Review of the Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon

Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon

Rating: ⭐️⭐️⭐️⭐️⭐️

Zetter’s book engages in a heroic effort to summarize, describe, and explain the significance of the NSA’s and Israel’s first ‘cyber weapon’, named Stuxnet. This piece of malware was used to disrupt the production of nuclear material in Iran as part of broader covert efforts to delimit the country’s ability to construct a nuclear weapon. 

Multiple versions of Stuxnet were created, as were a series of complementary or derivative malware species with names such as Duqu and Flame. In all cases the malware was unusually sophisticated and relied on chains of exploits or novel techniques that advanced certain capabilities from academic theory to implementable practice. The reliance on zero-day vulnerabilities, or those for which no patches are available, combined with deliberate efforts to subvert the Windows Update system as well as use fraudulently signed digital certificates, bear the hallmarks of developers being willing to compromise global security for the sake of a specific American-Israeli malware campaign. In effect, the decision to leave the world’s computers vulnerable to the exploits used in the creation of Stuxnet demonstrate that offence was prioritized over defence by the respective governments and their signals intelligence agencies which authored the malware.

The book regales the reader with any number of politically sensitive tidbits of information: the CIA was responsible for providing some information on Iran’s nuclear ambitions to the IAEA, Russian antivirus researchers were monitored by Israeli (and perhaps other nations’) spies, historically the CIA and renown physicists planted false stories in Nature, the formal recognition as cyberspace as the fifth domain of battle in 2010 was merely formal recognition of work that had been ongoing for a decade prior, the shift to a wildly propagating version of Stuxnet likely followed after close access operations were no longer possible and the flagrancy of the propagation was likely an error, amongst many other bits of information.

Zetter spends a significant amount of time unpacking the ways in which the United States government determines if a vulnerability should be secretly retained for government use as part of a vulnerabilities equities process. Representatives from the Department of Homeland Security who were quoted in the book noted that they had never received information from the National Security Agency of a vulnerability and, moreover, that in cases where the Agency was already exploiting a reported vulnerability it was unlikely that disclosure would happen after entering the vulnerability into the equities process. As noted by any number of people in the course of the book, the failure by the United States (and other Western governments) to clearly explain their vulnerabilities disclosure processes, or the manners in which they would respond to a cyber attack, leaves unsettled the norms of digital security as well as leaves unanswered the norms and policies concerning when (and how) a state will respond to cyber attacks. To date these issues remain as murky as when the book was published in 2014.

The Countdown to Zero Day, in many respects, serves to collate a large volume of information that has otherwise existed in the public sphere. It draws in interviews, past technical and policy reports, and a vast quantity of news reports. But more than just collating materials it also explains the meanings of them, draws links between them that had not previously been made in such clear or straightforward fashions, and explains the broader implications of the United States’ and Israel’s actions. Further, the details of the book render (more) transparent how anti-virus companies and malware researchers conduct their work, as well as the threats to that work in an era when a piece of malware could be used by a criminal enterprise or a major nation-state actor with a habit of proactively working to silence researchers. The book remains an important landmark in the history of security journalism, cybersecurity, and the politics of cybersecurity. I would heartily recommend it to a layperson and expert alike.

Link

Metadata in Context – An Ontological and Normative Analysis of the NSA’s Bulk Telephony Metadata Collection Program

Abstract:

In the aftermath of the Snowden revelations, the National Security Agency (NSA) responded to fears about warrantless domestic surveillance programs by emphasizing that it was collecting only the metadata, and not the content, of communications. When justifying its activities, the NSA offered the following rationale: because data involves content and metadata does not, a reasonable expectation of privacy extends only to the former but not the latter. Our paper questions the soundness of this argument. More specifically, we argue that privacy is defined not only by the types of information at hand, but also by the context in which the information is collected. This context has changed dramatically. Defining privacy as contextual integrity we are able, in the first place, to explain why the bulk telephony metadata collection program violated expectations of privacy and, in the second, to evaluate whether the benefits to national security provided by the program can be justified in light of the program’s material costs, on the one hand, and its infringements on civil liberties, on the other hand.

A terrific paper from Paula Kift and Helen Nissenbaum.

