In cyberspace, a good offense is NOT always the best defense

Stuxnet shows cyber war is trickier than it may seem

Analysts in government and industry are learning more about the complex Stuxnet worm, a sophisticated and apparently purpose-built cyber weapon designed to attack specific automated industrial control systems. But we still do not know who built it or what its target is.

We can make guesses about its target — Iranian nuclear fuel enrichment plants — and from that can guess about its origins — the United States or Israeli military. But Dean Turner, director of the Global Intelligence Network at Symantec, which is doing research on the malware, cautioned a Senate hearing this month that such speculation was just that — speculation.

What we do know about Stuxnet is that it is a perfect illustration of the dangers of offensive cyber warfare. Targets are too difficult to identify in cyberspace, and cyber weapons are too difficult to control, for them to be effective tools of legitimate warfare. This will not stop criminals, terrorists or some nations from using them, of course, but U.S. cyberwar policy should focus on defending against these attacks rather than on launching offensive operations.

Stuxnet is a serious piece of malware. By all accounts it is the product of a well-financed team that had the time and resources to gather detailed intelligence about its target and craft a complex program to seek it out, observe it and sabotage it.

Recent research has found that Stuxnet seeks out frequency converter drives, made by two specific vendors in Finland and Iran, that control the power and speed of a motor. Symantec, in a recent blog posting, said Stuxnet is designed to observe the frequencies at which its target operates for a time and then reprogram the controller to change the speeds.

“Modification of the output frequency essentially sabotages the automation system from operating properly,” the posting states.

The frequency converters being targeted could be used in a variety of processes, but the high frequencies at which they were designed to operate narrow the range of their practical application. Symantec does not speculate about the process Stuxnet is designed to interrupt, but notes that drives of this type are "regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment."
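The behavior Symantec describes, a long period of quiet observation followed by a change to the commanded speed, is something a plant can watch for without trusting the controller itself. The Python below is an added example, not code from Symantec or from this article: a monitor that reads the drive's commanded output frequency from a log kept independently of the PLC and flags set-points that leave the engineered operating band or that jump abruptly after a long steady run. The operating band, the one-minute sample interval, the thresholds, and the telemetry are all assumptions constructed for the example; the page gives no actual frequency values.

```python
"""Process-level monitor for motor drive set-points.

Added example, not Symantec's or the article's code. It models the behaviour
the article describes: a drive runs steadily for a long time, then the
controller is reprogrammed to push the output frequency to a different speed.
The monitor watches the commanded frequency independently of the PLC and
flags (a) set-points outside the engineered operating band and (b) abrupt
changes after a long steady period. Band, sample rate, thresholds and the
telemetry below are all assumptions made for the example.
"""
from dataclasses import dataclass
from statistics import fmean


@dataclass(frozen=True)
class Alert:
    t: int          # seconds since start of the log
    kind: str       # "out_of_band" or "abrupt_change"
    hz: float       # commanded frequency that triggered the alert
    detail: str


def detect_setpoint_anomalies(samples, band=(950.0, 1050.0),
                              steady_secs=1800, step_frac=0.05):
    """samples: list of (t_seconds, commanded_hz) in time order.
    band: assumed engineered operating range of the drive, in Hz.
    steady_secs: how long a run must have been held before a jump counts.
    step_frac: relative change from the run's mean that counts as a jump."""
    lo, hi = band
    alerts = []
    window = []          # hz values of the current steady run
    run_start = None     # t at which the current steady run began
    was_in_band = True   # alert only when the set-point *leaves* the band
    for t, hz in samples:
        in_band = lo <= hz <= hi
        if was_in_band and not in_band:
            alerts.append(Alert(t, "out_of_band", hz,
                                f"set-point left {lo}-{hi} Hz"))
        was_in_band = in_band
        if window:
            baseline = fmean(window)
            if abs(hz - baseline) > step_frac * baseline:
                held = t - run_start
                if held >= steady_secs:
                    alerts.append(Alert(t, "abrupt_change", hz,
                                        f"{baseline:.1f} -> {hz:.1f} Hz "
                                        f"after {held}s steady"))
                # start a new run at the new set-point
                window, run_start = [hz], t
                continue
        else:
            run_start = t
        window.append(hz)
    return alerts


def constructed_telemetry():
    """Constructed drive log for the example (not real data): 60 minutes of
    steady running near 1000 Hz, then the set-point jumps to 1300 Hz for
    10 minutes, then returns. One sample per minute."""
    noise = [0.0, 0.4, -0.3, 0.2, -0.5, 0.1]
    samples = []
    for i in range(60):                       # t = 0 .. 3540
        samples.append((i * 60, 1000.0 + noise[i % len(noise)]))
    for i in range(60, 70):                   # t = 3600 .. 4140
        samples.append((i * 60, 1300.0 + noise[i % len(noise)]))
    for i in range(70, 80):                   # t = 4200 .. 4740
        samples.append((i * 60, 1000.0 + noise[i % len(noise)]))
    return samples


if __name__ == "__main__":
    for a in detect_setpoint_anomalies(constructed_telemetry()):
        print(f"t={a.t:5d}s {a.kind:13s} {a.hz:7.1f} Hz  {a.detail}")
```

On the constructed log the monitor raises two alerts at the jump, one because 1300 Hz is outside the assumed band and one because the change follows an hour of steady running; the return to 1000 Hz ten minutes later is in band and too soon after the previous change to count. The point of the design is that the check runs on data the compromised controller does not produce, which is the kind of defensive measure the article argues for.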

We get more hints about the target from the fact that about 60 percent of Stuxnet infections worldwide are in Iran and infections appear to have begun there.

But it did not stop there. Symantec has reported about 44,000 infections of Stuxnet worldwide, 1,600 of them in the United States. This is disturbing. Here we have what appears to be the cyber equivalent of a smart bomb, targeted at a specific piece of equipment controlling a specific process, and it has spread around the world from an Iranian nuclear facility, which is probably not the most networked of environments.

We do not know if Stuxnet was developed and launched by the United States, an ally, or indeed by any other nation in the world. We might never know. But it shows that even the most sophisticated worm is not a smart weapon. It is more like turning a cobra loose in a room. Or, given the way Stuxnet has propagated, like turning loose a pair of rabid rabbits.

Many will decry as naïve the suggestion that we should limit our cyberwar activities to defense. They will say that we have to be tough and fight fire with fire. That is unwise if you are unable to control the fire. Eschewing offensive actions, at least until we are capable of effectively controlling them and of identifying and isolating the targets they will attack, does not mean giving up. We need and should have a robust defense. And that does not always mean an offense.


Reader Comments

Tue, Jan 4, 2011 Karl Garth Cyberia

One does, occasionally, fight fire with fire (controlled backfires along the projected path, to reduce the fire's fuel supply) by choice, but not in any way that provides a fruitful analogy with CyberWar.

One can imagine a poorly controlled cyberattack that was intended to have the effect that an EMP would have on, say, electrical transmission control systems, but escaped the limited area that it was targeted at and went global. Literally billions of people could die -- for example, by running out of potable water.

Another possibility for the source of Stuxnet might be a major power field-testing a new attack by targeting a small power incapable of hitting back effectively -- say, China testing it on Iran and then, if it is successful, holding it in reserve to use against the USA. That scenario is ominous because, once warned, all major powers would gin up a crash program to counter it; such a short shelf-life would make it pointless unless it was intended for near-term actual use.

Wed, Dec 8, 2010

44,000 worldwide and 1,600 in the US. Those are trivial numbers--acceptable collateral damage by anyone's standard. In fact, what actual physical DAMAGE have these 44,000 infections caused outside of IRAN? None that I've ever seen reported. In fact, I'd argue that Stuxnet has proven that offensive cyber warfare is effective and justifiable. Given the choice between cyber warfare and conventional warfare--I'd pick cyber every time. Which would you choose?

Tue, Dec 7, 2010 Hillery

Although often compared to either conventional kinetic weapons or to nukes, cyberwarfare is better compared to CBW - chem & bio war. In those cases, the agent, once released, does not discriminate its targets. And if the winds shift, or the bug mutates, all in its path are in deep ... Those who advocate offensive use of automated cyber tools - worms, etc. - should pause and rethink. And we should all remember that offensive cyberwarfare does not exclusively mean using worms or bots. Oh, and to (hopefully) kill one more bad analogy, one doesn't fight fire with fire by choice. You fight fire with a fire suppressant.

Tue, Nov 30, 2010 Rob Lewis

Ironically, the side that develops defensive capability first (to self-protect) can then take advantage of the cobra and release it.

Tue, Nov 30, 2010 compugeek

Let's see ... 44,000 infections worldwide, 1,600 in the US, all with unknown effects. There certainly aren't that many uranium enrichment operations going on. Balance that against NOT having to go drop actual explosive bombs in order to cripple or delay the Iranian nuclear program. Are you making the case FOR using offensive cyber weapons when the stakes are high?
