
Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon

Page 48

by Kim Zetter


  The presidential directive addresses only the military’s use of digital operations, however. A list of exceptions in the document excludes intelligence agencies like the NSA and CIA from it, as well as law enforcement agencies like the FBI and Secret Service. And although it establishes broad ground rules for conducting offensive military cyber operations, it does not address questions that are raised when the United States is faced with responding to a digital attack. In 2011, Pentagon officials took at least one step in this direction when they announced that any digital attack against the United States that took out portions of the electric grid or resulted in casualties would be considered an act of war and receive the appropriate response—even a kinetic military response, if the situation called for it, using “all necessary means.”53 In other words, as one military official put it, “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”54 At least they didn’t assert, as the Joint Chiefs of Staff did in a statement of doctrine in 2004, that the United States reserved the right to respond to some cyberattacks with nuclear weapons. That wording has disappeared in subsequent statements of doctrine from the Joint Chiefs, Lin points out, but members of the Defense Science Board apparently hoped to revive it when they asserted in 2013 that the United States should not rule out a nuclear response. It’s probably a good thing that the Science Board is just an advisory group and has no say in policy.

  Though the Snowden leak of the presidential directive hints at some of the questions the government has been asking internally about these issues, the public still has little understanding of what questions have been answered and which are still unresolved. Lin says that for the sake of transparency there are important conversations that could be made public without compromising classified operations. “We could in fact get into a discussion about what is possible without saying what the US is actually doing,” he says. It would also be possible for US Cyber Command and the NSA to provide examples of circumstances under which they would use cyberweapons, or explain the circumstances under which they hoard information about zero-day vulnerabilities versus when they might allow disclosure of information about a security hole to get it fixed. And it would be important to know, at the very least, where the government draws the line in compromising trusted systems that are critical to the integrity of the internet—if it draws a line at all.

  “Senators and congressmen need to be educated about this,” Lin says, not to mention the public. “And there ought to be an accounting somewhere about all the cyberattacks that the US conducts for any purpose … that tells you what was attacked and under what circumstances.… It can be classified, but at least it would give the first step toward better understanding what the US is actually doing.” Lawmakers like Rep. Mike Rogers (R-MI) insist that Congress has held private discussions on the government’s cyber activities. But so far, Capitol Hill has shown little interest in holding even basic public discussions about the government’s offensive operations.

  “I do believe without question there needs to be a full conversation about doctrine and there needs to be a full conversation about rules of engagement,” Air Force general Robert Kehler, the current head of US Strategic Command, said in 2011, before the presidential directive was signed. “I can’t say all of that needs to be in the public domain.”55

  AS THE UNITED STATES and other countries beat the drum of cyberwarfare, it’s not just policy questions that are still unanswered, however. Many of the legal questions around digital operations are still unresolved.

  Some, like Kaspersky Lab founder Eugene Kaspersky, have called for a cyber arms treaty to control the proliferation of digital weapons and set norms for their use. But as noted previously, there are obvious problems with trying to control the stockpiling of nonphysical weapons. Governments can sign treaties to halt the proliferation of nuclear weapons and use satellite imagery and UN inspectors to track the movement of nuclear materials. But satellites can’t track the movement of illicit digital weapons, nor can custom inspections catch the smuggling of malicious code across borders. Nor can anyone monitor all of the rogue players who might emerge to exploit the vulnerabilities in critical infrastructure systems that Stuxnet exposed.

  As for developing new laws to govern the use of cyberattacks by nations, the consensus among legal experts seems to be that existing laws of warfare will work just fine—it’s just that new interpretations of these laws need to be developed to address cyber.

  In 2013, a group of twenty international legal experts convened by a NATO-related institute attempted to do just this. The result was the three-hundred-page Tallinn Manual, designed to help military legal advisers in NATO member states develop cyber doctrine for their armies.56 But despite the manual’s length, it left many questions unanswered. The experts found that while some attacks in cyberspace have clear parallels to conventional attacks in physical space, others are murkier.

