centrifuges. And last January, and again in November, two scientists who were believed to be central to the nuclear program were killed in Tehran.

The man widely believed to be responsible for much of Iran’s program, Mohsen Fakrizadeh, a college professor, has been hidden away by the Iranians, who know he is high on the target list.

Publicly, Israeli officials make no explicit ties between Stuxnet and Iran’s problems. But in recent weeks, they have given revised and surprisingly upbeat assessments of Tehran’s nuclear status.

“A number of technological challenges and difficulties” have beset Iran’s program, Moshe Yaalon, Israel’s minister of strategic affairs, told Israeli public radio late last month.

The troubles, he added, “have postponed the timetable.”

January 26, 2011

From Bullets to Megabytes

STUXNET, the computer worm that last year disrupted many of the gas centrifuges central to Iran’s nuclear program, is a powerful weapon in the new age of global information warfare. A sophisticated half-megabyte of computer code apparently accomplished what a half-decade of United Nations Security Council resolutions could not.
Mark Pernice

Israeli Test on Worm Called Crucial in Iran Nuclear Delay (January 16, 2011)
25 Years of Digital Vandalism (January 27, 2011)

This new form of warfare has several implications that are only now becoming apparent, and that will define the shape of what will likely become the next global arms race — albeit one measured in computer code rather than firepower.

For one thing, the Stuxnet attack highlights the ambiguous boundaries of sovereignty in cyberspace. Promoting national security in the information age will, from time to time, cause unpredictable offense to the rights and interests of innocent people, companies and countries.

Stuxnet attacked the Iranian nuclear program, but it did so by maliciously manipulating commercial software products sold globally by major Western companies. Whoever launched the assault also infected thousands of computers in several countries, including Australia, Britain, Indonesia and the United States.

This kind of collateral damage to the global civilian realm is going to be the norm, not the exception, and advanced economies, which are more dependent on advanced information systems, will be at particular risk.

What’s more, offensive and defensive information warfare are tightly, insidiously coupled, which will significantly complicate military-industrial relations.

The expertise needed to defend against a cyberattack is essentially indistinguishable from that needed to make such an attack. The Stuxnet programmers are reported to have exploited proprietary information that had been voluntarily provided to the American government by Siemens, that German company that makes data-and-control programs used in nuclear power facilities — including Iran’s.

Siemens did this to help Washington build up its ability to fend off cyberattacks. Will Siemens and other companies think twice next time the American government calls? Probably. Whether it’s true or not, as far as the rest of the world is concerned, the United States is now in the business of offensive information warfare, along with China, Israel and Russia, among others.

It’s not hard to imagine, then, the splintering of the global information technology industry into multiple camps according to their willingness to cooperate with governments on security matters. We can already see this happening in the telecommunications industry, where companies promote their products’ resistance to government intrusion. At the same time, other companies might see an advantage to working closely with the government.

Stuxnet also raises sticky and perhaps irresolvable legal questions. At present there is no real legal framework for adjudicating international cyberattacks; even if victims could determine who was responsible, their governments have few options outside of diplomatic complaints and, perhaps, retaliation in kind. An international entity that could legislate or enforce an information warfare armistice does not exist, and is not really conceivable.

A similar question exists within the United States. Under American law the transmission of malicious code is in many cases a criminal offense. This makes sense, given the economy’s reliance on information networks, the sensitivity of stored electronic data and the ever-present risk of attack from viruses, worms and other varieties of malware.

But the president, as commander in chief, does have some authority to conduct offensive information warfare against foreign adversaries. However, as with many presidential powers to wage war and conduct espionage, the extent of his authority has never been enumerated.

This legal ambiguity is problematic because such warfare is far less controllable than traditional military and intelligence operations, and it raises much more complex issues of private property, personal privacy and commercial integrity.

Therefore, before our courts are forced to consider the issue and potentially limit executive powers, as they did after President Harry Truman tried to seize steel plants in the early 1950s, Congress should grant the White House broad authority to wage offensive information warfare.

By explicitly authorizing these offensive operations in appropriate, defined circumstances, a new statute would strengthen the president’s power to provide for the common defense in cyberspace. Doing so wouldn’t answer all the questions that this new era of warfare presents. But one thing is sure: as bad as this arms race will be, losing it would be even worse.

Richard A. Falkenrath, a principal of the Chertoff Group, an investment advisory firm, is a former deputy commissioner for counterterrorism for the New York Police Department and deputy homeland security adviser to President George W. Bush.

Tages-Anzeiger    9.Februar 2011

Wie die USA das Internet kontrollieren
In Ägypten hätten die USA die Internetsperre locker aufheben können –
wenn sie denn nur gewollt hätten.
Von Reto Knobel

John Arquilla ist der Mann, der (in Zusammenarbeit mit dem Wissenschafter David Ronfeldt) den Begriff «Cyberwar» erfunden hat. In einer Studie aus dem Jahr 1993 berichteten die beiden US-Amerikaner über das Potenzial von kriegerischen Auseinandersetzungen im Internet. Kriege, so seine Überzeugung, werden sich künftig primär um die Dominanz über Informationen und Kommunikationswerkzeuge drehen.

Experte Arquilla arbeitete unter anderem für die Denkfabrik und Pentagon-Beratungsfirma Rand Corporation und ist seit 18 Jahren Professor am Information Operations Center an der Naval Postgraduate School im kalifornischen Monterey, einer von der United States Navy geführten Hochschule. Ein Mann, auf den Politik und die amerikanischen Medien hören – so auch dieser Tage.

Obamas leere Worte
Der Hintergrund: Ende Januar wurde in Ägypten für ein paar Tage das Internet abgestellt, um die Mobilisierungsfähigkeit der aufmüpfigen Bevölkerung einzuschränken. Bis zu 95 Prozent der Einheimischen waren plötzlich offline. Der Protest des Westens liess nicht lange auf sich warten. US-Präsident Obama etwa kritisierte die Machthaber und forderte die sofortige Wiederherstellung freier Informationen.

Das Regime zeigte sich bekanntlich wenig beeindruckt. Weniger bekannt ist: Laut John Arquilla wäre es nicht schwierig gewesen, die Deaktivierung sowohl der Mobilfunk-Dienste als auch des Offline-Status im Nilland rückgängig zu machen. In einem «Wired»-Artikel mit dem Titel «Die USA haben technische Mittel, um das Internet in Diktaturen wieder zum Laufen zu bringen» schreibt der Professor im Dienste des Pentagons: «Was das Militär abdrehen kann, kann es auch wieder aufdrehen.»

Die fliegenden Funkzellen
Ohne auf die technischen Details einzugehen, präzisiert Arquilla, dass es sowohl «über satelliten- als auch nichtsatellitengestützte Anlagen» für seine Regierung möglich sei, «die Zugangspunkte zur Verfügung zu stellen, damit die Leute wieder online sein können». Er habe Kenntnis von geheim gehaltenen Flugzeugen, die nur durch Überfliegen eines Gebietes WLAN-Verbindung herstellen können. Selbst Drohnen könnten als fliegende Funkzellen umgerüstet werden, um kleinere Gebiete fliegend in ein UMTS-Netz umzuwandeln.

«Act of war»
Weiter wäre es den USA ohne Weiteres möglich gewesen, das Land über das Satellitennetzwerk des US-Militärs wieder ins weltweite Kommunikationsnetz einzubinden.

Aquilla weiss allerdings, dass eine solche Aktions seitens der Vereinigten Staaten von der ägyptischen Regierung als schwere Einmischung (wörtlich: «Act of war») interpretiert worden wäre. «Die amerikanischen Streitkräfte», schliesst John Aquilla, «haben grosse Erfahrung im Wiederaufbau von Kommunikationsstrukturen». Aber es sei sehr schwierig zu handeln, wenn sich die Regierung dagegen sträube – ein Land internetfähig zu machen sei «weniger ein technisches als ein politisches Problem». (

February 15, 2011

Egypt Leaders Found ‘Off’ Switch for Internet

Epitaphs for the Mubarak government all note that the mobilizing power of the Internet was one of the Egyptian opposition’s most potent weapons. But quickly lost in the swirl of revolution was the government’s ferocious counterattack, a dark achievement that many had thought impossible in the age of global connectedness. In a span of minutes just after midnight on Jan. 28, a technologically advanced, densely wired country with more than 20 million people online was essentially severed from the global Internet.

The blackout was lifted after just five days, and it did not save President Hosni Mubarak. But it has mesmerized the worldwide technical community and raised concerns that with unrest coursing through the Middle East, other autocratic governments — many of them already known to interfere with and filter specific Web sites and e-mails — may also possess what is essentially a kill switch for the Internet.

Because the Internet’s legendary robustness and ability to route around blockages are part of its basic design, even the world’s most renowned network and telecommunications engineers have been perplexed that the Mubarak government succeeded in pulling the maneuver off.

But now, as Egyptian engineers begin to assess fragmentary evidence and their own knowledge of the Egyptian Internet’s construction, they are beginning to understand what, in effect, hit them. Interviews with many of those engineers, as well as an examination of data collected around the world during the blackout, indicate that the government exploited a devastating combination of vulnerabilities in the national infrastructure.

For all the Internet’s vaunted connectivity, the Egyptian government commanded powerful instruments of control: it owns the pipelines that carry information across the country and out into the world.

Internet experts say similar arrangements are more common in authoritarian countries than is generally recognized. In Syria, for example, the Syrian Telecommunications Establishment dominates the infrastructure, and the bulk of the international traffic flows through a single pipeline to Cyprus. Jordan, Qatar, Oman, Saudi Arabia and other Middle Eastern countries have the same sort of dominant, state-controlled carrier.

Over the past several days, activists in Bahrain and Iran say they have seen strong evidence of severe Internet slowdowns amid protests there. Concerns over the potential for a government shutdown are particularly high in North African countries, most of which rely on a just a small number of fiber-optic lines for most of their international Internet traffic.

A Double Knockout
The attack in Egypt relied on a double knockout, the engineers say. As in many authoritarian countries, Egypt’s Internet must connect to the outside world through a tiny number of international portals that are tightly in the grip of the government. In a lightning strike, technicians first cut off nearly all international traffic through those portals.

In theory, the domestic Internet should have survived that strike. But the cutoff also revealed how dependent Egypt’s internal networks are on moment-to-moment information from systems that exist only outside the country — including e-mail servers at companies like Google, Microsoft and Yahoo; data centers in the United States; and the Internet directories called domain name servers, which can be physically located anywhere from Australia to Germany.

The government’s attack left Egypt not only cut off from the outside world, but also with its internal systems in a sort of comatose state: servers, cables and fiber-optic lines were largely up and running, but too confused or crippled to carry information save a dribble of local e-mail traffic and domestic Web sites whose Internet circuitry somehow remained accessible.

“They drilled unexpectedly all the way down to the bottom layer of the Internet and stopped all traffic flowing,” said Jim Cowie, chief technology officer of Renesys, a network management company based in New Hampshire that has closely monitored Internet traffic from Egypt. “With the scope of their shutdown and the size of their online population, it is an unprecedented event.”

The engineers say that a focal point of the attack was an imposing building at 26 Ramses Street in Cairo, just two and a half miles from the epicenter of the protests, Tahrir Square. At one time purely a telephone network switching center, the building now houses the crucial Internet exchange that serves as the connection point for fiber-optic links provided by five major network companies that provide the bulk of the Internet connectivity going into and out of the country.

“In Egypt the actual physical and logical connections to the rest of the world are few, and they are licensed by the government and they are tightly controlled,” said Wael Amin, president of ITWorx, a large software development company based in Cairo.

One of the government’s strongest levers is Telecom Egypt, a state-owned company that engineers say owns virtually all the country’s fiber-optic cables; other Internet service providers are forced to lease bandwidth on those cables in order to do business.

Mr. Cowie noted that the shutdown in Egypt did not appear to have diminished the protests — if anything, it inflamed them — and that it would cost untold millions of dollars in lost business and investor confidence in the country. But he added that, inevitably, some autocrats would conclude that Mr. Mubarak had simply waited too long to bring down the curtain.

“Probably there are people who will look at this and say, it really worked pretty well, he just blew the timing,” Mr. Cowie said.

Speaking of the Egyptian shutdown and the earlier experience in Tunisia, whose censorship methods were less comprehensive, a senior State Department official said that “governments will draw different conclusions.”

“Some may take measures to tighten communications networks,” said the official, speaking on the condition of anonymity. “Others may conclude that these things are woven so deeply into the culture and commerce of their country that they interfere at their peril. Regardless, it is certainly being widely discussed in the Middle East and North Africa.”

Vulnerable Choke Points

In Egypt, where the government still has not explained how the Internet was taken down, engineers across the country are putting together clues from their own observations to understand what happened this time, and to find out whether a future cutoff could be circumvented on a much wider scale than it was when Mr. Mubarak set his attack in motion.

The strength of the Internet is that it has no single point of failure, in contrast to more centralized networks like the traditional telephone network. The routing of each data packet is handled by a web of computers known as routers, so that in principle each packet might take a different route. The complete message or document is then reassembled at the receiving end.

Yet despite this decentralized design, the reality is that most traffic passes through vast centralized exchanges — potential choke points that allow many nations to monitor, filter or in dire cases completely stop the flow of Internet data.

China, for example, has built an elaborate national filtering system known as the Golden Shield Project, and in 2009 it shut down cellphone and Internet service amid unrest in the Muslim region of Xinjiang. Nepal’s government briefly disconnected from the Internet in the face of civil unrest in 2005, and so did Myanmar’s government in 2007.

But until Jan. 28 in Egypt, no country had revealed that control of those choke points could allow the government to shut down the Internet almost entirely.

There has been intense debate both inside and outside Egypt on whether the cutoff at 26 Ramses Street was accomplished by surgically tampering with the software mechanism that defines how networks at the core of the Internet communicate with one another, or by a blunt approach: simply cutting off the power to the router computers that connect Egypt to the outside world.

But either way, the international portals were shut, and the domestic system reeled from the blow.

The Lines Go Dead
The first hints of the blackout had actually emerged the day before, Jan. 27, as opposition leaders prepared for a “Friday of anger,” with huge demonstrations expected. Ahmed ElShabrawy, who runs a company called EgyptNetwork, noticed that the government had begun blocking individual sites like Facebook and Twitter.

