After a few years of grandstanding and chest-thumping about the dangers of cyberwar from the military complexes of the West, especially the US, we finally see something that actually looks like a covert act of digital warfare initiated at nation-state level (as opposed to the petty vandalism and independent street-gang-equivalent activity that has been heretofore labelled as cyberwar). And you know what? It might well have been the US military establishment that did it.
The story in question is the Stuxnet computer worm, which you’ve probably read about somewhere already. But just in case you’ve not, here’s the skinny: Stuxnet takes advantage of four different security holes in Microsoft Windows (which is far from out of the ordinary; if you’re gonna rob houses, go for the ones with no locks on the doors), which means it can spread very fast; it’s controlled and upgraded in a decentralised peer-to-peer fashion (also not new, as we saw the same thing in the big botnet worms of recent times), and has the added ability to jump onto removable media (thumb drives) to expand the infection vectors.
So far, so geeky. The weird bit is what Stuxnet actually does. Rather than setting up spam email farms or harvesting credit card numbers (the traditional remunerative ends of such software), it targets a very specific type of embedded industrial control software developed by Siemens… software that, according to Wired, is “installed in pipelines, nuclear plants, utility companies and manufacturing facilities to manage operations.” Furthermore, the configuration suggests a very specific sort of installation was the intended target, and that sabotage thereof was the intent; a German researcher theorises (admittedly without much in the way of evidence) that one of Iran’s nuclear plants was the target, and that the US or Israel are the likely nation-states-of-origin. It’s a sad thing to admit, but that’s all too believable a theory… which is doubtless why it’s getting so many mentions. Read, and read widely:
- Ars Technica
- Global Dashboard
- Christian Science Monitor
- Bruce Schneier (at pains to point out lack of supporting evidence for admittedly “interesting” theory)
Of course, plausibility isn’t probability; perhaps Stuxnet was developed by a rival company wishing to discredit the safety of Siemens’ systems*. The web enables industrial espionage, so why not industrial sabotage? But it seems an odd angle to take; deft marketing does just as effective a job of discrediting market-leading tech without engaging in criminal activity, and a black-ops hacking project would be an odd way to spend an R&D budget that would be better spent on, y’know, building a better mousetrap. Sabotage is a political act, ideological warfare… and that’s a nation-state game, not a corporate one.
It’ll be interesting to see what more we hear about Stuxnet, if anything, but I suspect it marks the start of a new chapter of geopolitics and technologised warfare.
[ * The fact that said systems run on Windows machines should be indictment enough, to be honest. ]