  Under the UN Charter’s Law of Armed Conflict, for example, they determined that hacking the control system of a dam to unleash water into a valley was the equivalent of breaching the dam with explosives. And launching an attack from a proxy system located in a neutral country would be prohibited in the same way that an army couldn’t march through a neutral country’s territory to invade an enemy. They also determined that an attack had to cause physical or personal damage to qualify as an act of force—simply erasing hard drives, if it didn’t result in physical damage or injury, didn’t qualify. But what about an attack on Wall Street that damaged a nation’s economy or aimed to do so? Here they found the legal waters less clear. Some of the experts believed such an attack qualified, while others were less convinced.

  The experts also made a distinction between an act of force and an armed attack. Though the latter is considered more serious, it’s not clearly defined. It’s generally interpreted to refer only to the gravest uses of force, which are judged by the effects the attack has. Under Article 24 of the UN Charter, nations can respond to an act of force only with nonforceful countermeasures—such as applying economic sanctions or cutting off diplomatic ties with the offending nation.

  Under Article 51, however, every state has the right to defend itself with lethal force—individually, or collectively on behalf of allies—if it or an ally suffers an armed attack, as long as the response is necessary and proportional to the initial attack and occurs while the threat of the original attack is ongoing or there is a threat of a future attack. As for what level of damage qualifies as an armed attack, and therefore justifies a lethal response—it’s up to the victim to determine the threshold and defend its decision to the United Nations.57 But what about an attack that is intended to cause great harm but fails to achieve it? A missile launched by one nation against another that gets diverted by a Patriot missile is still an attempted armed attack. Would the same hold true in the cyber realm? Catherine Lotrionte says no, since the effect of the attack is what matters, not the intent. But Gary Brown, senior legal adviser to the US Cyber Command from 2010 to 2012, says it likely would be considered an armed attack “if you can make an argument [with evidence] that it was going to have a kinetic effect.”58

  And what about espionage? Under international law and US policy, espionage is not an act of war. But since espionage could be the prelude to a destructive attack, as it was with Stuxnet and the spy tools the attackers used to collect intelligence for that operation, could the discovery of spy tools on a system indicate an intention to conduct an armed attack? Under current doctrine, an armed attack has to be current or imminent to merit a lethal use of force in response, but what determines imminence? After 9/11, the United States asserted that the invasion of Afghanistan was an act of self-defense, under Article 51, since the country was housing al-Qaeda leaders who were believed to be planning additional strikes against the United States.

  One thing the Tallinn experts did agree on unanimously was that Stuxnet was an act of force that likely violated international law. They were split, however, on whether it constituted an armed attack. As an armed attack, Iran would have been within its rights to defend against the digital onslaught with a counterstrike—digital or kinetic—as long as it was proportional to the damage Stuxnet caused and occurred while the attack was ongoing. Once the attack subsided and there was no impending threat to the centrifuges or threat of another impending attack—that is, once the weapon was discovered and defused—the proper response was diplomacy or some other nonforceful measure.

  It’s important to note that official US policy, unlike the interpretation of the Tallinn experts, doesn’t distinguish between an act of force and an armed attack—the two are considered the same. Under this interpretation, then, Stuxnet was an illegal armed attack, and Iran could have made a case for responding in self-defense. It also means, though, that if someone were to use a weapon like Stuxnet against the United States, the US government would consider it an armed attack, something Lotrionte says concerns her.59

  There have been conflicting reactions to some of the Tallinn Manual’s conclusions. Martin Libicki, an expert on cyberwarfare with the RAND corporation, questions the wisdom of allowing cyber conflicts to be resolved with kinetic attacks. He wonders if it wouldn’t be wiser to apply “Las Vegas rules” to cyberwarfare so that what happens in cyberspace stays in cyberspace. “Your escalation potential, if you go to the kinetic realm than if you stay in the cyber realm, is much greater,” he says. “So a rule that says you can only match cyber with cyber puts a limit on your topside risk.”60

