The gist of this column lately has been that threats of “cyberwarfare” waged through the public Internet are the stuff of Hollywood schlock and patriotic pulp fiction. But there are other ways to wage electronic war, and they tend to be more terrifying precisely because they’re tougher to fight.
Siemens announced in July that a malicious bit of code called Stuxnet could spread on USB thumb drives and try to lift industrial secrets from its clients around the world. It’s the first large-scale worm of its kind, an act of sophisticated industrial espionage that indicates the real future of electronic warfare.
“Stuxnet,” according to PCWorld, “marks the first time that someone has targeted the factory floor” with a software virus.
The Munich-based Siemens corporation specializes in “automated systems,” from fire alarms to robotic factories to power grids. This worm in particular went after a Siemens industrial software suite called WinCC. A company spokesman said WinCC is used by “thousands” of plant managers worldwide, and the worm reportedly found its way — without causing major damage — into 14 plants in Germany, Indonesia, India, North America, the United Kingdom and (primarily) Iran.
None of the infections spread through the public Internet, and the reason cyberwar scenarios over the Web may remain the stuff of fiction is that vital networks, like those that run nuclear power plants, can be kept well away from the Internet – meaning safe from remote, and presumably foreign, hackers. Yes, Estonia suffered a massive denial-of-service attack in 2007, probably from Russian nerds, and some important Estonian government sites went down, but such a denial-of-service attack will probably not cause a disaster, say, in a nuclear power plant.
What could cause a nuclear disaster is an inside job. A spy could infect a power plant’s control system with a bug on a USB drive, just as a soldier with security clearance and a CD-ROM marked “Lady Gaga” can sneak out thousands of classified military documents. Or perhaps establish a “digital beachhead,” as occurred in 2008 when a flash-drive-launched virus infected the Department of Defense.
Alternatively, the author of a worm like Stuxnet could find a way to install it on a USB stick bound for certain machines. (Siemens reportedly sends software license keys to its clients on USB sticks.)
No one is sure where Stuxnet originated, but cyberwarfare experts have been predicting similar attacks for years. WinCC is so-called SCADA software (“supervisory control and data acquisition”), and a SCADA attack could, in theory, shut down a power grid or hand essential controls to an outside user.
“It could be very valuable to a nation-state for war-like espionage,” Reuters quoted Randy Abrams, a researcher at a security firm called ESET, which studied Stuxnet. “It could be very valuable to terrorist organizations.”
Happily, this kind of intrusion still requires the old-fashioned presence of a human being, what older generations would have called a spy. It’s just that a spy can now cause unheard-of mayhem. A military leak is one thing; the airing of 91,000 military documents relating to the war in Afghanistan, useful as they might be to the public discourse, must have blindsided American generals – who in turn started crafting tighter security known as Cyber Insider Threat.
The glimmer of light is that neither Stuxnet nor the Wikileak sensation could have been perpetrated by some clever kid with just a broadband connection. The threat of massive cyberwarfare or terrorism over the Web, for now, is small, so average Internet users don’t have to tolerate horror stories that threaten to close down their freedom and privacy.