Stuxnet and Cyber Deterrence

Monday, August 13, 2012

Robert M. Lee

Aadb52f9100e0d31264fb3ce9e3d2536

The United States has not claimed any responsibility or role in developing and using the cyber weapon known as Stuxnet. 

Nor has it claimed any responsibility in DuQu, Flame, or Gauss which all seem to share commonalities if not solid connections via shared source code, vulnerabilities, and modules. 

However, it would be hard to miss the New York Times’ article on Stuxnet as well as all the analysis done on it and its possible partners that cite the United States’ government’s involvement. 

Regardless of your opinion on the attribution or what inspired it, it is clear that the world believes the United States was behind the attack on the Iranian uranium enrichment facility at Natanz and an ongoing offensive cyber campaign.   This has powerful implications on the cyberspace domain and particularly cyber deterrence.

Activities and operations in cyberspace are not new. For decades the cyberspace domain has been filled with activities from botnets and scams run by cyber criminals to operations orchestrated by nation-states. 

For the most part, cyber attacks and the tactics behind them have not changed.  New technologies have been presented over the years but many attack vectors, including phishing emails and insider threats, remain the same. One thing that has changed though is the amount of news coverage cyber attacks generate. 

The general public is mostly unaware of even high profile cyber attacks including operations Shady RAT, Aurora, and Night Dragon.  Yet, Stuxnet has become a household name.  This is for a good reason though as Stuxnet demonstrated an ongoing operation that resulted in the physical destruction of a nation’s critical infrastructure through computer code.  It is both exciting and scary at the same time. 

Stuxnet generates an emotion from almost everyone that knows about it whether they want to express that it was the right decision, that it was irresponsible, or that they are tired of hearing about it.  It is truly newsworthy and important on a global level.  And out of all of its importance to the cyberspace domain one of the greatest aspects is its role as a case study.

Stuxnet acts as a true and prime case study when it comes to discussions on cyber deterrence.  The possibly related pieces of malware (Gauss, Flame, and DuQu) can arguably not be considered cyber weapons as none of them, as of yet, have caused physical destruction. 

The three pieces of malware are very impressive and advanced nation-state cyber capabilities that have demonstrated an ongoing cyber espionage campaign but have not risen to the level of Stuxnet.  They are, in a way, very similar to previous cyber campaigns and capabilities highlight in numerous threat reports and news media articles.

Gauss, Flame, and DuQu generate a level of cyber deterrence in of themselves (being attributed to the US and Stuxnet offer them an extra level of credibility) but the importance for deterrence purposes is still placed on the capability to impart physical destruction through cyber capabilities.

Before Stuxnet, the only public attribution discussions were to cyber attacks/conflict and not to an example of a true cyber weapon that was able to cause physical degradation of systems.  Military leaders, government officials, and security experts put forth their ideas on cyber deterrence and how a nation might achieve it, yet the ideas were mostly based on educated guesses and expected results. 

The consensus of many was that deterrence could only truly be had when capabilities and weaponry were showcased.  It makes sense that cyber weapons cannot deter adversaries from attacking when adversaries do not know what type of arsenal a nation has. 

However, there were few historical events to look at as case studies and use as lessons learned.  Proven strategies simply could not be developed based on the lack of information.  Stuxnet changed that.

Stuxnet clearly showed that a nation-state was capable and willing to use an advanced cyber weapon against an adversary.  With the world believing that the United States is responsible, the nation now has the highest level of credibility for willingness and capability to develop and use a cyber weapon. That is a strong deterrent. 

But will it be enough?  What will the outcome be?  The fear is that Stuxnet opened up the United States to similar attacks and has encouraged this type of warfare in a way which was not present before.  This uncertainty and doubt may yield negative results and momentum for everything from inaction on key legislation and treaties to a security company trying to convince people that buying their latest product is a point of national security. 

Yet it is also possible that impactful legislation passes, more cooperation between the government and civilian communities occur, and that national critical infrastructure receives better protection. The truth is though that no one knows the outcome.

A nation has never been in this situation before.  The case studies do not exist.  The context has not existed. And like it or not things have changed.  It does not matter what anyone says about the United States’ involvement in Stuxnet or any of its possible relatives; the perception of attribution is there and now has to be dealt with.