  Lotrionte, however, says the method of a counterattack doesn’t matter, since escalation is controlled by the fact that a counterattack must be both necessary and proportional. “Necessary means you have to determine that there is no other way to resolve this threat,” she says. “You can’t talk, you can’t sanction or call on the Security Council. If there is any other way to stop these attacks, you have to use that, and not use of force. That’s how you stop escalation.”61

  Others point out the difficulty of applying the conventional laws of war to the cyber realm, where attribution is a problem. The Law of Armed Conflict requires that an attacker be identified to conduct a counterstrike. Though attribution in a digital attack can sometimes be determined—through intelligence means if not forensic ones—the anonymous nature of cyberattacks makes responding quickly to an attack, while the threat is current, complicated to say the least.

  “Smoking guns are hard to find in the counterterrorism environment; smoking keyboards are that much more difficult,” Frank Cilluffo, director of the Homeland Security Policy Institute at George Washington University, told Congress. Cyberspace, he said, “is made for plausible deniability.”62

  If all of this wasn’t enough to complicate the issue of cyberwarfare, there are further problems having to do with the lack of a clear understanding about what constitutes a cyberweapon. In the kinetic world, a weapon is something that damages, destroys, kills, or injures, which is something very different from an espionage tool. But Gary Brown notes that so many activities in cyber are carried out by “a guy sitting at a keyboard typing commands” and doing everything from installing malware and destroying data, to destroying and damaging a system or damaging equipment the system controls. “Does that mean that the software or technique we used to get access to the system turned into a weapon?” he asks. “That would mean everything [is a weapon]. It’s a very complicated issue. I don’t feel like we have a very good handle on it.”

  Brown says the lack of clarity about what constitutes a digital weapon and what constitutes attack activity as opposed to espionage raises the risk of escalated responses, since the same techniques and tools used for espionage and damaging attacks in the digital realm can be indistinguishable to the victim.63

  “Traditional espionage is less likely to be escalatory because it was better understood,” he says. “Even if you cut through border-fence wire and tiptoed into an office and stole files … it doesn’t look like we’re starting a war.… In cyber, if somebody got access to a critical system, maybe to the nuclear command-and-control … maybe they’re just looking around. Or maybe they’re planning to disable it and launch a nuclear attack.… It’s that kind of escalation that worries me.”

  Clearly Stuxnet and the prospect of digital warfare has raised a host of issues that have yet to be adequately addressed. And if it seems the United States is late in getting around to looking at them, it’s not the only one. “There are countries [in Europe] that are not even close to writing rules,” says Lotrionte.

  IN THE YEARS since Stuxnet was first exposed, a lot has changed—not just for the military but for malware hunters. For the researchers who spent so much time disassembling and analyzing Stuxnet—and its accompanying spy tools—deciphering the malware was an incomparable thrill that stretched the boundaries of virus research. But it also irrevocably changed the parameters of their profession by imbuing it with a degree of risk and politicization it had never known before.

  In one of his team’s final assessments of Stuxnet, Symantec’s Eric Chien wrote that whether Stuxnet would usher in a new generation of real-world attacks that targeted critical infrastructure or was just a once-in-a-decade phenomenon, they couldn’t say. But he was clear about his preference. It was the type of threat, he said, “we hope to never see again.”

  Thankfully, as of this book’s publication there has been no sign yet of the counterstrikes against industrial control systems that Ralph Langner warned about, nor have there been signs of any other types of comparable digital attacks launched by the United States or anyone else. Stuxnet still holds the distinction of being the only known case of cyberwarfare on record. But that can change at any time, now that Pandora’s digital box has been opened.

