{"id":1461,"date":"2010-10-07T21:43:02","date_gmt":"2010-10-08T01:43:02","guid":{"rendered":"http:\/\/www.harvardnsj.com\/?p=1461"},"modified":"2013-04-03T22:39:04","modified_gmt":"2013-04-04T02:39:04","slug":"us-prepares-for-cyber-threats-in-the-wake-of-suspected-stuxnet-attack-in-iran","status":"publish","type":"post","link":"https:\/\/journals.law.harvard.edu\/nsj\/2010\/10\/us-prepares-for-cyber-threats-in-the-wake-of-suspected-stuxnet-attack-in-iran\/","title":{"rendered":"US Prepares for Cyber Threats in the Wake of Suspected \u201cStuxnet\u201d Attack in Iran"},"content":{"rendered":"<p><strong>By Courtney Walsh &#8212;<br \/>\n<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>In June of this year, a new and powerful threat to national security emerged in the form of a cyber worm.\u00a0 Stuxnet, as it has since been named by computer experts, represents a new frontier in the use of force in cyberspace.\u00a0 While much remains unclear about Stuxnet, such as its source and specific target, further study has revealed that this piece of malware possesses a highly complex and discriminating series of targeting code aimed at the substantial disruption and even ultimate destruction of industrial processes.\u00a0 These findings have led to a <a href=\"http:\/\/www.csmonitor.com\/USA\/2010\/1003\/Stuxnet-worm-Private-security-experts-want-US-to-tell-them-more\">growing consensus in cyber security circles<\/a> that Stuxnet is the world\u2019s first successful employment of a guided cyber weapon that has the potential to destroy real, tangible targets.<\/p>\n<p>In a <a href=\"http:\/\/www.csmonitor.com\/World\/terrorism-security\/2010\/1001\/Clues-emerge-about-genesis-of-Stuxnet-worm\">recent interview with the Christian Science Monitor, German cyber security expert Ralph Langner described his analysis of Stuxnet<\/a>.\u00a0 According to Langner, Stuxnet is a piece of malware designed to target industrial supervisory control and data acquisition (SCADA) software, which is used to 
control factory and plant operations across the world in various economic sectors, including energy and chemicals.\u00a0 While Stuxnet can easily spread to many machines, it lies dormant in most and, in fact, may never execute its code.\u00a0 As it lies dormant, though, it monitors the host machine in five-second intervals to determine whether its engagement code has been triggered.\u00a0 These trigger conditions are designed to execute the attack and manipulation of a particular industrial process at a specific time and location.\u00a0 This ability to discriminate potential and actual targets depends upon no human command and control.\u00a0 Like its discrimination controls, its subsequent operation once engaged requires no positive, human command and control.<\/p>\n<p>Once engaged, Stuxnet makes the leap from the cyber world into the destruction of a real-world, tangible target.\u00a0 For example, Stuxnet may be used to override a plant\u2019s programmable logic controller (PLC) for the operation of a turbine.\u00a0 While the original PLC will presumably control the RPMs so as to ensure safe and efficient operation, the Stuxnet code (assuming this is its target) will override the PLC and may direct the turbine RPMs to soar beyond a sustainable speed.\u00a0 With the turbine RPMs ratcheting higher and no way to counteract the Stuxnet control, it is not hard to imagine the turbine destroying itself and possibly the entire plant in short order.\u00a0 In other words, the resultant targeting effects of a Stuxnet attack are the same as if ordnance had been dropped on the plant \u2013 Stuxnet or cruise missile, either way the plant turns into a fire pit.<\/p>\n<p>Analysis of Stuxnet has been pushed to the forefront of national security conversation with two discoveries.\u00a0 First, the number of Stuxnet-infected computers is surprisingly large.\u00a0 <a 
href=\"http:\/\/www.symantec.com\/content\/en\/us\/enterprise\/media\/security_response\/whitepapers\/w32_stuxnet_dossier.pdf\">According to a report by Symantec<\/a>, approximately 100,000 computers worldwide are infected.\u00a0 Most interesting, Symantec estimates that approximately 60 percent of the computers infected worldwide are located in one country of intense interest \u2013 Iran.\u00a0 This dovetails with the second discovery causing heightened interest in Stuxnet \u2013 the revelation that some of those infected computers are associated with Iran\u2019s Bushehr nuclear plant.<\/p>\n<p>While speculation is rampant concerning the <a href=\"http:\/\/www.csmonitor.com\/World\/Middle-East\/2010\/0929\/Iran-announces-new-delays-at-Bushehr-nuclear-plant-but-denies-Stuxnet-link\">possibility of a Stuxnet infection of the Bushehr nuclear plant<\/a>, a few things are known.\u00a0 First, the head of Iran\u2019s atomic energy agency has stated that Stuxnet has infected the personal computers of some technicians who work at Bushehr (though the government denies that Stuxnet has spread to the plant\u2019s main computers).\u00a0 Second, it is known that Stuxnet is designed to target the sort of plant process software employed at Bushehr.\u00a0 Additionally, there is at least <a href=\"http:\/\/www.nytimes.com\/2010\/09\/30\/world\/middleeast\/30worm.html?scp=1&amp;sq=stuxnet%20%20old%20testament&amp;st=cse\">one reference to an Old Testament story about a Jewish victory over the Persians<\/a> in Stuxnet\u2019s code. Finally, the plant has been plagued by delays and will not go online for at least another three months, according to the Iranian government. 
