Platt Perspective on Business and Technology

Stuxnet and beyond – and even knowing when you have been compromised

Posted in business and convergent technologies, in the News by Timothy Platt on October 2, 2010

A few days ago I posted a note on the developing news story of Stuxnet and our increasing vulnerability to cyber warfare attack, with:

Stuxnet, Cyber Warfare and the Challenge of the Intelligent Infrastructure.

I also wrote of our increasing need for cooperation, and for developing and using mechanisms for working together, both to limit the likelihood of cyber attacks and to limit their impact when they do happen.

I decided to follow up on that when I started seeing news articles about this event that, to my thinking, simply serve to support the disinformation that makes these weapons so damaging. When you examine the Stuxnet worm in detail, some of the text strings recovered from its binaries (internal project and file names, not any source code, which has not been published) could be read as suggesting that this particular malicious code came from Israel and its intelligence services, and more particularly from its Unit 8200, a division that reportedly focuses on signals intelligence and on issues related to cyber weapons and cyber warfare.

I may simply be naïve when I say this, but I find it hard to believe that a sophisticated intelligence or counter-intelligence operation or its professionals would leave religious references in their cyber weapon's code to help anyone who studies it track it back to them. Strings like these cost an attacker nothing to plant as a false flag, which is exactly why they make such poor evidence. So I come to what is perhaps one of the key defining features of cyber warfare: when it is done effectively you do not know where the attack came from, and you may not even know that an attack has happened, at least until very late in it or well after the fact.

If the attack is simply a covert penetration to obtain secret information, a big part of its goal will probably be to ensure that no one ever learns that anything happened at all. After all, secret information rapidly loses value once its legitimate owners learn it is no longer secret, as they then make every effort to render that knowledge obsolete and useless, and they take every possible step to close off the access points through which it was obtained in the first place.

I cited the April and May 2007 cyber attacks on Estonia in my earlier posting and turn back to that event, a denial of service campaign that was already technically primitive when it happened. This was a crude, blunt force assault that required massive bandwidth from multiple sources, of a kind most easily obtained through botnets: computers belonging to uninvolved third parties that have been hijacked and are directed without their owners' knowledge, so that the traffic's visible sources say nothing about who is actually running the attack. Yet to this day there is still debate as to what actually happened and who launched and managed it. Was it in whole or in part government sponsored or supported, or was it, strictly speaking, an independent action by private citizens who happened to disagree with Estonian decisions to relocate a Soviet-era war memorial and associated monuments?

If it is possible, and even relatively easy, to mask the true source of a ham-handed, blunt force attack carried out in real time over a significant period, how much easier is it to conceal the actual source of a stealthier and more quickly concluded one? And with this I cite the events of May 6, 2010 known as the Flash Crash, when the Dow Jones Industrial Average dropped some 600 points in a matter of minutes, for an intraday drop of just under 1,000 points in total.

Was this a concerted, organized attack, or was it the more random consequence of a wrong combination of flaws simultaneously expressing themselves in certain automated trading systems and other financial market infrastructure components: an unplanned and completely unanticipated accident? We do not even know whether this was an attack, let alone who may have launched it if it was, and this was anything but a stealthy event. It just happened very quickly, and then the immediately disruptive event was over, with only its ripple effect consequences left to play out.

In more conventional warfare, if you are shot at, the person holding the gun is probably the one who launched that particular attack. With botnets, proxy servers and anonymizing networks (see for example anonymous P2P) to work through, the one thing you cannot be sure of is whether the party that seems to be holding the gun isn't simply another intended victim, set up as the target of a guided but misdirected response. A source address in a packet header, a compromised host used as a relay, or a string left in a binary each tells you where the traffic or code last passed through, not who sent it.

Was the launching and distribution of Stuxnet a cyber warfare attack? It probably was. Did it come from Israel? That is possible, but there are a lot of other nations and non-state organizations and groups who would also take a dim view of the prospect of Iran developing atomic weapons, and who also hold antipathy toward the state of Israel. This, of course, assumes that Iran was in fact the intended target and that the actual target was not some alternative currently seen as having received only collateral damage. (As an alternative, if Iran is building a uranium enrichment facility with the intention of building a bomb, it is all but certain they are looking for validated best practices and proven technologies for as much of this as possible, and that they are replicating entire systems where they can. Stuxnet's payload is keyed to a particular Siemens industrial control environment, so any other installation that copied that same configuration would have been equally exposed. Who did they get their precise computer system hardware and software designs and set-ups from, and are those sources using the same for their own weapons or other nuclear programs? Who may have been affected who has not publicly acknowledged being damaged by this event? The possibilities for alternative scenarios are not endless, but there is a wide range of them, particularly if you include targets who would not admit they had been affected.)

And with this I turn back to the basic premise and the core conclusion I arrived at in my earlier posting on this event, and I focus on one point that I in effect tossed in as if it were a side issue. I said that we have to work collaboratively and for the common good with those whom we would not traditionally or conventionally see as our allies. The very uncertainties inherent in this type of attack make that essential. Cyber attacks have wide ranging impact that cuts across conventional boundaries of shared interest and concern, creating common needs and interests that affect everyone. And we cannot rely on our traditional map of adversaries and allies to determine where even the most publicly overt attacks could come from, let alone the more covert ones that may be hidden and ongoing.
