Stuxnet and the Limits of Cyber Warfare

Security Studies

Volumn 22, Issue 3, 2013, Pages 365-404

  Lindsay, Jon R ^a  

^a University of California Institute on Global Conflict and Cooperation and University of California San Diego School of Global Policy and Strategy   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 84881657193     PISSN: 09636412     EISSN: 15561852     Source Type: Journal    
DOI: 10.1080/09636412.2013.816122     Document Type: Article

References (167)

1. The original announcement of "Rootkit. TmpHider" was posted by Sergey Ulasen of VirusBlokAda on an information security forum on 12 July 2010, http://www.anti-virus.by/en/tempo.shtml. For an accessible account of Stuxnet's discovery see Kim Zetter, "How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History, " Wired Threat Level Blog, 11 July 2011, http://www.wired.com/ threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet.
2. For an accessible account of Stuxnet's discovery see Kim Zetter, "How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History, " Wired Threat Level Blog, 11 July 2011, http://www.wired.com/ threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet.
3. Aleksandr Matrosov, Eugene Rodionov, David Harley, and Juraj Malcho, "Stuxnet under the Microscope, " ESET, white paper, 20 January 2011. The dubious honor of "most sophisticated malware" has perhaps passed to a Stuxnet relative named Duqu or to the Flame spyware (which is twenty times the file size of Stuxnet).
4. Mark Clayton, "Stuxnet Malware Is 'Weapon' Out to Destroy. Iran's Bushehr Nuclear Plant?" Christian Science Monitor, 21 September 2010.
5. David E. Sanger, "Obama Order Sped Up Wave of Cyberattacks Against Iran, " New York Times, 1 June 2012.
6. William J. Broad, John Markoff, and David E. Sanger, "Israel Tests on Worm Called Crucial in Iran Nuclear Delay, " New York Times, 15 January 2011.
7. Mark Clayton, "The New Cyber Arms Race, " Christian Science Monitor, 7 March 2011, ("cyber equivalent").
8. "Russia Says Stuxnet Could Have Caused New Chernobyl, " Reuters, 26 January 2011.
9. Sanger, "Obama Order. "
10. Arguments for the Cyber Revolution thesis by former senior US officials include Mike McConnell, "Cyberwar is the New Atomic Age, " New Perspectives Quarterly 26, no. 3 (Summer 2009): 72-77.
11. Richard A. Clarke and Robert Knake, Cyber War: The Next Threat to National Security and What to Do about It (New York: Harpercollins, 2010)
12. Joel Brenner, America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare (New York: Penguin Press, 2011).
13. On Stuxnet as an RMA, see James P. Farwell and Rafal Rohozinski, "Stuxnet and the Future of Cyber War, " Survival 53, no. 1 (February-March 2011): 23-40
14. Joseph S. Nye Jr., "Nuclear Lessons for Cyber Security?" Strategic Studies Quarterly 5, no. 4 (Winter 2011)
15. Paulo Shakarian, "Stuxnet: Cyberwar Revolution in Military Affairs, " Small Wars Journal (April 2011)
16. Sean Collins and Stephen McCombie, "Stuxnet: The Emergence of a New Cyber Weapon and Its Implications, " Journal of Policing, Intelligence and Counter Terrorism 7, no. 1 (2012): 80-91.
17. Remarks by Secretary Panetta on Cybersecurity to the Business Executives for National Security, US Dept. of Defense, New York City, 11 October 2012, http://www.defense.gov/transcripts/transcript.aspx? transcriptid=5136.
18. Barack Obama, "Taking the Cyberattack Threat Seriously, " Wall Street Journal, 19 July 2012.
19. "Senate Select Intelligence Committee Holds Hearing on Worldwide Threats, " Defense Intelligence Agency, 31 January 2012, http://www.dia.mil/public-affairs/testimonies/2012-01-31.html.
20. Adm. Mike Mullen, quoted in Marcus Weisgerber, "DoD to Release Public Version of Cyber Strategy, " Defense News, 8 July 2011. This is an astonishing claim coming from a man well familiar with the world's nuclear arsenals.
21. James A. Lewis and Katrina Timlin, Cybersecurity and Cyberwarfare: Preliminary Assessment of National Doctrine and Organization (Washington, DC: Center for Strategic and International Studies, United Nations Institute of Disarmament Research, 2011).
22. See inter alia, Nicholas Burns and Jonathon Price, Securing Cyberspace: A New Domain for National Security (Aspen, CO: Aspen Institute, 2012).
23. Kristin M. Lord and Travis Sharp, America's Cyber Future: Security and Prosperity in the Information Age (Washington DC: Center for a New American Security, 2011)
24. David J. Betz and Timothy C. Stevens, "Cyberspace and the State: Toward a Strategy for Cyber-Power, " International Institute for Strategic Studies (IISS) Adelphi Paper, no. 424 (2011)
25. Paul Cornish, David Livingstone, Dave Clemente, and Claire Yorke, "On Cyber Warfare, " Royal Institute of International Affairs, Chatham House Report (November 2010)
26. Franklin D. Kramer, Stuart H. Starr, and Larry K. Wentz, eds., Cyberpower and National Security (Washington, DC: National Defense University Press, 2009).
