Germany's Federal Intelligence Service (BND) has formed a new unit tasked with protecting government agencies and industrial enterprises from computer espionage. The head of German intelligence, Gerhard Schindler, reported that the country is under threat from Chinese and Russian hackers, and received the go-ahead to form the new unit.
According to experts, the BND will find it difficult to recruit enough professionals willing to work for the government, so the 130 vacancies in the new cyber department will not all be filled quickly, Der Spiegel magazine reports [http://bit.ly/Xbw85n].
Many German hackers hold anarchist political views and are not inclined to cooperate with the government, so it is hard to find qualified professionals even for a relatively high salary. The magazine reports that agents of the Federal Intelligence Service have already become active at some universities, trying to recruit senior-year students.
The state hacker unit in Germany will be an order of magnitude smaller than the analogous units in the USA and China. For example, America plans to form several specialized brigades within Cyber Command, which is run by the US Department of Defense. Some brigades will carry out defensive operations, and others offensive operations. The command plans to bring the unit's strength up to 5,000 people over the next few years [http://www.xakep.ru/60019/].
According to German intelligence, up to 6,000 people already work in Chinese hacker units.
“Russia pursues the same aggressive policy, but there the state hackers are disguised as a commercial firm,” writes Spiegel, citing Schindler. If the BND director really said this, he may be hinting at the Global Research and Expert Analysis Team (GREAT for short) of Kaspersky Lab, which cooperates closely with the FSB on cybercrime matters [http://www.xakep.ru/59038/].
Health scare: Much hospital equipment uses software that can be vulnerable to viruses.
Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent government panel. These infections can clog patient-monitoring equipment and other software systems, at times rendering the devices temporarily inoperable.
While no injuries have been reported, the malware problem at hospitals is clearly rising nationwide, says Kevin Fu, a leading expert on medical-device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, who took part in the panel discussion.
Software-controlled medical equipment has become increasingly interconnected in recent years, and many systems run on variants of Windows, a common target for hackers elsewhere. The devices are usually connected to an internal network that is itself connected to the Internet, and they are also vulnerable to infections from laptops or other devices brought into hospitals. The problem is exacerbated by the fact that manufacturers often will not allow their equipment to be modified, even to add security features.
In a typical example, at Beth Israel Deaconess Medical Center in Boston, 664 pieces of medical equipment are running on older Windows operating systems that manufacturers will not modify or allow the hospital to change—even to add antivirus software—because of disagreements over whether modifications could run afoul of U.S. Food and Drug Administration regulatory reviews, Fu says.
As a result, these computers are frequently infected with malware, and one or two have to be taken offline each week for cleaning, says Mark Olson, chief information security officer at Beth Israel.
«I find this mind-boggling,» Fu says. «Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There’s little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches.»
The worries over possible consequences for patients were described last Thursday at a meeting of a medical-device panel at the National Institute of Standards and Technology Information Security & Privacy Advisory Board, of which Fu is a member, in Washington, D.C. At the meeting, Olson described how malware at one point slowed down fetal monitors used on women with high-risk pregnancies being treated in intensive-care wards.
«It’s not unusual for those devices, for reasons we don’t fully understand, to become compromised to the point where they can’t record and track the data,» Olson said during the meeting, referring to high-risk pregnancy monitors. «Fortunately, we have a fallback model because they are high-risk [patients]. They are in an IC unit—there’s someone physically there to watch. But if they are stepping away to another patient, there is a window of time for things to go in the wrong direction.»
The computer systems at fault in the monitors were replaced several months ago by the manufacturer, Philips; the new systems, based on Windows XP, have better protections and the problem has been solved, Olson said in a subsequent interview.
At the meeting, Olson also said similar problems threatened a wide variety of devices, ranging from compounders, which prepare intravenous drugs and intravenous nutrition, to picture-archiving systems associated with diagnostic equipment, including massive $500,000 magnetic resonance imaging devices.
