Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (60 page)


36
Dennis Fisher, “Nation-State Attackers Are Adobe’s Biggest Worry,” ThreatPost, a security blog published by Kaspersky Lab, September 20, 2011, available at threatpost.com/nation-state-attackers-are-adobes-biggest-worry-092011/75673.

37
Speaking to the Senate Committee on Appropriations, “Cybersecurity: Preparing for and Responding to the Enduring Threat,” June 12, 2013, available at defense.gov/home/features/2013/0713_cyberdomain/docs/Alexander,_General_Keith_Testimony_6.12.13_Cybersecurity_Hearing.pdf.

38
All quotes from Hayden here and next page come from author interview in February 2014.

39
The President’s Review Group on Intelligence and Communications Technologies, “Liberty and Security in a Changing World” (report, December 12, 2013), 37. The report is available at whitehouse.gov/sites/default//files/docs/2013-12-12_rg_final_report.pdf.

40
Clarke was speaking at the RSA Security Conference in San Francisco in February 2014.

41
“Advance Questions for Vice Admiral Michael S. Rogers, USN, Nominee for Commander, United States Cyber Command,” available on the Senate Armed Services Committee website at armed-services.senate.gov/imo/media/doc/Rogers_03-11-14.pdf.

42
David E. Sanger, “Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say,” New York Times, April 12, 2014.

43
Kim Zetter, “Obama: NSA Must Reveal Bugs Like Heartbleed, Unless They Help the NSA,” Wired.com, April 15, 2014.

44
Soghoian was speaking at the Personal Democracy Forum in June 2012 in New York.

45
Author interview, 2014.

46
Lotrionte was with the CIA prior to 2002, followed by positions as counsel to the president’s foreign intelligence advisory board at the White House and a position as legal counsel for the Senate Select Committee on Intelligence. She left government in 2006 around the time Stuxnet was being proposed and prepared.

47
Stephen Cobb, “The Negative Impact on GDP of State-Sponsored Malware Like Stuxnet and Flame,” We Live Security blog, June 13, 2012, available at blog.eset.com/2012/06/13/impact-on-gdp-of-state-sponsored-malware-like-stuxnet-and-flame.

48
William A. Owens, Kenneth W. Dam, and Herbert S. Lin (eds.), “Technology, Policy, Law, and Ethics Regarding US Acquisition and Use of Cyberattack Capabilities,” National Academies Press, 2009, available at steptoe.com/assets/attachments/3785.pdf.

49
Ellen Nakashima, “List of Cyber-Weapons Developed by Pentagon to Streamline Computer Warfare,” Washington Post, May 31, 2011.

50
Lolita Baldor, “Pentagon Gets Cyberwar Guidelines,” Associated Press, June 22, 2011, available at usatoday30.usatoday.com/news/military/2011-06-22-pentagon-cyber-war_n.htm.

51
Glenn Greenwald and Ewen MacAskill, “Obama Orders US to Draw Up Overseas Target List for Cyber-Attacks,” Guardian, June 7, 2013. Presidential Policy Directive 20 was issued in October 2012, according to the paper.

52
All quotes from Lin in this chapter come from an author interview in January 2014.

53
“International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World,” The White House, May 2011, available at whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf.

54
Siobhan Gorman and Julian E. Barnes, “Cyber Combat: Act of War,” Wall Street Journal, May 30, 2011.

55
Carroll, “Cone of Silence.”

56
Michael N. Schmitt, general editor, Tallinn Manual on the International Law Applicable to Cyber Warfare, NATO Cooperative Cyber Defence Centre of Excellence, available at ccdcoe/org/249.html.

