Security: A code explodes – News Clipping from The Financial Times – October 1, 2010 – By James Blitz, Joseph Menn and Daniel Dombey
Sitting in his office in Hamburg, Ralph Langner, a German information technology specialist, recalls the moment when he came across the Stuxnet computer worm. “I have to tell you, my jaw dropped,” he says. “I have been in the computer consultancy business for 20 years. I have always warned clients that something like this might appear. But I did not expect that I would end up seeing something so sophisticated, so aggressive, so dangerous.”
Stuxnet is a malicious software code that was first noticed around the world four months ago. Today, it is causing alarm not just to IT experts such as Mr Langner but also to security strategists and governments. Among them is the Iranian regime, whose nuclear programme – seen as one of the most serious threats to global security – may have been severely hit.
For years, governments have been aware of the threat from cybercrime and cyberwarfare. The Pentagon has gone public on how hackers regularly break into its systems and try to steal secrets. Governments have seen, too, how one actor – almost certainly Russia – carried out large-scale cyberattacks on Estonia and Georgia in 2007 and 2008 respectively, severely disabling their communication networks for brief periods.
But the emergence of Stuxnet (its name is derived from keywords buried in the code) takes worries about cyberwarfare to a different plane. For the first time, an as yet unknown group has developed and deployed software that can spread on its own and enter computer systems linked to a real world target – a factory, a refinery, a nuclear power plant. It is designed to take control of, then attack, the facility in question. “It is absolutely directed to destroy something or to blow something up. It is, in effect, a cybermissile,” says Mr Langner, one of the first people to reveal the worm’s full potential as a weapon.
Stuxnet was discovered by a security company in Belarus, and experts have tracked it closely since. In August, Microsoft stated that more than 45,000 computers worldwide had been affected. Analysts then established that it was targeted specifically at an obscure type of industrial control computer made by the German company Siemens, and used to manage oil pipelines, power grids and nuclear plants across the world.
During the past 10 days, however, the target and motive have become clearer. Symantec, a US technology company, has reported that 60 per cent of computers penetrated are in Iran. Last weekend, Tehran conceded that the worm has infected Siemens systems at its civilian light-water nuclear reactor at Bushehr, which it hopes will shortly be fully operational.
Iran’s admission intensifies speculation about who created Stuxnet and why. Its sophistication and detail – and the fact that it has been configured to attack very few types of industrial plant – leads experts to believe only a government could have deployed it. Some point the finger at Israel, which has poured huge resources into Unit 8200, its secret cyberwarfare operation. Israel believes Iran’s nuclear programme is aimed at building a bomb and is therefore an existential threat. The discovery deep inside the worm of the word “Myrtus” – a name used for Queen Esther, one of the leading figures of biblical Jewish history – is seen by some as a possible clue to its origins.
But two other nations – the US and Britain – have serious worries about Iran. They too have bodies – Washington’s Department of Defense and National Security Agency and Britain’s GCHQ – that have established elaborate cyberoffensive operations. Some wonder whether they could be the source too.
Intelligence experts have also been trying to fathom what the impact of the Stuxnet operation has been. Iran insisted this week that no “major systems” at Bushehr have been damaged, though there is no independent verification of this. Meanwhile, as Hamid Alipour of the Iranian government’s Information Technology Company said this week: “The attack is still ongoing and new versions … are spreading.”
Others are trying to work out why Israel or any other state would target Bushehr. “Anyone attacking a nuclear reactor in this way is being irresponsible because you could cause immense environmental damage,” says Mark Fitzpatrick of the International Institute for Strategic Studies. “Besides, Iran’s civil nuclear power plant at Bushehr is not the west’s concern.” The more interesting question, he says, is whether Stuxnet has penetrated Natanz, the uranium enrichment plant at the heart of fears that Tehran is moving closer to building a nuclear weapon. “If that were the case, it could be very significant.”
