Publisher: Crown Publishers, 2014
(THIS ARTICLE IS MACHINE TRANSLATED by Google from Norwegian)
In January 2010, inspectors from the International Atomic Energy Agency (IAEA) began to believe that something was wrong with Iran's uranium enrichment plant in Natanz. Closer to the summer, a new computer virus appeared at VirusBlokAda, an obscure antivirus company in Belarus. It would take half a year and data security experts from several countries before the connection between Stuxnet and the problems in Iran could finally be established. This was the first time a digital weapon was discovered in use. "Welcome to the cyber war," Ralph Langner declared in the blog post that finally showed how Stuxnet worked.
An act of war. Stuxnet was basically an act of war, according to author Kim Zetter. At the same time, the virus was probably used to avoid an escalation with conventional weapons. In a tense situation where the Israelis became increasingly nervous and pressed for air strikes against installations in Iran, Stuxnet became a compromise that kept negotiations a possibility. The virus went after the industrial control systems to slowly but surely sabotage the centrifuges used to enrich uranium, thus buying more time. The result was around 1000 broken centrifuges. Zetter assumes that Iran's nuclear program may have been delayed by about 18 months.
Kim Zetter has done an impressive piece of research, and writes extensively about the discovery of Stuxnet, vulnerable infrastructure and the development of digital weapons. Still, Countdown to Zero Day is not quite successful as a book. Zetter has tried to combine technology history with a more thriller-like narrative centered on the security experts who deconstructed Stuxnet, but she gets lost in the details. Along the way she often fails to place the many facts in a larger narrative, and much of the information thus appears detached and repetitive. It seems that she simply has not been able to decide which book to write. With slightly tighter editing, this engaging story could have come into its own. For those who want to get to know how today's digital weapons work, the book may still be worth reading.
Make everyone vulnerable. Digital warfare is essentially different from the use of conventional weapons. A secret Pentagon document from 2003 shows that the US military will establish cyber war as a fifth area of expertise, alongside land, sea, air and special forces. The potential benefits are many: there are many possible targets for digital attacks, geographical distance is no obstacle, costs are relatively low and it can be more palatable to a population tired of sending troops overseas. But digital warfare also has very problematic sides. In order to attack a computer system, one must know about security holes in the system and then program viruses that exploit these holes. A security hole that is not known to the manufacturer of the software, and which has not been repaired through a software update, is called a "zero day". To build an arsenal of digital weapons, the NSA collects zero days for all possible systems.
The problem with collecting zero days is that it makes all computer users vulnerable. Sooner or later, someone else will discover the same security holes and use them, be it other states, criminal hackers or people who want to steal business secrets. "It's a model that rests on keeping everyone vulnerable so that a select few can be attacked – comparable to withholding a vaccine from an entire population so that a few individuals can be infected with a virus," Zetter said in Countdown to Zero Day. Since digital weapons are not limited by geography, they may end up spreading throughout the world, including to the country that first used the weapon. One of the peculiar things about digital weapons is that when you attack with them, you simultaneously release the code of the weapon. Then anyone can use it afterwards. Ralph Langner estimated it would take about six months from the time Stuxnet became known until an attack was seen in which someone else copied the Stuxnet code.
Digital Weapon Control? Although Zetter does a thorough job of documenting and presenting the history of digital weapons, she highlights only to a limited extent the discussions that obviously need to be had. Here we are talking about a method that affects systems everyone uses, including vital functions such as hospitals, even if they are not the intended target. With digital weapons, what should be considered accidental damage from a military attack can be far more unpredictable and difficult to define. Zetter says that Stuxnet may have accidentally caused gas explosions elsewhere in Iran due to a compatibility issue. Stuxnet was very sophisticated and tailor-made for the targets it was meant to hit. If Stuxnet caused such unintended effects, how will less sophisticated digital weapons strike? And what responsibility do the original developers have when other players create copycat attacks based on the code they have created?
Export control is also a delicate issue when it comes to digital weapons, but Zetter does not address it. Finding security holes in software and creating simple viruses is something even teens can do in their bedrooms. Where do you draw the line between what is a weapon and what is not? Recently, there was an uproar in the data security community because an attempt to bring knowledge of security holes under the Wassenaar regulations, which regulate international trade in weapons, would hit the exchange of knowledge and research aimed at closing such holes to make software safer. Knowledge of security holes is an essential part of programming, and can be difficult to regulate in the same way as a physical weapon. It is hard to imagine at all that it will be sustainable to try to keep the security holes open while limiting knowledge of them to the military and intelligence services. In any case, this is a debate that should be held in the open, and not in the corridors of the military and intelligence services.