Stuxnet: Tsunami of Stupid or Evil Genius?

Friday, June 01, 2012

Ali-Reza Anghaie


By now you probably have read The NY Times piece Obama Order Sped Up Wave of Cyberattacks Against Iran and, if you follow me on Twitter, a number of stabby tweets.

Countless hours have been spent on STUXNET and I won't rehash it all - all the technical details, actors, decisions, etc. have been guessed at some point and confirmed completely or in part by today's NYT piece. There is just one thing ~I~ wanted clarity on, and I got it:

"He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons — even under the most careful and limited circumstances — could enable other countries, terrorists or hackers to justify their own attacks."

So the Bush and Obama Administrations did realize they were probably establishing new "Rules of Engagement" with STUXNET? And they still executed and expanded operations at that time - with the situations going on in Afghanistan and Iraq?

And potentially, if Iran is to be believed, they may have continued operations against Iranian oil fields and other economic spheres today, against the additional backdrop of the Arab Spring and continued economic unrest worldwide.

A lot of people look at Iran or terrorists and say they'll always act with guerrilla intentions anyway, but that's simply not the case. There are limits depending on what they have at stake. They know they're almost always asymmetrically overpowered, and while they're often a bit off-kilter, they are rational actors.

Cutting to the chase...

STUXNET was a strategic mistake. It ushered in a new era in Cyber we weren't ready for. If we were going to do stupid, we should've done the stupid we know all the angles of and gone kinetic from the get-go. Now, regardless of STUXNET, we're all struggling with the question of if and when Israel will go kinetic on Iran and what part the US might play in it anyway. We just compounded ugly.

I've stated emphatically that I think weaponizing Cyberspace is a losing proposition across the board, but it's still going to happen. I was just hoping we'd cut it a bit short and realize the errors - this NYT piece makes me feel like we don't have enough depth in DC to realize the risks before it's too late.

Now - I didn't go to a War College, nor do I have any insider information, and I frequently say a lot of InfoSec practitioners who have wandered into geopolitics are armchair Generals. Myself included. So I always work under the assumption that I'm probably wrong, and try to hash out where, and learn.

This time - sorry - I think I'm right.

Cyber is unique in that you give away your weapons, your tactics, their design, etc. simply by using them. It's only a matter of time. You'll never know if you have better or the same weapons as your adversary. You're not always sure where the cyber attack is coming from.

And the battlefield, by default, crosses uninvolved Nation-State boundaries and online services, and engrosses economic spheres far wider than any traditional conflict. Even more so than traditional conflicts, a Cyber conflict can cause further stunting of underdeveloped regions of the World, and reactions like Nation-State Intranets, more surveillance, less Freedom, etc.

OK - let's still say you were going to do this. At the same time you were complaining we're not ready for attacks? Preaching Doom & Gloom about our own Grid. About our own infrastructure. THAT'S when you choose to attack the nuclear infrastructure of another Nation-State?

It doesn't matter if you've got big guns, if you don't have pants on, don't poke a Honey Badger in the eye with a stick. Certainly don't do it when all the other angry critters see you're occupied elsewhere and without pants.

So let's say the instigation and the race for readiness was a calculated risk. Some people have suggested it's Genius to mobilize "our forces" this way - to force readiness down from on high.

Uhh. No. We don't have the documentation, the human resources, the know-how, or the slightest clue what to do on a wider scale. This isn't a centralized send-a-man-to-the-Moon sort of project. We. Just. Aren't. Ready.

So here we are: each day someone else talks about Terrorism Online or Cyberwarfare, and our lack of readiness across the board. And we pushed the first pieces forward? (The Russia-Georgia or Estonia arguments don't compare - let's not bring those back up.)

Was it the right time? Do we have that much confidence in our economy's ability to absorb a return salvo and our military's ability to respond asymmetrically? Do we have confidence that allies will support us both economically and militarily? Do we have the right stand-off ability?

It was just too soon. I'm not sure Donald Rumsfeld was asked, but is this a case of "As you know, you go to war with the army you have, not the army you might want or wish to have at a later time"?

I'm sure we'll get a better picture and re-visit this when Confront and Conceal is released.

Cross-posted from Packetknife's Space

Ali-Reza Anghaie As a follow-up you can hear more at including how this could be more Evil Genius than stupid. -Ali
Andrew Baker Wading into armchair general space for a few moments...

Cyber warfare is already being pursued by many nations, and so not pursuing it on purely philosophical grounds is probably not that helpful. The nuclear arms race occurred because everyone was sure that everyone else would do it regardless, so they did it too.

Pursuing cyber warfare has some advantages over conventional physical warfare, particularly when trying to prevent or forestall a country from obtaining nuclear capabilities. Diplomatic options are ongoing, and other military options are less appealing (and more fraught with risks). Not a really good place to be.

None of this is to suggest that I am for or against any of the decisions that have been made. I'll keep my feelings on this to myself as I have no intention of tilting this discussion in any political direction.

Cyber warfare is here, and has been for some time. Stuxnet did raise the bar, and eventually will become available to others, as will subsequent other weapons. This is largely true in the physical realm as well, although there are a few caveats, and is something that we will just have to deal with now that the cat is out of the bag.

I will say, that many of the comments about our lack of preparation might be deliberate propaganda, though. Not that I think that our infrastructure is flawless, mind you, but there's no other legitimate reason to broadcast those kinds of weaknesses unless you want people to falsely think they are weak (vs something else), or you want them to think that those are false targets.

I do agree that we've just compounded ugly, though... Big time.

Ali-Reza Anghaie I agree Cyber warfare was already on the table in concept. I agree it's going to be pursued - and as I stated, losing proposition or not, it's going to happen. Furthermore it's not secret I have spent a majority of my time in Defense circles. I'm quite hawkish.