Link

Covernames Versus Code / Strategy Versus Tactics

From the New York Times:

Mr. Snowden’s cascade of disclosures to journalists and his defiant public stance drew far more media coverage than this new breach. But Mr. Snowden released code words, while the Shadow Brokers have released the actual code; if he shared what might be described as battle plans, they have loosed the weapons themselves. Created at huge expense to American taxpayers, those cyberweapons have now been picked up by hackers from North Korea to Russia and shot back at the United States and its allies.

While the revelation of code facilitates a more immediate kind of repurposing and attack, I think that the Shadow Brokers have tended to reveal tactical information versus the strategic information released by Snowden. Few have done the requisite work to actually pull together the comprehensive narratives that emerge in the Snowden documents and, instead, have focused on specific programs or tools. Those few of us who have comprehensively analyzed his documents, however, now possess insights into strategic thinking, decision making, and resource allocation of the Five Eyes intelligence agencies. The long term value of such information is just as, if not more, valuable than code drops.

Quote

The difficult project of establishing meaningful oversight would be aided by a deeper appreciation by all sides of the surveillance debates that their adversaries are generally acting in good faith. Too often it seems that we occupy parallel universes. In the first, the U.S. intelligence community operates in a framework so regulated and constrained that it should be the envy of the world, not the target of its scorn. No intelligence agency in the world can match our respect for rules and laws. In the second, the U.S. surveillance state has outgrown legal restraints and allowed its surveillance activities to be driven by technological capabilities. It developed and deployed a global system of mass surveillance without the knowledge or consent of the public, and it is sitting on massive databases of private information that constitute a genuine threat to free societies.

We should acknowledge the possibility that both of these pictures are largely accurate. The intelligence community is staffed by honorable public servants who have an abiding respect for the Constitution. And history gives us reason to be concerned that information collected for one purpose will likely be put to other purposes, particularly in the aftermath of a terrorist attack or other national trauma. We might even elect a president who has no regard for the rule of law.

Ben Wizner, ACLU

The question of how to draft a system of secret rules while simultaneously ensuring that the actors solely operate within the realm of the rules continues to vex policymakers, academics, politicians, and lawyers. What definitely seems to not work is maintaining a veil of secrecy over the baseline set of rules themselves, to say nothing of cloaking the interpretations of those rules in their own layers of secrecy.

Link

Imagine if Donald Trump Controlled the NSA

Wired:

And exactly what could a President Trump do with the NSA? First, Hennessey says, there’s the question of what he could undo: He could, for instance, rescind the executive actions of President Obama aimed at reforming the NSA after Snowden’s revelations. Presidential Policy Directive 28, for example, issued in 2014, was designed to ensure that the NSA’s signals intelligence branch wouldn’t use its powers to promote American business interests or suppress political dissent abroad, and that it would minimize its invasion of the privacy of not just Americans but also non-Americans whenever possible. Trump could also defang or coopt the executive branch’s Privacy and Civil Liberties Oversight Board, which opposed and helped to end the NSA’s mass collection of Americans’ cell phone records last year.

More fundamentally, Hennessey and other former NSA staffers worry that Trump could redefine the priorities of the NSA’s foreign intelligence mission. He could, for instance, refocus American spying efforts to take the agency’s eyes off Russia and instead target that country’s adversaries, like Georgia, Ukraine, or even the European Union. Given Trump’s murky financial ties to Russia, it’s still not clear how he would approach its authoritarian government if he were to take power. “Trump has indicated he has unusual views about Vladimir Putin as an individual and Russian activity around the world that’s very problematic for the security interests of the US,” Hennessey says. “We shouldn’t underestimate the importance of the intelligence community’s high level priorities and the ability of the president to shift them.”

Despite what people believe, the NSA is significantly restrained in some of its activities as compared to its compatriots. As an example, there is still no evidence that the NSA conducts economic espionage for the purpose of enhancing specific American business’ interests. The United States does conduct economic espionage for trading and global threat assessments, but not to share the collected information with domestic businesses. A Trump presidency could change that and, in the course, truly blend best-of-class government surveillance with nationalist economic policies. While that might sound appealing to Americans it could also initiate a full-scale trade war…and one where the people of the world would likely come out far poorer.

Link

More Thoughts on the Yahoo Scan

Macy Wheeler:

To sum up: ex-Yahoo employees want this story to be about the technical recklessness of the request and Yahoo’s bureaucratic implementation of it. Government lawyers and spooks are happy to explain this was a traditional FISA order, but want to downplay the intrusiveness and recklessness of this by claiming it just involved adapting an existing scan. And intelligence committee members mistakenly believed this scan happened under Section 702, and wanted to make it a 702 renewal fight issue, but since appear to have learned differently.

