From the man who discovered Stuxnet, dire warnings one year later
Stuxnet, the cyberweapon that attacked and damaged an Iranian nuclear facility, has opened a Pandora's box of cyberwar, says the man who uncovered it. A Q&A about the potential threats.
(Page 2 of 2)
LANGNER: There is no way to prevent the production and transfer of bits and bytes that can be transferred anywhere in the world by Internet. Arms control with satellite surveillance is impossible.... So I'm afraid cyber-arms control won't be possible. That's why the best option we have to start to counter this threat is to start protecting our systems – control systems, especially – in important facilities like power, water, and chemical facilities that process poisonous gases. Funny thing is, all these control systems, if compromised, could lead to mass casualties, but we still don't have any significant level of cybersecurity for them.Skip to next paragraph
Subscribe Today to the Monitor
CSM: What's the hold up?
LANGNER: It will be costly to fix the vulnerabilities in industrial-control systems. But it will be definitely more costly if we wait until organized crime, terrorists, or nation states make their move first. Most engineers are aware of the problem, it's just that they don't get the budget to fix the problem. The risk is just discounted. As long as management doesn't see an immediate threat, there is a tendency to ignore it because it costs money to fix.
CSM: You warned a year ago that hackers would begin to explore how to modify Stuxnet – are you still worried about that? Should we be concerned about a "son of Stuxnet"?
LANGNER: Son of Stuxnet is a misnomer. What's really worrying are the concepts that Stuxnet gives hackers. The big problem we have right now is that Stuxnet has enabled hundreds of wannabe attackers to do essentially the same thing. Before, a Stuxnet-type attack could have been created by maybe five people. Now it's more like 500 who could do this. The skill set that's out there right now, and the level required to make this kind of thing, has dropped considerably simply because you can copy so much from Stuxnet.
CSM: But we haven't seen a follow-up to Stuxnet yet?
LANGNER: Not yet. But the clock is ticking. Parts of Stuxnet can simply be copied now. A cybersecurity researcher named Dillon Beresford this summer described to a hacker conference an industrial control system exploit that involved copying. His findings confirm my view that you don't have to be a genius to create a program that works on a control system exactly the way Stuxnet does. You just have to know how to copy parts of it. After that, you just need a little more knowledge to make a simple but effective digital dirty bomb. It may not be nearly as powerful as Stuxnet on a single system, but it could have a far broader effect on many systems. That's a digital dirty bomb.
CSM: But you yourself recently decided to demonstrate how simple a Stuxnet attack could be – just four lines of code – to make an industrial system freeze. A time bomb, really. Why did you do that?
LANGNER: I couldn't stand it any longer. We wasted a full year because nobody was listening. We published last September that parts of Stuxnet could be copied and that such a weapon would require zero insider knowledge. Nobody listened. What you still hear today from all kinds of people is how a Stuxnet-type attack requires so much insider knowledge. I finally had to publish this four-line attack just to make sure no smart-guy tells his boss that this is impossible. I left out some key parts of it so it could not be used.
CSM: Some describe Stuxnet as a "game changer" – do you think that's true?
LANGNER: It's certainly going to change the world. It already has in ways that not many people would recognize. The bottom line is that now we have a much better idea of what the future of war will look like – and what it would look like if certain military systems were a primary target.
CSM: What are the questions that Stuxnet has left behind?
LANGNER: It raises, for one, the question of how to apply cyberwar as a political decision. Is the US really willing to take down the power grid of another nation when that might mainly affect civilians? Could or should military contractors, instead of soldiers, wage cyberwar? What happens when cyberweapons dealers start selling sophisticated cyberweapons to terrorists? There is also the manner in which Stuxnet was used – which could be considered a textbook example of a "just war" approach. It didn't kill anyone. That's a good thing. But I am afraid this is only a short term view. In the long run it has opened Pandora's box.