Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (56 page)

“Cyber, in my modest opinion, will soon be revealed to be the biggest revolution in warfare, more than gunpowder and the utilization of air power in the last century,” Israeli Maj. Gen. Aviv Kochavi has said.
²⁰

But cyberweapons have limited use. If tightly configured to avoid collateral damage in the way Stuxnet was, each one can be deployed only against a small set of targets without being reengineered. And unlike a bunker-busting bomb or stealth missile, a cyberweapon can instantly become obsolete if the configuration of a target system or network changes.
“I am not aware of any other weapons systems in the history of warfare that can be disabled by their targets with a click of a mouse button,” Marcus Ranum notes.
²¹
And any time a cyberweapon gets exposed, it isn’t just that weapon that gets burned, but any other weapons that use the same novel techniques and methods it employed. “At this point, we can be sure that anyone who builds a gas centrifuge cascade is going to be a little bit more careful about their software than usual,” said Thomas Rid, a war studies scholar at King’s College, London.
²²

But another problem with digital weapons is that they can be difficult to control. A good cyberweapon should operate in a predictable manner so that it has a controlled impact and produces expected results each time it’s deployed, causing little or no collateral damage. It needs precision design so that it executes only on command or automatically once it finds its target; and it should be recallable or have a self-destruct mechanism in case conditions change and a mission needs to be aborted. Andy Pennington, the former Air Force weapons system officer cited in an earlier chapter, likens an uncontrollable cyberweapon to a biological agent out of control. “If you don’t have positive control over the weapon … you don’t have a weapon, you’ve got a loose cannon. We created conventions and said we’re not going to use biological and chemical warfare weapons, because we do not have accurate targeting, we do not have access control, they’re not recallable and they’re not self-destruct-capable.”
²³

Stuxnet had some controls built into it, but lacked others. It was a targeted, precision weapon that unleashed its payload only on the specific systems it was designed to attack. And it had a time-release mechanism so that it initiated its sabotage only when certain conditions on the target machines were met. But once unleashed, Stuxnet couldn’t be recalled, and it had no self-destruct mechanism—it only had an infection kill date that
prevented it from spreading beyond a certain date three years in the future. And although the earliest versions of Stuxnet had limited spreading capabilities, the March 2010 version was clearly a “loose cannon,” albeit a defused one, since although it spread uncontrollably to thousands of machines that weren’t its target, it didn’t sabotage them.

Would other digital weapons be as well designed or as lucky, though? Collateral damage in cyberspace has a longer reach than in the physical realm. A bomb dropped on a target might cause collateral damage, but it would be local. Computer networks, however, are complex mazes of interconnectivity, and a cyberweapon’s path and impact once unleashed aren’t always predictable. “We do not yet have the ability to scope collateral damage for all cyberattacks,” Jim Lewis of the Center for Strategic and International Studies has noted. “For attacks that disable networks, there could be unpredictable damage not only to the target, but also to noncombatants, neutrals or even the attacker, depending upon the interconnections of the target network or machine. This makes the political risk of unintended consequences unpredictable (an attack on a Serbian network, for example, damages NATO allies’ commercial activities) and carries with it the risk of escalating a conflict (an attack on North Korea damages services in China).”
²⁴

DESPITE THE APPARENT
march toward digital warfare that Stuxnet initiated, it’s fair to ask what the likelihood is that a catastrophic digital event will ever occur. Defense Secretary Leon Panetta has said the United States is in a “pre-9/11 moment,” with adversaries plotting and preparing for the right opportunity to launch destructive cyberattacks on its systems. But Thomas Rid has called cyberwarfare “more hype than hazard”—the “shiny new thing” that has caught the attention of militaries like a gleaming new train set opened on Christmas morning. In reality, he thinks,
it will have much less impact than people imagine.
²⁵
Any future use of digital weapons will likely be as an enhancement to conventional battle, not as a replacement for it. Critics of digital doomsayers also point to the fact that no catastrophic attack has occurred to date as evidence that the warnings are overblown.