57
Many in the media and government have called the denial-of-service attacks against Estonian websites cyberwarfare, but they don’t qualify as such. The attacks, launched by a botnet of 85,000 machines in 2007, persisted for three weeks and, at their peak, bombarded nearly sixty websites, knocking Estonia’s largest bank offline as well as government sites. But when Estonia pointed the finger at Russia as the source of the attacks and sought help from NATO by attempting to invoke the collective self-defense agreement under Article 5 of the North Atlantic Treaty Organization, it was rebuffed. NATO determined that the attack did not constitute an armed attack under the treaty. The problem lay in the fact that the EU and NATO had not previously defined the obligations of its member states in the event of a cyberattack against one of them. NATO had also not defined a cyberattack as a clear military action, therefore Article 5 did not automatically come into play. Under Article 5 “an armed attack against one or more [members] in Europe or North America shall be considered an attack against them all.” In the event of such an attack, each member is expected to “assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area.”

Estonian prime minister Andrus Ansip challenged NATO’s conclusion, however, asking, “What’s the difference between a blockade of harbors or airports of sovereign states and the blockade of government institutions and newspaper websites?” (See Thomas Rid, “Think Again: Cyberwar,” Foreign Policy, February 27, 2012, available at foreignpolicy.com/articles/2012/02/27/cyberwar.) The question is a valid one that has not been adequately resolved. If blocking commercial shipments can be an act of war, would thwarting e-commerce be the equivalent in cyberspace? And what kind of response would it merit? In 2010, NATO attempted to resolve the question by concluding that if an ally were hit with a cyberattack, NATO would help defend the victim’s networks, but the assistance fell short of offering to help a victim conduct a counterattack.

58
Author interview with Brown, February 2014.

59
Harold Koh, former legal adviser to the State Department, speaking at the US CyberCom Inter-Agency Legal Conference at Fort Meade in September 2012, asserted that the government’s position was that a use of force was the same as an armed attack. “In our view, there is no threshold for a use of deadly force to qualify as an ‘armed attack’ that may warrant a forcible response.” See state.gov/s/l/releases/remarks/197924.htm.

60
Author interview with Libicki, October 2012.

61
All quotes from Lotrionte come from author interview, February 2014.

62
Cilluffo was speaking at a hearing on the “Iranian Cyber Threat to the US Homeland” for a Joint Subcommittee Hearing of the Committee on Homeland Security, April 26, 2012, available at gpo.gov/fdsys/pkg/CHRG-112hhrg77381/pdf/CHRG-122hhrg77381.pdf.

63
Brown has written a paper on the issue. See Gary D. Brown and Andrew O. Metcalf, “Easier Said Than Done: Legal Reviews of Cyber Weapons,” Journal of National Security Law and Policy, published by Georgetown Law, February 12, 2014, available at jnslp.com/wp-content/uploads/2014/02/Easier-Said-than-Done.pdf.

ACKNOWLEDGMENTS

When I first began writing about Stuxnet after its discovery in the summer of 2010, there was no way to know where it would lead. It wasn’t until months later, after the Symantec researchers and Ralph Langner’s team dug into it further, that it became clear that there was a larger story that needed to be told—not only about the attack on Iran’s centrifuges and the discovery of the world’s first digital weapon but about the security community and its changing nature at the dawn of the era of cyber warfare. It’s a cliché to say that something is a game-changer, but Stuxnet really is. Everything in malware that occurred prior to its appearance might well be labeled BS—Before Stuxnet—since the code that came before it represented simpler, more innocent times when the motives and ambitions of attackers were more straightforward and easier to discern.

If Stuxnet was a challenge to decipher, the writing of this book was equally so. Combining a narrative structure with complex technical details and a political-historical context that was as convoluted as the code, while still offering a compelling read and doing justice to the intense labor that researchers invested in their analysis of the code, was not an easy task, especially when the subject of that narrative turned out to be a moving target.

As I began the book in earnest in early 2012, everything we thought we knew about Stuxnet had to be revised as one new discovery after another was made—first with Duqu, then with Flame, and then, in early 2013, with the unveiling of Stuxnet 0.5, the first known version of the digital weapon to be found. And the target is still moving today.

Stuxnet, and its ancillary espionage tools, were the state of the art at the time they were developed and unleashed, but that state has no doubt been surpassed by other digital tools developed in its wake that have yet to be detected and may not be for many years.

While the writing of this book was difficult, it was made easier by the enormous help and support I received from many people.

