Stuxnet forced countries to assess their vulnerability to cyber-attacks and make cyberwarfare mainstream defense policy.
The last year has proved to be a game-changer in the perception of threats in cyberspace. Above all, the discovery of the computer worm Stuxnet alerted the world that cyber-weaponry capable of causing real havoc to advanced industrial systems is now a reality.
Stuxnet was designed to interfere with a particular target: the so-called programmable logic controller regulating the speed of electric motors in plants that included two of Iran’s nuclear facilities. This very specific aim strongly suggests Stuxnet was not the work of a random criminal gang but of a state intelligence service. It has acted as a starting gun in a long-distance cyber-arms race. All countries with a stake in global security are now assessing their cyber-defences and seeking to develop their ability to attack others.
Some, such as the former presidential security adviser Richard Clarke, see Stuxnet as proof that the US and western Europe are fatally vulnerable to a range of cyber-attacks that could result in a catastrophic collapse of the so-called critical national infrastructure (CNI). He described a doomsday scenario in which the US is reduced to stone-age conditions within a few days as viruses and other cyber weapons bring down planes and trigger nuclear explosions.
Few security professionals fear this “cybergeddon” is imminent, but there is nonetheless real concern that most banking, power and water systems are over-reliant on vulnerable computer networks.
There are significant questions about cyber-security to which nobody has yet found an answer. The first lies in the web’s interconnectivity and the ability of advanced users to disguise their physical location using the techniques of ‘anonymisation’.
There are three main areas of malfeasance on the web: cybercrime, cyber-industrial espionage and cyberwarfare (which is where Stuxnet usually belongs). Security professionals categorise most cybercrime as “high volume, low impact”, and say its policing should be left to law enforcement agencies like the UK’s Serious Organised Crime Agency, or the Secret Service and the FBI in the US. Yet when more than 80% of all email is spam, is the negative impact on a country’s communication infrastructure an issue for crimefighters or those responsible for the CNI?
President Obama’s cyber-security strategy compels the private sector to take responsibility for combating industrial espionage where companies seek competitive advantage by infiltrating corporate networks to steal data.
The third area, cyberwarfare, pertains to the military. Washington’s decision to establish the US Cyber Command last year made cyberspace the first man-made military domain alongside land, sea, air and space.
Interconnectivity, however, means that when Google, Citibank or the Pentagon come under attack (as they do tens of thousands of times a day), the defenders cannot know with certainty if the assault is coming from China, Russia, Israel or Yemen, nor whether its instigator is a playful hacker, a mastermind criminal, an al-Qaida cell or the People’s Liberation Army.
A second major problem is that a country’s strategic advantage in cyberspace lies in its ability to penetrate the defences of potential opponents: its assets are its enemy’s vulnerability, which encourages pre-emptive probing of those weaknesses. For this reason, offensive cyber-weaponry, the sci-fi end of US security strategy (and for that matter anyone else’s), is shrouded in secrecy. The US is regarded as leading the field of cyber-weaponry, thanks largely to the indefatigable efforts of the defence department’s research wing, Darpa. But other nations are catching up, notably Russia, China, Israel, France and Britain.
There are no comprehensive agreements about defining the rules of war, espionage or crime in cyberspace and major powers, including the US, appear reluctant to discuss an international treaty. However, a definition may become necessary as cyberthreats force ever more countries to ringfence large parts of the internet to counter cultural or digital contamination. These blocking strategies can prove effective, but when deployed injudiciously undermine the whole ethos of the internet.
• DarkMarket, Misha Glenny’s book on cybercrime, is published in September. Follow him on twitter @MishaGlenny
guardian.co.uk © Guardian News & Media Limited 2010