Stuxnet and a Discussion about Weapons Responsibility

Have you heard of Stuxnet? If you haven't, you're in luck, because I'm a defense industry programming geek, and I'm about to give you a little bit of enlightenment. If you have, stick around anyway, because you'll get to hear me gush about it, and then get a little bit of my thoughts about weapons responsibility in the current technology age, and where I think it's going.

So, here's a 10,000-foot view of Stuxnet. Stuxnet was a computer virus that was uncovered in 2010 after shutting down computers at offices in Iran. A Belarusian security company with business in Iran was notified of its clients' technical problems and discovered the virus was responsible. They quickly realized they had a special circumstance on their hands, and the entire cyber security industry was soon slack-jawed with amazement at what they found.

A team of programmers at Symantec quickly started unraveling the code line by line, and found they were dealing with something the likes of which had never been seen before. Most malware is made quickly and imperfectly, to snipe financial information from people, or in some cases to wreak havoc for havoc's sake. The average worm is a small program that is simple in its execution; millions of them are deployed a year. Stuxnet was 20-30 times larger than the average virus, and truly written as perfect code. It was real-life James Bond level sabotage, and it quickly became apparent that it must have been sponsored by a state.

A couple of the things that make Stuxnet so unique start with its delivery system. A computer virus has a couple of parallels to a conventional missile. It needs both a delivery system (the thing that powers it to its destination) and the actual warhead, or weapons payload, that either steals, corrupts, or destroys data. In the Stuxnet virus, there was a very rare kind of exploit called a zero day vulnerability. These are real unicorns in the cyber security realm. A zero day vulnerability is an undisclosed security vulnerability (in this case in the Windows OS, although they can affect other systems, browsers, or programs); they go for hundreds of thousands of dollars in the black and gray markets, because as soon as they are discovered they are patched. Many of the large computer and software companies also pay bounties, so if a bug is discovered, the person who reports it to the company can get paid. Not only did Stuxnet use one zero day, it had FOUR. Paying for the exploits alone could cost nearly a million dollars on the black market. Clearly the average teenage hacker trying to skim money for Pokémon cards would not be able to afford this level of investment. To burn all four exploits simultaneously was another curious choice; clearly wherever the creators wanted to attack, they were willing to pay very high stakes to get there.

The second part of a virus, after the delivery system, is the payload. In this case, there was another first-time situation. After lots of research and work, the analysts discovered that Stuxnet was targeting a very specific set of machines made by Siemens: a type of industrial computer called a "Programmable Logic Controller", or PLC. PLCs are used to control industrial processes, in applications from power plants, to assembly line production, to water purification plants, or... nuclear power plants. Further digging (I'm skipping a lot here) revealed that Stuxnet was specifically targeting PLCs at nuclear sites in Iran. The virus was discovered on millions of machines around the world, but didn't do anything except lie dormant and spread itself... until it hit the uranium enrichment facilities in Iran.

So what happened once it was there? Well, this exceptional piece of perfect sabotage, after establishing it was on the exact machines it needed to be on, slipped into the controls for the centrifuges that make nuclear material. It would lie dormant for 13 days and record the behavior of the centrifuge monitors. Centrifuges enrich uranium in "cascades"; they spin the uranium at very specific and delicate speeds to mesh the atoms into a stronger material. Most nuclear power plants use 3% enriched uranium; weapons grade is above 70%. The Iranian material was well above those levels when the centrifuges were working. What Stuxnet did to the centrifuges was adjust the drive frequency from 1,064 hertz to 1,410 hertz for 15 minutes. The process is so delicate that this was enough to throw the centrifuges off center and ruin them. While the engineers were hearing the changes (the affected centrifuges were clearly making a loud sound they were NOT supposed to make), the virus was replaying the recorded data from the previous 13 days on the monitoring displays. A few days later, it would do the opposite, and slow the revolutions of the centrifuge down to a few hundred RPM. And this went on for a few YEARS without being uncovered.
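
The two tricks just described, a drive frequency pushed far outside its normal band and a monitoring display that replays earlier recordings, are exactly what a plant-side plausibility check should look for. Below is an added example (not code from the original post, and not how any real Siemens product works) that checks the operator display against an independently wired sensor; the safe band, the 5 Hz tolerance and all readings are constructed values for the example.

```python
# Added example, not code from the original post. A plausibility check for
# centrifuge drive telemetry that looks for the two tricks described above:
# a drive frequency pushed out of its safe band, and a monitoring display
# that merely replays a window of earlier readings. All data is constructed.

# Assumed safe band in hertz (constructed for the example; the post cites a
# normal 1,064 Hz and an attack value of 1,410 Hz).
SAFE_BAND_HZ = (1000.0, 1100.0)


def out_of_band(readings, band=SAFE_BAND_HZ):
    """Indices of readings outside the safe band."""
    lo, hi = band
    return [i for i, hz in enumerate(readings) if not lo <= hz <= hi]


def replay_windows(readings, window):
    """(start, earlier_start) for each window of `window` consecutive readings
    that exactly repeats a non-overlapping earlier window. Real sensor noise
    does not repeat bit-for-bit, so an exact repeat is a replay signal."""
    seen, hits = {}, []
    for start in range(len(readings) - window + 1):
        key = tuple(readings[start:start + window])
        if key in seen and seen[key] + window <= start:
            hits.append((start, seen[key]))
        else:
            seen.setdefault(key, start)
    return hits


def check_telemetry(displayed, measured, window, tolerance_hz=5.0):
    """Compare the operator display with an independent measurement (e.g. a
    separately wired sensor) and return all findings in one dict."""
    disagree = [i for i, (d, m) in enumerate(zip(displayed, measured))
                if abs(d - m) > tolerance_hz]
    return {
        "display_replayed": replay_windows(displayed, window),
        "measured_out_of_band": out_of_band(measured),
        "display_disagrees": disagree,
    }


# Constructed sample: six noisy normal readings, then the same six replayed on
# the display while the independent sensor actually sees 1,410 Hz.
NORMAL = [1064.1, 1063.8, 1064.3, 1064.0, 1063.7, 1064.2]
DISPLAYED = NORMAL + NORMAL
MEASURED = NORMAL + [1410.0] * 6

if __name__ == "__main__":
    print(check_telemetry(DISPLAYED, MEASURED, window=6))
```

The replay check only works against an exact repeat; a real deployment would also want a second, independent sensor path so the display cannot be the only source of truth, which is the point of the `measured` argument.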

Stuxnet perfectly covered its tracks so that it was nearly impossible to find it at first. It hid itself from programmers, and spread its attack thin enough that no one was quite sure what was responsible.

What was ultimately the tipoff was that whoever made Stuxnet got impatient and put the four zero days in, ensuring widespread dissemination, and therefore a high likelihood of discovery. And discovery happened.

When it was discovered, it was discovered on PLCs all over the world, and made the cyber security industry work itself into an awed tizzy while they tried to figure out what it was for. It's hard to quickly state how perfect the software was, but it was akin to an SR-71 doing a low flyby on the Wright Brothers at Kitty Hawk. But now it was out there, and known, and the revolutionary theories that made it work were, for better or worse, in the hands of the worldwide community.

You see, unlike a conventional weapon that destroys itself upon detonation, the entire blueprint of a virus is retained in its full form wherever it goes, especially when it's made for wide dissemination, and even if it never deploys its warhead.

So now the worldwide cyber community had a blueprint for a perfect cyber weapon. And in fact, we've already seen several of the features used in attacks since then. So the question that is now asked between the world powers is, "Should we have a cyber weapons treaty?" 

And that's what I find really interesting. Because I think it's a question that is coming from the wrong perspective, in a way. I do think there's room for cyber weapons treaties, as we have nuclear treaties and bioweapons treaties. But I also think the conversation is sort of missing the point. Because nuclear and bioweapons DO have similarities to cyber weapons, in that they can affect human populations on a total warfare scale. A city or country can be decimated by cyber sabotage of critical systems like the power grid, communications, and water systems. Absolutely. But the difference between a cyber weapon and nuclear or biological weapons (or any other weapon in history) is that, also in the realm of "total warfare", a cyber weapon that can affect millions does not need to be deployed by a nation state. For the first time, an individual with technical acumen and a dearth of compassion could act with the power of a state. What I mean by this is that an individual (or handful of individuals) with the right skill set and knowledge is coming very close to the point where they can affect the same number of people as a conventional weapon, thereby having state level power... with just a laptop and an internet connection. It's not a matter of if, it's a matter of when.

As we increasingly see botnets interacting with the "internet of things" (i.e. common devices like washing machines, refrigerators, printers, and so on, with Wi-Fi connections), we are rapidly approaching the tipping point between convenience and losing it all. The solution is increased security, of course, but no one likes to pay more for security, so it gets left behind. The more our lives intertwine, the more vulnerable we are to this sort of attack. And a cyber weapons treaty isn't enough to prevent it from happening, when in the near future individuals will have more power than states in certain circumstances.

PLCs are a great thing, but if we don't close the gap as quickly as possible between security and vulnerability, someone somewhere will pay the cost. Thank goodness the first true cyber weapon was perfectly created and resulted in no collateral damage in its first attacks. It's too bad the intelligence is now out there for others with less good intentions to hone and redeploy.

So the next time you hear someone complaining about the overreach of the NSA or cyber government programs, don't forget the overreach of individuals that they are trying to protect us from. I'm all for Iranian centrifuges getting shut down, but I shudder to think of PLCs getting affected in civilian areas. Thank you to the watchers and the guardians in the cyber wars, because without them we are truly alone in a dark night, and the wolves are always at the door.