Monday, March 5, 2012

The Stupidity of STUXNET

Anyone who watched the first segment of '60 Minutes' last night, would have been treated to the news (kept seemingly well concealed hitherto) of one of the most malicious pieces of software ever conceived - a worm called "Stuxnet". According to the 60 Minutes' piece, the noisome behavior of this worm eventually drew the attention of Liam O Murchu, an operations manager for Symantec, one of the largest antivirus companies in the world. As he noted in the interview:

"As soon as we saw it, we knew it was something completely different. And red flags started to go up straightaway."

Those red flags included the way this worm specifically singled out computing command and control operations protocols to take over sophisticated robotic -run systems and divert them subtly toward perdition - to the extent no one running any plant operations (mainly at Iran's nuclear processing plants) would be any the wiser. Thus the worm could carry on its destruction undetected.

In the case of Stuxnet, its malicious trail commenced in June of 2010, when it was first detected and isolated by a tiny company in Belarus after one of its clients in Iran complained about a software glitch. Subsequently, reports filtered in that Iran's centrifuges were somehow compromised, though they didn't let on that they were aware of the real culprits (which I suspect was the NSA, whose cryptological-computer-savvy 'fingerprints' are all over this. )

Meanwhile, also featured on the 60 Minutes' piece was Retired General Michael Hayden, a former head of the National Security Agency. As he talked about the damage inflicted by the worm he damned near gloated with self-satisfaction as he babbled:

"We have entered into a new phase of conflict in which we use a cyberweapon to create physical destruction, and in this case, physical destruction in someone else's critical infrastructure. This was a good idea, alright? But I also admit this was a really big idea too. The rest of the world is looking at this and saying, 'Clearly someone has legitimated this kind of activity as acceptable international conduct.' The whole world is watching."

Indeed, but WAS IT a "good idea" to bring this genie out of the bottle and introduce it to the world? Especially when the initiator -attacker nation - obviously the hubristic U.S. - believes itself beyond the range of retribution? This is the question that must be asked, especially when we have a creaky power grid that just barely functions efficiently in periods of high demand - such as this summer promises to be, what with global warming continuing its ramping up!

Evidently, Sean McGurk - former head of cyber defense at The Department of Homeland Security, in charge of protecting critical infrastructure in the U.S. - doesn't believe so. WHen interviewed last night, he pointed out (alarmingly):

"You can download the actual source code of Stuxnet now and you can repurpose it and repackage it and then, you know, point it back towards wherever it came from."

CBS' Steve Kroft then remarked: "Sounds a little bit like Pandora's box." To which McGurk responded, "Yes!"

McGurk added:

"They opened up the box. They demonstrated the capability. They showed the ability and the desire to do so. And it's not something that can be put back."

Kroft then pressed the issue, asking:

"If somebody in the government had come to you and said, "Look, we're thinking about doing this. What do you think?" What would you have told them?"

To which McGurk didn't hesitate in responding:

"I would have strongly cautioned them against it because of the unintended consequences of releasing such a code."

Kroft then surmised that one such "unintended consequence" is that this same code might be "re-purposed" and used against us. Perhaps against nuclear power plants or the power grid. Again, McGurk responded:"Yes", labeling the possible retributive cyber attack worm, "Son of Stuxnet".

But this is no laughing matter! Because of the hubristic, belligerent and arrogant actions of an enclave of pointy-headed computer geeks at the Puzzle Palace, we're likely all in jeaopardy (as we were with the Wall St. quants inventing insane credit derivatives using the Gaussian Copula formula before the financial meltdown). These sort of reckless actions do not bode well, and although their creators and the guilty agency might argue they were done with the "best intentions" , i.e. to slow down Iranian processing of nuclear fuel, we know the road to Hell is paved with them.

More than 15 years ago such malicious and aggressive cyber-actions were forecast by author Winn Schwartau in his book: 'Information Warfare:Chaos on the Electronic Superhighway', 1995, Thunder's Mouth Press. As Schwartau noted ( p. 297):

"At the pinnacle of the Information Army is what the military calls C3I: Command, Control, Communications and Intelligence (some military planners now call it C4I, adding computers into the equation) - and what business calls 'the board of directors.' This is where strategic plans are made and directives for tactical support are calculated."

Schwartau also noted that "all money comes through C3I" (or C4I as the case may be), and much may emerge from "black budgets" or off the books funded operations to retain maximal security. Such levels of security are not as typical with the CIA or DIA (Defense Intelligence Agency) but they are with the grandaddy of spookhood, the NSA, which oversees all others. (Two of the best exposes of this bunch based at Ft. Meade, MD and their methods appeared in James Bamford's book, Body of Secrets (2001), and the Baltimore Sun series: 'No Such Agency: America's Fortress of Spies', by Scott Shane and Tom Bowman, Dec. 3-15, 1995)

The different echelons of information warrior, in the Class III (global) arena include(op. cit. 298-311):

- 'Communications or C-group' - responsibility for all communications, networking aspects, including encryption schemes. They may even "use the Global Network to achieve anonymity and privacy". Also "to make interception and traffic analysis of their activities much more
difficult, convoluted routing of communications paths all over the country and the world will require C-group to be multinational."

- 'Mappers' - as the name implies, those who chart cyberspace, showing how all the connections occur - and the critical points - for future targeting of attacks.

- 'Crackers' - use special software tools to decipher passwords, or break encryption schemes, say trhereby allowing a "worm" or virus to penetrate firewalls.

- 'Sniffers' - e.g. 'sniff' out passwords using sophisticated programs, or install 'taps' to eavesdrop or monitor selected targets.

- 'Readers' - Monitor emanations from computer screens/monitors using Van Eck radiation detectors. A person can park in a specially outfitted truck (often made to look like the local phone service) and 'read' everything on your monitor screen from up to a half mile away.

- Software Development group - "duplicate field conditions reported by a mapper or cracker and then develop a reliable means to compromise it".

- 'Moles' "deploy malicious software, garner confidential information from the target, or provide valuable inside information to C3I (or C4I)."

- Analysts - as the name implies, responsible for sifting through the vast reams of information made available and separating 'signal' from 'noise'. These eggheads would've been able to assess the extent of damage inflicted by Stuxnet to the Iranian centrifuges.

- 'Public Relations Group' -will feed information to the press on a selective basis."

Readers interested in seeing the '60 Minutes' segment can find it here:;storyMediaBox

Sadly, this reckless and pre-emptive cyber attack, obviously initiated by our country (despite all the cloak and dagger BS), may well pave the way for a much less secure world affecting all of us. Let us hope if the Russians, Chinese or anyone else - run of the mill terrorists - mount their own attacks using "Son of Stuxnet" or an even worse variant, we are prepared and it doesn't lead to mass chaos!

No comments: