Stuxnet — a cyber “cold start”?

Ikram Sehgal

Very recently a security firm in Belarus discovered a piece of “malware” which they called Stuxnet, a worm that spies on and reprograms industrial systems, the very first to successfully target critical industrial infrastructure. Specifically meant to attack “Supervisory Control and Data Acquisition” (SCADA) systems used to control and monitor industrial processes, Stuxnet targets Siemens computers in the network, spreading through infected USB flash drives. A major computer virus attack was made on the Windows computers at Iran’s Bushehr nuclear power plant; however, it does not seem to have damaged the major systems at the plant.
Designed as a kind of guided missile to target facilities, this virus is not the work of some odd hacker sitting at a computer. Only a government or a government-level group, with a well-financed, highly organised team of programmers and access to plenty of specialised resources, could have created it; it is a prime example of clandestine warfare. The educated speculation is that the virus was designed by Israel to target Iran. A virus of this type can effectively destroy an entire factory or power plant, causing them to fail in ways that are virtually undetectable; the results could be as spectacular as the detonation of a bomb, yet there would be no trace of the bomber, or any way to find out who it was. The complexity of the software is very unusual for “malware”. If Pakistan is using Siemens centrifuges, we are in deep trouble. Dangerous proliferation is a distinct possibility: if the problem is not fixed in the near future, independent hackers may soon start using it. Melissa Hathaway, a former US National Secretary Coordinator, has warned against proliferation “as a real problem, no country is prepared to deal with it.”
Addressing EWI’s First Worldwide Cybersecurity Summit on May 4 and 5, 2010 in Dallas, Texas, EWI’s President Edwin John Mroz said, “differing perceptions, concerns and suggested solutions availing from different points of the globe must be understood as a vital first step to find common ground for joint actions that are so desperately needed. We cannot allow the technological advances to continue outpacing common-sense cybersecurity measures. It is time for the world to confront the challenges of our digital age.” Paraphrasing this in the context of Pakistan, “it is time to understand and confront the imminent national security challenges we face because of our pathetic lack of knowledge of cybersecurity”. Cyber warfare is rapidly developing into the “fifth domain”, following the four domains of land, sea, air and space.
The Summit recommended, viz: (1) focusing on problems of common interest (technical issues, spam, etc.) to find consensus and build trust; (2) creating an umbrella organisation integrating the 12 regional organisations around the world dealing with cybersecurity; (3) beginning a private-public dialogue in finding solutions, i.e. a voluntary rating system of best practices and rewards for institutions that implement standards that reduce risk; (4) paying attention to critical international infrastructure (e.g. underwater sea cables) whose oversight and vital dependencies go beyond those of an individual nation-state or existing inter-governmental organisations; (5) establishing a coordination centre between the information response teams of different countries to act in case of a cyber catastrophe; (6) using cyber technology in other ways, such as applications for humanitarian efforts and for finding victims under debris, to create a “safety blanket” when a disaster happens; and (7) sensitising countries experiencing a proliferation of spyware, especially in Asia, to the lack of a legal framework to regulate cyberspace and to combat cyber crimes.
Three levels of information warfare need to be understood (and regulated): political, military-strategic and military-tactical. Lastly, electronic warfare oriented to single enemy targets or groupings in a localised vicinity is often overlooked. If there were an ability to demonstrate a specific entity’s or a foreign government’s complicity in an attack, what are the options for response? A physical attack on any nation is an act of war that would certainly be met with retaliation; should the same principle apply in the context of Internet attacks in cyberspace? Should cyber policies hold a hosting state responsible for attacks launched by its agents, sanctioned or not? Is the response to a cyber attack limited to the cyber world, or are physical responses on the table? If Iran discovers Israel was the source of the Stuxnet attack on Bushehr, what next?
According to renowned cybersecurity expert Lt Gen (USAF Retd) Harry D Raduege Jr, the US built a “strategic triad” of land, sea and airborne nuclear weapons during the cold war that deterred a nuclear attack. The US now needs a “cyber triad” that will similarly deter cyber attacks. The first leg is “resilience”, the enemy knowing that a first strike would be futile. The second leg of the triad is “attribution”, the ability to determine where and how the cyber attack emanated. The final leg, “offensive capabilities”, is the only way to deter attackers by confronting them with the ultimate risk of overwhelming retaliation. The US National Security Council (NSC) says, “an overwhelming military response is a vital option to a massive cybersecurity attack.”
A cyber attack may well herald a physical attack, something far more dangerous, and this distinction is important for Pakistan. India’s “COLD START” plan is Pakistan-specific: an all-out physical attack across our frontiers against vital Pakistani targets by pre-designated forces, without any mobilisation and without any warning. Viewed in conjunction with, and preceded by, a cyber attack, this becomes ominous. Both in 2002 and 2008, India reacted to terrorist excesses by non-state actors by blaming Pakistan, which brought us very close to total war. India’s capacity and vast lead over us in cyber issues is something we cannot be complacent about conceding. To forestall an all-out war that may happen because of the machinations of third forces, it is necessary to put in place pragmatic confidence-building measures leading to a fail-safe mechanism. Worse, in upending the present nuclear détente, India may over-estimate the effectiveness of a cyber attack aimed at crippling our nuclear machine. Our self-defence measures would then trigger massive nuclear retaliation. Armageddon, anyone?
Pakistan’s domestic preventive measures must be a part of civil defence in the overall concept of national security, viz: (1) educating for awareness, capacity and trust building, as well as the systematic training of key policy makers and the overall population; (2) not taking for granted that the Internet will be “on” forever, since its being down would “rain disaster” on online businesses as well as transport, industry and government surveillance systems. It makes strategic sense to use cyber potential as a weapon of war. Other than education, the basic elements required for security are governance and technology. Moving forward, security must be designed into new software and hardware products from the earliest planning stages; and (3) interconnectedness mandates multilateral coordination. A cohesive and coordinated approach that reflects existing political structures has remained elusive at the regional level, much less the global one.
After 1971 Pakistan should have no illusion about our “friends” coming to our help in our time of dire need, given the uneven conventional balance that we offset by building up our nuclear deterrent. Similarly, our cyber defences must be built at both the strategic and the tactical level. The problem is that the speed of the possible attack limits our response with respect to time; we do not have the luxury of second-guessing a cyber first strike. Our strategic planners must put in place (and soon) a potent and credible defence mechanism against a cyber “COLD START” from malware of the Stuxnet kind.

The writer is a defence and political analyst. Email: