Arik Hesseldahl


Born on the 4th of July: Will There Be Collateral Damage in Cyberwar to U.S.?

If you needed any further evidence about the possibility of an unexpected blowback from the creation of the Stuxnet worm and other cyber-weapons like it, the U.S. Department of Homeland Security has something for your night table, bound to keep you awake.

Earlier this week, it released a 17-page report, embedded below, detailing the activities of the Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT for short.

It’s the DHS group that responds to cyber-incidents on those specialized computers that control industrial machinery, which are sometimes called SCADA systems. They’re the kind that were targeted in what’s turned out to be a joint U.S.-Israeli cyber-campaign against the Iranian nuclear research program.

Stuxnet was the first worm detected, but it came later, after the creation of Flame, a piece of software that can on command record everything that goes on inside and in the general vicinity of a computer.

The Washington Post, citing intelligence sources, reported that both were created as a result of the combined efforts and resources of the U.S. and Israeli intelligence agencies, filling in some gaps of reporting initially done by the New York Times.

The report details the number of incidents at numerous critical infrastructure sites: Energy plants, water facilities, factories, that sort of thing. The first bit that everyone pays attention to is how the number of incidents reported skyrocketed from nine in 2009 to 198 in 2011. A lot of that increase can probably be attributed to the fact that the ICS-CERT was a relatively new creation.

But the part that caught my eye was what the government wordsmiths at DHS creatively called “sector distribution.” In 2009, there were all of four sectors targeted for some kind of malicious attack: Dams, energy, water and two attacks that crossed sectors. Last year, there were 10 sectors targeted, and 49 cross-sector incidents.

See the graphic below for the breakdown:

On the bottom of Page 9, the report covers a case where a “critical manufacturing facility” — it doesn’t go into any more detail than that — discovered that its engineering workstations were all infected with Stuxnet. ICS-CERT arrived on the scene, confirmed that the malware infecting the machines was indeed Stuxnet and cleaned up the mess.

Consider for a moment that Stuxnet was never intended to be seen in the wild in the first place, but had, in the words of one intelligence official, “escaped,” and you get the idea of the kind of unintended consequences that the cyberwar age brings with it. That is to say: Silent, invisible weapons, adapted and turned back on their creators.

The fact that it was found infecting systems thousands of miles away from its intended target — outside of the control of the people who initially deployed it — raises questions about whether such a weapon can be realistically deployed without causing what in conventional warfare is known as “collateral damage.”

And make no mistake: This is a new age of warfare, comparable with the nuclear age that dawned in 1945 with the atomic bomb attacks. Who says so? No less than the reasoned minds of the Bulletin of the Atomic Scientists, the people who regularly adjust the so-called “Doomsday Clock.”

Kennette Benedict, the Bulletin’s executive director and publisher, summarized, about as eloquently as anyone has so far, the philosophically important moment at which society has arrived:

The parallels with the invention and first use of atomic bombs on Hiroshima and Nagasaki are eerie. Consider the similarities: First, government and scientific leaders invent a new kind of weapon out of fear that others will develop it first and threaten the United States. Second, the consequences of using the new weapon — both the material damage it might cause as well as its effects on international security and arms-race dynamics — are poorly understood. Third, scientists and engineers warn political and military leaders about the dangers of the new weapon and call for international cooperation to create rules of the road. Fourth, despite warnings by experts, the U.S. government continues to develop this new class of weaponry, ultimately unleashing it without warning and without public discussion of its implications for peace and security.

I wish I had said it that well myself. America’s first cyberwar is already under way, and has been for some time, without so much as a minute’s serious discussion in the public sphere.

This we already know.

We also know that once the weapons are developed, attacks are easy to carry out. Stuxnet was initially introduced by way of USB thumb drives surreptitiously dropped around a target site. Attacks documented in the DHS report describe employees of a targeted facility being tricked into clicking on PDF files attached to email messages. Brian Ahern, CEO of Industrial Defender, a company that specializes in helping companies prepare for attacks on control systems and the like, says these types of attacks are growing more common all the time.

What we don’t know — and can’t know, before it’s too late — is what might be the result of an advanced cyber-attack on a tender spot here at home. America, and the developed world in general, is more dependent on computer networks that are arguably more vulnerable to similar attacks, because of the knowledge gained by analyzing weapons like Stuxnet and Flame.

Pick your favorite metaphor: Genies let loose from bottles, or perhaps toothpaste squeezed from a one-way tube.

Here’s the report:

ICS-CERT Incident Response Summary Report 2009-2011