27. Adam P. Liff, "Cyberwar: A New 'Absolute Weapon'? The Proliferation of Cyberwarfare Capabilities and Interstate War, " Journal of Strategic Studies 35, no. 3 (June 2012).
28. On the direct technical effects of Stuxnet on Iranian computer systems, I draw on forensic investigation by computer security firms Symantec, ESET, and Langner Communications; Nicolas Falliere, Liam O Murchu, and Eric Chien, "W32. Stuxnet Dossier, version 1.4, " Symantec, 4 February 2011, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_ stuxnet_dossier.pdf.
29. Aleksandr Matrosov, Eugene Rodionov, David Harley, and Juraj Malcho, "Stuxnet under the Microscope, version 1.31, " white paper, ESET, 20 January 2011, http://go.eset.com/us/resources/ white-papers/Stuxnet_Under_the_Microscope.pdf
30. For a detailed history of computerization in the American private and public sector, see James W. Cortada, The Digital Hand, 3 vols. (New York: Oxford University Press, 2004-2008).
31. William A. Owens, Kenneth W. Dam, and Herbert S. Lin, eds., Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities (Washington, DC: National Academies Press, 2009).
32. Ross Anderson, Chris Barton, Rainer Bohm, Richard Clayton, Michel J. G. Van Eeten, Michael Levi, Tyler Moore, and Stefan Savage, "Measuring the Cost of Cybercrime, " Proceedings of the Workshop on the Economics of Information Security (June 2012).
33. Kirill Levchenko et. al, "Click Trajectories: End-To-End Analysis of the Spam Value Chain, " Proceedings of the IEEE Symposium and Security and Privacy (May 2011): 431-46
34. Misha Glenny, DarkMarket: How Hackers Became the New Mafia (New York: Vintage, 2011)
35. Bryan Krekel, Patton Adams, and George Bakos, "Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage, " prepared for the USChina Economic and Security Review Commission by Northrop Grumman, 7 March 2012.
36. Gauss: Abnormal Distribution, Kaspersky Lab Global Research and Analysis Team Report, August 2012, http://www. securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution.
37. Christian Czosseck, Rain Ottis, and Anna-Maria Talihärm, "Estonia after the 2007 Cyber Attacks: Legal, Strategic and Organisational Changes in Cyber Security, " Journal of Cyber Warfare and Terrorism 1, no. 1 (2011).
38. John Bumgarner and Scott Borg, "Overview By the US-CCU of the Cyber Campaign Against Georgia in August of 2008, " US Cyber Consequences Unit Report, August 2009
39. Evgeny Morozov, The Net Delusion: The Dark Side of Internet Freedom (New York: PublicAffairs, 2011).
40. Military doctrine has not stabilized for cyber concepts yet, and debate continues on the distinctions between cyber warfare, computer network operations, information operations, electronic warfare, etc. In this paper I focus on the use of computer hacking to cause mechanical damage in the service of strategic objectives. Cyber warfare clearly encompasses the tactical modalities of cyber attack (degredation of normal hardware or software functionality), exploitation (covert theft or use of data or computational resources), and defense (efforts to prevent adversarial attack or exploitation); my emphasis in this paper is on the primary aggressive move of attack.
41. David A. Fulghum, "Why Syria's Air Defenses Failed to Detect Israelis, " Aviation Week, Ares Blog, 3 October 2007.
42. Ellen Nakashima, "U.S. Accelerating Cyberweapon Research, " Washington Post, 18 March 2012.
43. Raphael Satter, "US General: We Hacked the Enemy in Afghanistan, " Associated Press, 24 August 2012.
44. Martin Libicki, Cyberdeterrence and Cyberwar (Santa Monica, CA: RAND, 2009) distinguishes "operational cyberwar-cyberattacks to support warfighting" from "strategic cyberwar, cyberattacks to affect state policy".
45. Joseph Weiss, Protecting Industrial Control Systems from Electronic Threats (New York: Momentum Press, 2010).
46. Anna Mulrine, "CIA Chief Leon Panetta: The Next Pearl Harbor Could Be a Cyberattack, " Christian Science Monitor, 9 June 2011.
47. James Adams, The Next World War: The Weapons and Warriors of the New Battlefields of Cyberspace (London: Arrow, 1998)
48. John Arquilla and David F. Ronfeldt, Networks and Netwars: The Future of Terror, Crime, and Militancy (Santa Monica, CA: RAND, 2001).
49. Widely cited as an example of supply-chain sabotage is an elaborate 1982 counterintelligence operation in which the CIA allegedly tampered with Canadian software that the Soviets planned to steal. Once the Soviets installed it in controllers on the Trans-Siberian oil pipeline, this Trojan horse caused "the most monumental non-nuclear explosion and fire ever seen from space" and "significant damage to the Soviet economy, " according to Thomas C. Reed, At the Abyss: An Insider's History of the Cold War (New York: Random House, 2004), 268-69.
50. Marcelo Soares, "Brazilian Blackout Traced to Sooty Insulators, Not Hackers, " Wired Threat Level Blog, 9 November 2009, http://www.wired. com/threatlevel/2009/11/brazil_blackout
51. On the INL Aurora demonstration, see Jeanne Meserve, "Staged Cyber Attack Reveals Vulnerability in Power Grid, " CNN, 26 September 2007.
