David E. Sanger -- The perfect weapon
=======================================

There is one cheery note in Sanger's book. He mentions that another way to view the use of cyber weapons is as an alternative to the use of armed military conflict. We'd rather, after all, that belligerent nations use computers and the Internet rather than guns and bombs, wouldn't we? Well, yes, but that's only true if those opposing sides are not destroying critical infrastructure, not causing dams to fail, not bringing down the electrical grid, and not interfering in ways that threaten life and safety. Everything else is mostly downhill and more worrisome.

It can be argued that the Stuxnet worm was one of those operations that was preferable to armed conflict. Perhaps it set back Iran's efforts to build atomic weapons, and thus delayed military action between the U.S.A. and Iran.

I'd like to know a little more than Sanger tells us about hacking a server and breaking into a network and siphoning off data once you've broken in. I'm a computer programmer, and I'd like to understand a little more about what is going on. I don't need to know how to do it, but I want to understand how it is possible, if for no other reason than to protect myself and my network and my computers from those cyber operations. Of course, that kind of information is highly classified. The closest that Sanger gets to telling us is that there was an incident where someone scattered some USB drives around a parking lot and waited for workers at that installation to pick one up and insert it into a computer connected to the network. But, even there I don't know how that USB drive was able to get malware into a computer and onto a network. Or, maybe it's best that I don't know what can hurt me.

But, there is plenty that we do learn from "The perfect weapon". For example:

(1) It's likely that the NSA (National Security Agency) is into our VPNs (virtual private networks).
(2) The NSA is sucking in (collecting is the polite term, I suppose) lots of data from commercial sources, so they're getting *our* data, I'm sure.
(3) The NSA has court-approved, if limited, access to Google and Yahoo accounts of millions of Americans. And, don't forget that this access is likely increasing and acquiring new capabilities even as we think about it.
(4) We are in, for better or worse, a golden age of computer surveillance. It's both that we, corporations and governments, actually, have the tools to do the collecting, but also that they have the tools to make use of that data.

Online data collection and data analysis are increasingly being taught in computer science schools and departments. So, you can be sure that those tools and techniques are becoming more and more available, and the people who know how to use them are becoming more prevalent. If you want to learn it on your own, search the Web for "python data science". Python is a high-level programming language that is being used more and more for data analysis and AI. For some tools, these are good places to start: https://www.scipy.org/index.html, https://www.scipy.org/about.html.

Also, keep in mind that part of the value of having access to our data and to the data of corporations and governments depends on that access being secret. So, without doubt there is plenty of surveillance that we do not know about. Sanger claims that this is what was so revelatory about the information exposed by Edward Snowden: that the NSA has units that are breaking into secured networks around the world.

And, because the use of cyber weapons by, e.g., the U.S. government is so secret, we have never had public discussion about what should be allowed and what should not. Aggressive military actions against a foreign nation in a time of peace are illegal, according to some sort of international law. But, what about aggressive *cyber* operations? Is that OK? Is it perhaps just as aggressive?
Many cyber operations are done *by* the military, after all. Sanger reports on those by the U.S. government against Iran and North Korea. Maybe we should be more honest with ourselves and face the idea that the U.S.A. is in a state of cyber war with Iran and North Korea, and possibly even low level war with Russia and China.

We'll also have to face the idea that cyber warfare trends inherently toward escalation. The cyber tools that are effective today will no longer be as effective tomorrow when countermeasures and tools have been developed. So, governments are in a continual state of competition to develop newer and more sophisticated tools, tools that are unknown to and not understood by their enemies. And, it's not just the cyber tools that the government is using today; it's also that each government has to be prepared to go into a state of more active war with the use of cyber offensive tools that they have not yet actively employed. So, we have no idea and no knowledge about the capabilities of the U.S. government to destroy another nation's power grid, communications systems, transportation systems, air defense systems, or any other capabilities that might be thought to be needed during a conflict.

One thought that is only slightly reassuring is that planning and preparing for these kinds of destructive capabilities requires a huge amount of resources and can only be done at an immense cost. So, hopefully, not very many actors on the global stage (nation states and global corporations) are doing it. Again, information about what our government is doing in this regard is classified, so there is no way to know what kind of offensive capabilities, or even defensive capabilities, are being created.
So, given that we are justified in worrying about clandestine cyber operations on *their* networks (where "their" refers to almost anybody), how confident should you be that the mobile phone, manufactured in China or South Korea, is not hacking into your local wireless network and sending data through a back door to some remote cyber operations unit?

