If the New York Times’ comprehensive account of the birth of the STUXNET worm that slowed Iran’s efforts to enrich uranium tells us anything, it’s that the Obama administration was remarkably naive about the potential for the proliferation of the cyberweapons it was developing.
Indeed, while discussions of the new territory the US was entering apparently took place in the White House, ultimately, an aide told the Times, the administration didn’t want to “develop a grand theory for a weapon whose possibilities they were still discovering.”
Then, in Summer 2010, an event the administration should have anticipated occurred: The STUXNET worm got loose and started replicating outside the Iranian enrichment plant that had been its target. In the wild, on the Internet, its was exposed for everyone to see.
And that, apparently, is when opportunistic hackers started to learn from it.
As outlined by Eric Gallant at Data Center Pro, STUXNET taught hackers that the “Industrial Control Systems” used in industrial production (think high-tech factories) and data centers were vulnerable to attack.
[Update: Ryan Ellis, a postdoc at Stanford whose research “focuses on contemporary debates about infrastructure security,” points out that “The vulnerability of SCADA and ICS systems was certainly well known well before the emergence of STUXNET. DHS, DOE, and NIST efforts targeting ICS and SCADA security have been going on for years.” So it’s more accurate to say that Stuxnet introduced a new code base into what had been an ongoing battle to secure these systems.]
1. Proliferation of STUXNET code, with unknown targets.
In September 2011, a new STUXNET-like worm called Duqu was discovered. While its target is unclear, it may be designed to steal data about an Industrial Control System, prior to an actual attack. (Such surveillance was integral to the successful disabling of the Natanz enrichment plant during the STUXNET attack.)
2. “Industrial-grade” control system malware almost revealed at a Dallas information security conference.
The researchers claimed, “We will demonstrate how motivated attackers could penetrate even the most heavily fortified facilities in the world, without the backing of a nation state.” SCADA manufacturer Siemens and the US Department of Homeland Security requested that the researchers not continue with the demonstration citing public safety concerns.
3. Industrial Control System hacking “toolkit” released.
In March 2011, Gleg, a Russian security firm offered for sale a software package known as The Agora SCADA+ Pack. The software contained 22 modules exploiting 11 zero-day vulnerabilities. The pack included data applicable to a wide variety of SCADA system manufacturer’s devices and software.
4. STUXNET code showed up in an “indestructible” zombie botnet that has infected millions of PCs.
This malware, known as TDL4, deploys a number of clever tricks to guarantee its own survival, including one borrowed straight from the world’s most sophisticated cyberweapon, Stuxnet.
The list of ways that STUXNET code originally developed by the US and Israel is being widely distributed, learned from and exploited goes on, and the full Data Center Pro post is worth reading if you want to understand how these attacks might eventually be carried out on the data centers on which the Internet and our financial infrastructure depends.
In general, the so-called SCADA (Supervisory Control and Data Acquisition) infrastructure of the US has been described as the “Achilles heel of critical infrastructure,” and Richard Clarke, former White House advisor on cyber security has asserted that China is already probing the US power grid.
The good news is that there are at least two reasons not to panic. The first is that it’s not yet clear just what impact these kinds of cyber attacks can have. Iran, for example, was slowed in its efforts, but that’s substantially different from the results of, say, a conventional bombing run on their enrichment facilities.
The second reason that we should temper our anxiety over cyber attacks is that there is a funny sort of asymmetry to cyber warfare. As is the case with anti-virus software, merely knowing that a threat exists can allow us to rapidly innoculate our systems against these threats. Whether or not we’re doing it is quite another question.
And that’s the one area where the Obama administration comes off as hopelessly naive in its conversations about the potential impact of the STUXNET worm: Didn’t it occur to anyone in the room that, once unleashed, this kind of attack would mean that every piece of critical computer-controlled infrastructure in the US would have to be evaluated, and forever-after upgraded, in order to defend against such an attack?