Rise of mezzanine actors impossible to tie to states seen as major new issue for governments
The FT's excellent recent feature on Iran contains a proposed scenario for the 'infiltration' of Stuxnet into the Natanz reactor facility. Since, the authors state, the Natanz computers are not web-aligned, the virus had to be delivered in person to one of the systems operating on the intranet, probably by USB flash drive. It's the most logical scenario, but Stuxnet went on to infect not just the Natanz system but computers worldwide: 60% of them in Iran, but many further afield, in the UK, China and the United States among many others. It's estimated that 60 000 computers may now be infected. This suggests some sort of web exposure or a different mode of entry for the worm, as it has obviously leaked beyond its intended target. Eloquent and outspoken on the issue, Ralph Langner spoke at the recent TED conference, asserting his belief that Israel and America are behind Stuxnet. Mr Langner said that the project would have required "inside information", so detailed that "they probably knew the shoe size of the operator."
Thomas Rid at the Kingsofwar blog picks up on a less well reported release, that of Germany's new cybersecurity strategy. The document is interesting as a possible blueprint for government action in the future. It proposes the creation of two new bodies - a ten-man cyber defence centre and also a cyber security council, as Rid terms it. Organizational Culture theorists would have a field day. Bureaucracy reigns supreme. This is followed by the proposal to create a codex that will serve as a doctrine for foreign policy. It's important for nation-states to take a lead on this issue and attempt to establish norms through which cyberwarfare can be outlawed, but how do you punish? The originators of Stuxnet have never actually been identified. If a cyberattack shut down a hospital where a political figure was being treated, killing many patients as a result, and the attack originated from one country but the state denied all knowledge, how do you proceed?
The current issue of Survival, in tune with the prevailing current of fear, leads with cyber-threats. One article therein runs with the theme of governments outsourcing cybercrime to unattributable third parties. This theme is developed further by the second article, which links mezzanine actors to states such as China and Iran. 'We are behind in the thinking and utilisation' seems to be the current perceived wisdom. This problem has been drifting around the sidelines for many years (see, for example, Grove, Goodman and Lukasik, 'Cyber Attacks and International Law', Survival (Autumn 2000)), but without ever really identifying the statelessness of attacking through the World Wide Web. International Law is essentially based around notions of state interactions, cooperation and antagonism between actors bounded by geography. Al-Qaeda changed the idea of how Western military might respond to non-state actors, and this has been a struggle in itself - so-called Fourth Generation warfare being the issue of our day. At least al-Qaeda can in some manner be identified, through an ideological commitment, a brand, a visual web presence. Mezzanine cyberwarriors will not afford states the same luxury.
On the purely technological side, countering what have become known as Advanced Persistent Threats is featuring more heavily on the worldwide conference agenda. The "Advanced Persistent Threat" (APT) refers to advanced and normally clandestine means to gain continual, persistent intelligence on an individual, or on a group of individuals such as a foreign nation state government. Since software is imperfect, it contains holes or spaces within which trojans can operate. Booz Allen have hosted a number of seminars and discussions on the subject: