Two Historical Notes on Equation

Herb Lin
Wednesday, February 18, 2015, 5:25 PM
Yesterday’s New York Times carried a story about how the United States has found a way to “permanently embed surveillance and sabotage tools in [targeted] computers and networks.” If the reporting on Equation is to be believed, the scope and sophistication of the enterprise is truly breathtaking. But the particular technique—hiding malware in the firmware of a computer or router—is not new.

Published by The Lawfare Institute in Cooperation With Brookings

Attacks on firmware have been around for a long time, and old-timers remember the Chernobyl virus of 1998, which attacked the BIOS firmware chip of many computers and turned a few hundred thousand of them into big paperweights. The reason that such attacks are possible is that modern firmware is usually deployed with capabilities for in-field (often remote) reprogramming, because vendors want to be able to add new features or to fix bugs. There is a relatively easy fix for the problem: a hardware switch that, when flipped, would prevent reprogramming of the basic chip. But vendors have been reluctant to incur that expense in the absence of customer demand, and installing such a switch would make remote reprogramming (i.e., upgrades) much more inconvenient.

[Note added later: Steve Bellovin elaborates on the issues involved with even adding a switch. And he's right. Nothing is ever simple, and I was wrong to imply that above.]

A second historical note on Equation may be found in a Washington Post op-ed written in February 2010 by a former director of the NSA, Mike McConnell, in which he wrote that “preemptive strategies might be required before. . . adversaries launch a devastating cyber-attack. We preempt such groups by degrading, interdicting and eliminating their leadership and capabilities to mount cyber-attacks. . .” Think about what would be required to preempt an attack—specifically, about the necessary presence on adversary machines. Preemption means to attack before the adversary has struck, and to degrade and eliminate the adversary’s capabilities for doing so. The only way to achieve that goal—when hostile capabilities might be located on any one of an adversary’s systems—is to be present on as many adversary machines as possible in advance. And planting malware in non-obvious places, such as firmware, would certainly be a part of maintaining a continuing presence. Is Equation a part of such an effort? I have no inside knowledge, and readers' thoughts are welcome.

Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. His research interests relate broadly to policy-related dimensions of cybersecurity and cyberspace, and he is particularly interested in and knowledgeable about the use of offensive operations in cyberspace, especially as instruments of national policy. In addition to his positions at Stanford University, he is Chief Scientist, Emeritus for the Computer Science and Telecommunications Board, National Research Council (NRC) of the National Academies, where he served from 1990 through 2014 as study director of major projects on public policy and information technology, and Adjunct Senior Research Scholar and Senior Fellow in Cybersecurity (not in residence) at the Saltzman Institute for War and Peace Studies in the School for International and Public Affairs at Columbia University. Prior to his NRC service, he was a professional staff member and staff scientist for the House Armed Services Committee (1986-1990), where his portfolio included defense policy and arms control issues. He received his doctorate in physics from MIT.