52. On the historical absence of cyberwar, see Sean Lawson, "Beyond Cyber-Doom: Assessing the Limits of Hypothetical Scenarios in the Framing of Cyber-Threats, " Journal of Information Technology & Politics 10, no. 1 (December 2012): 86-103
53. Michael Stohl, "Cyber Terrorism: A Clear and Present Danger, the Sum of All Fears, Breaking Point or Patriot Games?" Crime, Law and Social Change 46, nos. 4-5 (December 2006): 223-38.
54. Bill Gertz, "Computer-Based Attacks Emerge As Threat of Future, General Says, " Washington Times, 13 September 2011. Alexander also cited "the August 2003 electrical power outage in the Northeast U.S. that was caused by a tree damaging two high-voltage power lines. Electrical power-grid software that controlled the distribution of electricity to millions of people improperly entered 'pause' mode and shut down all power through several states. "
55. William J. Lynn III, "Defending a New Domain: The Pentagon's Cyberstrategy, " Foreign Affairs 89, no. 5 (September-October 2010): 97-108, quote at 98-99.
56. Obama, "Taking the Cyberattack Threat Seriously. "
57. These and other trends lowering barriers to entry for cyber attack are described in Kenneth J. Knapp and William R. Boulton, "Cyber-Warfare Threatens Corporations: Expansion Into Commercial Environments, " Information Systems Management (Spring 2006).
58. Clayton, "The New Cyber Arms Race. "
59. Scott Borg, "Economically Complex Cyberattacks, " IEEE Security and Privacy 3, no. 6 (December 2005): 64-67.
60. A classic example of malformed input is a buffer overflow attack in which the attacker provides an input parameter larger than the space allocated for it by the programmer, who has failed to check the length of the input; the input string thus overwrites memory for the function's internal control variables, which were supposed to be inaccessible but can now be changed arbitrarily. Note that some types of attacks exploit physical connections rather than logical inputs. Although most malware goes through the front door to exploit programming flaws, side channel attacks can exploit information from the physical implementation of a system, such as excess heat generated by correct passwords. Furthermore, even the best-designed systems can and often do fail through social engineering techniques, such as phishing scams that exploit human gullibility.
61. Andy Greenberg, "Shopping for Zero-Days: A Price List for Hackers' Secret Software Exploits, " Forbes, 23 March 2012, http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-forzero-days-an-price-list-for-hackers-secret-software-exploits/.
62. See Marti Motoyama, Kirill Levchenko, Chris Kanich, Damon Mccoy, Geoffrey M. Voelker, and Stefan Savage, "Re: CAPTCHAs-Understanding Captcha-Solving from an Economic Context, " Proceedings of the USENIX Security Symposium, Washington, DC, August 2010.
63. "Senate Select Intelligence Committee Holds Hearing on Worldwide Threats, " Defense Intelligence Agency, 31 January 2012, http://www.dia.mil/public-affairs/testimonies/2012-01-31.html.
64. Ross Anderson and Tyler Moore, "The Economics of Information Security, " Science 27, no. 5799 (October 2006): 610-13.
65. Terrence August and Tunay I. Tunca, "Network Software Security and User Incentives, " Management Science 52, no. 11 (November 2006): 1703-720
66. Johannes M. Bauer and Michel J. G. Van Eeten, "Cybersecurity: Stakeholder Incentives, Externalities, and Policy Options, " Telecommunications Policy 33, no. 10 (2009): 706-19
67. Ludovic Piètre-Cambacédès, Marc Tritschler, and Göran N. Ericsson, "Cybersecurity Myths on Power Control Systems: 21 Misconceptions and False Beliefs, " IEEE Transactions on Power Delivery 26, no. 1 (Fall 2011): 161-72.
68. David D. Clark and Susan Landau, "Untangling Attribution, " Proceedings of a Workshop on Deterring Cyberattacks, ed. National Research Council (Washington, DC: National Academies Press, 2010), 25-40.
69. For richer discussion of the challenges of cyber deterrence-which might mean deterring cyber attacks or using the threat of cyber attack to deter other activity. See National Research Council, Proceedings of a Workshop.
70. General Martin Dempsey, speech at the Commonwealth Club of California, 27 July 2012, http:// www.commonwealthclub.org/events/archive/podcast/general-martin-dempsey-chairman-joint-chiefs-st aff-72712.
71. I am grateful to Erik Gartzke for framing the gap between the "logic of possibility" and the "logic of consequence" in cyber warfare discourse; see Gartzke, "The Myth of Cyber War: Bringing War on the Internet Back Down to Earth" (paper presented at the International Studies Association Annual Convention, San Diego, April 2012).
72. IAEA, "Implementation of the NPT Safeguards Agreement and Relevant Provisions of Security Council Resolutions 1737 (2006), 1747 (2007), 1803 (2008) and 1835 (2008) in the Islamic Republic of Iran, " GOV/2010/10, 18 February 2010.
73. Whitney Raas and Austin Long, "Osirak Redux? Assessing Israeli Capabilities to Destroy Iranian Nuclear Facilities, " International Security 31, no. 4 (Spring 2007): 7-33.
