Reliable Security Information
The shady and the low of US virus war

You can count there being no end to the hypocrisy of the US national security complex, aka "the self-licking ice cream cone." It looks in the mirror, sees its own menacing face, grins and runs screaming that it's seen someone else preparing to attack.


So now we have the news of the US virus war program being used to justify the argument that others, Iran included, are readying cyberattacks on us. Digital 9/11s.


It takes a special kind of low and shady character to do this so smoothly. And a special lousy mainstream press not to point it out.


A good working example, from The Hill, yesterday:


The revelation that the United States used a computer virus to damage Iranian nuclear facilities has added urgency to a push in Congress for cybersecurity legislation.


Top administration officials, such as National Security Agency Director Keith Alexander and Homeland Security Secretary Janet Napolitano, have long argued that the nation is at risk of suffering a devastating cyber attack ...

Paul Wolfowitz, a former Deputy Secretary of Defense under President Bush, said he hopes the news of the attack would "put some added urgency" on Congress to pass cybersecurity legislation.


"Maybe it will raise awareness," Wolfowitz said. "I hope we don't have to wait for the cyber-equivalent of 9/11 before people realize that we're vulnerable ..."


"I hope the urgency with which we must treat cybersecurity issues is becoming clear to policymakers," Rep. Jim Langevin (D-R.I.) said. "Putting aside the anonymous sources in that story, we know that foreign adversaries are developing capabilities to harm us and our interests in cyberspace. We must be proactive in strengthening our cyber defenses now, before a major attack, and this requires comprehensive cybersecurity legislation."


Yes, it takes mucho gall to twist the American virus war against Iran around until it's a convenience for claims that others are about to launch "devastating" attacks and that we should immediately beef up cybersecurity.


It's so rotten to the core the eyes water just scanning it.


As for Paul Wolfowitz, he's certainly a man for the job. Everyone will remember (although the Hill chooses not to recover the ground) him as one of the disgraced architects of the pre-emptive war to find non-existent WMDs in Iraq. His name, as it turns out, is not to difficult to find associated with a singularly unpraiseworthy description -- like this -- through Google.


Quoting further:


[Adam Segal], a fellow at the Council on Foreign Relations, said the attack may actually undermine the moral authority of the U.S. government.


"If the U.S. is trying to get the owners of critical infrastructure to agree to certain standards for security, and it turns out we're creating the malware to attack it, it becomes slightly more difficult," he said.


Slightly more difficult is a bit of an understatement. The situation is untenable and I'll explain why much better than anyone can at some now obsolete hideout of the swells.


Our national malware writers have created an environment where the objective is to discover and keep secret security vulnerabilities so that they may be exploited in ongoing and future attacks. This is anathema to the international computer security model which spends considerable time and money researching and finding holes so they can be patched.


You can't have both operations existing side by side. It's indefensible and a conflict of interest. However, arms manufacturing companies have no problems with such things. They will only be too happy to provide defense and offense at the same time, with one operation discovering flaws and keeping them secret and another operation, allegedly, doing the opposite.


But, internationally, how can you trust such a business? You can't.


The anti-virus companies know this. So do most computer security companies, I would think. In fact, at the beginning of the a-v industry, and I've written about this, there was always a suspicion among a hard core of conspiracy minded people that the anti-virus industry wrote viruses to help grease its business. It did not although one minor company did hire the hacker who wrote the virus that knocked the US Secret Service's network off-line in 1993 to write cures for his viruses.


And I'll give you a link to this historical item in a moment. It's a good illustration of the badness of such a situation.


Anyway, the US academy has been charged with training people in computer security and it is these programs which will furnish graduating students, some of whom may be hired by arms manufacturers/contractors to write malware. In fact, they have probably already trained people presently working in the US virus war program.


In such cases the computer security academics will be put in the same hard position as anti-virus companies. Some of them will know they have readied people who are producing state-sponsored malware.


Maybe some will be OK with it. But some will find it ethically troubling just as many scientists don't want money from DARPA because they believe it will largely result in things that make the world a worse place.


In other words, the US has created an untenable situation for itself. It has cultivated a poison tree and wants everyone else to trust the fruit.


Once again, we are shamed by the national security infrastructure and our leadership for reasons of short term, short-sighted, often just plain venal business gain.


This is hardly new. Unfortunately it's been the on the record of standard behavior for the last dozen years, at least.




Here's the item on a virus-writer hired by a small anti-virus firm to write cures for his computer viruses, back in 1992.


The virus-writer, nicknamed Priest, had produced a computer virus called Satan Bug. In 1993, Satan Bug crashed the network of the US Secret Service, which saw fit to visit the hacker and quiz him on the matter. That story is here.


The incident led to a job offer from a minor anti-virus firm, a job that eventually could not be supported.


The hacker was hired to write cures for a virus he created that was infecting computers.


Excerpted:


Looking over [his] virus once more, Priest sardonically concluded that his disinfector made it clear the hacker had made [it] a little too easy to remove from infected systems ...


The US Secret Service began monitoring the hacker again ...


The entire business relationship of a famous virus writer at an anti-virus company proved totally unworkable. Paranoia escalated, trust was impossible. Priest was a hot potato. He was eventually let go.


The rest of the incident is here.


It boils down to a matter of trust. You've sacrificed all confidence and moral high ground in the argument for security for cyberspace when it is revealed you were or are working assiduously, in secret, to subvert it.


Viruses are now glibly described as directed, untraceable, eminently deniable weapons.


This is way too simplistic. Computer viruses splatter. They glitch, wind up where they shouldn't be, are copied by others and always lead to more compounding trouble.


While anti-virus software developers and others are still talking about the difficulty of attribution in virus attacks, there will come a time -- just as there has in the past with regards to a handful of other famous virus writers -- when they find out who, specifically, is behind the code from a national program.


Now eyes and ears are open for any clues, any leaked or captured information from the US virus war machine.


Everyone who writes viruses slips up sooner or later and someone in the international or domestic anti-virus business may eventually have a name, or names. When they get them they should immediately publicize the information.




Originally published at Dick Destiny blog. About the author.

 
Subscribe to SitRep:
GlobalSecurity.org SitRep RSS Feed GlobalSecurity.org SitRep ATOM Feed