Just after midnight on Jan. 28, Mahmoud Amin’s iPhone beeped with an alert that international connections to his consulting company’s Internet system had vanished — and then the iPhone itself stopped receiving e-mail. A few minutes later, Mr. ElShabrawy received an urgent call telling him that all Internet lines running to his company were dead.

It was not long before Ayman Bahaa, director of Egyptian Universities Network, which developed the country’s Internet nearly two decades ago, was scrambling to figure out how the system had all but collapsed between the strokes of 12 and 1.

The system had been crushed so completely that when a network engineer who does repairs in Cairo woke in the morning, he said to his family, “I feel we are in the 1800s.”

Over the next five days, the government furiously went about extinguishing nearly all of the Internet links to the outside world that had survived the first assault, data collected by Western network monitors show. Although a few Egyptians managed to post to Facebook or send sporadic e-mails, the vast majority of the country’s Internet subscribers were cut off.

The most telling bit of evidence was that some Internet services inside the country were still working, at least sporadically. American University in Cairo, frantically trying to relocate students and faculty members away from troubled areas, was unable to use e-mail, cellphones — which were also shut down — or even a radio frequency reserved for security teams. But the university was able to update its Web site, hosted on a server inside Egypt, and at least some people were able to pull up the site and follow the emergency instructions.

“The servers were up,” said Nagwa Nicola, the chief technology officer at American University in Cairo. “You could reach up to the Internet provider itself, but you wouldn’t get out of the country.” Ms. Nicola said that no notice had been given, and she depicted an operation that appeared to have been carried out with great secrecy.

“When we called the providers, they said, ‘Um, hang on, we just have a few problems and we’ll be on again,’ ” she said. “They wouldn’t tell us it was out.”

She added, “It wasn’t expected at all that something like that would happen.”

Told to Shut Down or Else
Individual Internet service providers were also called on the carpet and ordered to shut down, as they are required to do by their licensing agreements if the government so decrees.

According to an Egyptian engineer and an international telecom expert who both spoke on the condition of anonymity, at least one provider, Vodafone, expressed extreme reluctance to shut down but was told that if it did not comply, the government would use its own “off” switch via the Telecom Egypt infrastructure — a method that would be much more time-consuming to reverse. Other exchanges, like an important one in Alexandria, may also have been involved.

Still, even major providers received little notice that the moves were afoot, said an Egyptian with close knowledge of the telecom industry who would speak only anonymously.

“You don’t get a couple of days with something like this,” he said. “It was less than an hour.”

After the Internet collapsed, Mr. ElShabrawy, 35, whose company provides Internet service to 2,000 subscribers and develops software for foreign and domestic customers, made urgent inquiries with the Ministry of Communications, to no avail. So he scrambled to re-establish his own communications.

When he, too, noticed that domestic fiber-optic cables were open, he had a moment of exhilaration, remembering that he could link up servers directly and establish messaging using an older system called Internet Relay Chat. But then it dawned on him that he had always assumed he could download the necessary software via the Internet and had saved no copy.

“You don’t have your tools — you don’t have anything,” Mr. ElShabrawy said he realized as he stared at the dead lines at his main office in Mansoura, about 60 miles outside Cairo.

With the streets unsafe because of marauding bands of looters, he decided to risk having a driver bring $7,000 in satellite equipment, including a four-foot dish, from Cairo, and somehow he was connected internationally again by Monday evening.

Steeling himself for the blast of complaints from angry customers — his company also provides texting services in Europe and the Middle East — Mr. ElShabrawy found time to post videos of the protests in Mansoura on his Facebook page. But with security officials asking questions about what he was up to, he did not dare hook up his domestic subscribers.

Then, gingerly, he reached out to his international customers, his profuse apologies already framed in his mind.

The response that poured in astonished Mr. ElShabrawy, who is nothing if not a conscientious businessman, even in turbulent times. “People said: ‘Don’t worry about that. We are fine and we need to know that you are fine. We are all supporting you.’ ”

October 10, 2011

Government Aims to Build a ‘Data Eye in the Sky’

More than 60 years ago, in his “Foundation” series, the science fiction novelist Isaac Asimov invented a new science — psychohistory — that combined mathematics and psychology to predict the future.

Now social scientists are trying to mine the vast resources of the Internet — Web searches and Twitter messages, Facebook and blog posts, the digital location trails generated by billions of cellphones — to do the same thing.

The most optimistic researchers believe that these storehouses of “big data” will for the first time reveal sociological laws of human behavior — enabling them to predict political crises, revolutions and other forms of social and economic instability, just as physicists and chemists can predict natural phenomena.

“This is a significant step forward,” said Thomas Malone, the director of the Center for Collective Intelligence at the Massachusetts Institute of Technology. “We have vastly more detailed and richer kinds of data available as well as predictive algorithms to use, and that makes possible a kind of prediction that would have never been possible before.”

The government is showing interest in the idea. This summer a little-known intelligence agency began seeking ideas from academic social scientists and corporations for ways to automatically scan the Internet in 21 Latin American countries for “big data,” according to a research proposal being circulated by the agency. The three-year experiment, to begin in April, is being financed by the Intelligence Advanced Research Projects Activity, or Iarpa (pronounced eye-AR-puh), part of the office of the director of national intelligence.

The automated data collection system is to focus on patterns of communication, consumption and movement of populations. It will use publicly accessible data, including Web search queries, blog entries, Internet traffic flow, financial market indicators, traffic webcams and changes in Wikipedia entries.

It is intended to be an entirely automated system, a “data eye in the sky” without human intervention, according to the program proposal. The research would not be limited to political and economic events, but would also explore the ability to predict pandemics and other types of widespread contagion, something that has been pursued independently by civilian researchers and by companies like Google.

Some social scientists and advocates of privacy rights are deeply skeptical of the project, saying it evokes queasy memories of Total Information Awareness, a post-9/11 Pentagon program that proposed hunting for potential attackers by identifying patterns in vast collections of public and private data: telephone calling records, e-mail, travel data, visa and passport information, and credit card transactions.

“I have Total Information Awareness flashbacks when things like this happen,” said David Price, an anthropologist at St. Martin’s University in Lacey, Wash., who has written about cooperation between social scientists and intelligence agencies. “On the one hand it’s understandable for a nation-state to want to track things like the outbreak of a pandemic, but I have to wonder about the total automation of this and what productive will come of it.”

Iarpa officials declined to discuss the research program, saying they are prohibited from giving interviews until contract awards are made later this year.

A similar project by their military sister organization, the Defense Advanced Research Projects Agency, or Darpa, aims to automatically identify insurgent social networks in Afghanistan.

In its most recent budget proposal, the defense agency argues that its analysis can expose terrorist cells and other stateless groups by tracking their meetings, rehearsals and sharing of material and money transfers.

So far there have been only scattered examples of the potential of mining social media. Last year HP Labs researchers used Twitter data to accurately predict box office revenues of Hollywood movies. In August, the National Science Foundation approved funds for research in using social media like Twitter and Facebook to assess earthquake damage in real time.

The accessibility and computerization of huge databases has already begun to spur the development of new statistical techniques and new software to manage data sets with trillions of entries or more.

