National Security

Private Security

How companies meddle in cyberwar.

On October 11, Defense Secretary Leon Panetta gave a speech on cyber threats -- "an issue at the very nexus of business and national security," he said. "Ultimately, no one has a greater interest in cybersecurity than the businesses that depend on a safe, secure, and resilient global digital infrastructure." He's right: Businesses are interested and engaged -- but some in a different way than he meant. A new front is emerging in cyber-warfare: Multinational corporations are standing up to governments that use the Internet for military purposes.

Last month, in an unprecedented move, the U.S.-based company Symantec, Russia-based Kaspersky Lab, the German CERT-Bund/BSI, and ITU-IMPACT published the results of their joint analysis of the cyber-espionage tool Flame that infected primarily computer systems in the Middle East. They show that parts of Flame had been active as early as 2006, collecting data in more than a dozen countries, and that it was likely produced by a government. According to Kaspersky Lab, "in June, we definitely confirmed that Flame developers communicated with the Stuxnet development team, which was another convincing fact that Flame was developed with nation-state backing," whereas Symantec more cautiously states that "this is the work of a highly organized and sophisticated group."

"For us to know that a malware campaign lasted this long and was flying under the radar for everyone in the community, it's a little concerning.... It's a very targeted attack, but it's a very large-scale attack," Vikram Thakur at Symantec points out. The discoveries over the last two years of Stuxnet, Duqu, Flame, and Gauss -- computer malware designed to spy and destroy -- provided a glimpse of how far states have advanced in using cyberspace for military purposes, shedding light on a cyber campaign that seems to have been waged largely unnoticed for years. Perhaps the embarrassment was a wake-up call -- some members of the industry now seem determined to step up their game.

It's clear that governments across the world are bolstering their cyberwarfare capabilities. "What we're looking at is a global cyber arms race," said Rear Admiral Samuel Cox, director of intelligence at U.S. Cyber Command. Earlier this year, Forbes reported that governments are buying key components of cyber-weapons from hackers on a shadow market. The New York Times reporting on Operation Olympic Games shed light on Stuxnet, the most sophisticated cyber-attack known to date, and fueled the debate about potential backlashes.

But there is a counterforce to the global cyber arms race: an entire industry built on identifying and neutralizing malware. In fact, two races are taking place simultaneously -- an arms and a disarmament race.

This disarmament race is driven by the Symantecs, McAfees, and Kasperskys of the world. These companies work day in and day out to identify malware and vulnerabilities in computer systems in order to develop solutions that they can sell. Once private security vendors expose a vulnerability, they issue a "patch" to disarm the cyber weapon. Microsoft, for example, patched its operating system after it was revealed that Stuxnet exploited a weakness in its software. (For a recent analysis of how Stuxnet worked, watch this excellent video of a presentation by Symantec Vice President Carey Nachenberg.) Stuxnet could have done a lot more damage had it not escaped the Natanz facility and instead continued its destructive business undetected. This gives cyber-weapons a very short -- but also a very unpredictable -- half-life.

That is why these companies can be thought of as mine sweepers: They first identify a piece of malware lying dormant in a system, waiting to unleash its payload, and then work to defuse it. The analogy to mines is limited, of course. Stuxnet was not a mine waiting for someone to step on it: When it was discovered, it was actively in the process of causing damage. So unlike traditional mine sweepers, which usually only clean up the mess after militaries leave the battlefield, cyber mine sweepers are active in an ongoing conflict.

Originally, malware was mainly used by hacktivists and criminal hackers. Anti-virus companies emerged to protect companies and individual consumers against such threats. The software and patches they developed make the Internet more secure as a whole, whether the threat emanated from a criminal network or lone hacker. As more and more people accessed the Internet, their businesses grew beyond national borders, turning Symantec, McAfee, and Kaspersky into multinational companies. While the latter is in private hands, the former two are publicly traded companies with a fiduciary responsibility to their shareholders. 

Yet, the discovery of Flame, whose approach according to Symantec "fits the profile of military and intelligence operations," demonstrates the headache this anti-malware industry can also cause militaries and intelligence agencies. When Kaspersky went public with its knowledge of Flame on May 28, Flame's operators tried to shut the virus down -- sending a "kill module" with instructions to wipe systems clean of any trace of the malware. Yet, when "the domains went dark about an hour after news of the operation broke worldwide last Monday, suggesting the attackers were shutting down the mission, at least three infected machines in Iran, Iraq, and Lebanon were upgraded by the attackers with new versions of the malware after this occurred," according to Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab.

