Stuxnet Poses Thorny Issue For Cyberdefenders
STEVE INSKEEP, HOST:
We've been following up, this week, on the story of a computer bug that attacked Iran. The Stuxnet virus partially disabled a nuclear plant, and though nobody has taken credit, it's suspected the United States may have played a role.
RENEE MONTAGNE, HOST:
So it's ironic that Stuxnet could provide a blueprint for cyber attacks against the United States. Power plant operators are preparing for the worst.
UNIDENTIFIED MAN: This is not a good thing. Our screens are black. The lights are out. We're flying blind.
MONTAGNE: That was a training exercise. The big fear for the Department of Homeland Security and others is what happens in a real attack. Today, NPR's Tom Gjelten considers what Stuxnet tells us about the dilemmas of cyber war.
TOM GJELTEN, BYLINE: This story begins back in 2007. That spring, researchers at the Energy Department's Idaho National Laboratory carried out an important experiment. They'd been looking at the computers that run the equipment at power plants and other critical facilities, and they wondered if someone could hack into those systems and somehow destroy the equipment - the turbines, the pumps, the pipelines. So they hauled a big diesel generator into the lab. It was a million dollar guinea pig.
MICHAEL ASSANTE: I saw a fine piece of machinery. It was spring mounted. It had a flexible coupling...
GJELTEN: Michael Assante was one of the researchers. The experiment was called Project Aurora. Assante and the others hooked the generator up to the computer, just as it would be in real life, and then they messed with the instructions that the computer was sending to the generator.
Until then, computer bugs were seen as more of an annoyance than anything else. But the Idaho researchers were able to rewrite the code so that the computer told the big generator to blow itself up, which it did.
ASSANTE: When we started to conduct the test, that really robust machine couldn't take it. The coupling broke between the prime mover and the generator. You saw the actual machine, itself, belching, smoke coming out of it.
(SOUNDBITE OF HISSING AND BELCHING)
GJELTEN: The test was initially kept secret, but video of the generator coming apart was soon leaked and broadcast on CNN.
(SOUNDBITE OF HISSING AND BELCHING)
GJELTEN: From that point on, Assante says, the cyber risk to power plants and other facilities had to be taken more seriously. Project Aurora demonstrated the cyber threat in vivid terms.
ASSANTE: It's very vivid when something shakes apart and you see black smoke belching out of it and it doesn't do what it's supposed to do. It's very vivid when something breaks apart in a fireball.
GJELTEN: About two years after the Aurora experiment, someone introduced a bug into a computer that controlled some of the centrifuges at a uranium enrichment facility in Iran: Stuxnet. And what happened? The centrifuges broke. Just like the diesel generator at the Idaho lab.
The fact that U.S. researchers in 2007 already knew how to destroy equipment through a cyber attack has prompted some people to think the United States maybe developed the Stuxnet worm. There's also the sophistication of the worm. Ralph Langner, one of the first cyber researchers to study Stuxnet, says he was impressed by the malicious software - the malware - used in the Stuxnet cyber weapon.
RALPH LANGNER: To us, it was pretty clear in the early phase of our analysis, that the development of this particular malware required resources that we do only see in the United States.
GJELTEN: Others dispute that. Marty Edwards from the Department of Homeland Security runs the cyber emergency response team at the Idaho lab. He says that by the time Stuxnet came along, engineers around the world had already figured out that the computers used in industrial control systems were vulnerable - in similar ways.
MARTY EDWARDS: The vulnerabilities discovered in those systems all have common threads or common traits. And so I think it was only a matter of time before those common weaknesses or vulnerabilities were leveraged in an event such as Stuxnet. So I don't think anybody was particularly surprised when that happened.
GJELTEN: We may never know whether the U.S. government had a role in creating the Stuxnet cyber weapon. But we do know this: the necessary knowledge and expertise was apparently there. The use of Stuxnet against Iran would have been consistent with U.S. policy, which has favored the sabotage of Iranian nuclear facilities.
And finally, we know the United States does have some kind of offensive capability in the cyber war domain. We can attack. We just don't know much about that capability. Herbert Lin, chief scientist at the National Academy of Sciences, edited an unclassified report on policy, law, and ethics in cyberwar.
He says one possible reason for the silence on offensive cyber weapons is that they're still in development. Or maybe the government still hasn't figured out what U.S. policy should be in this area.
HERBERT LIN: We're still trying to get our heads around whether we really want to have a world in which offensive capabilities play a big role. Some people might say yes, some people might say no, and we don't really know what we want. So we're silent about it.
GJELTEN: The use of cyber weapons by the United States, or anyone, would pose a dilemma, because of what security experts call the blowback risk: the idea that a weapon meant to be used against your enemy might be turned back against you. In such cases, you need a risk-benefit analysis of the cyber war option. The conclusion of such an analysis may not be obvious.
The Project Aurora researcher, Michael Assante, was among the first cyber security experts to warn that Stuxnet could provide a blueprint for attacks on U.S. infrastructure. But, meeting with reporters recently at the Idaho Lab, Assante chose to emphasize the context in which Stuxnet was apparently developed - the fear that Iran might develop a nuclear weapon.
ASSANTE: That's probably one of the largest national security challenges I can envision, personally. So, in that context, I bet you can make a pretty strong argument that the benefit of using a cyber weapon to slow down or delay, or to achieve a specific objective, might absolutely outweigh the risk.
GJELTEN: But who gets to weigh the benefits against the risks? That's a pretty big responsibility. And here's another question: If the U.S. government develops a cyber weapon that could eventually be turned against us, should the people responsible for defending the country against cyber attacks be told about it?
A former intelligence official tells NPR that if the National Security Agency or the CIA did develop a cyber weapon, it would probably be so top secret that not even the Department of Homeland Security would know about it. Herbert Lin of the National Academy of Sciences says the question of information-sharing between the offensive and defensive teams is a hot issue right now in cyber circles.
LIN: My sense is that there are lots of people talking about it, but most of the discussion, almost all the discussion, is going on behind closed doors.
GJELTEN: Eventually this could change. Whether and when the United States should use nuclear weapons, or chemical weapons, or land mines has been vigorously debated in public for years. And it's probably only a matter of time before we can also discuss the risk and benefits of using a cyber weapon like Stuxnet, for example.
Tom Gjelten, NPR News.
(SOUNDBITE OF MUSIC)
MONTAGNE: This is NPR News. Transcript provided by NPR, Copyright NPR.