Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon
© 2014 Kim Zetter
A couple of years ago I created a new label, ‘digital world’, in recognition of the fact that the Internet is no longer a discrete system (like a grid of water pipes). It has seeped into every aspect of our everyday lives, as basic as electricity. Through it, the entire developed world moves. War is no exception to this digital revolution, and the fun is just beginning. People may associate cyberwar with the theft of intelligence, or perhaps monkeying-around with the power grid, but the case of “Stuxnet” demonstrates how weaponized computer programs can cause physical destruction no less complete than a bomb. What’s more, the specific vulnerability used to great effect here is virtually universal in the industrial world. Countdown to Zero Day is a forensic-political history of how the United States used a computer virus to effect the kind of destruction only imaginable before by an airstrike, and a warning to the entire online world that we are vulnerable.
If war is the continuation of politics by other means, cyberwar appears to occupy a grey area between the two. The policy of the Bush administration, once it became obvious that Iran was pursuing nuclear weapons, was to squelch the threat through any means necessary. While there may have been many in DC who wanted to see another example of shock-n-awe, even Bush knew a third war in the same mideast minefield wasn’t possible. Remote sabotage, however, offered an alternative to war or a nuclear Iran, and a program which started under Bush would bear full fruit during the Obama administration. What a small elite knew in DC as “Olympic Games”, the world would later call “Stuxnet”: a virus that began as a carefully targeted weapon and but which would later spread across Eurasia.
The author delivers the full story of Stuxnet in a back and forth narrative: the first track begins with the eruption of the virus, and the methodical picking-apart that Symantec, Kapersky, and other cybersecurity firms subjected the code to. Step by step, they attempted to figure out what the code was doing, how it got in, what mechanisms the code was using, and finally — what was its intended target? This campaign of digital detection work wasn’t the product of one cyber Sam Spade, but a collaborative effort between various businesses who shared their information and results. Eventually, over the course of two years, they realized that the initial program was highly target specific: it was aimed at two kinds of programmable logic controllers, or computers used in industrial work. The particular PLCs targeted were used in rotors that were specific to the kind of centrifuge that Iran used to enrich uranium.
The teams dissecting the Stuxnet code marveled several times at its structure, but marveled all the more when they figured out – -based on reports coming in from Iran — how the program worked. Because the centrifuges’ speed and weight necessitate careful handling — slow acceleration and then slow deceleration, nothing too abrupt — the program’s main attack was to methodically stress the centrifuges by taking them up to speed, or down, in patterns resigned to slowly ruin the pieces. What’s more, long before this act of digital undermining ever began, the program silently sat and waited, recording the normal activities: during the actual sabotage, the program fed recorded data to he plant’s control room, meaning eventually the Iranians had to physically watch the motors to see what was happening. The program had a nucleus so deeply hidden that when the machine software was placed under repair by the Iranian engineers, the core program methodically re-wrote the new programming. It’s as if an invasive bacteria promptly turned the body’s immune system into its own means of reproduction.
The case of Stuxnet is important because PLCs are pervasive; they aren’t just used in manufacturing, but are common wherever computer-controlled machinery is used. They’re in hospitals, food production plants, powerstations, transit networks: there’s no end to the mischief that could be managed by attacking them, and until recently very little done to protect the systems. Stuxnet was a wakeup call to many technical directors in the developed world, an alarm bell to their vulnerability. As the recent WannaCry attack which cripped hospitals in the UK demonstrates, however, we’re not taking cybersecurity anywhere near enough seriously. (The WannaCry and Stuxnet attacks also demonstrate the volatility of cyberweapons: they don’t go away. In both cases, code and tools designed by DC were trapped and corralled into use by other parties.) Throughout the world we rely on computers which haven’t been protected for years, or we have foolishly ensnared vital public infrastructure like the power grid with the public internet. Stuxnet was only the beginning — perhaps it may be like the Hiroshima-Nagasaki attacks, a singular event that frightens everyone into more caution. I doubt it, though.
@ war: The Rise of the Military-Internet Complex, Shane Harris
Glass Houses: Privacy, Secrecy, and Cyber Insecurity in a Transparent World, Joel Brenner