Curiously, this kill module also included instructions to delete itself afterward, which failed due to erroneous code. Similarly, another script to delete temporary files failed because of "a typo in the file path." As one astute blogger remarked, "The 'clean up and coding gaffes' sound like misinformation or the coders were really in a hurry. One run of the LogWiper script in a test environment would've quickly exposed the typos as the script would've barfed immediately." Perhaps the sloppiness was a result of the hide-and-seek game once Kaspersky Lab had uncovered the stealthy attackers.

Analysts also discovered that Flame seems to have been only one part of a set of four or five tools, but do not know details about the others. They were able to analyze Flame due to a simple mistake by the attackers: They "played with the server settings and managed to lock themselves out of it," says Costin Raiu, senior security researcher for Kaspersky. This is how researchers discovered the intruders had registered domains for the operation, which infected systems in several countries -- focusing on Iran and Sudan -- and collected a massive amount of data in the process.

But there are differences in the industry. The way the cyber-protection industry usually works is that companies try to identify threats first to gain a competitive advantage, and offer their solutions to anyone who pays: individual users, companies, and governments. They do this work without getting involved in politics -- but Eugene Kaspersky is taking a different stand. According to the New York Times, his lab is "using [its] integral role in exposing or decrypting three computer viruses apparently intended to slow or halt Iran's nuclear program to argue for an international treaty banning computer warfare."

Kaspersky's lab could prove to be a powerful tool to support his political agenda: It is one of the leading firms in the field, and also uses innovative techniques such as crowdsourcing to analyze malware. Thanks to the help of outside computer experts, for example, Kaspersky Lab eventually succeeded in analyzing a coding language used to program the computer virus Duqu.

The identification of Flame highlights how the world of computer virus detection is changing. Other organizations are starting to show an interest in this business: Flame was discovered after Kaspersky Lab had been asked by the ITU, a specialized agency of the United Nations, to find another piece of malware -- an approach the ITU has also pursued for the Gauss malware. According to ITU's staff, the two organizations "have a long-standing relationship, during which we've been actively collaborating on several cyber security projects and initiatives. For instance, Kaspersky is one of the key partners, together with companies such as Symantec, Microsoft, Trend Micro, F-secure, among others on the ITU-IMPACT initiative, a public private partnership comprising 142 countries, academia, industry and international organizations."

The industry is becoming smarter, too. Kaspersky Lab has actively used crowd-sourcing to analyze code that its research team could not decipher. Kaspersky and Symantec use honeypots -- a trap to gain information about an attacker and the malware. In Flame's case, Kaspersky worked with the domain registrar GoDaddy and OpenDNS to redirect traffic to a honeypot. The international cooperation is therefore only the most recent effort to catch up with governments. It also includes collaboration with computer emergency response teams (CERT) such as the German CERT-Bund involved in the examination of Flame. CERT-Bund's staff commenting on the recent joint analysis highlights that, "the cooperation is more on an individual rather than institutional basis."

There are obvious limitations to the industry's impact. It took months after Stuxnet had escaped from Natanz for it to be discovered by VirusBlokAda, a small firm in Belarus. In the case of Flame, Mikko Hypponen, chief research officer at the anti-virus company F-Secure, points out "all of us had missed detecting this malware for two years, or more. That's a spectacular failure for our company, and for the antivirus industry in general."

Interestingly, Hypponen's company did have samples of Flame's code in its possession before its identification, but they did not trigger any alarms. The virus was designed to be so stealthy that it avoided detection even by the industry's leaders. This shows that certain states are ahead in the race against the disarmament players: They can still outsmart the systems built by private industry. At the same time, Stuxnet and Flame have also shown that once the code is discovered, the industry will invest its resources to take it apart and analyze its various components.

Governments can use this process to their advantage by tipping the industry off to the existence of malware. States that might be subject to an attack -- but lacking in the capability to defend themselves -- could thereby tap into the resources of security firms to identify the cyber weapon. States that are not directly affected by a virus, but have a political interest to intervene as a third party, could also play a role.