“Big data allows one to move beyond inference and statistical significance and move toward meaningful and accurate analyses,” said Norman Nie, a political scientist who was a pioneering developer of statistical tools for social scientists and who recently formed a new company, Revolution Analytics, to develop software for the analysis of immense data sets.

Some scientists are skeptical. They cite the Pentagon’s ill-fated Project Camelot in the 1960s, which also explored the possibility that social science could predict political and economic events, but was canceled in the face of widespread criticism by scholars.

The project focused on Chile, with the goal of developing methods for anticipating “violent changes” and offering ways of averting possible rebellions. It led to an uproar among social scientists, who argued that the study would compromise their professional ethics.

In recent years, however, academic opposition to military financing of research has faded. Since 2008, a Pentagon project called the Minerva Initiative has paid for an array of studies, including research at Arizona State University into political opponents of radical Muslims and a University of Texas study on the effects of climate change on African political stability.

Social scientists who cooperate with the research agencies contend that, on balance, the new technologies will have a positive effect.

“The result will be much better understanding of what is going on in the world, and how well local governments are handling the situation,” said Sandy Pentland, a computer scientist at the M.I.T. Media Laboratory. “I find this all very hopeful rather than scary, because this is perhaps the first real opportunity for all of humanity to have transparency in government.”

But advocates of privacy rights worry that public data and the related techniques developed in the new Iarpa project will be adapted for clandestine “total information” operations.

“These techniques are double-edged,” said Marc Rotenberg, president of the Electronic Privacy Information Center, a privacy rights group based in Washington. “They can be used as easily against political opponents in the United States as they can against threats from foreign countries.”

And some computer scientists expressed skepticism about efforts to predict political instability with indicators like Web searches.

“I’m hard pressed to say that we are witnessing a revolution,” said Prabhakar Raghavan, the director of Yahoo Labs, who is an information retrieval specialist. He noted that much had been written about predicting flu epidemics by looking at Web searches for “flu,” but noted that the predictions did not improve significantly on what could already be found in data from the Centers for Disease Control and Prevention.

“You can look at search queries and divine that flu is about to break out,” he said, “but what our research has highlighted is that many of these new methods don’t add a huge lift.”

Other researchers are far more optimistic. “There is a huge amount of predictive power in this data,” said Albert-Laszlo Barabasi, a physicist at Notre Dame who specializes in network science. “If I have hourly information about your location, with about 93 percent accuracy I can predict where you are going to be an hour or a day later.”

Still, the ease of acquiring and manipulating huge data sets charting Internet behavior causes many researchers to warn that the data mining technologies may be quickly outrunning the ability of scientists to think through questions of privacy and ethics.

There is also the deeper question of whether it will be possible to discern behavioral laws that match the laws of physical sciences. For Isaac Asimov, the predictive powers of psychohistory worked only when it was possible to measure the human population of an entire galaxy.

Wall Street Journal    19 November 2011

Where governments get their tools
The Surveillance Catalog

Random DocumentDocuments obtained by The Wall Street Journal open a rare window into a new global market for the off-the-shelf surveillance technology that has arisen in the decade since the terrorist attacks of Sept. 11, 2001.

The techniques described in the trove of 200-plus marketing documents include hacking tools that enable governments to break into people’s computers and cellphones, and "massive intercept" gear that can gather all Internet communications in a country.

The documents—the highlights of which are cataloged and searchable here—were obtained from attendees of a secretive surveillance conference held near Washington, D.C., last month. Read more about the documents.

Document Trove Exposes Surveillance Methods

Documents obtained by The Wall Street Journal open a rare window into a new global market for the off-the-shelf surveillance technology that has arisen in the decade since the terrorist attacks of Sept. 11, 2001.
The techniques described in the trove of 200-plus marketing documents, spanning 36 companies, include hacking tools that enable governments to break into people's computers and cellphones, and "massive intercept" gear that can gather all Internet communications in a country. The papers were obtained from attendees of a secretive surveillance conference held near Washington, D.C., last month.

Intelligence agencies in the U.S. and abroad have long conducted their own surveillance. But in recent years, a retail market for surveillance tools has sprung up from "nearly zero" in 2001 to about $5 billion a year, said Jerry Lucas, president of TeleStrategies Inc., the show's operator.

Critics say the market represents a new sort of arms trade supplying Western governments and repressive nations alike. "The Arab Spring countries all had more sophisticated surveillance capabilities than I would have guessed," said Andrew McLaughlin, who recently left his post as deputy chief technology officer in the White House, referring to the Middle Eastern and African nations racked by violent crackdowns on dissent.

The Surveillance Catalog
 How the 'Off the Shelf' Surveillance Industry Has Grown
The Journal this year uncovered an Internet surveillance center installed by a French firm in Libya and reported that software made by Britain's Gamma International UK Ltd., had been used in Egypt to intercept dissidents' Skype conversations. In October, a U.S. company that makes Internet-filtering gear acknowledged to the Journal that its devices were being used in Syria.

Companies making and selling this gear say it is intended to catch criminals and is available only to governments and law enforcement. They say they obey export laws and aren't responsible for how the tools are used.

Trade-show organizer Mr. Lucas added that his event isn't political. "We don't really get into asking, 'Is this in the public interest?'" he said.

TeleStrategies holds ISS World conferences world-wide. The one near Washington, D.C., caters mainly to U.S., Canadian, Caribbean and Latin American authorities. The annual conference in Dubai has long served as a chance for Middle Eastern nations to meet companies hawking surveillance gear.

The global market for off-the-shelf surveillance technology has taken off in the decade since 9/11. WSJ's Jennifer Valentino-DeVries explains some of the new methods governments and law enforcement are using to monitor people.
Many technologies at the Washington-area show related to "massive intercept" monitoring, which can capture vast amounts of data. Telesoft Technologies Ltd. of the U.K. touted its device in its documents as offering "targeted or mass capture of 10s of thousands of simultaneous conversations from fixed or cellular networks." Telesoft declined to comment.

California-based Net Optics Inc., whose tools make monitoring gear more efficient, presented at the show and offers a case study on its website that describes helping a "major mobile operator in China" conduct "real-time monitoring" of cellphone Internet content. The goal was to help "analyze criminal activity" as well as "detect and filter undesirable content," the case study says.

Net Optics' CEO, Bob Shaw, said his company follows "to the letter of the law" U.S. export regulations. "We make sure we're not shipping to any countries that are forbidden or on the embargo list," he said in an interview.

Among the most controversial technologies on display at the conference were essentially computer-hacking tools to enable government agents to break into people's computers and cellphones, log their keystrokes and access their data. Although hacking techniques are generally illegal in the U.S., law enforcement can use them with an appropriate warrant, said Orin Kerr, a professor at George Washington University Law School and former computer-crime attorney at the Justice Department.

The documents show that at least three companies—Vupen Security SA of France, HackingTeam SRL of Italy and Gamma's FinFisher—marketed their skill at the kinds of techniques often used in "malware," the software used by criminals trying to steal people's financial or personal details. The goal is to overcome the fact that most surveillance techniques are "useless against encryption and can't reach information that never leaves the device," Marco Valleri, offensive-security manager at HackingTeam, said in an interview. "We can defeat that."