This is the definitive summarization of what Yahoo! (likely) did when they monitored all of their customers’ emails for the US government. Well worth the read for its content and, also, to see what goes into a critical media evaluation of an unfolding intelligence-related series of news stories.

Link

Partnership between NSA and telecoms pose both security and privacy risk, experts say

Partnership between NSA and telecoms pose both security and privacy risk, experts say:

Speculation remains as to whether the programs still exist, but as Cohn said: “The story that [these documents] tell is [the NSA is] just grabbing more, and more, and more, and more. Nothing in this six-year span is of them getting anything less. [So our] best guess is that trajectory continued.”

Christopher Parsons, postdoctoral fellow, Citizen Lab at the Munk School of Global Affairs, seconded Cohn’s thoughts and expressed surprise that no documents have indicated any change in programs.

Even if Americans aren’t exactly concerned about their data, per se, Parsons reminded that beyond losing its citizens’ trust, the U.S. government loses diplomatic credibility through these leaked documents. The government can’t argue for a free and open internet if it monitors foreigners and its own citizens, he said.

“If you use the internet, and the data goes through the U.S., the government is spying on it,” he said.

Link

New Mass Surveillance Laws Come to Canada, France, and the United Kingdom, as the NSA May Have Its Wings Clipped | VICE News

New Mass Surveillance Laws Come to Canada, France, and the United Kingdom, as the NSA May Have Its Wings Clipped:

Canada’s Anti-Terrorism Act is just one step away from becoming law, with its controversial information-sharing and secret police powers still intact. France’s cyber-snooping bill is facing broad political support. And the United Kingdom’s nanny state law has been in effect for months, despite protestations of a coalition of anti-spying activists.

Christopher Parsons, postdoctoral fellow at the University of Toronto’s Citizen Lab, said that while neutering the Patriot Act might impede how Americans’ data gets scooped up, nobody should expect these changes will do much to kneecap the NSA’s mass spying regime.

“I think they can do it anyway,” Parsons told VICE News, pointing to Executive Order 12333 — the directive issued by Ronald Reagan that first permitted the NSA to spy on foreign soil.

“In an era of cloud computing, there is a strong argument to be made that even after that section of the Patriot Act goes away, where and when Americans’ data flows across international boundaries, it can be collected anyway,” he said.

And while the NSA’s ability to collect data within the United States might be “slightly diminished,” other American agencies with mandates to surveil domestic threats could simply take over.

Parsons says the emerging relationship between Washington and its Five Eyes partners – Canada, the United Kingdom, Australia and New Zealand — is evolving into something much more advanced.

“All the various signals intelligence agencies have become increasingly sophisticated in, not just their ability to collect data, but also their ability to share data with one another,” Parsons said.

 

Quote

L’Agence nationale de sécurité américaine (NSA) tente de tracer la carte du trafic des communications de plusieurs entreprises mondiales, dont le géant des télécommunications canadien Rogers et la Banque Royale du Canada (RBC), selon un document secret, a rapporté le Globe and Mail mardi.

«C’est une préparation du champ de bataille, afin de pouvoir l’investir plus tard, croit Christopher Parsons, un chercheur de l’université de Toronto interrogé par le quotidien. Il s’agit d’observer l’entrée et la sortie des communications d’un réseau et de dire “Okay, voici les endroits où nous devons entrer.”»

Rogers et RBC disent n’avoir aucune raison de croire que leurs systèmes informatiques ou données de clients ont été compromises. «Si une telle surveillance a réellement lieu, nous trouverions cela très troublant», a néamoins affirmé Patricia Trott, porte-parole pour Rogers.

* La NSA espionnerait les communications de Rogers et RBC

Link

NSA trying to map Rogers, RBC communications traffic, leak shows

NSA trying to map Rogers, RBC communications traffic, leak shows :

The U.S. National Security Agency has been trying to map the communications traffic of corporations around the world, and a classified document reveals that at least two of Canada’s largest companies are included.

Christopher Parsons, a researcher at the University of Toronto’s Citizen Lab, who reviewed the leaked document with The Globe, said the activity described could help determine useful access points in the future: “This is preparing the battlefield so it could later be used.

“This is … watching communications come in and out of a network and saying, ‘Okay, these are the places we need to go in.’”