The book would not have been possible without the encouragement and support of my agent, David Fugate, who first reached out to me in 2007 following the publication of a three-part series I wrote for Wired about the digital underground of carding forums and the fascinating community of bank card thieves that inhabit them. Though I decided not to expand that series into a book, David remained in touch over the next few years, periodically reaching out to say he was still interested in collaborating and asking if I had any project in mind.

Throughout the proposal process and the writing of this book, he remained a steadfast supporter, providing valuable feedback and the seasoned perspective of a publishing veteran while lending the right amount of encouragement when needed the most. He’s the kind of advocate every writer should have in his or her corner.

In addition to David, my editor at Crown/Random House, Julian Pavia, played a great role in helping to shape the book and keep it on path. This was a difficult project to wrangle, but Julian did it with grace and patience, even as the content unexpectedly changed and deadlines passed. Additionally, Julian did a masterful job of streamlining the technical details to balance the narrative flow and refine my sometimes jagged prose.

I’d also like to thank Kim Silverton, editorial assistant at Random House, for her timely and helpful feedback on the manuscript during the editing phase, as well as the publicity and marketing teams—Sarah Breivogel, executive publicist at Random House, Sarah Pekdemir, senior marketing manager, and Jay Sones, director of marketing at Crown—for their enthusiastic backing of the book.

The book would not exist, however, without all of the talented researchers who did the hard work of deciphering Stuxnet and its arsenal of tools and who provided me with untiring assistance to help me get the details right. These include Sergey Ulasen of VirusBlokAda and now Kaspersky Lab, and Oleg Kupreev of VirusBlokAda, who sounded the first alarm and got the rest of the world to take note of the strange code discovered in Iran.

They also include, of course, the brilliant and hard-working team at Symantec—Eric Chien, Liam O’Murchu, and Nicolas Falliere—whose curiosity, persistence, and skill provided the most important pieces of the Stuxnet puzzle and ensured that the code would not pass quietly into obscurity. The three of them were extremely generous with their time and endured many rounds of questions in the midst of busy schedules to share their views and expertise.

I cannot express enough gratitude to them and to the equally brilliant and tireless global research and analysis team at Kaspersky Lab—Costin Raiu, Aleks Gostev, Roel Schouwenberg, Kurt Baumgartner, Vitaly Kamluk, and the rest of the company’s global group of researchers–who impressed me repeatedly with their skill and devotion to chasing down the tiniest details of very complex attacks, even though working with them often involved 6 a.m. phone calls on my end to accommodate the time difference with Eastern Europe. I’m particularly grateful to Costin for going beyond the call of duty, sometimes at the expense of time with his family, and for his remarkable wisdom, memory, and attention to detail, which helped me keep track of the many maddening facts that grew more extensive with each new discovery.

I’m also very grateful to Greg Funaro and Ryan Naraine at Kaspersky Lab who had an uncanny ability to anticipate what I needed before I knew I needed it and who had an unwavering commitment to leaving no question unanswered. Ryan’s former job as a top security journalist, combined with his technical expertise, made him the perfect liaison with the research team.

In addition to the Symantec and Kaspersky research teams, the story of Stuxnet could not be told without the work of Ralph Langner and his colleagues Ralf Rosen and Andreas Timm. Ralph’s passion for Stuxnet kept it alive in the press and brought it to the attention of mainstream media, while his extensive knowledge of industrial control systems helped the public understand Stuxnet’s broader implications for the security of critical infrastructure. I’m grateful for the many hours he spent with me on the phone and in person to help me make sense of Stuxnet’s broader context. His frank and straightforward manner cut to the heart of the issues and ensured that the public could not dismiss or overlook the importance of Stuxnet. I’m also grateful to Ralf Rosen for the time he gave to speak to me about their work on Stuxnet and for reviewing some of the completed text for accuracy.

Similarly, Boldizsár Bencsáth was immensely generous with his time and expertise, providing kind and invaluable assistance that helped me unravel a few mysteries and understand the ways in which all of the attacks were connected.
