When hackers boast of their exploits, they often claim that they had only the good of the victim at heart – no matter what kind of mischief they’ve been up to. They usually innocently say that they are exposing how they accomplished whatever remarkable invasion or feat merely to help improve security of a site or system by exposing its flaws.
The team that invented the Stuxnet virus has never publicly claimed that (or anything else for that matter), but they could if they so desired. Because that is apparently exactly what’s happened. And not only that, the clever people who deployed the virus to make the world safer may well have put all of us at greater risk than ever before.
The story of the Stuxnet virus may be the perfect application of the Law of Unintended Consequences to cyberwar. Like Murphy’s Law, this axiomatic principle points out how human efforts often have unforeseen effects that are quite perversely the opposite of what was desired.
Of course, since nobody associated with the creation of the virus has ever spoken out, no one knows who exactly is behind it or what their exact plans were. However, in the history of computer viruses, Stuxnet holds a unique place – for it is the first virus that is a true weapon.
Weaponized code
Stuxnet was not designed to steal cash or information but to create real-world sabotage. It was malware specifically engineered to destroy Iran’s high-speed centrifuges used in enriching uranium. So this virus is an actual weapon as much as a land mine.
Since Stuxnet was discovered three years ago, it has been carefully studied and analyzed by security experts around the world. They looked at what kinds of machines were infected, their locations, and what the virus actually did. They took it apart, carefully dissecting it line by line, function by function. They found that the virus was remarkably complex and as carefully made for its purpose as a bullet.
The famous Russian security firm Kaspersky Labs declared Stuxnet was so intricate it had to have been made with state support. Suspected from the start to be a creation of US or Israeli defense teams, or both working together, last summer its origin as a joint project of both governments was finally confirmed – long after it had escaped into the wild.
Stuxnet is a highly sophisticated bundle of code that came in at least 5 versions. It was believed to have successfully degraded the Iranian atomic effort, actually destroying machines. It did so by commandeering the industrial control systems of high-speed gas centrifuges used to separate out the more easily fissionable uranium isotope. By taking over these SCADA controls, the virus secretly changed speeds randomly to the point of physically destroying the devices.
And it has returned more than once. On Christmas Day last year, the Iranians announced yet another outbreak, this time in the southern part of the country. They’re probably still dealing with the headaches.
Crossing the line
According to NATO legal experts, Stuxnet was probably an illegal act of force. They could not agree, however, on whether it was serious enough to be considered an act of war demanding a physical response from Iran, or whether it was a legitimate act of self-defense to prevent the Islamic Republic from developing nuclear weapons by wrecking its labs.
However, a British think tank recently claimed that the overall effect of the cyberattack was actually to help the Iranian program. The Royal United Services Institute published a report saying that, as a result, the Iranians redoubled their efforts, reexamined their whole operation, and fixed a number of vulnerabilities. They were subsequently thought to be producing 40% more enriched uranium than before in an even stronger, more determined program.
But wait, there’s more. That might be the least of the cyberspooks’ worries, for Stuxnet is now loose in the world. How this happened is puzzling, for the code was highly targeted. It was not designed to attack PCs or spread across the Internet, so it is debatable how – or even if it truly escaped.
The point is, however, that at the very least, knowledge of the virus and how it worked spread around the planet. Much of it was freely shared by security experts and posted on the Internet. So by now, every hacker in their chat rooms and every terrorist in his cave should be well aware that critical industrial equipment that our civilization depends on may be vulnerable to electronic sabotage. And nobody needs to put on a suicide vest to do it.
These industrial control systems, called SCADA (Supervisory Control And Data Acquisition), run everything from power grids to water and sewer works to big air conditioning systems. Though robust, as Stuxnet has shown, they are not that secure.
Imagine, then, what a real-time, full-scale cyberwar could do. Real-world systems may be shut down or impaired randomly or in concert. It may take months to repair the damage – plenty of time for a war begun online to go physical in a big way. Infrastructure that we rely on without thinking could get as dodgy as in the Third World or worse. Things could get messy. We just don’t know.
And so the Law of Unintended Consequences comes full circle. The attempt to delay or even stop the Iranian nuclear program not only sped it up substantially, it demonstrated both the power and limits of cyber attacks. The long-term prospects of world peace were probably not well-served.
However, there’s one more ironic twist. For all is not grim, at least not for the cyberwarriors. If nothing else, they’ve secured their own budgets for years to come. Perhaps it was inevitable that infrastructure would be targeted someday, and maybe it was best that it happened this way. Or maybe not.
Have the cyberspies prevented or enabled a “cyber Pearl Harbor”? Time will tell.