“The intent was that the failures should make them feel they were stupid, which is what happened.”
The future of warfare is digital. Why risk the lives of thousands when you can thwart the ambitions of your enemies and damage their economies with code? The Stuxnet worm, created through the cooperation of the American and Israeli governments, seriously damaged Iran’s uranium enrichment capabilities and set back their nuclear program by at least a year.
However, as President Obama himself worried, the use of government-sanctioned cyber warfare has opened up a Pandora’s Box whose ramifications may yet affect the lives of millions of people around the world. And no one is more vulnerable to this new frontier of digital warfare than the United States.
In 2009, workers at the Natanz nuclear facility in Iran began to notice weird anomalies. Centrifuges spun out of control, slowed, and then shut down, seemingly at random. Scientists and technicians at the facility were at a loss to explain what was happening. As soon as they thought they had fixed the problem, the process would repeat itself somewhere else. By the time the Iranians had isolated the problem and replaced the destroyed centrifuges (possibly as many as 1000 centrifuges, some 10-20% of the total at Natanz), the damage had been done: several workers had been sacked, man hours lost, and the enrichment program set back, if only temporarily.
Not long after these events, cyber security experts in Belarus isolated the Stuxnet worm. They discovered that this nearly invisible software had been designed specifically to attack Siemens industrial hardware and software. How the computers at Natanz had become infected with the virus remained a mystery, but most researchers speculated that it must have been introduced through infected flash drives. Due to the specificity and complexity of the worm, researchers agreed that only a foreign government with deep pockets and technical know-how could have designed Stuxnet. And because the worm had targeted Iran, the likely culprits were Israel and the United States.
So it came as no surprise last week when The New York Times ran an article implicating both the American and Israeli governments in the creation and use of the Stuxnet worm. According to David E. Sanger, the author of the book from which the article is taken, President Obama expressed deep reservations about what unleashing the Stuxnet worm might mean for the future of warfare. He compared this dilemma to that of the Truman administration and their decision to use atomic weaponry in Japan. By using Stuxnet to target a foreign government, the U.S. would usher in a new era of warfare with terrifying and far-reaching consequences.
In the last week, experts revealed another malware program of similar complexity to Stuxnet, called Flame. Flame has stunned cyber security experts because of its ability to mimic Microsoft Windows software. It tricks users into installing the program to spy on users and steal their data. Like Stuxnet, Flame’s design suggests that it was designed and disseminated by a wealthy government or corporation. And like Stuxnet, Flame eluded detection for months, possibly even years. The Israeli government has already officially denied culpability.
While Flame has dominated discussions in certain quarters, it warrants wider consideration. Flame is not just another destructive malware program, but proof that the era of cyber warfare has dawned. It’s easy enough to dismiss an isolated case like Stuxnet, but Flame reveals a pattern of attacks specifically targeting a single entity: Iran.
If the United States government was worried about the ramifications of cyber warfare before Stuxnet, they must now be on high alert. America’s infrastructure is now fair game. Energy grids, banks, record-keeping servers are suddenly vulnerable in ways that we never could have imagined before.
In 2009, security expert Bruce Schneier blew off what he considered fear mongering by the government and the media. “Honestly, I think the threat is overblown.” He goes on: “The risks today are due more to errors than to malicious intent.” Fast forward to 2012 and one realizes just how much has changed in the intervening three years. Government-designed malware like Stuxnet and Flame are the forerunners to future cyber threats, some of which may be directed at America’s aging and vulnerable infrastructure.
The idea that nation states will become embroiled in the creation and dissemination of targeted malware should frighten you. While such attacks are bloodless, they may eventually lead to total chaos. Were portions of the U.S. power grid shut down, even if temporarily, it could do untold damage. Air traffic control would effectively cease operations. Critical services, like hospitals and call centers, would shut down.
But what is the actual likelihood that such an attack could even happen? In 2009, as Schneier pointed out, the idea was far-fetched – an effort to gain public interest and support for major cyber defense measures. However, malware programs may only become more sophisticated in the coming years. Destabilizing efforts from Iran itself, as well as from other sectors like Russia and China, may become commonplace. Efforts need to be made now to secure America’s infrastructure from possible attack. The idea of blowback, that our own policies will come back to hurt us in a more virulent form, seems more and more likely.
In a speech yesterday at Tel Aviv University, Eugene Kaspersky, the software expert who discovered Flame, warned the audience of the dangers of this new cyber warfare. “My message is: Stop doing that before it’s too late. The ideas are spreading too fast. There is a genie in a bottle.” That genie could be the diffusion of ever more complex and malicious malware. This malware could, like a real virus, spread quickly beyond its region of origin to infect computer systems around the world. That is a nightmare scenario perhaps, but one that looks increasingly plausible. “I’m afraid that that cyber-boomerang may get back to you,” Kaspersky warned his audience of Israelis. Words to live by. I only hope that it’s not too late.