The perceived advantages are quite unfounded - how do we know that? It's completely new space, and what we do know is that the response, when ~any~ new form of warfare that isn't OVERWHELMINGLY asymmetric domination (read: Hiroshima) comes in, takes ways not previously seen. History has firmly demonstrated that. That's the main concern I state here with this action. It wasn't definitive enough in the timeframe and space to prevent mobilization, relationship building, and responses.

Further the idea we delayed the program.. wait, actually, this just all happened on Twitter. Let me redirect to the more salient point with regards to Iran ~here~:

Iran responded by cultivating "winning" relationships immediately. We gave them that window, and now discussions of kinetic response range from "we couldn't hope for success" to a much larger scale of operations than a few years ago. And diplomacy? We have a continued two-headed Iranian regime and didn't foment enough leverage w/ the Basij and regional IRGC infrastructure to hope to gain an actual foothold with the Green Revolution. (Short version.)

With all that said 1) The podcast I link talks about the potential positive results and other ways to look at this. I'm not immune to those views - they're just not captured in the core text.

And 2)

Bottom line: The better Digital Warriors get at their consoles and behind their SDRs - the more ~likely~ they'll see kinetic absolution.

This, ultimately, is the "reality" of a future in Cyber war people have to be ready to accept. Cyber doesn't end Cyber - it may be prolonged and there may be reduced bloodshed - but it's going to end kinetically. And probably shift "collateral damage" to the economies of the underdeveloped in the Gap while those with resources play this new field. And in those Gaps? Extremism will be fertilized. Rinse. Repeat.


Thank you for taking the time - if you're looking for the "positive" views perhaps listening to the Podcast linked in the first comment will appeal to you. Cheers, -Ali
Ali-Reza Anghaie Anybody who reads this, agree or disagree, should really consider reading this piece (and the references) from Abu Muqawama:

Cheers, -Ali
Andrew Baker Thanks for this link, Ali

I agree with much of what has been posted there.

Cody Renden You state that once unleashing a cyber weapon you're vulnerable to the same attack. Isn't this obviously untrue to any competent IT infrastructure? If we designed stuxnet, it should be rather simple to detect it. After all, the attack vectors and signature are written in.

I would argue that cyber weapons are more likely completely one-shot. You unleash Stuxnet, once it is dissected you can easily prevent it.

Also, as stated above I think it's naive to say we shouldn't do this kind of thing because we're opening a can of worms. I'm fairly confident we're already engaged in a cyber war... maybe there is a Chinese stuxnet sitting on our power grid right now waiting for an attack. Least we're building our cyber-muscle on a much inferior opponent financially and probably technologically.
Ali-Reza Anghaie I don't say that - I'm speaking of the doctrine. Furthermore what you say makes it sound like all pathways to pain lead through one place - one place we can monitor. That's simply not the case.

While I'm talking about the doctrine and geopolitics of it above, let's address your technical posit:

- First off, to unleash a STUXNET you had to keep it secret - including from your own onshore. Otherwise, if say certain AV vendors or IPS solutions were suddenly releasing really specific rules, you're further compromising STUXNET. In this case the proverbial "we" didn't have the same infrastructure, but if it broke free of the confines which they first set (and it did, by their own admission), a broader, more generic tool like Flame could too (and oops, it did after people started looking for it). Although there is much disagreement over whether Flame was Nation-State sponsored (I'm in the disagreement pool there, but using it as an example concept). So, in summary, to protect against a weapon you developed means you're compromising the operational security of the weapon as well as maintaining a lot of choke points and universal control over all the exposed threat surface area. Neither of which the US could do even if they really wanted to, with so many people involved, Multinational corporations, etc. Collateral is inevitable.

- The "one shot" theory works against the adversary, but what I discuss is that the doctrine creates many many adversaries AND many many battlefields before we understand the consequences. And it doesn't matter if the 0-days used were patched on most systems right away. Chances are the ones we're most concerned about in this context, critical Infrastructure, will be ~exactly~ the ones that will ~not~ be patched as quickly as the others. Furthermore there are many many other players in this space, both private and other Nation-States, that can't mobilize in the way the US would hope to. We're leaving them open for collateral in a way that we may not be able to step in and defend. Or have the political willpower to do so. So if there are a few other Nation-States that have major collateral consequences based on a tool that was developed from something we originally unleashed, who is responsible? And the economic problems that could arise for smaller, lesser-developed "allies" could lead right into isolation, either by naive Nation-State Intranet plans or flat-out anger. Exacerbating the two problems that lead most to extremist elements --> War on Terror --> rinse, repeat. So again, if we create an environment that ~we~ can handle but our "allies" can't, or lesser-developed haven't-chosen-a-side countries can't, we still suffer if they suffer with this new doctrine. It should be noted that to an extent the doctrine on using mines in war had a lot of similar discussion behind it. As I've said elsewhere, let's not repeat those sins.

- Again, I say that weaponizing cyberspace is a losing proposition. What "enables" that is what enables all sorts of other Cyber fraud and security problems we risk. While I don't expect you to have read everything I wrote recently, I can say if you want clarifying context then you can see both:


Basically I believe we shouldn't be rushing into it without establishing some treaties that, while they would NOT prevent it, would at least put some agreement on ground rules between the biggest players. Establish a sense of MAD - Godfather Doctrine - or whatever you want to call it.

I have stated numerous times I'm hardly a pacifist. Note in this piece alone I'm suggesting overwhelming asymmetric response was the only way to back up this cyber weapon IMO. And we didn't consider that until much later, and now it's much more difficult.

Thank you for reading, -Ali