Recent news reports describing a U.S. role in a cyberattack against Iran’s nuclear program will cost the United States dearly, warned the chairman of the House Permanent Select Committee on Intelligence.
The reports, which said the U.S. and Israel were behind the Stuxnet cyberworm that sabotaged Iran’s uranium processing plants in 2009, started “a very dangerous speculation game that we are all going to pay the price for,” said Rep. Mike Rogers, Michigan Republican.
His comments underline growing concern among some U.S. security officials and private-sector specialists about blowback from the Stuxnet attack itself - like retaliation from Iran, or the proliferation of cyberattacks against the kind of computer-controlled machinery that runs operations such as factories and city water systems.
U.S. officials are so concerned that the president and his Cabinet recently rehearsed responses to a Stuxnet-type strike that destroys vital infrastructure such as the power grid.
In public, U.S. officials have declined to comment on Stuxnet, and did so again for this article.
That is not surprising, said former White House cybersecurity official Marcus H. Sachs.
“Deniability is one of the strategic advantages” of cyberwarfare, Mr. Sachs said, adding that it is easy for hackers to hide their tracks and leave false trails, and hard to prove who was behind an attack.
“Don’t believe everything you read in the papers,” Mr. Rogers said last week during a Bloomberg government conference, referring to reports about the U.S.-Israeli development of Stuxnet in the New York Times and later The Washington Post.
He said U.S. policymakers generally avoid offensive cyberoperations because they are aware of the vulnerability of critical infrastructure such as the power grid, oil pipelines and refineries, and the telephone system - all of which can be attacked over the Internet.
“We don’t want to throw that first punch and then not be able to take the first punch back,” Mr. Rogers said.
The problem is that no matter who threw it, the first punch has landed, and it was a very public knockout.
Stuxnet crippled Iran’s capability for enriching uranium by causing the centrifuges used in the process to spin faster and faster until they flew to pieces. The program also concealed the fact that this was happening from the scientists running the enrichment process by feeding them fake data.
Since the discovery of Stuxnet in June 2010, security researchers have identified two other pieces of malicious software associated with it and likely written by the same team: Duqu and Flame. All three programs are highly sophisticated, employing multiple previously undiscovered software security holes.
Regardless of who was behind Stuxnet, the attack called worldwide attention to the vulnerabilities of much industrial control software (ICS) - the kind of computer-controlled machinery that Stuxnet attacked, said Benjamin A. Powell, a lawyer and former top attorney for the U.S. director of national intelligence.
“There are a huge number of ICS systems accessible via the Internet,” he said. “Stuxnet’s discovery put the security vulnerabilities of ICS systems in the spotlight.”
ICS systems ran the centrifuges at Iran’s secret uranium enrichment plant at Natanz. They also run the water and power systems, transportation and telecommunications networks that every modern city on the planet relies upon.
Since so many cybersecurity researchers have turned their attention to ICS systems in the wake of Stuxnet, hundreds if not thousands of vulnerabilities have been identified in every conceivable brand and type of the software. Many of these have been published - after the vendors that sell the systems affected were given time to fix them.
Many of them are comparatively simple to exploit. As The Times reported in 2010, cybersecurity researcher Dillon Beresford, working in his bedroom during his spare time, spent only a few months and a few hundred dollars to devise a way to hack one widely used ICS system.
ICS “was not designed to be secure,” said Ralph Langner, who first analyzed Stuxnet. “It was never supposed to be accessible from the Internet.”
Last year, the Department of Homeland Security and the FBI warned that hacker group Anonymous or environmental protesters might launch cyberattacks on ICS systems in oil refineries or other energy-sector targets as part of their campaign to stop the Keystone XL pipeline.
So far, the threat of terrorists, hacker activists or crime syndicates attacking ICS has remained theoretical. That is perhaps in part because the consequences of such an attack are so huge as to deter criminals, said David Marcus, director of security research at McAfee Labs.
“This stuff makes even the bad guys nervous,” Mr. Marcus said. “You’ve got to figure the response [to a mass-casualty attack on infrastructure] would be an order of magnitude greater than” that to run-of-the-mill financial cybercrimes.
There also are practical barriers to ICS attacks that make even relatively simple hacks difficult to fully exploit - to destroy equipment invisibly to its operators as Stuxnet did, for instance, requires detailed inside knowledge of the system.
For now, said Mr. Sachs, nations remain the only entities with the resources to carry out the most damaging kinds of cyberattacks - those that could disrupt or even destroy power, water or transportation systems in major cities.
“This is not easy stuff,” said Mr. Sachs. “If it was easy, everyone would be doing it. There’s a lot of actors out there who’d love to do it to each other - India and Pakistan to name but two.”
• Shaun Waterman can be reached at 123@example.com.