Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
Page 49
7 Speaking in 1862 after the Battle of Fredericksburg.
8 Kevin Haley, “Internet Security Predictions for 2011: The Shape of Things to Come,” Symantec blog, November 17, 2010, available at symantec.com/connect/blogs/internet-security-predictions-2011-shape-things-come.
9 Kennette Benedict, “Stuxnet and the Bomb,” Bulletin of the Atomic Scientists, June 15, 2012, available at thebulletin.org/stuxnet-and-bomb.
10 There are ways to lessen this risk by carefully encrypting digital weapons to prevent random parties who get hold of the code from reverse-engineering it. A digital weapon has to decrypt itself in order to engage its payload once it finds the system it’s targeting, but the keys for doing this don’t have to be inside the weapon itself, as they were with Stuxnet. Instead, the better design is the one that Gauss used, which employed a complex encryption scheme that used the actual configuration of the system it was targeting to generate the decryption key. Gauss only delivered and decrypted its payload once it found this specific configuration. This won’t work, of course, if the configuration on the targeted system changes, thereby defusing the digital weapon, but it will work in cases where the configuration of a system isn’t likely to change. See the discussion of Gauss on this page. Also, to limit a digital weapon’s exposure once it is decrypted on the system it’s targeting, it could be designed to self-destruct upon completing its mission so that it won’t linger on a system longer than necessary. This won’t work for all weapons, however. Stuxnet needed to remain on a system for a long time to achieve its aim, for example. But it will work for other weapons that do their damage quickly.
11 Marcus Ranum, “Parsing Cyberwar—Part 4: The Best Defense Is a Good Defense,” published on his Fabius Maximus blog, August 20, 2012, available at fabiusmaximus.com/2012/08/20/41929.
12 Grant Gross, “Security Expert: US Would Lose Cyberwar,” IDG News Service, February 23, 2010, available at computerworld.com/s/article/9161278/Security_expert_U.S._would_lose_cyberwar.
13 Though Siemens control systems aren’t as widely used in the United States as they are in other parts of the world, the control systems that dominate facilities in the United States operate under the same design principles with some of the same flaws. An attacker would simply need to study the systems to find ways to attack them, which a number of security researchers have already done in the years since Stuxnet was released.
14 Gerry Smith, “Stuxnet: U.S. Can Launch Cyberattacks but Not Defend Against Them, Experts Say,” Huffington Post, June 1, 2012, available at huffingtonpost/com/2012/06/01/stuxnet-us-cyberattack_n_1562983.html.
15 Prepared statement to the Strategic Forces Subcommittee of the House Committee on Armed Services, for a hearing on March 17, 2009, available at gpo.gov/fdsys/pkg/CHRG-111hhrg51759/html/CHRG-111hhrg51759.htm.
16 In August 2012, a destructive virus called Shamoon struck machines at Saudi Aramco, Saudi Arabia’s national oil and natural gas company, and wiped all the data from more than 30,000 machines—an attack that provided a stark reminder of how any machine on the internet can become ground zero for destruction in a political dispute and how difficult it can be to determine attribution afterward. The virus didn’t just wipe data from the machines, it replaced every file on them with one containing an image of a burning US flag—though a bug in the code prevented the flag image from fully unfurling on infected machines. Instead, only a snippet of the image appeared when files were opened; the rest of the image was blank. US officials accused Iran of masterminding the attack, though offered no proof to back the claim. The attack may have been launched by Iran as retaliation for the Wiper attack that erased data from machines at the Iranian Oil Ministry and the Iranian National Oil Company four months earlier, or it may have been retaliation for Stuxnet, aimed at a US ally that was less capable of attacking back. Or it may simply have been the work of hacktivists opposed to US foreign policy in the Middle East (a group of hackers calling themselves the Cutting Sword of Justice took credit for the attack). It might even have been a “false flag” operation launched by another country to make it look like the perpetrator was Iran (NSA documents released by Edward Snowden disclose that the UK sometimes uses false flag operations to pin blame on third parties).