\u00a0These circumstances, even if ultimately proved coincidental, have made many analysts and policymakers pause to consider the possibility that Bushehr was the object of a targeted cyber attack and how this new reality affects the national security posture of nations dependent upon computer technology.<\/p>\n<p>In particular, <a href=\"http:\/\/www.foreignaffairs.com\/articles\/66552\/william-j-lynn-iii\/defending-a-new-domain\">William Lynn, Deputy Secretary of Defense, has voiced the need to rethink comprehensively how the United States defends itself in the cyber realm<\/a>.\u00a0 He has identified difficulties that cyber attacks pose when applying the law of armed conflict.\u00a0 For instance, cyber attacks are not always easy to identify as either uses of force or attacks, as contemplated by Articles 2(4) and 51 of the United Nations Charter.\u00a0 While the Bushehr example may fit the definition of use of force well, there is a real question whether it would constitute an attack, authorizing Article 51 self-defense.\u00a0 Additionally, there exists a vast spectrum of lesser cyber incursions that, though certainly unwelcome, would constitute neither a use of force nor cyber attack.\u00a0 Whether a cyber attack\u2019s severity constitutes an Article 2(4) use of force or attack is a critical question, because it determines whether and to what degree the affected nation may respond in lawful self-defense.<\/p>\n<p>Also of particular concern is <a href=\"http:\/\/www.csmonitor.com\/USA\/Military\/2010\/1005\/Pentagon-The-global-cyberwar-is-just-beginning\">the issue of determining ultimate responsibility for a cyber attack<\/a> and how that affects whether and to what degree a nation may respond.\u00a0 As Deputy Secretary Lynn succinctly states the problem, unlike missiles, there is no return address on a cyber attack.\u00a0 Even worse, the movement of much of this code, whether inadvertently or by design, passes through 
many nation-states, potentially causing an affected nation to attribute blame falsely to innocent actors and states.\u00a0 And clearly, as a law of war problem, the inability to identify a responsible party makes any responsive use of force problematic.<\/p>\n<p>These emerging cyber threats defy easy answers.\u00a0 While nation-states seek to develop strategies that adequately respond to cyber attacks, they also face the challenge of developing strategic responses that are consistent with domestic and international legal norms.<\/p>\n<p><em> Image courtesy of Bloomberg<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Courtney Walsh<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[24,29],"tags":[],"class_list":["post-1461","post","type-post","status-publish","format-standard","hentry","category-online","category-student-articles"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/peZtUX-nz","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/journals.law.harvard.edu\/nsj\/wp-json\/wp\/v2\/posts\/1461","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/journals.law.harvard.edu\/nsj\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/journals.law.harvard.edu\/nsj\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/nsj\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/nsj\/wp-json\/wp\/v2\/comments?post=1461"}],"version-history":[{"count":0,"href":"https:\/\/journals.law.harvard.edu\/nsj\/wp-json\/wp\/v2\/posts\/1461\/revisions"}],"wp:attachment":[{"href":"https:\/\/journals.law.harvard.edu\/nsj\/wp-json\/wp\/v2\/media?parent=1461"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/nsj\/wp-json\/wp\/v2\/categories?post=1461"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/nsj\/wp-json\/wp\/v2\/tags?post=1461"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}