The New York Times ran a story yesterday about how President Obama ordered further attacks on Iran's uranium processing infrastructure using the Stuxnet virus. The attacks were part of Operation Olympic Games which was started under the previous George W Bush administration.
These attacks have serious ramifications for world politics in general and for the computer security community. The following are my thoughts on what some of those effects might be.
- This story officially tells the world that the US has an extremely sophisticated cyber attack capability. The number of exploits and the complexity of the chain they created had not been seen before in the wild. This sets a precedent akin to us dropping the first atomic bomb on Hiroshima. No, not in the scope of the damage done, but in the level of seriousness of the attack. This is likely to set off a new "arms race" between countries and other organizations to create even more advanced cyber attacks.
- Our government is playing a very dangerous game by performing these attacks. They have given other would be cyber warriors, rogue states, terrorists, etc. a blueprint on how to circumvent all but the most robust defenses (and even then, it would be difficult to defend against something like this). The attack used cannot currently be defended against by most corporations, networks and infrastructure in the US. If someone wanted to do harm to the US and thought that physical damage was the only way to do it, they know now that a similar level of damage can be done using computers. How long will it be before we see a serious terrorist/rogue state cyber attack against vital infrastructure or economic centers?
- It takes a bite out of the use of Stuxnet by security professionals as an example of what organizations in the US have to defend against because no other cyber attack organization has demonstrated this level of sophistication, however, now that the blueprint is out there, it's only a question of time before others start duplicating what Stuxnet did and raising the bar of what is possible.
- The deployment of Stuxnet which uses so many vulnerabilities that were previously unknown and thus not patched shows that there are some in the US government who think it's more important to keep dangerous vulnerabilities available to them in the wild versus helping to close these gaps for everyone. This should make security researchers very nervous and anger security professionals.
- One "good" thing about this attack is that shows everyone involved with cyber security or system administation that we have a long way to go to build more secure systems and that we can't afford to wait on efforts to improve security of our vital infrastructure. The cost to improve might be high, but the costs of not doing so are much higher.
- I question the wisdom of the New York Times in doing the research and publishing any of this information. In many ways, shedding light on this operation does grave harm to our national interests and greatly increases the risks to US citizens. This operation was obviously highly classified and should have stayed a secret for many years to come. Although it does occur to me that this probably could not have been leaked without some help from the Obama administration. Which raises further questions about why they would jeopardize public safety by releasing the information necessary to write this story.
We certainly live in "interesting" times. I just hope that this doesn't cause an outbreak of cyber war that would be catastrophic to people all over the world.