新闻来源:www.nytimes.com
原文地址:Opinion | Israel’s Pager Attacks Have Changed the World
新闻日期:2024-09-22
以色列最近对黎巴嫩真主党的大胆袭击事件,导致数百台传呼机和双向无线电设备爆炸,夺去了至少37条生命,鲜明地揭示了网络安全专家多年来一直在警告的威胁:我们计算机化设备的国际供应链使我们面临脆弱性,而目前我们缺乏有效的防御手段。
尽管这些致命行动令人震惊,但执行过程中使用的方法并无特别新颖之处。以色列——其是否参与此事并未确认——入侵国际供应链并在这类装置中嵌入塑料炸药的技术,已经存在多年。新变化在于以色列将它们以如此毁灭性的、极度公开的方式结合起来,凸显了未来大国竞争在和平时期、战争以及两者之间的灰色地带的图景。
目标不仅限于恐怖分子。我们的电脑面临威胁,越来越多的家庭设备也是如此——如冰箱、家用恒温器以及轨道上的许多其他有用之物。危险无处不在。
这次行动的核心——将塑料炸药植入传呼机和无线电设备——自2001年理查德·雷德(The Shoe Bomber)试图在飞机上点燃一些炸弹以来,便构成了恐怖主义风险的一部分。这就是所有机场扫描器的设计目标——无论是您在安检处看到的那些还是后来对行李进行扫描的扫描器。哪怕只有一点量也能造成惊人的破坏。
第二个元素——通过个人设备执行暗杀行动——也不是最近发明的新手段。以色列曾在1996年对哈马斯炸弹制造者和2000年对法塔赫活动家采取过这种方式,两者都死于遥控引爆的自制手机中。
最后但同样复杂的一个环节——攻击国际供应链以大规模破坏设备——是美国自己也做过的事情,目的不同。国家安全局拦截在途中传输的通信设备并进行修改,并非出于破坏目的而是用于窃听。根据斯诺登文件中的信息,该机构曾对打算运往叙利亚电信公司的思科路由器进行过此类操作。想必这并非该机构唯一采取此类行动的方式。
创建一个伪装公司来欺骗受害者也算不上是一个新的花样。据报道,以色列成立了一家空壳公司以生产并向真主党销售装有炸药的设备。而在2019年,美国联邦调查局建立了一家公司向罪犯出售被认为是安全的手机——并非为了暗杀他们而是用于窃听和随后逮捕他们。
结论:我们的供应链易受攻击,这意味着我们同样易受攻击。任何参与高科技供应链的人或团体都有可能颠覆通过其中传输的设备。这种颠覆可用于窃听、破坏或在命令下失效,甚至更难以实现的是,用于杀死目标。
与互联网连接的个人设备——尤其是使用频率高的美国等国家中的设备——特别容易受到攻击。2007年,爱达荷州国家实验室证明了通过网络攻击可能导致高压发电机爆炸。2010年,人们认为由美以两国共同开发的计算机病毒摧毁了伊朗核设施的离心机。2017年解密的中情局文件提及了远程入侵汽车的可能性——维基泄密称这种技术可以用于实施“几乎难以察觉的暗杀”。这不仅仅是理论上的概念:在2015年的《连线》记者驾驶过程中,允许黑客遥控控制他的汽车——他们在他行驶在路上时关闭了引擎。
世界已经开始对这一威胁做出调整。许多国家愈发警惕购买来自不信任国别通信设备。美国及其他国家禁止中国华为的大型路由器,担心它们可能被用于监听——甚至更糟的情况下,在敌对升级中被远程禁用。2019年有轻微恐慌源于可能改变其乘客聆听方式的中国制造地铁列车。
不仅仅针对已完成产品的关注,十多年前美军调查了使用来自中国的零部件在设备中带来的安全风险。2018年的《华尔街日报》报道揭示了美国调查人员指控中国对计算机芯片进行修改以窃取信息的事实。
应对这些和类似攻击的方法似乎并不明显。我们的高科技供应链是复杂且国际化的。对于哈里发党来说,由于这种现象在正常情况下并不会引起任何警觉,因此设备从匈牙利一家公司购买,再由台湾提供给他们,这是完全可以接受的——大多数美国人的电子设备都是从海外采购来的,包括苹果手机,其零件来自数十个国家,在中国组装。
这是一个难以解决的问题。我们无法想象华盛顿会通过立法要求苹果手机完全在中国生产,成本太高,且国内无能力制造这些产品。我们的供应链已经深深、不可逆转地国际化了,要改变这一状况需要将全球经济拉回至上世纪80年代的水平。
那么接下来会发生什么呢?对于哈里发党而言,其领导人和作战人员不再能够信任与网络连接的设备——这可能是袭击的主要目标之一。世界必须等待以观察此攻击带来的长期影响,以及该组织将会如何回应。
但是现在这一界限已经跨越,其他国家几乎肯定会开始考虑这种策略是否合法,可能在战争中使用这种策略对抗军队或在战争前夕对平民进行攻击。而对于像美国这样的发达国家而言尤其脆弱,只是因为拥有大量可被利用的易受攻击设备的数量众多。
原文摘要:
Israel’s brazen attacks on Hezbollah last week, in which hundreds of pagers and two-way radios exploded and killed at least 37 people, graphically illustrated a threat that cybersecurity experts have been warning about for years: Our international supply chains for computerized equipment leave us vulnerable. And we have no good means to defend ourselves.
