Reliable Security Information

Stuxnet: Great cyberweapon or cyberfizzle?

Chalk the excitement over Stuxnet up to the enjoyment some network security experts get from imagining themselves to be experts in everything, which, in this case, is Iran's race to the bomb. It's a human thing. One gets attention on a hot story of audacious premise. The exciting tale has left the world forever changed!

Until the next time, in about two to three months, when the world is forever changed again.

But do go to the site which relates the Stuxnet narrative's central thesis, that of Ralph Langner.

Langner's discussion is an interesting one and often compelling.

But "hack of the century" is the type of overused phrase that won't get you a lot of mileage in circles not inclined to believe absolutely everything published about global malware. Or cyberwar.

Langner knows the technical side and makes a reasonable argument as to the amount of effort put into the Stuxnet bug. He argues that it was created by a national intelligence/defense program. And the obvious insinuation for this story has been Israel, although other countries are not ruled out.

However, the discussion goes a bit too far, understandably, in linking circumstantial news that Iran's nuclear program has progressed slower than expected with Stuxnet.

There is no proof that anything went bang or failed catastrophically in a nuclear reactor or even a centrifuge cascade. Other equally or more plausible explanations exist for any perceived slowdown, if there is one, in an Iranian nuclear weapons program.

Still, if one takes the broad leap and grants that a virtual effect of some kind was achieved, Stuxnet has had no discernible effect on anyone not already in on the story.

Years ago, I said publicly that I thought governments would try to write malware and pursue cyberwar. I had no real idea how long ago this was until some digging through old digital news records was done.

It was all the way back in 1995.

At the time, it was for a Voice of America news broadcast, and this is what I said, something I've repeated from time to time in many other discussions:

"[The author] is skeptical that offensive military operations will work very well in cyberspace.

"For years, Mr. Smith has been writing a newsletter on computer break-ins . . . He says Pentagon officials are overstating the danger from computer hackers and intruders.

"Nevertheless, [Smith] expects the United States and many other nations to try to create 'cyber-attack' forces: 'I think it is likely that people will try, I think it is unlikely they will have any impact'...

"[Smith said] the idea that small groups of people, armed only with keyboards, could seriously hurt a powerful military force belongs in Hollywood -- not the battlefield."

To this I'd only add that the lack of substantial proof of success in offensive malware operations has never stopped anyone in the cyberwar/cybersecurity business from insisting just the opposite. That's the way things have always been. It's bedrock law.

However, Iran's nuclear program won't be stopped by a piece of malware aimed at controller software in its factories.

And the liabilities of employing something like Stuxnet are now fairly obvious.

The most glaring is that such a thing is immediately seized upon and pulled apart by the worldwide distributed network of computer security researchers. And second, even granting for a moment that it was designed to be directed at Iran, the intelligence requirements for confining it solely to that target were still far too great, and its spread was not limited to that country. (Another law: As soon as a graf like this is published, one starts getting e-mails on how easy it is to do just that.)

In any case, over the weekend David Sanger of the New York Times wrote:

Stuxnet, which was first publicly identified several months ago, is aimed solely at industrial equipment made by Siemens that controls oil pipelines, electric utilities, nuclear facilities and other large industrial sites. While it is not clear that Iran was the main target -- the infection has also been reported in Indonesia, Pakistan, India and elsewhere -- a disproportionate number of computers inside Iran appear to have been struck ...

Another ramification is the identification of the originating country. If the country of origin is already an international pariah, then it doesn't matter if Stuxnet is pinned on such a nation. Or if such a nation is implicated.

As a thought experiment, assume for a minute that Stuxnet is a part of a US program, instead of Israel's.

In terms of national security and unilateral action, everyone already thinks the US acts rashly and can be reliably depended upon to behave with little regard for others. Even when this is not so, that's how people think.

So at this point, there's no longer much of a downside to unleashing something like Stuxnet.

Even if a national program were to execute something so poorly that the backfire swept over the originating country's civilian systems. (That's certainly progress, of a perverse kind.)

It would just be yet another example of some team or some agency thinking, perhaps reasonably, that it's godly and beyond reach.

As mentioned at the beginning, Stuxnet as a super cyber weapon is a fine story. The hype behind it is predictable, even logical. Paradoxically, one of the famous journalists usually among the first to exaggerate such things -- John Markoff of the New York Times -- gave it what was, for him, a mild reception.

Markoff's second paragraph, from his New York Times piece on the 27th:

The most striking aspect of the fast-spreading malicious computer program -- which has turned up in industrial programs around the world and which Iran said had appeared in the computers of workers in its nuclear project -- may not have been how sophisticated it was, but rather how sloppy its creators were in letting a specifically aimed attack scatter randomly around the globe.

All of the old anti-virus programmers, as far back as the late Eighties and Nineties, would have told anyone the same. In fact, they told stories like it about various computer viruses many times, the only difference being the wherewithal didn't yet exist to aim them roughly over a global network.

In essence, once a piece of replicating malware is released into the world, no matter how "smart" its creator(s) are said to be ("smart" being a relatively elastic and debatable term, depending on who you're consulting), it's effectively liable to wind up where least expected, no matter how fiendishly programmed. And to never do quite all that's expected of it although, indeed, it may become very famous.

If one gets back to nuclear fuel cycles and national bomb programs for a moment, it should be remembered that uranium can be enriched, and an atom bomb made, entirely without the use of Siemens software and globally networked computers.

Entire libraries of books exist on the matter.

And people who have devoted professional careers to the study of nuclear proliferation can give entire classes on what can go wrong inside a bomb program without ever getting to software problems and malware.

There are many things in the material world which can affect the progress of a bomb-making program, not the least of which are easily understood hurdles like inexperience, subpar skills and interference with access to essentials and properly engineered machinery.

In August, prior to Stuxnet news, the New York Times reported:

It is unclear whether the problems that Iran has had enriching uranium are the result of poor centrifuge design, difficulty obtaining components or accelerated Western efforts to sabotage the nuclear program ...

For most of this year, Iran has added relatively few centrifuges -- the machines that spin uranium at supersonic speed, enriching it -- to its main plant at Natanz. Only about half of those installed are operating, according to the International Atomic Energy Agency ...

The public explanation by American officials is that the centrifuges are inefficient and subject to regular breakdowns. And while Iranian officials have talked about installing more advanced models that would be more efficient and reliable, only a few have been installed.

"Either they don't have the machines, or they have real questions about their technical competence," [one expert told the Times].

Any of these explanations is as likely as Stuxnet, perhaps even far more so.

This post was published in an earlier version at Dick Destiny blog.