  * * *

  1 “Remarks by the President on Securing Our Nation’s Cyber Infrastructure,” May 29, 2009, available at whitehouse.gov/the-press-office/remarks-president-securing-our-nations-cyber-infrastructure. The claim that cyber intruders have plunged foreign cities into darkness has been repeated often by many officials, but has been disputed—though this hasn’t prevented officials from continuing to repeat it. The claim was first made by CIA senior analyst Tom Donahue while speaking at a conference for cybersecurity professionals in 2008: “We have information that cyberattacks have been used to disrupt power equipment in several regions outside the US,” he said. “In at least one case, the disruption caused a power outage affecting multiple cities.” He also said the intrusions were “followed by extortion demands.” (See Thomas Claburn, “CIA Admits Cyberattacks Blacked Out Cities,” InformationWeek, January 18, 2008, available at informationweek.com/cia-admits-cyberattacks-blacked-out-cities/d/d-id/10635137.) Donahue never named the country where the attacks occurred, but in 2009 60 Minutes identified it as Brazil, asserting that a 2007 blackout in Espirito Santo that left 3 million people without power was caused by hackers. (See “Cyber War: Sabotaging the System,” 60 Minutes, November 6, 2009, available at cbsnews.com/news/cyber-war-sabotaging-the-system-06-11-2009.) Others have claimed Donahue was referring to a 2005 outage in Brazil instead. According to two sources I spoke with in 2009 who were interviewed by 60 Minutes for their story, the newsmagazine sent a producer to Brazil to try to verify the hacker/extortion claim but was never able to do so, though viewers weren’t told this. The Brazilian government disputed the claim after the 60 Minutes show aired, pointing to a lengthy report about the 2007 outage that attributed it to soot and equipment failure. Furnas, the Brazilian energy company that experienced the blackouts, is a customer of Marcelo Branquinho, who operated the only ICS security firm in Brazil at the time. Branquinho told me there was no evidence the blackout was caused by anything but equipment failure. “We have full access to the documentation and [government reports investigating] what happened on these two blackouts,” he told me in October 2011, referring to both the 2005 and 2007 incidents. “There is no single evidence that hacking activity happened here. Both events were due to hardware problems, not software problems.” What’s more, he says the substation that was affected in the 2007 blackout was not even an automated SCADA system that could be controlled by hackers. “It was only hardware, so it couldn’t be hacked anyway,” he says. “I’m not saying that we can’t be hacked. We can be hacked; it’s pretty easy. I believe that most of the electric installations—not only here, but worldwide—have very weak security if you compare them with a bank, for example, that has some good level of security infrastructure. But … in this case, the evidence tells us that we weren’t hacked.” It’s possible the stories about the hacker blackout have been confused with a real cyberextortion incident that occurred in 2005 or 2006 but that had nothing to do with a blackout. Brazil’s director of Homeland Security Information and Communication told Wired.com that in this case, attackers breached an administrative machine at a government agency using a default password and deleted files on the machine. They also left a ransom note for return of the data. But the incident involved no power outage. See Marcelo Soares, “WikiLeaked Cable Says 2009 Brazilian Blackout Wasn’t Hackers, Either,” Wired.com, December 6, 2010, available at wired.com/2010/12/brazil-blackout.

  2 David E. Sanger, “Obama Order Sped Up Wave of Cyberattacks Against Iran,” New York Times, June 1, 2012.

  3 “Iran’s Supreme Leader Tells Students to Prepare for Cyber War,” Russia Today, February 13, 2014, available at rt.com/news/iran-israel-cyber-war-899.

  4 Ellen Nakashima, “Pentagon to Boost Cybersecurity Force,” Washington Post, January 27, 2013.

  5 Ellen Nakashima, “With Plan X, Pentagon Seeks to Spread U.S. Military Might to Cyberspace,” Washington Post, May 30, 2012.

  6 Interview with Michael V. Hayden, in “Stuxnet: Computer Worm Opens New Era of Warfare,” 60 Minutes, CBS, originally aired June 4, 2012, available at cbsnews.com/8301-18560_162-57390124/stuxnet-computer-worm-opens-new-era-of-warfare/?tag=pop;stories.