74. The precise configuration of Natanz' networks has not been revealed to IAEA inspectors, but we can gain some insight into the defensive challenge from Siemens-recommended best practices for ICS security and through analysis of the pattern of exploits employed by Stuxnet, as discussed in Eric Byres, Andrew Ginter and Joel Langill, "How Stuxnet Spreads: A Study of Infection Paths in Best Practice Systems, " Tofino Security white paper, 22 February 2011. The Iranians probably diverged significantly from best practices, but the operational implications of this are ambiguous, as discussed below: it may either have provided more vulnerabilities to exploit, or it may have invalidated target intelligence. According to Byres et al., the outer level of the FEP would have been the enterprise network, which hosted most of the everyday business and administrative computers. Within that was the perimeter network-sometimes called "the demilitarized zone" among ICS administrators-where servers managed the computer equipment in the control systems and provided data to end users in the enterprise network. Firewall servers on the perimeter network gateways would have been set to "deny by default" so that they only allowed incoming connections from authorized users with legitimate credentials and outgoing connections only to specifically approved servers for maintenance. This network may indeed have had physical connections from the FEP's exterior networks to sensitive ICS to facilitate remote management and troubleshooting-there might not have been an "air gap"-but there would have been, nonetheless, multiple logical layers of defenses to penetrate. The perimeter network protected SIMATIC systems, and there may have been different system partitions for each of the different cascade modules in the FEP's two production halls. Each of these included the process control network that hosted human interface servers for the SIMATIC operator and engineering systems as well as the control system network that hosted the automation system running the controllers and peripherals driving industrial processes.
75. David Albright, Paul Brannan, and Christina Walrond, "Stuxnet Malware and Natanz: Update of ISIS December 22, 2010 Report, " Institute for Science and International Security, 15 February 2011, 2. Symantec has not publicly released the names of these companies. Epidemiological data came from Stuxnet itself: as it copies itself from computer to computer, each instance keeps a log of all the machines infected by the lineage (evidence of developers interested in debugging or accountability). From samples of the worm collected in the wild, Falliere et al. traced a total twelve thousand infections to five internet domain names, the names of which have not been publicly disclosed. One of these domains was infected on three separate occasions, one was infected twice, two were infected only once, and one had three different computers infected at once (as if an infected thumb drive was repeatedly connected), for a total of ten known initial infections. There are three known versions of Stuxnet, but based on IAEA inspection data only the first version appears to have done any damage at Natanz. The three different compilations of Stuxnet attacked multiple sites in three waves: June and July 2009, March 2010, and April and May 2010. The IAEA observed that about one thousand centrifuges were disconnected in January 2010, as covered later, but in subsequent inspections, the Iranians were already bringing them back under vacuum when the second and third waves hit. These second and third versions thus appear to have had no dramatic effect as the total number of enriching cascades began to increase after August 2010. Considering only insertions of the first version, Stuxnet's damage thus resulted from four initial infections, each in a different domain in Iran. The delay between compilation and infection could have been due to the logistic challenges of testing and getting the worm to the human agents who would launch the attack, or to internal bureaucratic processes within the attacking organization such as legal review. I assume that compilation, the process that packages human-readable programs into the executable binary file, occurred on computers at the attack's home facility, although remote compilation is technically possible. The attack waves, defined as the infections associated with a single compilation, are distributed across the ten initial infections: four, one, and five. The minimum time between compile and infect time was twelve hours, the next shortest was over six days, and the maximum was twenty eight days.
76. Contractors might have been especially attractive as mules, as they could have unwittingly received the malware at tradeshows. Employees or contractors might also carry infected SIMATIC files directly to computers in the interior control system while performing maintenance, thus bypassing safeguards in the perimeter network altogether and vastly simplifying Stuxnet's infiltration. Alternatively, attackers could have sent phishing emails to employees with infected attachments that would open and drop the worm. See Byres et al., "How Stuxnet Spreads, " 13. A lot of attention has been paid to a zero-day vulnerability in Windows shortcut (. lnk) files that enable a hacked shortcut to surreptitiously load malware binaries as soon as the icon is simply viewed onscreen (MS10-046). This vulnerability appeared for the first time in the second version of Stuxnet, compiled on 1 March 2010. As I argue elsewhere, most of the centrifuge damage attributed to Stuxnet occurred prior to March 2010; thus it might not have been the celebrated. lnk vulnerability that delivered the payload that actually did the work at Natanz. The first version of Stuxnet used a less sophisticated autorun. inf vulnerability to propagate via removable media; Falliere, "W32. Stuxnet Dossier, " 31-32.
77. Sanger, "Obama Order. "
78. William Yong, "Iran Says It Arrested Computer Worm Suspects, " New York Times, 10 October
79. Of course, Iran was likely to arrest anyone as a scapegoat after the fact, so we cannot put too much weight on this report.
80. A binary file of executable machine instructions is more or less just like any other data file until an operating system loads it up and treats it as a program. Thus attackers need first to find a way to get their binary into the proper runtime context on target computers. All of Stuxnet's functionality is packaged as a single 1.18 Mb library file (. dll). This file can export thirty-two different functions, each of which has a different purpose in controlling the worm for infiltration, communication, and sabotage, as well as other resource files these functions use.
81. Upon being run on a host for the first time, the worm checks which type of antivirus program is protecting it-Symantec, ESET, McAfee, Kapersky, etc.-and then loads itself into a section of memory where that antivirus product would not look; if Stuxnet assesses that security cannot be bypassed, then that instance of the worm terminates.
82. One of these zero-days turned out to have been employed previously by another criminal malware. It is not uncommon for zero-days to be used successfully in the field long before their discovery by defenders. Leyla Bilge and Tudor Dumitras, "Before We Knew It: An Empirical Study of Zero-Day Attacks in the Real World, " Proceedings of the19th ACM Conference on Computer and Communications Security, 16-18 October 2012.
83. Falliere, "W32. Stuxnet Dossier".
84. Matrosov, "Stuxnet under the Microscope. "
85. Matrosov, "Stuxnet under the Microscope. "
86. Conficker exploited a vulnerability (catalogued by Microsoft as MS08-067) as well as some generic malware techniques that were also used by Stuxnet.
87. Early reporting in Fall 2010, prior to discovery of the Natanz attack sequence by forensic investigators, suspected that the Bushehr reactor was the target; Clayton, "Stuxnet Malware. "
88. Payload details are described by Falliere, "W32. Stuxnet Dossier, " 38-45.
89. Langner, "Stuxnet Attack Code Deep Dive. "
90. David Albright, Paul Brannan, and Christina Walrond, "Did Stuxnet Take Out 1,000 Centrifuges At the Natanz Enrichment Plant?" Institute for Science and International Security, 22 December 2010, 3-4. Iran is known to have obtained the 315-2 PLC by 2003, but the IAEA has been unable to verify the actual types of PLCs and frequency converters installed at the FEP.
91. Stuxnet's timing works not by interrogating the system clock but by counting reporting events generated by the PLC as it controls spinning motors, which is further evidence that Stuxnet developers knew and mastered FEP technical details.
92. Alexander Glaser, "Characteristics of the Gas Centrifuge for Uranium Enrichment and Their Relevance for Nuclear Weapon Proliferation (Corrected), " Science and Global Security vol. 16 (June 2008): 1-25, describes that the Iranian cascade of 164 centrifuges "is characterized by a total 15 stages; the feed is introduced in stage 5, which consists of 24 machines, " and "the product stream feeds into the next stage and the tails stream into the previous stage" in a symmetric arrangement of decreasing numbers of machines in each stage. This configuration can be verified in a publicity photo of President Mahmoud Ahmedinejad visiting the Natanz SCADA control room where, on one of the monitor screens, there is an image of an array of 164 items grouped into a symmetric arrangement of 15 clusters, http://www.president.ir/en/9172, accessed 18 April 2012. The parameters of the array pictured on the screen exactly match those in Stuxnet's code. Furthermore, there are six such arrays described in the code. Three Siemens S7-317 PLCs could control six cascades each, and this would amount to a total of eighteen cascades, which is the number known through IAEA inspections to be contained in each of the eight planned enrichment modules in one of Natanz's production halls.
93. Albright et al., "Stuxnet Malware and Natanz. "
94. Sanger, "Obama Order"; David E. Sanger, Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power (New York: Crown, 2012): 188-225.
95. David E. Sanger, Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power (New York: Crown, 2012): 188-225
96. Broad et al., "Israel Tests on Worm. "
97. This attack resembles a commando raid deep into enemy territory against superior forces, as contrasted with the strategic bombing imagery of widespread devastation to economic infrastructure that is often used to describe cyber warfare. See Lukas Milevski, "Stuxnet and Strategy: A Space Operation in Cyberspace, " Joint Forces Quarterly 63, no. 4 (4th Qtr. 2011): 64-69.
98. Joby Warrick and Greg Miller, "U.S. Intelligence Gains in Iran Seen as Boost to Confidence, " Washington Post, 7 April 2012.
99. William J. Broad and David E. Sanger, "In Nuclear Net's Undoing, a Web of Shadowy Deals, " New York Times, 25 August 2008.
100. Gus W. Weiss, "The Farewell Dossier: Duping the Soviets, " Studies in Intelligence 39, no. 5 (1996).
101. Sanger, "Obama Order, " describes "a beacon that could be inserted into the computers. " This may have been the Flame spyware that was publically discovered after Stuxnet but which had been active before it, and almost certainly a product of the same U.S.-Israeli collaboration.
102. Ellen Nakashima, Greg Miller and Julie Tate, "U.S., Israel Developed Flame Computer Virus to Slow Iranian Nuclear Efforts, Officials Say, " Washington Post, 19 June 2012. An anonymous reviewer of this paper suggests that the intelligence used in the 2007 National Intelligence Estimate on Iranian nuclearization was consistent with the sort of intelligence collected by Flame.
103. Nakashima et al., "U.S., Israel Developed Flame. "
104. Richard Sale, "Stuxnet Loaded By Iran Double Agents, " Industrial Safety and Security Source Blog, 11 April 2012, http://www.isssource.com/stuxnet-loaded-by-iran-double-agents/.
105. Once zero-days are discovered, software vendors work on patches and antivirus firms work on detection. Thus zero-days are extremely valuable prior to use (vendors interested in defense and criminals interested in offense are both willing to pay), but their value rapidly drops off after they are revealed. Holding onto a valuable zero-day for too long is risky, since if someone else discovers and publicizes it first, then the value is lost. These properties make markets for zero-days highly imperfect because it is difficult to credibly signal quality without giving away the goods. See Charlie Miller, "The Legitimate Vulnerability Market: Inside the Secretive World of 0-Day Exploit Sales, " workshop on the Economics of Information Security, 7-8 June 2007. Attackers with the research and development resources to find and secretly stockpile zero-days in-house can insulate themselves from this market somewhat.
