Schneier on Security
A blog covering security and security technology.
« Another New AES Attack |
| Eve Ensler on Security »
July 31, 2009
More fearmongering. The headline is "Terrorists could use internet to launch nuclear attack: report." The subhead: "The risk of cyber-terrorism escalating to a nuclear strike is growing daily, according to a study." In the article:
The claims come in a study commissioned by the International Commission on Nuclear Non-proliferation and Disarmament (ICNND), which suggests that under the right circumstances, terrorists could break into computer systems and launch an attack on a nuclear state triggering a catastrophic chain of events that would have a global impact.
Without better protection of computer and information systems, the paper suggests, governments around the world are leaving open the possibility that a well-coordinated cyberwar could quickly elevate to nuclear levels.
In fact, says the study, "this may be an easier alternative for terrorist groups than building or acquiring a nuclear weapon or dirty bomb themselves".
Though the paper admits that the media and entertainment industries often confuse and exaggerate the risk of cyberterrorism, it also outlines a number of potential threats and situations in which dedicated hackers could use information warfare techniques to make a nuclear attack more likely.
Note the weasel words: the study "suggests that under the right circumstances." We're "leaving open the possibility." The report "outlines a number of potential threats and situations" where the bad guys could "make a nuclear attack more likely."
Gadzooks. I'm tired of this idiocy. Stop overreacting to rare risks. Refuse to be terrorized, people.
Posted on July 31, 2009 at 6:00 AM
• 42 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I'm going to start a bottled water business, and provide "New Clear" to the world!
That should get peoples attention :-)
Under the right circumstances, terrorists could let a butterfly flap it's wings, letting the disturbance ripple outwards, creating changes in the flow of the upper atmosphere. These create pockets of higher air pressure acting at lenses that deflect cosmic rays that then change the state of nuclear power plant control computers, thusly leading to a nuclear detonation and the end of the world.
Please excuse me while I barf in the guardians general direction.
I saw this movie, but I didn't think the WOPR was connected to the internet. Good grief.
Of course there’s the mandatory fireball / mushroom cloud picture at the top of the page. I don’t think we’ll ever see a time when risks are rationally judged. Our brains are just not designed for the modern world. There will always be unreasoned, irrational, highly emotional stories like this. It’s a sad fact, but fearmongering is in our nature.
If newspapers with these headlines didn't sell so well, the media wouldn't be encouraged to find anything they can use to generate them.
Refusing to consume media would go a long way towards "refusing to be terrorized".
If you want a good read of the real protections nukes have, try reading chapter 11 of Security Engineering by Ross Anderson. The first edition version of the chapter is available at http://www.cl.cam.ac.uk/~rja14/Papers/SE-11.pdf - there are a LOT of safeguards in place. As for other countries, the USA has been generous in sharing its control technologies with them, so they know only a few people in each country could actually launch nukes against the USA.
...and it turns out that the whole article was actually just a review of the movie Dr. Strangelove.
Chris K., John, emacs 23 was released with the butterfly mode -- there's your terrorism risk right there! Open source is making their lives easier!
"Stop overreacting to rare risks"
I wish everyone thought like that. Even if crazy security mesaure are put in place to stop a 1 in a million attack, there will be another 1 in a million attack that could be used that will be just as effective. If we keep implementing measures to stop crazy "what if"'s we will eventually be living in a complete police state.
Utter FUD - go team media!
In 1958 the USAF's classified evaluation was that the USSR had over 150 nuclear-capable missiles. That was the basis of the famous "missile gap" that became the subject of such extreme anxiety during the Kennedy administration that (among other things) it shook loose the funding for Apollo. In reality, the USSR had four (4) such missiles in 1961 - three years later.
When George W Bush invaded Iraq, the declared reason was to prevent Saddam Hussein from using his arsenal of "weapons of mass destruction". After the invasion, it was established that Iraq, in fact, had no WMDs at all.
And today, we are assured by the government-backed media that Iran will pose a deadly nuclear threat any day now. (As we have been assured for at least five years).
These are just three obvious cases that come to mind, but the strategy of exaggerating external threats has been used continuously since WW2. Its basis is simple and obvious: tell the citizens that the government (obviously the only reliable source of information) knows of a deadly threat, and they must all fall into line and obey orders. Anyone who cavils or criticizes can then be depicted as obstructionist at best, and an enemy agent at worst.
If you are the government, what's not to like about this strategy? Well, apart from the fact that it relies on systematic lying, and is apt to trigger unnecessary wars from time to time - it fits the classic pattern of "crying wolf".
One day, there may emerge a genuine threat. But no one will believe a word the government says about it.
I think this article is great. You would have to be really daft to think that this sort of scenario would be likely. Having been made to think once, you might be more likely to think the next time.
Yes, it is ridiculous for policy wonks to ride on the back of terrorism when making these sorts of pronouncements.
Of course, their overarching point is that the more nuclear weapons we have stockpiled, and the more countries become nuclear weapon capable, the greater chance of a terrible accident (or forced accident) occurring.
We've come pretty close a few times (didn't Russia nearly launch a full attack once based on bad radar data showing ICBMs coming over the pole?) and those are just the times that were noticed and reported to non-military types. There are more than a few nuclear weapons (unarmed, we are told) rolling around at the bottom of the ocean, too.
I'm with the policy wonks on their main argument: no one is smart or lucky enough to stockpile nuclear weapons. In terms of risk analysis, simply having a military industrial state with access to nuclear weapons is quite risky.
I find this comforting, in a parochial way. Every time I feel that the U.S. media has cornered the market in gullible, breathless, sensationalist journalism, along comes the Guardian to show us how the pros do it.
It's remarkable what they can be gulled into publishing. Just bait the hook with an alarmist report or press release from some official-sounding source, be it never so wacky, and you can reel them right in.
"Hello, Mr. bin Laden. Would you like to play a nice game of Global Thermonuclear War?"
The Guardian published that? Good grief. I'd like to think that it was a temporary aberration on the part of a otherwise reputable newspaper.
Mind you, the dear old Grauniad's "Technology" section is pretty lame these days. Except, of course, when it features one of Bruce's essays.
This story demonstrates the importance of turning off the "nukes over IP" service that comes installed out-of-the-box with Vista. (To be safe, you should also block ports 235 and 239.)
Reminds me of this old Weekly World News article: http://bit.ly/3Fc04U
That's right folks; hackers can modify your CPU, and change it's molecular structure so it has the explosive potential of a large hand grenade. :P
(didn't Russia nearly launch a full attack once based on bad radar data showing ICBMs coming over the pole?)
Nope. that was us. BMEWS "saw" the moon rising and "thought" the returns from it were associated with later outbound pulses.
(For suitably loose definitions of "saw", "thought", and your "nearly" :-)
Some guy named Nyquist may have had a little chat with them after that. :-)
@Anonymous Reader: "The threat here is that we get in a crisis, and a cyber-attack happens, it gets traced back to the country we're having trouble with (or just blamed on them without any forensic research), and then we launch."
Or the actual source of the attack is obscured and it gets traced to a country that is actually not involved at all. We don't verify the integrity of the information, and we launch a physical attack against the wrong country. That would be a great way to start a war.
"Governments can be stupidly paranoid. This problem is all the internets' fault."
>didn't Russia nearly launch a full attack once based on bad radar data showing ICBMs coming over the pole.
Yes. Generally, it takes longer to determine that the launches are real or imaginary than it would take for real missiles to deliver exploding nukes over the target. Consequently, every officer who's been in this situation has been relieved of command afterwards.
Why not go for the more traditional approach and have the butterfly flap its wings and cause a hurricane?
OMG: Perhaps Katrina vs. New Orleans was a terrorist attack!