But others argue that no passenger jets had been flown into skyscrapers, either, before 9/11. “I think to … say it’s not possible, it’s not likely, is really way too early. All sorts of things could happen over the next couple of years,” says Jason Healey, head of the Cyber Statecraft Initiative at the Atlantic Council in Washington, DC, who was an original member of the military’s first cyber taskforce. “As more systems get connected to the internet, and cyberattacks progress from simply disrupting ones and zeros to disrupting things made of concrete and steel, things will change, and the days when no one has died from a cyberattack or the effects of a cyberattack will be over.”
²⁶

Some think the threat is overblown because most actors capable of pulling off an attack would be dissuaded by the risk of a counterstrike. In fact, some wondered after Stuxnet was discovered if it had been intentionally burned by Israel or the United States to send a message to Iran and other countries about the digital attack capabilities of these two countries. The fact that it had remained undetected for so long and was only discovered by an obscure antivirus firm in Belarus led some to believe that Stuxnet had not been discovered so much as disclosed. Gen. James Cartwright, former vice chairman of the Joint Chiefs of Staff—the man said to have played a large role in the Olympic Games operation in the United States—was in fact an advocate of making declarations about US cyber capabilities in the service of deterrence.

“For cyber deterrence to work,” Cartwright said in 2012, “you have to believe a few things: One, that we have the intent; two, that we have the capability; and three, that we practice—and people know that we
practice.”
²⁷
Cartwright has since been investigated by the Justice Department for suspicion of leaking classified information about Stuxnet to the
New York Times
, though as of this writing he has not been charged with any wrongdoing and has denied the allegations.

But while deterrence of this sort might work for some nations—as long as they believe an attack could be attributed to them—irrational actors, such as rogue states and terrorist groups, aren’t deterred by the same things that deter others. “The day a terrorist group gets cyberattack capabilities, they will use them,” Jim Lewis told Congress in 2012.
²⁸

Lewis expects that in the future, limited digital conflicts that disrupt military command-and-control systems may arise between the United States and Russia or China, but these countries likely will not attack critical infrastructure, “because of the risk of escalation.” But once countries like Iran and North Korea acquire cyberattack capabilities, a strike against civilian targets in the United States will be more likely. As US forces strike targets in their countries, they will feel “little or [no] constraint against attacking targets in ours,” he wrote in a 2010 paper.
²⁹
And threats of retaliation made by the United States to deter such attacks would have little effect on such groups since “their calculus for deciding upon an attack is based on a different perception of risks and rewards,” he noted. Likewise, as smaller countries and non-state insurgents acquire the digital means to strike distant targets, “disruptions for political purposes and even cyber attacks intended to damage or destroy could become routine,” he says. The Taliban in Afghanistan or Al-Shabaab in Somalia have little chance of launching a conventional retaliatory strike against the US homeland, but when they eventually acquire, or hire, the ability to launch effective cyberstrikes, this will change. “These strikes will be appealing to them as it
creates the possibility to bring the war to the U.S. homeland,” Lewis notes. Although they may not acquire the ability to pull off massive attacks, “harassment attacks” aimed at specific targets like Washington, DC, Lewis says, will certainly be within their means, and depending on the severity of the attack or its cascading effects, essential systems and services could be lost for extended periods of time.

With cyberweapons in the hands of others, the United States may also find itself having to recalculate the risk of blowback when planning conventional attacks, Lewis notes. In 2003, US forces invading Iraq met with little resistance, but what if Iraq had possessed cyberweapons that it launched in retaliation? “These would not have changed the outcome of the invasion but would have provided a degree of vengeance [for Iraq],” he says.
³⁰

