Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (55 page)

Just as we had failed in the past to invest in the physical infrastructure of our roads, bridges, and railways, we had failed to invest in the security of our digital infrastructure, Obama said. Cyber intruders, he warned, had already probed our electrical grid, and in other countries had plunged entire cities into darkness. “This status quo is no longer acceptable,” he said, “not when there’s so much at stake.”
¹

How ironic his words turned out to be a year later when Stuxnet was discovered spreading in the wild, and the public learned that the United States had not only violated the sovereign space of another nation in an aggressive cyberattack, but in doing so had invited similar attacks upon vulnerable US systems in retaliation.

While Obama and other officials sounded the alarm about adversaries lurking in US systems and laying the groundwork for future attacks against the power grid, US military and intelligence agencies had been penetrating foreign systems in Iran and elsewhere, building stockpiles of digital weapons, and ushering in a new age of warfare, all without public discussion about the rules of engagement for conducting such attacks or the consequences of doing so. Perhaps it was knowledge of what the United States was doing in Iran and elsewhere that prompted the president’s urgent warnings about the risks to US systems.

Michael V. Hayden, who was director of the CIA during the time Stuxnet was developed and unleashed, told a reporter after the digital weapon was exposed that “somebody had crossed the Rubicon” in unleashing it.
²
That somebody, it turned out, was the United States. And, as noted, where the United States led, others would follow.

Today there’s a surge among nations around the world to expand existing cyber capabilities or build new ones. More than a dozen countries—including China, Russia, the UK, Israel, France, Germany, and North Korea—have digital warfare programs or have announced plans to build one. China began developing its offensive operations in the late ’90s, at the same time the United States made its first forays into this new fighting domain. Even Iran is developing a cyberwarfare program. In 2012, Ayatollah Ali Khamenei announced the creation of a defensive and offensive cyber program and told a group of university students that they should prepare for the coming age of cyberwarfare with Iran’s enemies.
³

As for the United States, the Defense Department’s Cyber Command currently has an annual budget of more than $3 billion and plans to increase its workforce fivefold, from 900 people to 4,900—covering both defensive and offensive operations.
⁴
The Defense Advanced Research Projects Agency, or DARPA, has also launched a $110 million research project called Plan X to develop cyberwarfare technologies to help the Pentagon dominate the digital battlefield. The technology wish list includes a continuously updated mapping system to track every system and node in cyberspace in order to chart the flow of data, identify targets to attack, and spot incoming assaults. The Pentagon also wants a system capable of launching speed-of-light strikes and counterstrikes using preprogrammed scenarios so that human intervention won’t be necessary.
⁵

Of all the nations that have a cyberwarfare program, however, the United States and Israel are the only ones known to have unleashed a destructive cyberweapon against another sovereign nation—a nation with whom it was not at war. In doing so, it lost the moral high ground from which to criticize other nations for doing the same and set a dangerous precedent for legitimizing the use of digital attacks to further political or national security goals.

“This was a good idea,” Hayden told
60 Minutes
about Stuxnet. “But I also admit this was a big idea too. The rest of the world is looking at this and saying, ‘Clearly, someone has legitimated this kind of activity as acceptable.’ ”
⁶

Digital assaults could now be considered a viable option by other states for resolving disputes.

Civil War general Robert E. Lee said famously that it was a good thing war was so terrible, “otherwise we should grow too fond of it.”
⁷
The horrors and costs of war encourage countries to choose diplomacy over battle, but when cyberattacks eliminate many of these costs and consequences, and the perpetrators can remain anonymous, it becomes much more tempting to launch a digital attack than engage in rounds of diplomacy that might never produce results.

But the digital weapon didn’t just launch a new age of warfare, it altered the landscape for all cyberattacks, opening the door to a new generation of assaults from state and nonstate actors that have the potential to cause physical damage and even loss of life in ways never before demonstrated. “My prediction is that we are all going to become nostalgic for the days of fame-seeking mass mailers and network worms,” Symantec’s Kevin Haley wrote of the post-Stuxnet future.
⁸
LoveLetter, the Conficker worm,
and even the Zeus banking Trojan would become quaint reminders of the days when attacks were simpler and, by comparison, more innocent.

Stuxnet was a remarkable achievement, given its sophistication and single-minded focus. But it was also remarkably reckless. Because like the atomic bombs detonated over Hiroshima and Nagasaki, it introduced the use of a powerful technology that will have consequences for years to come. Kennette Benedict, executive director of the
Bulletin of the Atomic Scientists
, noted several parallels between Stuxnet and the first atomic bombs in an article she wrote for that publication about the lack of foresight that went into developing and unleashing both technologies. In both cases, government and scientific leaders raced to develop the weapons for the United States out of fear that adversaries would create and unleash them first. The long-term consequences of dropping the atomic bombs were also as poorly understood in the 1940s as the consequences of unleashing digital weapons are today—not only with regard to the damages they would cause, but to the global arms race they would create. “We have come to know how nuclear weapons can destroy societies and human civilization,” Benedict wrote. “We have not yet begun to understand how cyberwarfare might destroy our way of life.”

And in another parallel with atomic bombs, despite alarm bells sounded about their use, the United States continued to develop first atomic weapons and now digital ones without public discussion about how they should be used or their impact on global security and peace.
⁹
How ironic then, Benedict noted, “that the first acknowledged military use of cyberwarfare is ostensibly to prevent the spread of nuclear weapons. A new age of mass destruction will begin in an effort to close a chapter from the first age of mass destruction.”

Despite the parallels, there is at least one crucial difference between the atomic bombs of the 1940s and Stuxnet. The bar was high for someone to build or obtain a nuclear weapon—or any conventional missile
and bomb, for that matter. But cyberweapons can be easily obtained on underground markets or, depending on the complexity of the system being targeted, custom-built from scratch by a skilled teenage coder, a task made simpler by the fact that every cyberweapon carries the blueprints for its design embedded within it. When you launch a cyberweapon, you don’t just send the weapon to your enemies, you send the intellectual property that created it and the ability to launch the weapon back against you.
¹⁰
It would be comparable to a scenario where, if in 1945, it wasn’t just radioactive fallout that rained down from the bombs onto Hiroshima and Nagasaki but all of the scientific equations and schematics for constructing them as well.

The nations, of course, that are most at risk of a destructive digital attack are the ones with the greatest connectivity. Marcus Ranum, one of the early innovators of the computer firewall, called Stuxnet “a stone thrown by people who live in a glass house.”
¹¹

Stuxnet was proof that a digital attack, consisting of nothing more than binary commands, could achieve some of the same destructive results as a conventional bomb. But it also showed how even a powerful nation like the United States, with unmatched air and sea defenses, could be vulnerable to a similar assault from adversaries who never had to venture beyond their borders to launch an attack. As Mike McConnell, the former
director of national intelligence, told a US Senate committee in 2011, “If the nation went to war today, in a cyberwar, we would lose. We’re the most vulnerable. We’re the most connected. We have the most to lose.”
¹²

The targets most in danger from a digital attack in the United States are not just military systems but civilian ones—transportation, communication, and financial networks; food manufacturing and chemical plants; gas pipelines, water, and electric utilities; even uranium enrichment plants.
¹³
“We now live in a world where industrial control systems can be attacked in the event of a crisis,” Stewart Baker, former DHS assistant secretary has said. “We do not have a serious plan for defending our industrial control systems even though our entire civil society depends on it.”
¹⁴

Critical infrastructure has always been a potential target in times of war. But civilian infrastructure in the United States has long enjoyed special protection due to the country’s geographical distance from adversaries and battlefields. That advantage is lost, however, when the battlefield is cyberspace. In a world of networked computers, every system is potentially a front line. There are “no ‘protected zones’ or ‘rear areas’; all are equally vulnerable,” Gen. Kevin Chilton, commander of the US Strategic Command, told Congress.
¹⁵

The laws of war prohibit direct attacks on hospitals and other civilian infrastructure unless deemed a necessity of war, with military leaders subject to war crimes charges should they violate this. But the protections
provided by law crumble when attribution is a blur. Since a hack from a cyber army in Tehran or Beijing can be easily designed to look like a hack from Ohio, it will be difficult to distinguish between a nation-state attack launched by Iran and one launched by a group of hackers simply bent on random mayhem or civil protest. Stuxnet was sophisticated and came with all the hallmarks of a nation-state attack, but not every attack would be so distinguishable.
¹⁶

Some have argued that nation-state attacks would be easy to spot because they would occur in the midst of existing tension between nations, making the identity of the aggressor clear—such as the volley of denial-of-service attacks that disabled government websites in Georgia in 2008 in advance of a Russian invasion of South Ossetia. But even then it would be easy for a third party to exploit existing tension between two nations and launch an anonymous attack against one that appeared to come from the other in order to ignite a combustible situation.
¹⁷

In November 2013, Israel held a simulated exercise at Tel Aviv University that illustrated the difficulties of identifying an attacker, particularly when third parties enter a conflict with the intention of escalating
hostilities between others. Using what were described as extreme but realistic scenarios, the war game pitted Iran and Iran-backed Hezbollah in Lebanon and Syria against Israel, and began with a series of simulated physical skirmishes against Israel that escalated into cyberattacks that threatened to pull the United States and Russia into the conflict to defend their allies.

The simulation began with an explosion at an offshore drilling platform, with rockets lobbed over the border from Lebanon into Northern Israel and blasts in Tel Aviv, and was followed by network disruptions that paralyzed a hospital in Israel. The cyberattacks were traced to an Iranian server, but Iran denied responsibility, insisting the Israelis were trying to put the blame on it in order to generate Western support for a strike against Tehran. Then the network attacks spread to the United States, forcing Wall Street trading to halt and shutting down air traffic control at JFK Airport. The White House declared a state of emergency after two planes crash-landed and killed 700 people. This time the attacks were traced first to a server in California, but then, puzzlingly, to Israel.

When the game ended, Israel was preparing to launch physical attacks against Hezbollah in Syria and Lebanon—over the cyberattacks attributed to them and Iran—and tensions between the United States and Israel had risen to a dangerous boil over questions about who was responsible for the cyberattacks against the United States.
¹⁸
“If we hadn’t stopped when we did, the entire region could have been engulfed in flames,” said Haim Assa, the game-theory expert who designed the exercise.

The simulation was instructive to participants on a number of levels. The United States “realized how difficult if not impossible it is to ascertain the source of attack,” retired US Army Gen. Wesley Clark, who participated
in the exercise, said. And an Israeli official noted “how quickly localized cyber events can turn dangerously kinetic when leaders are ill-prepared to deal in the cyber domain.” To this end, they learned that the best defense in the digital realm is not a good offense but a good defense, because without a properly defended critical infrastructure, leaders were left with little room to maneuver in their decision making when an attack occurred. When civilian systems were struck and citizens were killed, leaders were under pressure to make quick decisions, often based on faulty and incomplete conclusions.
¹⁹

IT’S EASY TO
see why militaries and governments are embracing cyberweapons. Aside from offering anonymity and a perceived reduction in collateral damage, cyberweapons are faster than missiles, with the ability to arrive at their destination in seconds, and can be tweaked on the fly to combat counterdefenses. If a zero-day vulnerability gets patched, attackers can draw from a reserve of alternative exploits—as Stuxnet’s developers did—or change and recompile code to alter its signatures and thwart detection.