Kuang Grade Mark 11 Targets Iranian Nuclear Facilities

by David Betz on 28 September 2010

UPDATE: One of the perils of group-blogging is that while you’re having deep thoughts your pals are doing the same. Looks like Thomas hit the ‘publish’ button before I did. In case you have not yet read his piece, start there with Stuxnet.

For any KOW readers who don’t get the reference, get thee hence to Amazon and educate thyself. I knew all these years reading science fiction would pay off eventually! As most of you will be aware, because it is all over the news, someone designed and released a computer worm called Stuxnet in order, apparently, to sabotage the industrial control systems of Iranian nuclear facilities. The web is alive with speculation about who did it, how, who the target really is, why, and much else, which as a non-techie I am following with a mixture of extreme interest and mild confusion. What does it mean? Well, according to Eugene Kaspersky, CEO of Kaspersky Labs, it is really quite portentous:

This malicious program was not designed to steal money, send spam or grab personal data. This piece of malware was designed to sabotage plants, to damage industrial systems. I am afraid this is the beginning of a new world. Twenty years ago we were faced with cybervandals, ten years ago we were faced with cybercriminals, I am afraid now it is a new era of cyberwars and cyberterrorism.

I think that maybe he is right that this is very significant. To date we have seen no examples of pure cyberterrorism or cyberwar, although some have warned of ‘blended’ cyber and terror attacks, and hacking by state and non-state groups for espionage and profit is increasingly prevalent (see this recent report on Cyber-Probing: The Politicization of Virtual Attack here); but Stuxnet is different. And it raises some difficult-to-answer questions.

For instance, is it really war? If so, who is it against? Iran seems to be centred in the crosshairs, but machines are infected all over the place, as you can see from the Microsoft link above. For that matter, who is the author of the attack? Israel would seem to be the consensus culprit on the logic of the cui bono principle as well as estimations of national capability. And yet credible cases are being made, if you care to read through the voluminous chatter, for the United States (motive plus capability), or Britain or France (capability and maybe motive), or Russia (capability, particularly knowledge of the Bushehr nuclear plant which they built, though motive?), China (hey, why not?), or Iran itself (yes, implausible; I merely note it to indicate the scope of rumour-mongering). Thus, not to belabor the point, I think that one thing which we can conclude from the episode so far is more confirmation of the inherent ambiguity, the plain weirdness, of cyber as an operating environment. Perhaps to insiders things are clearer; from my perspective, though, it would seem that dear old Carl Von’s ‘fog of war’ is still thick, thick, thick in the Information Age.

Another important thing which strikes me is the role of intelligence in this endeavour. The major reason that fingers are pointing at a state actor as the author of the worm, aside from its ‘sophistication’ (on which more anon), is that whoever designed it needed to have some pretty serious intelligence-gathering capability; the worm works by exploiting some pretty rare and valuable things, including four ‘zero day’ codes (don’t ask me) and at least two legitimate certificates (ditto); it evidently targets industrial systems which although running on generic Siemens software are sui generis in practice (in other words, if you want to do something specific to a specific facility you need some high-grade info on that specific facility); and, the systems it targets are air-gapped (i.e., not connected to the web) and therefore the worm needs to be introduced mechanically, someone literally needed to plug an infected device (presumably a USB stick) into it. My point here is not the specifics (of which I have already confessed ignorance) but rather something which the study of the history of war and strategy tells us, which is that new techniques, weapons and systems are always really only significant when used in combination with other instruments. Combination of effect is a basic principle–that’s what puts an opponent in an insoluble position, in the crux of the scissors as it were: rapid, direct-fire weapons represent a tricky tactical problem; but machine guns plus mortars and guns plus barbed wire and mines etc., represent a problem that is an order of magnitude more wicked. In other words, don’t see in ‘cyberwar’, if that is really what this is an example of, something which is new and therefore distinct from war as such; this may be a new device in the arsenal, a new line of operation, what have you, but it is not a new form of war that stands alone from war as we know it.

Which, if you think about it, raises another question: if the way in which any really sophisticated power conducts an attack is with a combination of instruments all working in parallel or in sequence toward the achievement of an objective, what is the next step? When does the other shoe drop? After all, the Israeli air attack on a Syrian nuclear facility some years ago was, it is speculated, preceded by a cyberattack which shut down part or all of the Syrian air defence network. Perhaps the next step, whatever it was meant to be, has been compromised by the discovery of Stuxnet. On the other hand, perhaps the discovery of Stuxnet (which apparently was not difficult) was expected and is irrelevant to what happens next–the damage, whatever it was, is already done, this is just the tip of the iceberg, etc. For that matter, perhaps the next step already happened and we just haven’t heard about it because the Iranians don’t want to admit it and the perpetrators don’t care to brag. It’s impossible to know, really, from the outside; it just seems to me logical that a really clever attack would not be a one-off but a rolling sequence of actions.

And finally on the matter of the worm’s sophistication, a premise upon which much of the rumination above rests, it bears noting that some analysts have pointed out that maybe it’s not actually that smart after all:

The malware was so skillfully designed that computer security specialists who have examined it were almost certain it had been created by a government and is a prime example of clandestine digital warfare. While there have been suspicions of other government uses of computer worms and viruses, Stuxnet is the first to go after industrial systems. But unlike those other attacks, this bit of malware did not stay invisible.

If Stuxnet is the latest example of what a government organization can do, it contains some glaring shortcomings. The program was splattered on thousands of computer systems around the world, and much of its impact has been on those systems, rather than on what appears to have been its intended target, Iranian equipment. Computer security specialists are also puzzled by why it was created to spread so widely.