If there are disagreements about the likelihood of digital attacks against critical infrastructure occurring, there are also disagreements over the level of damage that such attacks can cause. Leon Panetta and others have warned about digital Pearl Harbors and cyber 9/11s that will strike fear throughout the land. But others note that the kind of digital destruction envisioned by the doomsayers isn’t as easy to pull off as it seems. Conducting a disruptive attack that has long lasting effects “is a considerably more complex undertaking than flying an airplane into a building or setting off a truck full of explosives in a crowded street,” notes W. Earl Boebert, a former cybersecurity expert at Sandia National Laboratories, whose job in part was to research such scenarios. Networks and systems can be brought down, but they can also be brought back up relatively quickly. “Considerable planning is required to raise the probability of success to a point where a rational decision to proceed can be made,” he writes.
³¹
Though one can argue that the 9/11 attacks required at least as much
planning and coordination as a destructive cyberattack would require, a well-planned digital assault—even a physically destructive one—would likely never match the visual impact or frightening emotional effect that jets flying into the Twin Towers had.

DESPITE THE RISKS
and consequences of using digital weapons, there has been almost no public discussion about the issues raised by the government’s offensive operations. Critics have pointed out that the Obama administration has been more open about discussing the assassination of Osama bin Laden than discussing the country’s offensive cyberstrategy and operations. When questions about the rules of engagement for digital attacks were raised during the confirmation hearing for Gen. Keith Alexander to be made head of US Cyber Command in 2010, Alexander refused to address them in public and said he would only answer in a closed session.
³²
And although there are numerous doctrinal manuals in the public domain that cover conventional warfare, the same is not true for digital warfare. Even some who have built their careers on secrecy have noticed the extreme secrecy around this issue. “This may come as a surprise, given my background at the NSA and CIA and so on, but I think that this information is horribly over-classified,” former CIA and NSA director Gen. Michael Hayden has said. “The roots to American cyberpower are in the American intelligence community, and we frankly are quite accustomed
to working in a world that’s classified. I’m afraid that that culture has bled over into how we treat all cyber questions.”
³³

Without more transparency, without the willingness to engage in debate about offensive operations, there is little opportunity for parties who don’t have a direct interest in perpetuating operations to gauge their success, failure, and risks.

“Stuxnet let the genie out of the lamp in terms of how you could do this kind of attack. You can now target all kinds of other devices,” says one former government worker. “Where does it end? It doesn’t seem like there’s any oversight of these programs. Sadly, the scientists are not pulling back the reins. They’re excited that someone is giving them money to do this research. I don’t think I ever saw anyone question what was being done. I don’t think there was a lot of consciousness about it.”

There have been no public discussions about the repercussions of the digital arms race launched by Stuxnet, or about the consequences of releasing weapons that can be unpredictable and can be turned back against the United States.

In a report to Congress in 2011, the intelligence community noted that the defenders of computer networks in the United States are perpetually outgunned by attackers and can’t keep pace with the changing tactics they deploy. Exploits and exploitation methods evolve too quickly for detection methods and countermeasures to keep up, a problem that will only grow worse as nations develop and deploy increasingly sophisticated attack methods. Until now, the evolution of computer attacks has been driven by innovations in the criminal underground, but this will change as nation-state attacks like Stuxnet and Flame begin to drive future advancements. Instead of government hackers learning novel techniques from the underground, the underground will learn from governments. And as countermeasures for digital weapons are developed, the need to produce even more advanced weapons will grow, pushing further innovations in
weaponry. One US official has referred to Stuxnet as a first-generation weapon, on par with “Edison’s initial light bulbs, or the Apple II,” suggesting that more sophisticated designs have already replaced it.
³⁴

The criminal underground will benefit from the wealth of government-funded research and development put into digital weapons and spy tools, as they already have done from Stuxnet and the arsenal of tools used in conjunction with it. After Duqu was discovered in 2011, for example, exploits attacking the same font-rendering vulnerability that it attacked showed up in various readymade toolkits sold in the criminal underground. Within a year after Duqu used it, it was the most commonly targeted vulnerability that criminals used to surreptitiously install banking Trojans and other malware on machines.
³⁵
But even when non-state hackers can’t replicate a sophisticated government attack bit-for-bit, they can still learn and benefit from it, as shown by Microsoft’s discovery that it would have taken just three days for criminal hackers to pull off a low-rent version of the Windows Update hijack that Flame performed.