22 November 2014

Hacking The Ayatollahs: Countdown To Zero Day — And, The Age Of Cyber Warfare

November 17, 2014 

Gabriel Schoenfeld, a Senior Fellow at the Hudson Institute and the author of “Necessary Secrets: National Strategy, The Media, And The Law,” has a review of Kim Zetter’s (Wired.com) new book, “Countdown To Zero Day,” just out from Crown Publishers, in today’s (Nov. 17, 2014) Wall Street Journal. Ms. Zetter’s new book takes an in-depth look at the first known use of a “digital missile”: the Stuxnet cyber virus that was inserted into the Iranian nuclear facility at Natanz, back in early 2010. Mr. Schoenfeld writes that “early in 2010, inspectors from the International Atomic Energy Agency noticed a problem: centrifuges employed to separate enriched uranium — the precursor to bomb-grade material — from uranium hydro-fluoride gas were breaking down at a startling rate. What the inspectors did not know was that the facility was under attack by Stuxnet, a computer virus designed by American and Israeli intelligence agencies under the code-name, ‘Operation Olympic Games.’”

“Countdown to Zero Day,” by Wired.com’s Kim Zetter, “gives a full account of this ‘hack of the century,’ as the operation has been called,” Mr. Schoenfeld writes. He adds, “the book goes well beyond the ostensible subject, to offer a hair-raising introduction to the age of cyber warfare.” “Among much else,” he adds, “Ms. Zetter chronicles just how the world came to learn of Stuxnet. Obscure computer-security firms in locations like Belarus and Slovakia, first detected the virus in 2010. Before long, it began appearing on thousands of computers worldwide, including powerhouses like antivirus firm Symantec set to work trying to solve the riddle posed by the mysterious code.”

Most “conventional [computer] viruses aim to steal passwords, or accomplish some other criminal purpose,” Mr. Schoenfeld argues. But, “Stuxnet was different,” he contends. “Despite its complexity, it appeared to do nothing at all…beyond attempting to spread and replicate itself. After the digital sleuthing of far-flung investigators, it emerged that the code was narrowly tailored to come to life — only when it encountered certain industrial-control devices, containing proprietary software produced by the German firm — Siemens. The devices running that software were installed in only one location; the heavily fortified Iranian [nuclear] facility at Natanz,” Mr. Schoenfeld notes.

“The first thing Stuxnet did upon invading a computer was to ‘phone home,’ — i.e., send a signal to a server (based in Malaysia) that operated as its command post,” Mr. Schoenfeld writes. “The signal repeated key details about the computer,” he adds, “such as where it was located, what its IP address was; and, critically — whether it contained the Siemens software. If it did not, the virus became inert — end of story. If the virus hit pay dirt, the fun began. The fun seems to have included opening and closing valves on Iranian centrifuges; and, adjusting their power supply. The objective was to cause pressure to build up to dangerous levels and force the precious uranium gas into a ‘dump line,’ where it went to waste. At the same time, the virus fed false normal readings to the Iranian operators, who were left clueless as their inter-linked centrifuges quietly went haywire.” Ms. Zetter “suggests that Stuxnet might have also altered spin speeds, leading centrifuges to wobble, break free from their moorings and fly apart…not so quietly destroying entire production chains.”

Mr. Schoenfeld writes that, “Ms. Zetter marshals evidence suggesting that these high jinks slowed down Iran’s nuclear effort. It is not a criticism of her book to note that this assessment, like many of its observations and conclusions, is at best — well-informed conjecture. Operation Olympic Games remains shrouded in secrecy. The interviews and public sources upon which Ms. Zetter draws — yield no definitive information. Perhaps only the Iranians themselves know for certain what happened and, they are not telling.”

“Whatever Stuxnet did, or did not accomplish,” Mr. Schoenfeld notes, “‘Countdown to Zero Day’ has the virtue of putting the attack into broader context. The epoch of cyber warfare, inaugurated by Stuxnet — promises to be no less unnerving than the nuclear weapons age that began in 1945. The problem is familiar. What goes around, comes around. We may hope that the virus damaged the ayatollah’s nuclear program, but given the degree to which Internet connectivity has expanded into every corner of American life, we ourselves are susceptible to attack by the same kind of stealth weapon.”

“Though recent headlines have focused on the cyber penetration of retail outlets, financial institutions, and government systems,” Mr. Schoenfeld writes, “Ms. Zetter reminds us that our physical infrastructure is vulnerable as well. In 1997, a teenager hacked into a Bell Atlantic computer system and for six hours turned off the runway lights and crippled the control tower of the Worcester, Mass., airport. In 2000, in Australia, a disgruntled former employee of a water-treatment firm evaded safeguards to cause 750,000 gallons of raw sewage to pour into public waterways. In 2003, the SoBig virus attacked train-signaling equipment on the Eastern Seaboard and brought rail traffic to a halt. That same year, the Slammer worm disabled critical safety systems at the Davis-Besse nuclear power plant in Ohio.”

“If individuals, or small groups of amateurs can perpetrate attacks of this magnitude, imagine what nation-states might do,” Mr. Schoenfeld warns. “With the advent of Stuxnet, state-sponsored attacks are no longer hypothetical. In military and intelligence establishments the world over, the race is on to find the exploitable security holes in widely used software — called ‘zero days,’ because programmers have had zero time to plug the holes — that make cyber warfare a mounting threat.”

“What can we do to better guard against the dire possibilities that may lie ahead?” Mr. Schoenfeld asks. “Advocates of arms control call for a treaty that would limit or abolish digital warfare. But, if it has been difficult to verify treaty compliance with physical weapons, doing so with intangible computer code may be well-nigh impossible. Noting the ‘obvious problems’ with the treaty approach,” Mr. Schoenfeld concludes, “Ms. Zetter is rightly dismissive of it, but she does not suggest an alternative. The reason may be that there is none,” Mr. Schoenfeld argues. “In the cyber battle ahead, the only true winners may be the hackers and computer engineers who increasingly hold our future in their hands.” V/R, RCP
