Chechnya. Estonia. Georgia. In recent years, military powers have waged cyberwarfare with increasing frequency, on an ever-larger number of fronts. Even here in the U.S., we've been subject to attack, including the July 2009 "botnet" assaults on websites run by U.S. stock exchanges NYSE Euronext and Nasdaq OMX, and on the Pentagon, NSA, and State Department.
But turnabout is fair play, and in 2009, America apparently started fighting back -- and winning.
For years, the White House has wrung its hands about the difficulty of disrupting an Iranian nuclear weapons program that's widely dispersed, deeply buried, and heavily bomb-proofed. Then, American "cyberwarriors" allegedly hit upon a solution: Zap them with an e-bug. In collaboration with Israeli security agencies, a New York Times report asserts, we designed a computer "worm" designated "Stuxnet," reportedly the "most sophisticated" computer worm ever designed. Stuxnet was built for exactly one purpose: Locate Siemens
It worked. After worming its way into one of Iran's centrifuge labs last year, Stuxnet has already been credited with destroying as many as 20% of Iran's nuclear centrifuges, and setting back Iran's nuke program by as much as five years. According to one commentator, "It was a marksman's job." One shot, one kill, no collateral damage.
A marksman with a machine gun
But while we aimed at only one target, Stuxnet didn't stay stuck on it. Already, the worm has leaked out of Iran and into Symantec's
According to this month's issue of Popular Science, Stuxnet can now be found on "hundreds of thousands of computers in at least 155 countries." The good news: Since it's so highly targeted at Iranian centrifuges, Stuxnet doesn't seem capable of harming anyone else. The bad news: It might not stay that way.
According to independent computer security expert Ralph Langner, once you've captured Stuxnet and managed to decode the worm, "it's like a playbook… Anyone who looks at it carefully can build something like it."
In other words, we might have struck a blow for truth, justice, and the American (or Israeli) way with Stuxnet. But we may also have provided an instruction manual to help enemy hackers build their own hi-tech cyberworms.
Describing the danger that Stuxnet, or derivations thereof, will eventually be turned around and used to attack U.S. industrial machines, PopSci rates Stuxnet a "7" (out of 10) on this month's "Folly Meter" of neat-ideas-that-we-never-should-have-tried. And in an eminently quotable warning, the magazine opines, "Many cybersecurity wonks are thoroughly freaked out."
Offense leads to defense
Congrats to the cyberwarrior team on the "away win." But in a perverse boon to America's defense industry, it's now more urgent than ever that the folks who invented "Stuxnet 1.0" rush home and start playing defense against a potential Stuxnet 2.0.
Perhaps tipped off to the escalated threat meter, the Obama Administration launched operation "Perfect Citizen" last year, an effort to improve monitoring of Internet security threats that builds on cybersecurity promises made (but not fulfilled) back in the Bush II administration. Raytheon
That's great news for defense investors -- if the government comes through on its promises to make a serious investment in bolstering national cyber security defenses, and if the much-ballyhooed defense cuts don't give short shrift to "virtual" threats. But our response cannot end there. Remember that while Iran's government runs its nuclear program, a Stuxnet-like attack in the U.S. would more likely target private, industrial companies like energy utilities, electricity distributors, or chemical concerns.
Foolish final thought
While any serious effort to make America's Internet secure must begin with government computer networks, private companies will need the bulk of the upgrades, albeit perhaps with taxpayer assistance. If that's the case, I'd think that companies like Symantec (which first captured Stuxnet "in the wild"), McAfee (now owned by Intel
Profit-pinched companies won't want to spend to secure their networks, but the government may require them to do it. The threat is real, it's growing, and thanks to Stuxnet, we may just have made it worse.