Cyber-War!

Tabula

November 8-14, 2010

David J. Smith*

“Electronic warfare against Iran,” an unnamed Iranian intelligence source told the New York Times.
We shall probably never know the details or the extent of it, but apparently last summer, something
went askew with the computer-controlled processes in the Islamic Republic’s nuclear programs.
Then, Belarusan security experts discovered that Stuxnet—a super-cyber-weapon—had wormed its
way into some of Iran’s most sensitive computers. Considered alongside the Russian cyber-attacks
against Estonia in 2007 and Georgia in 2008, Stuxnet’s appearance signals that cyber-warfare is as
much a contemporary reality as social networking.

By now, Stuxnet has been parried by most computer users—in October, Microsoft patched the
operating system vulnerabilities that Stuxnet exploited. But its discovery last summer heralded a new
generation of malware.

Stuxnet did not steal bank account information, erase hard drives or lasso personal computers into a
spam-generating botnet. It was a targeted weapon—if it did not find what it sought on your computer,
it discreetly moved on. Its target was a particular programmable logic controller—PLC—made by the
German company Siemens. PLCs control industrial processes that require precise timing.

When Stuxnet found a targeted PLC, it injected its own code into it, concealing itself and the
alterations it made. This caused the PLC to misdirect the controlled process—too fast or too slow;
early or late; too much or too little.

Stuxnet’s authors are thoroughly familiar with industrial processes and with the targeted Siemens
PLC—and they are master malware designers. But the worm accessed closed networks by exploiting
lax security—an infected flash drive plugged into a USB port.

Once into a network, Stuxnet made its way by exploiting four so-called “zero-day vulnerabilities.” In
other words, Stuxnet designers found and used four gaps in the Microsoft operating system before
Microsoft found and patched them—most worms exploit only one such vulnerability. It also updated
itself by checking back with file servers in Denmark and Malaysia and by peer-to-peer file-sharing
when it bumped into another version of itself.

It may have taken a team of experts six months to design Stuxnet in a sophisticated facility at
tremendous cost. This, along with the apparent absence of any practical criminal application, leads
some experts to speculate that Stuxnet may have been the work of some nation state.

Although the Iranian Government downplays the impact of Stuxnet, it admits a high infection rate,
and some of its nuclear facilities are known to be controlled by Siemens PLCs. Iran’s Russian-built
Bushehr nuclear power plant or its Natanz nuclear enrichment facility could be the kind of targets that
would justify the effort, time and expense of launching Stuxnet. All this has led to speculation that
America or Israel was behind Stuxnet. Of course, America and Israel are blamed for just about
everything, so Stuxnet’s attribution and target remain speculative.

What is not speculative is the debut of a new generation of malware that is targeted, sophisticated,
expensive and purpose-built, not borrowed or rented from the world of cyber-crime. The super-cyber-
weapon is reality.
And, just as precision-guided munitions exist alongside traditional artillery and tanks, super-cyber-
weapons will exist alongside the simpler cyber weapons that are rooted in cyber-crime.

Moreover, just as artillery and tanks have been steadily improved, expect increasing sophistication in
the kind of attacks that Russia directed against Estonia and Georgia. As Georgian Security Analysis
Center Senior Associate Khatuna Mshvidobadze pointed out in a report that is now part of the NATO
Strategic Concept bibliography, “The cyber-attacks against Georgia represented improvements over
the techniques used against Estonia in the spring of 2007.” Russia is surely not alone in analyzing the
2008 cyber-campaign to devise improvements.

Moreover, we should expect strides not only in computer methods and efficiency but in the
psychology, sociology and economics of attacks.

Future attacks may be targeted and stealthy, aimed at producing a single, devastating result such as
crippling a nuclear facility. Or they could be used in conjunction with a wider attack, for example,
blanking the radar screens of an air defense system. This could mask an isolated air attack on a
particular facility such as Israel’s 2007 strike at a suspected Syrian nuclear facility. However, such a
move could also be part of a broader war that incorporates cyber-attacks to blind the target
government, prevent it from broadcasting accurate information, delay international response, damage
morale, disrupt the economy and blunt any defense.

Of course, surprise, deception, sabotage, severed communications, psychological operations,
economic disruption—that is, war—are as old as humankind. Cyber-space is a new dimension for
warfare, just as the sea, air and outer space once were. However, beyond its considerable technical
challenges, the cyber dimension presents at least two unique features.

One is that it reverses the traditional roles of government and private industry in war. In the cyber
dimension, most targets belong to private companies; cyber aggressors and cyber defenders will be
mostly civilians. This calls for an unprecedented partnership between government and industry.
Experts from around the world will gather this week in Tbilisi to discuss just this.

Another unique feature is that cyber defense requires uncommon cooperation among like-minded
countries. For western countries, NATO—of course, in conjunction with others—is the organization
that has the resources and six-decade tradition of international cooperation and interoperability. The
alliance’s new Strategic Concept, due to be approved at the NATO Lisbon Summit later this month,
will no doubt seriously address cyber-defense. Will it be enough?

The next super-worm—and more—is already out there!

*David J. Smith is Director, Georgian Security Analysis Center, Tbilisi, and Senior Fellow, Potomac
Institute for Policy Studies, Washington.