The world braces itself for new technological weapons
By Shaza Elsheshtawy
In July 2010 news broke out of a vicious, complex computer worm –Stuxnet—infecting staff computers at Iran’s Bushehr nuclear plant. Known as a cyber super weapon, the worm targeted Iran’s nuclear centrifuges, which are an integral piece of equipment in uranium enrichment, by causing them to stop functioning properly, thus severely delaying the progress of Iran’s nuclear program.
The complexity of the worm has some experts speculating that it was planted by a nation-state. In fact, The New York Times reported that the worm planted in the Bushehr plant might have originated from Israel, a country that has similar nuclear centrifuges to Iran, does not look favorably on their nuclear program, and has reportedly tested the effectiveness of Stuxnet before.
The unsettling thing is that this was not the first time a nation has been vulnerable to a cyber attack.
During the 2008 Russian invasion of South Ossetia, Georgia, the country’s government agency websites were hit with “Distributed Denial of Service” (DDoS) attacks. DDoS attacks send waves of false requests to a website’s Internet server so it becomes overwhelmed and shuts down. Pro-Russian websites provided the DDoS software and instructions to any Russian nationalist that wanted to launch an “attack” of their own on Georgia.
In 2007, Estonia was also the target of cyber attacks launched from Russia. Russian nationalists used computer worms and viruses to disable the websites of government ministries, banks, companies and even Estonian newspapers.
The consequences for the Georgian government were not terribly severe, disrupting only some e-mail and a few websites. For Estonia, however, the consequences were more worrisome. Estonia’s government relies heavily on the Internet—in fact, in 2000 the Estonian Parliament declared Internet access a human right.
This heavy reliance on the web meant that some vital government organization operations, such as telephone access to emergency services, stopped working due to attacks launched from nationals in another nation.
Jason Healey, director of the Cyber Conflict Studies Association, argues that while none of these cyber attacks have caused any significant long-lasting destruction, newer viruses like Stuxnet are noteworthy.
“Stuxnet really was sophisticated,” Healey said. “It used multiple, previously unknown methods to gain access to its target, which would have been significant enough on its own. What was unprecedented was the level of specific research that went into making sure that it would only affect a limited number of computers in the world.”
Unlike the DDoS attacks launched against Russia that merely shut websites down, Stuxnet affected something physical—the Iranian nuclear plant centrifuges. This is significant and unprecedented because if Stuxnet can target a centrifuge, then it could possibly target a weapon.
The use of these “weapons” could lead to an unfamiliar and intangible form of conflict between nations. There have been land wars, sea wars and air wars, but the prospect of a cyber war in the 21st century is not too far-fetched.
The threat of cyber conflict has emerged as a pressing global security concern. President Obama has even referred to cyber attacks as “one of the most serious economic and national security threats our nation faces.”
It is generally unknown what these threats mean for international and even homeland security. Perhaps the world and the United States might not be well equipped for these threats.
Healey says the world is not completely prepared for such a danger. He says nations are still working on protecting against physical, traditional threats. And to make matters worse, unless they are specifically being looked for, the viruses often go undetected.
What nations need to do, he argues, is to not worry about stopping the attacks and instead start focusing on circumventing and detecting basic cyber threats.
“It’s like trying to make a ship that won’t sink,” Healey said. “At some point, if someone is willing to throw enough missiles at it, then it is going to come down because you are never going to make an unsinkable ship. What we can do is continue a lot of basic things to keep off the most simple attack and to increase our chances of detecting and stopping them at an advanced level.”
The United States has taken some measures to protect against a cyber attack.
One such measure is the Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT). According to their website, US-CERT is responsible for providing support and defense against cyber attacks on the United States, and it is also a way for citizens to communicate with the government about cyber security.
Despite the few government measures that have been taken to circumvent cyber threats, and despite President Obama’s reference to cyber attacks as the most serious national security threat today, the plausibility of nations and militaries engaging entirely in cyber war is hard to imagine.
Healey says this is because the world has simply not experienced one yet. The cyber attacks that have made headlines have not yet taken lives or left collateral damage, so it is hard to consider them as real wars or conflict.
“We haven’t had a real cyber war,” Healey said. “People die in a war, and there is collateral damage and a lot of other things. We have seen what wars are in the real world, and nothing that has happened in the cyber world has even come close in relation to the kind of death and destruction that you see in war time.”
While the world has not experienced cyber conflict as it has traditional, kinetic conflict, major international security alliances have engaged in discourse on the issue.
In June 2010, NATO was involved in the Cooperative Cyber Defense Centre of Excellence Conference on Cyber Conflict held in Tallinn, Estonia. The conference brought together cyber security experts from governments, militaries and academia from across the globe to discuss ways to approach cyber threats.
Estonian President Toomas Hendrik Ilves gave the opening address for the conference. Ilves highlighted the necessity of a holistic, multilateral approach to these threats.
“Before we can talk about the hardware and software side of cyber defense and cyber warfare, we have to develop a conceptual consensus,” he said. “As much of our critical infrastructure is also transnational, we require a transnational approach.”
Whether the threat of cyber conflict is extremely plausible or over-hyped, and whether the world is prepared for such a conflict or not, the capabilities of computer viruses have evolved immensely. As seen with Stuxnet’s effect on Iran’s Bushehr nuclear plant, these viruses have the potential to affect large-scale physical machinery.
The best approach to the cyber “threat”—real or not—is certainly not to ignore it. The threat requires multilateral discourse and cooperation. It is only a matter of time before simple DDoS attacks and even more sophisticated viruses such as Stuxnet evolve into true cyber “super-weapons” that can cause significant harm to people and the environment, not just nuclear centrifuges.
Shaza Elsheshtawy is a sophomore journalism and politics major who wants to make the world a safer place, one click at a time. E-mail her at [email protected].