To many in the intelligence community (especially those who purportedly created it), the Stuxnet worm was a wildly successful cyberattack. But it was also a major failure on at least two fronts—fronts that could come back to haunt us.
The first of these failures, as outlined in a report from ABC News, is that the Stuxnet worm was identified. This was not supposed to happen. How do experts know this? Easy: Stuxnet’s design implies it was never supposed to be found, Attackers designed the worm to make it appear as though the Iranian scientists were inept, and were personally responsible for destroying the uranium-enriching centrifuges at the Natanz nuclear facility.
Exposure and an incredibly public international press response means that Iran can no longer deny that a cyber attack took place. Exposure, say the experts, means retaliation is imminent. Whether that retaliation is web-based like Stuxnet, or increased American deaths in Iraq or Afghanistan is unclear, but they are certain something will happen. Today they lean toward a cyber counterattack, mainly due to what they’ve identified as the second failure.
The second failure is related to discovery. After Minsk-based hackers uncovered Stuxnet, the worm was exposed and therefore subject to dissection. And dissect they certainly did. Stuxnet, you see, did not self-destruct in 2009 as its designers intended. Buried in the code was a self-kill switch that did not go off as planned, and so Stuxnet stayed around long enough to be “interrogated,” experts told ABC. It even spread far and wide outside of Natanz to places like India and the U.S., where it was largely harmless due to the fact that it was custom-coded to affect only the Siemens hardware found in Iran’s nuclear testing facility.
In the years after exposure, hackers loyal to Iran or its allies are now changing Stuxnet code to suit their own cyberterrorism needs. As far as U.S. interests are concerned, this is a very bad thing indeed:
Moreover, the Obama Administration’s policy is that the hundreds of privately owned companies that run those networks have to defend them by themselves. Our new military Cyber Command is not allowed to protect our electric power grid, banking system, railroads, or pipelines. Nor is the Department of Homeland Security. Given the fact that Stuxnet may turn into a boomerang, we may want to rethink whether our tax dollars might buy us some defense of the computer networks that we need to make the country run.
One would hope that the U.S., should it have been involved with Stuxnet (never officially confirmed or acknowledged), would have failsafes in place should the Stuxnet worm be compromised or turned back against its infrastructure in the future. Otherwise, uh, who likes reading by candlelight?
Send an email to Jack Loftus, the author of this post, at email@example.com.