Computer viruses that steal identities are nothing new. But 2010 introduced the world to something potentially far more dangerous: Stuxnet.
Stuxnet is the world's first publicly known cybersuperweapon – a computer program that is able to cross the digital divide and destroy a real-world target. In the case of Stuxnet, that target seems to have been Iranian nuclear facilities. But future variants could be used to hammer US critical infrastructure, too, the Congressional Research Service warned this month.
Discovered in June by a Belarus antivirus company and later revealed as a cyberweapon by a German researcher, Stuxnet was designed to control and destroy industrial control systems. It could be activated merely by plugging a thumb drive loaded with the malware into the target computer system.
Many experts worry that a "son of Stuxnet" clone could make an appearance in 2011. "My greatest fear is that we are running out of time to learn our lessons," Michael Assante, an industrial control systems security expert, told a congressional hearing on Stuxnet in November. "Stuxnet ... may very well serve as a blueprint for similar but new attacks on control system technology."
Stuxnet required a team of experts working clandestinely for months or more to build it – and cost millions of dollars to produce and test. Only a few nations – Israel, the US, China, France, or Britain – could create it, many say. Now a rich terrorist could buy a Stuxnet variant.
The original Stuxnet was a cyber "guided missile" that unleashed its digital warhead only under very specific conditions (believed by a number of experts to be part of Iran's nuclear plant designs). The son of Stuxnet might not be so selective. If retooled slightly, a Stuxnet clone could be made to detonate and damage a wide swath of critical infrastructure facilities – water, power, energy, and transportation facilities, for instance.
It "threatens to cause harm to many activities deemed critical to the basic functioning of modern society," the Congressional Research Service reported Dec. 9.
"Depending on the severity of the attack, the interconnected nature of the affected critical infrastructure facilities, and government preparation and response plans, entities and individuals relying on these facilities could be without life sustaining or comforting services for a long period of time," the study's summary states. "The resulting damage to the nation's critical infrastructure could threaten many aspects of life, including the government's ability to safeguard national security interests."
By Mark Clayton, Staff writer