The cat is out of the bag: The United States is the first known country to carry out a sustained cyber attack with the intent of destroying another country’s infrastructure. Earlier today, The New York Times’ David Sanger confirmed America’s role in developing Stuxnet, the computer worm deployed against Iran’s nuclear facilities in coordination with the Israeli government. In interviews with current and former American, European, and Israeli officials, Sanger outlined the Obama administration’s decision to use the sophisticated virus, code-named Olympic Games, which was originally developed by the Bush administration.
For cyber security experts, the coming-out party of Stuxnet in 2010, after it malfunctioned and spread across the world, was a worrying event. The code itself is 50 times bigger than your ordinary computer worm and, unlike most viruses, is capable of hijacking industrial facilities like nuclear reactors or chemical plants. With its release, anyone could download and manipulate the Stuxnet code for their own purposes. But now, with America’s role confirmed, the fear is that a red target hangs on its back. What if Stuxnet was used against the U.S.?
The prospect has long worried Sean McGurk, former director of Homeland Security’s national cybersecurity operations center. Not only has the Stuxnet technology been instantly democratized but it’s also highly susceptible to being reverse engineered. In March, he aired his concerns with 60 Minutes’ Steve Kroft, before America’s role in creating Stuxnet was confirmed:
Kroft: Sounds a little bit like Pandora’s box.
McGurk: Yes.
Kroft: Whoever launched this attack–
McGurk: They opened up the box. They demonstrated the capability. They showed the ability and the desire to do so. And it’s not something that can be put back.
Kroft: If somebody in the government had come to you and said, “Look, we’re thinking about doing this. What do you think?” What would you have told them?
McGurk: I would have strongly cautioned them against it because of the unintended consequences of releasing such a code.
What sort of unintended consequences? According to McGurk, it has given countries “like Russia and China, not to mention terrorist groups and gangs of cybercriminals for hire, a textbook on how to attack key U.S. installations.” Those types of installations include U.S. nuclear power reactors, electric companies, and other industrial facilities controlling everything from chemicals to baby formula, according to McGurk. And he’s not the only one worrying. In 2010, Dean Turner, director of the Global Intelligence Network at Symantec Corp., told a Senate hearing that the “real-world implications of Stuxnet are beyond any threat we have seen in the past.” According to the Associated Press, he said the virus’s risks go beyond industrial infrastructure and include the loss of sensitive intellectual property data, which can be silently stolen. So who would be able to carry out such an attack?
Apparently, quite a few people. Ralph Langner, a German expert on industrial control systems, told Kroft in March that even non-state actors could use such technologies.
Langner: You don’t need many billions, you just need a couple of millions. And this would buy you a decent cyberattack, for example, against the U.S. power grid.
Kroft: If you were a terrorist group or a failed nation state and you had a couple of million dollars, where would you go to find the people that knew how to do this?
Langner: On the Internet.
There were obviously powerful incentives to use the Stuxnet virus, which according to The Times succeeded in destroying 1,000 to 5,000 centrifuges. And of course, ever since the virus went public in 2010, the risk of a third party using Stuxnet technology for ill has existed. However, with the confirmation that the U.S. broke the cyber threshold, the novelty of using cyberwarfare to attack another country’s critical infrastructure is gone. Should we expect Iran to refrain from striking back? As PC World’s David Jeffers writes, “We now have to deal with the Internet equivalent of a mustard gas or Agent Orange leak that has the potential to affect us all.” It’s undoubtedly a scary thought.