Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
Author: Kim Zetter
There have been conflicting reactions to some of the Tallinn Manual’s conclusions. Martin Libicki, an expert on cyberwarfare with the RAND corporation, questions the wisdom of allowing cyber conflicts to be resolved with kinetic attacks. He wonders if it wouldn’t be wiser to apply “Las Vegas rules” to cyberwarfare so that what happens in cyberspace stays in cyberspace. “Your escalation potential, if you go to the kinetic realm than if you stay in the cyber realm, is much greater,” he says. “So a rule that says you can only match cyber with cyber puts a limit on your topside risk.” [60]
Lotrionte, however, says the method of a counterattack doesn’t matter, since escalation is controlled by the fact that a counterattack must be both necessary and proportional. “Necessary means you have to determine that there is no other way to resolve this threat,” she says. “You can’t talk, you can’t sanction or call on the Security Council. If there is any other way to stop these attacks, you have to use that, and not use of force. That’s how you stop escalation.” [61]
Others point out the difficulty of applying the conventional laws of war to the cyber realm, where attribution is a problem. The Law of Armed Conflict requires that an attacker be identified to conduct a counterstrike. Though attribution in a digital attack can sometimes be determined—through intelligence means if not forensic ones—the anonymous nature of cyberattacks makes responding quickly to an attack, while the threat is current, complicated to say the least.
“Smoking guns are hard to find in the counterterrorism environment; smoking keyboards are that much more difficult,” Frank Cilluffo, director of the Homeland Security Policy Institute at George Washington University, told Congress. Cyberspace, he said, “is made for plausible deniability.” [62]
If all of this wasn’t enough to complicate the issue of cyberwarfare, there are further problems having to do with the lack of a clear understanding about what constitutes a cyberweapon. In the kinetic world, a weapon is something that damages, destroys, kills, or injures, which is something very different from an espionage tool. But Gary Brown notes that so many activities in cyber are carried out by “a guy sitting at a keyboard typing commands” and doing everything from installing malware and destroying data, to destroying and damaging a system or damaging equipment the system controls. “Does that mean that the software or technique we used to get access to the system turned into a weapon?” he asks. “That would mean everything [is a weapon]. It’s a very complicated issue. I don’t feel like we have a very good handle on it.”
Brown says the lack of clarity about what constitutes a digital weapon and what constitutes attack activity as opposed to espionage raises the risk of escalated responses, since the same techniques and tools used for espionage and damaging attacks in the digital realm can be indistinguishable to the victim. [63]
“Traditional espionage is less likely to be escalatory because it was better understood,” he says. “Even if you cut through border-fence wire and tiptoed into an office and stole files … it doesn’t look like we’re starting a war.… In cyber, if somebody got access to a critical system, maybe to the nuclear command-and-control … maybe they’re just looking around. Or maybe they’re planning to disable it and launch a nuclear attack.… It’s that kind of escalation that worries me.”
Clearly Stuxnet and the prospect of digital warfare have raised a host of issues that have yet to be adequately addressed. And if it seems the United States is late in getting around to looking at them, it’s not the only one. “There are countries [in Europe] that are not even close to writing rules,” says Lotrionte.
IN THE YEARS since Stuxnet was first exposed, a lot has changed—not just for the military but for malware hunters. For the researchers who spent so much time disassembling and analyzing Stuxnet—and its accompanying spy tools—deciphering the malware was an incomparable thrill that stretched the boundaries of virus research. But it also irrevocably changed the parameters of their profession by imbuing it with a degree of risk and politicization it had never known before.
In one of his team’s final assessments of Stuxnet, Symantec’s Eric Chien wrote that whether Stuxnet would usher in a new generation of real-world attacks that targeted critical infrastructure or was just a once-in-a-decade phenomenon, they couldn’t say. But he was clear about his preference. It was the type of threat, he said, “we hope to never see again.”
Thankfully, as of this book’s publication there has been no sign yet of the counterstrikes against industrial control systems that Ralph Langner warned about, nor have there been signs of any other types of comparable digital attacks launched by the United States or anyone else. Stuxnet still holds the distinction of being the only known case of cyberwarfare on record. But that can change at any time, now that Pandora’s digital box has been opened.
