One year ago a malicious software program called Stuxnet exploded onto the world stage as the first publicly confirmed cyber superweapon – a digital guided missile that could emerge from cyber space to destroy a physical target in the real world.
It took Ralph Langner about a month to figure that out.
While Symantec, the big antivirus company, and other experts pored over Stuxnet's inner workings, it was Mr. Langner, an industrial control systems security expert in Hamburg, who deciphered and tested pieces of Stuxnet's "payload" code in his lab and declared it a military-grade cyberweapon aimed at Iran's nuclear facilities.
Days later, he and other experts refined that assessment, agreeing Stuxnet was specifically after Iran's gas centrifuge nuclear fuel-enrichment program at Natanz.
After infiltrating Natanz's industrial-control systems, Stuxnet automatically ordered subsystems operating the centrifuge motors to spin too fast and make them fly apart, Langner says. At the same time, Stuxnet made it appear random breakdowns were responsible so plant operators would not realize a nasty software weapon was behind it.
In the end, Stuxnet may have set back Iran's nuclear ambitions by years. But it also could prove a Pyrrhic victory for its still-unknown creator – a sophisticated cyberweapons nation state that Langner argues could be the US or Israel. Like the Hiroshima bomb, Stuxnet demonstrated for the first time a dangerous capability – in this case to hackers, cybercrime gangs, and new cyberweapons states, he says in an interview.
With Stuxnet as a "blueprint" downloadable from the Internet, he says, "any dumb hacker" can now figure out how to build and sell cyberweapons to any hacktivist or terrorist who wants "to put the lights out" in a US city or "release a toxic gas cloud."
What follows are excerpts of Langner's comments from an extended interview:
CSM: How would you characterize the year since Stuxnet – the response by nations, industry and government?
LANGNER: Last year, after Stuxnet was identified as a weapon, we recommended to every asset owner in America – owners of power plants, chemical plants, refineries and others – to make it a top priority to protect their systems.... That wakeup call lasted only about a week. Thereafter, everybody fell back into coma. The most bizarre thing is that even the Department of Homeland Security (DHS) and Siemens [maker of the industrial control system targeted by Stuxnet] talked about Stuxnet being a wakeup call, but never got into the specifics of what needed to be done.
CSM: What do you think has been the most important or dangerous development to emerge since you identified Stuxnet as a weapon?
LANGNER: The most dangerous development is that DHS and asset owners completely failed to identify and address the threat of copycat attacks.... With every day [that] cyber weapon technology proliferates; the understanding of how Stuxnet works spreads more and more. All the vulnerabilities exploited on the [industrial control system] level and [programmable logic controller] level are still there. Nobody cares.
CSM: How should nations and critical infrastructure owners deal with the threat of Stuxnet-like attacks or deter them?
LANGNER: There is no way to prevent the production and transfer of bits and bytes that can be transferred anywhere in the world by Internet. Arms control with satellite surveillance is impossible.... So I'm afraid cyber-arms control won't be possible. That's why the best option we have to start to counter this threat is to start protecting our systems – control systems, especially – in important facilities like power, water, and chemical facilities that process poisonous gases. Funny thing is, all these control systems, if compromised, could lead to mass casualties, but we still don't have any significant level of cybersecurity for them.
CSM: What's the hold up?
LANGNER: It will be costly to fix the vulnerabilities in industrial-control systems. But it will be definitely more costly if we wait until organized crime, terrorists, or nation states make their move first. Most engineers are aware of the problem, it's just that they don't get the budget to fix the problem. The risk is just discounted. As long as management doesn't see an immediate threat, there is a tendency to ignore it because it costs money to fix.
CSM: You warned a year ago that hackers would begin to explore how to modify Stuxnet – are you still worried about that? Should we be concerned about a "son of Stuxnet"?
LANGNER: Son of Stuxnet is a misnomer. What's really worrying are the concepts that Stuxnet gives hackers. The big problem we have right now is that Stuxnet has enabled hundreds of wannabe attackers to do essentially the same thing. Before, a Stuxnet-type attack could have been created by maybe five people. Now it's more like 500 who could do this. The skill set that's out there right now, and the level required to make this kind of thing, has dropped considerably simply because you can copy so much from Stuxnet.
CSM: But we haven't seen a follow-up to Stuxnet yet?
LANGNER: Not yet. But the clock is ticking. Parts of Stuxnet can simply be copied now. A cybersecurity researcher named Dillon Beresford this summer described to a hacker conference an industrial control system exploit that involved copying. His findings confirm my view that you don't have to be a genius to create a program that works on a control system exactly the way Stuxnet does. You just have to know how to copy parts of it. After that, you just need a little more knowledge to make a simple but effective digital dirty bomb. It may not be nearly as powerful as Stuxnet on a single system, but it could have a far broader effect on many systems. That's a digital dirty bomb.
CSM: But you yourself recently decided to demonstrate how simple a Stuxnet attack could be – just four lines of code – to make an industrial system freeze. A time bomb, really. Why did you do that?
LANGNER: I couldn't stand it any longer. We wasted a full year because nobody was listening. We published last September that parts of Stuxnet could be copied and that such a weapon would require zero insider knowledge. Nobody listened. What you still hear today from all kinds of people is how a Stuxnet-type attack requires so much insider knowledge. I finally had to publish this four-line attack just to make sure no smart-guy tells his boss that this is impossible. I left out some key parts of it so it could not be used.
CSM: Some describe Stuxnet as a "game changer" – do you think that's true?
LANGNER: It's certainly going to change the world. It already has in ways that not many people would recognize. The bottom line is that now we have a much better idea of what the future of war will look like – and what it would look like if certain military systems were a primary target.
CSM: What are the questions that Stuxnet has left behind?
LANGNER: It raises, for one, the question of how to apply cyberwar as a political decision. Is the US really willing to take down the power grid of another nation when that might mainly affect civilians? Could or should military contractors, instead of soldiers, wage cyberwar? What happens when cyberweapons dealers start selling sophisticated cyberweapons to terrorists? There is also the manner in which Stuxnet was used – which could be considered a textbook example of a "just war" approach. It didn't kill anyone. That's a good thing. But I am afraid this is only a short term view. In the long run it has opened Pandora's box.