Skip to Content
Uncategorized

How Obama Was Dangerously Naive About STUXNET and Cyberwarfare

A Times exposé suggests that the White House failed to consider how our own cyberweapons would be used against us.

If the New York Times’ comprehensive account of the birth of the STUXNET worm that slowed Iran’s efforts to enrich uranium tells us anything, it’s that the Obama administration was remarkably naive about the potential for the proliferation of the cyberweapons it was developing.

Ralph Lagner cracked the code of the Stuxnet worm aimed at Iran. (Photo: Steve Jurvetson)

Indeed, while discussions of the new territory the US was entering apparently took place in the White House, ultimately, an aide told the Times, the administration didn’t want to “develop a grand theory for a weapon whose possibilities they were still discovering.”

Then, in Summer 2010, an event the administration should have anticipated occurred: The STUXNET worm got loose and started replicating outside the Iranian enrichment plant that had been its target. In the wild, on the Internet, its was exposed for everyone to see.

And that, apparently, is when opportunistic hackers started to learn from it.

As outlined by Eric Gallant at Data Center Pro, STUXNET taught hackers that the “Industrial Control Systems” used in industrial production (think high-tech factories) and data centers were vulnerable to attack.

[Update: Ryan Ellis, a postdoc at Stanford whose research “focuses on contemporary debates about infrastructure security,” points out that “The vulnerability of SCADA and ICS systems was certainly well known well before the emergence of STUXNET. DHS, DOE, and NIST efforts targeting ICS and SCADA security have been going on for years.” So it’s more accurate to say that Stuxnet introduced a new code base into what had been an ongoing battle to secure these systems.]

1. Proliferation of STUXNET code, with unknown targets.

In September 2011, a new STUXNET-like worm called Duqu was discovered. While its target is unclear, it may be designed to steal data about an Industrial Control System, prior to an actual attack. (Such surveillance was integral to the successful disabling of the Natanz enrichment plant during the STUXNET attack.)

2. “Industrial-grade” control system malware almost revealed at a Dallas information security conference.

The researchers claimed, “We will demonstrate how motivated attackers could penetrate even the most heavily fortified facilities in the world, without the backing of a nation state.”  SCADA manufacturer Siemens and the US Department of Homeland Security requested that the researchers not continue with the demonstration citing public safety concerns.

3. Industrial Control System hacking “toolkit” released.

In March 2011, Gleg, a Russian security firm offered for sale a software package known as The Agora SCADA+ Pack.  The software contained 22 modules exploiting 11 zero-day vulnerabilities.  The pack included data applicable to a wide variety of SCADA system manufacturer’s devices and software.

4. STUXNET code showed up in an “indestructible” zombie botnet that has infected millions of PCs.

This malware, known as TDL4, deploys a number of clever tricks to guarantee its own survival, including one borrowed straight from the world’s most sophisticated cyberweapon, Stuxnet.

The list of ways that STUXNET code originally developed by the US and Israel is being widely distributed, learned from and exploited goes on, and the full Data Center Pro post is worth reading if you want to understand how these attacks might eventually be carried out on the data centers on which the Internet and our financial infrastructure depends.

In general, the so-called SCADA (Supervisory Control and Data Acquisition) infrastructure of the US has been described as the “Achilles heel of critical infrastructure,” and Richard Clarke, former White House advisor on cyber security has asserted that China is already probing the US power grid.

The good news is that there are at least two reasons not to panic. The first is that it’s not yet clear just what impact these kinds of cyber attacks can have. Iran, for example, was slowed in its efforts, but that’s substantially different from the results of, say, a conventional bombing run on their enrichment facilities.

The second reason that we should temper our anxiety over cyber attacks is that there is a funny sort of asymmetry to cyber warfare. As is the case with anti-virus software, merely knowing that a threat exists can allow us to rapidly innoculate our systems against these threats. Whether or not we’re doing it is quite another question.

And that’s the one area where the Obama administration comes off as hopelessly naive in its conversations about the potential impact of the STUXNET worm: Didn’t it occur to anyone in the room that, once unleashed, this kind of attack would mean that every piece of critical computer-controlled infrastructure in the US would have to be evaluated, and forever-after upgraded, in order to defend against such an attack?

 Follow @Mims or get in touch

Keep Reading

Most Popular

Large language models can do jaw-dropping things. But nobody knows exactly why.

And that's a problem. Figuring it out is one of the biggest scientific puzzles of our time and a crucial step towards controlling more powerful future models.

OpenAI teases an amazing new generative video model called Sora

The firm is sharing Sora with a small group of safety testers but the rest of us will have to wait to learn more.

Google’s Gemini is now in everything. Here’s how you can try it out.

Gmail, Docs, and more will now come with Gemini baked in. But Europeans will have to wait before they can download the app.

This baby with a head camera helped teach an AI how kids learn language

A neural network trained on the experiences of a single young child managed to learn one of the core components of language: how to match words to the objects they represent.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.