Threats to Cyber Security aren't just from foreign adversaries

By rejecting the calls for a citizens assembly, Irish people have been done a disservice as the conversation has been limited to discussions of how an "enemy" can affect us but ignored the risks that government policy is already creating for us.


The "Consultative Forum on International Security Policy" was called out as a "stitch-up" due to the views of those chosen to speak on the panels mostly supporting further Irish integration with projects and operations led by NATO and PESCO.

On many panels this makes the conversations almost worthless, as the views of those on the panel align but there is no agreement on objective facts with those who haven't been given a similar platform in the debate. In the case of the "New and emerging threats: Cyber security" panel, however, the objective facts put forward as to what the perceived threats are and how to defend against them are likely agreeable to those on the panel, to most software engineers and to those who would describe themselves as in opposition to war and growing militarism. Even so, the lack of those voices weakens the debate and limits the value of conclusions that can be drawn from it.

Since these facts are mostly accepted I'll highlight some of the more interesting points of difference brought up during overviews by panellists and in response to questions from the floor.

"What would the AI answer be to Irish neutrality?"

Chris Johnson of the UK National Cyber Advisory Board said he fears that "within 10 years it will be almost impossible to buy high level munitions without machine learning in them. Does neutrality provide you with sufficient defence against adversaries that are equipped with these sorts of weapons?"

A letter making similar claims about the perceived threats of machine learning, or Artificial Intelligence as it's described in companies' marketing material, was signed by the CEOs and senior figures within some of the world's most highly funded companies developing machine learning tools.

For all their talk, these companies have not agreed to stop working on tools that they believe are a threat to all of humanity. If they truly believe that there's a threat and won't stop of their own accord, the question of security isn't one of starting a new arms race but of states using their coercive arms of police and courts to shut them down.

A report claimed that a simulation run by the US military using machine learning equipped drones resulted in the weapon killing its operator, who was limiting the drone from its primary objective of wanton slaughter.

While the report is sensationalised, it's reasonable to fear the future development of these weapons, but there has been no call for them not to be built in the first place, which sets up the ground for an arms race as states try to compete with new, more lethal weapons. This is already beginning in the US with the CHIPS Act, as they are trying to shorten their supply chains for building weapons, with the EU planning a similar onshoring.

Here is the crux of the problem with the makeup of this panel: at no stage does it deal with the negative impacts that these cyber tools of control are having on populations within the recognised borders of states. The conversation is limited to developing them for national defence but ignores how these tools can arise out of the subjugation of local populations or get turned on local populations as police departments buy equipment designed for militaries.

Cyber Weapons

Panellist Caitríona Heinl, Executive Director of the Azure Forum for Contemporary Security Strategy, said "a number of states are developing out capabilities for military purposes and the use of cyber in future conflicts is becoming more likely... the capacities and resources of States across the world are different and what this means is that it increases risks for all states."

One of the most famous cyber attacks on another nation's infrastructure is the Stuxnet worm attack on Siemens controllers. Beginning in 2007, a cyber weapon attacked Iranian centrifuges which were being used to refine uranium. It's generally accepted that the weapon was developed jointly by the USA and Israel, with Germany providing critical documentation for the hardware that was hacked.

Ultimately the attack was judged to have been a success in that it was deployed and damaged some of Iran's equipment, but it still had little effect on their ability to create enriched uranium. In the end it wasn't cyber warfare that ended Iran's nuclear ambitions but the less sexy discussions and diplomacy leading to an agreement that Iran would not develop nuclear weapons in exchange for relief from sanctions.

In this instance the weapon was turned on another nation, but the pattern of development for the weapon, and the danger involved in finding an exploit in a piece of critical infrastructure and not informing the creators so they can fix it and avoid more widespread harm, puts everybody at risk. This risk is amplified if the knowledge of the existence of the exploit gets out or if the weapon gets deployed and reverse-engineered by the victim of the attack.

And with Stuxnet it was reverse-engineered! Iran retooled the worm to attack businesses and infrastructure in the US, Israel and Saudi Arabia, and Microsoft, in its 2016 Microsoft Digital Defense Report, identified hacks targeting civilian systems around the world that used one of the exploits developed as part of the Stuxnet worm, nearly 10 years after it was initially deployed as a weapon.

The HSE ransomware attack is noted for the "relative simplicity of the attack" and that there "were known weaknesses and gaps in key cybersecurity controls". If a hospital was keeping drugs stored in an unlocked storage room they would absolutely fail a HIQA inspection, but for the IT systems, where the initial infection was recognised but not acted on, there isn’t any equivalent regulator.

