This is quite important for the current debates we're having. If you look at the news media, or the Hacker News front page for that matter, you stumble upon articles accusing China and Russia to hack into foreign governments regularly. Similarly, China and other asian countries are often accused of adding backdoors to their hardware (e.g., routers, switches, telco equipment). The only* backdoors ever found in hardware were found in hardware build by US-based companies. And, of course, Stuxnet is the first example of governments (USA and Israel) attacking a foreign country's critical infrastructure with a "digital weapon." I'm not sure how to feel about that.
*I'm not sure this is still true today
---
Let me add that, when it comes to topics like this one we should probably stick to what we know for sure. Figuring out if code is a backdoor or a bug is already hard enough (not always though). The same goes for attacks. Governments accuse each other of doing a lot of things, and fortunately, sometimes they even admit that they make these claims up.
Oh and please don't take my word for any of this. There are well known and respected people who speak very openly about these topics on conferences like CCC, DEFCON, etc.
I know how I feel about it: I would much rather wars were fought with code and robots than with tanks and bayonets. And I would rather those than CBRN weapons!
Certain countries were going to neutralize that facility. Had to, for survival reasons. The only real question is . . . how? They could have picked a full-scale war. They could have precision-bombed the facility. They could have assassinated the workers. These solutions have all been chosen in the past, in similar scenarios. By comparison with the other options available, Stuxnet achieved the goal in an extremely civilized manner, with no loss of life.
They say the purpose of war is to kill people and break things, but really it isn't -- it's to accomplish objectives, to make people do what you want. The killing and breaking is really just a way to make objectives happen. And the better targeted your weapons are, the better you can make what you want to happen happen with less and less extra mess. Cyberweapons are some of the best targeted things ever dreamed of in the history of warfare. You can disable infrastructure without going within miles of harming a human on either side, military or otherwise. I am a big fan.
To give a concrete example of your excellent point:
You could hack into missile guidance systems and have the missiles all route to the Pacific ocean -- having the boards fritz-out is a MUCH less powerful weapon, blowing up the factory for missiles is much less powerful than that. I'm sure if Stuxnet could make the machinery seem to work but not give them good enough materials to build anything worthwhile, (1) those engineers would have done that, and (2) the public would still not know about it.
This is perhaps the best argument for cyber-weapons, too (the intelligence/espionage element): it inverts the incentives. You build a gun, I need a better gun. You have a bomb, I need a bigger bomb that kills more people and destroys more and more. But cyber-weapons? Best cyber-weapons change the very least possible to accomplish the actual objective.
Breaking the ENIGMA, for instance, didn't change every single tactical choice for the Allies. To do so would eliminate a large portion of the benefits.
The drawback is that they require systematic vulnerabilities to work; therefore the rhetoric for state-sponsored malware demands systems deliberately be left vulnerable to attack, either by failing to fix vulnerabilities found or deliberately inserting them (as in by backdoors)
This has a global effect. The "enemy" uses the same things you do. A weapon to attack them demands weaknesses in everyone's armour, including your own.
They are so easily reverse-engineered and repurposed to attack you or third parties, so easily developed by low-budget or non-state actors, and so easily misattributed, that they exhibit all the same essential properties as biological weapons.
I think state-sponsored malware should be banned, by international treaty, and I say this as someone with expertise in the field.
So, let's tease out a couple ideas here, that way I can address your core idea at its best.
>They are so easily reverse-engineered and repurposed to attack you
You probably meant just third parties here. No one is checking government machine's patch level and demanding an explanation -- if they have the exploit they probably patched any vulnerable systems before they used it.
> I think state-sponsored malware should be banned, by international treaty
So, espionage is largely _already_ banned by international treaty, including fairly specific rules about how, if you are a soldier down behind enemy lines you can escape using a disguise but not if you are a spy (I hope this conveys how bizarre international law is, the idea that if a spy is caught that their use of a disguise will play a factor in their fate).
Suffice it to say, you want a "soft ban", because you want them to not be used in reality (not just that you don't want them used in threat gestures, etc. -- plus you can't really rely on international law for things like this, as we've seen by recent NSA leaks as well as Merkel's response to learning she was personally wiretapped).