Representatives of HackingTeam said they tailor their products to the laws of the country where they are being sold. The firm's products include an auditing system that aims to prevent misuse by officials. "An officer cannot use our product to spy on his wife, for example," Mr. Valleri said.

Mr. Valleri said HackingTeam asks government customers to sign a license in which they agree not to provide the technology to unauthorized countries.

Vupen, which gave a presentation at the conference on "exploiting computer and mobile vulnerabilities for electronic surveillance," said its tools take advantage of security holes in computers or cellphones that manufacturers aren't yet aware of. Vupen's marketing documents describe its researchers as "dedicated" to finding "unpatched vulnerabilities" in software created by Microsoft Corp., Apple Inc. and others. On its website, the company offered attendees a "free Vupen exploit sample" that relied on an already-patched security hole.

Vupen says it restricts its sales to Australia, New Zealand, members and partners of the North Atlantic Treaty Organization and the Association of Southeast Asian Nations. The company says it won't sell to countries subject to international embargoes, and that its research must be used for national-security purposes only and in accordance with ethical practices and applicable laws.

The documents for FinFisher, a Gamma product, say it works by "sending fake software updates for popular software." In one example, FinFisher says intelligence agents deployed its products "within the main Internet service provider of their country" and infected people's computers by "covertly injecting" FinFisher code on websites that people then visited.

The company also claims to have allowed an intelligence agency to trick users into downloading its software onto BlackBerry mobile phones "to monitor all communications, including [texts], email and BlackBerry Messenger." Its marketing documents say its programs enable spying using devices and software from Apple, Microsoft, and Google Inc., among others. FinFisher documents at the conference were offered in English, Arabic and other languages.

A Google spokesman declined to comment on FinFisher specifically, adding that Google doesn't "tolerate abuse of our services."

An Apple spokeswoman said the company works "to find and fix any issues that could compromise [users'] systems." Apple on Monday introduced a security update to iTunes that could stop an attack similar to the type FinFisher claims to use, namely offering bogus software updates that install spyware.

Microsoft and Research In Motion Ltd., which makes BlackBerry devices, declined to comment.

The documents discovered in Egypt earlier this year indicated that Gamma's Egyptian reseller was offering FinFisher systems there for about $560,000. Gamma's lawyer told the Journal in April that it never sold the products to Egypt's government.

Gamma didn't respond to requests for comment for this article. Like most companies interviewed, Gamma declined to disclose its buyers, citing confidentiality agreements.

Privacy advocates say manufacturers should be more transparent about their activities. Eric King of the U.K. nonprofit Privacy International said "the complex network of supply chains and subsidiaries involved in this trade allows one after the other to continually pass the buck and abdicate responsibility." Mr. King routinely attends surveillance-industry events to gather information on the trade.

At the Washington and Dubai trade conferences this year, which are generally closed to the public, Journal reporters were prevented by organizers from attending sessions or entering the exhibition halls. February's Dubai conference took place at a time of widespread unrest elsewhere in the region. Nearly 900 people showed up, down slightly because of the regional turmoil, according to an organizer.

Presentations in Dubai included how to intercept wireless Internet traffic, monitor social networks and track cellphone users. "All of the companies involved in lawful intercept are trying to sell to the Middle East," said Simone Benvenuti, of RCS SpA, an Italian company that sells monitoring centers and other "interception solutions," mostly to governments. He declined to identify any clients in the region.

In interviews in Dubai, executives at several companies said they were aware their products could be abused by authoritarian regimes but they can't control their use after a sale. "This is the dilemma," said Klaus Mochalski, co-founder of ipoque, a German company specializing in deep-packet inspection, a powerful technology that analyzes Internet traffic. "It's like a knife. You can always cut vegetables but you can also kill your neighbor." He referred to it as "a constant moral, ethical dilemma we have."

—Paul Sonne contributed to this article.
Write to Jennifer Valentino DeVries at, Julia Angwin at and Steve Stecklow at

Read more:

The documents fall into five general categories: hacking, intercept, data analysis, web scraping and anonymity. Below, explore highlights related to each type of surveillance, and search among selected documents.
 Above, a still image from a marketing video by FinFisher touting the company's surveillance technology. Click "play" to learn more about what these documents reveal.

TSR 2    20 novembre 2011

La Guerre invisible

Rencontre avec Antoine Vitkine à propos de son documentaire "La guerre invisible", un film à découvrir dimanche 20 novembre 2011 sur TSR2.
"Finie l'époque des hackers solitaires, aujourd'hui, les hackers sont devenus des militaires au service des Etats et qui mènent la guerre de demain, dans des centres ultra-secrets dotés de centaines de millions de dollars de budget... Après la terre, la mer, l'air, la guerre est entrée dans une nouvelle dimension : le cyberespace, une guerre mondiale. Les USA, le Canada, la France en ont déjà été victimes. Ce film raconte cette guerre souterraine, qui dessine les contours de notre avenir : il raconte les dessous du virus israélien Stuxnet qui a durement mis à mal le programme nucléaire iranien, la cyberguerre russe contre l'Estonie et la Géorgie, menée grâce à des botnets, ces réseaux de centaines de milliers d'ordinateurs piratés à travers le monde, la cyberguerre froide entre les Etats-Unis et la Chine et ses offensives et contre-offensives...

Un membre de l'appareil de Défense américain nous expliquera ainsi comment les Chinois ont implanté des « bombes informatiques » dans le réseau électrique des Etats-Unis, en guise d'intimidation. Enfin, nous nous interrogerons sur les changements stratégiques que produit la cyberguerre : faut-il répondre par des moyens conventionnels à une cyber- attaque? Quel ennemi frapper si celui qui attaque se cache grâce à l'anonymat de l'informatique? Faut-il seulement se défendre contre les cyber-armes, ou également développer des capacités d'attaques? Bref, jusqu'où tout cela ira-t-il?"

L'article "La cyberguerre a commencé", paru dans le Nouvel Observatoire le 1er juin 2011
"Qu'est-ce que la cyberguerre?", un article paru le 20 août 2011 sur le site

SPIEGEL Online    16.März.2012 | 16:04 Uhr

US-Geheimdienst NSA baut riesiges Abhörzentrum
Von Richard Meusers

National Security Agency (NSA). AFP

Mit Milliardenaufwand entsteht die bisher umfassendste Infrastruktur zur Überwachung in den USA. Außerdem im Überblick: Indische Provider müssen vorgebliche Piraterieseiten blocken und Vorsicht vor neuem Android-Trojaner.

Unter dem harmlosen Namen "Utah Rechenzentrum" entsteht im gleichnamigen US-Bundesstaat das größte Abhörzentrum der USA. Wie "Wired" berichtet, soll die Anlage im September 2013 in Betrieb gehen und damit den Schlussstein einer während der letzten Dekade errichteten Überwachungsarchitektur bilden. Als Bauherr und Betreiber firmiert der US-Geheimdienst NSA, der mit dem Zwei-Milliarden-Projekt möglichst jede erreichbare Kommunikation auswerten will.

Egal, auf welchem Wege die Daten beschafft werden, Funk, Satellit oder Kabel, sie sollen in der beim ländlichen Kaff Bluffdale gelegenen Anlage zusammenfließen. Das Material wird dabei alle Arten der Kommunikation umfassen, den kompletten Inhalt privater E-Mails genauso wie der von Telefonaten und selbst Inhalte von Google-Suchen. Außerdem plane die NSA auch sonstige Datenspuren auszuwerten, die jeder Bürger tagtäglich hinterlasse, vom Parkscheinen bis hin zum Kassenbon beim Buchhändler. Mit offen zur Verfügung stehendem Material wollten sich die NSA-Analysten jedoch nicht begnügen.

Wie ein leitender Geheimdienstmann "Wired" gesteckt habe, sollten in der Schnüffelzentrale auch gängige Verschlüsselungen geknackt werden. Dazu bedarf es natürlich der entsprechenden Rechenpower, seit einiger Zeit wird daher im Geheimen an der Errichtung eines Superrechners gewerkelt, der einen Petaflop, eine Billiarde Operationen pro Sekunde erledigen kann. Einmal mehr mache das Kürzel NSA, das eigentlich für National Security Agency steht, seinem informellen Motto alle Ehre: Never say anything, nie etwas sagen.

August 30, 2012

Software Meant to Fight Crime Is Used to Spy on Dissidents

Morgan Marquis-Boire, left, and Bill Marczak have been looking at the use of computer espionage software by governments. Keystone

SAN FRANCISCO — Morgan Marquis-Boire works as a Google engineer and Bill Marczak is earning a Ph.D. in computer science. But this summer, the two men have been moonlighting as detectives, chasing an elusive surveillance tool from Bahrain across five continents.

What they found was the widespread use of sophisticated, off-the-shelf computer espionage software by governments with questionable records on human rights. While the software is supposedly sold for use only in criminal investigations, the two came across evidence that it was being used to target political dissidents.

The software proved to be the stuff of a spy film: it can grab images of computer screens, record Skype chats, turn on cameras and microphones and log keystrokes. The two men said they discovered mobile versions of the spyware customized for all major mobile phones.

But what made the software especially sophisticated was how well it avoided detection. Its creators specifically engineered it to elude antivirus software made by Kaspersky Lab, Symantec, F-Secure and others.

The software has been identified as FinSpy, one of the more elusive spyware tools sold in the growing market of off-the-shelf computer surveillance technologies that give governments a sophisticated plug-in monitoring operation. Research now links it to servers in more than a dozen countries, including Turkmenistan, Brunei and Bahrain, although no government acknowledges using the software for surveillance purposes.

The market for such technologies has grown to $5 billion a year from “nothing 10 years ago,” said Jerry Lucas, president of TeleStrategies, the company behind ISS World, an annual surveillance show where law enforcement agents view the latest computer spyware.

FinSpy is made by the Gamma Group, a British company that says it sells monitoring software to governments solely for criminal investigations.

“This is dual-use equipment,” said Eva Galperin, of the Electronic Frontier Foundation, an Internet civil liberties group. “If you sell it to a country that obeys the rule of law, they may use it for law enforcement. If you sell it to a country where the rule of law is not so strong, it will be used to monitor journalists and dissidents.”

Until Mr. Marquis-Boire and Mr. Marczak stumbled upon FinSpy last May, security researchers had tried, unsuccessfully, for a year to track it down. FinSpy gained notoriety in March 2011 after protesters raided Egypt’s state security headquarters and discovered a document that appeared to be a proposal by the Gamma Group to sell FinSpy to the government of President Hosni Mubarak for $353,000. It is unclear whether that transaction was ever completed.

Martin J. Muench, a Gamma Group managing director, said his company did not disclose its customers. In an e-mail, he said the Gamma Group sold FinSpy to governments only to monitor criminals and that it was most frequently used “against pedophiles, terrorists, organized crime, kidnapping and human trafficking.”

In May, Mr. Marquis-Boire, 32, of San Francisco, and Mr. Marczak, 24, of Berkeley, Calif., volunteered to analyze some suspicious e-mails sent to three Bahraini activists. They discovered all the e-mails contained spyware that reported back to the same command-and-control server in Bahrain. The apparent use of the spyware to monitor Bahraini activists, none of whom had any criminal history, suggested that it had been used more broadly.

Bahrain has been increasingly criticized for human rights abuses. This month, a 16-year-old Bahraini protester was killed in what activists said was a brutal attack by security forces, but which Bahrain’s government framed as self-defense.

The findings of the two men came as no surprise to those in the field. “There has been a clear increase in the availability of penetrating cyberattack tools,” said Sameer Bhalotra, President Obama’s former senior director for cybersecurity who now serves as the chief operating officer of Impermium, a computer security firm. “These were once the realm of the black market and intelligence agencies. Now they are emerging more and more. The problem is that it only requires small changes to apply a surveillance tool for attack, and in this case it looks like dissidents were targeted.”

Since publishing their findings, Mr. Marquis-Boire and Mr. Marczak have started receiving malware samples from other security researchers and from activist groups that suspected they may have been targets. In several cases, the two found that the samples reported back to Web sites run by the Gamma Group. But other samples appeared to be actively snooping for foreign governments.

A second set of researchers from Rapid7, of Boston, scoured the Internet for links to the software and discovered it running in 10 more countries. Indeed, the spyware was running off EC2, an cloud storage service. Amazon did not return requests for clarification, but Mr. Marczak and Mr. Marquis-Boire said the server appeared to be a proxy, a way to conceal traffic.

Mr. Marquis-Boire said a Turkmenistan server running the software belonged to a range of I.P. addresses specifically assigned to the ministry of communications. It is the first clear-cut case of a government running the spyware off its own computer system. Human Rights Watch recently called Turkmenistan one of the “world’s most repressive countries” and warned that dissidents faced “constant threat of government reprisal.”

Ms. Galperin of the Electronic Frontier Foundation said, “Nobody in their right mind would claim it is O.K. to sell surveillance to Turkmenistan.”

The Gamma Group would not confirm it sold software to Turkmenistan. A military attaché at the Turkmenistan Embassy in Washington refused to comment.

Mr. Muench, who for the last month has repeatedly denied that the researchers had pinpointed the company’s spyware, sharply reversed course Wednesday.

In a statement released less than an hour after the researchers published their latest findings, Mr. Muench said that a Gamma Group server had been broken into and that several demonstration copies of FinSpy had been stolen.

By Thursday afternoon, several of the FinSpy servers began to disappear, Mr. Marczak said. Servers in Singapore, Indonesia, Mongolia and Brunei went dark, while one in Bahrain briefly shut down before reincarnating elsewhere. Mr. Marquis-Boire said that as he traced spyware from Bahrain to 14 other countries — many of them “places with tight centralized control” — he grew increasingly worried about the people on the other end.

Four months in, he sounds like a man who wants to take a break, but knows he cannot just yet: “I can’t wait for the day when I can sleep in and watch movies and go to the pub instead of analyzing malware and pondering the state of the global cybersurveillance industry.”

Sonntags-Zeitung    21.Oktober 2012

Cyber-Angriff via Schweiz
Attacke auf den Iran mit dem Spionage-Virus Flame lief über Schweizer Server
Von Benno Tuchschmid

Bern     Im Cyberspace ist aus dem kalten Krieg zwischen dem Iran und dem Westen längst ein heisser geworden. Nun ist klar: Die Cyber-Angriffe auf den Iran mit dem Schadprogramm Flame liefen auch über die neutrale Schweiz.

