Today as I was reading the revelations about how the Obama administration released the Stuxnet virus I was reminded of the martial arts 101 class on throwing weapons. The first rule of throwing weapons (ie knife,sai,spear) is you don’t throw it at your opponent unless it’s absolutely necessary. The reason why is if you miss or don’t take out your enemy they can pick up your weapon and use it against you. This is a basic theory that is ancient.
Then I saw this article and thought I should post it for us to discuss.
If the New York Times’ comprehensive account of the birth of the STUXNET worm that slowed Iran’s efforts to enrich uranium tells us anything, it’s that the Obama administration was remarkably naive about the potential for the proliferation of the cyberweapons it was developing.
Indeed, while discussions of the new territory the US was entering apparently took place in the White House, ultimately, an aide told the Times, the administration didn’t want to “develop a grand theory for a weapon whose possibilities they were still discovering.”
Then, in Summer 2010, an event the administration should have anticipated occurred: The STUXNET worm got loose and started replicating outside the Iranian enrichment plant that had been its target. In the wild, on the Internet, its source code was exposed for everyone to see.
And that, apparently, is when opportunistic hackers started to learn from it.
As outlined at Data Center Pro, STUXNET taught hackers that the “Industrial Control Systems” used in industrial production (think high-tech factories) and data centers were vulnerable to attack:
- Proliferation of STUXNET code, with unknown targets.
In September 2011, a new STUXNET-like worm called Duqu was discovered. While its target is unclear, it may be designed to steal data about an Industrial Control System, prior to an actual attack. (Such surveillance was integral to the successful disabling of the Natanz enrichment plant during the STUXNET attack.)
â??Industrial-gradeâ?? control system malware almost revealed at a Dallas information security conference.
The researchers claimed, â??We will demonstrate how motivated attackers could penetrate even the most heavily fortified facilities in the world, without the backing of a nation state.â?? SCADA manufacturer Siemens and the US Department of Homeland Security requested that the researchers not continue with the demonstration citing public safety concerns.
Industrial Control System hacking “toolkit” released.
In March 2011, Gleg, a Russian security firm offered for sale a software package known as The Agora SCADA+ Pack. The software contained 22 modules exploiting 11 zero-day vulnerabilities. The pack included data applicable to a wide variety of SCADA system manufacturerâ??s devices and software.
STUXNET code showed up in an “indestructible” zombie botnet that has infected millions of PCs.
This malware, known as TDL4, deploys a number of clever tricks to guarantee its own survival, including one borrowed straight from the world’s most sophisticated cyberweapon, Stuxnet.
The list of ways that STUXNET code originally developed by the US and Israel is being widely distributed, learned from and exploited goes on, and the full Data Center Pro post is worth reading if you want to understand how these attacks might eventually be carried out on the data centers on which the Internet and our financial infrastructure depends.
In general, the so-called SCADA (Supervisory Control and Data Acquisition) infrastructure of the US has been described as the “Achilles heel of critical infrastructure,” and Richard Clarke, former White House advisor on cyber security has asserted that China is already probing the US power grid.
The good news is that there are at least two reasons not to panic. The first is that it’s not yet clear just what impact these kinds of cyber attacks can have. Iran, for example, was slowed in its efforts, but that’s substantially different from the results of, say, a conventional bombing run on their enrichment facilities.
The second reason that we should temper our anxiety over cyber attacks is that there is a funny sort of asymmetry to cyber warfare. As is the case with anti-virus software, merely knowing that a threat exists can allow us to rapidly innoculate our systems against these threats. Whether or not we’re doing it is quite another question.
And that’s the one area where the Obama administration comes off as hopelessly naive in its conversations about the potential impact of the STUXNET worm: Didn’t it occur to anyone in the room that, once unleashed, this kind of attack would mean that every piece of critical computer-controlled infrastructure in the US would have to be evaluated, and forever-after upgraded, in order to defend against such an attack?