----
Most importantly: you have an argument that is too general. You could make _precisely the same argument_ in defense of banning pistols in any wars. (1) enemy is symmetrically offensive; (2) if there exist defenses, your opponent is likely to use them; (3) this leaves you largely unprotected to isomorphic attacks for all useful versions of this weapon (soldiers can still die from gunshot wounds); (4) similar technology can be devised by your opponents; (5) guns can be developed by low-budget or non-state actors; (6) direct attribution for gun crime is difficult (about half of murders in the US go unsolved, and that's not in a war zone).
So governments paying for pistols is too dangerous and should be "soft banned" or banned by international treaty.
I believe you have a more complex belief that would provide for much better discussion (subject matter experts typically do). Would you mind expanding on your ideas and sharing?
> I would much rather wars were fought with code and robots than with tanks and bayonets.
I don't mind Robot Wars either, but last time I checked we have plenty of robots killing nothing but people.
> Certain countries were going to neutralize that facility. Had to, for survival reasons.
Really? I'm pretty sure Iran's nuclear facilities are operating and everybody in the region is still alive and kicking.
I don't mean to offend you, but when you use phrases like "had to" and "for survival reasons" the argument is pretty much over anyway. Furthermore, even if it were true, chances are you and me wouldn't know about it.
I had to read your comment a few times to make sure I was getting the gist of it correctly. Here's what I understood: you are advocating cyber warfare, and are a big fan of it. I understand your point about handling the situation with no loss of life. Great. But advocating war, even if it's cyber war? Wow.
Have you given a thought to this scenario: while deploying the virus, they made a mistake in their code, that leads to a nuclear meltdown causing an explosion, destroying millions of lives and causing a worldwide phenomenon.
Or how about the drone version cyber warfare mentioned by one of the commenters below?
Or let's say the stuxnet virus fell into the hands of a malicious party and they modified it to take down the national grid. Can you imagine the number of accidents that would cause?
Or maybe I'm just a fool and totally misunderstood your comment.
I'm not advocating warfare. Of course, peace is always best, when you can get it.
You can't always get it, though.
Nations have conflicts and need to resolve them. In descending order of preference, I would prefer they resolve them via diplomacy, economic warfare, cyberwarfare, covert targeted operations, conventional warfare, total warfare.
I am glad cyberwarfare exists, because -- unpleasant as it is or could be -- if a nation is trying to accomplish something it thinks is worth the pain of something further down the list, it gives a more civilized way of getting it done.
In a more general sense, war not at the absolute bottom of my list. Horrible as it is, I am glad it exists, because tyranny can be worse.
Not at all. I don't see human history as a fall from peace so much as a struggle upward from a constant state of tyranny and war.
There are whole civilizations now that haven't known tyranny for generations. Where the last invasion is almost out of living memory. Where they try to only go to war for good, moral reasons.
I mean, to come back to the main topic . . . these days, we sometimes settle serious, international disputes by breaking each others' machines.
Sad? No sir. The 21st century is pretty damn awesome by historical standards.
Stuxnet didn't work though. Sure, it very likely damaged some of Iran's Uranium enrichment centrifuges and set their program back by months perhaps, but those months have passed. Iran has a fully capable Uranium enrichment infrastructure. They have the enrichment capacity to build bombs within a matter of months at most. All they need to do is take their existing Uranium stockpiles and run it through their existing enrichment infrastructure. Claims that it would be "oh so difficult" for them to build bombs are Iranian propaganda at best.
Iran has been very savvy here. They've built the capacity to become a nuclear weapons power on a moment's notice without actually putting weapons in service or having nuclear weapons tests. So far they've avoided the worst negative consequences of acquiring nuclear weapons.
You know, this is an example of the sort of vacuous insult that I don't expect to see on HN -- or at least, didn't expect to see a few years ago. Every time I come by here, I'm disappointed afresh by the community, and I find myself visiting and participating less and less frequently. :(
I disagree with a lot of what you said, and can give you a serious response if you want one -- but from your tone, I strongly suspect you don't.
