Is Stuxnet The First Shot In A Cyberwar?
6:42 PM EST Fri. Jun. 01, 2012
The New York Times is reporting alleged ties between the Stuxnet worm and the presidential administrations of both George W. Bush and Barack Obama. Such a connection raises discussion in the IT industry about whether a cyberwar is being waged in an effort to prevent Iran from developing nuclear weapons.
According to the article in the June 1 edition of the New York Times, the U.S. government began the initiative in 2006 when sanctions against Iran bore limited results and Israel pondered the possibility of conventional military strikes against Iranian facilities that were allegedly developing nuclear capabilities. Code-named “Olympic Games,” the cyber campaign was discovered in 2010 when a programming error enabled the code to escape onto the Internet. The worm was subsequently dubbed “Stuxnet” by the security community. With a potentially limited window for ongoing success, the attacks continued and, eventually, roughly 1,000 centrifuges, necessary for the Iranian nuclear effort, were temporarily disabled by Stuxnet, according to the paper.
This is presumably the first time that the United States has used this type of initiative against a foreign government. And while Iran has consistently denied that its nuclear program goes beyond peaceful energy production, the potential of a nuclear-weaponized Iran has struck fear in much of the western world.
Still, it remains debatable as to whether these alleged incidents would qualify as cyberwar.
“Calling it a cyberwar is a misnomer,” Pete Lindstrom, vice president, research, Spire Security told CRN. “This type of thing is more like cyber-espionage. Even though they took out 1,000 centrifuges, that's not what the battle is really all about. But it's pretty clear that we have to start caring more about that sort of thing, particularly when it comes to protecting the infrastructure. This is a shot across the bow, and security folks need to pay attention.”
Other security professionals, however, see this development as a much larger event.
“It had seemed fairly obvious that the U.S. was behind Stuxnet because there were just enough circumstances pointed in that direction,” said Andrew Storms, director of security operations at nCircle. “But it's totally different to have it confirmed. This changes war completely, and carries with it a lot of ramifications that we are only beginning to understand.”
Storms says that in the past, the U.S. has always relied on developing superior conventional weapons that could not be matched by potential adversaries. But in the area of cyberwar, that advantage is no longer valid once the first “shot” is fired.
“In conventional warfare, the technology was at least somewhat preserved,” he said. “When the bullets hit you, you couldn't exactly turn those bullets around and shoot them back. But in order for it to be effective, malware needs to land on the systems of the target. And when that happens, it can be disassembled and reprogrammed and launched back at the attacker.”
If these capabilities are known to exist, nCircle’s Storms wonders why the government is not doing more to protect key infrastructure in the United States. But he also tells CRN that cyberweapons carry with them a unique obstacle to defense.
“If you proactively develop defenses to prevent your own cyberweapons from being used against you, then it's very likely that those defenses will eventually leak onto the Internet, as well. So building the defensive component will often mitigate the effectiveness of the weapon in your own hands. It's a very difficult position if you're going to dabble in this kind of warfare.”
The international ramifications of this report can also be quite profound, given that the United States has been an outspoken critic when corporate intellectual property is illegally exploited by foreign nationals.
“On the one hand this gives the Chinese and the Russians the justification to point the finger at the United States and call us hypocritical,” said Richard Bejtlich, chief security officer of Mandiant, an Alexandria, Virginia-based consultancy. “But because Stuxnet is used against a nuclear weapons program, I see that as a legitimate target.”
Bejtlich points out that our relationship with Iran has been marked by a variety of different types of sanctions plus a U.S.-led drumbeat in support of international economic pressure that could lead to Iranian retaliation. But Bejtlich stops short of the term “cyberwar,” in favor of “cyber conflict” as the more fitting alternative.
“I've worried about the Iranians because as we tighten the vice around them, it could inspire the Iranians to retaliate,” Bejtlich told CRN. “Do they have the capability to respond with a cyber attack? I tend to look at what their patriotic hackers can do, and we've seen the government's actions against dissidents in Iran, using different cyber exploits. So while I don't worry about Iran being an immediate threat for cyber attack, I do see them developing that capability.”
In addition, there is at least circumstantial evidence to suggest that the Flame worm that has been in the news for the past several days is, in effect, a technological cousin of Stuxnet. In the circumstances surrounding Flame, the targets have been almost exclusively focused in East Asia.
All of this raises the question of how this affects corporate networks and the channel partners who build and support those networks.
"I don't see a direct problem for corporate America so far, unless you are a target of one of the Iranian programs," Mandiant’s Bejtlich said. "So if you work in one of these industries where the Iranians are trying to get data or support to further their nuclear program where their military program is, then, yes, you are at risk, but you’ve also been at risk for some time."
Channel partners tend to agree that while IT managers are interested in learning about these developments, they only rarely engage escalated security measures unless something in particular has happened to them.
"We can talk to them until they are blue in the face, but few take heed," said Harold Mann, president of Mann Consulting, a San Francisco-based channel partner. "You have to continue the anecdotal story as though they were on an IV drip. In the beginning they see it as paranoid doom and gloom, but over time they realize the need to protect their data, and they start to make some changes."