Though the deadly operations were stunning, none of the elements used to carry them out were particularly new. The tactics employed by Israel, which has neither confirmed nor denied any role, to hijack an international supply chain and embed plastic explosives in Hezbollah devices have been used for years. What’s new is that Israel put them together in such a devastating and extravagantly public fashion, bringing into stark relief what the future of great power competition will look like — in peacetime, wartime and the ever expanding gray zone in between.
The targets won’t just be terrorists. Our computers are vulnerable, and increasingly, so are our cars, our refrigerators, our home thermostats and many other useful things in our orbits. Targets are everywhere.
The core component of the operation — implanting plastic explosives in pagers and radios — has been a terrorist risk since Richard Reid, the so-called shoe bomber, tried to ignite some on an airplane in 2001. That’s what all of those airport scanners are designed to detect — both the ones you see at security checkpoints and the ones that later scan your luggage. Even a small amount can do an impressive degree of damage.
The second component, assassination by personal device, isn’t new, either. Israel used this tactic against a Hamas bomb maker in 1996 and a Fatah activist in 2000. Both were killed by remotely detonated booby-trapped cellphones.
The final and more logistically complex piece of Israel’s plan — attacking an international supply chain to compromise equipment at scale — is something that the United States has done itself, though for different purposes. The National Security Agency has intercepted communications equipment in transit and modified it, not for destructive purposes but for eavesdropping. We know from a Snowden document that the agency did this to a Cisco router destined for a Syrian telecommunications company. Presumably, this wasn’t the agency’s only operation of this type.
Creating a front company to fool victims isn’t even a new twist. Israel reportedly created a shell company to produce and sell explosive-laden devices to Hezbollah. In 2019, the F.B.I. created a company that sold supposedly secure cellphones to criminals — not to assassinate them, but to eavesdrop on and then arrest them.
The bottom line: Our supply chains are vulnerable, which means that we are vulnerable. Anyone — any country, any group, any individual — that interacts with a high-tech supply chain can potentially subvert the equipment passing through it. It could be subverted to eavesdrop. It could be subverted to degrade or fail on command. And, although it’s harder, it can be subverted to kill.
Personal devices connected to the internet — and countries in which they are in high use, such as the United States — are especially at risk. In 2007, the Idaho National Laboratory demonstrated that a cyberattack could cause a high-voltage generator to explode. In 2010, a computer virus believed to have been developed jointly by the United States and Israel destroyed centrifuges at an Iranian nuclear facility. A 2017 dump of C.I.A. documents included statements about the possibility of remotely hacking cars, which WikiLeaks asserted can be used to carry out “nearly undetectable assassinations.” This isn’t just theoretical: In 2015, a Wired reporter allowed hackers to remotely take over his car while he was driving it. They disabled the engine while he was on a highway.
The world has already begun to adjust to this threat. Many countries are increasingly wary of buying communications equipment from countries they don’t trust. The United States and others are banning large routers from the Chinese company Huawei because we fear that they could be used for eavesdropping and — even worse — disabled remotely in a time of escalating hostilities. In 2019 there was a minor panic over Chinese-made subway cars that could possibly have been modified to eavesdrop on their riders.
It’s not just finished equipment that is under the scanner. More than a decade ago, the U.S. military investigated the security risks of using Chinese parts in its equipment. In 2018, a Bloomberg report revealed U.S. investigators had accused China of modifying computer chips to steal information.
It’s not obvious how to defend against these and similar attacks. Our high-tech supply chains are complex and international. It didn’t raise any red flags to Hezbollah that the group’s pagers came from a Hungary-based company that sourced them from Taiwan, because that sort of thing is perfectly normal. Most of the electronics Americans buy come from overseas, including our iPhones, whose parts come from dozens of countries before being pieced together primarily in China.
That’s a hard problem to fix. We can’t imagine Washington passing a law requiring iPhones to be made entirely in the United States. Labor costs are too high, and our country doesn’t have the domestic capacity to make these things. Our supply chains are deeply, inexorably international, and changing that would require bringing global economies back to the 1980s.
So what happens now? As for Hezbollah, its leaders and operatives will no longer be able to trust equipment connected to a network — very likely one of the primary goals of the attacks. And the world will have to wait to see if there are any long-term effects of this attack, or how the group will respond.
But now that the line has been crossed, other countries will almost certainly start to consider this sort of tactic as within bounds. It could be deployed against a military during a war, or against civilians in the run-up to a war. And developed countries like the United States will be especially vulnerable, simply because of the sheer number of vulnerable devices we have.