Olson told the panel that infections have stricken many kinds of equipment, raising fears that someday a patient could be harmed. «We also worry about situations where blood gas analyzers, compounders, radiology equipment, nuclear-medical delivery systems, could become compromised to where they can’t be used, or they become compromised to the point where their values are adjusted without the software knowing,» he said. He explained that when a machine becomes clogged with malware, it could in theory «miss a couple of readings off of a sensor [and] erroneously report a value, which now can cause harm.»
Often the malware is associated with botnets, Olson said, and once it lodges inside a computer, it attempts to contact command-and-control servers for instructions. Botnets, or collections of compromised computers, commonly send spam but can also wage attacks on other computer systems or do other tasks assigned by the organizations that control them (see «Moore’s Outlaws»).
In September, the Government Accountability Office issued a report warning that computerized medical devices could be vulnerable to hacking, posing a safety threat, and asked the FDA to address the issue. The GAO report focused mostly on the threat to two kinds of wireless implanted devices: implanted defibrillators and insulin pumps. The vulnerability of these devices has received widespread press attention (see «Personal Security» and «Keeping Pacemakers Safe from Hackers»), but no actual attacks on them have been reported.
Fu, who is a leader in researching the risks described in the GAO report, said those two classes of device are «a drop in the bucket»: thousands of other network-connected devices used for patient care are also vulnerable to infection. «These are life-saving devices. Patients are overwhelmingly safer with them than without them. But cracks are showing,» he said. (Fu was Technology Review’s Innovator of the Year in 2009.)
Malware problems on hospital devices are rarely reported to state or federal regulators, both Olson and Fu said. This is partly because hospitals believe they have little recourse. Despite FDA guidance issued in 2009 to hospitals and manufacturers—encouraging them to work together and stressing that eliminating security risks does not always require regulatory review—many manufacturers interpret the fine print in other ways and don’t offer updates, Fu says. And such reporting is not required unless a patient is harmed. «Maybe that’s a failing on our part, that we aren’t trying to raise the visibility of the threat,» Olson said. «But I think we all feel the threat gets higher and higher.»
Speaking at the meeting, Brian Fitzgerald, an FDA deputy director, said that in visiting hospitals around the nation, he has found Beth Israel’s problems to be widely shared. «This is a very common profile,» he said. The FDA is now reviewing its regulatory stance on software, Fitzgerald told the panel. «This will have to be a gradual process, because it involves changing the culture, changing the technology, bringing in new staff, and making a systematic approach to this,» he said.
In an interview Monday, Tam Woodrum, a software executive at the device maker GE Healthcare, said manufacturers are in a tough spot, and the problems are amplified as hospitals expect more and more interconnectedness. He added that despite the FDA’s 2009 guidance, regulations make system changes difficult to accomplish: «In order to go back and update the OS, with updated software to run on the next version, it’s an onerous regulatory process.»
Olson said that in his experience, GE Healthcare does offer software patches and guidance on keeping devices secure, but that not all manufacturers have the same posture. He added that the least-protected devices have been placed behind firewalls. But to do that with all a hospital’s software-controlled equipment would require more than 200 firewalls—an unworkable prospect, he said.
John Halamka, Beth Israel’s CIO and a Harvard Medical School professor, said he began asking manufacturers for help in isolating their devices from the networks after trouble arose in 2009: the Conficker worm caused problems with a Philips obstetrical care workstation, a GE radiology workstation, and nuclear medical applications that «could not be patched due to [regulatory] restrictions.» He said, «No one was harmed, but we had to shut down the systems, clean them, and then isolate them from the Internet/local network.»
He added: «Many CTOs are not aware of how to protect their own products with restrictive firewalls. All said they are working to improve security but have not yet produced the necessary enhancements.»
Fu says that medical devices need to stop using insecure, unsupported operating systems. «More hospitals and manufacturers need to speak up about the importance of medical-device security,» he said after the meeting. «Executives at a few leading manufacturers are beginning to commit engineering resources to get security right, but there are thousands of software-based medical devices out there.»
THE decision by the United States and Israel to develop and then deploy the Stuxnet computer worm against an Iranian nuclear facility late in George W. Bush’s presidency marked a significant and dangerous turning point in the gradual militarization of the Internet. Washington has begun to cross the Rubicon. If it continues, contemporary warfare will change fundamentally as we move into hazardous and uncharted territory.
It is one thing to write viruses and lock them away safely for future use should circumstances dictate it. It is quite another to deploy them in peacetime. Stuxnet has effectively fired the starting gun in a new arms race that is very likely to lead to the spread of similar and still more powerful offensive cyberweaponry across the Internet. Unlike nuclear or chemical weapons, however, countries are developing cyberweapons outside any regulatory framework.
There is no international treaty or agreement restricting the use of cyberweapons, which can do anything from controlling an individual laptop to disrupting an entire country’s critical telecommunications or banking infrastructure. It is in the United States’ interest to push for one before the monster it has unleashed comes home to roost.
Stuxnet was originally deployed with the specific aim of infecting the Natanz uranium enrichment facility in Iran. This required sneaking a memory stick into the plant to introduce the virus to its private and secure “offline” network. But despite Natanz’s isolation, Stuxnet somehow escaped into the cyberwild, eventually affecting hundreds of thousands of systems worldwide.
This is one of the frightening dangers of an uncontrolled arms race in cyberspace; once released, virus developers generally lose control of their inventions, which will inevitably seek out and attack the networks of innocent parties. Moreover, all countries that possess an offensive cyber capability will be tempted to use it now that the first shot has been fired.
Until recent revelations by The New York Times’s David E. Sanger, there was no definitive proof that America was behind Stuxnet. Now computer security experts have found a clear link between its creators and a newly discovered virus called Flame, which transforms infected computers into multipurpose espionage tools and has infected machines across the Middle East.
The United States has long been a commendable leader in combating the spread of malicious computer code, known as malware, that pranksters, criminals, intelligence services and terrorist organizations have been using to further their own ends. But by introducing such pernicious viruses as Stuxnet and Flame, America has severely undermined its moral and political credibility.
Flame circulated on the Web for at least four years and evaded detection by the big antivirus operators like McAfee, Symantec, Kaspersky Labs and F-Secure — companies that are vital to ensuring that law-abiding consumers can go about their business on the Web unmolested by the army of malware writers, who release nasty computer code onto the Internet to steal our money, data, intellectual property or identities. But senior industry figures have now expressed deep worries about the state-sponsored release of the most potent malware ever seen.
During the cold war, countries’ chief assets were missiles with nuclear warheads. Generally their number and location was common knowledge, as was the damage they could inflict and how long it would take them to inflict it.
Advanced cyberwar is different: a country’s assets lie as much in the weaknesses of enemy computer defenses as in the power of the weapons it possesses. So in order to assess one’s own capability, there is a strong temptation to penetrate the enemy’s systems before a conflict erupts. It is no good trying to hit them once hostilities have broken out; they will be prepared and there’s a risk that they already will have infected your systems. Once the logic of cyberwarfare takes hold, it is worryingly pre-emptive and can lead to the uncontrolled spread of malware.
Until now, America has been reluctant to discuss regulation of the Internet with Russia and China. Washington believes any moves toward a treaty might undermine its presumed superiority in the field of cyberweaponry and robotics. And it fears that Moscow and Beijing would exploit a global regulation of military activity on the Web, in order to justify and further strengthen the powerful tools they already use to restrict their citizens’ freedom on the Net. The United States must now consider entering into discussions, anathema though they may be, with the world’s major powers about the rules governing the Internet as a military domain.
Any agreement should regulate only military uses of the Internet and should specifically avoid any clauses that might affect private or commercial use of the Web. Nobody can halt the worldwide rush to create cyberweapons, but a treaty could prevent their deployment in peacetime and allow for a collective response to countries or organizations that violate it.
Technical superiority is not written in stone, and the United States is arguably more dependent on networked computer systems than any other country in the world. Washington must halt the spiral toward an arms race, which, in the long term, it is not guaranteed to win.
Misha Glenny, a visiting professor at the Columbia University School of International and Public Affairs, is the author of “DarkMarket: Cyberthieves, Cybercops and You.”