As with states linking up with companies to implement technologies of surveillance and control, there are also links between states and companies distributing malware, especially in countries like Russia, Iran and North Korea, where they can use these methods to get access to foreign currency and evade sanctions. There's also a lack of interest in private enterprise carrying out cybercrime internationally. As cybercrime expert Misha Glenny said in 2018, "Russian law enforcement and the FSB in particular have a very good idea of what is going on and they are monitoring it, but as long as the fraud is restricted to other parts of the world they don’t care."

Overall, when it comes to these hacks, whether ransomware or wipers, Richard Parker, Vice President of Cyber Security at Dell Technologies, was bluntly honest: "With ransomware it's no more about how do we prevent it, it's accepting that is going to happen, it's really looking at how are you going to respond when it happens... [additionally] how are you protecting all your data, if you have your key assets and you're backing up your data, are you able to recover it pretty quickly or is it going to take weeks". Of course, it helps that Richard is more familiar with this pitch as Dell sell a product to handle recovery from such an attack.

The war comes home

Companies building surveillance tools are getting closer and closer to states, and in many cases there's a revolving door between companies and state bodies, especially in Israel, which is becoming one of the world's largest exporters of military and cyber weapons, with few questions over who uses them or how.

Worse still, the effectiveness of these weapons must be proven to help market them to other states. In Israel's case that means using them to oppress and murder Palestinians. For the US, Afghanistan served as a test bed for 20 years. Here in Ireland throughout the 70s and 80s the UK developed its weapons and tactics to suppress people in Northern Ireland who were fighting against being second-class citizens.

Israeli cyber weapon company NSO Group, now blacklisted by the US for providing spyware to countries which used it against the US, sold a tool to any government that would turn a blind eye to Israel's occupation of Palestine. The tool allows intelligence services or governments to spy on journalists, human rights defenders, members of the opposition, really anybody whom a state that will ignore murder and oppression in exchange for weapons would want to surveil.

On a positive note, moderator Richard Browne, director of the National Cyber Security Centre (NCSC), made it clear that "we have a very robust export control regime.... and the usual complaint we get is that it's overly onerous and it doesn't allow people export to who they want to export... The complaint we get from third parties is we're overly restrictive." Later in the panel, most members reiterated that this robust export control should remain.

For Ireland to maintain its neutrality it's critical that we avoid exporting any technology or products that help with further militarisation anywhere on the planet. Not only should we not allow weapons for state surveillance and control to be developed here, we should also avoid using public money for their development, because many are "dual-purpose" technologies that exist to maintain or entrench inequalities.

These technologies include but aren't limited to surveillance in the guise of parking enforcement (quietly defeated as it couldn't be justified under the GDPR), expanded CCTV under the guise of litter control, facial recognition technology (temporarily halted), where existing deployments have been shown to enforce class and racial biases, and the weakening of End-To-End Encryption.

While these may seem to fall under "civilian infrastructure", the reality is that the people in control of them have the ability to exert additional force over those under their watch. Any attempt to add in tools to reduce the privacy of individuals risks the security of everyone, especially in the case of an invasion or cyber attack by foreign intelligence services.

Separate civilian and military

One of the most important issues raised was by Brigadier General Seán White, who said, "a key lesson from the war really is the segregation of military and civilian infrastructure potentially to have better security for Military and Civilian Networks."

As the debate about Ireland's neutrality continues, and as support for it stays high, it's important we question the use of Ireland's resources for the support of military operations of other countries.

Currently Data Centres consume 18% of Ireland's electricity while also putting increased pressure on the Gas Network and Water Network, making our transition from using fossil fuels for electricity more difficult.

There are no limitations on what operations are run in data centres here in Ireland. There's no guarantee that Amazon doesn't run surveillance operations for the NSA as part of the secretive $10 billion contract it received for cloud services, and the same goes for Google, which has a share of a $9 billion contract to provide cloud computing for the Pentagon, and Microsoft, which has secured a nearly $22 billion contract for battlefield Virtual Reality. There were internal protests within all of these companies when these contracts were awarded, as workers didn't want to take part in increasing militarism.

With more principled workers leaving rather than having their work used for military purposes we should be looking at a separation of military and civilian infrastructure, especially in the area of data processing.

One of the reasons for this is that with the intertwining of digital services into all aspects of our lives, people protesting against an unjust war or unjust surveillance would need to destroy processing capacity that massively affects civilian uses just to get at the uses they perceive to have no, or negative, social value.

In the USA in the 60s and 70s military computing infrastructure was mostly separate from the limited civilian uses that were available at the time. In opposition to being drafted to fight in Vietnam and the wanton murder of Vietnamese people, Americans chose to destroy computers that were being used to design weapons, plan military operations and organise the draft. Following a bombing of a HP facility, company founder Bill Hewlett wrote, "As the company grows larger, it is a more attractive target for sabotage, theft and violence." and responded by building new security fences around the facility. This has been the general response from companies like HP, which was founded as a critical part of the military supply chain and was still receiving money from Israel for operating surveillance technology for implementing apartheid until at least 2020.

