09.28.10

Great cyberweapon or cyberfizzle?

Posted in Crazy Weapons, Cyberterrorism at 3:36 pm by George Smith

On Stuxnet, yes, I’ve seen the stories.

But do go to the site of the German researcher propagating its central thesis, Ralph Langner.

Langner’s discussion is an interesting one and often compelling.

But “hack of the century” is the type of overused phrase that won’t get you a lot of mileage in circles not inclined to believe absolutely everything published about global malware. Or cyberwar.

Langner knows the technical side and makes a reasonable argument
as to the amount of effort put into the Stuxnet bug. He argues that it was created by a national intelligence/defense program. And the obvious insinuation for this story is Israel, although other countries are not ruled out.

However, the discussion goes a bit to far — understandably, in linking circumstantial news — that Iran’s nuclear program has progressed slower than expected — and Stuxnet.

There is no proof that anything went bang or failed catastrophically in a nuclear reactor or even a a centrifuge cascade. Other equally or more plausible explanations exist for any perceived slow down, if there is one, in an Iranian nuclear weapons program.

Still, if one takes the broad leap and grants that a virtual effect of some kind was achieved, Stuxnet still has had an indiscernible effect to everyone not already in on the story.

Years ago, I said publicly that I thought governments would try to write malware and pursue cyberwar. I had no real idea how long ago until I started digging up some old digital news records.

It was all the way back in 1995.

At the time, it was for a Voice of America news broadcast, and this is what I said, something I’ve repeated from time to time in many other discussions:

“George Smith is skeptical that offensive military operations will work very well in cyberspace.

“For years, Mr. Smith has been writing a newsletter on computer break-ins . . . He says Pentagon officials are overstating the danger from computer hackers and intruders.

“Nevertheless, [Smith] expects the United States and many other nations to try to create ‘cyber-attack’ forces: ‘I think it is likely that people will try, I think it is unlikely they will have any impact.’

“Mr. Smith says armies in Bosnia and the Gulf War faced computer problems, including viruses. He says they coped with them in much the same way they coped with flat tires on vehicles, or worn out parts on aircraft.

“[Smith] said] the idea that small groups of people, armed only with keyboards, could seriously hurt a powerful military force belongs in Hollywood — not the battlefield.”

To this I’d only add that the lack of substantial proof of success in offensive malware operations won’t stop anyone in the business of insisting just the opposite.

However, Iran’s nuclear program also won’t be stopped by a piece of malware aimed at controller software in its factories.

And the liabilities of employing something like Stuxnet are now fairly obvious.

The most glaring being that such a thing is immediately seized upon and pulled apart by the worldwide distributed network of computer security researchers. And second, that even granting for a moment that it was designed to be directed at Iran, the intelligence requirements for it to be solely limited to that were still way too great to limit its spread to that country.

Wrote David Sanger at the New York Times over the weekend:

Stuxnet, which was first publicly identified several months ago, is aimed solely at industrial equipment made by Siemens that controls oil pipelines, electric utilities, nuclear facilities and other large industrial sites. While it is not clear that Iran was the main target — the infection has also been reported in Indonesia, Pakistan, India and elsewhere — a disproportionate number of computers inside Iran appear to have been struck, according to reports by computer security monitors.

Another ramification is the identification of the ioriginating country. If the country of origin is already an international pariah, then it doesn’t matter if Stuxnet is pinned on such a nation.

As a thought experiment, assume for a minute that Stuxnet is a part of a US program, not Israel’s.

In terms of national security and unilateral action, everyone already thinks the US acts rashly and can be reliably depended upon to behave with little regard for others.

At this point, there’s no longer much of a downside to using something like Stuxnet.

Even if a national program were to execute something so poorly the backfire would sweep over the originating country’s civilian systems. (That’s certainly progress, of sorts.)

It would just be yet another example of some team or some agency thinking, perhaps reasonably, that it’s godly and beyond reach.

And we’ve already had a few of those.

Bruce Ivins and the lack of professional diligence at Fort Detrick, in the world of real things as opposed to virtual, coming to mind.

Stuxnet as a super cyber weapon is a hot, sexy story. The hype behind it is predictable, even logical. Paradoxically, one of the famous journalists usually the first to exaggerate such things — John Markoff of the New York Times — gave it, what was for him, a mild reception.

Markoff’s second paragraph, from the 27th:

The most striking aspect of the fast-spreading malicious computer program — which has turned up in industrial programs around the world and which Iran said had appeared in the computers of workers in its nuclear project — may not have been how sophisticated it was, but rather how sloppy its creators were in letting a specifically aimed attack scatter randomly around the globe.

All of the old anti-virus programmers, as far back as the late Eighties and Nineties, would have told anyone the same. In fact, they told stories like it about various computer viruses many times, the only difference being the wherewithal didn’t yet exist to aim them roughly over a global network.

In essence, once a piece of replicating malware is released into the world, no matter how “smart” (that being a relatively elastic term) its creator(s), it’s effectively liable to wind up where least expected, no matter how exactingly programmed.

If we get back to nuclear fuel cycles and national bomb programs for a moment, it should be remembered that uranium can be enriched, and an atom bomb made, entirely without the use of Siemens software and globally networked computers.

Entire libraries of books exist on the matter.

And people who have devoted professional careers to the study of nuclear proliferation can give entire classes on what can go wrong inside a bomb program. Without ever getting to software problems and malware. There are many things in the material world which can effect the progress of a bomb-making program, not the least of which are easily understood hurdles like inexperience, subpar skills and interference with access to essentials and properly engineered machinery.

In August, prior to Stuxnet news, the Times reported:

It is unclear whether the problems that Iran has had enriching uranium are the result of poor centrifuge design, difficulty obtaining components or accelerated Western efforts to sabotage the nuclear program …

For most of this year, Iran has added relatively few centrifuges — the machines that spin uranium at supersonic speed, enriching it — to its main plant at Natanz. Only about half of those installed are operating, according to the International Atomic Energy Agency. So far, Iran has produced about 5,730 pounds, enough, with considerable additional enrichment, to produce roughly two weapons.

The public explanation by American officials is that the centrifuges are inefficient and subject to regular breakdowns. And while Iranian officials have talked about installing more advanced models that would be more efficient and reliable, only a few have been installed.

“Either they don’t have the machines, or they have real questions about their technical competence,??? Mr. Samore said.

Some of Iran’s enrichment problems appear to have external origins. Sanctions have made it more difficult for Iran to obtain precision parts and specialty metals.

Any of these explanations are as likely, perhaps even greatly moreso, than Stuxnet.

---

keys: cyberwar, cybersecurity, cyberterrorism, cybersabotage

Update: Some typos corrected.

Permalink