Stuxnet Invokes Specter of Cyberwarfare

Even security experts who keep a close watch on such things never saw anything quite like the Stuxnet cyberattack of last summer. Although they had identified and overcome lots of computer worms and viruses, they were stunned by Stuxnet’s potency, and by its purpose: to wreak economic havoc by disabling power generators and other infrastructure related to industrial production.

Stuxnet’s origins remain mysterious, but its mechanics have been closely studied. Herbert (Hugh) Thompson, chief security strategist at New York–based consulting firm People Security, describes Stuxnet as “intricate, well put together, very targeted by people who knew what they were doing.” The attack was aimed at Iran’s power grid, specifically to disrupt the country’s suspected nuclear weapons development.

Any more details that emerge about Stuxnet may pale next to its significance as what technology people call a “game changer” — something on the order of the Internet-bred computer viruses of the 1980s and ’90s, but with as-yet-unforeseen military and geopolitical implications.

Mikko Hypponen, a leading cyberthreat tracker who is chief research officer of Helsinki, Finland–based F-Secure Corp., says “hundreds of thousands of euros and man-decades” were probably needed to aim Stuxnet specifically at industrial control systems. Yet the worm also inflicted collateral damage on hundreds of thousands of ordinary home and office computers. And so the next Stuxnet-like event could pass into the realm of a general, uncontained threat to entire networks and economies.

Hypponen and other analysts have only hesitantly invoked the specter of cyberwarfare. It’s not mere science fiction to military and intelligence strategists, but neither has there been solid evidence of any country attacking another’s communications infrastructure as part of a purposeful, hostile action. Some of what looks like cyberwarfare may just be espionage, though possibly state-sponsored.

Stuxnet has begun to dispel that caution. People Security’s Thompson sees it as a possible “peek into nation-state-level cyberoffense.”

Stewart Baker, a Washington-based partner at law firm Steptoe & Johnson and a former National Security Agency and Department of Homeland Security official, wrote on his blog, Skating on Stilts, that “Stuxnet clearly establishes the likelihood of cyberwar in the future.” He believes “governments won’t ignore the military advantage to be gained from cutting off electric power in its adversary’s territory.”

There are other causes for concern outside the military sphere. As Stuxnet came to light, so did the WikiLeaks affair, a violation of document security protocols that set off a wave of “hacktivism” by sympathizers using hacking techniques to retaliate against credit card companies and others that cut WikiLeaks out of their payment systems.

Meanwhile, there is no end to the malicious attacks on companies and networks that have become all too routine over the years. According to Cisco Systems, web malware increased 139 percent between 2009 and 2010.

To former U.S. counterterrorism chief and White House cybersecurity adviser Richard Clarke, author of the 2010 book Cyber War: The Next Threat to National Security and What to Do About It, everything is connected: “The difference between cybercrime, cyberespionage and cyberwar is a couple of keystrokes,” Clarke has said, calling for “a broad public dialogue about cyberwar.”

Does this bring the corporate sector, presumably already competent at maintaining cyberdefenses, into the realm of cyberwarfare? That would require thinking offensively as well as defensively, for which the private sector may not be fully equipped.

There are critical differences between random hacking and “angry mobs,” and a highly engineered weapon like Stuxnet, notes Carl Herberger, head of security solutions at Radware in Mahwah, New Jersey. But any entity in the line of fire may have to consider forms of retaliation, and under certain circumstances, he says, “offensive tools will propagate.”

Attorney Baker sympathizes with that view but says war analogies can be misleading. A company going on the offensive could face legal liability for collateral damage. Then again, offensive capability can have a deterrent effect. Clearly, cyberwarfare raises strategic questions different from those of the more familiar competitive battleground, and if another virulent threat materializes, there won’t be a lot of time to figure out how to react.

Jeffrey Kutler is editor-in-chief of Risk Professional magazine, published by the Global Association of Risk Professionals.
