Cyber warfareStuxnet heralds age of cyber weapons, virtual arms race

Published 27 January 2011

Mounting evidence indicates that Stuxnet was created by the United States and Israel to target Iran’s nuclear program; analysts call this the first use of a specially designed cyber weapon and fear the beginning of a cyber weapons arms race; one analyst hopes that a doctrine of mutually assured destruction will limit the use of these devastating weapons in the future; current trends and other analysts indicate that cyber space will continue to be militarized

Cyber security analysts are increasingly viewing the Stuxnet virus, which sabotaged Iranian nuclear centrifuges, as a watershed moment in cyber warfare.

According to a recent New York Times article, mounting evidence suggests that the United States and Israel created the virus specifically to hamper Iran’s efforts to become a nuclear power.

If true, this virus is the first instance of a specially designed cyber weapon used to attack the industrial infrastructure of a sovereign nation. Moreover, its efficacy in delaying Iran’s nuclear program has shown the world the viability of such weapons.

Ralph Langner, an independent cyber security expert based in Germany, along with his team of engineers carefully picked apart the code of the Stuxnet virus and were surprised by what they found.

Unlike other viruses created by hackers that are indiscriminate with what they infect and cause general chaos, the Stuxnet virus was highly targeted in that it only attacked specific electronic components configured in a particular way, in this instance centrifuges designed for a nuclear plant.

“The attackers took great care to make sure that only their designated targets were hit,” he said. “It was a marksman’s job.”

Langner found the code to be highly advanced employing what he calls a “dual warhead.”

The program had two components. The first was designed to lay hidden before suddenly speeding up the rate at which the centrifuges spin so that the rotors would wobble and destroy themselves.

The second part of the code prevented engineers from recognizing what was occurring by sending false sensor signals indicating that nothing was wrong. This effectively kept engineers and the plant’s automatic safety system from shutting down problematic centrifuges.

Creating such sophisticated code required detailed knowledge of the individual components as well as how those specific centrifuges functioned in Iranian nuclear plants, well beyond that which an ordinary civilian could gather.

According to Langner, “code analysis makes it clear that Stuxnet is not about sending a message or proving a concept, it is about destroying its targets with utmost determination in military style.”

In a recent article, David Gerwitz, the cyber terrorism advisor for the International Association for Counterterrorism and Security Professionals, argues that the Stuxnet virus has ushered in anew age of cyber warfare and potentially sparked a virtual arms race similar to how Hiroshima sparked the nuclear arms race.

Gerwitz calls the Stuxnet virus the Little Boy and Fat Man of the digital age, in reference to the first two atomic weapons developed by the United States that heralded the age of nuclear weapons.

Unlike nuclear weapons that are costly to develop and scientifically difficult to create, nearly any group, individual, or state can quickly and cheaply develop a devastating cyber weapon.

Gerwitz fears the destructive potential of these new cyber weapons and how they will be used. Nothing is stopping Iran or any other group from attacking U.S critical infrastructure that is already vulnerable to cyber attack.

Defending U.S. networks is a daunting task due to its sheer size and the number of vulnerable points. Cyber weapons by nature are asymmetrical in that they exploit large networks and it is nearly impossible to defend all points against all potential attackers.

Gerwitz hopes that the doctrine of mutually assured destruction (MAD) can be established by making it clear “that if you attack us, we will attack you back and you will be badly hurt.”

He writes, “Perhaps if all nations and all actors keep MAD in mind, Stuxnet will be a one-time event and we’ll be writing about it in the history books like we now write about Hiroshima and Nagasaki.”

Others are not as optimistic about the limited use of such weapons.

The British organization the Organization for Economic Cooperation and Development (OECD) recently released a study that predicted cyber weaponry will become a routine part of future wars.

Further bolstering this belief is the fact that the United States recently stood up a new combatant command, Cyber Command, that is tasked with not only defending the nation against cyber attacks, but also developing offensive cyber capabilities.

Meanwhile Estonia just launched a volunteer cyber army in response to crippling cyber attacks, largely believed to have been launched by Russia.

Whether a doctrine of mutually assured destruction can be developed with cyber weapons remains to be seen, but in the meantime it is likely that the militarization of cyber space will continue.