In cyberspace, a good offense is NOT always the best defense
Stuxnet shows cyber war is trickier than it may seem
Analysts in government and industry are learning more about the complex Stuxnet worm, a sophisticated and apparently purpose-built cyber weapon designed to attack specific automated industrial control systems. But we still don’t know who built it or what its target is.
We can make guesses about its target — Iranian nuclear fuel enrichment plants — and from that can guess about its origins — the United States or Israeli military. But Dean Turner, director of the Global Intelligence Network at Symantec, which is doing research on the malware, cautioned a Senate hearing this month that such speculation was just that — speculation.
What we do know about Stuxnet is that it is a perfect illustration of the dangers of offensive cyber warfare. Targets are too difficult to identify in cyberspace and cyber weapons are too difficult to control to make them effective tools for legitimate warfare. This will not stop criminals, terrorists or some nations from using them, of course, but U.S. cyberwar policy should focus on defending itself against these attacks rather than launching offensive operations.
Stuxnet is a serious piece of malware. By all accounts it is the product of a well-financed team that had the time and resources to gather detailed intelligence about its target and craft a complex program to seek it out, observe it and sabotage it.
Recent research has found that Stuxnet seeks out frequency converter drives made by two specific vendors in Finland and Iran to control the power and speed of a motor. Symantec, in a recent blog posting, said Stuxnet is designed to observe the frequencies at which its target operates for a time, and then reprogram the controller to change the speeds.
“Modification of the output frequency essentially sabotages the automation system from operating properly,” the posting states.
The frequency converters being targeted could be used in a variety of processes, but the high frequencies at which they are designed to operate narrow the range of their practical application. Symantec does not speculate about the process Stuxnet is designed to interrupt, but notes that drives of this type are “regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment.”
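The observe-then-reprogram behaviour described above suggests one defensive check. The following is an added example, not code from the article or from Symantec: it learns each drive's normal commanded-frequency band from telemetry and alerts when a later setpoint falls outside that band. The log format, drive ids and frequency values are constructed assumptions.

```python
from statistics import mean, pstdev

class DriveMonitor:
    """Learns a per-drive frequency band, then flags setpoints outside it."""

    def __init__(self, learn_samples=20, k=4.0, min_half_band_hz=5.0):
        self.learn_samples = learn_samples
        self.k = k                          # band half-width in standard deviations
        self.min_half_band_hz = min_half_band_hz
        self._history = {}                  # drive_id -> samples seen while learning
        self.baseline = {}                  # drive_id -> (low_hz, high_hz)

    def observe(self, drive_id, freq_hz):
        """Return an alert string for an out-of-band setpoint, else None."""
        band = self.baseline.get(drive_id)
        if band is None:
            # Still learning: collect samples until we have enough for a baseline.
            hist = self._history.setdefault(drive_id, [])
            hist.append(freq_hz)
            if len(hist) >= self.learn_samples:
                half = max(self.k * pstdev(hist), self.min_half_band_hz)
                self.baseline[drive_id] = (mean(hist) - half, mean(hist) + half)
            return None
        low, high = band
        if low <= freq_hz <= high:
            return None
        return f"{drive_id}: commanded {freq_hz:.1f} Hz outside baseline {low:.1f}-{high:.1f} Hz"

def scan(lines, monitor=None):
    """Feed 'timestamp drive_id freq_hz' telemetry lines; return the alerts raised."""
    monitor = monitor or DriveMonitor()
    alerts = []
    for line in lines:
        ts, drive_id, freq = line.split()
        alert = monitor.observe(drive_id, float(freq))
        if alert:
            alerts.append(f"{ts} {alert}")
    return alerts

# Constructed telemetry (hypothetical drive id and timestamps): 20 readings near
# 1000 Hz, then the controller pushes the drive far above, back, and far below
# its normal band.
SAMPLE_LINES = [f"2010-11-12T10:{i:02d} drive-1 {1000 + (i % 3) - 1}.0" for i in range(20)]
SAMPLE_LINES += ["2010-11-12T10:20 drive-1 1400.0", "2010-11-12T10:21 drive-1 1001.0",
                 "2010-11-12T10:22 drive-1 40.0"]

if __name__ == "__main__":
    for a in scan(SAMPLE_LINES):
        print(a)
```

The check is only as trustworthy as its telemetry source: readings should reach the monitor over a path that the controller under suspicion cannot rewrite.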
We get more hints about the target from the fact that about 60 percent of Stuxnet infections worldwide are in Iran and infections appear to have begun there.
But it did not stop there. Symantec has reported about 44,000 infections of Stuxnet worldwide, 1,600 of them in the United States. This is disturbing. Here we have what appears to be the cyber equivalent of a smart bomb, targeted at a specific piece of equipment controlling a specific process, and it has spread around the world from an Iranian nuclear facility, which is probably not the most networked of environments.
We do not know if Stuxnet was developed and launched by the United States, an ally, or indeed by any other nation in the world. We might never know. But it shows that even the most sophisticated worm is not a smart weapon. It is more like turning a cobra loose in a room. Or, given the way Stuxnet has propagated, like turning loose a pair of rabid rabbits.
Many will decry as naïve the suggestion that we should limit our cyberwar activities to defense. They will say that we have to be tough and fight fire with fire. That is unwise if you are unable to control the fire. Eschewing offensive actions, at least until we are capable of effectively controlling them and of identifying and isolating the targets they will attack, does not mean giving up. We need and should have a robust defense. And that does not always mean an offense.