What upsets me the most is that these kind of personal attacks delegitimise the entire argument (which happens to be my argument too). Fortunately, there still are a couple of people here who know the difference between "not condemning" and "advocating."
You think so? I've had discussions on the topic of warfare off and on throughout the time I've been on HN, and they're usually pretty respectful. Indeed, I think that's one of the unique things about this place.
For example, a couple years ago, I had a discussion about drone warfare -- https://news.ycombinator.com/item?id=4957015 -- that covered very similar conceptual ground. I thought it was pretty civil.
Indeed, I would have thought the technologization of warfare was something of general interest to this community, and a legitimate topic of discussion -- being at the intersection of technology and interesting changes in the way the world works. I didn't think it was just stupid politics, but that can be a landmine...
His comment can only be read as "advocating warfare and violence as a solution to nation-state conflicts" if the reader injects it.
If we can add a layer of conflict-resolution between open diplomacy and global thermonuclear war, there's something to be said for the fact that it may provide additional margin before greater escalation occurs.
That's not advocating for war/or violence, that's just responsible conflict-resolution.
It'd be just as fallacious as my saying anyone opposed to cyber warfare must prefer that we cut to the chase and nuke the globe.
You can oppose cyber warfare but also prefer it to something you oppose even more.
I tried chasing down a few of the links mentioned in the comments of https://www.schneier.com/blog/archives/2008/01/nsa_backdoors..., but I hit some dead ends and lack time to give you further detail. Sorry about that. As far as I can tell, the original report comes from Der Spiegel.
I 'heard' that stuxnet was responsible for fouling fukushima (scrambling reactor controls) and similarly beta tested at a US reactor in the south somewhere... but I 'heard' it on the interwebs
I'm not sure how relevant this is given that people claim the purpose of Stuxnet was to attack Iran's nuclear facilities. Facilities like that usually aren't allowed to install software updates anyway. The reason is certification. They install certified software on a machine, and then it gets locked away and nobody is allowed to touch it. Then again, I don't know if this is true for Iran as much as it is for western countries.
I have lost the ability to read a long piece. I feel frustrated when I go to the news site and I am presented with a 'narrative' that seems to hide the real information. I need a paragraph that tells me straight forward what this weapon is about, not a long, obfuscated narrative. It's my fault, I'm not complaining.
I think I know why you're getting down-voted, but it's an interesting and real issue.
If you go a while, mostly digesting only tiny chunks of information, your brain optimizes around that and eventually becomes bad at dealing with longer narratives. (Aside: sometimes those narratives are worthwhile, other times they seem like they're just filler to make editors and publishers happy. But that's beside the point.)
It's also something we seem to be losing as a society.
The good news is, at least in my own experience, it's a skill we can develop (and it's closely related to attention span). When I buckle down and read complex texts for non-Internet periods of time (20-30 minutes), I quickly regain my speed and comprehension. But I find it important to deliberately exercise that part of my brain.
I second that whole-heartedly. Sometimes google/ddg/wikipedia gives the paragraph you are talking about:
> Stuxnet is a computer worm that was discovered in June 2010. It was designed to attack industrial Programmable Logic Controllers or PLCs. PLCs allow the automation of electromechanical processes such as those used to control machinery on factory assembly lines, amusement rides, or centrifuges for separating nuclear material. Exploiting four zero-day flaws, Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks, then seeking out Siemens Step7 software. Stuxnet reportedly compromised Iranian PLCs, collecting information on industrial systems and causing the fast-spinning centrifuges to tear themselves apart. Stuxnet's design and architecture are not domain-specific and it could be tailored as a platform for attacking modern SCADA and PLC systems, the majority of which reside in Europe, Japan and the US.
Now I know what the hack Stuxnet is. Quite interesting but I'm not feeling like going into details - time saved.
*I'm not sure this is still true today
---
Let me add that, when it comes to topics like this one we should probably stick to what we know for sure. Figuring out if code is a backdoor or a bug is already hard enough (not always though). The same goes for attacks. Governments accuse each other of doing a lot of things, and fortunately, sometimes they even admit that they make these claims up.
Oh and please don't take my word for any of this. There are well known and respected people who speak very openly about these topics on conferences like CCC, DEFCON, etc.