Now We Know: Stuxnet R US
By KARL STEPHAN, Consulting Engineer, Texas State University, San Marcos
Almost a year ago in this space, I wrote about a sophisticated new computer virus  called Stuxnet which had apparently done considerable physical damage to almost a thousand uranium-enrichment centrifuges in Iran in 2010. At the time, it wasn’t clear who designed Stuxnet, although guesses were that either Israel or the U.S. was responsible.
Well, on June 1, 2012, the New York Times published excerpts from an upcoming book that confirms those suspicions, and goes into a lot more details. It turns out that Stuxnet was only one of several cyberattacks that originated with a project called “Olympic Games” that began during the presidency of George W. Bush, who encouraged his successor Obama to continue it. Obama took Bush’s advice and persisted with the program even after the Stuxnet virus escaped "into the wild," which is how the computer-security community learned about it a year ago.
There are two related ethical concerns that these latest revelations highlight. One has to do with U.S. participation in cyberwarfare generally. And the other has to do with the fact that someone in the current administration spilled so many beans about what we were doing.
Cyberattacks are following a well-trodden path down which earlier forms of militarily useful technology passed decades or even centuries ago: telegraphy, radio, aviation, and nuclear weapons, to name a few. The trend is from discovery to initial, usually rather amateurish, experimentation, and then to serious funding and adoption by all sides in a conflict. With regard to cyberwarfare, we are now beyond the amateurish-experimentation phase and well into serious adoption by at least one side: the U.S. and Israel, which turns out to have collaborated closely with the U.S. in the Stuxnet project for both technical and diplomatic reasons. If history is any guide, we can now anticipate a cyberwarfare counterattack by one or more of our enemies sooner or later.
This is made especially likely because cyberattacks turn out to be pretty cost-efficient. Software experts examining the Stuxnet virus at the time it was first found estimated that it was fairly cheap to develop, under a million dollars. The latest revelations in the Times show that this may have been an underestimate, because the CIA went to the trouble of building a working model of part of Iran’s nuclear facility using the identical machines that were the target of the attack, in order to be sure it would work. Still, it was cheap compared to a full-scale airstrike with cruise missiles, for example.
Cheapness cuts both ways. The U.S. isn’t the only country with sharp computer whizzes willing to develop evil viruses to mess up critical infrastructure. Stuxnet was highly specialized to do a specific kind of damage to only one facility, but virus-writers worldwide have highjacked its innards to do other malicious things since then. It is not beyond the realm of possibility to imagine someone taking the basic Stuxnet format and designing a virus to, say, whack out an industrial controller commonly used to regulate the speed of steam turbines in power plants. I’m not knowledgeable about the degree of sophistication of power-plant software or the tightness of their security measures, but I’m sure it varies from place to place, and while some on-the-ground collaboration was needed for the attack on Iran, that might not be necessary for some forms of virus attack. The point here is that with its vast array of computer-dependent infrastructure, the U.S. is very vulnerable to just the kind of cyberattack we mounted against Iran.
Which brings up the second ethical concern: did we have to go so public with all the details of what our responsibility was in Stuxnet? Critical information about decryption technology used in World War II was kept in the dark for decades. I would expect the kind of details we read in the Times to come to light someday, but less than two years after the attack? Perhaps this is a deliberate ploy to warn counterattackers that yes, we can do this and you’d better watch out. But because cyberattacks rely on lapsed vigilance and poor security measures (the Stuxnet actually got into the target network through a carelessly used flash drive someone carried into the secure facility), it seems like telling our enemies all the details of our attacks and responsibility for them, will just make them all the more cautious and less likely to fall for such things in the future. In other words, if you’re going to fight a war with secret stuff, blowing the secret doesn’t seem like a good idea.
At the risk of sounding excessively political, one could speculate that the publicity about Stuxnet was another attempt to show the present administration in a “tough-guy” mode, consistent with recent revelations about how the President himself personally authorizes every drone attack on targets that have included a U.S. citizen in at least one instance. These drone attacks have drawn criticism from the President’s own party, notably former President Jimmy Carter. Like cyberattacks, drone strikes are, in the short term, a “no-risk” mode of warfare that carries no domestic downside in terms of U.S. casualties incurred during the attacks. But an older code of conduct in the battlefield would view the kind of button-pushing fight we are presently engaged in as morally suspect, if not downright cowardly.
It was close to inevitable that cyberwarfare would take its place along more conventional means of fighting a military conflict. But now that we have told the world we’re doing it, we should not cry foul if some fine day our own computer systems fall victim to a low-budget, focused attack that could do even more damage than ours did to the Iranian uranium facility.
Sources: The New York Times report on the Olympic Games efforts appeared online on June 1, 2012 at http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html .
President Carter’s criticism of drone strikes as being violations of human rights appeared in the same publication on June 24, 2012 at