106. Broad et al., "Israeli Test on Worm Called Crucial in Iran Nuclear Delay. " Siemens cooperation in SCADA penetration testing was ostensibly for defensive purposes, but the same research could be leveraged for attack planning.
107. Ron Rosenbaum, "Richard Clarke on Who Was Behind the Stuxnet Attack, " Smithsonian, April
108. On installation the worm checks the current date and halts if it is later than 24 June 2012, which suggests that its designers expected the attack to be complete by then (this might also suggest a legal requirement to limit the lifetime of a covert operation). The first version of Stuxnet limited each instance to three infections, and each instance only had a twenty-one day window to infect others. If Stuxnet did not find SIMATIC files with the right configuration, it did not affect the functionality of the host and might even delete itself. Michael Joseph Gross, "A Declaration of Cyber-War, " Vanity Fair, April 2011, quotes Richard Clarke: "If a government were going to do something like this, a responsible government, then it would have to go through a bureaucracy, a clearance process. Somewhere along the line, lawyers would say, 'We have to prevent collateral damage,' and the programmers would go back and add features that normally you don't see in the hacks. And there are several of them in Stuxnet. It just says lawyers all over it. "
109. Recent forensics on the Duqu worm, which was discovered after Stuxnet, and appears to target Siemens SCADA for intelligence exploitation rather than sabotage attack, reveals that both malwares share provenance in a driver compiled in January 2008. See Alexander Gostev and Igor Soumenkov, "Stuxnet/Duqu: The Evolution of Drivers, " Kaspersky Lab Securelist Blog, 28 December 2011, http: //www.securelist.com/en/analysis/204792208/Stuxnet_Duqu_The_Evolution_of_Drivers.
110. Ewen MacAskill, "Stuxnet Cyberworm Heads Off US Strike on Iran, " The Guardian, 16 January 2011.
111. Ralph Langner, the investigator who deciphered Stuxnet's payload, often makes this argument, e.g., Tom Gjelten, "Security Expert: U.S. 'Leading Force' Behind Stuxnet, " NPR Morning Edition, 26 September 2011.
112. It is always possible to think up scenarios whereby organized criminals in the hinterlands of Siberia might have assembled a mock-up of Natanz to test their weapon, but this strains credibility.
113. Albright et al., "Did Stuxnet Take Out 1,000 Centrifuges. "
114. Morteza Rezaei, "What's the Best Defense against Stuxnet? A Comparison of Which Tools are the Best for Finding Stuxnet in a System, " Control Magazine Web Exclusive, 28 May 2012, http://www.controlglobal.com/articles/2012/stuxnet-iranian-view.html, (quotation).
115. Albright et al., "Preventing Iran from Getting Nuclear Weapons"
116. The first known Stuxnet infections date to June and July 2009. Stuxnet was discovered in June 2010 and patched by August 2010 thanks to an international effort by the global commercial information security community that benefited Iran as well. Thus the Stuxnet attack lasted at most from mid-2009 to mid-2010. From May 2009 to August 2010 there were six IAEA inspections; http://www.iaea.org/newscenter/focus/ iaeairan/iaea_reports.shtml, accessed 20 April 2012.
117. At Natanz in 2009-10, a single separation cascade had 164 centrifuges, and eighteen cascades were grouped into operating modules. Iran had reported plans to install a total of eight modules in the main production hall at Natanz, but by late 2009 only three were installed to some degree. IAEA inspectors were able to record, for each module, how many were filled with UF6 and thus enriching, how many were not enriching but under vacuum and ready, how many were installed but not under vacuum, and how many were disconnected altogether. Module A24 had been enriching with all eighteen cascades since 2008, while only had a fraction of the cascades of module A26 were enriching and no cascades of module A28 were performing any enrichment. Of these three modules, IAEA inspections only record damage to A26 during the Stuxnet attack window, and this damage was largely confined to centrifuges which were not yet filled with UF6. A26 appears to have suffered serious problems in the latter half of 2009. In June, twelve cascades were enriching, but in August there were only ten, and by November only six; this implies some chronic problem with enrichment. These non-enriching cascades in A26 all remained under vacuum during this time; then suddenly in January 2010, the IAEA found eleven cascades of A26 completely disconnected. Six of these were brought back under vacuum by May 2010, and after August the numbers of cascades actually enriching began to increase again. As a result, the most productive module online (A24) continued to enrich with all eighteen cascades. The newest module (A28) had sixteen cascades under installation and two being removed in January 2010, but Stuxnet is probably not to blame for those two since they were not even spinning yet.
