Stuxnet marks the start of the next security arms race

Jan 25, 2011 | 3 mins
Data and Information Security | Government | Malware

More damaging to Iran's nuclear facilities than bombs, Stuxnet worm demonstrates cyber warfare is next big threat

More information about Stuxnet continues to dribble out, and each new fact and rumor never fails to astound me. As covered by InfoWorld’s Robert Lemos, the New York Times reported that a U.S.-Israeli team accessed inside information in creating Stuxnet to wreak havoc on Iran. Most of the report was anonymously sourced, so it’s impossible to tell how much of it’s true. Still, the tone doesn’t seem overly speculative — and suggests Stuxnet is a revealing study in the future of cyber warfare, with potentially greater damaging force than a heavy bomb attack.

Stuxnet was easily the world’s most successful cyber warfare attack to date and an incredible study in the future of the field. If the Times article is correct, the programming code of Stuxnet was more effective than any bomb run could have been. While the Stuxnet worm was purportedly spinning the Iranian nuclear facility’s centrifuges to the point of damage, it was simultaneously sending false “Everything is OK” signals to the control equipment, and the engineers sat by (at least initially) as the destruction occurred.

Most nuclear facilities are air-gapped, meaning that it’s relatively difficult to get the destructive worm into its target site or sites. To counter these protective measures, it seems that the original Stuxnet coders either had trusted insiders initiating the worm’s spread or relied upon compromised USB keys or management computers.

A lot of readers have commented on how a U.S. laboratory worked with Siemens (the vendor of the centrifuges’ control equipment) to find exploits not known by the general public. Although this might seem alarming at first, we have to assume cyber warfare groups have been doing the same with general-purpose operating systems, applications, and war-specific equipment. Most cyber warfare groups are likely to be sitting on dozens to hundreds to thousands of nonpublic exploits, ready to use when needed.

Heck, it would be negligent for a cyber warfare team not to have such inventory. I know for sure the United States was doing similar research at least five years ago, when a friend began working for a military subcontractor and described to me his general role. Other countries have probably been doing this for a long time, along with most crimeware organizations. It’s the world we’ve been living in for a while.

How can end-users and vendors fight back? The obvious answer is to work hard (or harder) at finding vulnerabilities and closing them before they can be used against a general populace. Vendors of general OSes and apps are continually updating their wares, including making them more secure; the vendors of firmware and SCADA (supervisory control and data acquisition) software really need to get started on fixing vulnerabilities. Until now, these vendors haven’t had a significant incentive to proactively find and eliminate vulnerabilities.

But now that their products are under attack, they need to realize they’re involved in what has previously been a very asymmetric battle. Stronger products with fewer vulnerabilities help everyone. The city/state-funded cyber warfare gangs will always find and securely store found vulnerabilities; I’d like to make it a little harder for the professional criminals and less restrained attackers to cause large problems.

With the announcement of the purported success of Stuxnet, the next-generation arms race is on. Ironically, while Stuxnet has possibly slowed down the international proliferation of nuclear arms, it’s also officially launched the next big weapons battle.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.