Digital Conflicts is a bi-weekly briefing on the intersections of digital culture, AI, cybersecurity, digital rights, data privacy, and tech policy.

Brought to you with journalistic integrity by Guerre di Rete, in partnership with the University of Bologna's Centre for Digital Ethics.

New to Digital Conflicts? Subscribe for free to receive it by email every two weeks.

N. 1 - 26 Jan 2024
Authors: Andrea Daniele Signorelli and Carola Frediani

Index:
- Stuxnet’s never-ending story
- GPS interference in the Baltic Sea
- EU AI Act final cut
- Cyber attacks in Ukraine
- Cultural organizations fear ransomware after the British Library
- Turkey and VPNs
- Spyware and Poland
- In brief

CYBER WEAPONS
The Dutch engineer who delivered Stuxnet

More than 15 years later, the story of Stuxnet (the malware that sabotaged the Iranian nuclear program, later dubbed the first "cyber weapon") continues to make headlines.
An investigation by the Dutch newspaper De Volksrant has indeed revealed the identity (and movements) of the Dutch spy who managed to infiltrate the Natanz uranium enrichment facility, introducing the malware that would eventually damage the centrifuges. However, according to the newspaper, the same AIVD – the Dutch intelligence agency which had organized the operation after meetings with the CIA – was not fully aware of the details. Even more in the dark about the implications were the country's politicians.

By 2019, an investigation by De Volksrant and Yahoo News had already revealed Dutch involvement in the sophisticated cyber-sabotage operation known as Operation Olympic Games (in which the United States and Israel were the main players, with Iran as the target).

Now, however, many more details have emerged. Firstly, the identity of the person who physically brought Stuxnet to Natanz, a site protected by extensive security measures and disconnected from the internet, has come to light. The AIVD decided to recruit an audacious Dutch engineer, Erik van Sabben, who lived in Dubai, worked for a transportation company that also did business with Iran, and had an Iranian wife. He was, in essence, a perfect cover. It was van Sabben who entered Natanz in 2007 and installed the equipment that introduced Stuxnet. The engineer died in a motorcycle accident in Dubai a few weeks after hastily leaving Iran at the end of 2008. There is no evidence to suggest that it was anything other than an accident, although, as Volksrant notes, "his sudden death after the operation raised questions among some intelligence service employees”.

It was the first time, at least as far as we know, that malware capable of damaging a crucial industrial facility was distributed by some countries against others. The geopolitical consequences of the Stuxnet sabotage were significant. Once the operation became known, other countries also began developing digital weapons, starting with Iran itself.

De Volkskrant claims that national politicians were unaware of the AIVD's intention to play such a role in sabotaging the Iranian nuclear program. Consequently, there have been no political considerations of the risks or legality of the operation. Even the AIVD agents involved in the operation were unaware that a digital weapon was concealed in the equipment destined for Natanz. On the other hand, former CIA director Michael Hayden has stated that he has "always liked working with the Dutch" and believes they are "good at their job".

The digital operations carried out by the Dutch did not, in fact, cease with Stuxnet. In 2014 and 2015, the AIVD breached the computers of the Russian hacker group known as Cozy Bear, witnessing in real-time the Russians infiltrating the networks of US Democrats (and alerting the FBI). Meanwhile, the Dutch police have been involved in numerous digital operations against criminal activity, infiltrating dark web black markets and dismantling cryptophone networks.
Books on Stuxnet: Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, by Kim Zetter

GPS
Finland and Sweden report GPS interference in the Baltic Sea

According to the Finnish Transport and Communications Agency (Traficom), disruptions in GPS (Global Positioning System) navigation signals were detected in eastern and southeastern Finland around New Year’s Eve. The disruptions were reported by the GPSjam website, which provides information about GPS interference.

"Probably someone is jamming GPS," tweeted John Wiseman, the site administrator. "In this area, it’s usually thought to be of Russian origin. It might be harassment, or a military exercise. It’s usually not a critical safety issue for aircraft, but it is annoying and does remove a layer of safety. People on the ground are probably not even affected."

