Thursday, September 23, 2010

If you want to get press, mention Iran

Over the last couple of days there's been a lot of noise about the Stuxnet worm. Most of that noise has been because of the claim that it was designed to attack the Iranian nuclear reactor at Bushehr and speculation that the worm was written by Israel. Unfortunately, that part covers up the most interesting part of the story: this worm was really sophisticated and designed to attack industrial control systems that could have real-world impact.

But the "mention Iran" strategy has worked for many people in the past: see the Scacco/Beber affair and the Haystack mess. (Hmm. I've complained about bogus information about Iran enough that it's starting to look like I'm an Iranian agent :-).

Put aside the target of Stuxnet and there's a much more interesting side to the story. Stuxnet really does look like it could have been created by a nation to attack someone. That is, it could be that Stuxnet is a weapon. Oddly, the press is reporting people saying things like:

"What we're seeing with Stuxnet is the first view of something new that doesn't need outside guidance by a human – but can still take control of your infrastructure," says Michael Assante, former chief of industrial control systems cyber security research at the US Department of Energy's Idaho National Laboratory. "This is the first direct example of weaponized software, highly customized and designed to find a particular target."

Perhaps it's the first example of this in the wild (although I doubt that too), but it's not something that's gone unimagined. In fact, Richard Clarke wrote a fascinating book on the subject called "Cyber War: The Next Threat to National Security and What To Do About It" in which he details exactly this type of virus attacking industrial control systems.

He even mentions that the US tested the ability to destroy a turbine via software from the Internet. He writes:

To test whether a cyber warrior could destroy a generator, a federal government lab in Idaho set up a standard control network and hooked it up to a generator. In the experiment, code named Aurora, the test's hackers made it into the control network from the Internet and found the program that sends rotation speeds to the generator. Another keystroke and the generator would have severely damaged itself.

(Aside: the book is fascinating as it combines technical information like that with policy recommendations). And it does mention that this sort of cyber-attacking has been going on for years. Clarke's book relates the story of the Siberian pipeline sabotage by the CIA.

The oddest part of the Stuxnet story is the claim that it's attacking Iran. There doesn't seem to be much presented evidence of this. There's nothing in the story about how Stuxnet picks the systems it attacks to suggest that it knows the fingerprint of some system in Iran. The only evidence appears to be a map that Microsoft produced of Stuxnet infections showing that there were lots in India, Indonesia and Iran. I suppose the Iran narrative is the most interesting.

No one should be surprised that a computer worm or hacking could damage equipment in the real world. But I suppose they are. Perhaps Stuxnet will be a wake-up call and make people realize that cyberwar is actual war: i.e. it can have the same effects as so-called kinetic weapons like bombs.

And here's the danger with cyberweapons: they are a form of asymmetric warfare. Some countries are more vulnerable to cyberattack than others. For example, the US is most vulnerable because of the density of computer networks and computer control systems and lack of control inside computer networks for cultural reasons. On the other hand, China is less vulnerable because they can monitor their entire Internet, cut it off, and take control. Thus cyberwar is advantageous for China over the US.

Clarke's book expands on that theme and talks about how to deal at a policy level with this threat.

PS There are two papers about Stuxnet at the Virus Bulletin 2010 conference next week. These are last-minute submissions and should have gory details. Let's wait until then to really understand what it is and is not. The papers are "An in depth look at Stuxnet" and "Unraveling Stuxnet".

1 comment:

htomfields said...

You can learn more about Idaho National Laboratory's security programs at http:/