Schneier on Security
A blog covering security and security technology.
« FBI and the Future of Wiretapping |
| Using Language Patterns to Identify Anonymous E-Mail »
March 11, 2011
Video Interview with Me
This three-part video interview with me was conducted at the RSA Conference last month.
Posted on March 11, 2011 at 1:11 PM
• 18 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
A good series of interviews. You made some good points.
A couple points from my view.
I agree with your notion of a "Cyberspace Treaty" as being valuable even if it's honored mostly in the breach. As long as there are discussions about what should be allowed and not allowed in "cyber-espionage" and "cyberwar", at least some awareness is built into those activities which might serve as a brake on more dangerous activities by states.
Where this falls down is precisely in the case of something like Stuxnet. You said that we can't really be sure who was behind Stuxnet because of "false flag" operations, mentioning China as a possible suspect (no doubt because it has the technical capability).
I've followed the Iran nuclear crisis very closely for several years now and it's clear to me that China is not a suspect for Stuxnet (absent some weird aberration in their command structure - which as you suggested is potentially a problem in this area.)
The ONLY likely suspects for Stuxnet - assuming at least that the target was indeed the Iranian nuclear energy program, and not, for example, the Indian nuclear weapons program (in which case China would definitely be a suspect, as well as Pakistan) - are, in order, Israel, the US, the EU, and perhaps Saudi Arabia or Pakistan. I omit Russia, China, and most of the rest of the world as not having the motivation because virtually all of them have no problem with Iran's nuclear program.
The point is that you can have an active treaty between the larger powers - the US, China, Russia, the EU - on cyberwar. But when you have a situation in which one or more of those countries, or smaller countries with high motivations like Israel, 1) view it as in their national security interests, or 2) view it as in their economic interests, to engage in these things, especially against countries with little retaliatory capability, they're likely to happen anyway.
And that opens the door to such attacks "breaking out", as you noted. Stuxnet is the perfect example here, because as we know it attacked systems in India and elsewhere as well as Iran. How it moved between countries should be a matter of extreme concern and investigation if it was intended solely to attack one country.
And especially when those "national security interests" are in fact "national - or more correctly, corporate - economic interests" - as is the case in the US - these sorts of attacks are going to be done outside the context of any treaty.
Iran is the perfect test case because the obvious justification for this attack was its alleged nuclear weapons program. However, both Israel and the US KNOW that Iran does not have, and except for a probably forged laptop and some probably misinterpreted SIGINT intercepts, has never had a nuclear weapons development and deployment program (as opposed to a possible nuclear weapons research program intended merely to learn weapons design).
Stuxnet allowed two nations to attack another sovereign state primarily to put pressure on that state for other reasons. The only logical motivations for Stuxnet are 1) to prevent Iran from even having a "Japan Option" for nuclear weapons (meaning the technical capability and enough LEU lying around to "breakout" and make nukes at some point in the future, a la Japan), or 2) to attack Iran's nuclear energy program as part of an overall intent to destabilize and overthrow the regime.
Stuxnet was not needed based on the available intelligence about Iran's nuclear program not being a nuclear weapons program. So Stuxnet therefore was created either for other reasons or because someone at a lower level of authority believed it was needed because of an alleged nuclear weapons program.
This suggests that Stuxnet was designed and implemented by Israel and/or the US on a lower level than the highest command authority. This is a danger as you correctly noted. In this case, Iran had little or no retaliation capability. But we still had a "breakout" that threatened systems in India and elsewhere.
And now we have reversed engineered - or at least decompiled - versions floating around as a result of the HBGary hack.
So I would say there needs to be not only a "Cyberwar Treaty", but also within nations a top-down control of the development and dissemination of such weapons in the same manner that nuclear weapons development are controlled from the highest level.
But this still won't stop certain nations with essentially bad intentions from developing and deploying them.
The irony is that it probably won't be nations like Iran or China doing it, but the so-called "democracies" like the US and Israel doing it allegedly to "protect the world" from non-existent threats but in reality for their own reasons - precisely like the Iraq war.
A good interview, but short, though to the point. Thanks Bruce.
Slightly off topic (but hey where's the squid ;)
We talk about cyber warfare between super power states.
However less is said about countries divided...
North and South Korea have been effectivly seperated since the Korean war effectivly (for the North) over a life time ago.
Well as some people know the US has been trying to forment trouble with the North ever since and untill very recently the war has been of words screamed across the nomans land of the demilaterized zone.
And then a South Korean vessel supposadly got torpedoed by the North (how ever the evidence is to put it bluntly not entirely convincing based on the peculiar behaviour leading upt to the event and subsiquently.
Well more recently the South carried out live firing excercises with US participation and fired toward the North from strongly disputed waters.
The result this time was the North retaliated and shelled a disputed island.
The North have made it abundently clear that they believe they where on the target list for stuxnet and have very clearly shown they have a couple of thousand centrifuges up and running in full production at the site of their old now decommissioned plutonium plant.
They made it abundantly clear what the yeild is but refused in any to show the inspector they had invited the control room.
Well very recently there are stories of GPS being wiped out in the south by the north (however some of the stories don't hang together unless their are agents from the north with equipment in the south...
Any way there have also been reports of "cyber-attacks" as well
Have a look at the South Korean perspective (/hype) as well as the links at the bottom of the page,
I suspect that relations between the North and South are rapidly deteriorating and unfortunatly US foot prints are all over it.
I suspect that things are building up rather more than they have in the past the reasons are unclear.
However what is clear is the US has repeatedly made promises about fuel oil and other resources in return for North Korean co-operation however when the North have co-operated the US has renaged on the deals.
It is well known that the North has a reliable delivery system with atleast a 600KM range (and may be twice that) and had got to the point of launching test systems four space bourn platforms.
It is believed that the north has sufficient plutonium and other nuclear material to make upwards of ten crude but viable nuclear weapons.
I would say the situation bears watching quite closely over the next few months, to see if it pushes into conventional warfare or not.
@Clive Robinson, not trying to take anything away from Japan, but the possibility of a nuclear leak might not do good things with north/south Korea if that conflict happens
off-topic: The TSA is going to re-test airport full-body Xray scanners after maintenance records on some of the scanners showed radiation levels were 10 times higher than expected.
"not trying to take anything away from Japan, but the possibility of a nuclear leak might not do good things..."
I think from what has been said there has already been a nuclear leak from one of the reactor halls. What is not clear is what caused the explosion.
It is not unknown around here that I am not particularly fond of or even in favour of most of the nuclear reactor types we have. More so as they actually destroy a resource (uranium) that we have little or no hope of replenishing. Nor do we have any viable plans for dealing with the longterm waste (ie 250,000years). The oldest human technology on the planet that still does what it was designed and built to do is effectivly the Egyptian pyramids at around 4000years and we realy have no clue as to how they were built (yes I know there are stone circles etc but would you call them useful technology?). Of the other technology of the time surviving which we know sufficient about is beer and wine making...
We don't even know how to reliably make a battery that will still work after 100years to provide telemetry from within the sealed concrete sarcophaguses we glibly talk about.
And here we are just a handfull of years into the use of Japans nuclear reactors and many have failed due to not unexpected earthquakes that may well re occur between 5 and 10 thousand years.
I suspect there will be a lot of people asking questions over the next few months about if we should actually push forwards with the nuclear reactor designs many European and other Nations around the world are dusting off in preperation to use.
@Clive Robinson, supposed they have a design TRAGIA ,the uranium is in fused with Zericrom(spelling, sum Hydrogen thingy), to make it smart/idiot proof. When it starts heating up the metal above slows down the release of neutrons, cooling it down automatic even with no water in there. I think it was small units not plant sizes though.
Is England thinking about build re-breeds, the waste changes some element below uranium to uranium, with a small amount of Plutonium left over.
Good book about it. Orion, nuke powered space ship. and Jerry Pournelle(A step farther out)
Clive: Agree about North Korea. I've been watching that along with the Iran situation.
The distinguishing feature between the two is that it's not NK's nukes that deter the US from starting a war there, but the NK's massive conventional military. They have old hardware, but plenty of it. Not to mention somewhere between 120,00 to 200,000 Special Forces troops who are seriously bad dudes. The Pentagon has wargamed another war with the North and concluded the US would sustain 50,000 casualties in the first ninety days.
One of the problems is that the current head of South Korea is big on "reunification" on his terms, and some people consider him more dangerous than the North's leader as a result. Couple that with Obama's ham-handed foreign policy and there is indeed a risk of escalating tensions.
