The Stuxnet Virus: The Start of a New Digital Arms Race?

A great deal has been made of “cyber warfare,” and reactions to it, ranging from alarmist to overly optimistic, have spurred the usual talk of new institutions and organizations to deal with the threat. But the existing institutional architecture may be the most appropriate.

The wide range of reactions is due to a conflation of various types of illicit electronic activity. At their root, the methods of electronic attack are really nothing new. Rather, they represent the use of new technology to perpetrate old forms of aggression and criminal enterprise, though on a far larger scale.

Denial-of-service (DoS) attacks inundate a machine or network with external communication requests, making it impossible to respond to legitimate traffic. This is done as mischief-making (a sort of vandalism) or as a basis for extortion. Espionage, both state-sponsored and industrial, certainly has precedent before the Internet. Even the most fantastical scenarios revolve around electronic monkey-wrenching.

For instance, the vast majority of what is casually referred to as cyber warfare is actually cyber espionage. Cyber espionage is the use of computer and wireless networks to capture email, text and other online communications as well as corporate and government data. Often this is for the purpose of national- or commercial-intelligence gathering and is well documented.

Cyber warfare, on the other hand, is more conceptually ambiguous but can be thought of as a deliberate nation-state-sponsored sabotage of an adversary’s networks to make them inoperable. Scenarios often revolve around disruption of infrastructure—usually financial and communication networks with a particular emphasis on electrical grids. With a few exceptions, acts of cyber warfare have not really occurred, and anecdotal evidence can usually be traced back to a confusion of terminology.

The Operation Aurora attacks in the latter half of 2009 are a prime example of this. Often referred to as the opening salvos in a looming cyber war, the attacks were more an act of large-scale state-sponsored espionage to gain valuable data from high-tech and security companies.

Likewise, the 2007 cyber attacks on Estonia, sometimes referred to as the Estonian Cyber War, were nothing more than nationalistic vandalism in the form of DoS attacks on eGovernment sites and mass spamming. Even the 2008 cyber attack, credited by some as having inspired the current US Pentagon cyber-defense policy, was more a classic case of spying.

All of these were cause for concern, but hardly acts of war. In fact, where the threshold for an electronic “act of war” lies under international law is a highly contentious point. Some states prefer the much more expansive term “information war” to capture what they see as external actors fomenting unrest through the Internet. Additionally, much of the past electronic malfeasance has been tightly linked to both domestic and transnational criminal networks—networks that some states have been a bit lax in dealing with. Some have hypothesized that this may be an intentional gambit, giving criminal organizations breathing room in return for periodic help with espionage or other activities.

Until now, there really hasn’t been an instance of an electronic attack that brings to mind an act of war, as such. The one exception may have occurred during Israeli air strikes on an alleged Syrian nuclear installation in September 2007. There is every indication that Israel bolstered conventional radar-jamming techniques with the use of an airborne network attack program—essentially a computer virus used to trick Syrian air defense. But even this electronic attack only provided tactical and secondary support to an attack that could easily be classified as an act of war.

However, all may have changed with the identification of the Stuxnet virus last June. Stuxnet’s main innovation is the ability to disable real-world targets combined with the ability to precisely “aim” the malware so that it affects only the intended target. This negates one of the main obstacles to mass electronic attacks—namely the unpredictable nature of electronic blowback. A traditional piece of malware can be highly effective in disabling an adversary’s network, but there is a very real chance of it having the same effect on your own or an ally’s.

Stuxnet gets around this by targeting supervisory control and data acquisition (SCADA) software systems found in industrial control settings. These systems control a multitude of complex processes giving each individual SCADA system profile a unique “DNA.” Stuxnet uses this DNA like a key. While a multitude of machines can be infected, it will only execute the final disable, disrupt, deceive or destroy command when it recognizes the correct destination.

Because of the incredible amount of sophisticated code, the unprecedented use of four “zero-day” or previously unknown exploits, and the amount of background intelligence needed to target the virus, Stuxnet was surely created by a nation-state. Additionally, there is every indication that the target was the Iranian Natanz reactor. As an ironic aside, Stuxnet may have affected some North Korean nuclear facilities, indicating an identical SCADA system and by extension an identical supplier.

With this emerging reality of a “fifth domain” of warfare, the distinctions in this terminology have become even more important. While it may be politically convenient to deal with similar security-oriented threats under a single rubric, history has shown that this can lead to problematic and counterproductive outcomes.

Upon examination, it becomes clear that much of this emerging issue lies within the transnational organized crime agenda or is at heart a trade issue in the spirit of intellectual-property rights. To this end, it is encouraging to see that the incoming executive director of the United Nations Office on Drugs and Crime (UNODC), Yuri Fedotov, has placed cybercrime high on the agenda.

All this is to say that while it is convenient to talk of creating new institutions and organizations to deal with cyber threats, the existing institutional architecture both internationally and domestically may be both the most feasible and the most appropriate. It is good to see the General Assembly begin to consider what an appropriate international framework for the largely unregulated Internet would look like. The International Telecommunication Union conference on addressing security challenges on a global scale in December will hopefully offer some next steps in realizing this goal.