
Comment & Analysis - December 02, 2010

The Stuxnet Virus: The Start of a New Digital Arms Race?

Chris Perry | Research Fellow and Data Scientist

A great deal has been made of “cyber warfare,” and reactions to it range from alarmist to overly optimistic. This has spurred the usual talk of new institutions and organizations to deal with the threat. But the existing institutional architecture may be the most appropriate.

The wide range of reactions is due to a conflation of various types of illicit electronic activity. At their root, the methods of electronic attack are really nothing new. Rather, they represent the use of new technology to perpetrate old forms of aggression and criminal enterprise, though on a far larger scale.

Denial-of-service (DoS) attacks inundate a machine or network with external communication requests that make it impossible to respond to legitimate traffic. This is done as mischief-making (a sort of vandalism) or as a premise for extortion. Espionage, both state-sponsored and industrial, certainly has precedent before the Internet. Even the most fantastical scenarios revolve around electronic monkey wrenching.

For instance, the vast majority of what is casually referred to as cyber warfare is actually cyber espionage. Cyber espionage is the use of computer and wireless networks to capture email, text and other online communications as well as corporate and government data. Often this is for the purpose of national- or commercial-intelligence gathering and is well documented.

Cyber warfare, on the other hand, is more conceptually ambiguous but can be thought of as a deliberate nation-state-sponsored sabotage of an adversary’s networks to make them inoperable. Scenarios often revolve around disruption of infrastructure—usually financial and communication networks with a particular emphasis on electrical grids. With a few exceptions, acts of cyber warfare have not really occurred, and anecdotal evidence can usually be traced back to a confusion of terminology.

The Operation Aurora attacks in the latter half of 2009 are a prime example of this. Often referred to as the opening salvos in a looming cyber war, the attacks were more an act of large-scale state-sponsored espionage to gain valuable data from high-tech and security companies.

Likewise, the 2007 cyber attacks on Estonia, sometimes referred to as the Estonian Cyber War, were nothing more than nationalistic vandalism in the form of DoS attacks on eGovernment sites and mass spamming. Even the 2008 cyber attack, credited by some as having inspired the current US Pentagon cyber-defense policy, was more a classic case of spying.

All of these were cause for concern, but hardly acts of war. In fact, the definition of the threshold for an electronic “act of war” under international law is a highly contentious point. Some states prefer the much more expansive term “information war” to capture what they see as external actors fomenting unrest through the Internet. Additionally, much of the past electronic malfeasance has been tightly linked to both domestic and transnational criminal networks—networks that some states have been a bit lax in dealing with. Some have hypothesized that this may be an intentional gambit, giving criminal organizations breathing room in return for periodic help with espionage or other activities.

Until now, there really hasn’t been an instance of an electronic attack that brings to mind an act of war, as such. The one exception may have occurred during Israeli air strikes on an alleged Syrian nuclear installation in September 2007. There is every indication that Israel bolstered conventional radar-jamming techniques with the use of an airborne network attack program—essentially a computer virus used to trick Syrian air defense. But even this electronic attack only provided tactical and secondary support to an attack that could easily be classified as an act of war.

However, all may have changed with the identification of the Stuxnet virus last June. Stuxnet’s main innovation is the ability to disable real-world targets combined with the ability to precisely “aim” the malware so that it affects only the intended target. This negates one of the main obstacles to mass electronic attacks—namely the unpredictable nature of electronic blowback. A traditional piece of malware can be highly effective in disabling an adversary’s network, but there is a very real chance of it having the same effect on your own or an ally’s.

Stuxnet gets around this by targeting supervisory control and data acquisition (SCADA) software systems found in industrial control settings. These systems control a multitude of complex processes, giving each individual SCADA system profile a unique “DNA.” Stuxnet uses this DNA like a key. While a multitude of machines can be infected, it will only execute its final disable, disrupt, deceive or destroy command when it recognizes the correct destination.

Because of the incredible amount of sophisticated code, the unprecedented use of four “zero-day” or previously unknown exploits, and the amount of background intelligence needed to target the virus, Stuxnet was surely created by a nation-state. Additionally, there is every indication that the target was the Iranian Natanz reactor. As an ironic aside, Stuxnet may have affected some North Korean nuclear facilities, indicating an identical SCADA system and by extension an identical supplier.

With this emerging reality of a “fifth domain” of warfare, the distinctions in this terminology have become even more important. While it may be politically convenient to deal with similar security-oriented threats under a single rubric, history has shown that this can lead to problematic and counterproductive outcomes.

Upon examination, it becomes clear that much of this emerging issue lies within the transnational organized crime agenda or is at heart a trade issue in the spirit of intellectual-property rights. To this end, it is encouraging to see that the incoming executive director of the United Nations Office on Drugs and Crime (UNODC), Yuri Fedotov, has placed cybercrime high on the agenda.

All this is to say that while it is convenient to talk of creating new institutions and organizations to deal with cyber threats, the existing institutional architecture both internationally and domestically may be both the most feasible and the most appropriate. It is good to see the General Assembly begin to consider what an appropriate international framework for the largely unregulated Internet would look like. The International Telecommunication Union conference on addressing security challenges on a global scale in December will hopefully offer some next steps in realizing this goal.
