Stuxnet Debate Continues: How Should Cyberweapons Be Used?
When the revealing news regarding the Stuxnet computer worm came out, much controversy pursued as a result. David Sanger of the New York Times exposed the information as part of the much larger U.S. “Olympic Games” initiative and has now even written a book on it.
Since that time, information regarding another form of malware called Flame has also been uncovered and is said to be connected to Stuxnet, which has sparked even more debate. Questions pertaining to cybersecurity, the threat of cyberwarfare, cyber laws, and many others related to the Internet and its capabilities have all risen of late, leaving many people fearful.
According to Jon Lindsay, a research fellow with the University of California’s Institute on Global Conflict and Cooperation, Stuxnet and Flame both represent pieces of malware, but they are very different. Stuxnet, for example, is what he calls a cyber attack that was designed to destruct the normal operations of a uranium facility in Iran that has been suspected to be part of a nuclear initiative from the country.
Flame, on the other hand, is a form of espionage that may use some of the same types of vulnerabilities as a cyber attack would, but the payload, or the amount of damage it causes, determines the difference. Lindsay told us that Flame could get into a targeted computer and essentially do anything the computer does but from a remote location.
“Olympic Games wasn’t just Stuxnet,” he explained. ”Olympic Games was about creating a toolkit for both espionage and covert action, in this case employed against Iran.”
As to whether or not either of these efforts was successful, Lindsay went on to say that Flame, in particular, is hard to determine simply because of the nature of espionage. Unless there is a leak in information, the extent of its impact will not likely be known for many years.
Some data has been recovered on Stuxnet, but based on it, the impact does not seem to be too significant. As Lindsay explained, it’s important to distinguish between the centrifuges that were filled with hexafluoride gas and spinning, which means they’re producing, and those that are spinning and not filled.
“The breakage data actually shows that it was those that were spinning but not enriching that were broken,” he said. “So, oddly enough… it [Stuxnet] seems to have not attacked the centrifuges that were doing the most work.”
“Most experts that look at it,” Lindsay continued, “say the program was fairly well-recovered within a year, so [it was] really a minor effect.”
Another issue with the Stuxnet worm was the reports that, due to an error, it had gotten loose giving practically anyone the opportunity to access it. In the April 2012 edition of Smithsonian, U.S. cybersecurity advisor Richard Clarke expressed his concern over this saying, “If I’m right, the best cyberweapon the United States has ever developed, it then gave the world for free.”
Ralph Langer, who has been recognized for “solving Stuxnet,” has pushed this theory as well, but Lindsay believes that another interpretation could be that the worm proves just how hard it is to create such a weapon.
“Stuxnet reveals to an attacker that you need to be really, really good to figure out how to do this,” he pointed out. “You can’t use any of the same tricks because all of those holes have been patched, so you’re going to have to find new tricks, which means you’re going to have to be as good as the people that put that together.”
What’s more, there has been a lot of hype and fear surrounding cyberwarfare going forward. There has been talk of a “digital Pearl Harbor” occurring, which has many policymakers in Washington anxious to push through cybersecurity legislation. Senator Jay Rockefeller is one lawmaker that is aggressively advocating legislation, and in a hearing earlier this year, expressed the urgency of what could happen:
“The threat posed by cyber attacks is greater than ever, and it’s a threat not just to companies like Sony or Google but also to the nation’s infrastructure and the government itself,” Rockefeller said at a Senate Intelligence Committee hearing.
“Today’s cyber criminals have the ability to interrupt life-sustaining services, cause catastrophic economic damage, or severely degrade the networks our defense and intelligence agencies rely on. Congress needs to act on comprehensive cybersecurity legislation immediately.”
We spoke with Jerry Brito of the Mercatus Center at George Mason University on this issue back in April, and according to him, a lot of the hype surrounding these cybersecurity concerns are being incredibly overblown. As he told us at that time, even though weapons such as Stuxnet could be dangerous, it didn’t result in mass casualties.
“There really is little evidence for us to believe that we are on the brink of real calamity,” said Brito.
There have also been some bills introduced to Congress that push for companies to have tighter security, but researchers such as Brito and Lindsay are skeptical of them. Also, on that note, the whole issue of cyberweapons being used at all has been questioned. Eugene Kaspersky of the security expert firm Kaspersky Lab and the man who reportedly discovered Flame suggested in a New York Times piece that an international treaty that would ban militaries and spy agencies from making viruses would solve the problems that these viruses cause.
According to Lindsay, such a treaty would really be “unenforceable.” Furthermore, he told us that, at this point, there is simply not enough information available to make such judgments or policies. He does believe cyber attacks and cyber espionage will continue and, more than likely, even advance.
“We will continue to see more and more cybercrime, but no cybercrime that massively brings down financial systems,” he said. “We will continue to see a rise in espionage, but it will continue to be like espionage always is – a very ambiguous instrument.”
However, until information is able to reveal what type of real threats lie ahead and the hype and hypothetical situations settle, he doesn’t think any action should be taken.
What’s your take? Are you fearful after the Stuxnet ordeal? Would you like the U.S. to take a more aggressive approach on cyber issues and even utilize cyberweapons more often? Let us know in the comments.