1. “Remarks by the President on Securing Our Nation’s Cyber Infrastructure,” May 29, 2009, available at whitehouse.gov/the-press-office/remarks-president-securing-our-nations-cyber-infrastructure. The claim that cyber intruders have plunged foreign cities into darkness has been repeated often by many officials, but has been disputed—though this hasn’t prevented officials from continuing to repeat it. The claim was first made by CIA senior analyst Tom Donahue while speaking at a conference for cybersecurity professionals in 2008: “We have information that cyberattacks have been used to disrupt power equipment in several regions outside the US,” he said. “In at least one case, the disruption caused a power outage affecting multiple cities.” He also said the intrusions were “followed by extortion demands.” (See Thomas Claburn, “CIA Admits Cyberattacks Blacked Out Cities,” InformationWeek, January 18, 2008, available at informationweek.com/cia-admits-cyberattacks-blacked-out-cities/d/d-id/10635137.) Donahue never named the country where the attacks occurred, but in 2009 the newsmagazine 60 Minutes identified it as Brazil, asserting that a 2007 blackout in Espirito Santo that left 3 million people without power was caused by hackers. (See “Cyber War: Sabotaging the System,” 60 Minutes, November 6, 2009, available at cbsnews.com/news/cyber-war-sabotaging-the-system-06-11-2009.) Others have claimed Donahue was referring to a 2005 outage in Brazil instead. According to two sources I spoke with in 2009 who were interviewed by 60 Minutes for their story, the newsmagazine sent a producer to Brazil to try to verify the hacker/extortion claim but was never able to do so, though viewers weren’t told this. The Brazilian government disputed the claim after the 60 Minutes show aired, pointing to a lengthy report about the 2007 outage that attributed it to soot and equipment failure. Furnas, the Brazilian energy company that experienced the blackouts, is a customer of Marcelo Branquinho, who operated the only ICS security firm in Brazil at the time. Branquinho told me there was no evidence the blackout was caused by anything but equipment failure. “We have full access to the documentation and [government reports investigating] what happened on these two blackouts,” he told me in October 2011, referring to both the 2005 and 2007 incidents. “There is no single evidence that hacking activity happened here. Both events were due to hardware problems, not software problems.” What’s more, he says the substation that was affected in the 2007 blackout was not even an automated SCADA system that could be controlled by hackers. “It was only hardware, so it couldn’t be hacked anyway,” he says. “I’m not saying that we can’t be hacked. We can be hacked; it’s pretty easy. I believe that most of the electric installations—not only here, but worldwide—have very weak security if you compare them with a bank, for example, that has some good level of security infrastructure. But … in this case, the evidence tells us that we weren’t hacked.” It’s possible the stories about the hacker blackout have been confused with a real cyberextortion incident that occurred in 2005 or 2006 but that had nothing to do with a blackout. Brazil’s director of Homeland Security Information and Communication told Wired.com that in this case, attackers breached an administrative machine at a government agency using a default password and deleted files on the machine. They also left a ransom note for return of the data. But the incident involved no power outage. See Marcelo Soares, “WikiLeaked Cable Says 2009 Brazilian Blackout Wasn’t Hackers, Either,” Wired.com, December 6, 2010, available at wired.com/2010/12/brazil-blackout.
2. David E. Sanger, “Obama Order Sped Up Wave of Cyberattacks Against Iran,” New York Times, June 1, 2012.
3. “Iran’s Supreme Leader Tells Students to Prepare for Cyber War,” Russia Today, February 13, 2014, available at rt.com/news/iran-israel-cyber-war-899.
4. Ellen Nakashima, “Pentagon to Boost Cybersecurity Force,” Washington Post, January 27, 2013.
5. Ellen Nakashima, “With Plan X, Pentagon Seeks to Spread U.S. Military Might to Cyberspace,” Washington Post, May 30, 2012.
6. Interview with Michael V. Hayden, in “Stuxnet: Computer Worm Opens New Era of Warfare,” 60 Minutes, CBS, originally aired June 4, 2012, available at cbsnews.com/8301-18560_162-57390124/stuxnet-computer-worm-opens-new-era-of-warfare/?tag=pop;stories.
