Listen to the story.
Marco Werman: So, some optimism there that a nuclear deal with Iran is within reach. But at the same time, we’re hearing increasingly that the US and Iran are targeting each other with cyberweapons. That’s what a newly disclosed 2013 National Security Agency document says. To learn more, we turn to Alan Woodward. He’s a cybersecurity expert and advisor to Europol.
Alan Woodward: What the document that’s come out has shown really is that they’re making contingency plans. What happens if the talks don’t work? What else could we do? A lot of these code-based weapons have a great deal of attraction for countries, for different states to use them because they have this whole element of plausible deniability. We still don’t really know, for example, who launched Stuxnet--everybody assumes it was some or all of the United States, Israel, the British--but actually nobody really knows.
Werman: If we don’t know where these attacks are coming from, does that mean that other countries could potentially stir the pot?
Woodward: Oh, absolutely.
Werman: Have we seen that in action?
Woodward: Well, we believe we have. It’s quite interesting, they’re called “false flag operations.” Let’s suppose Country A wants Countries B and C to take it against each other and they might launch an attack against one of them but make it look like it was the other. It’s actually horribly easy to do--write your code in Russian or Chinese, or launch it from a site that seems to be well-known as being used by one of those countries and all of a sudden you get circumstantial evidence--even though it’s not a smoking gun, circumstantial evidence starts to build up. And you have what’s called confirmation bias; if you’re already slightly anti the other country and there’s some circumstantial evidence where it starts to look like it was them, then you’re going to start believing it really was them.
Werman: The problems with tracing the origins of any virus--once you launch a cyberattack, is there anything to prevent a target from reverse-engineering the weapon or whatever software was used and then use it against you?
Woodward: Oh, no, unfortunately absolutely not and it’s a real danger. It has a lot of attraction because of this plausible deniability, but at the same time it’s like biological warfare. If you can capture the germ, you can grow it yourself and throw it back. Indeed, we saw with Stuxnet very quickly, you can go onto Youtube now and find videos of how to re-engineer Stuxnet and send it back against some enemy. We have actually seen Iran re-engineering some of these things, or we believe it’s Iran, and launching them back out. So, that is one of the huge dangers. You launch a code-base weapon, it’s not like bombs and bullets, you’re giving it to the enemy at the same time as using it.
Werman: What are the risks of waging cyberattacks, or cyber espionage, right now with these talks going on in Geneva?
Woodward: In some ways, I think it’s the fact that it’s out in the public domain now that is the real danger. I suppose I find that the most disappointing and, in many ways, some of what’s happening with the Snowden documents now are they’re going well beyond helping with things that might be in the public interest. They’re actually damaging countries like the US and the UK in their attempts to conduct foreign policy, because part of conducting foreign policy is always collecting intelligence. You really want to know what cards the other guy is holding whilst you’re playing poker with him.
Werman: Are you saying that a lack of transparency can actually be a valuable thing?
Woodward: I think so, yes, because in some ways the fact that this enters the public domain is the stick, it gives the other side the stick to beat you with. They know it goes on, they’d give their teeth to do it themselves if they had the capability, and indeed you can see that they are trying to do it themselves. It’s also a way of conducting asymmetric warfare as it’s called and it’s a great way of leveling the playing field, this type of espionage, because you only need to put 30 clever guys in a room with some laptops and you can probably reproduce a lot of the same things.
Werman: US touts itself as the strongest military on the planet. Do you think Iran has those 30 clever guys in a room with laptops to challenge the US on the cyber front?
Woodward: We know they do because they’ve said they have. They formed a unit all the way back when things like Stuxnet were happening. They said quite publicly “We see this as a way of leveling out the playing field and we’re going to do it.”
Werman: Cybersecurity expert Alan Woodward, a professor at the University of Surrey. Great to speak with you, thank you.