Traficom reassured that GPS disturbances would not affect flight safety, because, as reported by the Finnish public TV website Yle, aircraft are equipped with alternative navigation systems. A researcher known online under the pseudonym Markus Jonsson claims to have identified the geographical origin of the interference by examining the flight data that reported GPS problems, identifying, as reported by the Finnish newspaper Iltalheti, three possible locations: Kaliningrad, Poland, or Denmark. Kaliningrad is the capital city of the Russian exclave of the same name, located between Lithuania and Poland.

Jukka Savolainen, the director of the European Center of Excellence for Countering Hybrid Threats in Finland, also believes it is highly likely that Russia is behind the interference, as reported by the Estonian public TV website.
The activity continued into January, according to the Swedish public television SVT. "Between December 18 and 26, we received a total of about five reports," said Johan Westin, an inspector at the Swedish Transport Agency. Disturbances occurred mainly at night in southern Sweden and the southeastern Baltic Sea.

The Swedish Military Intelligence and Security Service, MUST, is analyzing the incidents, which coincided with the announcement of a Russian Navy exercise in Kaliningrad, aiming to disrupt "enemy navigation and telecommunications".
The Norwegian Civil Aviation Authority, LFV, is also monitoring the situation.

AI AND EUROPE
The European AI Act is the spearhead of global regulation

The final approval of the AI Act, the European regulation on artificial intelligence, is expected in the first half of 2024. "Although most AI applications will get a free pass from the AI Act," writes the MIT Tech Review, "companies developing foundation models and applications that are considered to pose a 'high risk' to fundamental rights, such as those meant to be used in sectors like education, health care, and policing, will have to meet new EU standards. In Europe, the police will not be allowed to use the technology in public places, unless they get court approval first for specific purposes such as fighting terrorism, preventing human trafficking, or finding a missing person."

As with the GDPR, the European example will "set the de facto global standard, shaping the way the world does business and develops technology. The EU successfully achieved this with its strict data protection regime, the GDPR, which has been copied everywhere from California to India. It hopes to repeat the trick when it comes to AI”.
"In the United States, legislators will continue to build upon the executive order issued by President Biden last October, aiming for increased transparency and the establishment of new standards”.

”Next year will build on the momentum of 2023, and many items detailed in Biden’s executive order will be enacted. We’ll also be hearing a lot about the new US AI Safety Institute, which will be responsible for executing most of the policies called for in the order," MIT Tech Review writes.

China is also gearing up to implement the law on artificial intelligence announced last June. According to the Chinese Academy of Social Sciences, the new law will propose a "national AI office" to oversee AI development in China, demand a yearly independent "social responsibility report" on foundation models, and establish a "negative list" of AI areas with higher risks that companies cannot research without government approval.

Another region that might introduce new regulations related to artificial intelligence is Africa. "The African Union is likely to release an AI strategy for the continent early in 2024, meant to establish policies that individual countries can replicate to compete in AI and protect African consumers from Western tech companies."

Has facial recognition control been weakened?

However, after the agreement reached in the political trilogue in December, the AI Act has entered the intricate phase of the technical trilogue, where the processing of details will make the difference. The official final text of the law is not yet available, but POLITICO has obtained a draft.
According to the analysis (via newsletter) by the digital rights NGO Access Now, this draft reveals ambiguous room for manoeuvre and the risk that some of the safeguards and rights provided for in the law could be weakened.
”As it stands, it would allow police to use facial recognition for identifying suspects in existing video footage without a judge’s approval", writes the NGO.

The AI Act technical negotiations and the leak

As reported on X by journalist Luca Bertuzzi, the final text of the AI Act was shared with EU countries on January 21, while formal adoption at the ambassador level (i.e., COREPER) is scheduled for February 2. A very tight timeline prevents national delegates from analyzing the entire text, forcing them to focus on key points. France is attempting to delay the vote at COREPER in order to secure some concessions. If it fails to find allies and form a blocking minority, France will continue to exert pressure to influence the AI law's implementation.

What about general-purpose AI?

Wired Italy has analyzed the leaked draft. In terms of general-purpose AI systems, trained through a huge amount of data, such as GPT-4, developers need to ensure that content is recognisable as generated by an AI. Users need to know if they are interacting with a chatbot. And deepfake content must be labelled as such (through systems such as watermarking).

The regulation sets a threshold to identify high-impact systems, which have a greater impact on the population and have to meet stricter obligations. The value, as stated in December, is a computing power of 10^25 FLOPs (floating point operations per second, a measure of computer performance).
At present, only OpenAI's GPT-4, Google's Gemini and a few Chinese models would meet this requirements, says Wired Italy.

High-impact AI models will have to apply ex-ante rules on cybersecurity, transparency of training processes and sharing of technical documentation before reaching the market. Below them are all the other foundational models, such as the French Mistral and the German Aleph Alpha. In this case, the AI Act is triggered when developers commercialise their products. Open source models are excluded.

Video: The EU AI Act Explained

AI AND ELECTIONS
OpenAI takes precautions ahead of the election year

In anticipation of the 2024 elections in various countries, OpenAI is taking steps to identify AI-generated content. OpenAI has announced that early this year it will implement a system to increase transparency about the history of images generated by DALL-E 3, which will encode details about the origin of the content (using the digital credentials of the Coalition for Content Provenance and Authenticity – C2PA).
OpenAI also claims to be testing another system, a provenance classifier for images, to detect those generated by DALL-E.

OpenAI has stated that it will not allow people to use its tools to create applications for political campaigns and lobbying. It will also prohibit the creation of chatbots pretending to be real individuals (e.g., candidates) or institutions (such as local administrations). Applications that discourage people from participating in democratic processes by distorting the representation of electoral mechanisms (for example, when and how people will vote, and who has the right to vote) or discouraging voting itself will also not be allowed.
See also: The WashPost

CYBERWARFARE/UKRAINE WAR
Cyber attacks in the Ukraine war
Meanwhile, cyber attacks on critical infrastructure have become increasingly common. During the war in Ukraine, for example, several such incidents were observed.

On December 12th, a cyber attack targeted Ukraine's largest telecommunications provider, Kyivstar. Its 24 million Ukrainian subscribers and another million domestic internet service customers were cut off from communications for days. Around 30% of PrivatBank's cashless payment terminals ceased to function.

Many users had to purchase SIM cards from other operators due to the attack. Additionally, the Ukrainian anti-aircraft alarm system was disrupted, leading to alarms not functioning in some cities. The group Solntsepyok claimed responsibility for the operation, releasing screenshots purportedly showing the breach of Kyivstar's digital infrastructure. According to the Ukrainian state agency for cybersecurity, the SSSCIP, Solntsepyok is believed to be a cover for the Russian military intelligence agency GRU.

Illia Vitiuk, head of the cybersecurity department at the Ukrainian Security Service (SBU), stated in an interview with Reuters that the attack wiped out "almost everything," including thousands of virtual servers and PCs. Vitiuk described it as perhaps the first example of a cyberattack that "completely destroyed the core of a telecommunications operator." "This attack is a message, a big warning, not only to Ukraine but to the whole Western world, to understand that no one is actually untouchable," he added.

However, in early January, Ukrainian hackers decided to counterattack. A group known as Blackjack, believed to be linked to Ukrainian services, breached a Moscow-based TV and internet provider, M9 Telecom, leaving some residents of the capital without connectivity. The internet connectivity monitoring service Netblocks corroborated the impact of the attack. According to a source familiar with the operation, as reported by Reuters, the action was a retaliation for the Kyivstar attack.
Ukrinform, a Ukrainian media outlet, also covered the incident.

PROPAGANDA / AI / WAR
How to weaponize greeting videos

Let's stay with the war in Ukraine, but shift our focus to propaganda and disinformation. A December report from Microsoft highlighted a new low-tech tactic: using the services of a celebrity video messaging app to repurpose original content.

To understand what we’re talking about, we first need to explain what Cameo is. It is an app that allows users to purchase a custom-recorded video message from a celebrity. This video can be sent as a gift to someone, providing them with personalized greetings or motivational messages from their favorite artists or personalities.

Microsoft reported that some American celebrities, such as Elijah Wood, Dean Norris, Kate Flannery, and John McGinley, seemingly recorded videos addressed to an individual named Vladimir, urging him to seek help for substance abuse. These same videos were then used and altered to make it appear that the invitation was directed at Vladimir Zelensky. Subsequently, these messages circulated on social media as a propaganda weapon. Whoever is orchestrating this is unknown, but the goal seems clear.