Die Melde- und Analysestelle für Informationssicherung des Bundes (Melani) bestätigt gegenüber der SonntagsZeitung, dass Teile der Kontrollinfrastruktur des Schadprogramms in der Schweiz registriert waren. «Wir haben sofort reagiert und den betroffenen Server in Zusammenarbeit mit dem Provider vom Netz genommen», sagt Max Klaus, Stellvertretender Leiter von Melani. Die zuständigen Behörden seien informiert worden. «Weitere Abklärungen dazu sind im Gange», sagt Klaus. Zum Zeitpunkt der Abschaltung und zum Standort des Servers macht Klaus keine Angaben. Neben der Schweiz sollen auch Hongkong, Vietnam, die Türkei, Deutschland und England als Server-Standorte gedient haben.

Der Cyberkrieg ist eines der geheimnisvollsten Kapitel in der Auseinandersetzung zwischen den USA und dem Iran: Ende Mai hatte das auf Sicherheitssoftware spezialisierte Unternehmen Kaspersky Lab ein Schadprogramm entdeckt. Name: Flame. Ein Programm als Waffe im Kampf gegen das Atomprogramm der Mullahs. Eng verwandt mit dem Stuxnet-Virus, der im Juni 2010 entdeckt wurde. Entwickelt wurde Flame mit dem Ziel, iranische Systeme auszuspionieren. Urheber: unbekannt. Experten ordnen die Attacken israelischen und amerikanischen Geheimdienstkreisen zu.

Gemäss Kaspersky Lab liefen die Angriffe über einen sogenannten C&C-Server. Diese Art Server nimmt in der Steuerung eines Schadprogramms eine zentrale Funktion ein: Er sendet Updates an die Ableger des Spionageprogramms, und er speichert die erbeuteten Daten. Im Fall von Flame waren diese verschlüsselt, sodass nur die Flame-Entwickler sie decodieren konnten.

Laut Marco Preuss, Virenanalyst bei Kaspersky Lab, gibt es zwei Wege, einen Kontrollserver einzurichten. Entweder die Programmierer hacken sich in ein System ein und errichten den Server klandestin. Diese Vorgehensweise ist gemäss Preuss vor allem bei Kriminellen verbreitet. «Unsere Analysen haben ergeben, dass für Flame Server unter falschen Angaben angemietet wurden», sagt Preuss.

Hinweise deuten auf einen verbotenen Nachrichtendienst
Auch Myriam Dunn Cavelty, Cyberwar-Spezialistin beim Center for Security Studies an der ETH Zürich, sagt: «Kriminelle suchen sich den Standort für ihre Kontrollinfrastruktur zufällig aus, staatliche Organisationen mieten Infrastruktur meist an.» Mit anderen Worten: Mit grösster Wahrscheinlichkeit hat sich eine Person in der Schweiz aktiv mit der Einrichtung beschäftigt. Laut Insidern beim Bund deutet damit vieles auf einen verbotenen Nachrichtendienst hin. Wer im Fall Flame an der Einrichtung eines C&C-Servers in der Schweiz beteiligt war, ist unbekannt. «Wir wissen nicht, ob hinter dem Server auch eine Schweizer Person steht», sagt Klaus. Klar ist jedoch, dass Cyberattacken für die Neutralität der Schweiz ein Problem darstellen. Der Nachrichtendienst des Bundes nennt staatlich gesteuerte Cyberspionage im Sicherheitsbericht 2012 als Gefahr für die Schweiz.

Für Laurent Goetschel, Experte für Schweizer Aussenpolitik am Europa-Institut der Universität Basel, ist es allerdings schwierig, der Schweiz beim Flame-Virus etwas vorzuwerfen. Dies, weil die Schweiz erst nachträglich von der Aktion erfuhr. Er sagt aber auch: «Cyberwar stellt die Schweizer Neutralität im Kriegsfall vor ganz neue Probleme. Das wird uns in Zukunft weiter beschäftigen.»

October 23, 2012

In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back

Saudi Aramco’s Khurais plant. A cyberattack wiped out data on three-quarters of Aramco’s PCs. Agence France-Presse/Getty Images

The hackers picked the one day of the year they knew they could inflict the most damage on the world’s most valuable company, Saudi Aramco.

On Aug. 15, more than 55,000 Saudi Aramco employees stayed home from work to prepare for one of Islam’s holiest nights of the year — Lailat al Qadr, or the Night of Power — celebrating the revelation of the Koran to Muhammad.

That morning, at 11:08, a person with privileged access to the Saudi state-owned oil company’s computers, unleashed a computer virus to initiate what is regarded as among the most destructive acts of computer sabotage on a company to date. The virus erased data on three-quarters of Aramco’s corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag.

Leon Panetta, secretary of defense for the United States, called the attack a "significant escalation of the cyber threat." Alex Wong/Getty Images

United States intelligence officials say the attack’s real perpetrator was Iran, although they offered no specific evidence to support that claim. But the secretary of defense, Leon E. Panetta, in a recent speech warning of the dangers of computer attacks, cited the Aramco sabotage as “a significant escalation of the cyber threat.” In the Aramco case, hackers who called themselves the “Cutting Sword of Justice” and claimed to be activists upset about Saudi policies in the Middle East took responsibility.

But their online message and the burning flag were probably red herrings, say independent computer researchers who have looked at the virus’s code.

Immediately after the attack, Aramco was forced to shut down the company’s internal corporate network, disabling employees’ e-mail and Internet access, to stop the virus from spreading.

It could have been much worse. An examination of the sabotage revealed why government officials and computer experts found the attack disturbing. Aramco’s oil production operations are segregated from the company’s internal communications network. Once executives were assured that only the internal communications network had been hit and that not a drop of oil had been spilled, they set to work replacing the hard drives of tens of thousands of its PCs and tracking down the parties responsible, according to two people close to the investigation but who were not authorized to speak publicly about it.

Aramco flew in roughly a dozen American computer security experts. By the time those specialists arrived, they already had a good handle on the virus. Within hours of the attack, researchers at Symantec, a Silicon Valley security company, began analyzing a sample of the virus.

That virus — called Shamoon after a word embedded in its code — was designed to do two things: replace the data on hard drives with an image of a burning American flag and report the addresses of infected computers — a bragging list of sorts — back to a computer inside the company’s network.

Shamoon’s code included a so-called kill switch, a timer set to attack at 11:08 a.m., the exact time that Aramco’s computers were wiped of memory. Shamoon’s creators even gave the erasing mechanism a name: Wiper.

Computer security researchers noted that the same name, Wiper, had been given to an erasing component of Flame, a computer virus that attacked Iranian oil companies and came to light in May. Iranian oil ministry officials have claimed that the Wiper software code forced them to cut Internet connections to their oil ministry, oil rigs and the Kharg Island oil terminal, a conduit for 80 percent of Iran’s oil exports.

It raised suspicions that the Aramco hacking was retaliation. The United States fired one of the first shots in the computer war and has long maintained the upper hand. The New York Times reported in June that the United States, together with Israel, was responsible for Stuxnet, the computer virus used to destroy centrifuges in an Iranian nuclear facility in 2010.