As for Japan, they've had problems controlling their nuclear technology in the past, even without the earthquakes, IIRC. Now they've lost control of TWO at the same time. And once explosions start occurring, that is definitely not a good sign. It means that not only are they venting radioactive steam, now its radioactive smoke.
@Clive Robinsonm ,shit my internet connection is getting cut off
"... my internet connection ..."
I have similar probs I use an LG android phone that has a slide out keyboard but unfortunatly a buggy keyboard driver. It occasionaly take s a real walk on the wild side others it just stops either way it needs an anoying hard reboot including sometimes taking the battery out....
With regards TRIGA reactors and their uranium-zirconium-hydride (UZrH) fuel, the reactors are used mainly for the "excess neutron production for research". Thus I'm not sure what it's characteristics are for efficient electricity production in terms of MW(e)/gram.
Most electrical power generation is by turbine and frequently this is driven by steam or super heated steam which you would be lucky to get 40% efficient convertion out of. And this is of course preceaded in the case of "water" reactors with one or two other thermal loops and their inefficiencies and those of the heat exchangers. So some nuclear reactors are lucky to reach 25% conversion which is not good.
Turbine technology like other heat engines tends in practice to be more efficient the higher the temprature differential and in practice the easiest way to do this is to change the turbine working fluid to something like a super heated light atomic gas in the 500-1000 degree range. Hydrogen has been tried in some powerstations but has some distinct disadvantages. The next gas down which has the advantage of not only being effectivly inert is helium it also has other usefull properties when used to circulate through the core of a nuclear reactor. In practice this means that single thermal loop reactor designs are possible with the attendent efficiency increases.
TRIGA fuel has as you noted some rather benifficial advantages as does TRISO fuel. One of the proposals for Gen IV reactors is the graphite moderated gas cooled Very High Temprature Reactors (VHTR) such as the graphite prism/sphear designs.
One such design is the "pebble bed reactor" which on paper looks like an excellent idea. However the two built in Germany have had operational difficulties and both have long since been closed down.
Other Gen IV designs are touted as having advantages such as burning long half life by products so that the waste hazzard is reduced from multi millennia to multi decades.
However all the designs are effectivly "theoretical" and are unlikley to be built in my life time, whilst our pressing energy needs have already started so many politicos are looking at "quick and dirty" as are the likes of a number of non permanent UN security council member countries (Iran, North Korea, Pakistan, etc).
There is also another problem with theoretical designes usually the prototypes have issues both unexpected technological (think Winscale fire) or human operator (Chernoble) or a combination of both (Germany's thorium pebble bed reactor at the time of Chernoble).
As has been noted by the well respected nuclear engineer David Lochbaum (Director of the Union of Concerned Scientists Nuclear Safety program) nuclear accidents usually happen as a combination of new designs and human failing...
So currently "you pays your money and makes your choice" "with fingers crossed". Only in the West it's very short term thinking Politico's rolling the dice.
China for instance has plans to build something like 90 pebble bed reactors, whilst South Korea is pushing forward with third generation fussion research...
@ Richard Steven Hack,
"One of the problems is that the current head of South Korea is big on "reunification" on his terms and some people consider him more dangerous than the North's leader as a result."
From a 20,000ft perspective re-unification or atleast the lowering of the board would be benifficial to both halves of Korea.
The Noth has both manpower and some resources which the South lacks, whilst the South has technology and finance the North lacks.
Ideologicaly however the two peoples have spent what is effectivly three or more generations appart. And in that time the South has gone from almost third world aggrarian based with a poor population in the low millions to one ot the worlds larget exporters. In many respects the North has gone backwards as a society. The divide is worse than Germany and the re-unification will not currently be by the will of the people but by the respective political incumbents.
There is also another issue German re-unification was possible not just because of the collapse of the East German political system, but importantly by the collapse of the old CCCP and it's inability to dictate to it's satellite buffer states. This is not true of China that appears to be moving from strength to strength economically, technologically but importantly militarily.
Although China is no match for US forces, unlike the US they are very likley to back the North against the South when push come to shove and the US is currently militarily overstreached currently and could not commit to such an action.
Worse it might well provoke China to act against the likes of Taiwan to further secure it's borders. Japan is unlikley to want to get involved in any way shape or form with either side. Likewise most other nations in that area are likley to be of help to the US.
