FORBES: The Russian security company, Kaspersky Lab, recently contacted IMPACT, the global cybersecurity coordinating center run by the UN’s International Telecommunication Union (ITU), and reported that new variations of a malicious software known as Flame were capable of stealing large amounts of data from government and critical infrastructure systems. IMPACT (an acronym for the International Multilateral Partnership Against Cyber Threats) began working closely with Kaspersky and issued an alert to its 142 member countries. The United States, however, did not receive the alert because it is not a member of the global cyber center. In fact, the U.S. State Department has rebuffed the organization’s overtures to join and has blocked other U.S. government agencies that have tried to develop working relationships with IMPACT.
When pressed for reasons why, the Administration has offered diplomatic excuses, such as the fact that blacklisted countries Iran and Syria are members of IMPACT and interact with the cyber center. This reasoning is nonsensical since (1) the Internet is a global resource connected to 253 countries and territories, including Iran and Syria, (2) tracking and tracing Internet communications requires country-to-country cooperation, and (3) being a member of a center that has points of contact and relationships with these countries would allow the U.S. to benefit from the information while maintaining diplomatic distance with the countries themselves.
Other explanations, including the Administration’s belief that the ITU should not undertake “operational” activities, such as those performed by the cyber center, are equally vacuous. The ITU’s mandate for its activities, including IMPACT, was authorized pursuant to Resolutions from multilateral conferences in which the U.S. participated. The U.S.’s “our way or the highway” attitude in the important area of cybersecurity appears petulant instead of accepting of the fact that its viewpoint did not prevail in a multilateral vote. Moreover, as the Flame investigation shows, the Administration’s position potentially jeopardizes national and economic security interests, including the stability of the critical infrastructure businesses that are dependent upon critical cyber coordination when seconds matter.
A bit of background is helpful here. In 2008, Mohd Noor Amin, a Malaysian who is a British barrister and holds a legal degree from the U.K., recognized that national Computer Emergency Response Teams (CERTs) were inadequate to counter the growing sophistication of cyber threats. He obtained a grant of USD 13 million from the Malaysian government and established the first global coordination center. When John Grimes, then Assistant Secretary and CIO of DoD, learned of IMPACT in 2009 — even before it became a UN entity — he remarked, “This is something that is sorely needed and Dr. Amin has brilliantly filled an important international gap in cyber response and cooperation.” The organization’s initial advisory board included John Thompson, former chairman of Symantec, and Howard Schmidt, the former U.S. cyber czar.
In 2011, IMPACT became the operational arm of the ITU’s Global Cybersecurity Agenda. IMPACT established partner relationships with leading antivirus and security research companies, such as Kaspersky, Trend Micro, Symantec, F-Secure, and Microsoft, and receives daily feeds of threat information from around the globe, which can be correlated to obtain a broader threat picture. IMPACT also developed the largest global point-of-contact network for cyber coordination and established an alert system to simultaneously disseminate warnings and response information to its member countries. Within one year, 142 of the 193 member countries of the ITU joined IMPACT to take advantage of its cyber coordination assistance.
No country is an island on the Internet, and the U.S. cannot expect to be able to adequately respond to cyber attacks or malware infiltrations without the input and involvement of others around the globe. International cooperation and information sharing is critical when investigating cybercriminal activities and responding to malware. The U.S. Administration’s stonewalling of IMPACT has left the U.S. out in the cold at a time when the rest of the world has a laser focus on the Flame malware and the Kaspersky and IMPACT teams are working around the clock with global participants to corral the software and provide updated information.
In a conversation held yesterday with Dr. Amin, he noted that, “No one from the U.S. Government has contacted IMPACT about Flame.” Although the U.S. certainly can contact Kaspersky directly, that type of isolated input about an evolving cyber event has its limitations. Most importantly, it forces the U.S. to assemble data from various companies and governments outside the loop of coordinated activity. Dr. Amin observed that the Iranian CERT has been very actively interacting with IMPACT and antivirus companies, and this information would surely be useful to the Government. “We wish the U.S. would join IMPACT today,” Amin noted.
The U.S. is further disadvantaged by being perceived by some as not being a team player at the very time that it is being accused of developing and launching the Flame malware against Iranian nuclear facilities. The accusation carries more weight following David Sanger’s June 1, 2012 report in The New York Times that Presidents George W. Bush and Obama knew of and approved a joint U.S.-Israeli plot from 2007-2010 to attack and disrupt Iranian nuclear facilities using the Stuxnet malware.
Perhaps more important than being out of the cyber coordination loop is how the U.S.’s attitude is being perceived by others in the international community. If the U.S. were a member of IMPACT and taking an active role in the investigation, it would be upholding its role as a global cybersecurity power. Instead, the U.S. appears as the shirking nation state quietly standing on the sidelines while being accused of engaging in cyberwarfare tactics. “People look to the U.S., Russia, and China for leadership and when the U.S. is absent, they will turn to the other two,” observes Dr. Amin.
The U.S. Administration’s failure to develop a strong foreign policy with respect to cybersecurity reveals a gross lack of attention at the highest levels of the U.S. Government to one of the country’s most vulnerable areas — the IT systems that underpin the functioning of our society and economy. This failure begins at basic strategy levels and extends to reckless disregard for the consequences of the risky covert Stuxnet operation and failure to secure classified information about the program. For example, in May 2011, government delegations from around the world gathered in Geneva for the World Summit on the Information Society (WSIS), one of the most important communications and technology conferences globally. Noticeably, the U.S. did not have a delegation present. Yet, it was during the WSIS event that the U.S. Administration chose to release its International Strategy for Cyberspace – from Washington, D.C. rather than Geneva. WSIS participants were dumbstruck. For the few private sector Americans who were present, including myself, it was embarrassing.
If in fact the Administration did authorize targeting Iranian nuclear systems with Stuxnet and/or Flame, it was a dangerous and reckless decision, especially since the U.S. Government has no idea how many computers in America may be infected with malware capable of being activated by Iran or one of its allies in retaliation. Such “backdoor” malware is capable of having enormous consequences to life and property. A similar CIA covert operation successfully destroyed a Soviet pipeline. In 1982, President Reagan approved a plan to transfer software used to run pipeline pumps, turbines, and valves to the Soviet Union that had embedded features designed to cause pump speeds and valve settings to malfunction. The plot was revealed in a 2004 Washington Post article by David Hoffman in advance of its discussion in former Air Force Secretary Thomas C. Reed’s book, At the Abyss: An Insider’s History of the Cold War. Reed recalled to Hoffman that, “The result was the most monumental non-nuclear explosion and fire ever seen from space.” Unlike Stuxnet, however, the program remained classified for 22 years until the CIA authorized Reed to discuss it in his book. Sanger’s information came from loose-lipped persons involved with the Stuxnet operation.
Before pulling a trigger (or launching malware) a nation should assess its strengths and resources and its correlation of vulnerabilities, which, in 2012, includes understanding what an adversary can do when firing back using cyber capabilities. In addition, before launching covert operations, such as Stuxnet, a nation also should ensure that the secrecy of the intelligence operations can be maintained.
Conversations with Hill staffers indicate that Congress believes the State Department’s 2011 appointment of a Coordinator for Cyber Issues has sufficiently addressed concerns about the lack of U.S. involvement in international cybersecurity matters. Clearly, this is narrow, wishful thinking. Congress needs to stop focusing on what it believes it should force businesses to do about cybersecurity and instead focus on what it should demand that the U.S. Government do to protect our critical infrastructure businesses and avoid retaliatory cyber attacks. The kind of reckless cyber diplomacy and foreign policy now at work has put our nation at risk and demonstrates cyber irresponsibility, not cyber leadership.
 Disclosure: IMPACT briefly was a client of my firm, Global Cyber Risk LLC, in early 2011. Dr. Mohd Noor Amin, founder and chairman of IMPACT, asked me to set up unofficial meetings for him and senior IMPACT personnel with various U.S. Government agencies so they could open a dialogue and begin building relationships with these entities. The U.S. State Department contacted some of the Government personnel and told them not to meet with IMPACT, resulting in some meetings being cancelled.
 See, e.g., Resolutions from the 2010 World Telecommunication Development Conference held in Hyderabad, India in 2010: Resolution 45 (Rev. Hyderabad 2010), “Mechanisms for enhancing cooperation on cybersecurity, including countering and combating spam;” Resolution 69 (Hyderabad, 2010), “Creation of national computer incident response teams, particularly for developing countries, and cooperation between them;” and Resolution 130 (Rev. Guadalajara, 2010) “Strengthening the role of the ITU in building confidence and security in the use of information and communication technologies” from the 2010 Plenipotentiary Conference of the International Telecommunication Union held in Guadalajara, Mexico.