<p>Stuxnet – The Conversation</p>
<h1>With cyberattacks growing more frequent and disruptive, a unified approach is essential</h1>
<p>2021-06-29</p>
<figure><img src="https://images.theconversation.com/files/408907/original/file-20210629-13-1epba76.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C6000%2C3428&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Cyberwarfare will require new defensive measures by government and corporations.</span> <span class="attribution"><span class="source">(Shutterstock)</span></span></figcaption></figure>
<p>Cyberwarfare consists of co-ordinated <a href="https://www.jstor.org/stable/43995904">attacks of mass disruption (AMD)</a>. In the June summit between U.S. and Russian presidents Joe Biden and Vladimir Putin, cyberwarfare was a topic of discussion. While the Biden-Putin summit appears to be “<a href="https://www.washingtonpost.com/politics/2021/06/16/biden-putin-live-updates/">quite constructive</a>,” cyberwarfare remains perplexing to politicians.</p>
<p>Attacks of mass disruption are similar to the latest ransomware attacks on <a href="https://theconversation.com/the-colonial-pipeline-ransomware-attack-and-the-solarwinds-hack-were-all-but-inevitable-why-national-cyber-defense-is-a-wicked-problem-160661">SolarWinds and Colonial Pipeline</a> — imagine several co-ordinated similar attacks. For the time being, organizations should prepare for increasing disruptions and data losses caused by ransomware.</p>
<p>Attacks of mass disruption may not cause massive casualties, but nations could lose their ability to function and respond to adversaries, economies can be crippled and governments may be undermined. The <a href="https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/">2015 cyberattack on Ukraine</a> presented a scenario of grounding a nation using a well co-ordinated <a href="https://ieeexplore.ieee.org/document/7752958">cyberattack</a>.</p>
<p>The <a href="https://doi.org/10.1016/j.tej.2017.02.006">lessons are clear</a> — the impact of cyberattacks is too serious to ignore and pre-planned contingencies may be the only thing that works to address them.</p>
<h2>Cyberattack losses</h2>
<p>In 2020, <a href="https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/">IBM estimated US$1.5 billion in losses from known observed cyberattacks</a>.</p>
<p>Over the past two decades, two factors have contributed to the possibility of cyberwarfare. First is the <a href="https://www.pewresearch.org/internet/2019/10/28/5-leading-concerns-about-the-future-of-digital-life/">increased reliance</a> on digital infrastructure and systems. Second is the continuous <a href="https://theconversation.com/growth-in-data-breaches-shows-need-for-government-regulations-127600">increase in damages</a> inflicted by criminal or state-based cyberattacks. </p>
<p>These provide sufficient justification for experts to <a href="https://www.dni.gov/files/PE/Documents/6---2017-AEP_The-Future-of-Ransomware-and-Social-Engineering.pdf">sound the alarm</a> <a href="https://www.belfercenter.org/publication/strategic-advantage-why-america-should-care-about-cybersecurity">on cybersecurity</a>.</p>
<p>Other factors increase the risks even more. The complexity of the modern economy and its supply chains creates an environment of highly impactful disruptions. Attacks of mass disruption on seemingly irrelevant but well-selected entities — like infrastructure companies — could trigger a domino effect that causes disruptions and economic losses far beyond the scale of the target.</p>
<p>Russia used U.S. cyberinfrastructure to <a href="https://www.cfr.org/backgrounder/russia-trump-and-2016-us-election">influence the 2016 election</a>. In May 2021, there were attacks on <a href="https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html">software developer SolarWinds Inc.</a>, <a href="https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password">oil infrastructure company Colonial Pipeline</a> and <a href="https://www.bbc.com/news/world-us-canada-57318965">JBS, the world’s largest meat supplier</a>.</p>
<p>Currently, most cyberattacks originating from Russia use known tactics like email phishing, <a href="https://www.cisa.gov/ransomware-alerts-and-tips">ransomware-as-a-service</a> and poor password practices.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/Xes6ZgV1Iww?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">The Wall Street Journal looks at how the U.S. can protect itself against cyberattacks.</span></figcaption>
</figure>
<h2>Treaty challenges</h2>
<p>A <a href="https://csrc.nist.gov/glossary/term/zero_day_attack">zero-day vulnerability</a> is one that is unknown to defenders until the first time it is exploited, like when the malicious program Stuxnet was <a href="https://ieeexplore.ieee.org/document/9390103">successfully used as a digital “dirty bomb” to curb Iranian nuclear ambition</a>.</p>
<p>The U.S. is known to exploit hardware vulnerabilities through highly sophisticated means, maintaining the upper hand in the ability to perform silent attacks.</p>
<p>Calls to bring governments together to <a href="https://www.wilsoncenter.org/sites/default/files/media/documents/publication/arms_control_in_cyberspace.pdf">sign a treaty similar to other arms-control treaties</a> have mounted lately. To address the complexities of cyberwarfare, <a href="https://www.belfercenter.org/publication/world-needs-arms-control-treaty-cybersecurity">political scientist Joseph Nye</a> and <a href="https://www.washingtonpost.com/opinions/the-world-needs-an-arms-control-treaty-for-cybersecurity/2015/10/01/20c3e970-66dd-11e5-9223-70cb36460919_story.html">others have proposed a nuclear-like treaty</a>, in particular, due to the ability of nuclear treaties to precisely spell out details.</p>
<p>Most efforts to control attacks of mass disruption have either led to <a href="https://thediplomat.com/2018/08/did-the-obama-xi-cyber-agreement-work/">limited-scope agreements</a>, or completely fallen apart before they were signed.</p>
<p>Unfortunately, cyberattacks do not use observable weapons that can be monitored for compliance. Further, there is only a fine line between criminal and state-based attacks, and the two can be hard to distinguish. An attack on a gas pipeline or a meat-packing facility may appear criminal, but can trigger serious chain events beyond the immediate targets.</p>
<p>The rapid technological changes and advances in cyberattacks make it hard to predict the strategies of future attacks of mass disruption in order to address them in a treaty.</p>
<h2>Protecting against attacks</h2>
<p>Most attacks of mass disruption exploit vulnerabilities that are easy to fix by maintaining <a href="https://www.nist.gov/blogs/taking-measure/identify-protect-detect-respond-and-recover-nist-cybersecurity-framework">normal digital hygiene</a> and a vigilant attitude to email phishing and password management. </p>
<p>Organizations need to get serious about those practices because, as with COVID-19, vigilant proactive precautions can lessen the problem to a great extent.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/408927/original/file-20210629-28-pdiswm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="four government officials seated in front of a row of flags" src="https://images.theconversation.com/files/408927/original/file-20210629-28-pdiswm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/408927/original/file-20210629-28-pdiswm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/408927/original/file-20210629-28-pdiswm.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/408927/original/file-20210629-28-pdiswm.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/408927/original/file-20210629-28-pdiswm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/408927/original/file-20210629-28-pdiswm.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/408927/original/file-20210629-28-pdiswm.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Government officials provided an update on the cyberattacks that affected the Canada Revenue Agency in August 2020.</span>
<span class="attribution"><span class="source">THE CANADIAN PRESS/Sean Kilpatrick</span></span>
</figcaption>
</figure>
<p>Protective measures can be imposed through national legislation. A national debate is required to develop consensus on the level of government intervention and the levels of protections for different data types. This should result in a call for strong legislation forcing organizations to maintain high levels of security like off-site backups and <a href="https://www.europeanleadershipnetwork.org/wp-content/uploads/2020/06/Cyber-arms-control.pdf">other protective measures</a>.</p>
<p>Vulnerabilities embedded deep in hardware and operating systems, on the other hand, cannot be mitigated by normal digital hygiene. The U.S. has the upper hand on those vulnerabilities; hence, the cybersecurity arms balance is tilted in favour of the U.S.</p>
<p>Historically, nations do not settle an arms race until a <a href="https://www.britannica.com/topic/mutual-assured-destruction">mutual assured destruction situation</a> presents itself. Russian cyberattacks could be viewed as an attempt to reach this point. Until we get <a href="https://www.state.gov/wp-content/uploads/2020/10/T-paper-series-Cybersecurity-Format-508.pdf">closer to the mutual assured destruction point</a>, do not expect an international treaty anytime soon. Instead, expect more cyberattacks and data losses. Organizations and governments need to get serious and buckle up — it’s going to be a rough ride.</p>
<p class="fine-print"><em><span>Yasser Morgan receives funding from NSERC-DG</span></em></p>
<p>Co-ordinated cyberattacks can create massive disruptions to infrastructure and supply chains. New treaties are needed to prevent cyberwarfare, but it’s challenging to predict technological advances.</p>
<p>Yasser Morgan, Professor, Engineering, University of Regina</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>US and Iran have a long, troubled history</h1>
<p>2020-01-16</p>
<figure><img src="https://images.theconversation.com/files/310315/original/file-20200115-134764-71x1uk.jpg?ixlib=rb-1.1.0&rect=0%2C233%2C6490%2C2841&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/american-flag-iranian-political-map-shape-1610522878">Benny Marty/Shutterstock.com</a></span></figcaption></figure><p>Relations between the United States and Iran have been fraught for decades – at least since the U.S. helped overthrow a democracy-minded prime minister, Mohammed Mossadegh, in August 1953. The U.S. then supported the long, repressive reign of the shah of Iran, whose security services brutalized Iranian citizens for decades.</p>
<p>The two countries have been particularly hostile to each other since Iranian students took over the U.S. Embassy in Tehran in November 1979, resulting in, among other consequences, <a href="https://www.state.gov/iran-sanctions/">economic sanctions</a> and the <a href="https://theconversation.com/how-countries-in-conflict-like-iran-and-the-us-still-talk-to-each-other-129591">severing of formal diplomatic relations</a> between the nations. Since 1984, the U.S. State Department has listed Iran as a “<a href="https://www.state.gov/state-sponsors-of-terrorism/">state sponsor of terrorism</a>,” alleging the Iranian government provides terrorists with <a href="https://2009-2017.state.gov/j/ct/rls/crt/2013/224826.htm">training, money and weapons</a>. </p>
<p>Some of the major events in U.S.-Iran relations highlight the differences between the nations’ views, but others arguably presented real opportunities for reconciliation.</p>
<h2>1953: US overthrows Mossadegh</h2>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/310082/original/file-20200114-151825-1buge0n.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/310082/original/file-20200114-151825-1buge0n.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/310082/original/file-20200114-151825-1buge0n.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=825&fit=crop&dpr=1 600w, https://images.theconversation.com/files/310082/original/file-20200114-151825-1buge0n.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=825&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/310082/original/file-20200114-151825-1buge0n.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=825&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/310082/original/file-20200114-151825-1buge0n.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=1037&fit=crop&dpr=1 754w, https://images.theconversation.com/files/310082/original/file-20200114-151825-1buge0n.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=1037&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/310082/original/file-20200114-151825-1buge0n.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=1037&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Mohammed Mossadegh.</span>
<span class="attribution"><a class="source" href="https://commons.wikimedia.org/wiki/File:Mohammed_Mossadegh_in_middle_age.jpg">Wikimedia Commons</a></span>
</figcaption>
</figure>
<p>In 1951, the Iranian Parliament chose a new prime minister, Mohammad Mossadegh, who then led lawmakers to vote in favor of <a href="https://www.cbsnews.com/news/bp-and-iran-the-forgotten-history">taking over the Anglo-Iranian Oil Company</a>, expelling the company’s British owners and saying they wanted to turn oil profits into investments in the Iranian people. The U.S. feared disruption in the global oil supply and worried about Iran falling prey to Soviet influence. The British feared the loss of cheap Iranian oil. </p>
<p>Unable to settle the dispute, President Dwight Eisenhower decided it was best for the U.S. and the U.K. to get rid of Mossadegh. Operation Ajax, <a href="https://www.nytimes.com/2000/04/16/world/secrets-history-cia-iran-special-report-plot-convulsed-iran-53-79.html">a joint CIA-British operation</a>, convinced the shah of Iran, the country’s monarch, to dismiss Mossadegh and drive him from office by force. Mossadegh was replaced by a much more Western-friendly prime minister, <a href="https://archive.nytimes.com/www.nytimes.com/library/world/mideast/041600iran-cia-index.html?_r=0">hand-picked by the CIA</a>.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/310071/original/file-20200114-151844-12qrf5n.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/310071/original/file-20200114-151844-12qrf5n.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/310071/original/file-20200114-151844-12qrf5n.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=397&fit=crop&dpr=1 600w, https://images.theconversation.com/files/310071/original/file-20200114-151844-12qrf5n.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=397&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/310071/original/file-20200114-151844-12qrf5n.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=397&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/310071/original/file-20200114-151844-12qrf5n.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=499&fit=crop&dpr=1 754w, https://images.theconversation.com/files/310071/original/file-20200114-151844-12qrf5n.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=499&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/310071/original/file-20200114-151844-12qrf5n.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=499&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Demonstrators in Tehran demand the establishment of an Islamic Republic.</span>
<span class="attribution"><a class="source" href="http://www.apimages.com/metadata/Index/Watchf-Associated-Press-International-News-IRAN-/7598c27645984aa982d79f639e2b9986/18/0">AP Photo/Saris</a></span>
</figcaption>
</figure>
<h2>1979: Revolutionaries oust the shah, take hostages</h2>
<p>After <a href="https://www.theperspective.com/subjective-timeline/politics/us-iran-relations-ww2-hostage-crisis/">more than 25 years</a> of relative stability in U.S.-Iran relations, the <a href="https://www.rferl.org/a/iran-politics-revolution/29752729.html">Iranian public had grown unhappy</a> with the social and economic conditions that developed under the dictatorial rule of Shah Mohammad Reza Pahlavi. </p>
<p>Pahlavi enriched himself and used American aid to fund the military while many Iranians lived in poverty. Dissent was often violently quashed by <a href="https://www.washingtonpost.com/archive/politics/1977/05/09/savak-a-feared-and-pervasive-force/ad609959-d47b-4b7f-8c8d-b388116df90c/">SAVAK, the shah’s security service</a>. In January 1979, <a href="https://apnews.com/343d87fdb960424e9ec0f4a90dc64fcb">the shah left Iran</a>, ostensibly to seek cancer treatment. <a href="https://www.history.com/this-day-in-history/ayatollah-khomeini-returns-to-iran">Two weeks later, Ayatollah Ruhollah Khomeini returned from exile</a> in Iraq and led a drive to abolish the monarchy and proclaim an Islamic government.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/310075/original/file-20200114-151834-l4t7a7.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/310075/original/file-20200114-151834-l4t7a7.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/310075/original/file-20200114-151834-l4t7a7.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=431&fit=crop&dpr=1 600w, https://images.theconversation.com/files/310075/original/file-20200114-151834-l4t7a7.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=431&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/310075/original/file-20200114-151834-l4t7a7.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=431&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/310075/original/file-20200114-151834-l4t7a7.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=542&fit=crop&dpr=1 754w, https://images.theconversation.com/files/310075/original/file-20200114-151834-l4t7a7.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=542&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/310075/original/file-20200114-151834-l4t7a7.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=542&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Iranian students at the U.S. Embassy in Tehran show a blindfolded American hostage to the crowd in November 1979.</span>
<span class="attribution"><a class="source" href="http://www.apimages.com/metadata/Index/Iran-Hostage-Crisis-Timeline/298028f123e3417bad960911275bd097/41/0">AP Photo, File</a></span>
</figcaption>
</figure>
<p>In October 1979, <a href="https://www.nytimes.com/1981/05/17/magazine/why-carter-admitted-the-shah.html">President Jimmy Carter agreed to allow the shah</a> to come to the U.S. to seek advanced medical treatment. Outraged Iranian students <a href="https://www.nytimes.com/1979/11/05/archives/teheran-students-seize-us-embassy-and-hold-hostages-ask-shahs.html">stormed the U.S. Embassy</a> in Tehran on Nov. 4, taking 52 Americans hostage. That convinced Carter to sever U.S. diplomatic relations with Iran on April 7, 1980. </p>
<p>Two weeks later, the U.S. military launched a mission to rescue the hostages, but <a href="https://www.theatlantic.com/magazine/archive/2006/05/the-desert-one-debacle/304803/">it failed, with aircraft crashes in the Iranian desert</a> killing eight U.S. servicemembers.</p>
<p>The shah died in Egypt in July 1980, but the hostages weren’t released until Jan. 20, 1981, after 444 days of captivity. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/310079/original/file-20200114-151839-1toy017.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/310079/original/file-20200114-151839-1toy017.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/310079/original/file-20200114-151839-1toy017.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=402&fit=crop&dpr=1 600w, https://images.theconversation.com/files/310079/original/file-20200114-151839-1toy017.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=402&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/310079/original/file-20200114-151839-1toy017.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=402&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/310079/original/file-20200114-151839-1toy017.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=505&fit=crop&dpr=1 754w, https://images.theconversation.com/files/310079/original/file-20200114-151839-1toy017.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=505&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/310079/original/file-20200114-151839-1toy017.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=505&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">An Iranian cleric, left, and an Iranian soldier wear gas masks to protect themselves against Iraqi chemical-weapons attacks in May 1988.</span>
<span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/an-iranian-clergyman-wearing-a-turban-and-gas-mask-stands-news-photo/104045722">Kaveh Kazemi/Getty Images</a></span>
</figcaption>
</figure>
<h2>1980-1988: US tacitly sides with Iraq</h2>
<p>In September 1980, <a href="http://news.bbc.co.uk/2/hi/middle_east/4260420.stm">Iraq invaded Iran</a>, an escalation of the two countries’ regional rivalry and religious differences: Iraq was governed by Sunni Muslims but had a Shia Muslim majority population; <a href="https://www.pewresearch.org/fact-tank/2014/06/18/the-sunni-shia-divide-where-they-live-what-they-believe-and-how-they-view-each-other/">Iran was led and populated mostly by Shiites</a>. </p>
<p>The U.S. was concerned that the conflict would limit the flow of Middle Eastern oil and wanted to ensure the conflict didn’t affect its close ally, Saudi Arabia.</p>
<p>The U.S. <a href="https://foreignpolicy.com/2013/08/26/exclusive-cia-files-prove-america-helped-saddam-as-he-gassed-iran/">supported Iraqi leader Saddam Hussein</a> in his fight against the anti-American Iranian regime. As a result, the U.S. mostly turned a blind eye toward Iraq’s <a href="https://nsarchive2.gwu.edu/NSAEBB/NSAEBB82/iraq24.pdf">“almost daily” use of chemical weapons</a> against Iran. </p>
<p>U.S. officials moderated their usual opposition to those illegal and inhumane weapons because the U.S. State Department did not “<a href="https://nsarchive2.gwu.edu/NSAEBB/NSAEBB82/iraq25.pdf">wish to play into Iran’s hands</a> by fueling its propaganda against Iraq.” In 1988, <a href="https://www.history.com/topics/middle-east/iran-iraq-war">the war ended in a stalemate</a>, with a combined total of more than 500,000 military deaths and 100,000 civilians dead on both sides.</p>
<h2>1981-1986: US secretly sells weapons to Iran</h2>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/310081/original/file-20200114-151834-1nysw20.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/310081/original/file-20200114-151834-1nysw20.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/310081/original/file-20200114-151834-1nysw20.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=860&fit=crop&dpr=1 600w, https://images.theconversation.com/files/310081/original/file-20200114-151834-1nysw20.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=860&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/310081/original/file-20200114-151834-1nysw20.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=860&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/310081/original/file-20200114-151834-1nysw20.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=1080&fit=crop&dpr=1 754w, https://images.theconversation.com/files/310081/original/file-20200114-151834-1nysw20.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=1080&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/310081/original/file-20200114-151834-1nysw20.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=1080&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Lt. Col. Oliver North is sworn in to testify before Congress about a U.S. deal to sell weapons to Iran, in breach of an embargo, and use the money to support rebels in Nicaragua.</span>
<span class="attribution"><a class="source" href="http://www.apimages.com/metadata/Index/Watchf-AP-A-DC-USA-APHS-Iran-Contra-North/6873ba10cf0d45d6ac31f6063ad350d0/90/0">AP Photo/Lana Harris</a></span>
</figcaption>
</figure>
<p>The U.S. <a href="https://www.belfercenter.org/sites/default/files/files/publication/Iran%20Sanctions.pdf">imposed an arms embargo</a> after Iran was designated a state sponsor of terrorism in 1984. That left the Iranian military, in the middle of its war with Iraq, desperate for weapons and aircraft and vehicle parts to keep fighting.</p>
<p>The Reagan administration <a href="https://www.nytimes.com/1991/12/08/world/iran-pipeline-hidden-chapter-special-report-us-said-have-allowed-israel-sell.html">decided that the embargo would likely push Iran</a> to seek support from the Soviet Union, the U.S.’s rival in the Cold War. Rather than formally ending the embargo, U.S. officials agreed to <a href="https://www.nytimes.com/1991/12/08/world/iran-pipeline-hidden-chapter-special-report-us-said-have-allowed-israel-sell.html">secretly sell weapons to Iran</a> starting in 1981. Later, the transactions were justified as incentives to help Iran persuade militants to release <a href="https://www.nytimes.com/1988/11/27/books/arms-for-hostages-plain-and-simple.html">U.S. hostages being held in Lebanon</a>. </p>
<p>The last shipment, of anti-tank missiles, was in October 1986. In November of that year, a Lebanese magazine exposed the deal. That revelation sparked the Iran-Contra scandal in the U.S., in which Reagan’s officials were found to have collected money from Iran for the weapons, and <a href="https://www.nytimes.com/1987/07/10/world/iran-contra-hearings-boland-amendments-what-they-provided.html">illegally sent those funds to anti-socialist rebels</a> – the Contras – in Nicaragua.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/310083/original/file-20200114-151867-1rhhgcv.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/310083/original/file-20200114-151867-1rhhgcv.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/310083/original/file-20200114-151867-1rhhgcv.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=409&fit=crop&dpr=1 600w, https://images.theconversation.com/files/310083/original/file-20200114-151867-1rhhgcv.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=409&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/310083/original/file-20200114-151867-1rhhgcv.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=409&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/310083/original/file-20200114-151867-1rhhgcv.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=514&fit=crop&dpr=1 754w, https://images.theconversation.com/files/310083/original/file-20200114-151867-1rhhgcv.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=514&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/310083/original/file-20200114-151867-1rhhgcv.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=514&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">At a mass funeral for 76 of the 290 people killed in the shootdown of Iran Air 655, mourners hold up a sign depicting the incident.</span>
<span class="attribution"><a class="source" href="http://www.apimages.com/metadata/Index/Watchf-AP-I-IRN-APHS166203-USS-Vincennes-Iran-A-/cb6c1e3b2e77457b97c5e10a9f225a81/7/0">AP Photo/CP/Mohammad Sayyad</a></span>
</figcaption>
</figure>
<h2>1988: US Navy shoots down Iran Air flight 655</h2>
<p>On the morning of July 8, 1988, the USS Vincennes, a guided missile cruiser patrolling in the international waters of the Persian Gulf, <a href="https://slate.com/news-and-politics/2014/07/the-vincennes-downing-of-iran-air-flight-655-the-united-states-tried-to-cover-up-its-own-destruction-of-a-passenger-plane.html">entered Iranian territorial waters</a> while in a <a href="https://www.cnn.com/2020/01/10/middleeast/iran-air-flight-655-us-military-intl-hnk/index.html">skirmish with Iranian gunboats</a>. </p>
<p>Either during or just after that exchange of gunfire, the Vincennes crew mistook a passing civilian Airbus passenger jet for an Iranian F-14 fighter. They shot it down, killing all 290 people aboard. </p>
<p>The U.S. called it a “<a href="https://www.jag.navy.mil/library/investigations/VINCENNES%20INV.pdf">tragic and regrettable accident</a>,” but Iran believed the plane’s downing was intentional. In 1996, the U.S. agreed to pay US$131.8 million in compensation to Iran.</p>
<h2>1997-1998: The US seeks contact</h2>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/310085/original/file-20200114-151880-s8yzsx.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/310085/original/file-20200114-151880-s8yzsx.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/310085/original/file-20200114-151880-s8yzsx.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/310085/original/file-20200114-151880-s8yzsx.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/310085/original/file-20200114-151880-s8yzsx.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/310085/original/file-20200114-151880-s8yzsx.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/310085/original/file-20200114-151880-s8yzsx.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/310085/original/file-20200114-151880-s8yzsx.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Iranian President Mohammad Khatami.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/istanbul-turkey-november-12-iranian-reformist-276222344">Prometheus72/Shutterstock.com</a></span>
</figcaption>
</figure>
<p>In August 1997, a moderate reformer, Mohammad Khatami, won Iran’s presidential election. </p>
<p>U.S. President Bill Clinton sensed an opportunity for improved relations between the two countries. He <a href="https://www.washingtonpost.com/wp-srv/inatl/longterm/iran/stories/iran010998.htm">sent a message to Tehran</a> through the Swiss ambassador there, proposing direct government-to-government talks. </p>
<p>Shortly thereafter, in early January 1998, Khatami gave an interview to CNN in which he expressed “<a href="http://www.cnn.com/WORLD/9801/07/iran/interview.html">respect for the great American people</a>,” denounced terrorism and recommended an “exchange of professors, writers, scholars, artists, journalists and tourists” between the United States and Iran. </p>
<p>However, Supreme Leader Ayatollah Ali Khamenei didn’t agree, so not much came of the mutual overtures as Clinton’s time in office came to an end. In 2000, U.S. Secretary of State Madeleine Albright spoke to the U.S.-based American-Iranian Council and <a href="https://1997-2001.state.gov/statements/2000/000317.html">acknowledged the government’s role in the 1953 ouster of Mossadegh</a>, but punctuated her remarks with criticism of Iranian domestic politics. </p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/310088/original/file-20200114-93792-nwnm70.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/310088/original/file-20200114-93792-nwnm70.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/310088/original/file-20200114-93792-nwnm70.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=399&fit=crop&dpr=1 600w, https://images.theconversation.com/files/310088/original/file-20200114-93792-nwnm70.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=399&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/310088/original/file-20200114-93792-nwnm70.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=399&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/310088/original/file-20200114-93792-nwnm70.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=501&fit=crop&dpr=1 754w, https://images.theconversation.com/files/310088/original/file-20200114-93792-nwnm70.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=501&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/310088/original/file-20200114-93792-nwnm70.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=501&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">President George W. Bush delivers the 2002 State of the Union address.</span>
<span class="attribution"><a class="source" href="https://commons.wikimedia.org/wiki/File:President_Bush_at_State_of_the_Union.jpg">Eric Draper/White House/Wikimedia Commons</a></span>
</figcaption>
</figure>
<p>In his <a href="https://www.washingtonpost.com/wp-srv/onpolitics/transcripts/sou012902.htm">2002 State of the Union address</a>, President George W. Bush characterized Iran, Iraq and North Korea as constituting an “Axis of Evil” supporting terrorism and pursuing weapons of mass destruction, straining relations even further.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/310095/original/file-20200114-151887-11s0sgv.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/310095/original/file-20200114-151887-11s0sgv.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/310095/original/file-20200114-151887-11s0sgv.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=227&fit=crop&dpr=1 600w, https://images.theconversation.com/files/310095/original/file-20200114-151887-11s0sgv.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=227&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/310095/original/file-20200114-151887-11s0sgv.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=227&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/310095/original/file-20200114-151887-11s0sgv.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=285&fit=crop&dpr=1 754w, https://images.theconversation.com/files/310095/original/file-20200114-151887-11s0sgv.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=285&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/310095/original/file-20200114-151887-11s0sgv.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=285&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Inside these buildings at the Natanz nuclear facility in Iran, technicians enrich uranium.</span>
<span class="attribution"><a class="source" href="http://www.apimages.com/metadata/Index/Associated-Press-International-News-Iran-IRAN-NUCLEAR/16101ec8c3e4da11af9f0014c2589dfb/139/0">AP Photo/Vahid Salemi</a></span>
</figcaption>
</figure>
<h2>2002: Iran’s nuclear program raises alarm</h2>
<p>In August 2002, an exiled rebel group announced that <a href="https://www.iranwatch.org/library/international-organization/international-atomic-energy-agency-iaea/other-iaea-document/irans-nuclear-power-profile-iaea">Iran had been secretly working on nuclear weapons</a> at two installations that had not previously been publicly revealed. </p>
<p>That was a violation of the terms of <a href="https://www.armscontrol.org/factsheets/nptfact">the Nuclear Nonproliferation Treaty</a>, which Iran had signed, requiring countries to disclose their nuclear-related facilities to international inspectors. </p>
<p>One of those formerly secret locations, Natanz, housed centrifuges for enriching uranium, which could be used in civilian nuclear reactors or enriched further for weapons. </p>
<p>Starting in roughly 2005, U.S. and Israeli government cyberattackers together reportedly targeted the Natanz centrifuges with a custom-made piece of malicious software that <a href="https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html">became known as Stuxnet</a>.</p>
<p>That effort, which <a href="https://www.jpost.com/Iranian-Threat/News/Stuxnet-virus-set-back-Irans-nuclear-program-by-2-years">slowed down Iran’s nuclear program</a>, was <a href="https://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html">one of many U.S. and international attempts</a> – mostly unsuccessful in the long term – to curtail Iran’s progress toward building a nuclear bomb.</p>
<h2>2003: Iran writes to Bush administration</h2>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/310090/original/file-20200114-151887-y4iwpm.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/310090/original/file-20200114-151887-y4iwpm.png?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/310090/original/file-20200114-151887-y4iwpm.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=350&fit=crop&dpr=1 600w, https://images.theconversation.com/files/310090/original/file-20200114-151887-y4iwpm.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=350&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/310090/original/file-20200114-151887-y4iwpm.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=350&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/310090/original/file-20200114-151887-y4iwpm.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=440&fit=crop&dpr=1 754w, https://images.theconversation.com/files/310090/original/file-20200114-151887-y4iwpm.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=440&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/310090/original/file-20200114-151887-y4iwpm.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=440&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">An excerpt of the document sent from Iran, via the Swiss government, to the U.S. State Department in 2003, appears to seek talks between the U.S. and Iran.</span>
<span class="attribution"><a class="source" href="https://www.scribd.com/document/170613340/2003-US-Iran-Roadmap-proposal">Washington Post via Scribd</a></span>
</figcaption>
</figure>
<p>In May 2003, senior Iranian officials <a href="http://www.mideastweb.org/log/archives/00000467.htm">quietly contacted the State Department</a> through the Swiss embassy in Iran, seeking “a dialogue ‘in mutual respect,’” addressing four big issues: nuclear weapons, terrorism, Palestinian resistance and stability in Iraq.</p>
<p>Hardliners in the Bush administration <a href="https://archive.org/stream/ABCNews19781979/Libya-FT-1990-to-2007-c.txt">weren’t interested in any major reconciliation</a>, though Secretary of State Colin Powell favored dialogue and other officials had met with Iran about al-Qaida.</p>
<p>When Iranian hardliner Mahmoud Ahmadinejad was elected president of Iran in 2005, the opportunity died. The following year, <a href="http://mideastweb.org/ahmadinejad_letter_to_bush.htm">Ahmadinejad made his own overture to Washington</a> in an 18-page letter to President Bush. The letter was widely dismissed; a senior State Department official told <a href="https://dornsife.usc.edu/cf/faculty-and-staff/faculty.cfm?pid=1006509">me</a> in profane terms that it amounted to nothing.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/310091/original/file-20200114-151829-5e9mj8.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/310091/original/file-20200114-151829-5e9mj8.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/310091/original/file-20200114-151829-5e9mj8.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=325&fit=crop&dpr=1 600w, https://images.theconversation.com/files/310091/original/file-20200114-151829-5e9mj8.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=325&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/310091/original/file-20200114-151829-5e9mj8.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=325&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/310091/original/file-20200114-151829-5e9mj8.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=409&fit=crop&dpr=1 754w, https://images.theconversation.com/files/310091/original/file-20200114-151829-5e9mj8.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=409&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/310091/original/file-20200114-151829-5e9mj8.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=409&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Representatives of several nations met in Vienna in July 2015 to finalize the Iran nuclear deal.</span>
<span class="attribution"><a class="source" href="https://www.flickr.com/photos/minoritenplatz8/19067069963/">Austrian Federal Ministry for Europe, Integration and Foreign Affairs/Flickr</a></span>
</figcaption>
</figure>
<h2>2015: Iran nuclear deal signed</h2>
<p>After a decade of unsuccessful attempts to rein in Iran’s nuclear ambitions, the Obama administration undertook a direct diplomatic approach beginning in 2013.</p>
<p><a href="https://www.nytimes.com/2015/04/04/world/middleeast/an-iran-nuclear-deal-built-on-coffee-all-nighters-and-compromise.html">Two years of secret, direct negotiations</a>, initially bilateral between the U.S. and Iran and later with other nuclear powers, culminated in the <a href="https://www.armscontrol.org/factsheets/JCPOA-at-a-glance">Joint Comprehensive Plan of Action</a>, commonly referred to as the Iran nuclear deal. </p>
<p>The deal was signed by Iran, the U.S., China, France, Germany, Russia and the United Kingdom in 2015. It severely limited Iran’s capacity to enrich uranium and mandated that <a href="https://www.armscontrol.org/factsheets/JCPOA-at-a-glance">international inspectors monitor and enforce Iran’s compliance</a> with the agreement. </p>
<p>In return, Iran was granted relief from international and U.S. economic sanctions. Though the inspectors regularly certified that Iran was abiding by the agreement’s terms, in May 2018 President Donald Trump withdrew the U.S. from the agreement.</p>
<h2>2020: US drones kill Iranian Maj. Gen. Qassem Soleimani</h2>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/309158/original/file-20200108-107249-1x27m50.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/309158/original/file-20200108-107249-1x27m50.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/309158/original/file-20200108-107249-1x27m50.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=382&fit=crop&dpr=1 600w, https://images.theconversation.com/files/309158/original/file-20200108-107249-1x27m50.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=382&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/309158/original/file-20200108-107249-1x27m50.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=382&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/309158/original/file-20200108-107249-1x27m50.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=480&fit=crop&dpr=1 754w, https://images.theconversation.com/files/309158/original/file-20200108-107249-1x27m50.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=480&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/309158/original/file-20200108-107249-1x27m50.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=480&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">An official photo from the Iranian government shows Maj. Gen. Qassem Soleimani, who was killed in a Jan. 3 drone strike ordered by President Trump.</span>
<span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/file-photo-dated-september-18-2016-shows-iranian-news-photo/1191356889">Iranian Supreme Leader Press Office/Anadolu Agency via Getty Images</a></span>
</figcaption>
</figure>
<p>On Jan. 3, 2020, on the orders of President Trump, an American drone fired a missile that killed Maj. Gen. Qassem Soleimani, leader of <a href="https://www.nbcnews.com/news/world/who-are-iran-s-secretive-quds-forces-n1110156">Iran’s elite Quds Force</a>, as he prepared to leave the Baghdad airport. <a href="https://www.aljazeera.com/news/2020/01/qassem-soleimani-iran-elite-quds-force-leader-200103033905377.html">Soleimani is described</a> by analysts as the second most powerful man in Iran after Supreme Leader Ayatollah Khamenei.</p>
<p>At the time, the Trump administration asserted that he was directing an imminent attack against U.S. assets in the region, but <a href="https://www.nytimes.com/2020/01/12/us/politics/trump-suleimani-explanations.html">officials have not provided clear evidence</a> to support that claim.</p>
<p>Iran <a href="https://www.nytimes.com/2020/01/07/world/middleeast/iran-fires-missiles-us.html">responded by launching ballistic missiles</a> that hit two American bases in Iraq. As Iran entered a heightened state of alert, preparing for a possible U.S. retaliation, <a href="https://www.nytimes.com/2020/01/10/world/middleeast/missile-iran-plane-crash.html">it accidentally shot down</a> a commercial Ukrainian airliner departing Tehran for Kyiv, killing all 176 people aboard.</p>
<p class="fine-print"><em><span>Jeffrey Fields receives funding from the MacArthur Foundation and the Carnegie Corporation of New York.</span></em></p>
<p>Some of the major events in US-Iran relations highlight the differences between the nations’ views, but others presented real opportunities for reconciliation.</p>
<p>Jeffrey Fields, Associate Professor of the Practice of International Relations, USC Dornsife College of Letters, Arts and Sciences</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<p><strong>The Cold War 2.0 between China and the US is already a virtual reality</strong> (2019-10-16T17:02:56Z)</p>
<p>As President Xi Jinping celebrated the 70th anniversary of the People’s Republic of China with a <a href="https://www.theguardian.com/world/2019/oct/01/china-celebrates-70-years-military-parade-xi-jinping-hong-kong">massive military parade</a>, the United States president threatened to raise <a href="https://www.reuters.com/article/us-usa-trade-china/china-us-kick-off-new-round-of-tariffs-in-trade-war-idUSKCN1VM0V9">taxes on Chinese products</a>. </p>
<p>In the meantime, belligerent cyber activity is ramping up, mirroring the trade war between China and the United States. Could this multiply and bring about our worst fear – a conventional war? Every day, statements from US and Chinese leaders highlight just how far apart these two countries are ideologically and politically, and the extent of their economic and military rivalry.</p>
<p>History has taught us how this type of confrontation often ends. Speaking of the rivalry between Sparta and Athens, the <a href="https://daily.jstor.org/can-the-u-s-and-china-avoid-the-thucydides-trap/">Athenian historian Thucydides</a> predicted that a dominant nation, seeing its supremacy seemingly threatened by a rising power, would settle the question by war. Thucydides’ escalation theory makes us fear the worst for the US-China cold war, a war currently being fought in cyberspace.</p>
<h2>From Estonia to Stuxnet</h2>
<p>The <a href="https://www.bbc.com/news/39655415">Russian cyberspace attack on Estonia in 2007</a> was a wake-up call to all developed states. Russian hackers, using a simple <a href="https://en.wikipedia.org/wiki/Denial-of-service_attack">denial-of-service attack</a>, were able to cripple the Baltic state for several days. The functioning of its government, ministries, banks, hospitals, telecommunications companies and media was effectively paralysed.</p>
<p>Before and after, techniques such as unit attacks (to extract information) or the use of vulnerabilities (to penetrate networks and computers) have been used on a smaller scale, but in highly effective ways. For instance, the United States and Israel developed <a href="https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/">Operation Stuxnet</a> to slow down the Iranian nuclear programme by remotely damaging uranium-enrichment centrifuges through a complex attack involving, inter alia, a computer virus.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/LqDqD1tpl_E?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">‘The secret history of the Stuxnet’ (Recode Media, Alex Gibney).</span></figcaption>
</figure>
<h2>New cyberwar doctrines</h2>
<p>Aware of the growing potential of cyberattacks, as witnessed by the Estonian incident, the United States and China have been steadily formulating their <a href="https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf/">cyberwar strategies</a>, and developing the organisations, procedures and weapons to deliver them.</p>
<p>The Obama administration’s cyber strategy was primarily defensive. Under Donald Trump, the strategy has become <a href="https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf">more pro-active</a>, in line with his supremacist vision. The shift in tone between the military and cyber strategies under the Obama and Trump administrations mirrors the rise in tensions between the US and China. This cyberwarfare, or Cold War 2.0, is based on the development of technical and human resources, intelligence gathering, sabotage and influence operations.</p>
<p>The resources deployed for cyber warfare have been increasing on both sides. Home to giant digital companies and with the <a href="https://www.sipri.org/databases/milex">world’s biggest military budget</a>, the US undeniably has great cyber firepower. In 2009, the federal government created a new military command centre, the <a href="https://www.cybercom.mil/">US Cyber Command</a> (operational since 2010), which now employs more than <a href="https://www.fifthdomain.com/dod/cybercom/2018/05/17/cyber-commands-cyber-warriors-hit-key-milestone/">6,000 experts</a>.</p>
<h2>China’s “Strategic Support Force”</h2>
<p>On its side, China can count on the <a href="https://media.defense.gov/2019/May/02/2002127082/-1/-1/1/2019_CHINA_MILITARY_POWER_REPORT.pdf">Third Department of the People’s Army</a>, the specialised internal cyber-security forces, and several technology companies. In 2015, Beijing created a counterpart to the US Cyber Command Centre, <a href="https://www.dia.mil/Portals/27/Documents/News/Military%20Power%20Publications/China_Military_Power_FINAL_5MB_20190103.pdf">the Strategic Support Force</a>, which brings together the resources of the People’s Army in the field of cyber, space and electronic warfare.</p>
<p>Cases of espionage between the two countries have multiplied. One example is the <a href="https://thediplomat.com/2015/01/new-snowden-documents-reveal-chinese-behind-f-35-hack/">theft of the plans of the US F-35 military aircraft</a>, which miraculously turned into the Shenyang FC-31, after <a href="https://economictimes.indiatimes.com/news/defence/america-says-chinas-fifth-generation-jet-fighter-j-31-stolen-from-its-f-35/articleshow/49762382.cms">Chinese spies allegedly stole the US plans</a>. The Cold War 2.0 also targets economic interests. In 2012, former FBI director Robert Mueller commented that there are only two types of companies: <a href="https://archives.fbi.gov/archives/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies">those that have been hacked and those that will be</a>.</p>
<p>Since then, <a href="https://www.cnbc.com/2019/09/23/chinese-theft-of-trade-secrets-is-on-the-rise-us-doj-warns.html">more than 80% of economic espionage cases</a> against the United States have been linked to China. For example, hackers linked to the Chinese Ministry of State Security hacked the Marriott Group over a period of four years, in the process stealing the personal data of some <a href="https://theconversation.com/marriott-data-breach-500-million-times-concerned-109063">500 million of their customers</a>.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/8Y5Vbp6qQRI?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Operation “Aurora” decrypted on CNNet.</span></figcaption>
</figure>
<h2>Sabotage and influence</h2>
<p>Physical sabotage is also part of the cyberwar. In 2017, using their digital arsenal, the US managed <a href="https://www.businessinsider.com/us-hack-north-korea-missile-system-2017-4">to defeat the attempted firing of missiles by North Korea, a loyal ally of China</a>.</p>
<p>According to the Cartwright doctrine (after US General James Cartwright), to be effective, a cyber-strategy must have an operational component backed up, in some instances, by messages to <a href="https://www.wsj.com/articles/cyberespionage-experts-want-to-know-whos-exposing-chinas-hacking-army-1538478001">warn adversaries of incurred risks and reveal enemy threats</a>.</p>
<p>Influence and destabilisation are important objectives of the Cold War 2.0. During the 2009-2010 <a href="https://www.wired.com/2010/01/operation-aurora/">“Aurora” cyberattack</a>, China allegedly targeted 34 American companies, undermining flagship US companies such as Northrop Grumman, Dow Chemical and Google. Will the next step be a <a href="https://comprop.oii.ox.ac.uk/wp-content/uploads/sites/93/2019/09/CyberTroop-Report19.pdf">Chinese digital propaganda action</a> in the US presidential election or other allied democracies? China has already shown its capacity for hacking accounts or spreading misinformation in the media during <a href="https://www.independent.co.uk/life-style/gadgets-and-tech/news/telegram-down-hack-china-hong-kong-protests-messaging-app-a8956691.html">recent unrest in Hong Kong</a>.</p>
<p>The Cold War 2.0 is a kind of guerrilla warfare characterized by continued digital skirmishing between the United States and China, together with a threatening proliferation of intelligence-gathering activities, sabotage and influence. Given that both have nuclear weapons, it is now paramount that these two countries avoid Thucydides’ escalation trap.</p>
<p class="fine-print"><em><span>Bertrand Venard is Professor at Audencia (France) and at the University of Oxford (UK). He is supervising a major research project about cybersecurity behaviour, funded by the European Union (Project Number: 792137).</span></em></p>
<p>China and the United States are not at war, but cyberspace has created opportunities for intelligence gathering, influence and sabotage that are already taking place.</p>
<p>Bertrand Venard, Professor, Audencia</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<p><strong>DNA has gone digital – what could possibly go wrong?</strong> (2017-12-07T17:00:25Z)</p>
<figure><img src="https://images.theconversation.com/files/198162/original/file-20171207-25358-14upyz5.jpg?ixlib=rb-1.1.0&rect=514%2C0%2C3225%2C2355&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Modern advances come with new liabilities.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/innovative-technologies-science-medicine-mixed-media-530127004">Sergey Nivens/Shutterstock.com</a></span></figcaption></figure>
<p>Biology is becoming increasingly digitized. Researchers like us use computers to analyze DNA, operate lab equipment and store genetic information. But new capabilities also mean new risks – and biologists remain largely unaware of the potential vulnerabilities that come with digitizing biotechnology.</p>
<p>The emerging field of cyberbiosecurity explores the whole new category of risks that come with the increased use of computers in the life sciences.</p>
<p>University scientists, industry stakeholders and government agents have begun gathering to discuss these threats. We’ve even hosted FBI agents from the Weapons of Mass Destruction Directorate here at Colorado State University and previously at Virginia Tech for <a href="https://source.colostate.edu/fbi-gets-synthetic-biology-crash-course-csu/">crash courses</a> on synthetic biology and the associated cyberbiosecurity risks. A year ago, we participated in a U.S. Department of Defense-funded <a href="https://globalbiodefense.com/2017/01/05/cyberbiosecurity/">project to assess</a> the security of <a href="https://www.peccoud.org/security-of-biomanufacturing/">biotechnology infrastructures</a>. The results are classified, but we disclose some of the lessons learned in <a href="http://www.cell.com/trends/biotechnology/fulltext/S0167-7799(17)30276-7">our new Trends in Biotechnology paper</a>.</p>
<p>Along with co-authors from <a href="https://ncr.vt.edu/discovery/research_development_team.html">Virginia Tech</a> and the <a href="https://engineering.unl.edu/bpdf/bpdf-management/">University of Nebraska-Lincoln</a>, we discuss two major kinds of threats: sabotaging the machines biologists rely on and creating dangerous biological materials.</p>
<h2>Computer viruses affecting the physical world</h2>
<p>In 2010, a nuclear plant in Iran experienced mysterious equipment failures. Months later, a security firm was called in to troubleshoot an apparently unrelated problem. They found a malicious computer virus. The virus, called <a href="https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/">Stuxnet</a>, was telling the equipment to vibrate. The malfunction shut down a third of the plant’s equipment, stunting development of the Iranian nuclear program. </p>
<p>Unlike most viruses, Stuxnet didn’t target only computers. It attacked equipment controlled by computers. </p>
<p>The marriage of computer science and biology has opened the door for amazing discoveries. With the help of computers, we’re decoding the human genome, creating organisms with new capabilities, automating drug development and revolutionizing <a href="https://www.fda.gov/Food/FoodScienceResearch/WholeGenomeSequencingProgramWGS/">food safety</a>. </p>
<p>Stuxnet demonstrated that cybersecurity breaches can cause physical damages. What if those damages had biological consequences? Could bioterrorists target government laboratories studying infectious diseases? What about pharmaceutical companies producing lifesaving drugs? As life scientists become more reliant on digital workflows, the chances are likely rising.</p>
<h2>Messing with DNA</h2>
<p>The ease of accessing genetic information online has democratized science, enabling amateur scientists in community laboratories to tackle challenges <a href="https://www.npr.org/sections/health-shots/2015/07/15/422935288/biohackers-aim-to-make-homebrew-insulin-but-dont-try-it-yet">like developing affordable insulin</a>. </p>
<p>But the line between physical DNA sequences and their digital representation is becoming increasingly blurry. Digital information, including <a href="http://dnasec.cs.washington.edu/dnasec.pdf">malware</a>, can now be <a href="https://theconversation.com/storing-data-in-dna-brings-nature-into-the-digital-universe-78226">stored and transmitted via DNA</a>. The J. Craig Venter Institute even created an entire <a href="https://doi.org/10.1126/science.aad6253">synthetic genome</a> watermarked with encoded links and hidden messages. </p>
<p>Twenty years ago, genetic engineers could only create new DNA molecules by stitching together natural DNA molecules. Today scientists can use chemical processes to produce synthetic DNA. </p>
<p>The sequence of these molecules is often generated using software. In the same way that electrical engineers use <a href="http://science.sciencemag.org/content/352/6281/aac7341">software to design computer chips</a> and computer engineers use <a href="https://doi.org/10.1093/nar/gkp361">software to write computer programs</a>, genetic engineers use software to design genes. </p>
<p>That means that access to specific physical samples is no longer necessary to create new biological samples. To say that all you need to create a dangerous human pathogen is internet access would be an overstatement – but only a slight one. For instance, in 2006, a journalist used publicly available data to order a fragment of <a href="https://www.theguardian.com/world/2006/jun/14/terrorism.topstories3">smallpox DNA</a> in the mail. The year before, the Centers for Disease Control used published DNA sequences as a blueprint to <a href="https://doi.org/10.1126/science.1119392">reconstruct the virus responsible for the Spanish flu</a>, one of the deadliest pandemics of all time.</p>
<p>With the help of computers, editing and writing DNA sequences is almost as easy as manipulating text documents. And it can be done with malicious intent.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/198006/original/file-20171206-894-1kkw80o.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/198006/original/file-20171206-894-1kkw80o.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/198006/original/file-20171206-894-1kkw80o.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=450&fit=crop&dpr=1 600w, https://images.theconversation.com/files/198006/original/file-20171206-894-1kkw80o.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=450&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/198006/original/file-20171206-894-1kkw80o.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=450&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/198006/original/file-20171206-894-1kkw80o.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=566&fit=crop&dpr=1 754w, https://images.theconversation.com/files/198006/original/file-20171206-894-1kkw80o.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=566&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/198006/original/file-20171206-894-1kkw80o.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=566&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Participants in CSU’s workshop for the FBI got hands-on training in the techniques of biotechnology.</span>
<span class="attribution"><a class="source" href="https://source.colostate.edu/fbi-gets-synthetic-biology-crash-course-csu/">Anne Manning</a>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<h2>First: Recognize the threat</h2>
<p>The conversations around cyberbiosecurity so far have largely focused on doomsday scenarios. The threats are bidirectional.</p>
<p>On the one hand, computer viruses like Stuxnet could be used to hack into digitally controlled machinery in biology labs. DNA could even be used to deliver the attack by encoding <a href="http://dnasec.cs.washington.edu/dnasec.pdf">malware</a> that is unlocked when the DNA sequences are translated into digital files by a sequencing computer.</p>
<p>On the other hand, bad actors could use software and digital databases to design or reconstruct pathogens. If nefarious agents <a href="https://theconversation.com/researchers-carefully-protect-dangerous-pathogens-but-how-secure-are-all-their-data-44391">hacked into sequence databases</a> or digitally designed novel DNA molecules with the intent to cause harm, the results could be catastrophic.</p>
<p>And not all cyberbiosecurity threats are premeditated or criminal. Unintentional errors that occur while translating between a physical DNA molecule and its digital reference are common. These errors might not compromise national security, but they could cause costly delays or product recalls. </p>
<p>Despite these risks, it is not unusual for researchers to order samples from a collaborator or a company and never bother to confirm that the physical sample they receive matches the digital sequence they were expecting. </p>
<p>Infrastructure changes and new technologies could help increase the security of life science workflows. For instance, voluntary <a href="https://doi.org/10.1038/nbt.1802">screening guidelines</a> are already in place to help DNA synthesis companies screen orders for known pathogens. Universities could institute similar mandatory guidelines for any outgoing DNA synthesis orders. </p>
<p>There is also currently no simple, affordable way to confirm DNA samples by whole genome sequencing. Simplified protocols and user-friendly software could be developed, so that screening by sequencing becomes routine. </p>
<p>The ability to manipulate DNA was once the privilege of the select few and very limited in scope and application. Today, life scientists rely on a global supply chain and a network of computers that manipulate DNA in unprecedented ways. The <a href="https://engr.source.colostate.edu/cyberbiosecurity-protecting-life-sciences/">time to start thinking</a> about the security of the digital/DNA interface is now, not after a new Stuxnet-like cyberbiosecurity breach.</p>
<p class="fine-print"><em><span>Jean Peccoud holds shares in GenoFAB, LLC, a company that could be perceived to benefit from this publication. He has received funding from the Department of Defense, the Department of Justice, and the National Science Foundation to support security research. </span></em></p>
<p class="fine-print"><em><span>Jenna E. Gallegos does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Biologists’ growing reliance on computers advances the field – but comes with new risks. The first step toward improved cyberbiosecurity is increasing awareness of possible threats.
Jenna E. Gallegos, Postdoctoral Researcher in Chemical and Biological Engineering, Colorado State University
Jean Peccoud, Professor, Abell Chair in Synthetic Biology, Colorado State University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/58476
2016-05-11T10:10:44Z
2016-05-11T10:10:44Z
America is ‘dropping cyberbombs’ – but how do they work?
<figure><img src="https://images.theconversation.com/files/121418/original/image-20160505-19844-aoq5sp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Inside the U.S. Army's Cyber Operations Center at Fort Gordon, Georgia.</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/army-cyber/17871494565">Army-Cyber/flickr</a></span></figcaption></figure>
<p>Recently, United States Deputy Defense Secretary Robert Work publicly confirmed that the Pentagon’s Cyber Command was “<a href="http://www.nytimes.com/2016/04/25/us/politics/us-directs-cyberweapons-at-isis-for-first-time.html">dropping cyberbombs</a>,” taking its ongoing battle against the Islamic State group into the online world. 
Other American officials, <a href="https://www.whitehouse.gov/the-press-office/2016/04/13/statement-president-progress-fight-against-isil">including President Barack Obama</a>, have discussed offensive cyber activities, too.</p>
<p>The American public has only glimpsed the country’s alleged cyberattack abilities. In 2012 The New York Times revealed the first digital weapon, <a href="http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html">the Stuxnet attack</a> against Iran’s nuclear program. In 2013, former NSA contractor Edward Snowden released a <a href="http://www.theguardian.com/world/2013/jun/07/obama-china-targets-cyber-overseas">classified presidential directive</a> outlining America’s approach to conducting Internet-based warfare. </p>
<p>The terms “cyberbomb” and “cyberweapon” create a simplistic, if not also sensational, frame of reference for the public. Real military or intelligence cyber activities are less exaggerated but much more complex. The most basic types are off-the-shelf commercial products used by companies and security consultants to test system and network security. The most advanced are specialized proprietary systems made for exclusive – and often classified – use by the defense, intelligence and law enforcement communities.</p>
<p>So what exactly are these “cyberbombs” America is “dropping” in the Middle East? The country’s actual cyber capabilities are classified; we, as researchers, are limited by what has been made public. Monitoring books, reports, news events and congressional testimony is not enough to separate fact from fiction. However, we can analyze the underlying technologies and look at the global strategic considerations of those seeking to wage cyber warfare. That work allows us to offer ideas about cyber weapons and how they might be used.</p>
<h2>A collection of capabilities</h2>
<p>A “cyberbomb” is not a single weapon. Rather, cyberweapons are collections of computer hardware and software, with the knowledge of their potential uses against online threats. Although frequently used against Internet targets such as websites and forums, these tools can have real-world effects, too. Cyberattacks have <a href="https://foreignpolicy.com/2014/03/03/hack-attack/">disrupted cellphone networks</a> and <a href="https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/">tricked computers controlling nuclear centrifuges</a> into functioning differently from how they report their status to human operators. A simulated attack has shown how an enemy can remotely <a href="https://www.schneier.com/blog/archives/2007/10/staged_attack_c.html">disrupt electric power generators</a>.</p>
<figure class="align-right ">
<img alt="" src="https://images.theconversation.com/files/121420/original/image-20160505-13461-2vbxlg.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/121420/original/image-20160505-13461-2vbxlg.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=429&fit=crop&dpr=1 600w, https://images.theconversation.com/files/121420/original/image-20160505-13461-2vbxlg.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=429&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/121420/original/image-20160505-13461-2vbxlg.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=429&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/121420/original/image-20160505-13461-2vbxlg.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=539&fit=crop&dpr=1 754w, https://images.theconversation.com/files/121420/original/image-20160505-13461-2vbxlg.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=539&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/121420/original/image-20160505-13461-2vbxlg.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=539&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Training military personnel on cyberwarfare tactics.</span>
<span class="attribution"><a class="source" href="https://commons.wikimedia.org/wiki/File:US_Navy_070712-N-9758L-058_Matt_Inaki,_computer_network_defender_coach-trainer_of_SPAWAR_Systems_Center_San_Diego,_shows_how_to_monitor_the_activity_of_a_network_to_Air_Force_Staff_Sgt._Daryl_Graham_and_Information_Systems_Tech.jpg">MC3 Michael A. Lantron/U.S. Navy</a></span>
</figcaption>
</figure>
<p>The process of identifying potential targets, selecting them and planning “cyberbomb” attacks includes not only technological experts but military strategists, researchers, policy analysts, lawyers and others across the <a href="http://watson.brown.edu/costsofwar/files/cow/imce/papers/2011/The%20Military-Industrial%20Complex%20Revisited.pdf">military-industrial complex</a>. These groups constantly analyze technology to develop the latest cyber weapons and tactics. They also must ensure the use of a given “cyberbomb” aligns with national interests, and follows national and international laws and treaties.</p>
<p>For example, as part of their counterterrorism efforts, electronic intelligence services (such as the <a href="https://www.nsa.gov/">American NSA</a> and <a href="https://www.gchq.gov.uk/">British GCHQ</a>) routinely collect items like real names, user IDs, network addresses, Internet server names, online discussion histories and text messages from across the Internet. Gathering and analyzing these data could use both classified and unclassified methods. The agencies could also conduct <a href="http://www.hackersforcharity.org/ghdb/">advanced Google searches</a> or mine The Internet Archive’s <a href="https://archive.org/web/">Wayback Machine</a>. This information can be linked with other data to help identify physical locations of <a href="http://www.zeit.de/digital/datenschutz/2011-03/data-protection-malte-spitz">target computers or people</a>. Analysts can also observe interconnections between people and infer the types and strengths of those relationships. </p>
<p>This information can clue intelligence analysts in to the existence of previously undiscovered potential Internet targets. These can include virtual meeting places, methods of secure communications, types of phones or computers favored by the enemy, preferred network providers or vulnerabilities in their IT infrastructures. In some cases, cyberattacks need to be coordinated with spies or covert agents who must carry out physical aspects of the plan, especially when the electronic target of a “cyberbomb” is hard to reach – such as the computers inside the Iranian nuclear facility targeted by the Stuxnet worm.</p>
<p>Cyberattack purposes can vary widely. Sometimes, a government entity wants to simply monitor activity on a specific computer system in hopes of gaining additional intelligence. Other times, the goal is to place a hidden “backdoor” allowing the agency to secretly take control of a system. In some cases, a target computer will be attacked with the intent of disabling it or preventing future use by adversaries. When considering that kind of activity, planners must decide whether it’s better to leave a site functional so future intelligence can be collected over the long term, or to shut it down and prevent an adversary from using it in the near term.</p>
<figure class="align-left zoomable">
<a href="https://images.theconversation.com/files/121421/original/image-20160505-25085-1m2yqk7.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/121421/original/image-20160505-25085-1m2yqk7.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/121421/original/image-20160505-25085-1m2yqk7.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=399&fit=crop&dpr=1 600w, https://images.theconversation.com/files/121421/original/image-20160505-25085-1m2yqk7.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=399&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/121421/original/image-20160505-25085-1m2yqk7.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=399&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/121421/original/image-20160505-25085-1m2yqk7.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=501&fit=crop&dpr=1 754w, https://images.theconversation.com/files/121421/original/image-20160505-25085-1m2yqk7.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=501&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/121421/original/image-20160505-25085-1m2yqk7.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=501&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Integrating cyber warfare with boots on the ground.</span>
<span class="attribution"><a class="source" href="https://www.flickr.com/photos/army-cyber/22224758158/in/photostream/">Army-Cyber/flickr</a></span>
</figcaption>
</figure>
<p>Although not strictly a “cyber” attack, “cyberbombing” also might entail the use of decades-old electronic warfare techniques that <a href="http://spectrum.ieee.org/aerospace/military/electromagnetic-warfare-is-here">broadcast</a> electromagnetic energy to (among other things) disrupt an adversary’s wireless communications capabilities or computer controls. Other “cyberbombing” techniques include modifying or creating false images on an enemy’s radar screens ahead of an air attack, such as <a href="https://www.wired.com/2007/10/how-israel-spoo/">how Israel compromised</a> Syria’s air defense systems in 2007. These may be done on their own or to support more traditional military operations.</p>
<p>Finally, using an electromagnetic pulse (EMP) weapon to disrupt and/or disable all electronic circuits over a wide area – such as a city – could be considered the “Mother of All Cyber Bombs.” As such, its effect would be felt both by enemy forces and local (likely) noncombatant citizens, all of whom suddenly would be unable to obtain fresh water and electricity, and find their local hospitals, banks and electronic items ranging from cars to coffee pots unable to function. Depending on the heat and blast from the bomb’s detonation, some people might not notice – though those dependent on electronic medical devices like pacemakers probably would feel effects immediately. EMP is commonly associated with nuclear weapons, but even using nonnuclear EMP devices in a populated area would presumably cause enough “collateral damage” that it would violate international laws.</p>
<h2>Fighting against nongovernment groups</h2>
<p>In addition to the above techniques, and particularly when fighting opponents that are not foreign governments – such as ISIS – a unique type of “cyberbombing” seeks to target the online personas of terror group leaders. In this type of attack, one goal may be to tarnish their online reputations, such as publishing <a href="http://www.nbcnews.com/feature/edward-snowden-interview/exclusive-snowden-docs-show-british-spies-used-sex-dirty-tricks-n23091">manipulated images</a> that would embarrass them. Or, cyber weaponry may be used to gain access to systems that could be used to <a href="http://www.slate.com/articles/news_and_politics/war_stories/2016/04/we_re_dropping_cyberbombs_on_isis_what_that_means.html">issue conflicting statements or incorrect orders to the enemy</a>.</p>
<p>These types of “cyberbombs” can create psychological damage and distress in terrorist networks and help disrupt them over time. The United Kingdom’s JTRIG (Joint Threat Research Intelligence Group) within GCHQ <a href="https://theintercept.com/2014/02/24/jtrig-manipulation/">specializes in these tactics</a>. Presumably similar capabilities exist in other countries.</p>
<h2>Making cyberwar public</h2>
<figure class="align-left ">
<img alt="" src="https://images.theconversation.com/files/121419/original/image-20160505-8704-p4kjv1.JPG?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/121419/original/image-20160505-8704-p4kjv1.JPG?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=750&fit=crop&dpr=1 600w, https://images.theconversation.com/files/121419/original/image-20160505-8704-p4kjv1.JPG?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=750&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/121419/original/image-20160505-8704-p4kjv1.JPG?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=750&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/121419/original/image-20160505-8704-p4kjv1.JPG?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=943&fit=crop&dpr=1 754w, https://images.theconversation.com/files/121419/original/image-20160505-8704-p4kjv1.JPG?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=943&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/121419/original/image-20160505-8704-p4kjv1.JPG?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=943&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Deputy Secretary of Defense Robert Work.</span>
<span class="attribution"><a class="source" href="http://www.defense.gov/About-DoD/Biographies/Biography-View/Article/602787/robert-o-work">U.S. Department of Defense</a></span>
</figcaption>
</figure>
<p>Until recently, few nations publicly admitted planning or even thinking about waging offensive warfare on the Internet. For those that do, the exact process of planning a digital warfare campaign remains a highly guarded military and diplomatic secret. </p>
<p>The only people announcing their cyberattacks were assorted <a href="https://theconversation.com/how-anonymous-hacked-donald-trump-56794">hacktivist groups such as Anonymous</a> and the self-proclaimed “<a href="http://arstechnica.com/information-technology/2016/04/as-us-drops-cyber-bombs-isis-retools-its-own-cyber-army/">Cyber-Caliphate</a>” supporting ISIS. By contrast, the most prominent cyber-attack waged by a nation-state (<a href="https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/">2011’s Stuxnet</a>) – allegedly attributed to the United States and Israel – was never officially acknowledged by those governments. </p>
<p>Cyber weapons and the policies governing their use likely will remain shrouded in secrecy. However, the recent public mentions of cyber warfare by national leaders suggest that these capabilities are, and will remain, prominent and evolving ways to support intelligence and military operations when needed.</p>
<p class="fine-print"><em><span>Richard Forno has received research funding related to cybersecurity from the National Science Foundation (NSF) and the Department of Defense (DOD) during his academic career.</span></em></p><p class="fine-print"><em><span>Anupam Joshi receives or has received funding from a variety of federal and industrial sources for his research in cybersecurity such as NSF, DoD, NSA, NIST, MITRE, IBM, Northrop Grumman, Microsoft etc.
He is a member of the Maryland Cybersecurity Council.</span></em></p>
The country’s actual offensive cyber capabilities remain shrouded in the classified world. But what is public is enough to discuss potential cyber weapons and how they might be used.
Richard Forno, Cybersecurity lecturer & internet researcher, University of Maryland, Baltimore County
Anupam Joshi, Professor, Department of Computer Science & Electrical Engineering, University of Maryland, Baltimore County
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/43716
2015-07-10T03:34:13Z
2015-07-10T03:34:13Z
Australia could become a leader in cybersecurity research
<figure><img src="https://images.theconversation.com/files/87885/original/image-20150709-10879-11msbt8.jpg?ixlib=rb-1.1.0&rect=354%2C75%2C2067%2C1774&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Cybersecurity is becoming increasingly important.</span> <span class="attribution"><span class="source">nikcname/Flickr</span>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span></figcaption></figure>
<p><em>This article is part of our series on the <a href="http://www.science.gov.au/scienceGov/news/Pages/PrioritisingAustraliasFuture.aspx">Science and Research Priorities</a> recently announced by the Federal Government. You can read the introduction to the series by Australia’s Chief Scientist, Ian Chubb, <a href="http://theconversation.com/australias-chief-scientist-on-getting-our-research-priorities-right-43833">here</a>.</em></p>
<hr>
<p><strong>Alex Zelinsky</strong><br>
<em>Chief Defence Scientist, Defence Science and Technology</em></p>
<p>The national science and research priorities have been developed with the goal of maximising the national benefit from research expenditure, while strengthening our capacity to excel in science and technology. </p>
<p><a href="https://theconversation.com/au/topics/cybersecurity">Cybersecurity</a> has been identified as a research priority due to Australia’s increasing dependence on cyberspace for national well-being and security. Cyberspace underpins both commercial and government business; it is globally accessible, has no national boundaries and is vulnerable to malicious exploitation by individuals, organised groups and state actors. </p>
<p>Cybersecurity requires application of research to anticipate vulnerabilities, strengthen cyber systems to ward off attacks, and enhance national capability to respond to, recover from, and continue to operate in the face of a cyber-attack.</p>
<p>Cyberspace is a complex, rapidly changing environment that is progressed and shaped by technology and by how the global community adopts, adapts and uses this technology. Success in cyberspace will depend upon our ability to “stay ahead of the curve”. </p>
<p>Research will support the development of new capability to strengthen the information and communications systems in our utilities, business and government agencies against attack or damage. Investment will deliver cybersecurity enhancements, infrastructure for prototype assessment and a technologically skilled workforce.</p>
<p>Accordingly, priority should be given to research that will lead to: </p>
<ol>
<li><p>Highly secure and resilient communications and data acquisition, storage, retention and analysis for government, defence, business, transport systems, emergency and health services </p></li>
<li><p>Secure, trustworthy and fault-tolerant technologies for software applications, mobile devices, cloud computing and critical infrastructure</p></li>
<li><p>New technologies for detection and monitoring of vulnerabilities and intrusions in cyber infrastructure, and for managing recovery from failure.</p></li>
</ol>
<hr>
<p><strong>Andrew Goldsmith</strong><br>
<em>Director of the Centre for Crime Policy and Research, Flinders University</em></p>
<p>Sensible science and research on cybersecurity must be premised upon informed, rather than speculative, “what if”, analysis. Researchers should not be beholden to institutional self-interest from whichever sector: government; business; universities; or security/defence agencies.</p>
<p>We need to be clear about what the cybersecurity threat landscape looks like. It is a variable terrain. Terms such as “cyber-terrorism” tend to get used loosely and given meanings as diverse as the <a href="https://theconversation.com/au/topics/stuxnet">Stuxnet</a> attack and the use of the internet by disenchanted converts to learn how to build a pipe bomb.</p>
<p>We need to ask and answer the question: who has the <a href="https://ccdcoe.org/publications/2012proceedings/2_6_Dunn%20Cavelty_TheMilitarisationOfCyberspace.pdf">interest and the capability to attack us and why</a>?</p>
<p>References to “warfare” can be misleading. A lot of what we face is not “war” but espionage, crime and political protest. More than two decades into the lifecycle of the internet, we have not yet had an electronic Pearl Harbour event.</p>
<p>Cybersecurity depends upon human and social factors, not just technical defences. We need to know our “enemies” as well as ourselves better, in addition to addressing technical vulnerabilities.</p>
<p>We should be sceptical about magic bullet solutions of any kind. Good defences and secure environments depend upon cooperation across units, a degree of decentralisation, and built-in redundancy. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/87992/original/image-20150710-24068-1aeu5tu.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/87992/original/image-20150710-24068-1aeu5tu.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/87992/original/image-20150710-24068-1aeu5tu.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=450&fit=crop&dpr=1 600w, https://images.theconversation.com/files/87992/original/image-20150710-24068-1aeu5tu.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=450&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/87992/original/image-20150710-24068-1aeu5tu.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=450&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/87992/original/image-20150710-24068-1aeu5tu.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=566&fit=crop&dpr=1 754w, https://images.theconversation.com/files/87992/original/image-20150710-24068-1aeu5tu.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=566&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/87992/original/image-20150710-24068-1aeu5tu.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=566&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Cybercrime is a growing problem, and it’ll take concerted efforts to prevent it escalating further.</span>
<span class="attribution"><span class="source">Brian Klug/Flickr</span>, <a class="license" href="http://creativecommons.org/licenses/by-nc/4.0/">CC BY-NC</a></span>
</figcaption>
</figure>
<hr>
<p><strong>Jodi Steel</strong><br>
<em>Director, Security Business Team at NICTA</em></p>
<p>Cybersecurity is an essential underpinning to success in our modern economies. </p>
<p>It’s a complex area and there are no magic bullet solutions: success requires a range of approaches. The national research priorities for cybersecurity highlight key areas of need and opportunity.</p>
<p>The technologies we depend on in cyberspace are often not worthy of our trust. Securing them appropriately is complex and often creates friction for users and processes. Creation of secure, trustworthy and fault-tolerant technologies – security by design – can remove or reduce security friction, improving overall security posture. </p>
<p>Australia has some key capabilities in this area, including cross-disciplinary efforts. </p>
<p>The ability to detect and monitor vulnerabilities and intrusions and to recover from failure is critical, yet industry reports indicate that the average time to detect malicious or criminal attack is around six months. New approaches are needed, including improved technological approaches as well as collaboration and information sharing. </p>
<p>Success in translating research outcomes to application – for local needs and for export – will be greater if we are also able to create an ecosystem of collaboration and information sharing, especially in the fast-moving cybersecurity landscape. </p>
<hr>
<p><strong>Vijay Varadharajan</strong><br>
<em>Director, Advanced Cyber Security Research Centre at Macquarie University</em></p>
<p>Cyberspace is transforming the way we live and do business. Securing cyberspace from attacks has become a critical need in the 21st century to enable people, enterprises and governments to interact and conduct their business. Cybersecurity is a key enabling technology affecting every part of the information-based society and economy. </p>
<p>The key technological challenges in cybersecurity arise from increased security attacks and threat velocity, securing large scale distributed systems, especially “systems of systems”, large scale secure and trusted data driven decision making, secure ubiquitous computing and pervasive networking and global participation. </p>
<p>In particular, numerous challenges and opportunities exist in the emerging areas of <a href="https://theconversation.com/au/topics/cloud-computing">cloud computing</a>, <a href="https://theconversation.com/au/topics/internet-of-things">Internet of Things</a> and <a href="https://theconversation.com/au/topics/big-data">Big Data</a>. New services and technologies of the future are emerging and likely to emerge in the future in the intersection of these areas. Security, privacy and trust are critical for these new technologies and services. </p>
<p>For Australia to be a leader, it is in these strategic areas of cybersecurity that it needs to invest in research and development leading to new secure, trusted and dependable technologies and services as well as building capacity and skills and thought leadership in cybersecurity of the future. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/87886/original/image-20150709-10889-1oo52e3.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/87886/original/image-20150709-10889-1oo52e3.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/87886/original/image-20150709-10889-1oo52e3.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=338&fit=crop&dpr=1 600w, https://images.theconversation.com/files/87886/original/image-20150709-10889-1oo52e3.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=338&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/87886/original/image-20150709-10889-1oo52e3.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=338&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/87886/original/image-20150709-10889-1oo52e3.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=424&fit=crop&dpr=1 754w, https://images.theconversation.com/files/87886/original/image-20150709-10889-1oo52e3.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=424&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/87886/original/image-20150709-10889-1oo52e3.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=424&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">As more information is stored in the cloud, we need to be mindful of how to protect it from attack.</span>
<span class="attribution"><span class="source">FutUndBeidl/Flickr</span>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span>
</figcaption>
</figure>
<hr>
<p><strong>Craig Valli</strong><br>
<em>Director of Security Research Institute at Edith Cowan University</em></p>
<p>ICT is in every supply chain or critical infrastructure we now run for our existence on the planet. The removal or sustained disruption of ICT as a result of lax cybersecurity is something we can no longer overlook or ignore. </p>
<p>The edge between cyberspace and our physical world is blurring with destructive attacks on physical infrastructure already occurring. The notion of the nation state, and its powers and its abilities to cope with these disruptions, are also significantly being challenged. </p>
<p>The ransacking of countries’ intellectual property by cyber-enabled actors is continuing unabated, robbing us of our collective futures. These are some of the strong indicators that currently we are getting it largely wrong in addressing cybersecurity issues. We cannot persist in developing linear solutions to network/neural security issues presented to us by cyberspace. We need change.</p>
<p>The asymmetry of cyberspace allows a relatively small nation state to have significant advantage in cybersecurity, Israel being one strong example. Australia could be the next nation, but not without significant, serious, long-term, collaborative investments by government, industry, academy and community in growing the necessary human capital. This initiative is hopefully the epoch of that journey. </p>
<hr>
<p><strong>Liz Sonenberg</strong><br>
<em>Professor of Computing and Information Systems, and Pro Vice-Chancellor (Research Collaboration and Infrastructure) at University of Melbourne</em></p>
<p>There are more than two million actively trading businesses in Australia and more than 95% have fewer than 20 employees. Such businesses surely have no need for full-time cybersecurity workers, but all must have someone responsible to make decisions about which IT and security products and services to acquire. </p>
<p>At least historically, new technologies have been developed and deployed without sufficient attention to the security implications. So bad actors have found ways to exploit the resulting vulnerabilities. </p>
<p>More research into software design and development from a security perspective, and research into better tools for security alerts and detection is essential. But such techniques will never be perfect. Research is also needed into ways of better supporting human cyberanalysts – those who work with massive data flows to identify anomalies and intrusions. </p>
<p>New techniques are needed to enable the separation of relevant from irrelevant data about seemingly unconnected events, and to integrate perspectives from multiple experts. Improving technological assistance for humans requires a deep understanding of human cognition in the complex, mutable and ephemeral environment of cyberspace. </p>
<p>The cybersecurity research agenda is thus only partly a technical matter: disciplines such as decision sciences, organisational behaviour and international law all must play a part. </p>
<hr>
<p><strong>Sven Rogge</strong><br>
<em>Professor of Physics and Program Manager at the Centre for Quantum Computation & Communication Technology at UNSW</em></p>
<p>Cybersecurity is essential for our future in a society that needs to safeguard information as much as possible for secure banking, safe transportation, and protected power grids.</p>
<p><a href="https://theconversation.com/au/topics/quantum-computing">Quantum information technology</a> will transform data communication and processing. Here, quantum physics is exploited for new technologies to protect, transmit and process information. Classical cryptography relies on mathematically hard problems such as factoring which are so difficult to solve that classical computers can take decades. Quantum information technology allows for an alternative approach to this problem that will lead to a solution on a meaningful timescale, such as minutes in contrast to years. Quantum information technology allows for secure encoding and decoding governed by fundamental physics which is inherently unbreakable, not just hard to break.</p>
<p>Internationally, quantum information is taking off rapidly underlined by large government initiatives. At the same time there are commercial investments from companies such as Google, IBM, Microsoft and Lockheed Martin.</p>
<p>Due to long term strategic investments in leading academic groups Australia remains at the forefront globally and enjoys a national competitive advantage in quantum computing and cybersecurity. We should utilise the fact that Australia is a world leader and global player in quantum information science to provide many new high technology industries for its future.</p>
<hr>
<p class="fine-print"><em><span>Alex Zelinsky is the Chief Defence Scientist of the Department of Defence; research within Defence Science and Technology is Government funded.</span></em></p>
<p class="fine-print"><em><span>Andrew Goldsmith receives funding from the Australian Research Council.</span></em></p>
<p class="fine-print"><em><span>Craig Valli is Research Director of the Australian Cyber Security Research Institute. He has received funding from NSST/PMC, European Union FP7 Program, NCRIS and various Australian agencies. Craig is a Fellow of the Australian Computer Society.</span></em></p>
<p class="fine-print"><em><span>National ICT Australia is funded by the Australian Government as represented by the Australian Research Council and the Department of Communications through the ICT Centre of Excellence program.</span></em></p>
<p class="fine-print"><em><span>Liz Sonenberg receives funding from the Australian Research Council and has conducted joint projects with DSTO scientists.</span></em></p>
<p class="fine-print"><em><span>Sven Rogge receives funding from the Australian Research Council.</span></em></p>
<p class="fine-print"><em><span>Vijay Varadharajan receives funding from Australian Research Council, NSST/PMC</span></em></p>
<p>Online infrastructure and business are becoming increasingly important, as is our need to focus research efforts on securing them from cyber-attack.</p>
<p>Alex Zelinsky, Chief Defence Scientist, Defence Science and Technology Organisation; Andrew Goldsmith, Strategic Professor of Criminology, Flinders University; Craig Valli, Director of Security Research Institute, Edith Cowan University; Jodi Steel, Director, Security Business Team, Data61; Liz Sonenberg, Professor, Computing and Information Systems, and Pro Vice-Chancellor (Research Collaboration and Infrastructure), The University of Melbourne; Sven Rogge, Professor of Physics, UNSW Sydney; Vijay Varadharajan, Director: Advanced Cyber Security Research Centre, Macquarie University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/43141, 2015-06-15T13:10:45Z</p>
<p><strong>When secret government talks are hacked it shows no one is secure in the connected age</strong></p>
<figure><img src="https://images.theconversation.com/files/84879/original/image-20150612-1475-vned7m.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The end of privacy?</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure>
<p>Hotel rooms aren’t as private as they used to be. <a href="http://www.theguardian.com/technology/2015/jun/11/duqu-20-computer-virus-with-traces-of-israeli-code-was-used-to-hack-iran-talks">Recent reports</a> suggest luxury hotels may have been targeted by national intelligence services trying to spy on negotiations over Iran’s nuclear programme.</p>
<p>The talks weren’t bugged in the traditional way of hiding microphones in the room. Instead, hackers infected hotel computers with a computer virus that its discoverers say may have been used to gather information from the hotels’ security cameras and phones.</p>
<p>The virus was discovered by cyber-security firm Kaspersky Lab when the company itself was infected by a sophisticated worm known as Duqu2. Kaspersky went about investigating which other systems around the world might have been attacked. Among the huge range of systems they checked, thousands of hotel systems were analysed. Most of these had not been subjected to an attack, but three luxury European hotels had also been hit by Duqu2.</p>
<p>Each was compromised before hosting key negotiations between Iran and world leaders regarding the country’s nuclear programme. Having <a href="http://www.theguardian.com/world/2015/mar/24/israel-spied-on-us-over-iran-nuclear-talks">previously been accused</a> by the US of spying on the talks, Israel – which was not involved in the discussions – is now <a href="http://bit.ly/1e8qxXB">under suspicion of</a> (and denies) deploying the virus.</p>
<h2>Hacking a hotel room</h2>
<p>Of course, full details of exactly what information has been leaked will take some time to understand. As we saw when <a href="https://theconversation.com/credibility-at-risk-in-sony-hacking-scandal-1038">Sony was hacked</a>, further revelations are likely to emerge over time. What is apparent is that parts of the worm were designed to compress video, and others to collect communications data from phones and Wi-Fi networks.</p>
<p>Many hotels, especially luxury ones, use computerised camera surveillance and have many other sensor devices collecting and transmitting data, such as smart TVs. The fact that these three hotels were all scheduled to hold very sensitive talks before being attacked by highly sophisticated malware is unlikely to be a coincidence. </p>
<p>There are a number of ways the worm could have been spread to the hotel computer systems. Viruses can, of course, be sent as attachments to emails and often spread in this way. Up-to-date security software can stop most known viruses. But in cases such as this, where the malware and the vulnerability it exploits were previously unknown, the virus is not detected and so can infect the machine. </p>
<p>Another possibility is that an employee or contractor, or someone masquerading as such, could have infected a machine at the hotels. Duqu2 is thought to be related to the <a href="https://theconversation.com/stuxnet-is-scary-but-human-safety-should-come-first-18576">virus Stuxnet</a>, which brought down Iranian nuclear facilities and was spread, at least in part, through USB drives used by people working in the nuclear industry. Coincidentally, it is thought the infected USBs were likely to have been picked up in hotels in India and Iran.</p>
<p>We are now living in a highly connected world that is increasingly dominated by smart devices and the so-called internet of things, where many objects and appliances gather data and are connected to the internet. These devices have all types of sensors and actuators and can be controlled remotely and without human intervention.</p>
<h2>No escape</h2>
<p>If these devices are controlled by someone other than the owner, they can be used to pass interesting information to the person in control. <a href="http://www.bbc.co.uk/news/technology-30121159">Last year</a>, a Russian website streamed data from over 500 internet-connected video devices, including baby monitors. Accessing these devices didn’t even require advanced malware. Instead, hackers abused the failure of the devices’ owners to set a complex password in order to gain control.</p>
<p>Numerous actors, from terrorists to cyber-criminals, have an interest in accessing information from governments, companies and individuals. But <a href="https://theconversation.com/redefining-privacy-in-the-age-of-edward-snowden-21891">Edward Snowden</a>, who leaked details of the US and UK’s official data-capture programme, revealed just how much nation states also have a thirst for information, using both targeted and more blanket attacks to provide intelligence. </p>
<p>Clearly, in such a “smart” world, we need to get better at protecting access to our systems and devices, and that includes ensuring that the users smarten up too. This means not only ensuring our anti-virus software, firmware on our hardware, and operating systems are fully up-to-date, but also that we ourselves take care when using USB devices or opening unknown attachments.</p>
<p>We are seeing <a href="http://www.theguardian.com/technology/2014/oct/29/major-cyber-attacks-internet-experts">an increase</a> in political groups compromising the systems of companies, governments and individuals, as well as attacks for notoriety or financial gain. No system is beyond being a target, no matter how small or large.</p>
<p class="fine-print"><em><span>Carsten Maple does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Israel is suspected of spying on Iran’s nuclear talks using a virus to hack the devices that are all around us.</p>
<p>Carsten Maple, Professor of Cyber Systems Engineering, University of Warwick</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/37774, 2015-02-19T15:36:26Z</p>
<p><strong>Malware infecting hard disk firmware remained hidden for 15 years – but who’s responsible?</strong></p>
<figure><img src="https://images.theconversation.com/files/72496/original/image-20150219-28194-1ocqvrz.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Picking off hard drive manufacturers, one by one.</span> <span class="attribution"><span class="source">Kaspersky Lab</span></span></figcaption></figure>
<p>It sometimes seems that whenever security researchers discover some new exploit or malware that allows the monitoring of remote computers, the finger is quickly pointed at the US intelligence agencies. </p>
<p>Security firm Kaspersky has <a href="http://www.kaspersky.com/about/news/virus/2015/equation-group-the-crown-creator-of-cyber-espionage">recently revealed</a> a complex malware developed by a group called <a href="http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/">Equation</a>. Although its report made no mention of the US National Security Agency, subsequent <a href="http://www.reuters.com/article/2015/02/16/us-usa-cyberspying-idUSKBN0LK1QV20150216">news reports</a> held it responsible anyway.</p>
<p>This seems to follow the logic that, as Equation’s malware uses techniques similar to Stuxnet, if Stuxnet was developed by the NSA then Equation’s must also have been developed by the NSA. But despite everything that’s been written about Stuxnet’s origins, there’s no conclusive proof tying it to the NSA, or anyone else.</p>
<p>Such breathless headlines unfortunately obscure how interesting this <a href="http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/">new suite of malware</a> is – not least that it isn’t new, but dates back to 2001. That is eons in technological terms. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/72497/original/image-20150219-28187-1n0h4x3.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/72497/original/image-20150219-28187-1n0h4x3.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/72497/original/image-20150219-28187-1n0h4x3.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=351&fit=crop&dpr=1 600w, https://images.theconversation.com/files/72497/original/image-20150219-28187-1n0h4x3.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=351&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/72497/original/image-20150219-28187-1n0h4x3.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=351&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/72497/original/image-20150219-28187-1n0h4x3.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=441&fit=crop&dpr=1 754w, https://images.theconversation.com/files/72497/original/image-20150219-28187-1n0h4x3.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=441&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/72497/original/image-20150219-28187-1n0h4x3.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=441&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">A family of malware evolving over more than a decade.</span>
<span class="attribution"><span class="source">Kaspersky Lab</span></span>
</figcaption>
</figure>
<h2>Hard drive attack</h2>
<p>What’s also interesting is the way the attackers hid the malware: by embedding the malicious code into the <a href="http://www.webopedia.com/TERM/F/firmware.html">firmware</a> (hard-coded software) built into hard disk drives found in practically every computer. Not just drives from one manufacturer, but almost all the mainstream brands – perhaps even the one that powers the computer on which you read this now. Why is this important? It means you could wipe the entire drive, reinstall your computer’s software from scratch – <a href="http://www.pcworld.com/article/2884952/equation-cyberspies-use-unrivaled-nsastyle-techniques-to-hit-iran-russia.html">and still be infected</a>. </p>
<p>The only more attractive hiding place for an attacker is the firmware that is required to start the computer, the BIOS, but viruses that attack the BIOS have been around for decades and hardware has been adapted in defence. On the other hand, looking at hard drive firmware and adopting defences against tampering with it just hasn’t been on the agenda, a fact that has allowed this malware to go undetected for so long.</p>
<h2>An updated, evolving threat</h2>
<p>And it’s not just that the attackers were able to work out how to embed their malware in the drives’ firmware; they appear also to have been able to update it with improved versions. This would require updating (“flashing”) not just the malware but the original firmware code too, without which the drive wouldn’t function. This is considered <a href="https://www.ibr.cs.tu-bs.de/users/kurmus/papers/acsac13.pdf">technically advanced even today</a> – yet someone seems to have developed the capability to do so more than 10 years ago. This is technically impressive.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/HitPEFU7EVY?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">A new meaning to installing ‘on’ my hard drive.</span></figcaption>
</figure>
<p>So the fact that such an advanced technique was deployed so long ago prompts us to wonder: what else is out there that we don’t know about? It’s not as if this is the first such discovery: <a href="https://theconversation.com/new-cyber-attack-model-helps-hackers-time-the-next-stuxnet-21985">Stuxnet</a>, <a href="https://theconversation.com/flame-a-weapon-of-the-us-led-cyberwar-or-corporate-spyware-7423">Flame</a>, <a href="https://theconversation.com/introducing-regin-one-of-the-most-sophisticated-espionage-bugs-ever-discovered-34616">Regin</a> and now Equation, all of which appear to have been active for many years. To paraphrase Oscar Wilde: to miss one piece of malware looks like misfortune, to miss four looks like a trend.</p>
<h2>Pointing the finger</h2>
<p>It is easy, as we see from some of the headlines, to attribute blame based upon circumstantial evidence such as who was attacked. However, this assumes that a state actor is responsible – and that only certain countries have the wherewithal to develop such a capability. Yet, as the video above demonstrates, one individual with skills and time <a href="http://spritesmods.com/?art=twitter1943&page=4">was able to do much the same</a>.</p>
<p>One of the extraordinary things about cyber warfare and cyber espionage is how it has levelled the playing field between adversaries who might be hugely unequal in other ways. With a relatively small team and modest budget anyone could potentially develop very clever software. Cyberspace is the ideal platform to wage asymmetric warfare. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/72479/original/image-20150219-28191-1ng1tmy.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/72479/original/image-20150219-28191-1ng1tmy.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/72479/original/image-20150219-28191-1ng1tmy.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=375&fit=crop&dpr=1 600w, https://images.theconversation.com/files/72479/original/image-20150219-28191-1ng1tmy.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=375&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/72479/original/image-20150219-28191-1ng1tmy.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=375&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/72479/original/image-20150219-28191-1ng1tmy.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=471&fit=crop&dpr=1 754w, https://images.theconversation.com/files/72479/original/image-20150219-28191-1ng1tmy.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=471&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/72479/original/image-20150219-28191-1ng1tmy.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=471&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Pointing the finger of blame based on who was targeted is not conclusive.</span>
<span class="attribution"><span class="source">Kaspersky Lab</span></span>
</figcaption>
</figure>
<p>The reports of all these threats – Regin, Stuxnet, Flame, and others – carry the assumption that a government is responsible. It’s not an unreasonable assumption considering that the software’s primary function is espionage. But while nation states are the consumers of intelligence gathered in this way, it doesn’t mean that their agencies are responsible – there is an active market for such information, which means there is a commercial motivation for others to collect it. </p>
<p>Criminal hackers steal personal information to sell on the black market to those who would commit fraud. They might equally gather data of interest to governments and law enforcement and sell it to them. In many ways it is a classic market: with limitless demand there will always be those willing to supply.</p>
<p>In any event, it’s worth reading the full range of reports available and forming your own judgement. Like reading only a single newspaper, the likelihood is that the news is reported with a particular slant – such as blaming the NSA. And while you can be sure of very little when it comes to final attribution of these attacks, you can be sure that individual reports carry their own bias. If you are able, it is worth concentrating on the technical detail as that is where you’re more likely to find the truth. </p>
<p>And expect to hear more such stories in the future – after all, if malware could be hidden so successfully 10 years ago, imagine what’s possible today.</p>
<p class="fine-print"><em><span>Alan Woodward does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Mystery malware capable of hiding itself in a hard drive’s internal electronics has been revealed, having spread worldwide for more than a decade.</p>
<p>Alan Woodward, Visiting Professor, University of Surrey</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/35773, 2014-12-22T13:43:22Z</p>
<p><strong>If South Korea’s nuclear plant staff are vulnerable, then so are the reactors</strong></p>
<p><a href="http://www.technologyreview.com/featuredstory/401112/claude-shannon-reluctant-father-of-the-digital-age/">Claude Shannon</a>, who many consider the father of modern information theory, <a href="https://archive.org/stream/bstj28-4-656">wrote a paper</a> in 1949 in which he pointed out that security should never be based upon your enemy’s ignorance of how your system is built. This is known today as the mantra: “There is no security through obscurity”. Does it matter then that a <a href="http://www.bbc.co.uk/news/world-asia-30572575">South Korean nuclear plant was hacked</a> and plans of the complex stolen? That rather depends on what happens next.</p>
<p>As it is South Korea that’s the subject of this latest attack everyone tends to assume it must have had something to do with North Korea. With a target as sensitive as a nuclear power plant, not unreasonably people are asking if safety could be compromised by a cyber attack. Could hackers cause the next Chernobyl or Three Mile Island? The South Korean authorities have sought to reassure the public, making it clear that no “core systems” – those computers that control the reactor and safety systems – were compromised.</p>
<p>If it was North Korea – and there is no evidence it was – then one might imagine it was actually the technical details and blueprints of a modern nuclear reactor that were the intended target. But sadly there is a secondary security implication: the plans reveal the role of the human operators in running the reactor, and when it comes to hacking into critical infrastructure it is people that are the weakest link.</p>
<h2>Weakest link in the chain</h2>
<p>For example, when Iran’s nuclear reprocessing plant at Natanz was hacked with the infamous <a href="http://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/">Stuxnet</a> virus, it should not have been possible as the computers affected were not connected to the outside world. There was a very distinct “air gap” maintained between the reactor computer controllers and any other network. But that air gap was relatively easy to bridge, by leaving <a href="https://theconversation.com/is-your-usb-stick-the-enemy-30375">USB sticks</a> where curious people would find them, plug them in, and transfer the virus to the systems.</p>
<p>Imagine that – now you know which computers operate a nuclear power plant, and who uses them, which departments they work in, and at what times. Suddenly it’s possible to design a very targeted attack on the operators themselves, aimed at fooling them into breaching their own security. Information about people and processes that operate a technology is as valuable to a hacker as knowledge of the technology itself. Not only did Stuxnet damage equipment, it caused the computers to falsely report that all was well to the operators. It doesn’t take much imagination to see how the same could happen to a nuclear power plant – with devastating consequences.</p>
<p>And so although it’s great to hear that the plant operators are running safety drills I really hope they make sure that their security drills include the vital triad of <a href="http://www.iienet2.org/Details.aspx?id=24456">people, processes and technology</a>.</p>
<h2>The ‘soft target’ of civilian infrastructure</h2>
<p>This again points to an important and infrequently discussed problem, the vulnerability of critical national infrastructure. Cyber-attacks like these are a great way of levelling the playing field: why invest in massively expensive nuclear weapons programmes if you can simply shut down your enemies’ power, gas, water, and transportation systems? More and more infrastructure is being connected to the internet, with all the security risks that entails.</p>
<p>And many of these systems – hardware and software – are old, updated far less frequently than a desktop computer at home or at work. Computer security flaws that may have ceased to be a problem in data centres or on desktops years ago might still affect an embedded system running a gas pump, sluice gate or electricity sub-station somewhere. </p>
<p>The UK government at least has been on the case for some time, having established the Centre for the Protection of National Infrastructure (<a href="http://www.cpni.gov.uk/">CPNI</a>) to focus on infrastructure resilience to cyber-attacks. Bringing together various government agencies and businesses, it has made significant progress in at least establishing what might be vulnerable, which is the first step in knowing where to focus your efforts. </p>
<p>There is no room for complacency, however, as every day more systems become internet-connected, and more security vulnerabilities are discovered. This trend of attaching everything and anything to the internet – such as with the growing <a href="https://theconversation.com/explainer-the-internet-of-things-16542">Internet of Things</a>, but not limited to that – is embraced even more enthusiastically in Europe and the US. Take a look at search engines like <a href="https://www.shodan.io/">Shodan</a> or <a href="https://thingful.net/">Thingful</a> which show locations of online devices, and see just how widespread the Internet of Things has already become.</p>
<p>This problem will not go away. It is a fact now and will only grow in the future. Security is possible only by including people and processes as well as technology. And anyone who relies solely on security through obscurity is doomed to fail.</p>
<p class="fine-print"><em><span>Alan Woodward does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Claude Shannon, who many consider the father of modern information theory, wrote a paper in 1949 in which he pointed out that security should never be based upon your enemy’s ignorance of how your system…</p>
<p>Alan Woodward, Visiting Professor, University of Surrey</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/23628, 2014-02-24T15:25:40Z</p>
<p><strong>South Korea’s cyber-war ambitions could backfire badly</strong></p>
<figure><img src="https://images.theconversation.com/files/42381/original/sh5w67d4-1393249549.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">What's worse than an enemy with a gun? An enemy with malicious code.</span> <span class="attribution"><span class="source">Niall Carson/PA Archive/Press Association Images</span></span></figcaption></figure>
<p>South Korea has made a surprisingly public announcement that it plans to develop cyber-weapons for <a href="http://www.bbc.co.uk/news/technology-26287527">potential use against North Korea</a>. The decision to make its plans known is baffling and the potential consequences of taking hostilities online are deeply troubling. </p>
<p>When the Iranian nuclear processing plant at Natanz was hit with Stuxnet, it marked a new stage in modern warfare. Stuxnet was the first code-based weapon ever used and by the time it was discovered in 2010, it had ruined almost a fifth of the Natanz centrifuges and caused so much disruption that the Iranian nuclear programme is yet to fully recover.</p>
<p>For those with a vested interest in seeing Iran’s nuclear ambitions fail, Stuxnet appeared to be a major success. But the law of unintended consequences has resulted in some very troubling repercussions from the attack on Natanz, which makes it all the more surprising that South Korea wants to take a similar path.</p>
<p>From a purely technical perspective, Stuxnet was truly impressive. It targeted a particular class of computer called a Supervisory Control And Data Acquisition (<a href="http://whatis.techtarget.com/definition/SCADA-supervisory-control-and-data-acquisition">SCADA</a>) system. The virus was able not only to disrupt Iran’s centrifuges so that they ran at incorrect speeds, but also to report back to the power plant controllers that everything was fine. While it caused havoc by making highly sensitive systems operate erratically, those in charge had no idea anything was wrong.</p>
<p>The SCADA systems attacked by Stuxnet were a particular range made by Siemens, which were known to be used in the Natanz facility. That means the attack was probably highly targeted. It appeared to be the code equivalent of the type of smart bomb you see on the TV. It was able to take out the bad guys without any messy collateral damage.</p>
<p>But that’s fiction. The reality is that “surgical strikes” often do have collateral impact and so did Stuxnet. In fact, Stuxnet’s collateral impact continues to be felt today, years after the original attack. The reason is simple: SCADA systems are used in just about every form of <a href="https://theconversation.com/stuxnet-is-scary-but-human-safety-should-come-first-18576">critical infrastructure</a> we need in modern life, from our power stations to water processing plants to transportation control systems. And the versions produced by Siemens are among the most commonly used SCADA systems.</p>
<p>By releasing a code-based weapon like Stuxnet, the <a href="http://abcnews.go.com/blogs/headlines/2013/07/edward-snowden-u-s-israel-co-wrote-cyber-super-weapon-stuxnet/">still unidentified attackers</a> did something quite different to launching a missile in Iran. Rather than exploding on impact, the weapon stayed intact.</p>
<p>When you use a weapon against an adversary and it is not destroyed, you have effectively given it the weapon to re-use elsewhere. So it was no great surprise when copies of Stuxnet became available around the world and it soon became possible to watch a YouTube video showing how to modify the code to attack your chosen SCADA system. It took only slightly longer for derivatives of Stuxnet to appear and the sons of Stuxnet were easier to use and faster to deploy. Weaponry has a horrible habit of evolving quickly and code-based weapons are even easier to improve than most.</p>
<h2>Hi, we’re the enemy</h2>
<p>One thing that Stuxnet did have was plausible deniability. It was impossible to determine who had developed it. Fingers have been pointed at the US and Israel for many years but, even to this day, accusations about who attacked Iran are based on little more than hearsay and speculation.</p>
<p>Code-based weapons are not like nuclear weapons in that they do not require vast, expensive facilities to develop the raw materials. All you need is a group of clever people and relatively modest computing facilities. Unlike nuclear weapons, they are within the reach of most industrialised countries, and quite a few developing nations. A small rogue state could launch an attack against a militarily powerful nation, cause significant damage and no one need ever know it was behind the attack.</p>
<p>So it is particularly strange that South Korea has made its intentions public. Any attack on the North will now automatically be blamed on the South, thereby ratcheting up tension and possibly leading to armed confrontation. It’s the one move I really can’t understand.</p>
<p>The US believes a cyber-attack should be treated as <a href="http://www.nytimes.com/2011/06/01/us/politics/01cyber.html">an act of war</a> and would like to reserve the right to retaliate using good old-fashioned bombs and bullets if the time comes. This is quite reasonable in many ways, given how serious a code-based weapon could be. An enemy need not bomb a country into submission anymore; it could simply turn off the power and water. No country – the US included – could survive that for long. Unless you threaten real physical retribution against an aggressor, there is a danger that someone will try their luck. All this, of course, assumes you know who to launch reprisals against. Iran still doesn’t.</p>
<p>Why then would South Korea threaten such action against North Korea so openly? Obviously it doesn’t want the North to develop nuclear weapons as it has no such weaponry itself. What’s more, a Stuxnet-like attack could be seen as justified because it will supposedly affect only the nuclear facilities engaged in developing nuclear weapons.</p>
<p>But South Korea has a far more advanced critical national infrastructure than North Korea. If the North picks up the code-based weapon used to attack it and uses it to retaliate, very serious damage could be caused in the South, not least in financial terms.</p>
<p>The threat of North Korea developing nuclear weapons is certainly frightening but it is still not even clear if it has the resources needed to do it. And even then, it knows that using a nuclear weapon against the South or anyone else would be national suicide. It is more likely to have the resources needed to re-use a cyber-weapon. South Korea could knock out a half-baked nuclear programme but what it can expect in retaliation could be far worse.</p>
<p class="fine-print"><em><span>Alan Woodward does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Alan Woodward, Visiting Professor, University of Surrey
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/18576 2013-11-26T06:25:20Z 2013-11-26T06:25:20Z
Stuxnet is scary, but human safety should come first
<figure><img src="https://images.theconversation.com/files/36059/original/6ch5v2xt-1385382843.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Safety first, but which kind of safety?</span> <span class="attribution"><span class="source">peretzp</span></span></figcaption></figure><p>Critical national infrastructure keeps our water and electricity flowing, our payments running and our manufacturing and distribution moving. This infrastructure faces a new threat in the form of cyber-attacks, but in seeking to protect power stations from computer attacks, we may be taking our eye off the ball when it comes to more traditional safety concerns.</p>
<p>Much infrastructure relies on automated technology typically referred to as industrial control systems (ICS). These systems allow our physical environment to be affected by computers. They open valves, generate power, and sort parcels for delivery; all to meet our demands.</p>
<p>The computers controlling these systems are becoming increasingly connected with other computer networks and, more importantly, the internet. These new connections provide access routes for attackers to probe and enter systems, potentially causing large-scale disruption to the services we depend so heavily on.</p>
<p>This situation is made more severe by the long lifespan of industrial equipment. Many legacy devices are still in use which lack protection for the modern era. The recent <a href="http://www.wired.co.uk/news/archive/2013-10/17/holes-that-open-power-stations-to-hacking">discovery of 25 vulnerabilities</a> on the devices that interconnect legacy and modern equipment in power stations is testament to this.</p>
<p>Fortunately, we have not yet seen significant disruption, but one particularly high profile case has shown all industries that use control systems that they might be a target in the future and that they need to prepare for potential attacks.</p>
<h2>The Stuxnet legacy</h2>
<p>In 2010, a piece of malicious software called Stuxnet was used to attack and disrupt the operation of uranium enrichment facilities in Iran, causing millions of pounds worth of damage and delaying the enrichment programme by several years.</p>
<p>It worked by spreading itself over the internet, infecting ordinary Microsoft Windows computers, as it searched for its target - a specific type of industrial control system component that was only produced in Iran and Finland. Once it found its targets, Stuxnet was then able to modify their operating parameters to dangerous conditions, while hiding this behaviour from the operators that supported the system. While Stuxnet has not been attributed to a specific attacker, there are numerous <a href="http://abcnews.go.com/blogs/headlines/2013/07/edward-snowden-u-s-israel-co-wrote-cyber-super-weapon-stuxnet/">suspicions</a> as to where the malware was developed.</p>
<p>Stuxnet was scary for anyone using control systems. For the first time significant physical damage happened as a result of malware. </p>
<p>Since Stuxnet, industries producing and relying on control systems to automate their business have invested heavily in cyber defence, developing new technologies to protect these important infrastructures. Work so far has almost wholly been directed towards managing risks surrounding the protection of information, in a process known as information assurance. But that has implications for protecting infrastructure in other ways.</p>
<h2>Fail-safe vs fail-secure</h2>
<p>Industrial control systems have traditionally used a “fail-safe” design. If a system stops operating correctly, it shuts down to minimise damage to the environment and loss of life. Operations at a water treatment facility will shut down when water tankers reach dangerous capacity limits, for example. </p>
<p>Most information assurance approaches, on the other hand, advocate a “fail-secure” design methodology. When a system is attacked, mechanisms spring into action to prevent your information from falling into the wrong hands.</p>
<p>But these security goals are potentially at odds with one another. If a system fails and the first priority is to protect information, the shutdown may cause the system to go into a dangerous state. If a wind turbine begins rotating dangerously fast and an automated system moves to shut it down, a fail-secure system may see this as anomalous or malicious behaviour, preventing the shutdown with potentially catastrophic consequences.</p>
<p>While you do need to protect the information held in control systems, in the event of an attack this should always be secondary to the protection of life and the environment.</p>
<h2>Safe and secure</h2>
<p>A counter-movement is emerging to try to reconcile the two approaches, ensuring that both people and information are protected if an attack occurs. Advocates would like to see industry taking a “functional assurance” approach. In the event of an attack, a system would enter both fail-safe and fail-secure modes. </p>
<p>The functional assurance concept goes beyond a simple concept of “on” or “off” in the face of an attack. Internet-connected systems are under constant attack and must still carry on functioning. If an internet-connected control system were to shut down every time it was attacked, it would never be on, so we need to start thinking about how to keep the systems running in the face of concentrated digital onslaught.</p>
<p>The aftermath of Stuxnet led to the development of security standards and guidance documents that specifically target industrial control systems. However, a survey has found that these documents are probably inadequate for helping operators to achieve functional assurance. The importance of safety is frequently highlighted, but it is largely treated as a separate issue. Little attention is devoted to the complex inter-dependency of safety and security, in particular the capability of failing both safely and securely.</p>
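<p>The precedence argued for above, as an added sketch that is not from the article or from any real controller: the local overspeed interlock always wins (fail-safe), a flagged command locks out remote writes (fail-secure), and the turbine keeps running while under attack. The class, the 20 rpm trip threshold and the <code>suspicious</code> flag, which stands in for an anomaly detector's verdict, are assumptions.</p>

```python
from dataclasses import dataclass

OVERSPEED_RPM = 20.0  # assumed trip threshold for this constructed turbine

@dataclass
class TurbineController:
    rpm: float = 12.0
    running: bool = True
    remote_locked: bool = False  # fail-secure state: remote writes refused

    def handle(self, source, command, suspicious=False):
        """Arbitrate one command from 'safety' (local interlock) or 'remote'."""
        # Fail-safe path is checked first: a shutdown requested by the local
        # interlock is never filtered by the security policy.
        if source == "safety" and command == "shutdown":
            self.running, self.rpm = False, 0.0
            return "executed"
        # Fail-secure path: a flagged command locks out remote writes but
        # leaves the process running, so an attack alone cannot stop it.
        if suspicious:
            self.remote_locked = True
        if suspicious or (source == "remote" and self.remote_locked):
            return "blocked"
        if command.startswith("set_rpm:"):
            self.rpm = float(command.split(":", 1)[1])
        elif command == "shutdown":
            self.running, self.rpm = False, 0.0
        return "executed"

    def tick(self):
        """Local overspeed interlock, evaluated every control cycle."""
        if self.running and self.rpm > OVERSPEED_RPM:
            return self.handle("safety", "shutdown")
        return "ok"

def scenario():
    """Constructed sequence: normal write, flagged write, then a real fault."""
    c = TurbineController()
    outcomes = [
        c.handle("remote", "set_rpm:14"),                   # normal operation
        c.handle("remote", "set_rpm:35", suspicious=True),  # flagged: lock remote
        c.handle("remote", "shutdown"),                     # blocked while locked
    ]
    running_under_attack = c.running
    c.rpm = 27.0  # constructed physical fault: a gust drives the rotor overspeed
    outcomes.append(c.tick())
    return outcomes, running_under_attack, c.running, c.remote_locked
```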
<p>Industry and governments are yet to work out how to deliver functional assurance, but they need to make progress. Industrial control system technologies are increasingly found not only in critical infrastructure, but in our personal environments, as we move towards living in smart cities. That means anything from traffic lights to home security could be attacked. Personal safety is at stake but we want to make our infrastructure work more efficiently, which makes the balance between protecting data and protecting people more important than ever.</p>
<p class="fine-print"><em><span>Daniel Prince does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Daniel Prince, Associate Director Security Lancaster, Lancaster University
Licensed as Creative Commons – attribution, no derivatives.