17 In August 2008, armies of computers with Russian IP addresses launched distributed denial-of-service attacks that knocked Georgian government and media websites offline, thwarting the government’s ability to communicate with the public. The timing of the attacks, right before the Russian invasion of South Ossetia, was proof enough for many that the digital campaign was part of the military offensive.
18 The simulation designers revealed in the end that the bewildering web of attributions behind the cyberattacks had been a key part of their strategy. Under their plan, it was al-Qaeda that had actually launched the initial attacks against Israel in the hope of escalating tensions between Israel and the Iran-backed Hezbollah in Lebanon. But it was Iran that launched the attacks on the United States. The latter were done in a way to make it look as if Israel had launched with the intention of framing Iran for them. The US was supposed to think that Israel had played the ultimate dirty trick—launching an attack against the United States in order to point the finger at Iran and drum up US support for an Israeli airstrike against Tehran.
19 Barbara Opall-Rome, “Israeli Cyber Game Drags US, Russia to Brink of Mideast War,” Defense News, November 14, 2013, available at defensenews.com/article/20131114/DEFREG04/311140020/Israeli-Cyber-Game-Drags-US-Russia-Brink-Mideast-War.
20 “Israel Combats Cyberattacks, ‘Biggest Revolution in Warfare,’ ” UPI, January 31, 2014, available at upi.com/Business_News?Security-industry/2014/01/31/Israel-combats-cyberattacks-biggest-revolution-in-warfare/UPI-24501391198261/.
21 Marcus Ranum, “Parsing Cyberwar—Part 3: Synergies and Interference,” published on his Fabius Maximus blog, August 13, 2012, available at fabiusmaximus.com/2012/08/13/41567.
22 Thomas Rid, “Think Again: Cyberwar” Foreign Policy, March/April 2012.
23 Author interview with Andy Pennington, November 2011.
24 James A. Lewis, “Cyberwar Thresholds and Effects,” IEEE Security and Privacy (September 2011): 23–29.
25 Rid, “Think Again: Cyberwar.”
26 This and other quotes from Healey come from author interview, October 2013.
27 Julian Barnes, “Pentagon Digs In on Cyberwar Front,” Wall Street Journal, July 6, 2012.
28 James A. Lewis in testimony before the Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, March 16, 2012, available at homeland.house.gov/sites/homeland.house.gov/files/Testimony%20Lewis.pdf.
29 James A. Lewis, “Thresholds for Cyberwar,” Center for Strategic and International Studies, September 2010, available at csis-org/publication/thresholds-cyberwar.
30 Ibid.
31 W. Earl Boebert, “A Survey of Challenges in Attribution,” Proceedings of a Workshop on Deterring Cyber Attacks: Informing Strategies and Developing Options for US Policy. Published by the National Academy of Sciences at na.edu/catalog/12997.html.
32 Rules of engagement are the military orders that take into consideration international law and US policy to draw up a single document that the military uses to conduct its operations. There are rules of engagement for different operations, since the rules will change whether it’s a peacekeeping mission in Bosnia or an aggressive invasion of Iraq. Separately, there is an overarching set of rules of engagement that applies to the military’s day-to-day operations. These latter standing rules, which are mostly classified, include cyber. According to Gary Brown, who was legal counsel for US Cyber Command from 2009 to 2012, these standing rules were being rewritten during his
time with the command and he said in 2014 that he still didn’t know if they were completed. The military was using the second version of the rules that were finished in 2005, known as the Bravo version when he was there. The third version, known as Charlie, should have been finished in 2010, but still wasn’t completed when Brown left in 2012. The Bravo version addressed cyber, but only in broad terms. Version Charlie is supposed to address it in more specific terms.
33 Chris Carroll, “Cone of Silence Surrounds U.S. Cyberwarfare,” Stars and Stripes, October 18, 2011, available at stripes.com/news/cone-of-silence-surrounds-u-s-cyberwarfare-1.158090.
