Discover the crisis starting point

The CNN News Story:

CNN-Tech – November 14, 2021: “QANALOG – Towards A Technology 9/11?

A group acting under the name QANALOG has threatened to severely disrupt activities of a number of leading technology companies, public entities and even governments worldwide.

A CNN staff news story with contributions by Aïsha Samadi, John LeRoy and Lorne Meyers.

According to a 19-page memorandum which was leaked earlier this week to news agencies Al Jazeera, TASS and Reuters, as well as to media outlets CNN and FOX News in the US, an organisation labelled “QANALOG” claims that it plans cyber-physical attacks on a host of all-size targets in the US, Europe and South-East Asia. Only last week, shortly after the Times of India news desk received an unverified phone call by a person claiming membership in QANALOG, a fire-sale type attack targeting the city of Delhi could be stopped after it had produced only limited effects on the megalopolis’ public transport system, with the city nonetheless claiming 195 people dead and 459 injured in the incident.

A source close to the matter told CNN’s John LeRoy, that the US government was “in the possession of conclusive evidence it was ready to share with allies that a number of recent terrorist acts are attributable to QUANALOG”. And the source to quote last month’s Bay Area fibre optic black-out, multiple micro drone swarms having approached airports and other critical infrastructures in Australia, Japan, Canada and Italy, the short-range anti-tank missile attacks on medium voltage substations in Norway and Germany, using NLAW weapons systems stolen earlier in this year from NATO arsenals in Luxembourg and the UK, the 45 seconds server break-down (the exact cause of which being unknown at the time of writing) at NASDAQ one week ago, as well as the combined DDoS and ransomware attacks over the past 9 months on a number of groups and entities of the healthcare sector in the Netherlands, Switzerland, South Korea and New Zealand, among which, most prominently pharma giant PROTOXX, one of the leading labs in Covid 19 vaccine research. A DIA official expressed concern that the list of potential target sites and systems published by QANALOG contained “a cherry-pick of strategic locations, among which an impressive number of “FPCON Bravo”[1] sites or their civil equivalents in the US and in allied countries”, operated by both private and public entities, which would urgently require a terrorist attack focussed update to their safety and security procedures: data centres, utility grids, airports, government buildings, etc.

According to an Interpol “most wanted” list of persons and organisations, QANALOG is among the top 5, despite it being, at least to the public, the “new kid on the block”. “However”, says Jacob Carlinas, a security expert, “the organisation has a familiar DNA. While the real motivations of the organisation remain obscure like its sources of funding, outside the Darknet – maybe they are into bitcoin trade or oil or stuff”, says Carlinas, “QANALOG’s decentralised structure – the organisation claims 9 key people on 4 continents with thousands of sleepers and copycats – and its multi-layer attacks – purely physical, literally “brute force” & sometimes slow burn destruction of infrastructure combined with medium to large scale cyber-attacks, possibly already relying on quantum and AI to scale the attacks and cover their tracks and their retreat reminds me of a terrorist network which made the news post-9/11. The frightening part, says Carlinas, is that combination of “stupid-simple” with “outstandingly smart” in their ops. That’s a hard combination to come to terms with!” According to Carlinas, the organisation’s maxim is thus to be taken very seriously: “N-I-S – No-one Is Safe!”

The Reactions:

USA: In response to the QANALOG memorandum, during yesterday’s National Security Briefing in the White House, the President’s National Security adviser Jeremiah Bolt has suggested that, in order to strengthen the US’ counterterrorist investigation capabilities, all US entities operating outside the United States and storing data that could concern or be of interest to the US in that context be obliged, to mirror such data in a datacentre on US soil. Interviewed by CNN, Deputy speaker of the House John McClusky [D, DE] said the House could consider supporting such a measure to the extent US security interests were at stake. At the signing ceremony of the new presidential decree, the President said he was considering granting access to such data to law enforcement and governmental services in charge of national security and defence, echoing a suggestion by the NSC and the Department of Homeland Security.

EU: In a statement to journalists attending a “Meet the Press” in the European Commission’s press room in Brussels, Commission Vice President Jean-Pierre de la Burderie, while pointing to the forthcoming “Communication on an EU Strategy for a more effective fight against Cyber-terrorism”, and while greeting initiatives against terrorism in general and cyber-terrorism and cyber-crime in particular, contested in very strong terms the competency of the US to unilaterally regulate data sovereignty above and outside any coordination with the European Union. De la Burderie reflected in his statement on the position the US would take if, in response to what he considers a breach of the European Data Sovereignty principles, the EU would move towards “GDPR based retaliation, taking the form of a narrow scrutiny by the Commission of the wheelings and dealings of American companies active within the EU, specifically as regards data storage, data protection and data access.”

IRELAND: The Irish DPO Karen Mulberry said she was confident with the ongoing GDPR-compliance of Ireland based GAFAS. She warned the EU of a more than counterproductive storm in the teapot & stressed that Ireland would not fall into the trap of a post-election purely partisan manoeuvre of the US President.

NATO/N: At a NATO Defence Ministers’ Meeting in Brussels, Norwegian Defence Minister Axel Lund proposed a “data embassy/data freeport” [sic] type intermediary solution to the US companies concerned by the new regulation. Lund offered that Norway could take the lead in a negotiated approach to the subject with the US government.

California: Within hours of the signing of the presidential decree, the State of California launched a PR campaign in major US and international media, claiming its California Consumer Privacy Act, entered into force on January 1, 2020, to be in full conformity with GDPR.

Luxembourg: The Luxembourg Minister of Foreign Affairs, chairing an EU Council of Ministers, after uttering a silent but meanwhile proverbial “m…-alors”, calls the US Ambassador in Luxembourg for an explanatory exchange on the US regulation and its potential impact on the European-US political and economic relations.

Certain experts at a conference in Luxembourg cast doubt on a decentralised organisation’s capabilities to have recourse to top-level quantum technology and AI in a global cyber-physical criminal endeavour – “Those technologies and their level of sophistication do not go well with Molotov cocktails, weapons of war, and cable cutting chainsaws!”

[1] FPCON Bravo is an alarm level in the US Armed Forces applying when an increased or more predictable threat of terrorist activity exists. FPCON stands for Force Protection Condition


LU-CIX as organiser of the Luxembourg Internet Days WEB Event 2020 [“LID2020”] has chosen to place the event within the scope of an international crisis scenario, allowing the members of the 6 panels to take place during LID2020 to act as crisis team and address the scenario from the individual panel-specific point of view.

The scenario is a pure work of fiction and not meant to describe any state or evolution in the technological, political, economical, social or human field. While real persons or events may have served as inspiration, the story, all names, characters, and incidents portrayed in the scenario are fictitious. No identification with actual persons (living or deceased), places, buildings, companies, products or services  is intended or should be inferred.

Positions taken or statements made by individuals during the event as speaker, panel member or part of the audience are the positions and opinions of that individual person and reflect by no means the positions or opinions of LU-CIX or its members and neither LU-CIX nor its members shall bear any liability with regard to such positions or opinions.


Also good to read: