Recent revelations about the Stuxnet worm have changed the way we think about cyber attacks.
It is remarkable for a number of reasons. It is the first known worm to target exclusively the industrial control systems used in factories, power plants, chemical facilities, and other large systems. In the most dramatic scenario, the worm could give hackers control of a power plant to blackmail its owners or cause a catastrophic failure. Since there haven’t been exploding power plants or bursting dams, it’s reasonable to assume Stuxnet was not used for the nightmare scenario. Only the attacker knows what it wanted to achieve and how successful it was.
Attribution in a cyber attack is extremely difficult, so the origins may never be known. It could have been a cyber militia acting in the interest of a state or a hacker group raising awareness of SCADA vulnerabilities.
The worm is very sophisticated. For technical details of the worm, see Symantec’s description. While some are speculating that such a sophisticated worm must be the product of a government, Symantec estimates that fewer than ten people working for six months could produce it. Technical analysis is best left to the technologists, but when it comes to cyber, sophistication and government rarely co-exist. Cyber expertise resides in commercial entities or organized criminal enterprises, not intelligence services.
Despite its sudden appearance in the media, the worm is not new. It was first publicly discussed in June by a Belarus-based company, and the US government’s Cyber Emergency Response Team issued an advisory in July. Forensic analysis suggests that it was developed in 2009, which should dispel rumors that the worm was released to retaliate against President Ahmadinejad’s comments at the United Nations. The worm’s time in the wild also suggests that such attacks are slow and methodical; the attack required a person to introduce the worm via a USB flash drive.
At this point, it appears that the preponderance of infections is in Iran, which has fueled speculation that Stuxnet must have been designed to target its nuclear facilities (this ignores that in July, the preponderance of infections was in India). It is unlikely that definitive proof will be uncovered to support this guess, but a more interesting part of the story for me is the 40 percent of infections that occurred outside of Iran. Simply put, a cyber attack that exploits vulnerabilities in Microsoft Windows and Siemens industrial control systems (as Stuxnet did) dramatically increases the likelihood of fratricide. If a future war were to include a Stuxnet-like attack, a level of care resembling that given to a biological device would have to be exercised.
Stuxnet is likely to be the most studied worm in cyber history, and much remains to be learned, both from a technical perspective and from a national security perspective, over the next several months. It does, however, represent another call to action to improve cybersecurity, though a balance must be found between technical security and human behavior. Major General Rhett Hernandez, incoming Commanding General of U.S. Army Forces Cyber Command, recently testified before the House, “The first line of defense in cyberspace is the user. To operate effectively, we must change our culture.”
If a non-state actor (state-sponsored or not) is implicated, then Stuxnet represents one of the many non-state challenges that can bring the world’s governments together. Countries are formalizing military roles in cyberspace, but non-state actors pose the greatest challenge. Like terrorism, illicit trafficking, and piracy, cyber challenges fit within the panoply of non-traditional threats that occupy national security thinking today. Cooperation is the key to success.
Derek S. Reveron, an Atlantic Council contributing editor, is a Professor of National Security Affairs and the EMC Informationist Chair at the U.S. Naval War College in Newport, Rhode Island. The views expressed are his own and do not reflect those of the Navy or the U.S. government.