Stuxnet and Cyber Deterrence

Monday, August 13, 2012

Robert M. Lee


The United States has not claimed any responsibility or role in developing and using the cyber weapon known as Stuxnet. 

Nor has it claimed any responsibility for DuQu, Flame, or Gauss, which all seem to share commonalities, if not solid connections, via shared source code, vulnerabilities, and modules.

However, it would be hard to miss the New York Times’ article on Stuxnet, as well as all the analysis done on it and its possible partners, that cite the United States government’s involvement.

Regardless of your opinion on the attribution or what inspired it, it is clear that the world believes the United States was behind the attack on the Iranian uranium enrichment facility at Natanz and an ongoing offensive cyber campaign. This has powerful implications for the cyberspace domain and particularly for cyber deterrence.

Activities and operations in cyberspace are not new. For decades the cyberspace domain has been filled with activities from botnets and scams run by cyber criminals to operations orchestrated by nation-states. 

For the most part, cyber attacks and the tactics behind them have not changed.  New technologies have been presented over the years but many attack vectors, including phishing emails and insider threats, remain the same. One thing that has changed though is the amount of news coverage cyber attacks generate. 

The general public is mostly unaware of even high-profile cyber attacks, including operations Shady RAT, Aurora, and Night Dragon. Yet Stuxnet has become a household name. This is for good reason, though, as Stuxnet demonstrated an ongoing operation that resulted in the physical destruction of a nation’s critical infrastructure through computer code. It is both exciting and scary at the same time.

Stuxnet generates an emotion from almost everyone that knows about it whether they want to express that it was the right decision, that it was irresponsible, or that they are tired of hearing about it.  It is truly newsworthy and important on a global level.  And out of all of its importance to the cyberspace domain one of the greatest aspects is its role as a case study.

Stuxnet acts as a true and prime case study when it comes to discussions on cyber deterrence.  The possibly related pieces of malware (Gauss, Flame, and DuQu) can arguably not be considered cyber weapons as none of them, as of yet, have caused physical destruction. 

The three pieces of malware are very impressive and advanced nation-state cyber capabilities that have demonstrated an ongoing cyber espionage campaign but have not risen to the level of Stuxnet. They are, in a way, very similar to previous cyber campaigns and capabilities highlighted in numerous threat reports and news media articles.

Gauss, Flame, and DuQu generate a level of cyber deterrence in and of themselves (being attributed to the US and to Stuxnet offers them an extra level of credibility), but the importance for deterrence purposes is still placed on the capability to impart physical destruction through cyber capabilities.

Before Stuxnet, the only public attribution discussions were to cyber attacks/conflict and not to an example of a true cyber weapon that was able to cause physical degradation of systems.  Military leaders, government officials, and security experts put forth their ideas on cyber deterrence and how a nation might achieve it, yet the ideas were mostly based on educated guesses and expected results. 

The consensus of many was that deterrence could only truly be had when capabilities and weaponry were showcased.  It makes sense that cyber weapons cannot deter adversaries from attacking when adversaries do not know what type of arsenal a nation has. 

However, there were few historical events to look at as case studies and use as lessons learned.  Proven strategies simply could not be developed based on the lack of information.  Stuxnet changed that.

Stuxnet clearly showed that a nation-state was capable and willing to use an advanced cyber weapon against an adversary.  With the world believing that the United States is responsible, the nation now has the highest level of credibility for willingness and capability to develop and use a cyber weapon. That is a strong deterrent. 

But will it be enough?  What will the outcome be?  The fear is that Stuxnet opened up the United States to similar attacks and has encouraged this type of warfare in a way which was not present before.  This uncertainty and doubt may yield negative results and momentum for everything from inaction on key legislation and treaties to a security company trying to convince people that buying their latest product is a point of national security. 

Yet it is also possible that impactful legislation passes, more cooperation between the government and civilian communities occurs, and that national critical infrastructure receives better protection. The truth, though, is that no one knows the outcome.

A nation has never been in this situation before.  The case studies do not exist.  The context has not existed. And like it or not things have changed.  It does not matter what anyone says about the United States’ involvement in Stuxnet or any of its possible relatives; the perception of attribution is there and now has to be dealt with.

How the nation moves forward from here, how it responds to threats, and what strategies are developed will all impact the future of cyber deterrence and the entire cyberspace domain. This is a crucial point in the history of the domain, and all of us can only try to do our part and hope that level-headed and responsible actions prevail.

Whatever your opinion is on Stuxnet, there is at least one universal truth that has come out of it: things are only going to get more interesting.

Follow Robert on Twitter @robertmlee


Robert M. Lee is an Air Force Cyberspace Operations Officer yet his views and opinions in this article do not represent or constitute an opinion or endorsement by the United States Government, Department of Defense, or Air Force.  His opinions are his own.

Krypt3ia Robert, I'd love to read the paper. You can reach me at Agreed, there has to be much more thoughtfulness on this but it may just seem like the hype is getting in the way. I have seen many sides of this outside of the media in dealing directly with mil/gov types and various thought processes are out there. Generally though, people are grappling with technologies they don't understand and thus the framework is muddled as is the response.
Krypt3ia Mikko, Yeah, the animal behind the keyboard is the target ultimately and PSYOPS/DISINFO etc is becoming more used and understood by the general populace. It's all about manipulation.
Mikko Jakonen So what's new now? It's been a couple of weeks now, we have seen 0day Java exploit, we have witnessed 30k assault over SaudiAramco - how the Deterrence should be visualized now?
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
