The discovery of the Flame malware last week focused the cyber security world on the sophisticated strikes targeting energy companies in the Middle East. Although Flame was built for espionage rather than to damage operations as Stuxnet did, it has been seen as one more indication that the industrial world is now in the bull's-eye of clever attackers.

On the heels of the Flame coverage, David Sanger, the Pulitzer Prize-winning Washington correspondent for The New York Times, this week released his new book, "Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power." Up to now, many writers have speculated that the U.S. and Israel collaborated on Stuxnet. This book does not speculate; it builds a strong circumstantial case that these two countries did indeed create and launch Stuxnet against Iran.

While the book does not include named sources or other hard evidence, the information is very plausible. A number of the technical subtleties of Stuxnet are described with unusual accuracy. Dale Peterson has pointed out a number of technical flaws in the New York Times' article based on the book, but these appear to have been introduced by the New York Times editors, as they are not in the book.

Undoubtedly, there will be other mistakes in a book like this, but the core message seems very plausible – the U.S. and Israel did launch Stuxnet against Iran's nuclear program.


Left Photo: U.S. President Barack Obama. Courtesy:
Right Photo: Iranian President Mahmoud Ahmadinejad views centrifuges at an Iranian nuclear facility. Courtesy:

The Gloves are Off – Cyber Warfare is in the Open

Up until now Iran couldn't be sure who created Stuxnet, so it might have held back from launching a counter attack. (Of course countries don't always wait for definitive proof before taking military action. The U.S. invasion of Iraq is an example of this.)

Now, true or not, the New York Times story has made it difficult for the U.S. administration to deny it was behind the Stuxnet attacks.

This means that the gloves are off. Cyber warfare has moved from "you don't ask and we don't tell" to open aggression between countries.

A 2011 Wall Street Journal article stated:

"The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force."

Does this now give Iran the right to respond with a military option?

Cyber Strikes are on the Minds of Many World Leaders

At the just-concluded ISS Asia Security Summit, the UK Minister of State for the Armed Forces, Nick Harvey, commented:

"Pre-emptive cyber strikes against perceived national security threats are a 'civilised option' to neutralise potential attacks."

At the same conference, Malaysian Defence Minister Ahmad Zahid Hamidi said a cyber arms race was already under way:

"What remains disturbing is that cyber warfare need not to be waged by state-run organisations but could be conducted by non-state entities or even individuals with intent to cause disruptions to the affairs of the state," he added.

Implications for Critical Infrastructure Providers

The likely targets of cyber attacks aimed at nation states are energy, water and transportation systems. If your facility is in these sectors, you now have more urgency than ever to make sure that your facility is following robust cyber security practices.

What do you think of Sanger's assertion that the U.S. and Israel are behind Stuxnet? Is it plausible? What does it mean for your company's cyber security practices, especially if you are in a critical industry?

© Byres Security Inc. 2012 | All Rights Reserved | Byres Security is part of Hirschmann, a Belden brand