does cyberwar’s digital bell toll for thee?
Having firmly established why antivirus software can’t really deal with cyberweapon-grade malware, let’s take a look at the really big news in the world of both information security and politics: an official reveal of Stuxnet’s origin, as excerpted in the New York Times, which at this point wasn’t much of a surprise to anyone. The entire web was already certain that it was created by the NSA and that the process somehow involved Israel, because strings buried in the code (a "Myrtus" project path in a driver and the marker value 19790509) were widely read as references to Jewish history. But as the world now acts shocked that what it very vocally and unambiguously suspected actually happened, the contingent of Americans convinced that a cyber attack could cripple the nation’s infrastructure is waiting for the other shoe to drop. After all, while a nation like Iran couldn’t offer a conventional response to a worm that crippled some of its centrifuges, isn’t writing malware much simpler than, and just as effective as, dropping a couple of bombs, and aren’t there thousands of network and software vulnerabilities to exploit as payback?
Well, if you recall one of my earlier posts on the subject, the second part of that statement is true but the first comes from a massive overestimation of what computers can and can’t do. As noted before, yes, there is an amazing number of potential vulnerabilities, or infection vectors if we want to get fancy, but each vector exposes different functionality, and far from all of the exposed functionality will actually let you do real damage. There’s a reason why it took a while to write Stuxnet. It had to chain several different exploits, including multiple zero-days, to spread from infected USB sticks and Windows machines to the right engineering workstation. It required expertise not only in how the centrifuges worked, but in how Siemens Step 7 talked to the PLCs (it hooked the Step 7 communications library, s7otbxdx.dll) and in how organization blocks such as OB35 are structured, so that its own code could be slipped into the PLC program and hidden from the engineers reading it back. And finally, its kernel-mode drivers had to be signed with stolen code-signing certificates (Realtek’s and later JMicron’s) so that Windows would load them without a warning and the payload could unpack and get to work with the privileges it needed. In other words, this wasn’t an easy task, and by the nature of the beast the software has to be extremely specialized. Drop any old worm into the control center of a power plant and it’s going to error out, and it will be discovered as soon as a system admin goes over the event log, which will more than likely record the errors thrown by the worm as it crashed.
Again, I’m sure that Live Free or Die Hard was a fascinating movie, but were it based in the real world instead of a technophobe’s nightmare, the hackers would’ve taken months to gain control of a small local power grid and would’ve spent tens of thousands of dollars at least to test their worms on real equipment of the kind they thought the targeted grid was using. Spyware is a different matter entirely, and software a lot like Flame is nothing new. In fact, over the last five to seven years, scarcely a few months have gone by without articles mentioning some mysterious spyware attributed to China found on the computers of officials in big international organizations, or in a U.S. lab working on national security matters. Does anyone really think that the U.S. isn’t going to spy back or try to gather intelligence on regimes with which it has an antagonistic relationship? True, it is so far the only country known to have used malware as a weapon, but it did so for a subtle act of industrial sabotage rather than a conventional military attack, and acts like this very, very rarely result in war, since spying and sabotage are facts of life for nations. In a high profile case there’s a lot of tough talk and a lot of threats, but as soon as the press coverage fades, the saber rattling fades with it and things more or less return to normal.