Almost a year ago in this space, I wrote about a
sophisticated new computer virus called Stuxnet which had apparently done
considerable physical damage to almost a thousand uranium-enrichment
centrifuges in Iran in 2010. At
the time, it wasn’t clear who designed Stuxnet, although guesses were that
either Israel or the U. S. was responsible.
Well, on June 1 of this year, the New York Times published
excerpts from an upcoming book that confirms those suspicions, and goes into a
lot more details. It turns out
that Stuxnet was only one of several cyberattacks that originated with a
project called “Olympic Games” that began during the presidency of George W.
Bush, who encouraged his successor Obama to continue it. Obama took Bush’s advice and persisted
with the program even after the Stuxnet virus escaped “into the wild,” which is
how the computer-security community learned about it a year ago.
There are two related ethical concerns that these latest
revelations highlight. One has to
do with U. S. participation in cyberwarfare generally. And the other has to do with the fact
that someone in the current administration spilled so many beans about what we
were doing.
Cyberattacks are following a well-trodden path down which
earlier forms of militarily useful technology passed decades or even centuries
ago: telegraphy, radio, aviation,
and nuclear weapons, to name a few.
The trend is from discovery to initial, usually rather amateurish, experimentation,
and then to serious funding and adoption by all sides in a conflict. With regard to cyberwarfare, we are now
beyond the amateurish-experimentation phase and well into serious adoption by
at least one side: the U. S. and
Israel, which turns out to have collaborated closely with the U. S. in the
Stuxnet project for both technical and diplomatic reasons. If history is any guide, we can now
anticipate a cyberwarfare counterattack by one or more of our enemies sooner or
later.
This is made especially likely because cyberattacks turn out
to be pretty cost-efficient.
Software experts examining the Stuxnet virus at the time it was first
found estimated that it was fairly cheap to develop, under a million
dollars. The latest revelations in
the Times show that this may have
been an underestimate, because the CIA went to the trouble of building a
working model of part of Iran’s nuclear facility using the identical machines
that were the target of the attack, in order to be sure it would work. Still, it was cheap compared to a
full-scale airstrike with cruise missiles, for example.
Cheapness cuts both ways. The U. S. isn’t the only country with sharp computer whizzes
willing to develop evil viruses to mess up critical infrastructure. Stuxnet was highly specialized to do a
specific kind of damage to only one facility, but virus-writers worldwide have
highjacked its innards to do other malicious things since then. It is not beyond the realm of possibility
to imagine someone taking the basic Stuxnet format and designing a virus to,
say, whack out an industrial controller commonly used to regulate the speed of
steam turbines in power plants. I’m
not knowledgeable about the degree of sophistication of power-plant software or
the tightness of their security measures, but I’m sure it varies from place to
place, and while some on-the-ground collaboration was needed for the attack on
Iran, that might not be necessary for some forms of virus attack. The point here is that with its vast
array of computer-dependent infrastructure, the U. S. is very vulnerable to
just the kind of cyberattack we mounted against Iran.
Which brings up the second ethical concern: did we have to go so public with all
the details of what our responsibility was in Stuxnet? Critical information about decryption
technology used in World War II was kept in the dark for decades. I would expect the kind of details we
read in the Times to come to light
some day, but less than two years after the attack? Perhaps this is a deliberate ploy to warn counterattackers
that yes, we can do this and you’d better watch out. But because cyberattacks rely on lapsed vigilance and poor
security measures (the Stuxnet actually got into the target network through a
carelessly used flash drive someone carried into the secure facility), it seems
like telling our enemies all the details of our attacks and responsibility for
them, will just make them all the more cautious and less likely to fall for
such things in the future. In
other words, if you’re going to fight a war with secret stuff, blowing the
secret doesn’t seem like a good idea.
At the risk of sounding excessively political, one could
speculate that the publicity about Stuxnet was another attempt to show the
present administration in a “tough-guy” mode, consistent with recent
revelations about how the President himself personally authorizes every drone
attack on targets that have included a U. S. citizen in at least one
instance. These drone attacks have
drawn criticism from the President’s own party, notably former President Jimmy
Carter. Like cyberattacks, drone
strikes are, in the short term, a “no-risk” mode of warfare that carries no
domestic downside in terms of U. S. casualties incurred during the
attacks. But an older code of
conduct in the battlefield would view the kind of button-pushing fight we are
presently engaged in as morally suspect, if not downright cowardly.
It was close to inevitable that cyberwarfare would take its
place along more conventional means of fighting a military conflict. But now that we have told the world we’re
doing it, we should not cry foul if some fine day our own computer systems fall
victim to a low-budget, focused attack that could do even more damage than ours
did to the Iranian uranium facility.
Sources: The New York Times report on the
Olympic Games efforts appeared online on June 1, 2012 at http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html. President Carter’s criticism of drone
strikes as being violations of human rights appeared in the same publication on
June 24, 2012 at
http://www.nytimes.com/2012/06/25/opinion/americas-shameful-human-rights-record.html.
My blog “Stuxnet and the Future of
Cyberwarfare” was posted July 24, 2011.
No comments:
Post a Comment