Crimes Against Humanity


Just a reminder: messing with another country’s civilian power grid is a crime against humanity.

Not that that’s going to slow the US government down, in the slightest. After all, the US has been warning for years about the danger of Chinese and Russian cyberspies in its power grid, and making dire threats of consequential “real world” military action against any nation so foolish as to contemplate such a thing.

Perhaps now some people will re-assess whether the US had any involvement in Venezuela’s power grid problems. [stderr] Maybe the Venezuelan grid was already tottering on the edge of collapse, and maybe it just needed a nudge. Having to disclaim culpability is one of the many downsides in letting people know that you have Chekhov’s gun and John Bolton’s the guy waving it around.

The New York Times reported Saturday that: [nyt]

The United States is stepping up digital incursions into Russia’s electric power grid in a warning to President Vladimir V. Putin and a demonstration of how the Trump administration is using new authorities to deploy cybertools more aggressively, current and former government officials said.

We should probably assume that, for the NYT to report something like this, they’ve known about it for some time and negotiated with the government to bury the story until some time when it wasn’t going to influence the political landscape. Hey, look around! Now would be a great time, wouldn’t it? Surely that’s also a coincidence.

Advocates of the more aggressive strategy said it was long overdue, after years of public warnings from the Department of Homeland Security and the F.B.I. that Russia has inserted malware that could sabotage American power plants, oil and gas pipelines, or water supplies in any future conflict with the United States.

US: “He pushed me!”
Russia: “He pushed me first!”
US: “Yeah, but he was on my side of the couch!”
Russia: “I don’t see any line.”
US: “If he doesn’t stop I’m going to shoot him in the face with a rubber band.”
Russia: “I have two rubber bands!”

Sadly, there are no wise parents in the room to give these children a dose of “sit the fuck down shut the fuck up.” The US says none of the rules apply: [icrc]

First, because of its increasingly ubiquitous reliance on computer systems, civilian infrastructure is highly vulnerable to computer network attacks. In particular, a number of critical installations, such as power plants, nuclear plants, dams, water treatment and distribution systems, oil refineries, gas and oil pipelines, banking systems, hospital systems, railroads, and air traffic control rely on so-called supervisory control and data acquisition (or SCADA) systems and distributed control systems (DCS). These systems, which constitute the link between the digital and the physical worlds, are extremely vulnerable to outside interference by almost any attacker.

Second, the interconnectivity of the Internet poses a threat to civilian infrastructure. Indeed, most military networks rely on civilian, mainly commercial, computer infrastructure, such as undersea fibre optic cables, satellites, routers, or nodes; conversely, civilian vehicles, shipping, and air traffic controls are increasingly equipped with navigation systems relying on global positioning system (GPS) satellites, which are also used by the military. Thus, it is to a large extent impossible to differentiate between purely civilian and purely military computer infrastructure. As will be seen below, this poses a serious challenge to one of the cardinal principles of IHL, namely the principle of distinction between military and civilian objects.

Moreover, even if military and civilian computers or computer systems are not entirely one and the same, interconnectivity means that the effects of an attack on a military target may not be confined to this target. Indeed, a cyber attack may have repercussions on various other systems, including civilian systems and networks, for instance by spreading malware (malicious software) such as viruses or worms if these are uncontrollable. This means that an attack on a military computer system may well also damage civilian computer systems, which, in turn, may be vital for some civilian services such as water or electricity supply or the transfer of assets.

I’ve been involved in writing position statements like that, and it’s a complex time-consuming highly politicized process. Someone drafts the opinion then everyone pounces on it and edits it, then the original author repeatedly fixes the language and tries to keep it coherent. Eventually after months, you have a bland-seeming highly compressed policy statement like the one above. The point is: by the time it’s done there’s not a lot of disagreement and ambiguity left. The US has been consistently ignoring the fact that targeting another country’s power grid is a crime against humanity.

The response of the US is predictable: “it’s better than dropping a bunch of bombs on you, which is what we’ll do if you don’t shut up.” International humanitarian law is an attempt to restrain power, and US power accepts no restraint.

Thus, if an air defence system is put out of order by a cyber operation, if a cyber operation disrupts the functioning of an electrical grid, or if the banking system is disabled, this amounts to an attack. However, not all cyber operations directed at disrupting the functioning of infrastructure amount to attacks.

You can bet your ass that the US wants it both ways: it’s a crime against humanity if the Chinese do it to us, but it’s just a perfectly reasonable response against Russia. Note that, in order for this sort of scenario to obtain, it means that the US has already had to establish a control foothold in the Russian grid – exactly the same thing the US has been complaining that the Chinese and Russians have been trying to do. This is the neatest possible demonstration that hypocrisy is equal to exceptionalism.

As I mentioned before, when the US complains that someone is planning to do ${bad_thing} you can be pretty certain it means that the US is actually doing ${bad_thing} to someone else and that’s why they’ve only just now had a chance to think about it and realize that it’d be a ${bad_thing} if someone did it to us.

------ divider ------

By the way, it oughtn’t surprise anyone that power grid systems are pieces of shit, security-wise. They’re designed with the notion of saving costs, which means that they were usually built with lots of shortcuts in the design – a system designed for security would be much harder to build (and more expensive). The big problem is that a smart grid system is a messaging bus with a command/control architecture atop it. That usually means that the messages come from someplace (devices, generators, etc.) and are transmitted within the bus, to places that make automatic executive decisions based on those messages. That guarantees that message integrity of origin is going to be a big problem. It also means that message structure flaws are going to be a big problem. So: what happens if we inject spurious messages? What happens if we inject messages that are over- or under-sized? What happens if we capture yesterday’s messages and re-inject them? (replay attack) These are basic attack-hypotheticals; if I were examining such a system’s design, I’d ask the designers how they built the system to resist those attacks. Computer programmers being how they are, I’d expect them to sit there with their jaws hanging and maybe one of the more energetic ones would say “we use Java and SSL so it’s secure.” That’s without the more subtle errors like considering if a cascading failure could be induced, or how the command/control interface’s users are authenticated and the integrity of their systems. Smart grid systems could have all the good design in the world but it’s pointless if the user is accessing it from a Windows desktop full of NSA, Chinese, and Russian malware.

I grabbed the picture above for some decoration and couldn’t help but laugh because it’s from an article that’s all about what I just described in the preceding paragraph. Apparently smart grid “smart meters” have a variety of messages that they send, which are completely trusted by the control plane. The paper I got the image from is hypothesizing that a denial of service attack via smart meters is reasonable – I’m more inclined to look for how to cause massive billing anomalies and I wonder how they disambiguate correct messages from spurious ones. [DCA]
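The three design-review questions above (spurious, mis-sized and replayed messages) map onto three receiver-side checks. The following is an added illustration, not code from the original post or from any real smart-grid product; the frame layout, the device name METER001, the size limit and the skew window are all assumptions made for the example.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct(">8sQQH")  # assumed layout: device id, counter, unix time, payload length
TAG_LEN = 32                      # HMAC-SHA256 tag appended to every frame
MAX_PAYLOAD = 64                  # assumed upper bound for one meter reading
MAX_SKEW = 300                    # seconds a frame may differ from the receiver clock

def seal(key, device, counter, ts, payload):
    """Sender side: header + payload + HMAC tag over both."""
    body = HEADER.pack(device, counter, ts, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, keys):
        self.keys = keys          # device id -> per-device secret
        self.last_counter = {}    # device id -> highest counter accepted so far

    def accept(self, frame, now):
        """Return (True, payload) or (False, reason)."""
        low = HEADER.size + TAG_LEN
        if not low <= len(frame) <= low + MAX_PAYLOAD:
            return False, "bad-size"            # over- or under-sized frame
        device, counter, ts, plen = HEADER.unpack_from(frame)
        if len(frame) != low + plen:
            return False, "length-mismatch"     # declared length disagrees with frame
        key = self.keys.get(device)
        if key is None:
            return False, "unknown-device"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad-tag"             # spurious or modified message
        if abs(now - ts) > MAX_SKEW:
            return False, "stale"               # yesterday's capture
        if counter <= self.last_counter.get(device, -1):
            return False, "replay"              # re-injected inside the skew window
        self.last_counter[device] = counter     # state advances only on authentic frames
        return True, body[HEADER.size:]

if __name__ == "__main__":
    key, now = b"k" * 32, 1_700_000_000         # constructed sample values
    rx = Receiver({b"METER001": key})
    frame = seal(key, b"METER001", 1, now, b"kwh=12.5")
    print(rx.accept(frame, now), rx.accept(frame, now))
```

The counter table has to survive receiver restarts, otherwise frames captured within the skew window become acceptable again.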

Comments

  1. says

    International humanitarian law is an attempt to restrain power

    You sure? I mean, the USA seems to disagree with you about this. International humanitarian law is just a handy excuse that can be used each time the USA wants to start yet another war: “Those brown people over there are committing crimes against humanity, now let’s go and drop some bombs on their homes.”

  2. jrkrideau says

    Perhaps now some people will re-assess whether the US had any involvement in Venezuela’s power grid problems.

    I must say I have no reason to re-assess it. Given the timing of the outages I immediately assumed it was a US attack and have no reason to change my mind. If it had been a year before, then a system failure, possibly due to bad maintenance, would have been perfectly credible.

    Ah wait, the US is not attacking Argentina is it?

  3. says

    This looks like some kind of message to me, but I’m not clear on who’s sending the message, who they’re sending it to, or what it actually is. I just doubt that information like this could get into NYT without someone okaying it. Someone is benefitting, but it’s not clear to me who or how.

    The article mentions “current and former government officials”, but that could mean anything. Who is feeding this information to the NYT and why? Is this just saber-rattling, to get the Russians to back off? If so, why such a public article? Don’t they have more confidential channels? If the message is just to a small group, then why announce it to the world? So, it seems that this message (whatever it really is) was meant for a wide audience.

    Perhaps that’s part of the point. Perhaps the message is: “We’re done pretending we can’t (and don’t) do this kind of thing. Don’t rely on the idea that we won’t do something because it’ll be too obvious. We’re okay with being obvious. We’re okay with telling the whole world that we can and will do this.”

  4. Dunc says

    Perhaps the message is: “We’re done pretending we can’t (and don’t) do this kind of thing. Don’t rely on the idea that we won’t do something because it’ll be too obvious. We’re okay with being obvious. We’re okay with telling the whole world that we can and will do this.”

    The rest of the world already knows. The Russians definitely know. The only people that aren’t already perfectly clear about this are the American public.

  5. says

    Dunc@#7:
    The only people that aren’t already perfectly clear about this are the American public.

    That’s why we live in a hypersaturated solution of propaganda and chunks of fake news.

  6. says

    The article mentions “current and former government officials”, but that could mean anything. Who is feeding this information to the NYT and why? Is this just saber-rattling, to get the Russians to back off? If so, why such a public article?

    There is a really interesting interview in The Intercept with James Risen that touches on this. Basically, there is a great deal of information about the secret doings of government that newspapers learn through investigation and leaks, but they negotiate a time to release the information with the administration. Usually that means the administration wants the story buried (which often happens) but sometimes it buys them a year or two on the excuse that it will affect elections. Which is what it’s supposed to do except that the media are in on it.

    https://theintercept.com/2018/01/03/my-life-as-a-new-york-times-reporter-in-the-shadow-of-the-war-on-terror/

  7. avalus says

    Damn, add to the last comment: Why can’t the Great Old Ones eat the squirrelpeople and powerfetishists/faschos?

  8. jrkrideau says

    @ 6 LykeX
    Is this just saber-rattling, to get the Russians to back off?
    Could be, but if it is whoever is doing it apparently knows nothing about the Russians. It is not really smart to poke a grizzly bear with a stick.

    I think they are getting really annoyed with the US and they know the US cannot be trusted to keep any agreement.