34 David E. Sanger, “America’s Deadly Dynamics with Iran,” New York Times, November 5, 2011.
35 Duqu was publicly exposed in September 2011, and although Microsoft patched the font-rendering flaw it exploited, by late 2012 “attacks against this single vulnerability had skyrocketed,” Finnish security firm F-Secure noted in its 2013 annual report. This vulnerability alone “accounted for an amazing 69 percent of all exploit-related detections report.” See page 36 of “Threat Report H1 2013,” F-Secure, available at f-secure.com/static/doc/labs_global/Research/Threat_Report_H1_2013.pdf.
36 Dennis Fisher, “Nation-State Attackers Are Adobe’s Biggest Worry,” ThreatPost, a security blog published by Kaspersky Lab, September 20, 2011, available at threatpost.com/nation-state-attackers-are-adobes-biggest-worry-092011/75673.
37 Speaking to the Senate Committee on Appropriations, “Cybersecurity: Preparing for and Responding to the Enduring Threat,” June 12, 2013, available at defense.gov/home/features/2013/0713_cyberdomain/docs/Alexander,_General_Keith_Testimony_6.12.13_Cybersecurity_Hearing.pdf.
38 All quotes from Hayden here and next page come from author interview in February 2014.
39 The President’s Review Group on Intelligence and Communications Technologies, “Liberty and Security in a Changing World” (report, December 12, 2013), 37. The report is available at whitehouse.gov/sites/default//files/docs/2013-12-12_rg_final_report.pdf.
40 Clarke was speaking at the RSA Security Conference in San Francisco in February 2014.
41 “Advance Questions for Vice Admiral Michael S. Rogers, USN, Nominee for Commander, United States Cyber Command,” available on the Senate Armed Services Committee website at armed-services.senate.gov/imo/media/doc/Rogers_03-11-14.pdf.
42 David E. Sanger, “Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say,” New York Times, April 12, 2014.
43 Kim Zetter, “Obama: NSA Must Reveal Bugs Like Heartbleed, Unless They Help the NSA,” Wired.com, April 15, 2014.
44 Soghoian was speaking at the Personal Democracy Forum in June 2012 in New York.
45 Author interview, 2014.
46 Lotrionte was with the CIA prior to 2002, followed by positions as counsel to the president’s foreign intelligence advisory board at the White House and a position as legal counsel for the Senate Select Committee on Intelligence. She left government in 2006 around the time Stuxnet was being proposed and prepared.
47 Stephen Cobb, “The Negative Impact on GDP of State-Sponsored Malware Like Stuxnet and Flame,” We Live Security blog, June 13, 2012, available at blog.eset.com/2012/06/13/impact-on-gdp-of-state-sponsored-malware-like-stuxnet-and-flame.
48 William A. Owens, Kenneth W. Dam, and Herbert S. Lin, (eds.), “Technology, Policy, Law, and Ethics Regarding US Acquisition and Use of Cyberattack Capabilities,” National Academies Press, 2009, available at: steptoe.com/assets/attachments/3785.pdf.
49 Ellen Nakashima, “List of Cyber-Weapons Developed by Pentagon to Streamline Computer Warfare,” Washington Post, May 31, 2011.
50 Lolita Baldor, “Pentagon Gets Cyberwar Guidelines,” Associated Press, June 22, 2011, available at usatoday30.usatoday.com/news/military/2011-06-22-pentagon-cyber-war_n.htm.
51 Glenn Greenwald and Ewen MacAskill, “Obama Orders US to Draw Up Overseas Target List for Cyber-Attacks,” Guardian, June 7, 2013. Presidential Policy Directive 20 was issued in October 2012, according to the paper.
52 All quotes from Lin in this chapter come from an author interview in January 2014.
53 “International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World,” The White House, May 2011, available at whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf.
54 Siobhan Gorman and Julian E. Barnes, “Cyber Combat: Act of War,” Wall Street Journal, May 30, 2011.
55 Carroll, “Cone of Silence.”
56 Michael N. Schmitt, general editor, Tallinn Manual on the International Law Applicable to Cyber Warfare, NATO Cooperative Cyber Defence Centre of Excellence, available at ccdcoe/org/249.html.
