On Sarin And Cyberwar
The horror that unfolded Tuesday after the Assad regime dropped sarin nerve gas on the city of Khan Sheikhun, Syria, was like a nightmare from the past. Writing 100 years ago, the WWI poet Wilfred Owen described similar scenes of asphyxiating agony:
“But someone still was yelling out and stumbling, And flound’ring like a man in fire or lime . . . Dim, through the misty panes and thick green light, As under a green sea, I saw him drowning… ….If you could hear, at every jolt, the blood Come gargling from the froth-corrupted lungs, Obscene as cancer, bitter as the cudOf vile, incurable sores on innocent tongues….”
— Wilfred Owen, “Dulce et Decorum Est”
Those lines are hard to read. And the videos from Tuesday’s attack are hard to watch, particularly if you have a personal connection to the region, as I do (I was born in Beirut). But they are facts, tragic entries in the global register of human-on-human atrocities.
The events this week also provided a condensed view of the past, present and future of weapons technology. Assad’s attack on Tuesday used sarin gas, an old technology dating from 1938 (but no less horrible for being old). The U.S. response on Thursday used Tomahawk missiles, a tech dating from the 1970s. And the most instructive glimpse of what the future will hold came in the form of the (intended or unintended) symbolism of the timing of the U.S. announcement: right after President Trump’s dinner with Chinese president Xi Jinping.
The U.S. has accused China numerous times over the years of cyberespionage and hacking. In 2010, Google reported targeted attacks on its corporate infrastructure coming out of China. Since then, 34 other companies have been hacked in a similar manner, including Symantec, Yahoo and Adobe. China has also accused the U.S. of engaging in its own form of cyberhacking.
The point is not that China is a lone bad actor in this new world of cyberwar, but that, going forward, technically sophisticated sovereign states will increasingly turn to hacking, rather than brute physical force, to achieve their aims.
And cyber attacks can cause real physical damage. One example is the Stuxnet worm, allegedly co-developed by the U.S. and Israel, which damaged Iran’s sophisticated uranium enrichment centrifuges in 2010. Imagine that being a connected to a self-driving car, and the threat only gets more personal.
Indeed, the proliferation of Internet-connected devices only increases the likelihood of such attacks. Gartner estimates that 6.4 billion IoT devices were in use last year, and by 2019 that number will be 21 billion. IoT devices, by nature, either hold or are connected to massive amounts of personal and corporate data. Despite this, IoT devices are notoriously insecure. Forrester Research noted that IoT security is in its “creation phase” and lacks established quality controls or standards.
On October 21, 2016, the DNS provider Dyn suffered the largest distributed denial-of-service attack in history. The attack severely impaired hundreds of Internet services, including those run by technically sophisticated companies like Amazon and Netflix. The source of the attack was a botnet coordinated through 100,000 Mirai malware-infected ioT devices.
It turned out that the chips in these devices, many of which were made by Chinese company XiongMai Technologies, had security vulnerabilities that left them open to attack. Whether this vulnerability was a bug or a feature — whether they were purposely designed to be hackable — has still not been determined.
We live in a time of jarring contrasts, in which unprecedented human achievement shares the stage with common human barbarity. The irony is that, even while we’re busy inventing the future, we’re still dragging unwanted pieces of that past along with us. The lizard brain just won’t let go.
Perhaps this dilemma is best understood as a choice, one expressed by Elliot in the show “Mr. Robot“: I only need to press one key to run the exploit. Or I can press another and disable the entire plan.”
Originally published at www.mediapost.com.