118. Albright et al., "Did Stuxnet Take Out 1,000 Centrifuges. "
119. Albright et al., "Did Stuxnet Take Out 1,000 Centrifuges. "
120. Might overall enrichment efficiency at Natanz have been even more degraded had Stuxnet never attacked at all? The cumulative ratio (total product and feed over time) of kg LEU to kg UF6 from 5 percent improves from early 2008 to a peak of 9 percent at the end of 2009, and then, right after the height of Stuxnet activity, gradually diminishes. At first blush this appears to be evidence for Stuxnet effectiveness. However, a more disaggregated (noncumulative) measurement of the monthly ratio tells a quite different story. From nearly 10 percent (kg/month LEU per kg/month UF6) in early 2008, efficiency declines gradually to under 8 percent in August 2009; but it then jumps suddenly to over 10 percent in November 2009, only to decline gradually again to 8 percent by September 2011. A similar story can be told with a different efficiency measure, that of average separative work per year per centrifuge. Efficiency declines from the beginning of plant operations until the beginning of Stuxnet attacks, then increases into early 2010, only to decline again after August 2010. Stuxnet in effect provided a reset to the inefficient drift of the noncumulative ratio and the average separative work; alternatively (as an anonymous reviewer has pointed out), Stuxnet acted as a quality control measure for Iran by removing inefficient centrifuges. Either way, in the absence of this bump in efficiency, the ultimate performance could have been even worse. Technical details are drawn from David Albright and Christina Walrond, "Performance of the IR-1 Centrifuge At Natanz, " Institute for Science and International Security, 18 October 2011.
121. Sanger, "Obama Order. "
122. Sanger, "Obama Order. "
123. Claudio Ciborra, The Labyrinths of Information: Challenging the Wisdom of Systems (New York: Oxford University Press, 2002), 3.
124. Susan Leigh Star, "The Ethnography of Infrastructure, " American Behavioral Scientist 43, no. 3 (November 1999): 377-91.
125. Paul N. Edwards, Matthew S. Mayernik, Archer L. Batcheller, Geoffrey C. Bowker, and Christine L. Borgman, "Science Friction: Data, Metadata, and Collaboration, " Social Studies of Science 41, no. 5 (October 2011): 667-90.
126. Albright et al., "Did Stuxnet Take Out 1,000 Centrifuges, " 6.
127. The risks of complexity have spawned a vast literature, inter alia, Charles Perrow, Normal Accidents: Living with High Risk Technologies (Princeton, NJ: Princeton University Press, 1999).
128. Scott Snook, Friendly Fire: The Accidental Shootdown of U.S. Black Hawks over Northern Iraq (Princeton, NJ: Princeton University Press, 2000)
129. Diane Vaughan, The Challenger Launch Decision: Risky Technology, Culture, and Deviance at NASA (Chicago: University of Chicago Press, 1997)
130. Scott D. Sagan, The Limits of Safety: Organizations, Accidents, and Nuclear Weapons (Princeton, NJ: Princeton University Press, 1993).
131. One might argue that friction is even more problematic for cyber warfare than other operations. Unlike a human commando team that can rely upon their intuition and ingenuity to recognize and adapt to unforeseen problems, malware has only explicit rules and coded assumptions to guide it. Malware that communicates through command and control servers does not solve this problem because the remote operator remains deeply unaware of actual machine states, details of real time network configuration, and the activities of local users in situ. Even if the payload manages to reach its target, there is no guarantee that the target equipment and organization will react as attack planners expect, or on the anticipated timelines.
132. Karl E. Weick and Karlene H. Roberts, "Collective Mind in Organizations: Heedful Interrelating on Flight Decks, " Administrative Science Quarterly 38, no. 3 (1993): 357-81.
133. Karl E. Weick, "Organizational Culture as a Source of High Reliability, " California Management Review 29, no. 2 (Winter 1987): 112-27.
134. Lawson, "Beyond Cyber-Doom, " reviews studies of societies that experience natural and military disasters; scholars find that such societies, especially if they have high social capital, are likely to display altruistic tendencies and to organize themselves to restore services. Ironically, given the cyber war emphasis on the vulnerability of advanced industrial states, such societies are more likely to have the social resources to compensate for disaster.
135. Computer security engineers usually deride "security through obscurity" in the belief that a determined hacker always finds a way through, or that lazy users who ignore security can easily be exploited. Although by way of comparison, see Andrew Odlyzko, "Providing Security with Insecure Systems, " ACM Conference on Wireless Network Security, March 2010. The argument here is that obscurity in embedded practice of the larger socio-technical system, not just the narrow computer system, can enhance security.
136. Sanger, "Obama Order. "
137. Falliere, "W32. Stuxnet Dossier, " 4.
138. Falliere, "W32. Stuxnet Dossier, " 5-7; Symantec monitored two of Stuxnet's command and control servers they had discovered and found that they were in communication with one hundred thousand infected hosts in over thirty thousand organizations by the end of September 2010. One third of these infections were outside of Iran. Indonesia and India were a distant second and third in Stuxnet infections. Despite some panic over Stuxnet that it might have harmed an Indian satellite and a British reactor, the remaining global third of infections seems not to have caused any damage beyond the costs of investigation and cleanup. Stuxnet was looking for a SIMATIC configuration peculiar to Natanz, so it remained relatively inert as it spread elsewhere. Of course, the fact that two-thirds of the infections were in Iran is an important clue, along with the specifics of the payload discussed later, that Iran was the intended target. This count of one hundred thousand infected hosts probably severely undercounts the true number. Symantec only found and monitored two command and control servers; there could have been others. Furthermore, many infections would have been in peer-to-peer botnets without direct connections to those servers.
139. Because it is almost impossible to measure computer security, antivirus firms compete by producing free threat analysis to advertise their technical competence. I am grateful to Stefan Savage for this point.
140. Stephen W. Van Evera, "Offense, Defense, and the Causes of War, " International Security 22, no. 4 (Spring 1998): 5-43.