Over at wired they list 51 conspiracy theories that don't exist but probably should. I suspect number 7 is true: "The government has secretly taken over all aluminum foil manufacturers to embed transmitters in every roll because for a while there, they weren’t able to read our minds.". how else could they come up with this stuff?
@Peter, that's the one I was thinking of. My take-away from that story is that one human actually disregarded policy, procedure and fail-safes in order to halt a launch sequence.
Three thoughts on the matter,
1, In a world run by accountants "anything" and I do mean "anything" can happen in the name of "efficiency". The stranger and less sense it makes the more likley it is to be done...
2, I thought the "silly story season" due to a "slow news summer" was not due till August, obviously th Grauniad has been disturbed by the changable weather we have been having the past few days.
3, And something that realy has made me wonder if the pain killers are making me halucinate which is Bruce saying,
So on the assumption I'm in "cloud cookoo land" how about a spot "summer silly season" disaster senario competition?
With simple rules,
1, It has to actually be possible.
2, It has to sound so far off the wall that it sounds impossable.
3, It must have an insane cost accounting / saving element as it's justification.
4, It must have a scare potential to frighten even the most jaded red nosed hack out of their underware...
5, extra points for using "Douglas Adams" logic.
Nope. that was us. BMEWS "saw" the moon rising and "thought" the returns from it were associated with later outbound pulses.
Fortunatly since the target didn't appear to move in the right way people soon realised what was happening.
Terrorist have tried to engineer the heart of gold improbability drive, all they have to do to carry out an attack is to calculate how improbable it is and it will instantly occur. Our only luck is that they are bad mathematicians.
I should should specify how the terrorist improbability drive works: The terrorist think up some attack, then calculates the improbability of the attack actually succeeding. This improbability is inverted once published on the internet leading to a conspiracy craze. This eventually causes the west to launch the attack themselves on home soil.
Yes, I do mean inverted: Using this mechanism a clever attack may succeed a billion out of one times!
Well we should immediately legislate against storing documents anywhere other than in the "My documents" Folder. How else are you going to mitigate against this risk.
It's pronounced "nu-cu-lar." Sheesh.
I just wrote the tech liaison at the Guardian. This resurgence of yellow journalism really pisses me off. It reminds me of an article I clipped from the Weekly World News some time ago (http://www.geeksaresexy.net/wp-content/uploads/2008/05/computer_bomb.jpg). What's worse is that there are bloggers who are allowed to post under the banner of newspapers like the LA Times or the Wall Street Journal (http://latimesblogs.latimes.com/booster_shots/2009/07/nipple-medicine.html) who clearly don't do their research. Meh, it's only ethics, right? Welcome to the 21st century.
A study of views voiced down at the pub.
There's a word that you don't hear nearly enough.
@Ganely " I didn't think the WOPR was connected to the internet"
Nah one of our contractors in sunnyvale screwed up and left a network avaliable via PSTN. (sound familar?)
Anonymous reader made a point I intended. Current military thinking includes response with kinetic kill. While that shouldn't include
nuclear escalation people in the heat of conflict need cool judgement. And judgement is a volatile.
But after reading the article and trying to get a bead on ICNND agenda (An Australian / Japanese gov't disarmament working group - they are legit, official and with a decided disarm agenda.)
I think I see their point. If you can feed in disinformation that the machines believe is real then they act. And if a military has implemented a wargames paradigm where people don't make decisions this could be a risk if you are able to break into their communication channels.
That's a big if. The US/UK/china/israel/India and Russia I'd trust to keep their comms secret from everyone but each other. The French I don't know, Pakistan is questionable, NKorea doesn't have a hackable footprint I'm aware of. AND there would have to be launch vehicles that are ready to launch so that leaves out India/Pakistan/China and NKorea (possibly Israel).
Hackers triggering a nuclear launch when the nation state has to put the missle in the silo, fuel it, aim it and launch it?
It does seem thin but i have yet to read the report and put it into an attack tree.
@G. Bush: Plagiarist! I said it first!
@J. Carter: Great minds think alike, eh?
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.