We are in a real war with real weapons, but we may never see the actual soldiers, or even hear about the battles.
Unless you have never heard of the Internet, you are aware of malware, short for “malicious software.” Malware is the general term for all of the hostile, intrusive or annoying software that, among other things, tries to steal, destroy, or contaminate information. You are probably running some kind of anti-virus software on your own personal computer and maybe your smart phone to protect yourself. Worldwide, we spent about $14.8 billion for this software in 2009, and the respected analyst firm Gartner expects this to grow to $16.5 billion this year.
Malware isn’t new. In Clifford Stoll’s interesting book The Cuckoo’s Egg he describes how in the late 1980s he tracked down a hacker in Hannover, West Germany (remember, there were two Germanys back then). This hacker was getting into about 400 computer systems belonging to the US military and US defense contractors. Some of this information was sold to the KGB (you may also remember them, the Soviet komitet gosudarstvennoy bezopasnosti, the “Committee for State Security”). This was before the Internet as we know it.
The Ponemon Institute measures the actual costs to companies of data breaches at more than $200 per lost record. This includes direct costs like notifying everybody, reporting to governments or regulatory organizations, paying for credit checks, lawyer fees, penalties, and the general costs of the time it takes an organization to “fix” the problem. It also includes indirect costs such as the impact to the business. Over half the people who receive the “we’re sorry we lost your personal data” letter don’t do business with that company again. So when TJX had 45.6 million credit and debit card numbers “borrowed” in 2007, it was a real blow to their reputation and their pocketbook. Let’s see, if it really was $200 times 45.6 million – wow, that is real money.
All this has been “practice” and weapons development. We have now moved beyond this stage with the development and deployment of real malware that is not just very annoying, but with the capability to do significant physical harm.
In 1921 Brigadier General Billy Mitchell proved that air power could destroy navy warships, including the ex-German World War I battleship Ostfriesland. The navy had considered the Ostfriesland unsinkable. In general, the US military was unimpressed. While the German Air Force in the late 1930s proved the value of air power against ground forces, it took 20 years from Mitchell’s demonstration until the Japanese finally proved the power of an air attack against a strong navy fleet and changed the nature of country-to-country war.
Similarly, it has taken about 20 years to go from the annoying stage to the really dangerous stage in malware.
So what has changed? Over the past 20 years, malware creators have learned how to distribute their product quickly and efficiently around the world, easily infecting millions of computers in hours. They have learned how to get information from those computers, and how to capture your keystrokes. They have learned how to change the information on your computer. The last steps are now complete: they know how to identify a single computer, monitor what it is doing, and then cause that computer to do something outside of what it is supposed to do at a critical moment.
First discovered in June, a new piece of malware that has been dubbed “Stuxnet” has been under intense study by computer security experts. This particular malware attacks process control systems manufactured by Siemens. Process control systems are the brains that operate complex facilities like chemical plants, nuclear reactors, railroad signal systems, water systems, power plants, electrical grids, …. Stuxnet is huge and very complex. Unlike the hacker Clifford Stoll tracked down in the late 1980s, Stuxnet is a very sophisticated software product that required a lot of resources to create. Stuxnet is essentially a guided cyber missile. It can seek out a very specific computer, wait for it to be in a very specific state, and then take over, overriding the existing software in the system. Stuxnet can do anything: shut down safety systems, shut down an entire process, or cause a plant to physically destroy itself.
By September, Stuxnet had infiltrated 45,000 industrial control systems. It can also attack systems that are not connected to the Internet through the use of a thumb drive (the small portable “sticks” that you use to move files from one computer to another).
Who is the enemy? Probably some country, and not many have the resources and talent to create something like Stuxnet. In alphabetical order: China, England, Israel, North Korea, Russia, South Korea, United States. Since the initial concentration of the Stuxnet attacks appears to be Iran, Israel and the US are the “obvious” candidates, but both have denied having anything to do with it. Both China and Russia have government-supported companies helping Iran with its nuclear and other industrial efforts, thus giving them physical access.
In late September, China’s state media reported that Stuxnet had attacked millions of computers in China.
It took a lot of experts from many countries months to figure out what Stuxnet is. At this point they understand its capabilities, but don’t know what it is specifically targeting. They have determined that it is fairly easy to retarget it for different specific systems.
The US is reacting to Stuxnet and other cyber-war potential attacks:
- The US Department of Homeland Security is building specialized teams that can respond quickly to cyber emergencies at industrial facilities.
- The US Department of Defense established the US Cyber Command in May, 2010, at Fort Meade, Maryland. You may know that Fort Meade is the home of the NSA (National Security Agency), the chief watchdog over, among other things, computer security in the US DoD.
Before you decide whether this activity makes you feel better, consider how fast the government reacts to well-understood and sometimes predicted disasters like Katrina and the BP oil rig explosion.
Has the war actually started? Don’t know. We know that it infected systems at Bushehr, Iran’s first nuclear power station, just before it was scheduled to go online. Some groups will claim credit for incidents, whether they caused them or not, and no one will be willing to admit that they were successfully attacked.
The last word:
Don’t expect daily live film on the eleven o’clock news about the latest developments in Cyber War I. Conspiracy people will have a ball with this – every airplane crash, oil rig explosion, regional power outage, train wreck, or other major accident will become part of Cyber War I. Most of the time they will be wrong. Sometimes they will be right.
Keep your sense of humor – you’ll need it.