When growing up as a child I played all of the requisite games that young kids play, like lawn darts. It is a marvel that I ever survived that one. Another game that the kids in the neighborhood played a lot of was the game of “war”. In retrospect, after everything I have learned in the intervening years, it is a marvel to me that we sought that out as a favored pastime.
Flash forward to today. Now those same kids grew up and some of us moved into the security space. When I moved into information security as a career I must admit I never thought that I might one day be viewed as a legitimate military target. Yes, I just said that. At the FIRST Conference in Berlin today, Mikko Hypponen delivered his keynote and one of the subjects was exactly that. You, as a security practitioner, are fair game according to the rules of war.
Under the Geneva Convention’s Protocol I, article 52, it says the following: “In so far as objects are concerned, military objectives are limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage.” This is the commonly accepted version of what is a military objective.
I’ll bet that one is a new thought for you. As Mikko said during his keynote “I didn’t sign up for this”. I’m right there with him. I never signed up to be a “legitimate military target”. To be entirely honest that thought never once crossed my mind when I first got into this field. I remember years ago when kids defaced websites and posted their wins on sites like Alldas, Attrition and so on. That was the worst thing that we had to worry about back then. Now, we find nation states deploying tools like Duqu or Cozyduke against other countries.
How did security practitioners and organizations become legitimate military targets? Well, by virtue of the fact that they provide security services and products as well as research. The militaries of your respective countries all use security services that you may or may not contribute to as a result of work that you do.
Let’s look at the incident where Kaspersky disclosed that they had been compromised by Duqu 2.0.
Kaspersky wasn’t the only victim of Duqu 2.0. Based on data the company collected from its customers, the attackers also struck a series of hotels and conference venues, each of them a location where members of the UN Security Council met in the past year to negotiate Iran’s nuclear program. That program is a recurring interest for the attackers behind the Duqu code, which shouldn’t come as a big surprise. The US and Israel reportedly were behind Stuxnet, but various researchers have long suspected that Israel alone was behind the Duqu code. The focused spying on the nuclear negotiations, from which Israel was excluded, would seem to support this theory.
Frightening perspectives. But I want to highlight one key point. Espionage is not the same thing as cyber warfare. Too often I read about missives from talking heads in various governments that this sort of activity is an act of war… no, it is not, but we are all still potentially targets.