Assurances for the deployment of cyber-weapons need to be developed
February 6, 2011
An international Internet security conference in Munich is due to be told today that better assurances for the proper deployment of cyber-weapons need to be quickly developed and treated with the highest priority.
The very influential 'EastWest Institute' is due to present proposals for the cyberspace equivalent of the Geneva convention at the Munich Security Conference, which has included a debate on cyber-security on its agenda for the first time this year.
Delegates to the conference include U.K. Prime Minister David Cameron, German Chancellor Angela Merkel, U.S. Secretary of State Hillary Clinton and Russian Foreign Minister Sergei Lavrov.
The discussion on rules for cyber-conflict follows months after the infamous Stuxnet worm was blamed for infecting industrial control systems and sabotaging centrifuges at controversial Iranian nuclear facilities. Some have described the malware as the world's first cyber-weapon though cyber-espionage in many guises has undoubtedly been practiced by intelligence agencies across the world for many years.
Computer systems underpin the delivery of essential services, including utilities and telecoms as well as banking and government services. Critical national infrastructure systems are most commonly privately held, at least in the U.S. and Europe.
And although attacks against various critical systems are commonplace, they also tend to be low-level information-stealing or denial of service (DoS) exploits. Many independent experts in cyber-security dismiss talk of cyberwar as hype – driven more by the marketing departments of U.S. security contractor giants seeking a new market in cyberspace than by reality on the ground.
Others argue that cyberwarfare or information warfare risks are all too real and illustrated by the denial of services attacks that blitzed Estonia off the web and the Operation Aurora assaults against Google and other high-tech firms as well as Stuxnet, a strain of malware that might inspire other forms of malware that attack industrial control kits, perhaps indiscriminately.
The rules of cyberwarfare seek to establish protected domains – such as hospitals and schools – that are off limits for attack. Proportionality in response to attacks and identifying the source of attacks are also likely to enter the debate.
British government sources told the BBC that they were not convinced of the need for a treaty governing conflict in cyberspace, while they conceded the need for a discussion on proportional response – and, more particularly, on attributing the source of attack.
It is far more difficult to identify the source of a cyber-assault, which can easily be launched from networks of compromised PCs in third-party countries, than the origins of a conventional military assault, which is often preceded by the gathering of troops and tanks.
Government sources told BBC Newsnight: "How strongly should a country or state respond to an attack when you do not know who did it, where they did it from or what their original intention was in the first place? In conventional military terms these questions are easier to answer – not so in the cyber-world."
More similar conferences are expected to be held in the coming months, not just in the E.U. but also in Asia and the United States.
In July 2010, Siemens said it has concocted a program it is making available for detecting and disinfecting malware and viruses attacking its complex power-grid management software.
Siemens's software also controls critical oil & gas refineries and manufacturing plants. The German engineering firm warns that use of the infected software by customers could have the devastating effect of disrupting whole power grids in the U.S., Canada, South America, Europe and Asia.
Siemens began distributing SysClean, a malware and virus scanner made by Trend Micro. It has been updated to remove StuxNet, a worm that spreads by exploiting two separate security flaws in Siemens's SCADA (supervisory control and data acquisition) software and every supported version of Microsoft Windows.
“As each plant is individually configured in a very unique method, we cannot rule out the possibility that removing the malware may affect your plant in any way,” the Siemens advisory said.
The company also advised customers to keep the scanner updated at all times because “there are already some new derivative versions of the original virus around, and we are trying our best to mitigate these and other security issues.”
Recently, Siemens has come under blistering criticism for not removing the security vulnerability two years ago, when, according to Wired.com, the default password threat first came to light.
So far, StuxNet has infected the engineering environment of at least one unidentified Siemens customer, and has since been eliminated, Siemens said.
The company added that there are no known infections of production plants to this day, but warns that there's always the possibility that some could be discovered in the near future.
The worm spreads whenever a system running Siemens's SCADA software is attached to an infected USB stick. The attacks use a recently documented vulnerability in the Windows shortcut feature to take control of customers' personal computers in the workplace. Once there, the worm takes advantage of default passwords in WinCC, the security-prone, problematic SCADA software provided by Siemens.
Late yesterday, Siemens said it has updated WinCC to fix the security vulnerability. For its part, Microsoft has issued a stop-gap fix but hasn't said yet if and when it plans to patch the Windows security flaw.
Chris Wysopal, CTO of application security tools firm Veracode, says: “Siemens has put their own customers at risk with this egregious vulnerability in their software. Worse, is all the many customers from around the world who purchased the software not knowing of any of its many security risks.”
“Software customers that are operating SCADA systems on critical infrastructure such as power grids, oil and gas refineries or their factories with the WinCC software had a duty to their customers to not purchase this troublesome software without proper security testing. It is obvious now that no security tests were ever performed on SCADA before putting it in place in the field – not by Siemens itself and not by the customer. This is totally unacceptable,” added Wysopal.
Source: The EastWest Institute.