Getting to the bottom of Stuxnet is a sticky business, though plenty of researchers are trying. What is known is that it was a worm targeted at a uranium enrichment site in Iran, ostensibly to slow down the country’s nuclear production programme. It is also known that it was the first cyber attack that has directly caused physical damage. What is not so clear is who was behind the attack, nor whether a Stuxnet-like virus could potentially knock out a city’s power grid or other critical infrastructure – and panic around the latter has led to much rhetoric around the growing threat of cyber war.
Antivirus researchers agree that Stuxnet’s careful orchestration means a government is likely to have been behind the attack. Several media reports cite officials who place the blame squarely on US and Israeli shoulders, though neither government has publicly accepted it.
“We’ve concluded that whoever wrote it was highly sophisticated, highly organised, had experience, had resources and was likely to have hierarchical structure,” says Ilias Chantzos of online security firm Symantec, which began studying Stuxnet in 2010. “That indicates the involvement of a nation state, but at no point have we had enough information to attribute what that state might be.”
Symantec and other antivirus firms are still in the process of establishing a timeline for Stuxnet. Although the worm was first identified in 2010, Symantec found that the control systems at Natanz, the Iranian enrichment site, had been infected as early as 2005 – meaning that it had been much longer in the making than previously thought. It also concluded that different developer groups participated as Stuxnet evolved, lending credence to the theory that multiple states took part.
But other independent researchers consider Stuxnet to be rather rough-and-ready, pointing out that for all the worm’s precision inside Natanz, its makers could not do much to stop it getting out and infecting other machines. One well-known US cryptographer, Nate Lawson, is more sceptical of the Western state theory, noting inconsistencies and technical flaws in Stuxnet’s code.
“We’re left with the authors being run-of-the-mill,” he writes.
Independent consultant Tom Park has also voiced scepticism, pointing to basic errors that suggest a less-than-elite group may have put the finishing touches to the worm.
A changed hacking environment
Neither theory is particularly comforting: either a physically destructive worm, planned and executed with permission from the highest levels of the US government, or a patched-together virus produced by contractors who, though technically successful in their mission, were not skilled enough to stop it spreading to a large number of Iranian computers. Either marks something different from the protest hacks that bring down, say, online banking sites for a few hours.
“Previous attacks were more visible and aimed to cause disruption. They were for fame and notoriety,” explains Chantzos.
That is still the case, to a large extent. Vigilante collective Anonymous uses simple distributed denial of service attacks or website defacement as a kind of prankish political statement. More often than not it is, as they put it, “for the lulz”. But virtual graffiti on payment sites, though annoying, is more of a middle finger to a vague notion of authority than a sinister disruption of government projects. Even the more sophisticated takedowns, such as the 2007 DDoS attacks on Estonia, caused surface damage at best.
The most immediate online threat is, perhaps, more state-sponsored cyber espionage than sabotage like Stuxnet. More than a quarter of US companies have been targeted by Chinese hacks, according to the American Chamber of Commerce – none have seen their equipment break. Reliable estimates of financial losses due to data breaches are hard to come by, but a report from the US national intelligence director pins it at $398bn between 2009 and 2011. Meanwhile, the US has moved to restrict government purchases of Chinese IT equipment for fear of buying infected systems.
Cyber war talk
To classify any of this as cyber war would be overblown. To put it bluntly, no one has died as a result of a cyber attack. Nor has one triggered a military confrontation. The only worm that may have caused physical damage to another nation’s critical infrastructure seems to have originated from the US. But the growth in cyber espionage and DDoS attacks, together with the arrival of Stuxnet, has prompted talk of a “cyber 9/11”, something which could, ironically, slow down the implementation of relevant safeguards by overstating the threat. According to Dr Thomas Rid, a senior academic specialising in cyber security at King’s College London, an online Armageddon is not on the horizon just yet.
“A cyber 9/11 is not realistic,” explains Dr Rid firmly during a phone call. “People exaggerate the threat because they can make money – security companies, contractors and yes, academics.”
Certainly, the Chinese hackers feared by proponents of a “cyber 9/11” have done very little by way of sabotage, instead stealing information from US companies to benefit their eastern counterparts. But one-off attacks like Stuxnet and the 2007 attack on Estonia have prompted some panic, particularly as cyber crime remains so difficult to legislate. An attack conducted via the internet can cross multiple jurisdictions. It is also still difficult to pinpoint the perpetrator of an attack, both technically and sometimes politically. For example, the US might find it easier to request help locating an infected machine in the UK than it would if that same machine were in North Korea.
This panic has triggered the creation of a kind of rulebook for cyber war, the Tallinn Manual. Published in the wake of both Stuxnet and the attacks on Estonia, the Tallinn Manual is not a legal document, but an attempt by various international legal and military experts to establish some initial ground rules. It is also indicative of a community still tripping over exact definitions and in danger of conflating different threats.
For one thing, the manual kicks off with an apparent dismissal of the cyber espionage and security threat, instead focusing on attacks on critical infrastructure, or command and control systems, like Stuxnet. But given there has only been one Stuxnet, it is questionable whether this is really a priority for resources.
“The Tallinn Manual operates on a level above the intensity of Stuxnet, but nothing else has happened,” says Rid. “We have a former CIA director [Michael Hayden] noting that this is the ‘golden age’ of computer espionage. Lots of states are playing in this arena.”
Instead, argues Rid, the US government, being the most vocal about the cyber threat, should focus on shoring up its defences where it matters most. Though cyber attacks are increasingly equated to terrorist attacks or military operations, the equivalent information is never published. There is, for example, no cyber equivalent of the Department of Homeland Security publishing reports in the aftermath of an attack.
“If you have a cyber attack, there’s no government agency talking about the details,” says Rid, pointing out that any knowledge is tightly guarded by intelligence agencies. “It just leaves private companies to talk about it.”
There are, slowly, measures being implemented to counteract this, with US companies increasingly pressured to disclose any cyber attacks. The European Commission is considering proposals to force European companies to do the same. But until there is a clearer line that cuts through the fear and hype of cyber attacks and focuses on defence rather than attack, we will be hearing talk of that cyber 9/11 for a while yet.
Shona Ghosh is a technology journalist, currently writing for British computing magazine PC Pro.
Follow her on Twitter: @shonaghosh