Controversies in Military Ethics & Security Policy
Interview with Felix FX Lindner, Hacker
What do you think is the biggest threat from cyberwarfare? What do you think was the biggest threat to data security and data protection in 2014?
I think the biggest threats arise from a lack of understanding among many of the people who are in positions of responsibility. As a result, just a few people determined the media narrative and political agenda in 2013 and 2014. Unfortunately, objective discussions about data security strategies are as rare as they are urgently needed.
What are the dangers of cyberwarfare, primarily for the military, but also for the civilian population and for businesses?
The main issue in all three areas is a blinkered obsession with computerization. We can’t safeguard our existing computer systems and networks, yet everywhere we keep on integrating an ever greater number of more deeply networked computers – whether in weapons systems or supply infrastructure for electricity, water and gas. In many cases the benefit is illusory at best, whereas the added dangers are very real.
Cyberattacks could disable weapons systems such as anti-aircraft missiles. Why isn’t this done more often?
For one thing, the necessary knowledge and personnel with the corresponding skills are thin on the ground. As long as conventional means are available to achieve the same effect, it is not worth using this scare resource. Also, because of their lack of specialist knowledge, the decision-makers in the military and government have a justified fear of secondary effects, which they are unable to assess.
Could cyberattacks be a way of containing current conflicts (Syria/Ukraine)?
Cyberattacks are not suited to this purpose. Offensive means are generally not the right way to defuse conflicts.
Supposing I was Defense Secretary, should I spend money on cyber weapons or cybersecurity, or would it be better to spend money on conventional weapons?
The decision should be the result of an overall security policy strategy, which a Defense Secretary hopefully has.
Developing offensive capabilities on a par with those of other countries is certainly essential, since the fifth domain is not going to simply disappear again. And just as you can’t order an air force on Amazon and have it show up the next day, cyber offensive forces require many years of training before they are ready for deployment.
Cybersecurity, as it is called, requires more of an integrated policy approach.
What does it take to disable a country’s infrastructure?
In terms of a cyberattack – all it takes is a few capable attackers with a lack of scruples and enough money to pay for them. But if you’re not in any rush, extensive privatization is also a very effective method.
The cyber weapons Stuxnet and Flame created a stir. They were used to spy on and attack the Iranian nuclear weapons program. What was particularly dangerous about that?
The collateral damage was particularly dangerous, and not the immediately obvious damage. Take Flame, for example. A cryptographic signature was generated so that it looked as if the file came from Microsoft. This circumvented many security checks that are essential for a whole series of protection measures in computer security. The method still works today, but it’s not easy to just replace the protection measures. As a result, the whole world is more vulnerable than it was before.
Demystification of cyberwarfare – it is often said that no such thing exists and that it is not new. At our Berlin panel discussion, in response to the claim that malicious software wears no uniform, you said that military attacks in the Internet wore more of a uniform than Russian soldiers in the Crimea. What did you mean by that?
Nearly all states place little hope in the medium-term availability of defensive measures, and are therefore focusing on offensive means. Accordingly, the aim is to show everyone else what they can do, as a kind of show of force. The hope is to achieve a certain level of deterrence. But for that to work, it has to be obvious who planned and carried out the attack. So not much is concealed.
How much cyber power does China or Russia have in comparison with the United States?
China and Russia have about the same offensive strength as the United States, although each in somewhat different form.
Who are the current cyber superpowers?
Google, China, Russia and the United States.
So countries that produce computers themselves have a good chance of being or becoming a cyber superpower. What are the chances for Germany at the moment? After Zuse, do we still matter in the world of computer technology?
No, Germany doesn’t play an important role any more. It’s a shame especially because the skills are available, but they aren’t used.
How do cyber attackers operate? How do they go about attacking a country, corporations, businesses, the government, or the intelligence services?
They’re a bit like burglars: they collect background information, scout out the target, try the doors and windows, choose their tools, then break in. Unlike burglars, instead of making their getaway, they barricade themselves inside the building as inconspicuously as possible.
What defense mechanisms exist to guard against intruders? Shouldn’t we build our own computers?
Yes, we really should build our own computers. If, unlike everyone else, we also accepted product liability for these computers, while they would be significantly more expensive, they would also be a massive export hit.
Is there a sure-fire way to prevent cyberattackers, such as reverting to typewriters?
If you want to keep a secret, you shouldn’t put it on a computer nowadays.
Let’s look to the year ahead. Nation states increasingly attacking each other with malicious software. The respective private sectors are affected and activists too will continue to use the Internet for their own purposes. What is the absolute worst-case scenario for Germany? And what scenario could rapidly become reality?
Unfortunately there are many. But I believe that you shouldn’t make any instructions publicly available.
How can you prevent any of those scenarios?
An overall policy debate would be a good start.