Last May, researchers discovered that Flame had been siphoning data from computers, mainly in Iran, for several years. Security researchers believe Flame and Stuxnet were written by different programmers, but commissioned by the same two nations.

If American officials are correct that Shamoon was designed by Iran, then clues in its code may have been intended to misdirect blame. Shamoon’s programmers inserted the word “Arabian Gulf” into its code. But Iranians refer to that body of water as the Persian Gulf and are very protective of the name. (This year, Iran threatened to sue Google for removing the name Persian Gulf from its online maps.)

After analyzing the software code from the Aramco attack, security experts say that the event involved a company insider, or insiders, with privileged access to Aramco’s network. The virus could have been carried on a USB memory stick that was inserted into a PC.

Aramco’s attackers posted blocks of I.P. addresses of thousands of Aramco PCs online as proof of the attack. Researchers say that only an Aramco employee or contractor with access to the company’s internal network would have been able to grab that list from a disconnected computer inside Aramco’s network and put it online.

Neither researchers nor officials have disclosed the names of the attackers involved. Saudi Aramco said in a statement that it was inappropriate to comment amid an investigation. The company further stated that it does not comment on rumor or speculation.

American intelligence officials blame Iran for a similar, subsequent attack on RasGas, the Qatari natural gas giant, two weeks after the Aramco attack. They also believe Iran engineered computer attacks that intermittently took America’s largest banks offline in September, and last week disrupted the online banking Web sites of Capital One and BB&T.

Multiple requests for comment from Iran’s interests office in Washington and to Iran’s mission to the United Nations in New York brought no response.

The finger-pointing demonstrates the growing concern in the United States among government officials and private industry that other countries have the technology and skill to initiate attacks. “The Iranians were faster in developing an attack capability and bolder in using it than we had expected,” said James A. Lewis, a former diplomat and cybersecurity expert at the Center for Strategic and International Studies. “Both sides are going through a dance to figure out how much they want to turn this into a fight.”

More than two months after the Aramco attack, the company continues to deal with the aftermath. Still, this month employees were not able to gain access to their corporate e-mail and internal network for several days. Until the company’s executives decide its systems are secure, employees can no longer access Aramco’s internal network remotely.

The attack, intelligence officials say, was a wake-up call. “It proved you don’t have to be sophisticated to do a lot of damage,” said Richard A. Clarke, the former counterterrorism official at the National Security Council. “There are lots of targets in the U.S. where they could do the same thing. The attacks were intended to say: ‘If you mess with us, you can expect retaliation.’ ”

SPIEGEL Online    10. Januar 2013, 15:59 Uhr

Cloud Computing
EU-Studie warnt vor Überwachung durch die USA
Von Ole Reißmann

NSA-Zentrale in Maryland: EU-Forscher warnen vor weitreichender Überwachung durch US-Behörden.  AFP

Wie sicher ist Cloud Computing? Forscher warnen in einer Studie im Auftrag des EU-Parlaments eindringlich vor Datentransfers in die USA: Behörden könnten Europäer heimlich und ganz legal überwachen.

Hamburg - US-Behörden können sich heimlich Zugriff auf die Daten europäischer Nutzer bei Cloud-Anbietern wie Google, Facebook oder Dropbox verschaffen. Davor warnt ein Gutachten des Centre D'Etudes Sur Les Conflits und des Centre for European Policy Studies, das vom EU-Parlament in Auftrag gegeben wurde. Die Abgeordneten des Ausschusses für bürgerliche Freiheiten, Justiz und Inneres wollten wissen, ob mit der Zunahme von Cloud Computing auch ein Anstieg von Cyber-Kriminalität einhergehe und ob Handlungsbedarf besteht.

Der besteht laut der Studie "Fighting Cyber Crime and Protecting Privacy in the Cloud" (PDF-Datei) tatsächlich, aber weniger wegen erhöhter Kriminalität. Viel dramatischer sei der Verlust über die Kontrolle der Daten, wenn diese zum Beispiel auf den Servern von US-Anbietern liegen. US-Ermittler können demnach bei einem Gericht einen geheimen Beschluss beantragen und die ausländischen Nutzer überwachen.

Die Sicherheitsgesetze zur Terrorabwehr, die nach dem 11. September 2001 eingeführt wurden, machten es möglich. Mit dem Patriot Act wurden Ermittlern umfassende Abhöraktionen erlaubt, das zunächst befristete Gesetz wurde später dauerhaft verlängert. Während zumindest über die Folgen dieses Gesetzes in der Europäischen Union öffentlich debattiert wurde, sei das bei einem weiteren Gesetz schon nicht mehr der Fall gewesen.

Privatsphäre nicht für Europäer
So wird die Massenüberwachung von Europäern durch den Foreign Intelligence Surveillance Amendment Act (FISAA) von 2008 ermöglicht. In der Europäischen Union gebe es für die Möglichkeit der politischen Massenüberwachung überhaupt kein Bewusstsein, so die Autoren der Studie: Die USA würden überwachen, die Europäische Union sich nicht um den Schutz der Rechte ihrer Bürger kümmern.

Sie empfehlen den Parlamentariern deshalb, sich um Rechtssicherheit beim Cloud Computing zu kümmern. Ihnen wird nahegelegt, mit den USA in Verhandlungen zu treten, damit das Menschenrecht auf Privatsphäre auch für europäische Staatsbürger gelte. Außerdem sollten deutliche Warnungen vorgeschrieben werden: Denn wenn Cloud-Daten von der EU in die USA überführt werden, würden diese dem dortigen Überwachungsapparat ausgesetzt. Das müsse jedem Betroffenen mitgeteilt werden.

Das Online-Magazin "Slate", das am Dienstag über die EU-Studie berichtete, zitiert den US-Botschafter bei der Europäischen Union, William Kennard. Demnach versuchte er im vergangenen Jahr, die Sorgen vor einer Totalüberwachung durch US-Behörden zu zerstreuen. Es gebe rechtliche Vorkehrungen, um die Privatsphäre von Einzelpersonen zu schützen.

Warnung vor NSA-Rechenzentrum
Die Autoren der Studie hat das offenbar nicht beruhigt. Sie verweisen unter anderem auf das gigantische Rechenzentrum, das derzeit vom US-Geheimdienst NSA errichtet wird. Auch den Vortrag eines ehemaligen NSA-Mitarbeiters, des Whistleblowers William Binney, auf der Hackerkonferenz "Hope" in New York im vergangenen Sommer führen sie an. Ende Dezember hatte Binney auf dem Kongress des Chaos Computer Clubs in Hamburg vor der US-Überwachung gewarnt.

Der Bericht wurde im Dezember vorgelegt und könnte nun als Vorlage für die EU-Datenschutzreform dienen. Derzeit verhandeln EU-Kommission und EU-Parlament die Neuordnung des Datenschutzes in Europa. In der Studie geben die Forscher des in Belgien beheimateten Centre D'Etudes Sur Les Conflits detailliert Hinweise zu aktuellen Regularien hinsichtlich des Datenschutzes und des grenzüberschreitenden Datenaustauschs.

Eine weitere Idee der Forscher: Bis zum Jahr 2020 könne man doch dafür sorgen, dass wenigstens 50 Prozent der EU-Dienste auf Cloud-Computern unter vollständiger rechtlicher Kontrolle der Europäischen Union liefen.