This blog post was written by Chris Bronk, a Fellow in Information Technology Policy at the Baker Institute for Public Policy, Rice University.
First there was Stuxnet, identified in 2010, a piece of computer code that is widely believed to have been specifically designed to instruct computers in the Iranian nuclear enrichment program to damage centrifuges necessary to produce fissile material. Next, in 2011, came Duqu, a computer worm which appears to hold the capacity to remove and delete data from infected computer hosts. Now, the computer security community has its latest item of study, Flame, yet another piece of software designed to purloin data, perhaps including via the clandestine operation of onboard web cams found in many of the world’s personal computers.
Over the coming days and weeks, security experts will deconstruct Flame and explain what it can and can’t do. While this work is ongoing, it is also important to consider the politics of Flame, as they matter as much if not more. I suggest considering seven interrelated points on Flame that stretch from its discovery to the blitz of awareness regarding its existence.
1. News reports identify instances of Flame on computers in the Middle East, from Iran to the Palestinian Occupied Territories. Flame was quite possibly the malware detected in the Iranian petroleum refining and export complex at Kharg Island.
2. According to some reports, the Iranians brought Flame to the International Telecommunications Union (ITU), a body of the United Nations concerned with international telecom regulations issues, but interested in a broader role in Internet governance.
3. ITU officials tapped Kaspersky Lab, a Russian security company, to study Flame. The ITU could have shared Flame’s code with multiple security firms, the international Computer Emergency Response Team (CERT) community, or academic research institutions that study malware code and produce formal reports and proceedings on their analysis, but chose instead to use Kaspersky.
4. Kaspersky, based in Moscow, put out an FAQ on its findings on its website, not a full malware analysis report. While the FAQ is informative, it does not methodically walk through Flame’s software code and explain what subcomponents of the software do. Security researchers aren’t given the ability to see the proof of their work.
5. The Laboratory of Cryptography and Systems Security (CrySyS Lab) at the Budapest University of Technology and Economics did conduct a thorough analysis of sKyWIper, which Kaspersky later announced was an exact match to Flame and also the software identified as Flamer by the Iranian national CERT.
6. Now the politics. Once the Kaspersky press machine kicked on, the Iranians were quick to castigate Israel as Flame’s source. Arguments are now circulating on the Web that Flame’s code was written during Jerusalem-time working hours and not written on days of the Jewish Sabbath. Anyone who has developed software knows that working hours usually translate to whenever the coders feel like working, and often over very long stretches of time. This seems to be a stretch.
7. Now the ITU is about to issue its first ever cyber warning. This is in advance of the organization’s major World Conference on International Communications, which will take place in Dubai in December. The Dubai conference will detail how the ITU intends to expand its role in international Internet governance, a job currently undertaken by the International Corporation for Assigned Names and Numbers (ICANN) of Marina del Rey, California, a private, non-profit corporation.
All of this adds up to a story that is much more about international politics surrounding a piece of malware than the malware itself. Thanks to Stuxnet, the Internet Freedom agenda, and the Arab Spring, cyberspace is now political space and matters a great deal in international relations.