"Son of Stuxnet", the Rules of War, and the New Cyber Arms Race

October 19, 2011


A product of the defence procurement process at DSEi, London, September 16 2011

There's an interesting post on Foreign Policy magazine's website today, about Duqu, an apparent derivative of Stuxnet that was discovered last week. According to this report, by Nick Hopkins in the Guardian, it appears to be in an information-gathering phase - something that Stuxnet did before it apparently succeeded in its aim of disrupting the centrifuges at a uranium enrichment facility in Iran. In his piece, Blake Hounshell, FP's managing editor, asks whether another major cyber attack on part of a nation's computer-dependent infrastructure may be in the offing, and whether the original virus-weapon may now be in the hands of criminals or terrorists. These are valid and worrying questions; but they may not be the most urgent ones to be asking.

Amid all the coverage of Stuxnet (and there's lots of it, but by far the best I've come across is Kim Zetter's magnum opus for Wired), I keep on seeing the same two facts through the fog. Neither seems to have been clearly delineated - they're more like black holes, only visible by their absence. The first is that although it is possible to detect a cyber attack once it's underway (even if, as with Stuxnet, detection can take many months) - or even, as with Stuxnet and Duqu, to identify malicious code before it's done anything permanently destructive - it is pretty much impossible, at present, to accurately and definitively attribute an attack to a specific author or even to a geographic point of origin. The second is that while certain nation states may well have been the ones to benefit from the effect that Stuxnet delivered, it does not automatically follow that the code was written by employees of those nations' governments.

The real authors of Stuxnet are almost certainly not in Fort Meade or Tel Aviv, clocking in to their desk jobs at the NSA or the Mossad. In the same way that nobody sits in MoD Main Building in Whitehall and actually designs or builds Dual Mode Seeker Brimstone missiles, it seems unlikely that governments would go to the considerable trouble and expense of creating their own in-house cyber weapons divisions. Much more likely is that things work in cyber just as they do in the realms of air, sea and land warfare. Governments will likely prefer to remain customers - albeit very well-informed ones - and restrict themselves to defining the task and outlining the requirement. Whether that requirement is for a stealth fighter jet able to carry a certain amount of air-to-air and air-to-ground weapons, or a computer virus capable of making a particular uranium enrichment complex's centrifuges self-destruct, it is surely more likely that the customer will contract out the work of building the weapon itself to a specialist third party.

So, at DSEi last month, I spent a couple of days asking multinational arms companies about their cyber warfare portfolios. Most offer solutions to businesses, utilities or government departments who have strong and obvious requirements to keep their in-house computer systems secure and functional. But the minute you ask them about offensive cyber capabilities, they begin to shuffle a bit and look at their shoes. Even off the record, they let very little slip. Confidential, unattributable conversations I had during the exhibition revealed no substantive, hard detail, but the overall impression is clear: whether by merger and acquisition, recruitment, or partnership, the kinds of companies that manufacture physical weapons are all - probably; quietly; discreetly - readying cyber weapons that can be used to strike at an adversary's systems. (The author and journalist Joseph Menn came to similar conclusions in his series of articles on cyber in last week's FT.)

Frankly, defence contractors would be mad not to be readying offensive cyber products; and their shareholders would be disappointed if they weren't. While spending on ships, aircraft and ground vehicles is contracting, the budgets for cyber are getting bigger, with Britain's Strategic Defence and Security Review committing the country to spending £650m on the sector by the next election. A year on from that announcement, detail is still lacking on precisely how the money will be spent: and the cynic's supposition remains that the detail is of less importance in government circles than the ability the announcement affords to be seen to be doing something about a large and growing problem everyone acknowledges but relatively few understand. The language of the SDSR hinted at offensive cyber as a growth area, and just yesterday, in an interview with The Sun, the Foreign Secretary, William Hague, appeared to announce that Britain already had an offensive cyber arsenal.

But are these hush-hush cyber weapon development efforts proactive on the part of business - the equivalent of building a single prototype of a stealth tank, for example (see photo above, and link here), just to prove that you can do it, but without having a customer ready to buy it? Or are they in response to already existing requirements from customers in the UK, the US, or other nations? Nobody is saying. And the reason why they're not saying (as well as the reason why Hague is keen to ensure no-one knows just what Britain is capable of in cyber terms) has a great deal to do with that other problem - the issue of attribution.