It remains unclear what the unanticipated and unintended consequences of the military use of the Internet will be in the long run. Will other actors be able to copy the design of sophisticated malware such as Stuxnet or Flame? To what degree will the general trust in the Internet ecosystem be undermined by such activity? 

Time will tell. In the meantime, these companies constitute a new actor in international security to be reckoned with. As governments around the world are setting up military cyber-commands, drafting cyber-doctrines, and developing cyber-weapons, private security firms are standing ready to disarm them. The race is on: A few governments seem to be in the lead, but industry members are working hard to catch up. Buckle up.

National Security

Will Iran Weather the Economic Storm?

The depreciation of the rial is unlikely to change Iran's foreign-policy calculations.

The conventional wisdom that the collapse of the Iranian rial will have disastrous consequences for the Islamic Republic has it wrong: On the contrary, it could be the best thing that has happened to the Iranian economy in years.

Iran is a classic case of the resource curse. OPEC founder Juan Pablo Pérez Alfonso, who served as Venezuela's oil minister, called oil "the devil's excrement" for the pernicious impact petroleum revenues had on his country's economy. The same is true for Iran, which faces the challenge of becoming a country that produces goods, not merely consumes them. Unfortunately, the current Iranian government shows few indications it will meet this challenge. Rather, history suggests that Tehran will instead persist in its populist policies, including its confrontation with the international community about its nuclear program.

From mistake to mistake

Iran's economy has historically been distorted and sluggish when oil prices have been high. The same is true this time around: Booming oil revenues have led to a rush of imports rather than higher domestic output. The IMF calculated that from 2005 to 2010 imports soared 50 percent -- from $43 billion to $67 billion -- while Iran's national output grew at the much more modest pace of 18 percent.

Iranian industry, meanwhile, has been hard hit by rising costs from domestic inflation, while competing imports were kept cheap by the government policy -- successful until late 2010 -- of keeping the rial steady. Propping up the rial may have fed national pride, and it certainly meant cheap consumer goods -- important factors for the populist Islamic Republic -- but it hurt domestic producers.

For years, the key factor that kept Iranian industry alive despite competition from cheap imports was the low cost of energy. With electricity and natural gas practically free, Iranian manufacturers had an important advantage over their foreign competitors. And many Iranian companies benefited from the low cost of shipping and travel -- byproducts of the low gasoline costs.

These advantages weren't cheap: The Iranian Central Bank concluded that, by 2007, the subsidies were costing Iran $88 billion a year, with Iran's energy costs at 10 percent or less of the international price. Using high oil revenues to subsidize energy was an expensive and inefficient way to help Iranians. A sounder policy would have been to invest in infrastructure, improve education, and make loans available for small businesses -- all policies followed by the Shah of Iran before the 1970s oil boom gave him grandiose ideas. As a result, Iran's economy in the 1960s grew as fast as China's has in the last decade.

As world oil prices rose after 2007, the burden of energy subsidies rose sharply. President Mahmoud Ahmadinejad, meanwhile, saw an opportunity to use these rising prices to his benefit. He made a shrewd political calculation: Rather than subsidizing gasoline and electricity used most heavily by the middle class, who detested him, he would raise energy prices to the global market price and use the money to send checks to the poor, who supported him.

That was his plan, but after the middle class rose in revolt after his contested 2009 reelection, he revised the scheme to send the checks to them too. And instead of phasing in the reform, he did it all at once in late 2010 by depositing rials in each household's bank account each month. To keep the cost of the subsidy reform within the bounds of what the government could afford, Ahmadinejad effectively jettisoned the substantial payments that were to have gone to industry to pay for shifting to more energy-efficient technology.

Iranian producers were now in a bind: The low energy prices that had been their competitive edge disappeared overnight. The government's response was a looser monetary policy, including providing easy credit to firms in no position to pay. According to Iran's Central Bank, the bank credit to the private sector went from 2.3 quadrillion rials in March 2010 (then worth about $250 billion) to 4 quadrillion in August 2012. Not entirely by coincidence, bank deposits (by far the biggest component of the money supply) rose over the same period from 2.1 quadrillion rials to 3.8 quadrillion. That was an 80 percent increase in bank deposits -- while over a similar period, the IMF says, real GDP rose 7 percent.

