Platt Perspective on Business and Technology

From stuxnet to heartbleed – the operational side of national cybersecurity and its issues 1

Posted in business and convergent technologies, in the News by Timothy Platt on July 30, 2014

This is my 16th installment in an occasional series that I have not added to since August 2011, on international cyber-security and the changing nature of threats faced and responses offered to them (see Ubiquitous Computing and Communications, postings 58 and loosely following for Parts 1-15 with my final installment in it up to now available as Stuxnet – a more detailed analysis of its code and update on this still unfolding story.) And this posting is also a direct continuation of Part 27: thoughts concerning the emerging Obama cyber-doctrine 2 of my series Learnable Lessons from Manning, Snowden and Inevitable Others.

And to more fully connect this new installment to its background context, I quote here from the end note for Part 25 of my Learnable Lessons series where I first stated that I would be switching back to this series to continue its narrative thread:

• I said at the end of its Part 24 that I would more fully discuss “the issues of credibility of US companies for their ability to safeguard personal and confidential information about their customers and potential customers that they have gathered.” And I added that I would “also look further into the impact that these surveillance programs and their disclosure have had on telecommunications companies and on online businesses in general. I will do that, … taking a much more operational approach to the topics of national security in an information age, with the gathering and use of zero-day attack vulnerabilities by government agencies, among other cyber resources as they seek to surreptitiously gather, manipulate and disseminate online information. And in anticipation of that I will at least briefly discuss the Olympic Games program that created and launched stuxnet itself. The discussion to come from this is complex and it holds wide ranging importance and for both the public and private sectors and for businesses and individuals.”

First some connecting background: when I wrote my earlier installments to this now-reinitiated series, I focused on how cyber-weapons such as stuxnet can be and will be used in “asymmetric conflicts where one competing side holds what amounts to overwhelming military advantage if only conventional arms are considered, but where stealth and misdirection provided by cyberspace-based approaches can give strength to a seemingly weaker opponent.” And I wrote about how these weapons would be deployed even from countries that hold significant conventional military capabilities and strengths when direct and overt conflict would carry an unacceptably high price but where it was determined that action was required. Cyber-vulnerabilities, in that, are increasingly seen as potential critical systems targets in any such context and circumstance.

And in that context, I wrote about how it can be all but impossible to know with certainty where a weapon such as stuxnet was produced or by whom and certainly when it is still freshly emerging into general awareness from its use in an attack. And I begin this series continuation with a confession; I had already learned about Operation Olympic Games and how it was the most likely source of stuxnet as a weapon, when I was writing about how difficult it can be to really, fully know where a cyber-attack has been launched from. And in this case, the fact that the United States was running a cyber-weapons development project called Olympic Games created a compelling potential source of plausible deniability and misdirection if another nation and its cyber-weapons programs had developed and launched this particular targeted malicious code. So I acknowledge that this US-based program is a credible and even likely source for stuxnet, but in the cyber-conflict arena there is always going to be at least a measure of uncertainty as to source and at times even as to intended target of a cyber-weapon.

That said as background to prior postings and older series, I begin to move forward again.

• I am going to discuss the issues of sources and methods, and why it is so important to safeguard them.
• And then I will discuss the use of zero-day attack vulnerabilities as closely held national intelligence secrets.
• And in that, I will discuss both stuxnet with its four until then publicly unknown zero-day attack vulnerabilities, and heartbleed as a newly publicized zero-day vulnerability. And in this context, I will explicitly discuss the issues that I pointed out as next topics of discussion, as noted in the first bullet point at the top of this posting.

I will begin this collectively four point discussion thread in my next series installment, with this posting serving primarily as a connector for establishing a clearer line of continuity in my ongoing cybersecurity discussions. Meanwhile, you can find this posting and related at Ubiquitous Computing and Communications – everywhere all the time 2 and also see the reference listings at the top of this installment.

