
Stuxnet details should prompt call to action over cyberwarfare impact, not words

Security experts have warned about the potential problems caused by military cyberstrikes. Experts say cyberwarfare is difficult to plan and worse, it puts innocent people at risk.

Stuxnet was part of a secret joint U.S.-Israeli cyberattack operation which began with approval by the Bush Administration and continued with the nod from the Obama White House, according to a detailed account of the attack written by David Sanger in a report published today in the New York Times.

To put the pieces of the Stuxnet puzzle together, Sanger conducted interviews with unnamed sources involved with the Stuxnet operation, dubbed “Olympic Games.” While the account confirms a lot of speculation about the nation-states behind the Stuxnet worm, it also raises a lot of questions about cyberwarfare and its use by a sitting president. Should members of Congress have been notified of the operation? Were any U.S. citizens put at risk?

Even well planned military cyberstrikes go wrong

A 2009 study by the nonprofit research firm RAND Corp. urged the United States not to invest in offensive cyberweapons. It is too difficult to predict the outcome of an attack, making strategic planning a guessing game, according to the report’s author, Martin C. Libicki. “Predicting what an attack can do requires knowing how the system and its operators will respond to signs of dysfunction and knowing the behavior of processes and systems associated with the system being attacked,” Libicki wrote. Indeed, according to the Times story, Stuxnet clearly caused some disruption, but it was anyone’s guess as to how far it set back Iran’s nuclear program.

Even worse, Sanger’s account of the operation detailed a major coding error that enabled the offensive malware to escape into the wild. This led to its detection and analysis by antimalware vendors. Indeed, there were facilities in the United States using the Siemens systems that the worm could have sought out. While the threat was minimal – Stuxnet still would have had to get through the buffer zone isolating a facility from the Internet – those quoted in Sanger’s story said it was easy to get through the Iranian facility’s buffer zone using a simple thumb drive. I’ve heard of penetration testers using this trick to great success: dropping thumb drives in areas throughout a targeted organization to see if any curious employees would insert the device into their computer. “It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand,” according to an unnamed official referring to how Stuxnet was planted at the underground uranium enrichment site in Natanz, Iran.

If that’s the case, then the operation certainly could have put U.S. citizens at risk right here on our own soil. It also has the potential to fan the flames of retaliation or similar offensive cyberwarfare operations from our adversaries. We’ve already encountered reports that government agencies and even critical infrastructure facilities, such as power plants, have been penetrated in some way.

Network security luminary Marcus Ranum, CSO of Tenable Network Security, told SearchSecurity about his concern over militarized cyberspace and outlined the problems caused by Stuxnet-like strikes.

Critical infrastructure protection

I wrote about a 2010 report by the Center for Strategic and International Studies (CSIS), which consisted of a global survey of more than 600 IT pros at critical infrastructure facilities. The main finding was that the systems that run power plants, manage the distribution of hazardous chemicals and help monitor water treatment plants are in dire need of stronger safeguards. The survey found that those facilities are under a constant barrage of attacks. A U.S.-China Economic Review Commission report last October cited a significant attack targeting U.S. satellites. The examples go on and on.

But the problem goes beyond the potential threat to power plants and oil and chemical refineries. Earlier this year, researchers demonstrated a theoretical attack targeting the systems that control the locking mechanisms at a prison. Imagine the chaos it would cause if cybercriminals were to target the prison system.

There is plenty of recognition of the seriousness of the problem, but very little transparency about where the nation stands on protecting critical assets, said Andy Purdy, chief cybersecurity strategist at CSC and a member of the team that developed the U.S. National Strategy to Secure Cyberspace in 2003. In an interview I had with Purdy at the 2012 RSA Conference, Purdy cited some progress, but admitted that the lack of transparency leaves authorities very little information with which to track the progress the nation is making in protecting critical systems. Purdy cited substantial federal funding being invested in SCADA system security, the progress of the Industrial Control Systems CERT, and several plans and reports outlining the role of the public and private sectors in protecting critical systems, digital identities for Internet users and the role ISPs should play in controlling customers with compromised systems.

Perhaps security luminary Dan Geer is thinking ahead to disaster recovery after a cyberstrike. He speaks incessantly at security conferences and summits about the need for system redundancy and manual processes to help lessen the disruption and chaos when Internet-connected systems fail. Not only do we need redundant systems and manual processes, but we need skilled people who know how they function, Geer says.

Stuxnet details conclusion

The details about the planning behind the Stuxnet operation should be a reminder that military action, whether physical or digital, needs to be thoroughly vetted, or else innocent citizens could be inadvertently put at risk. It should be a call to action for stricter oversight of the security of critical infrastructure, whether publicly or privately owned. It’s amazing to me that despite all of the increased rhetoric about better protecting the nation’s critical infrastructure, there has been very little evidence of progress. Just words.


1 comment


This: "A 2009 study by the nonprofit research firm RAND Corp. urged the United States not to invest in offensive cyberweapons." Sorry, but the study did not urge the US to not invest in cyber warfare - nor did the link to it on this website state such a thing. The report stated clearly that cyber warfare should be used sparingly and only as a part of other offensive weapons, such as disarming the enemy. The reason: due to the unknowns, like what users do given faults and such, any cyber attack would have only temporary success and the bag of tricks can be depleted (which I think I can argue is false in the specific case of Stuxnet - it might be impossible to do the last hack a second time, but in the end it's just about gaining access, and so long as someone has to be allowed access, that access can be broken). Additionally, from the report, using it against an enemy in retaliation for their perceived cyber warfare is especially hazardous due to the problems inherent in finding where the attacks truly originated from. So instead of using the potential of cyber warfare as a retaliatory tool against perceived cyber attacks, we should seek out the perpetrators and try them in court as criminals. With that - nowhere does it read "the US should refrain from investing in offensive cyber warfare capabilities" or any other such nonsense. Probably because it would be ridiculous to not seek out such an offensive weapon for quite a few very logical reasons, such as the ability to delay nuclear program building without bombs. Or stealing secrets without directly risking the lives of Americans (or is Mugabe's email secret?). Or how about using this weapon as a supplement to regular warfare (not saying we should be in or not in any conflict we are currently in, but war is likely to happen again - if we're involved.... why wouldn't we use this along with other weapons?).
Or the idea that one should research this simply due to the fact it is likely to be used against us and knowing what is possible is helpful to defend against it. Beyond that, it's a logical paradox for any critical analysis to leave any option off the table. Given the sheer potential for cyber warfare, any analysis from any reasonable organization would suggest investment in this. & as RAND is a very respectable organization, it did not urge the US to not invest in offensive cyber warfare, as it represents a viable option under the right circumstances (Stuxnet possibly one of them). It would be an anathema to who they are to ignore any option. & trust at this point - I'm confused.... as the RAND study seems unnecessary to the underlying points being made, which, correct me if wrong, are: "All military action should be thoroughly vetted to minimize collateral damage to innocent populations" and "our infrastructure security is lacking." If those are the main points, both could be stated and proved without adding the RAND report at all... But since it was added - I think the way in which it is currently described is very misleading.