Everybody who has studied cyber warfare has heard the theory that offense has an advantage over defense. While this is usually meant in a technical or tactical sense and can be debated (as I will show later), it is certainly true in politics. While cyber offense is sexy and has easy access to juicy budgets, cyber defense is boring, advocated by few, and has to get along on sparse resources. This disproportion became clear yet again last week in a speech by US Secretary of Defense Leon Panetta.
This week, on my way to Istanbul, I stopped in Bonn to attend the first German Cyber Security Summit, where eighty C-level executives from large German corporations discussed cyber threats and how to address them. I was invited to brief participants from critical infrastructure on cyber attack scenarios. The discussion that followed culminated in the expressed desire for a telephone hotline to a government entity that could be called in case of disaster, a “Cyber GSG-9”. The GSG-9 is a German counter-terrorism unit that was modeled on the Israeli Sayeret Matkal. The unit became famous in 1977 after its successful rescue of hostages from a hijacked Lufthansa airliner in Somalia.
Sep 4, Tel Aviv: INSS International Conference on Cyberspace and National Security
Ralph will talk on Cyber-Physical Attacks and National Security. The conference features an unusual lineup of Stuxnet expertise, as General Michael Hayden and General Amos Yadlin will also be speaking. Hayden was CIA director from 2006 to 2009, and Yadlin headed Aman (Israeli Military Intelligence) from 2006 to 2010.
Sep 13, Istanbul: ICT Summit Eurasia
Ralph will give a keynote address in the Cyber Warfare track of the summit.
In a new book titled Spies Against Armageddon, Dan Raviv and Yossi Melman report some previously unknown details about Operation Olympic Games. The authors support David Sanger’s reporting that Siemens built the complex instrumentation and control systems in Natanz (and, as an aside, also acknowledge the role of INL in Stuxnet’s development). However, unlike Confront and Conceal, Raviv and Melman report that Siemens cooperated with Israel and the US in the development of the worm, in an arrangement facilitated by the German BND (Bundesnachrichtendienst). Quote: “The directors of Siemens may have felt pangs of conscience, or were simply reacting to public pressure, as newspapers pointed out that it was Iran’s largest trading partner in Germany.” (Page 10)
If Raviv and Melman are correct, it would support our hypothesis from Oct 7, 2010 that the United States and Israel didn’t act alone but with the help of a Third Man, of German nationality. It’s not very difficult to imagine that the German government might have given the Munich-based corporation some incentive and legal immunity for helping to cripple the very same systems that it reportedly had installed and maintained for the Islamic Republic. For decades, Siemens enjoyed an intimate relationship with the BND simply because of its telecommunications business. Conscious involvement in the operation could also explain the bizarre tidbit that back in August 2010, Siemens’ top management gave a direct order to the company’s own CERT to stop analyzing Stuxnet.
As a side note, the fact that considerable detail on this operation of historical proportions was leaked can now be explained more easily by keeping in mind how many different organizations were involved: the Pentagon, NSA, CIA, US Department of Energy (INL, ORNL), HaMossad, Aman (Israel Defense Forces Intelligence Service), BND (Bundesnachrichtendienst), plus employees of a private company (Siemens). Our earlier estimate that around fifty people would have been involved now appears to have been a gross underestimate.
Credit to Larry Constantine for pointing out Spies Against Armageddon.
Several people asked me to comment on Confront and Conceal, as there appear to be some more or less obvious technical inaccuracies in the book’s much-quoted Stuxnet chapter. However, exposing those would be nitpicking and misleading. With respect to Confront and Conceal, the question is not what experts in critical infrastructure protection can tell journalism; it’s what we can learn from the latter. The impact of David Sanger’s book is equivalent to an earthquake shaking the supposedly solid ground that the industry used to operate on.
David Sanger is by far the best-informed journalist on the Iranian nuclear program that I have talked to, and he has summarized his reporting on Stuxnet in a piece that appeared in The New York Times. The big picture that David paints is a must-read for everyone interested in cyberwar and is largely consistent with our own research results. One technical detail that makes little sense is the theory that Stuxnet broke out of Natanz (rather than into it) because of a software bug introduced by the Israelis; this sounds like an attempt (by one of the sources) to put the blame for an unanticipated side effect of a design feature on somebody else.
What does make a lot of sense is the aspect of psychological warfare that is highlighted in the article. The virus operates so stealthily that many of its effects will have been attributed to operator error. Uranium enrichment is a slow process that is in large part controlled by manual input, even with digital controllers installed. We had already discussed internally that, more than once, operators would have been fired or worse. Ultimately it might have become difficult to recruit people willing to take the risky job.
After reading the article, cynical observers of US politics who tend to criticize US government agencies for lack of cooperation could conclude that Stuxnet finally made it happen: NSA, CIA, DoD and DoE joined forces to create a historically new type of super-weapon, orchestrated by a President who at least was “aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s”. According to the article’s closing paragraph, Obama was aware of the risk of backfire. While this is good to know, it should be noted that US critical infrastructure and chemical plants are still as vulnerable to copycat attacks as they were two years ago, when the worm was discovered and early warnings were given.
Recently Ralph talked at S4 in Miami about technical details of Stuxnet’s attack code. If you’re interested in what type of material we’re looking at for our Stuxnet analysis, and how we obtained that material, watch the 45-minute video recording here. Be advised, though, that things get very technical.
Identifying Stuxnet’s target with 100% confidence / Why Stuxnet’s source code is not needed for substantial copycat attacks / Details on attacker strategy (“not a Pentagon job”).