How the nation moves forward from here, how it responds to threats, and what strategies are developed will all impact the future of cyber deterrence and the entire cyberspace domain.  This is a crucial point in the history of the domain and all of us can only try to do our part and hope that level headed and responsible actions prevail. 

Whatever your opinion is on Stuxnet, there is at least one universal truth that has come out of it: things are only going to get more interesting.

Follow Robert on Twitter @robertmlee

***Disclaimer***

Robert M. Lee is an Air Force Cyberspace Operations Officer yet his views and opinions in this article do not represent or constitute an opinion or endorsement by the United States Government, Department of Defense, or Air Force.  His opinions are his own.

Possibly Related Articles:
18515
Network->General
Military
Government Cyberwar Stuxnet Deterrence cyberweapons DUQU Offensive Security Flame GAUSS
Post Rating I Like this!
Da3ca2c61c4790bcbd81ebf28318d10a
Krypt3ia So you're discounting the leaks from the WH then? http://www.wired.com/threatlevel/2012/06/stuxnet-leak-investigation/
1344866257
Aadb52f9100e0d31264fb3ce9e3d2536
Robert M. Lee The link you posted was written based off the New York Times article i mention in the beginning of the article. I.e. Im not discounting anything. The US governmet has not validated those leaks but one the points of the article is that it does not matter if the leaks are true or not the reality of the consequences are the same.
1344875801
F66c1a87a8db2cb584b4e06e93a84ce3
Mikko Jakonen Do you think that cyber weapon must perform "physical damage" prior to be counted as weapon? While comparing to other domains, I see much equivalency, which do not perform physical damage nor agent for it, in first hand.
1344882829
Aadb52f9100e0d31264fb3ce9e3d2536
Robert M. Lee The DoD has numerous platforms that are considered weapon systems yet they do not impart physical damage. I do believe though that in trying to develop the cyber domain and terminology within it that it's beneficial, at least in it's current state, to classify cyber weapons as those that can cause physical damage. However, in it's truest form a cyber weapon is dependent more on who uses it and with what intent/operational objective than if it causes physical damage. Again though, with limited attribution surrounding most cyber operations and disconnects from the traditional domains of warfare I believe it better to focus on physical destruction aspects in classifying cyber weapons....for now.
1344883577
F66c1a87a8db2cb584b4e06e93a84ce3
Mikko Jakonen Appetizing view, I had to think this couple of times before typing it. By influencing high-velocity human factors and operational efficiency, performance, capabilities with pieces of software standing on top of OSI layers, focusing on intention to paralyze or misdirect. I feel it could be called usage of cyber weapon. It is very analogical to conventional warfare and the disctinction between domains is hard to make. Making my case here: Instead of disabling cellular network, paralyzing and falseflagging society in focus, making it vulnerable for efficient misdirection and uncertain of situation.
1344888011
Aadb52f9100e0d31264fb3ce9e3d2536
Robert M. Lee You make a good point and I don't disagree. I feel what you've discussed/hinted on will be more aligned with the longterm definition of cyber weapons. I feel they need defined out a bi more rigidly at this point in the domain's development but in truth it'll take multiple viewpoints/definitions with some time for the domain to grow before reaching a solid answer on that topic. Either way good posts and thanks for the solid discussion.
1344888616
F66c1a87a8db2cb584b4e06e93a84ce3
Mikko Jakonen Sure, time will tell us how wrong we were with the magnitude in question.
1344889057
Da3ca2c61c4790bcbd81ebf28318d10a
Krypt3ia Thus the idea that it's not cyberwar until it is kinetic.
1344889961
F66c1a87a8db2cb584b4e06e93a84ce3
Mikko Jakonen Cyber weapons could be used prior casus belli, which, in turn would make it war and kinetic.
1344890540
Aadb52f9100e0d31264fb3ce9e3d2536
Robert M. Lee The whole cyberwar topic is another one altogether. I think you and I share plenty of viewpoints in that regard. Personally I don't feel cyberwar is a valid discussion because war in of itself is never truly limited to one domain. There will not be an aerial only war, nor ever again a land only war, or naval only war. The domains all work together and have capabilities useful in various operations and mission objectives. Cyberwar seems to be thrown around more as a FUD term than an actual attempt to study or understand cyber conflict.
1344890575
F66c1a87a8db2cb584b4e06e93a84ce3
Mikko Jakonen Older people are talking about information warfare, its predecessors and relations to other doctrines. I dont think it exists a conflict which is won by aerial operation solely either. Single battle yes, winning war require manpower, which equals physical presence.