If I was Obama I would consider the fuel oil to be very cheap in comparison to the potential alternatives and would be busy "making good" to as it where pour oil on those troubled North/South waters before they become a tempest.
However neither I nor my Korean friends are on the ground out there (though some were last month). And although I don't currently have an armchair to be a warrior from it would be easy to make an incorrect estimate of the situation.
That said, like you my Korean friends and I will be keeping a close eye on things (and our fingers crossed).
Opps a few corrections...
Odd I did read through it before pressing post but...
1st para, "board" should be "border".
5th para, "currenly militarily" should be "militarily".
6th para, "likely" should be "not likely".
I hope that's all the important ones...
With regards the TSA and Rapiescan scanners in the USA Today report, the following caused the short hairs on my neck to rise,
"The TSA is responsible for the safety of its own X-ray devices. The U.S Food and Drug Administration has said it does not routinely inspect airport X-ray machines because they are not considered medical devices The TSA's airport scanners are exempt from state radiation inspections because they belong to a federal agency"
Who watches the watchers...
Such lack of oversight with medical radiological devices caused quite a few patients to receive considerable over doses to their considerable harm in the US in the past...
It looks like Japan has lost three nuclear sites on the north east coast and with them 20% of the countries electrical power.
One consequence of this is other utilites (water gas comms) will be critically effected by this.
Sadly Japan has through a natural disaster of, off shore earthquake and consiquent tsunami and critical flooding suffered the equivalent of a "doomsday scenario" that some of the "cyber-warfare" proponents have been talking about.
In the UK the press have already started pulling out nuke scientists to make comment, I suspect the same will be happening in the US.
However in short order the consiquences of the loss of power is going to bring up "cyber-warfare" and I suspect you will get called "to make comment" at some point over the next week.
As for the secondary effect on Japanese. industry in that area I'm not sure what's there, however with 20% loss of generating capacity all of Japanse industry is likley to suffer in a major way. Some stock market types are already muttering about "back into global recession" I'd keep an eye on the European stock markets early (your time) tomorow and see what happens.
Good interview. I'm slowly starting to move towards Bruce's position that there may be good reasons after all for policy makers to get serious about debating the concept of cyberwar, its definition and its rules of engagement. Not just for the dialog only, but also to find common ground criteria to differentiate between cyberwar, cyber-espionage and cybercrime.
With the word becoming increasingly popular and hyped, it's just gonna be a matter of time before reich-wing politicians will try and usurp it into their daily conversation to strike even more fear into the heart of gullible citizens. Even if there was dialog only and potential treaties hard to enforce, it would be a good thing if all actors - state and non-state alike - could agree to the meaning of the word before we all start accusing each other of an act that has a different meaning depending on where you stand. The Romans were also but too keen to resort to treason if they couldn't pin something else onto someone they needed to get rid of.
On a related sidenote, I am a bit surprised that with regards to Stuxnet, nobody is mentioning the fact that now-retired Israeli general Gabi Ashkinadze recently took credit for that operation.
@ Dirk Praet,
"I am a bit surprised that with regards to Stuxnet, nobody is mentioning the fact that now-retired Israeli general Gab Ashkinadze recently took credit for that operation."
I think it was mentioned in passing on one of the many Stuxnet related pages on this blog.
However the way the claim was made (supposadly in his retirment claim to fame video) has caused a number of people to be cautious about the veracity of the claims.
Especialy with other odd claims of Israeli involvment such as providing test facilities to the US, it just does not hang together.
The simple fact is for most of the world the finger points at the US and it's war against it's list of "Axis of Evil countries" and a few others that had Pakistan's "rouge father of nuclear tech" AQ Khan's technology not just Iran.
And even if it was not the US targeting these countries some of them (North Korea) certainly have demonstrated that they belive they were targeted by the US.
And that view perhaps is more important than the limited benifit stuxnet might have achieved.
It appears that in the rush to write it up as a success against "Iranian WMD threat" in the US that many, have forgoton that countries not just those that are seen as unfriendly to the US and or Israel have serious asperations to nuclear technology.
Many nations regard the command of nuclear technology as a National Security issue for reasons other than weapons. Oil and gas are running out and coal and other fossil fuels have a very large "carbon footprint attached". For instance most European nations are dusting down the shelved plans of nuclear energy plants.