57 Many in the media and government have called the denial-of-service attacks against Estonian websites cyberwarfare, but they don’t qualify as such. The attacks, launched by a botnet of 85,000 machines in 2007, persisted for three weeks and, at their peak, bombarded nearly sixty websites, knocking Estonia’s largest bank offline as well as government sites. But when Estonia pointed the finger at Russia as the source of the attacks and sought help from NATO by attempting to invoke the collective self-defense agreement under Article 5 of the North Atlantic Treaty Organization, it was rebuffed. NATO determined that the attack did not constitute an armed attack under the treaty. The problem lay in the fact that the EU and NATO had not previously defined the obligations of its member states in the event of a cyberattack against one of them. NATO had also not defined a cyberattack as a clear military action, therefore Article 5 did not automatically come into play. Under Article 5 “an armed attack against one or more [members] in Europe or North America shall be considered an attack against them all.” In the event of such an attack, each member is expected to “assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area.”
Estonian prime minister Andrus Ansip challenged NATO’s conclusion, however, asking, “What’s the difference between a blockade of harbors or airports of sovereign states and the blockade of government institutions and newspaper websites?” (See Thomas Rid, “Think Again: Cyberwar,” Foreign Policy, February 27, 2012, available at foreignpolicy.com/articles/2012/02/27/cyberwar.) The question is a valid one that has not been adequately resolved. If blocking commercial shipments can be an act of war, would thwarting e-commerce be the equivalent in cyberspace? And what kind of response would it merit? In 2010, NATO attempted to resolve the question by concluding that if an ally were hit with a cyberattack, NATO would help defend the victim’s networks, but the assistance fell short of offering to help a victim conduct a counterattack.
58 Author interview with Brown, February 2014.
59 Harold Koh, former legal adviser to the State Department, speaking at the US CyberCom Inter-Agency Legal Conference at Fort Meade in September 2012, asserted that the government’s position was that a use of force was the same as an armed attack. “In our view, there is no threshold for a use of deadly force to qualify as an ‘armed attack’ that may warrant a forcible response.” See state.gov/s/l/releases/remarks/197924.htm.
60 Author interview with Libicki, October 2012.
61 All quotes from Lotrionte come from author interview, February 2014.
62 Cilluffo was speaking at a hearing on the “Iranian Cyber Threat to the US Homeland” for a Joint Subcommittee Hearing of the Committee on Homeland Security, April 26, 2012, available at gpo.gov/fdsys/pkg/CHRG-112hhrg77381/pdf/CHRG-122hhrg77381.pdf.
63 Brown has writ
ten a paper on the issue. See Gary D. Brown and Andrew O. Metcalf, “Easier Said Than Done: Legal Reviews of Cyber Weapons,” Journal of National Security Law and Policy, published by Georgetown Law, February 12, 2014, available at jnslp.com/wp-content/uploads/2014/02/Easier-Said-than-Done.pdf.
ACKNOWLEDGMENTS
When I first began writing about Stuxnet after its discovery in the summer of 2010, there was no way to know where it would lead. It wasn’t until months later, after the Symantec researchers and Ralph Langner’s team dug into it further, that it became clear that there was a larger story that needed to be told—not only about the attack on Iran’s centrifuges and the discovery of the world’s first digital weapon but about the security community and its changing nature at the dawn of the era of cyber warfare. It’s a cliché to say that something is a game-changer, but Stuxnet really is. Everything in malware that occurred prior to its appearance might well be labeled BS—Before Stuxnet—since the code that came before it represented simpler, more innocent times when the motives and ambitions of attackers were more straightforward and easier to discern.
If Stuxnet was a challenge to decipher, the writing of this book was equally so. Combining a narrative structure with complex technical details and a political-historical context that was as convoluted as the code, while still offering a compelling read and doing justice to the intense labor that researchers invested in their analysis of the code, was not an easy task, especially when the subject of that narrative turned out to be a moving target.
As I began the book in earnest in early 2012, everything we thought we knew about Stuxnet had to be revised as one new discovery after another was made—first with Duqu, then with Flame, and then, in early 2013, with the unveiling of Stuxnet 0.5, the first known version of the digital weapon to be found. And the target is still moving today.