Many claim that Stuxnet will usher in a new kind of ‘cyber war’. Stuxnet does introduce a previously unexplored area of attacking power facilities via USB stick; however, vulnerabilities in these systems–theoretically accessible to foreign hackers–are not new at all. SCADA systems that control the United States power grid have been widely declared as vulnerable to hackers for several years. These systems could theoretically be attacked at any time, but because these attempts are not packaged in an accessible piece of malware, they may never be detected.
The most interesting facet of Stuxnet could be the precision of its scope. Rather than creating a generic piece of malware that could theoretically infect and take over many different types of systems, the creators of Stuxnet targeted very specific Siemens boards. Why? Speculation from experts widely suggests that the intent was to infect the nuclear facilities of Iran, specifically the developing site Bushehr. Bushehr has had a variety of setbacks, but a photograph depicting an error at the site indicates that it was the exact same board that Stuxnet targeted.
In order to create such a specific payload, the designers must have known the exact build and firmware version of the boards at Bushehr. ‘Cyber war’ is a loaded term these days, mostly because its use is widespread and often does not amount to much. Stuxnet does, however, underscore the role of information security’s application in traditional forms of intelligence.
For the most part, hackers strictly engage in information espionage. Although systems that are attacked can sustain damage, with a proper information security strategy these losses can be effectively mitigated or made temporary. Sensitive data disclosure is the primary concern in the PCI-DSS and HIPAA security space, because physical damage to the systems is usually impossible and data loss is mitigated by off-site backups.
Information espionage–a fancy way of describing what we normally think of as hacking–has an obvious place in the government’s arsenal. The Pentagon has complained numerous times about the incessant intrusion attempts it receives daily (who doesn’t?), while the Air Force has set up its Cyber Command to counteract these threats. Hack the government, steal state secrets without a trace, rinse and repeat.
The other, previously unexplored area of information warfare is information sabotage. Intelligence agencies have, of course, engaged in traditional forms of sabotage since their inception. When Israel destroyed the al-Kibar reactor in Syria in 2007, it seemed the only way to halt its construction. Now that we’ve learned that North Korea is enriching uranium, wouldn’t it be convenient if there were a way to stop them without inciting further violence?
There is no arms race for 0-day exploits today; at least not any more than there always has been. Researchers find vulnerabilities, some publish, some sell on the black market, but this is a practice that has gone on for years in the hacker “scene.” Stuxnet piques our collective interest because of the real-world applications of electronic attacks, but it is hardly the creation of a new kind of warfare. A far more interesting comparison is the integration of electronic media into the existing world of intelligence operations.