Thus many outside of the US have seen stuxnet as a significant covert attack by the US attack against another nations sovereignty, in an effort to bring an independent nation into "vassal status" such that it's resources could be plundered (as with the Iraq war).
That is they regard Stuxnet as a potential first "military" step by the US in a covert war on "energy rights". Where control of a nations energy supply via access to fuel and technology will be used for political ends. And thus for many small countries make all the difference between being an industrialised first world and not even an agrarian third world country....
And they have good reason to think that way, we have already see some super powers using energy as an extension of state influance (see what Russia has been upto with gas etc).
And from a historical perspective we have wars over "water rights" that pre-date written history that are still effectivly going on to this day (have a look at the course of major rivers in the middle east and Africa and where dams etc have been placed, especialy where funded by the World Bank).
India for instance historicaly had seen many water rights conflicts in its past and was thus only to aware of what energy independence was worth and grabbed at it which every way they could (see the history of their nuclear development).
Britain gave back Hong Kong to China with hardly a murmer why?
As Margret Thatcher clearly pointed out to Journolists China controled the water supply and could (and had) turned it of as and when they felt like it. Likewise some electrical power.
Israel activly uses the control of energy and water to various parts of the occupied territories for exactly this reason.
Thus to many people outside of the cosy first world nations know first hand what sort of slavery results from having others control your needed resources of energy and water.
Currently many countries know that fossil fuels are not viable in the longterm and it could take 20-30years to develop a viable alternative by which time fossil fuel oil would very likely be 2000-4000 USD a barrel if it's even available and synthetic oils from biomass likewise very expensive and carefully controled as it would be viaing with food supplies for the 8 billion or so people on the planet.
Some see nuclear plants on sea boarders as a way not only to produce energy but also utilise the 75% heat loss as a way to provide large scale desalination that would alow many arrid areas to be used for food production.
Others see high temprature reactors as a way to effectivly crack hydrogen out of water to provide a replacment fuel for motor cars and the like. And surprisingly a more efficient way to transport energy than overhead power lines. That is you use a nuclear reactor to provide piplined hydrogen gas to conventional existing gas fired power stations or much more efficient very high temprature turbine generating plant.
I totally agree on the strategic importance of nations controlling their own energy needs and supplies. However much I abhor the concept of a theocracy or islamic califate under sharia, Iran is well in its rights to pursue a nuclear energy program and I yet have to see any form of conclusive evidence that they are actively developing nuclear strike capability. Ever since the WMD lies about Saddam's Iraq, I'm treating any such allegations with some serious skepsis, especially when the accused party is part of the so-called "axis of evil".
That said, and drifting a bit off-topic, I also remain totally inconvinced of nuclear energy in it's current incarnation being a valid alternative for fossil fuels. As long as technology cannot provide viable solutions to nuclear waste disposal and potential core meltdowns, it's just like playing with fire knowing only too well that it is just a matter of time before sooner or later the house burns down. Although the nuclear lobby is doing its very best to promote its product as "cheap", "green energy" and "the only alternative to fossil fuels", I am not buying it. Unlike certain others (see yesterday's article in the Register @ http://www.theregister.co.uk/2011/03/14/... ), the recent events in Japan have definitely not contributed to changing my mind on the issue.
Perhaps I'm biased, living in a densely populated area less than 20 miles away from several reactors where any Fukushima-like event would imply evacuation of about 907,000 people on a total of about 11 million, and in a country where 51% of all electricity produced is of nuclear origin. In addition to that, production is entirely in the hands of one monopolist foreign player (the French GDF-Suez Group) that has managed to keep any other producers off the market and which our totally incompetent government has been unable to regulate in any way to the point that a recent study has shown that we will be facing shortages in the near future, allowing the b*st*rds to raise their prices even more on top of the 20% increase they already billed us last year.
Call me an old hippie, but it is totally beyond me that oil and nuclear lobbies have now already managed for about fifty years to successfully block research, development, implementation and acceptance of renewable energy which in my opinion is the only viable long-term solution to the planet's energy needs. Oil reserves are running out. And uranium reserves aren't infinite either.
PS While writing, I just received several NHK tweets of an explosion at reactor 2 and a 10,000x increase in radiation levels.
what would calcium carbonate do to the nuclear reactor?
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.