CYBERCRIME
Attack on the British Library raises alarm for cultural organizations

The main catalog of the British Library, containing over 36 million records, has returned online after a cyber attack in October. However, it will only be available in "read-only" format for now. The library's CEO warned that the full restoration of all services will be a gradual process, as reported by the BBC.

In October, the British Library went offline following a severe ransomware attack (which encrypts documents to demand a ransom, often threatening to publish stolen data). After the library refused to pay a £600,000 extortion, the cybercriminals (the Rhysida gang) released hundreds of thousands of stolen files, including customer and staff data.

In recent days, it has also emerged that the library "will be now forced to spend about 10 times that amount rebuilding most digital services at an estimated cost of £6mn-£7mn," writes the Financial Times, "... consuming a sizeable proportion of the £16.4mn in unallocated reserves".  Months after the cyber attack, users continue to face disruptions. The online catalog was unavailable for months, and library activities have been slowed down.

In December, The New Yorker wrote: "For those who rely on the collections of the British Library (BL), and more broadly, on its distribution of free digital information to the British educational system, the consequences of the cyberattack have been dire. Outside the Maps Room, which offers access to four and a half million documents, going back to the 15th century, a display read, 'Disruption to certain services is now expected to persist for several months.' Inside, the reading room was empty except for two security guards and a librarian standing on a chair (it was impossible to hand over precious materials without electronic monitoring). 'It's like this all day,' one of the guards said. He thought the library might be up and running by Easter.”

This is not the first time that a significant cultural institution has been challenged by a severe cyberattack. As noted by The Art Newspaper, between 2022 and 2023 institutions such as the Metropolitan Museum of Art in New York, the Toronto Public Library, and the Museum für Naturkunde in Berlin also fell victim to ransomware attacks.

This incident at the British Library has alarmed many cultural organizations relying on digital technology for reservation systems, collection management, and documentation. "Museums, galleries and archives have been urged to tighten their cybersecurity," wrote the Museums Association in December.
Read also: On the matter of the British Library cyber incident - by Ciaran Martin

CENSORSHIP
Turkey has blocked several VPNs

According to documents reviewed by the Financial Times, a month ago, the Turkish Information Technologies and Communications Authority (BTK) ordered Internet service providers to limit access to 16 VPN services, including TunnelBear, Surfshark, and CyberGhost.
Meanwhile, X has stated that it has "taken measures" against 15 posts following a court order because, if it had not complied, it would have risked a ban. The Financial Times essentially corroborates what was reported weeks earlier by DW, which listed Proton, Ipvanish, and Cyberghost among the blocked VPNs.
Here’s a list of the 16 VPNs.

SPYWARE
Poland, the new parliament wants an investigation into Pegasus

The Polish parliament has declared its intention to set up a committee of inquiry to investigate the alleged use of the Pegasus spyware by the previous government, led by the Law and Justice Party (PiS), "which is suspected of having spied on opposition politicians and magistrates critical of its administration", according to Euractiv.
The new government, led by former European Council President Donald Tusk, took over from PiS in December after the electoral victory.

IN BRIEF

EU & Quantum
The EU should support more funding initiatives targeted to deep tech and quantum technologies, according to founders and strategists working within the quantum field in France. (Euractiv)

Fixing AI
This London based startup is trying to build new AI architectures that fix a lot of the big problems around trust and reliability of today’s latest models.(Sifted)

European Silicon Valley?
The UK government wants to turn Cambridge into “Europe’s Silicon Valley.” But the city has different ideas. (Politico Europe)

Thank you for reading.

Guerre di Rete is a non-profit Italian information project on the points of convergence and collision between digital culture, surveillance, privacy, online censorship, artificial intelligence, human rights, politics and labour. Launched in 2018 as a weekly newsletter, it has more than 13,000 subscribers. The project expanded in 2022 with a news website, and in 2024, thanks to the support of the University of Bologna, with the English edition of the newsletter - Digital Conflicts. Digital Conflicts is curated for an international audience and with a European perspective.