To conclude then, well, what can we conclude? Not much, at present; we need to keep watching and not assume that the story is over because there are so many loose threads, so many questions to be answered, so much fog where clarity is needed for good judgement to be rendered. Still, I can’t help but think that some watershed has been passed, that Stuxnet of September 2010 will be remembered rather in the way we do the aerial bombings of civilian centres by Zeppelin airships–not as particularly strategically significant at the time but as a harbinger of what is still to come.


Mike 28 September 2010 at 19:09

What does the word or acronym “Stuxnet” mean and who named it?


Mark Pyruz 29 September 2010 at 03:46

Hype of Stuxnet war targeting Iran debunked using certain data:

http://www.securelist.com/en/blog/325/Myrtus_and_Guava_the_epidemic_the_trends_the_numbers

Apparently, India and Indonesia may have been harder hit than Iran, with Russia and Azerbaijan’s infections on the rise.


Quintin 29 September 2010 at 08:29

…and somewhere in Seoul, little 12 year old Kim is rolling on his bedroom floor, laughing his ass off at all the excitement that his school project is generating…


tt.kreischwurst 29 September 2010 at 13:34

I am absolutely no expert on “IT security” and nowhere near this level; however, I don’t think the 12 year old South Korean dude is responsible.
Most experts quoted here on KoW and in all those articles in the newspapers etc. state that this requires a high level of knowledge, professionalism and money.

Reading through this

http://support.automation.siemens.com/WW/llisapi.dll?aktprim=0&lang=en&referer=%2fWW%2f&func=cslib.csinfo&siteid=cseus&groupid=4000003&extranet=standard&viewreg=WW&nodeid0=10805583&objaction=csopen

I know (even though I am not an expert) that some hacker kiddie can’t have done it. Very precise knowledge of plant operation and configuration were needed in addition to the right hacking skills.

It is interesting to see how many newspapers tap into the whole cyberwar theme, although it seems that the worm was introduced via the supply chain (the German weekly newspaper Die Zeit reports it came via Russian supply companies….maybe that’s why Russian infections are on the rise?) and actually avoided the internet and any intercepting and passing on of data.

It’s my first comment here and I would like to thank all the KoW contributors for the nice blog.


Quintin 29 September 2010 at 14:43

Hi tt, and a warm welcome from me.

With that out of the way, I realise that I’m not known for my regular attempts at humour here at KoW, but I do try on the odd occasion (perhaps your response is the reason why I leave humour to those more capable of it).

I obviously realise that this was not a 12 year old kiddie (at least, we do not think so), but there are two salient points that I would like to raise:

a. The media is completely unequipped to deal with a story of this nature. The reporters know even less than what you do, yet unlike you, they will not admit it. Remember the Y2K ‘bug’? How your vacuum cleaner was going to stop hoovering at midnight? Same guys, same knowledge of the subject matter.

b. Large software vendors often confuse obscurity with security. These terms are not synonymous, and it remains a major criticism by cryptanalysts (crackers) of large enterprise software. As for hacking skills? The foremost of these is something called “social engineering”, something that Steve Mitnick claims as the most valuable skill of any hacker… the beauty is, you do not even need a keyboard. As for the rest? A lot of patience, the same attributes as a tester and the desire to break things.


tt.kreischwurst 29 September 2010 at 15:43

Hi Quintin,

thanks for the reply….clarifies a lot! I totally agree with you on a). As I said, I am absolutely no expert on anything that is remotely related to computer/IT/cyber/system/whatever security -and that is why I probably confuse terminology- but I think even for me it is safe to say that the extensive reporting on it has been mostly very poor and contradictory at times.

Still, I think it is a rather fascinating topic. Not sure to what extent it is being blown out of proportion now, but it is interesting to see how the issue has been causing quite a stir in security circles for quite some time and seems to be getting broader attention. I guess the Stuxnet incident could be an important one….but then again I am very far from being an expert.


Ed 29 September 2010 at 16:44

Shurely Kevin Mitnick?

By the way, don’t be mistaken about the Y2k bug: if there hadn’t been industrial levels of fixing, then a number of utility companies (among others) would have had major IT system failures, with some severe consequences. Just because some journalists took the possible problems beyond their understanding doesn’t change that.


Quintin 29 September 2010 at 17:30

Thanks Ed, you are right on the first count. Brain-freeze.


DataDown 29 September 2010 at 16:53

I’m new to the blog and enjoy the content. To add to your question “[i]s it really war” I believe that official doctrine of what constitutes an attack needs to be redefined. I know that in the U.S. newer weapons systems are heavily reliant on software (the F-22 has something like 1.7 million lines of code; JSF 5.6 million), and if a virus were to penetrate and disable the system’s operating platform, this would not, technically speaking, be an attack (i.e. nothing was blown up.) I believe NATO is addressing this as well–what is considered an attack on a member country. At any rate, if this was covered in other postings I apologize for duplication.


Paul 30 September 2010 at 09:42

Good Morning,

If the infection route came through Russian supply companies, could it be this was in fact a form of E-Chernobyl? i.e. invented by the East for use elsewhere, or even for use between Eastern industrial competitors, either state or private sector (these worlds are somewhat merged), and the whole thing has blown up accidentally.

For example: A Govt develops Stuxnet as an insurance policy to gain control of an enemy/foe/competitor’s major industrial complex if it ever needed to. It leaks out. Ends up in the Russian Defence Industry. Does what it does best and spreads like wildfire. It will inevitably hit Iran, and Bushehr, and in all likelihood Natanz also.

If given access to the correct trade information, it would be relatively easy to track it back to source. (Particularly when judging the rate of infections and the given countries involved (and more importantly not involved – a certain country is surrounded by infections of its trade partners, but not infected itself?!?)) One could almost make an educated guess now!

Question is: who is the main trading hub connecting Russia, Indonesia, Iran, etc. etc. etc.?
