Recently the U.S. Secretary of Defense made an ominous prediction: “There is a strong likelihood that the next Pearl Harbor that we confront could very well be a cyberattack.”
Leon Panetta was not alone in his assessment of threats to the United States.
FBI Director Robert Mueller has said, “I do believe that the cyberthreat will equal or surpass the threat from counterterrorism in the foreseeable future.”
A ticking clock
And Mike Rogers, the chairman of the Intelligence Committee in the House of Representatives, has warned, “We will suffer a catastrophic cyberattack. The clock is ticking.”
Cyberterrorism is not a new concept, but it is not one widely discussed, understood, or even feared by most Americans. We seem much more concerned – justifiably so – about another massive physical attack like 9/11.
The weapon exists
What’s even more worrisome is that the virus that could wreak such havoc has already been developed, tried and found successful in another part of the world. Worse yet, that malware can be copied by others, may already have been copied, and could be repurposed and used for just a couple million dollars.
That cost is obviously not a factor for a large terrorist group or a failed country’s regime wanting to exact revenge on America.
The latest and most sophisticated “worm” or malware is called Stuxnet and was discovered accidentally in 2010 as it was attacking the controlling computer in Iran’s nuclear uranium enrichment facility.
That attack had been underway for a year before discovery and had rendered thousands of the plant’s centrifuges – devices used to enrich uranium – useless. Estimates are that Iran’s nuclear production process was set back several years as a result.
A new era
Retired Gen. Mike Hayden told reporter Steve Kroft on 60 Minutes, “We have entered into a new phase of conflict in which we use a cyberweapon to create physical destruction and, in this case, physical destruction in someone else’s critical infrastructure.” That infrastructure could be nuclear plants, massive electrical power grids, water treatment plants, air traffic control facilities, and so on.
As former director of both the CIA and national security, Hayden should know what he’s talking about. He left the CIA in 2009 and refused to speculate to Kroft on any possible CIA involvement.
Although no one has taken responsibility for developing Stuxnet, the only two countries with the capability and motives for damaging Iran’s nuclear efforts in this way seem to be the United States and Israel.
Not surprisingly, neither country’s intelligence agencies are taking responsibility for it.
Stuxnet is unlike the millions of other computer viruses in existence. It is not designed to steal passwords or individual identities, and it isn’t out to unleash its attack on all the computers it infects. Instead, it was designed to target and infect one particular computer and to perform a specific task in that computer.
The computer is the main one at Iran’s Natanz nuclear enrichment plant, and the task was to cause the plant’s centrifuges to spin much faster than they were designed to do, destroying them in the process. If left unchecked, Stuxnet could totally halt the plant’s ability to enrich uranium.
According to Wired Magazine, Stuxnet uses a rare “zero-day” exploit to spread the virus in a computer.
“Zero-days are the hacking world’s most potent weapons: they exploit vulnerabilities in software that are yet unknown to the software maker or antivirus vendors,” writes Kim Zetter. “They’re also exceedingly rare: it takes considerable skill and persistence to find such vulnerabilities and exploit them. Out of more than 12 million pieces of malware that antivirus researchers discover each year, fewer than a dozen use a zero-day exploit.”
Another difference between Stuxnet and other computer worms is that this one masked the fact that it even existed. Generally, when a virus attacks a computer, the user is the first to realize it. Not so with Stuxnet. It is left free to do its damage without being readily detected.
In the case of Stuxnet, it was doing its work in the Natanz computer for a year before a computer security firm in Belarus discovered it. By then, thousands of the nuclear enrichment plant’s centrifuges had been destroyed and needed to be replaced.
If all the concern over Stuxnet were related to its ability to halt Iran’s nuclear enrichment program, few in the world would be concerned at all. It would be hard to find any Americans, in fact, who wouldn’t cheer its development.
A reusable weapon
The problem is that a cyberweapon – in this case the Stuxnet malware – doesn’t destroy itself when it is used, the way a missile, bomb, or rocket would. A cyberweapon does its damage and continues to live on.
That means the weapon is still available for use by anyone who can access it.
“There are those out there who can take a look at this, study it and maybe even attempt to turn it to their own purposes,” Gen. Hayden said.
The phrase “unintended consequences” was used more than once by the sources. In short, the weapon could be used against the United States.
A genie named Pandora
So the genie appears to have escaped the bottle, although repurposing and using it would require a lot of intelligence and a lot of work.
Ralph Langner, a German industrial security expert, said, “You don’t need many billions; you just need a couple of millions. And this would buy you a decent cyberattack, for example, against the U.S. power grid. (And you can access it) on the Internet.”
Pesky thing, that Pandora’s Box.