7. Speaking in 1862 after the Battle of Fredericksburg.
8. Kevin Haley, “Internet Security Predictions for 2011: The Shape of Things to Come,” Symantec blog, November 17, 2010, available at symantec.com/connect/blogs/internet-security-predictions-2011-shape-things-come.
9. Kennette Benedict, “Stuxnet and the Bomb,” Bulletin of the Atomic Scientists, June 15, 2012, available at thebulletin.org/stuxnet-and-bomb.
10. There are ways to lessen this risk by carefully encrypting digital weapons to prevent random parties who get hold of the code from reverse-engineering it. A digital weapon has to decrypt itself in order to engage its payload once it finds the system it’s targeting, but the keys for doing this don’t have to be inside the weapon itself, as they were with Stuxnet. Instead, the better design is the one that Gauss used, which employed a complex encryption scheme that used the actual configuration of the system it was targeting to generate the decryption key. Gauss only delivered and decrypted its payload once it found this specific configuration. This won’t work, of course, if the configuration on the targeted system changes, thereby defusing the digital weapon, but it will work in cases where the configuration of a system isn’t likely to change. See the discussion of Gauss on this page. Also, to limit a digital weapon’s exposure once it is decrypted on the system it’s targeting, it could be designed to self-destruct upon completing its mission so that it won’t linger on a system longer than necessary. This won’t work for all weapons, however. Stuxnet needed to remain on a system for a long time to achieve its aim, for example. But it will work for other weapons that do their damage quickly.
11. Marcus Ranum, “Parsing Cyberwar—Part 4: The Best Defense Is a Good Defense,” published on his Fabius Maximus blog, August 20, 2012, available at fabiusmaximus.com/2012/08/20/41929.
12. Grant Gross, “Security Expert: US Would Lose Cyberwar,” IDG News Service, February 23, 2010, available at computerworld.com/s/article/9161278/Security_expert_U.S._would_lose_cyberwar.
13. Though Siemens control systems aren’t as widely used in the United States as they are in other parts of the world, the control systems that dominate facilities in the United States operate under the same design principles with some of the same flaws. An attacker would simply need to study the systems to find ways to attack them, which a number of security researchers have already done in the years since Stuxnet was released.
14. Gerry Smith, “Stuxnet: U.S. Can Launch Cyberattacks but Not Defend Against Them, Experts Say,” Huffington Post, June 1, 2012, available at huffingtonpost.com/2012/06/01/stuxnet-us-cyberattack_n_1562983.html.
15. Prepared statement to the Strategic Forces Subcommittee of the House Committee on Armed Services, for a hearing on March 17, 2009, available at gpo.gov/fdsys/pkg/CHRG-111hhrg51759/html/CHRG-111hhrg51759.htm.
16. In August 2012, a destructive virus called Shamoon struck machines at Saudi Aramco, Saudi Arabia’s national oil and natural gas company, and wiped all the data from more than 30,000 machines—an attack that provided a stark reminder of how any machine on the internet can become ground zero for destruction in a political dispute and how difficult it can be to determine attribution afterward. The virus didn’t just wipe data from the machines, it replaced every file on them with one containing an image of a burning US flag—though a bug in the code prevented the flag image from fully unfurling on infected machines. Instead, only a snippet of the image appeared when files were opened; the rest of the image was blank. US officials accused Iran of masterminding the attack, though offered no proof to back the claim. The attack may have been launched by Iran as retaliation for the Wiper attack that erased data from machines at the Iranian Oil Ministry and the Iranian National Oil Company four months earlier, or it may have been retaliation for Stuxnet, aimed at a US ally that was less capable of attacking back. Or it may simply have been the work of hacktivists opposed to US foreign policy in the Middle East (a group of hackers calling themselves the Cutting Sword of Justice took credit for the attack). It might even have been a “false flag” operation launched by another country to make it look like the perpetrator was Iran (NSA documents released by Edward Snowden disclose that the UK sometimes uses false flag operations to pin blame on third parties).
17. In August 2008, armies of computers with Russian IP addresses launched distributed denial-of-service attacks that knocked Georgian government and media websites offline, thwarting the government’s ability to communicate with the public. The timing of the attacks, right before the Russian invasion of South Ossetia, was proof enough for many that the digital campaign was part of the military offensive.