And, since the U.S.A. government does not release information on what it has discovered about China's hacking and aggressive cyber operations, whether intelligence gathering or offensive operations, we really have no idea what is happening to us. Remember that the U.S.A. government does not want China to know what our intelligence agencies know about what China does (in the way of cyber activities) for fear that they would learn and use more sophisticated methods that we cannot track or crack. So, even if the U.S.A. government knows we are being hacked, they might not do anything to protect us.

Of course, it could be worse. You could be living in China. Not only does China conduct serious cyber intelligence operations against its own citizens, but it has also pressured Western global corporations and news organizations into complying with its (China's) censorship rules. What's more, and here is an irony for you, China is likely sending some of its citizens to computer science programs in schools in the U.S.A. to learn cyber techniques to use against us. We can only imagine whether North Korea, in turn, sends people to schools in China to learn cyber technologies that were learned in the U.S.A., and then likely improved upon.

And, if you start worrying about China's cyber operations, Sanger has equally serious worries to give about Russia's. If China's cyber operations are (mostly) self-seeking, Russia's are downright malicious. Sanger provides a lengthy chapter on that.
We might be worried, for example, that Russian hackers might have skewed the results of our last presidential election away from Clinton and in favor of Trump. But even if they had failed to help Trump win, they had succeeded in discrediting Clinton so seriously that she would have governed as a significantly weakened president. And, Trump's claims that the election was going to be rigged certainly helped that effort; whether Trump did so in collusion with Russian operatives or because of threats of blackmail from any of them really does not matter that much, since it was so much in line with their interests.

And, then, there are all the worries that we might have as private citizens, both in terms of how much and which information is being collected about each of us and also how and in what ways we are each being manipulated during our online activities. Unfortunately, it is exactly the kind of information that many of us feel we should be able to keep private that is also the information needed to track down threatening activities by possible terrorists. And, analogously but perhaps less worrisome to some of us, the information collected by corporations for marketing purposes is also information that can be used to help us use the Internet and the Web in more convenient ways, so that we are seduced into complacency in that area, too.

Then there is pornography -- how much and which of our data do we want to have reviewed and policed? Our public Web pages but not our posts to social media? Our posts to social media but not our emails? Perhaps I should be allowed to have pictures of a very young, unclothed child if I'm that child's parent, but not otherwise. The more content we have and the more ways we have to produce that content, the more issues we will face.

Sanger gives us plenty to worry about. One problem that I found especially troubling was the consequences of having corporations do much of the work to develop cyber tools on contract with the U.S.A.
government. Those who work in those corporations on those tools are likely cleared for work by the corporations themselves. So, we have to wonder how hard it would be for evildoers to gain access to the data and code and tools that are used for cyber operations.

Obviously, it is not just our government that we can and should worry about; there are corporations, too, both those which are working on contract for the U.S. government and also corporations that are collecting data and conducting cyber operations for their own financial gain. We can expect to see more and more work done to, for example, mislead us into purchasing and using corporate products.

Some things that might give us some small amount of protection from corporations, at least when they are helping the U.S. government with cyber operations, are that (1) the employees of many corporations are pushing back against cooperation with the government and (2) these corporations, because many of them are multinational, perhaps do not feel much loyalty to, for example, the U.S. government, and might push back against demands by the U.S.A. government to conduct cyber operations against U.S. citizens.

As China's cyber capabilities improve, the Chinese government has become better at using those capabilities both for domestic surveillance and for coercion. We can hope that the same efforts are not being used in free countries, although the tension between privacy and freedom from interference, on the one hand, and the need to protect citizens and infrastructure, on the other hand, is there. Two dramatic TV series, whose locale is Australia and the Australian government, deal with this. Look for "Pine Gap" and "Secret City" on Netflix.

Sanger is not only talking about cyber operations. He also discusses psychological operations, often those that employ cyber technology. For more on that, you may also want to read "Messing with the enemy", by Clint Watts. Also see my review: `Clint Watts -- Messing with the enemy`_.
And, since everybody is doing this kind of cyber intelligence gathering and data collecting etc., or soon will be, you may also want to read "The Age of Surveillance Capitalism", by Shoshana Zuboff.

03/12/2019

.. vim:ft=rst:fo+=a: