The cyber war threat has been grossly exaggerated

28 Jun 2010

Why Now?

The cyberwar has started.

On June 8th 2010, IQ² debated the threat of cyberwar in Washington. Right on queue, Stuxnet has has emerged as the smoking worm (a “worm” in this context is a computer virus that makes copies of itself using the resources of the network it finds itself on, exploiting “wormholes” bridging one system to another). We almost certainly are in the era of cyberwar. Stuxnet has infected industrial control systems all over the world, but most especially in Iran and China. The worm is unusually complicated and seems to be very targeted. There is little doubt that it was built by a state intelligence organisation, and there are hints of Israeli involvement within the code. Variable names seem to point to the story of Esther, the Queen of Persia in the reign of Xerxes. In the biblical story, Queen Esther, an undercover Jew, saves her people from genocide by clever infiltration.

Anatomy of an offensive worm

Modern industrial equipment, from whole factories to individual machines inside them, are controlled by Programmable Logic Devices (PLDs) – bare-bones computers that are very good at monitoring the state of the environment they are in and responding in strictly controlled, conditional ways. Siemens, the German engineering giant and a leader in PLDs, uses a Microsoft/Windows derived system for controlling PLDs which go on to control the turbines, the motors, the pneumatic networks, the valves, the power grids, the heaters and all the fauna of manufacturing – including centrifuge machines for uranium enrichment – that Siemens supplies around the industrialised and emerging world. Stuxnet is designed to infect these Siemens systems.

If you control the PLD, you can determine how the machines function – or fail to function, if that is your goal. Turbines can be made to spin to breaking point; shut-down routines can be programmed to happen at the wrong temperatures or with the wrong queues. Indeed, once a PLD has been re-programmed, it is very hard to be confident how the complete system will behave at all. It was fear of PLD crashes that made the Millennium bug so frightening.

PLDs will often not be connected to the internet. They cannot be used by humans for browsing, although more and more control systems do operate over large distances using networks, and sometimes over the internet itself. Like an old-fashioned computer virus spread through diskettes, Stuxnet appears to infect industrial systems through USB keys, the ubiquitous memory sticks that engineers everywhere use to update systems, copy files, take back-ups. The infection at Iranian nuclear enrichment facilities is hypothesised to have come from Russian contractors sharing USB sticks between their laptops and on-site PLDs.

Stuxnet is extremely sophisticated and unlikely to be the work of disaffected teenagers in their bedrooms. It is written in many programming languages. It mutates. It identifies the piece of machinery on which it is running and behaves differently on different machines. Already, it is suspected of having turned an Indian TV satellite into a useless hunk of interplanetary metal. It probably took five man years to develop.

So it seems quite possible that Iran’s nuclear program have been specifically targeted in an offensive act of cyberwar. Is this the start of an arms race? And what happens when Stuxnet-like technology gets into the hands of those disaffected teenagers, of extremist groups and resentful governments? What responses are possible, and which are desirable? Will the machines which promised to liberate us from menial and repetitive tasks end up enslaving us in a web of security?

Listen to the IQ² debate on these big picture questions. Jonathan Zittrain, at 00:01:30 is particularly clear-headed and persuasive: we should not play down the threat if we want to preserve both liberty and safety.

Event information:

It could be the greatest strategic irony of the last twenty years: the American lead in digital technologies – upon which their financial, communications and defence systems are built, and upon which they depend – may also represent a serious American Achilles heel. The sophistication of their mobile phone networks, of the GPS system that guides air traffic, even of the networked command-and-control that drives their power grids, may be without rival. But it also provides one great big and sprawling target to enemies determined to discover the choke points that can cripple America in a time of war.

At least that’s the scenario as described in various, and increasingly alarmed media accounts, especially in the wake of incidents like the hacking of Google last year, by digital assailants often described (without clear confirmation) as being based in China.America might have to contemplate fighting the next war with both hands tied behind their backs because a canny enemy has figured out how to shut them down electronically.

Alarming – but possibly, also, alarmist? Can America really be that vulnerable? Is their digital undergirding really that exposed, especially given that the Internet itself – the foundation of all this critical connectedness – was itself initially developed as a military undertaking? Even if their enemies – state enemies or terrorists – manage to cause damage in one corner of American cyberspace, don’t we have enough redundancy built in to protect them? As one technology writer has put it, this is one of those topics where the internet press likes to get worked up into a lot of “heavy breathing.”

So which is it? Is America at existential risk in the event of a well coordinated cyber attack, and if so, are they taking measures to protect themselves? Or will the first cyber war be a war they are already positioned not only to survive, but to win?

Thank you to IQ² US for allowing us to use this video.

Speakers for the motion

Bruce Schneier

Cryptographer and computer security specialist
Marc Rotenberg

Executive Director, Electronic Privacy Information Center (EPIC)

Chair

John Donvan

Correspondent for ABC News

Speakers against the motion

Jonathan Zittrain

Professor of law, Harvard Law School
Mike McConnell

Executive Vice President and leader of the National Security Business, Booz Allen Hamilton