Stuxnet is prompting wider questions, however. The big concern is whether its emergence heralds a dangerous era of cyberwarfare, one in which states and even terrorists could deploy malicious codes with the aim of sowing mass destruction. “What we have here is no longer a movie-plot scenario but a real attempt to sabotage industrial control systems,” says Eric Chien, an expert on the worm at Symantec. “It may cause a lot of other people to realise they could potentially deploy it.” Rick Caccia of ArcSight, a cybersecurity consultancy, agrees: “We are going to see more attacks on infrastructure where major damage is done. It is an area to be very concerned about.”
To get a deeper sense of what is at stake, Mr Langner explains how Stuxnet operates. First, he says, its creators need access to the network at the plant site they wish to attack. Critical infrastructure, such as Bushehr, is nearly always detached from the internet, making online attacks impossible. In the case of Bushehr, he says, the worm would probably have been placed on USB sticks that a foreign intelligence agency might have secretly planted with the Russian engineers helping build the reactor. “There would have been no need for the foreign intelligence agency to tell [them] the USB sticks were infected,” he suggests. “It would be enough to smuggle the infected USB sticks into the Russians’ computer supplies.”
Once the sticks are inserted into terminals, two things happen, he says. First, the worm takes control of the computer it is attached to. “Then,” says Mr Langner, “you get the really nasty stuff. Stuxnet can gain access to the industrial controllers at the plant, items of computerised equipment that operate pumps, valves and other machinery.” It is then unstoppable. “Even if engineers discover the worm and disconnect their laptops, it is programmed to continue operating.”
How do western governments view the emergence of such a threat? In Washington, there have been longstanding concerns over cybersecurity. Until now, the main worry – prompted in part by China’s attack on Google’s systems 18 months ago – has been that hackers can steal corporate or government secrets. There have also been fears about the proliferation of low-level cybercrime, in which property such as bank details is stolen. This week, for example, scores of people in the US and the UK were charged over an alleged scheme to steal millions of dollars from bank accounts.
But the Stuxnet worm has galvanised fears that the bigger threat facing the west is full-scale cyberwarfare, in which major infrastructure is destroyed. As General Keith Alexander, head of the Pentagon’s new Cyber Command centre set up to defend the Pentagon’s own systems, said recently, a worm such as Stuxnet could cause “tremendous damage”.
Until now, Washington’s biggest effort to prevent a major attack on the US has been focused on defending the military. This week, the Pentagon set up a Cyber Command centre to protect its own infrastructure. US leaders are signalling that they also intend to do more to defend the private sector. Gen Alexander told Congress last week that “we need to come up with a more dynamic or active defence” and that he was working with the White House on such a plan.
But many are doubtful about the government’s assurances when it comes to defending private institutions. “Logically, it’s our job to protect the nation’s private infrastructure,” says Richard Clarke, a former anti-terrorism chief. “The fact that the government has no policy – except to defend the government – won’t stand the light of day.”
Senior military figures are also warning about the exposure of western power plants and water systems. “Those systems are very much wide open,” Maj Gen Richard Webber of the US Air Force said recently.
One issue of particular concern to governments is whether the major powers – the US, China and Russia – could come together to ban the use of cyberoffensive assets. The idea would be to establish “rules of the game” of the kind that limit nuclear proliferation.
“We know that we could do bad things to their electrical grid, and they could do bad things to our electrical grid and neither side wants that to happen,” says a former official in the administration of Barack Obama.
However, recent attempts led by the White House to push for such agreements have foundered. Suspicions that Israel, a long-time US ally, was the originator of Stuxnet will do little to revive them.
Above all, one of the big problems with establishing such rules is that it is almost impossible to trace the origin of a cyberassault. As William Lynn, the US deputy secretary of defence, said recently: “Where you have difficulties with attribution, it’s hard to guarantee assured retaliation because you don’t know who to retaliate against.”
These big questions about cyberwarfare – how nations can defend themselves and regulate the weaponry – are certain to dominate debates on global security in the next decade. The immediate mystery to be cleared up, however, is what Stuxnet has done behind Iran’s wall of secrecy. If it has inflicted serious damage and set back the nuclear programme, there will be delight in the US, Israel and Europe at the undermining of such a serious security threat.
But there would be limits to the rejoicing. For such a success would signal that a terrifying chapter in the history of warfare has begun.