141. Charles L. Glaser and Chaim Kaufmann, "What Is the Offense-Defense Balance and Can We Measure It?" International Security 22, no. 4 (Spring 1998): 44-82.
142. Richard K. Betts, "Must War Find a Way? A Review Essay, " International Security 24, no. 2 (Fall 1999): 166-98.
143. Although a degree of homogenization in the centrifuge cascades did facilitate engineering the payload in the first place, the potential uncertainties of the physical plant were much greater. Stuxnet's covert yet promiscuous propagation enabled it to burrow deep into the network without advance knowledge of the best route to the centrifuges. The homogeneity of Windows operating systems on Iranian hosts enabled the worm to use the same tricks again and again to perform a random walk through Iran's networks. If it reproduced enough copies of itself, then eventually some of them would get to the right place and Stuxnet's handlers would receive feedback of mission progress. Yet even these tricks did not deal with all the frictions Stuxnet encountered. Viral propagation enabled Stuxnet to cope with uncertainty about Iran's network configuration, but it ultimately led to the compromise of the operation.
144. Greg Downey, "Virtual Webs, Physical Technologies, and Hidden Workers: The Spaces of Labor in Information Internetworks, " Technology and Culture 42, no. 2 (April 2001): 209-35.
145. Of course, there are areas where soldiers can exploit offense dominance in cyberspace, especially in those operations such as intelligence reconnaissance or psychological influence operations where soldiers behave more like spies or hacktivists. Specification of scope conditions could also help to identify a more narrow set of ICS targets and situations (e.g., surprise attack versus protracted war) where cyber warfare might be more feasible.
146. On the difference between deterrence by punishment and denial (or defense), see Glenn Snyder, Deterrence and Defense: Toward a Theory of National Security (Westport, CT: Greenwood Press, 1961), 14-16. I henceforth use "deterrence" to refer to the threat of retaliatory punishment.
147. Nakashima et al., "U.S., Israel Developed Flame".
148. Thomas Erdbrink, "Facing Cyberattack, Iranian Officials Disconnect Some Oil Terminals from Internet, " New York Times, 23 April 2012.
149. Ellen Nakashima, "Iran Blamed for Cyberattacks on U.S. Banks and Companies, " Washington Post, 21 September 2012.
150. David E. Sanger, "U.S. Rejected Aid for Israeli Raid on Iranian Nuclear Site, " New York Times, 10 January 2009.
151. Sanger, "Obama Order. "
152. Quoted in Nye, "Nuclear Lessons for Cyber Security?" 18.
153. Sanger, "Obama Order. "
154. Sanger, "Obama Order. "
155. Jan Drömer and Dirk Kollberg, "The Koobface Malware Gang Exposed, " SophosLabs, 2012.
156. Rachael King, "Stuxnet Infected Chevron's IT Network, " Wall Street Journal, 8 November 2012.
157. Interview with Saeed Jalili, "Iran's Nuclear Negotiator Says U.S. Involved in Cyberattack, " NBC News, 17 January 2011, http://video.msnbc.msn.com/nightly-news/41124888#41124888. Of course, for all the reasons in this paragraph, Iran would have good reason to suspect the United States, so the reliability of Iranian statements should be discounted. We do not know just what sort of evidence they may or may not have found.
158. Chris Demchak, "Stuxnet: Signs Could Point to Russia, " New Atlanticist Blog, 26 November 2010, http://www.acus.org/new_atlanticist/stuxnet-signs-could-point-russia.
159. Chris Demchak, "Stuxnet: Signs Could Point to Russia, " New Atlanticist Blog, 26 November 2010, http://www.acus.org/new_atlanticist/stuxnet-signs-could-point-russia.
160. Ron Rosenbaum, "Richard Clarke on Who Was Behind the Stuxnet Attack, " Smithsonian, April 2012.
161. Keir A Lieber and Daryl G. Press, "Reading the Return Address: Assessing the Danger of Anonymous Terrorist Attack" (paper presented at the Annual Meeting of the American Political Science Association) Seattle, WA, September 2011.
162. Michael Riley and Eric Engleman, "Code in Aramco Cyber Attack Indicates Lone Perpetrator, " Bloomberg, 25 October 2012.
163. This dynamic recalls the stability-instability paradox of classical nuclear deterrence theory: nuclear deterrent stability can promote limited conventional instability.
164. A dangerous situation, recalling the WWI context of original debate on offense-defense theory, would be if an actor believed cyberwar was offense dominant when it was really defense dominant. Stephen W. Van Evera, "Offense, Defense, and the Causes of War, " International Security 22, no. 4 (Spring 1998): 5-43. This misperception is certainly not helped by most of the rhetoric on the topic.
165. Stephen Peter Rosen, Winning the Next War: Innovation and the Modern Military (Ithaca, NY: Cornell University Press, 1991).
166. Francis J. Gavin, Nuclear Statecraft: History and Strategy in America's Atomic Age (Ithaca, NY: Cornell University Press, 2012) argues that even afterward the Nuclear Revolution lacked the clarity often assumed. Throughout the Cold War, there was something of a gap between the strategic consequences theorists expected from the Nuclear Revolution and the more pragmatic concerns of policymakers. A similar gap appears to be opening for the Cyber Revolution.
167. James R. Beniger, The Control Revolution: Technological and Economic Origins of the Information Society (Cambridge, MA: Harvard University Press, 1986).