The Stuxnet virus that successfully crippled Iran’s nuclear weapons program in June 2010 was a confirmation and demonstration of the increasing abilities and sophistication of cyberwarfare tactics, according to University sources familiar with the subject.
Eran Kahana, a fellow at the Stanford Center for Computers and the Law, described the Stuxnet attack as unique in its complexity.
The virus is “cleverer than anything we’ve ever seen,” he said, adding that the attack utilized “unprecedented target acquisition.”
Stuxnet targeted Siemens Industry, Inc. industrial equipment most commonly used in the uranium enrichment processes. The virus used four previously unknown flaws in the Windows operating system to reprogram the equipment, and is considered to have set back Iran’s nuclear program by five years. The virus’ objective was so clearly defined that it seems “very unlikely that it was designed to do anything else,” according to Kahana.
Professor John Mitchell of the Computer Science Department said that Stuxnet marked a new breed of viruses, as it was designed to attack physical infrastructures rather than obtain information from the target system, and because it showed the extent to which complex systems–such as Iran’s nuclear program–are vulnerable to concerted, determined and well-resourced attacks.
While the complexity of the virus would complicate attempts to replicate Stuxnet, Mitchell said that the virus’ reproduction and adaptation would be “possible with only limited resources.” In recent months, several examples of malicious software that shared coding and behavioral characteristics with Stuxnet have been uncovered.
Kahana noted that the complexity and objective of the virus made it likely that Stuxnet’s creators had at least co-operated with nation-states — and that they may have been implementing state policy. Western nations such as the United States, United Kingdom and Israel currently possess the most advanced cyberwarfare capabilities–with intelligence agencies in these countries frequently collaborating on cyber tactics–but competing nations, such as China and Russia, have been quick to invest heavily in the field.
Both China and Russia have been accused of deploying cyberwarfare tactics against foreign governments, with Russia allegedly launching a 2007 cyberattack on Estonia that crippled not only government systems but also private entities, such as banks and newspapers.
The Pentagon announced in May 2011 that cyberattacks against the United States would be considered acts of war, against which the United States could retaliate fully. However, the U.S. government is still formulating a comprehensive policy towards cyberwarfare and has thus far publicly focused on defensive measures. The existing policy has “more to do with political views than [current] technologies,” said Mitchell, who believes it will inevitably be developed further.
Mitchell noted that the proliferation of cyberwarfare tactics might lead to widespread industrial espionage initiated by private firms and nation-states alike, and the anonymity of cyberspace might encourage states to leverage new resources on behalf of domestic firms.
The recent discovery of a keylogger virus on U.S. military drone control systems–while apparently not an incident that endangers critical information–demonstrates what some consider to be underinvestment in cybersecurity by the United States.
The virus records the communication between drone pilots and troops on the ground; the servers that control the drones, however, run disconnected from the Internet, thus limiting the virus’ ability to disseminate any information it acquires. Military network specialists have not been able to remove the virus, even after system-wide restarts and memory erasure; this persistence is likely caused by self-regenerating measures programmed into the virus and a lack of defensive mechanisms built into the military systems.
The United States’ vulnerability to cyberattack remains to be seen, according to Mitchell. Even with an advanced intelligence community seeking to defeat cyberwarfare tactics, certain civilian sectors–such as electricity and water supply networks–may be at particular risk of cyberattacks, especially after the Stuxnet attack exposed vulnerabilities that would allow malicious programs to take control of physical equipment.
Complicating attempts to defend against cyberattacks is the “evolving arms race” to find new means of delivering viruses to target systems, Mitchell said. While both the Stuxnet virus and the keylogger virus found on drone networks were likely introduced by flash drives, hackers continue to find means of delivery designed to avoid defense mechanisms built into current systems.
Even as cybersabotage and cyberwarfare become more effective, governments struggle to define acceptable cybertactics and targets.
“There are ongoing efforts to regulate cyberwarfare,” Kahana said.
While cyberwarfare is likely to be more broadly utilized in the future, any such attacks suffer from limitations of technology.
“Cyberwarfare doesn’t directly kill people,” Mitchell said. And thus, it may become more commonly deployed either as a precursor or complement to physical force.
Even if the United States possesses the requisite capabilities to mount a cyberattack, it may be unwilling to do so. Cyberattacks on the Qaddafi regime as part of the NATO intervention were rejected, according to an Oct. 17 New York Times story, on the grounds that such actions risked “breaking the glass ceiling” on a new kind of warfare. Additionally, the time required to prepare such an attack and the risk of disclosing America’s cyberwarfare capabilities may make such forms of intervention unappealing.
Nevertheless, for cases such as the Iranian nuclear program, cyberwarfare offers a “cleaner” option–one without the risk of collateral damage–for decision makers. Kahana described the Stuxnet attack as a model for future interventions, with the targeting of a nation-specific program a “good example of it being used responsibly,” and potentially a way to preclude costlier conflicts.