Here in Ireland a similar separation of military and civilian infrastructure allowed the "Raytheon 9" to occupy and destroy equipment in the Raytheon facility as a way to protest Raytheon weapons being used to commit war crimes.

Following his acquittal for the occupation, veteran Civil Rights campaigner, Eamonn McCann said, "The jury has accepted that we were reasonable in our belief that: the Israel Defence Forces were guilty of war crimes in Lebanon in the summer of 2006; that the Raytheon company, including its facility in Derry, was aiding and abetting the commission of these crimes; and that the action we took was intended to have, and did have, the effect of hampering or delaying the commission of war crimes."

Additional protests created a risk of further disruption for Raytheon, ultimately leading to them leaving Derry.

The separation of military and civilian processing infrastructure is extremely important if people are to hold their governments in check without inflicting undue harm on their fellow citizens. We also need to address the issue of there being no digital "commons", with all citizens having what is, for many people, their main method of communication mediated through a private company. This means having the knowledge to deploy and maintain networks and servers securely and openly, to develop digital systems citizens can trust and not ones that are subject to surveillance dragnets.

What if companies don't want to be secure?

In his introduction to the panel Richard Browne described the corporatised nature of the cyber space: "in Air or Space or Maritime the domain is publicly owned, it's accessible to all, it's a public commons, but in cyber the domain is owned by private companies for the very most part, it is in wires owned by companies, it is in IT systems owned by companies or governments, it's out there, so the state cannot simply insert itself into that process, it has to do so carefully, legally and in a very appropriate fashion."

This is a defeatist attitude, as there are means for governments to introduce laws and a regulatory environment, similar to the NCT but for digital systems, to at least reduce the surface area of attack from known exploits.

Under the GDPR there is some pressure on companies to treat data security or integrity as a core competency of their organisation, but this is simply a market mechanism, since the majority of the fines companies have received are a "cost of doing business", and unfortunately the GDPR isn't being used as a way for workers to argue for data minimisation against calls from above to create large datasets of personal information.

Even with a regular analysis of digital systems by an impartial regulator, it is tough to secure systems. You can't necessarily just buy your way to a secure digital environment, as workers need to be trained in the practice of a security culture, since most cyber attacks begin with human error.

Just this month a type of hack known as a "supply-chain attack" affected hundreds if not thousands of companies across the world, including the HSE, although in a much less serious way than the ransomware attack in 2021. A file transfer program called "MOVEit" suffered an attack from an SQL injection that allowed the hackers to extract files from hundreds, if not thousands, of corporate and government targets. "SQL Injection" attacks are almost non-existent in software written in the last 10 years due to lessons learned from past vulnerabilities. The problem is that we have legacy tools, initially built years ago, that can retain weaknesses to hacks that were common decades ago, as developers either don't have the time or don't feel comfortable modifying security-critical parts of systems.

Any digital system that makes use of a compromisable system becomes as weak as the least secure part of its system or network. Outsourcing, centralisation and a move to Software as a Service (where the software seller maintains the data on their servers) make companies that are likely to hold sensitive data from many companies and public institutions more enticing for attackers to target. The large flood of money from investors into tech firms and a Silicon Valley culture of "move fast and break things" has created a digital minefield of exploitable tools from companies who rarely if ever considered the security of the data they hold.

The danger of another critical vulnerability like "Heartbleed", which left nearly 20% of websites vulnerable to data theft, only grows as digital systems become more prevalent and control more parts of our lives. States and companies need to practise data minimisation, that is, not collecting data that isn't needed (unlike the government's efforts to illegally impose the Public Services Card).

Rather than a military-led operation like NATO's "Cooperative Cyber Defense Center of Excellence", of which Ireland is a member, a civilian alternative is needed, funded with public money to share the development, auditing and hardening costs of critical tools which are often maintained by just one person in their evenings and weekends. The "National Vulnerability Database" already exists for sharing possible avenues of attack and coordinating the release of fixes. The danger with a military-led version is that a vulnerability may be withheld for use against the enemies of countries not part of the cyber sharing alliance, which can lead to avoidable suffering for citizens.

Conclusion

It's a broad area and this response still only scratches the surface of the issue, but it's clear that, with the panel limited to speakers who were mostly aligned and only 4 hours of discussions over 2 panels, when it was recognised at the opening of the panel that "cyber is in everything", there was nowhere near enough time for the issues to be properly dealt with.

By rejecting the calls for a citizens assembly, Irish people have been done a disservice as the conversation has been limited to discussions of how an "enemy" can affect us but ignored the risks that government policy is already creating for us.