Is it possible to disable an airport using a simple computer? Can you give us a rough estimate of how many people you think would know how to do that?
Definitely a few thousand people around the world.
Some voices are getting louder: scaremongering and demanding information. What do you think manufacturers of software and hardware products should be doing to improve computer security?
It would be nice if the manufacturers would finally be honest with politicians. Endless new promises about the next miracle product don’t get us anywhere. Admitting that the absence of liability on their part is the core problem would make a massive difference. Policymakers won’t just go and demand that they accept this liability, since no-one wants to ruin SAP & co. But unfortunately the current charlatanry is too lucrative to give up voluntarily.
According to Thomas Ried, cyberwar is just a clever strategy by security firms, since in his opinion it doesn’t really exist. What do you think about Ried’s theory?
Using a term like “cyberwar” is an excellent way to promote sales of the next miracle product. But that doesn’t explain the hundreds of soldiers and hordes of specialists in the defense industries in various countries who are engaged with the issue of offensive capacities, nor the large sums in the corresponding budgets. Ried describes a symptom, not the disease.
What is your assessment of the general security situation for German businesses?
I think that German businesses are extremely exposed. We are an export country that specializes in process and production knowledge. So, unlike raw materials, our export goods are perfectly suited to being stolen (i.e. copied) from our computers, without us noticing.
Analysts calculate that targeted hacker attacks cause millions of euros of damage each year. Do you think that the majority of CIOs and IT managers are currently able to implement correct and useful protective measures?
No, partly because CEOs make it the IT manager’s responsibility, as if the CEO had nothing to do with it.
Will security be sacrificed for convenience in the future? With Internet access in German army barracks, how safe from hackers is an e-mail address in the German army?
Security is always being sacrificed for the sake of convenience or vanity. Businesses made major efforts over many years to create a halfway reliable infrastructure with BlackBerry – and then CEOs wanted iPhones instead.
The security of an e-mail within the German army is something can easily be tested. Unfortunately that hardly ever happens, because no-one wants to hear the answer they’re afraid of.
Experts claim that not a single cyberattack has taken place to date. And yet cyberwarfare is discussed time and again. Is this a strategy by security firms, marketing experts and media analysts, and is cyberwar actually not real?
Whether cyberattacks have taken place is a question of definitions, which is why it is disputed. But we are definitely seeing a continuous increase in activities by nation states. Sorry to say that’s not marketing, however much I wish it was.
What makes a good professional hacker?
Integrity, passion, specialist knowledge and skills, and knowing when to stop.
Should hackers fear for their lives, and how timid are the intelligence services?
It is something of a rarity to hear about violent deaths with a possible connection to the intelligence services. More frequently, hackers who have worked for criminal organizations are found dead once the job is done.
Below the threshold of an armed conflict, what kinds of regulation are needed?
As mentioned earlier, I think the greatest need is to introduce product liability for hardware and software, at least when the products are supplied to the state or to the military. As long as it’s more profitable to sell completely defective merchandise, so that you can then sell the next version as well, there is no money to be made in secure computers, so no-one makes them.
A question about the extent and threat of surveillance. What would you say to a head of government who uses the Google e-mail service Gmail, surfs the Web with the Google browser Chrome, and uses a smartphone with the Google operating system Android?
I would ask why he or she wastes taxpayers’ money on ministries for defense, espionage and counter-espionage, since this behavior makes a mockery of them. I would also be interested to know how far their oath of office is compatible with a complete, negligent surrender of the state to a transnational superpower.
NATO experts published the Tallinn Manual in 2013, a guide that examines how international law should be applied to cyberwarfare, for example. Does this manual have any significance for hackers?
No, those are policy issues.
Google/Apple/Microsoft – to what extent are these companies a danger to personal and national security?
Google’s control over the entire Internet should occupy a prominent position in questions of national security.
What international cyber protection laws do we need?
We should establish international rules that leave control over the Internet in the hands of democratic countries, even though they are a minority of all countries in the world.
And what product security legislation such as product liability do we need to ensure the security of computers and software?
Full product delivery (not a license) and corresponding product liability for software acquired by the German federal government and army is the first and most important step. After chaotic beginnings, you will see a dramatic rise in quality, security included.
As a purely hypothetical question, in the event of a cyberattack, would you hack for Germany in a camouflage suit?
I help various countries to better defend their infrastructure. So far I’ve never needed a camouflage suit to do that.
Questions by Gertrud Maria Vaske, chief editor of “Ethics and Armed Forces”
Felix FX Lindner
Felix FX Lindner hacked BlackBerry, the network of Cisco, and the energy supply of a German town. He is a well-known expert in the computer security community. Over the last decade he has presented his research at conferences around the world and made it freely available on the Internet. He is the founder as well as technical and research head of Recurity Labs GmbH, a high-end security consulting and research team that specializes in code analysis and the design of secure systems and protocols.