Recent news reports describing a U.S. role in a cyberattack againstIran’s nuclear program will cost the United States dearly, warned the chairman of the House Permanent Select Committee on Intelligence.
The reports, which said the U.S. and Israel were behind the Stuxnet cyberworm that sabotaged Iran’s uranium processing plants in 2009, started “a very dangerous speculation game that we are all going to pay the price for,” said Rep. Mike Rogers, Michigan Republican.
His comments underline growing concern among some U.S. security officials and private-sector specialists about blowback from the Stuxnet attack itself - like retaliation from Iran, or the proliferation of cyberattacks against the kind of computer-controlled machinery for operations such as factories and city water systems.
U.S. officials are so concerned that the president and his Cabinet recently rehearsed responses to a Stuxnet-type strike that destroys vital infrastructure such as the power grid.
In public, U.S. officials have declined to comment about Stuxnet, and did so for this article.
That is not surprising, said former White House cybersecurity officialMarcus H. Sachs.
“Deniability is one of the strategic advantages” of cyberwarfare, Mr. Sachs said, adding that it is easy for hackers to hide their tracks and leave false trails, and hard to prove who was behind an attack.
“Don’t believe everything you read in the papers,” Mr. Rogers said last week during a Bloomberg government conference, referring to reports about the U.S.-Israeli development of Stuxnet in the New York Times and later The Washington Post.
He said U.S. policymakers generally avoid offensive cyberoperations because they are aware of the vulnerability of critical infrastructure such as the power grid, oil pipelines and refineries, and the telephone system - all of which can be attacked over the Internet.
“We don’t want to throw that first punch and then not be able to take the first punch back,” Mr. Rogers said.
The problem is that no matter who threw it, the first punch has landed, and it was a very public knockout.
Stuxnet crippled Iran’s capability for enriching uranium by causing the centrifuges used in the process to spin faster and faster until they flew to pieces. The program also concealed the fact that this was happening from the scientists running the enrichment process by feeding them fake data.
Since the discovery of Stuxnet in June 2010, security researchers have identified two other pieces of malicious software associated with it and likely written by the same team: Duqu and Flame. All three programs are highly sophisticated, employing multiple previously undiscovered software security holes.
Regardless of who was behind Stuxnet, the attack called worldwide attention to the vulnerabilities of much industrial control software (ICS) - the kind of computer-controlled machinery that Stuxnet attacked, said Benjamin A. Powell, a lawyer and former top attorney for the U.S. director of national intelligence.
“There are a huge number of ICS systems accessible via the Internet,” he said. “Stuxnet’s discovery put the security vulnerabilities of ICS systems in the spotlight.”