It does not take a genius to figure out what happens when 80 percent more money is chasing 7 percent more goods: prices soar. The government reports that consumer prices rose 43 percent from March 2010 to April 2012; it has not published data for recent months, presumably because they show a further rise. If one accepts the official inflation figures, this means costs in Iran would have gotten ridiculously out of line with costs in competitor countries had the rial not lost value.

The rial's collapse means that Iranian firms may finally have a fighting chance against their foreign competitors. The wise policy would be to encourage the rial to fall even further, while tightening up on monetary policy to tamp down inflation. Of course, that would mean imposing pain on consumers, which goes against every instinct of the populists who run Iran's economic policy. Therefore, such a sound policy is unlikely. Indeed, there are no signs that the loose monetary policy is going to change. Even the ever-optimistic IMF expects Iran's inflation to remain above 20 percent next year.

The irony is that the falling rial benefits the government more than anyone else. Most of Iran's exports are in the government's hands. With each dollar of exported oil now worth more rials, the government's rial revenue rises, offsetting at least in part the lower volume of exports. That extra revenue would put the authorities in a good position to help businesses invest in more energy-efficient technology and to create more jobs.

But that is not likely to happen. The government is much more likely to insist on selling dollars at an artificially low rate, on the theory that this keeps prices down. The real effect, however, is to generate high profits for the politically well-connected, who get access to foreign exchange at the preferential rates.

With low export volumes and an artificially low exchange rate, the government will face the worst of two worlds: low revenue and high costs. That could force budget cuts -- and those could have serious political consequences. On Oct. 9, Ahmadinejad spoke of cutting some items 25 percent and zeroing out others, and Chief of the Joint Staff Seyyed Hasan Firuzabadi warned that the military budget could be cut 10 percent. Soaring prices, rising unemployment, budget cutbacks, and rampant corruption are a recipe for popular anger, though the Islamic Republic's vigorous repressive apparatus may prevent it from translating into popular protest.

History suggests Iran will learn the wrong lesson

Iran's economic problems are made much worse by the public's worry that war is coming. Fear of war keeps investors from committing to new projects and leads consumers to seek safe havens for their assets, such as dollars. An obvious step to improve the economy would be to re-energize the negotiations over the nuclear impasse. And that may well happen. But history offers a word of caution.

Twice before, the Islamic Republic of Iran faced serious foreign exchange problems, arguably as bad as the current one. The first was when the price of oil collapsed in the mid-1980s. Iran's oil export earnings went from $21 billion in the 1983-1984 fiscal year to $6 billion in 1986-1987. Iran's response was to adopt draconian measures that cut imports from $18 billion to $11 billion. This was at a time when Iran was throwing waves of its own citizens at Iraqi forces in a vain effort to overrun that country -- we remember the Iraqi invasion of Iran in September 1980, but we often forget that Iraqi forces withdrew in June 1982 and Iran invaded Iraq the next month. Because war-related imports could not be cut, Iran appears to have taken the ax to civilian imports -- slashing them by more than 50 percent.

The loss of oil revenue was not enough to get Iran to accept a cease-fire. That came only later, when Iranian leaders feared the United States was joining the war and Iraq would fire chemical-tipped missiles at Iranian cities. In other words, difficult economic times did not bring a change in security policy -- the threat of much greater military force did.

The Islamic Republic faced its next severe economic challenge in the mid-1990s. After running up $14 billion in debts in a postwar burst from 1991 to 1994, Iran's bills were coming due just as U.S. President Bill Clinton's administration stepped up pressure on its allies not to lend to Iran, and then in 1995 it imposed comprehensive U.S. sanctions. Iran could have solved this problem by scaling back its support for terrorism and ending its vigorous efforts to undercut the then-vibrant Arab-Israeli peace talks. Instead, Tehran tightened its belt over the next three years to repay $8 billion in loans and leaned on Europe and Japan to reschedule $16 billion in loans coming due.

The austerity measures cut imports from $23 billion in the 1992-1993 fiscal year to $13 billion in 1994-1995, and they stayed at that level for the next fiscal year. In short, Iran preferred to cut imports almost in half rather than change its foreign policy.

Historical analogies are imperfect: Situations are different, the actors have changed, and so on. Nevertheless, the record suggests tempering one's optimism that economic pressure will bring Iran to change its populist policy stances -- either its pernicious domestic economic policy or its adventurist nuclear stance.