No government is willing to risk being seen as the nation who fired the first shot in a cyber war. Apart from anything else, no-one knows how international law applies to cyber weapons, either in terms of their use, their manufacture or their sale. Worse, even the lowest-collateral cyber weapon may have unintended and unimagined after-effects. Unlike a bullet, which hits its target and stops, a cyber weapon potentially carries on working after it's finished doing what it was built to do: Stuxnet itself spread to tens of thousands of computers that had nothing to do with its target, and it was only discovered because it did. Crippling Iran's nuclear program might sound like something a western government would want to brag about: but you might not be quite as pleased with your handiwork if the virus later ends up accidentally shutting down the power supply to a hospital somewhere. Also, if your country is identified as the one that "fired" the cyber salvo, your own systems are likely to be seen as legitimate targets for reprisals - whether formally, if the initial attack is considered an act of war under international law, or informally, as seems to have happened when the massive denial-of-service attacks that knocked out Estonian government, banking and media websites for weeks in 2007 were revealed as (possibly and quite plausibly, at least in part) an impromptu bombardment by large numbers of private Russian computers.

While Stuxnet investigators have uncovered clues that seem to circumstantially link the virus to Israel, nobody has found the digital equivalent of fingerprints on it; and it seems unlikely, at this point, that anyone ever will. The clues that do turn up in malware - compile timestamps, language settings, fragments of file paths, reused code - are all things an author can plant or scrub at will, so they are as likely to be false flags as fingerprints. But even if investigators do find something solid, they're more likely to trace it back to a commercial entity rather than the defence ministry or clandestine service of the nation that commissioned it. There are clear benefits for governments in this arrangement. That way, even if someone does finally manage to work out who was behind it, there won't be any way of retaliating. In the rules of war, you're entitled to strike back against the adversary, not the person or company or country who built the adversary's weapon. And the kinds of agencies that might have supplied the information the authors of a precisely targeted weapon such as Stuxnet would have needed are precisely the types of institution most intimately familiar with the concept of plausible deniability.

So who is writing worms like Stuxnet and Duqu if it's not nation states? Maybe not one of the big defence conglomerates; more likely a small startup, probably created and staffed by former penetration testers and ethical hackers, maybe located in offices carved out of some old hotel in a city many miles from western militaries' power centres. Symantec's researchers were astonished that Stuxnet exploited as many as four zero-day vulnerabilities - that is, flaws in the Windows systems it infected that were unknown to the software's vendor, and for which no patch existed, when the attack began: yet one small and secretive US company, founded only three years ago, appears to have offered packages of 25 zero-day exploits, every year, to any client willing to pay its asking price of $2.5m per annum. Whether anyone has as yet taken them up on their offer remains unknown.

I've been working on a piece that explores some of these issues, particularly the legal ones, on and off for most of this year. It's due out in the Seven section of the Sunday Telegraph some time next month, and I'll post a link to it here once it's live. I've not done any research on Duqu yet, so I've got nothing definitive to say on that specifically. However, while it wouldn't surprise me if it turned out to have been written by the same people who wrote Stuxnet, that shouldn't necessarily imply that it was created for the same customer. It may be that some outside actor has succeeded in getting enough people with enough coding skill together for long enough to have them take the Stuxnet code and repurpose it: but it seems much more likely that the same private company has taken its proven baseline weapon and developed it to a different set of parameters, either for the same customer who bought Stuxnet, or for someone else.

The most worrying part is that we'll almost certainly never know the truth. And that is why, for what little it's worth, I'm hoping that events like next month's London Conference on Cyberspace might start to see nations opening up about their offensive cyber capabilities and intentions, or at least acknowledging that work is proceeding apace in that area. But that remains, as I say, a hope: it's by no means an expectation.


Comments will be subject to approval and should not be defamatory, obscene, racist, in breach of copyright, or contrary to law. Neither Angus Batey nor the site host is responsible for any views expressed here.