By Courtney Walsh —
In June of this year, a new and powerful threat to national security emerged in the form of a cyber worm. Stuxnet, as it has since been named by computer experts, represents a new frontier in the use of force in cyberspace. While much remains unclear about Stuxnet, such as its source and specific target, further study has revealed that this piece of malware possesses a highly complex and discriminating series of targeting code aimed at the substantial disruption and even ultimate destruction of industrial processes. These findings have led to a growing consensus in cyber security circles that Stuxnet is the world’s first successful employment of a guided cyber weapon that has the potential to destroy real, tangible targets.
In a recent interview with the Christian Science Monitor, German cyber security expert Ralph Langner described his analysis of Stuxnet. According to Langner, Stuxnet is a piece of malware designed to target industrial supervisory control and data acquisition (SCADA) software, which is used to control factory and plant operations across the world in various economic sectors, including energy and chemicals. While Stuxnet can easily spread to many machines, it lies dormant in most and, in fact, may never execute its code. As it lies dormant, though, it monitors the host machine in five second intervals to determine whether its engagement code has been triggered. These trigger conditions are designed in order to execute the attack and manipulation of a particular industrial process at a specific time and location. This ability to discriminate potential and actual targets depends upon no human command and control. Like its discrimination controls, its subsequent operation once engaged requires no positive, human command and control.
Once engaged, that is where Stuxnet makes the leap from the cyber world into the destruction of a real-world, tangible target. For example, Stuxnet may be used to override a plant’s programmable logic controls (PLC) for the operation of a turbine. While the original PLC will presumably control the RPMs so as to ensure safe and efficient operation, the Stuxnet code (assuming this is its target) will override the PLC and may direct the turbine RPMs to soar beyond a sustainable speed. With the turbine RPMs ratcheting higher and no way to counteract the Stuxnet control, it is not hard to imagine the turbine destroying itself and possibly the entire plant in short order. In other words, the resultant targeting effects of a Stuxnet attack are the same as if ordinance had been dropped on it – Stuxnet or cruise missile, either way the plant turns into a fire pit.
Analysis of Stuxnet has been pushed to the forefront of national security conversation with two discoveries. First, the number of Stuxnet-infected computers is surprisingly large. According to a report by Symantec, approximately 100,000 computers worldwide are infected. Most interesting, Symantec estimates that approximately 60 percent of the computers infected worldwide are located in one country of intense interest – Iran. This dovetails to the second discovery causing heightened interest in Stuxnet – the revelation that some of those infected computers are associated with Iran’s Bushehr nuclear plant.
While speculation is rampant concerning the possibility of a Stuxnet infection of the Bushehr nuclear plant, a few things are known. First, the head of Iran’s atomic energy agency has stated that Stuxnet has infected the personal computers of some technicians who work at Bushehr (though the government denies that Stuxnet has spread to the plant’s main computers). Second, it is known that Stuxnet is designed to target the sort of plant process software employed at Bushehr. Additionally, there is at least one reference to an Old Testament story about a Jewish victory over the Persians in Stuxnet’s code. Finally, the plant has been plagued by delays and will not go online for at least another three months, according to the Iranian government. These circumstances, even if ultimately proved coincidental, have made many analysts and policymakers pause to consider the possibility that Bushehr was the object of a targeted cyber attack and how this new reality affects the national security posture of nations dependent upon computer technology.
In particular, William Lynn, Deputy Secretary of Defense, has voiced the need to rethink comprehensively how the United States defends itself in the cyber realm. In particular, he has identified difficulties that cyber attacks pose when applying the law of armed conflict. For instance, cyber attacks are not always easy to identify as either uses of force or attacks, as contemplated by Articles 2(4) and Article 51 of the United Nations Charter. For instance, while the Bushehr example may fit the definition of use of force well, there is a real question whether it would constitute an attack, authorizing Article 51 self-defense. Additionally, there exists a vast spectrum of lesser cyber incursions that, though certainly unwelcome, would constitute neither a use of force nor cyber attack. Whether a cyber attack’s severity constitutes an Article 2(4) use of force or attack is a critical question, because it determines whether and to what degree the affected nation may respond in lawful self-defense.
Also of particular concern is the issue of determining ultimate responsibility for a cyber attack and how that affects whether and to what degree a nation may respond. As Deputy Secretary Lynn succinctly states the problem, unlike missiles, there is no return address on a cyber attack. Even worse, the movement of much of this code, whether inadvertently or by design, passes through many nation-states, potentially causing an affected nation to attribute blame falsely to innocent actors and states. And clearly, as a law of war problem, the inability to identify a responsible party makes any responsive use of force problematic.
These emerging cyber threats defy easy answers. While nation-states seek to develop strategies that adequately respond to cyber attacks, they also face the challenge of developing strategic responses that are consistent with domestic and international legal norms.
Image courtesy of Bloomberg