However, I believe we are in uncertain territory here, defining the conflict boundaries and implementations gets harder to distinct from each other.

The domains, like cyber in question, it is new and practically without history compared to traditional warfare with rocks and sticks. If human physical involvement, or presence, with the conflict decreases, perhaps even dramatically, what then happens with the boundaries and disconnects between domains? Are we able to "win the war" purely with information warfare?

I've tried to find some understanding from those 60's cartoons and science fiction movies. Remember they show'd us how cars were flying and we were teleported to distant locations etc? Well, what happened instead. The information management or managing the information capabilities through the globe truly pushed us forward, we are able to "teleport" huge deal of data, make things happen in remote locations etc. instead of having such fantasies come true, we evolved in areas we did not have even clue back then. Why would'nt information warfare grow out from the limited box as well, as the physicalities now all use information in form or another. A bit stretched flow, but hopefully uncluttered.
1344892919
Default-avatar
James Webb Quick thoughts: The contention that the attribution of Stuxnet to US (and Israeli IDF) might represent a strong deterrent seems insufficient. As you allude, the resiliency of our critical infrastructure to attack is another major element of deterrence calculus. Without this, we in effect have nice stones to throw from within the glass house.

Also without demonstrable resilience, the risk of a "go first" strategic evaluation seems relevant especially for nation states that have lessened dependence on cyber domain for civilian and military operation(ex: N. Korea) or viable analog legacy backup systems. Interesting to speculate if earlier events this year also might be meant as demonstration of possible defensive asymmetry (ability to fire + disconnect):
http://www.zdnet.com/blog/asia/chinas-mysterious-internet-outage-speculation-over-a-kill-switch/1636

Thanks for thought provoking post!
1344919111
Aadb52f9100e0d31264fb3ce9e3d2536
Robert M. Lee @Mikko great post as usual. I believe there is a distinction between Information Ops and Cyber Ops although they can interact and aid each other. I agree with you though that there are many uncertanties and things that have to be discovered largely without historical context. This points back to my point in the article that Stuxnet serves as a great case study. I think that really will be its ultimate purpose in terms of strategy and doctrine. As you mention though I believe cyberspace operations will grow far beyond their limited box they currently reside in (and what a vast box that limited one is).

@James Really solid points. I feel the resiliency of our own critical infrastructure (or lack thereof) plays a huge role in decreasing our cyber deterrence. However, the US' apparent/supposed willingness and capability to use cyber weapons has pushed us farther down the road in terms of deterrence than any other nation. I honestly don't know if it'll be enough but it's something to consider for sure. Your example of North Korea and discussion of asymmetry type warfare (when you look at irrational/non nation-state actors what role does deterrence really play?) is a very valid point. I believe the point to focus on is that "something" has changed and that cyber deterrence has been affected in a way it has not been broached before. In what way or to what regard only time will tell although I personally feel the US now has the highest level of cyber deterrence of any nation; how that works in comparison to normal deterrence doctrine or applications of warfare is completely uncertain at this point.

And likewise gentlemen great posts. I love good intelligent conversations; debating these things out combined with education is really the root way to make the domain better in the long run.
1344928771
F66c1a87a8db2cb584b4e06e93a84ce3
Mikko Jakonen Personally I feel that many of the nations do have cyber security or cyberwarfare initiatives, but only holding defence viewpoint justified by the nations politics and overall situation. This, anyway, leads to well known discussion held about capabilities to have adequate performance and capability, without actual deterrence and weaponization of the platforms.

What comes to the capabilities, it sure looks like by the budget numbers and what has been released, that US is leading the score. In many ways.

And in addition, I have that strange tickling on my back of the neck that tells me we are closing the gap for advancing cold war. Not painting any fiends here.
1344944714
Da3ca2c61c4790bcbd81ebf28318d10a
Krypt3ia Rob, Mikko, How then do you all feel about how we approach this sanely when we have the likes (here in the US) of Richard Clarke et al spewing the "Cyber Pearl Harbor" args? It's just out of hand.
1344958186
Aadb52f9100e0d31264fb3ce9e3d2536
Robert M. Lee @Krypt3ia I feel there a number of paths and measures which can help the overall security of the cyber domain and in particular the US' preparation towards cyber conflict. Avenues such as information sharing between businesses and government, better legislature to support information sharing while forcing companies to take better approaches to protecting sensitive customer data and critical infrastructure, more open communication between nation-states on the issue, a more vectored approach to the military's role in the domain, etc.

A lot of those can be highly debated (and should be) as to what level and aspect of each is appropriate. However the real answer in my opinion is the education of the next generation. Offering reasonably priced conferences, training programs, and educational opportunities. We simply do not have enough well trained (actually trained not just people who hold certain certs) to create actionable threat intelligence (not just data and information) as well as defensive solutions and ways forward.

As far as Mr. Clarke et all I must admit I am torn. In many ways I feel that not many people wake up in the morning and want to make the world a worse place. Many including those who seem to get carried about with the "looming cyber threat" advocate based off their experiences. Many have experiences I do not have and so I feel harsh in judging those opinions too quickly. That being said I too believe that one day we will had our "cyber pearl harbor" moment where an offensive and open/aparent physical destruction cyber weapon will be used against the US. As Mikko mentions the US is not the only nation that possesses cyber capabilities. Eventually we will be a target and I do not feel we are prepared currently. But the way forward cannot be FUD and it cannot be based on individuals championing single solutions or security products. The way forward must be done with education, understanding, and a respect for certain rights such as the right to privacy. As a member of the military I believe a more offensive mindset is warranted but not the only solution and in what degree that is true must be debated.

I have a paper coming out with Air and Space Power Journal this Fall titled "The Interim Years of Cyberspace" where I speak on those issues. If you're interested I can email it to you.
1344975219
Aadb52f9100e0d31264fb3ce9e3d2536
Robert M. Lee Sorry for the grammar/spelling mistakes in these posts I've been using my IPhone and have missed some mistakes.
1344975359
F66c1a87a8db2cb584b4e06e93a84ce3
Mikko Jakonen I have been such a slowhand today, apologizes. I concur the paths and measures, as they are nation-state independent and particulary they are a part of good information security governance and management.

I just had a insightful discussion with some collegues regarding how to do things more wisely in future - all agreed: next generation training, beginning in primary/1st level education at some level already. Yes! In schools! This is due the need to raise awareness and understanding of the cyberspace.

Unfortunately I am on very bad position/aligned poorly to comment nothign about Mr. Clarke et al, until I do some understanding upgrade. However, I do feel that we are going to have a few digital "pearl harbor" incidents, some of them major (lights off), and I think this is potentially targeted only towards US.

All of this is greatly dependent of the doctrine, politics and direction chosen. I have to admit that small country, such as Finland has is advantages here but also a great deal disadvantages - giving an example of one thesis currently being audited argues that it took decades due the lack of economical understanding and proper threat analysis to push air superiority forward, which basically created a standstill.

In regards of papers, I am publishing paper titled "Influencing high-velocity human factors with Cyber and information warfare operations" - that is, because I believe the uncommon warfare influence has continuum and in addition, I believe there is clear "nexus" between cyber and kinetic warfare operations which influence our doings.
1344977081
Aadb52f9100e0d31264fb3ce9e3d2536
Robert M. Lee The paper sounds very interesting Mikko and I'm excited about your thoughts/research into that. When you publish it be sure to post a link.

Also in my expeience the Denmark and Finland CERTs are extremely well done and accomplish much. Many groups and CERTs have plenty to learn from their models and practices.
1344977987
F66c1a87a8db2cb584b4e06e93a84ce3
Mikko Jakonen I'll do. The main issue within Nordics is the co-operation capability with private / defence / government sector, toether. Do not get me wrong, It do exists, and it performs, connectivity ok - but grouping, or say - together driving force is very little, still.
1345040149
Page: « < 1 - 2 > »
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.