18. The simulation designers revealed in the end that the bewildering web of attributions behind the cyberattacks had been a key part of their strategy. Under their plan, it was al-Qaeda that had actually launched the initial attacks against Israel in the hope of escalating tensions between Israel and the Iran-backed Hezbollah in Lebanon. But it was Iran that launched the attacks on the United States. The latter were done in a way to make it look as if Israel had launched them with the intention of framing Iran. The US was supposed to think that Israel had played the ultimate dirty trick—launching an attack against the United States in order to point the finger at Iran and drum up US support for an Israeli airstrike against Tehran.
19. Barbara Opall-Rome, “Israeli Cyber Game Drags US, Russia to Brink of Mideast War,” Defense News, November 14, 2013, available at defensenews.com/article/20131114/DEFREG04/311140020/Israeli-Cyber-Game-Drags-US-Russia-Brink-Mideast-War.
20. “Israel Combats Cyberattacks, ‘Biggest Revolution in Warfare,’ ” UPI, January 31, 2014, available at upi.com/Business_News?Security-industry/2014/01/31/Israel-combats-cyberattacks-biggest-revolution-in-warfare/UPI-24501391198261/.
21. Marcus Ranum, “Parsing Cyberwar—Part 3: Synergies and Interference,” published on his Fabius Maximus blog, August 13, 2012, available at fabiusmaximus.com/2012/08/13/41567.
22. Thomas Rid, “Think Again: Cyberwar,” Foreign Policy, March/April 2012.
23. Author interview with Andy Pennington, November 2011.
24. James A. Lewis, “Cyberwar Thresholds and Effects,” IEEE Security and Privacy (September 2011): 23–29.
25. Rid, “Think Again: Cyberwar.”
26. This and other quotes from Healey come from author interview, October 2013.
27. Julian Barnes, “Pentagon Digs In on Cyberwar Front,” Wall Street Journal, July 6, 2012.
28. James A. Lewis in testimony before the Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, March 16, 2012, available at homeland.house.gov/sites/homeland.house.gov/files/Testimony%20Lewis.pdf.
29. James A. Lewis, “Thresholds for Cyberwar,” Center for Strategic and International Studies, September 2010, available at csis.org/publication/thresholds-cyberwar.
30. Ibid.
31. W. Earl Boebert, “A Survey of Challenges in Attribution,” Proceedings of a Workshop on Deterring Cyber Attacks: Informing Strategies and Developing Options for US Policy. Published by the National Academy of Sciences at nap.edu/catalog/12997.html.
32. Rules of engagement are the military orders that take into consideration international law and US policy to draw up a single document that the military uses to conduct its operations. There are rules of engagement for different operations, since the rules will change depending on whether it’s a peacekeeping mission in Bosnia or an aggressive invasion of Iraq. Separately, there is an overarching set of rules of engagement that applies to the military’s day-to-day operations. These latter standing rules, which are mostly classified, include cyber. According to Gary Brown, who was legal counsel for US Cyber Command from 2009 to 2012, these standing rules were being rewritten during his time with the command, and he said in 2014 that he still didn’t know if they were completed. When he was there, the military was using the second version of the rules, finished in 2005 and known as the Bravo version. The third version, known as Charlie, should have been finished in 2010, but still wasn’t completed when Brown left in 2012. The Bravo version addressed cyber, but only in broad terms. Version Charlie is supposed to address it in more specific terms.
33. Chris Carroll, “Cone of Silence Surrounds U.S. Cyberwarfare,” Stars and Stripes, October 18, 2011, available at stripes.com/news/cone-of-silence-surrounds-u-s-cyberwarfare-1.158090.
34. David E. Sanger, “America’s Deadly Dynamics with Iran,” New York Times, November 5, 2011.
35. Duqu was publicly exposed in September 2011, and although Microsoft patched the font-rendering flaw it exploited, by late 2012 “attacks against this single vulnerability had skyrocketed,” Finnish security firm F-Secure noted in its 2013 annual report. This vulnerability alone “accounted for an amazing 69 percent of all exploit-related detections reported.” See page 36 of “Threat Report H1 2013,” F-Secure, available at f-secure.com/static/doc/labs_global/Research/Threat_Report_H1_2013.pdf.