For at least the past few years, you and I and over 6 billion other people on this planet have been living in a new age, the age of malware warfare — let’s call it MalWar for short.
Today, the New York Times revealed — through a report citing anonymous sources involved in the program — that two White House administrations and Israel collaborated to create the Stuxnet worm and deployed it to attack an Iranian nuclear facility. According to the Times, the operation dubbed “Olympic Games” began during the George W. Bush administration, when frustration over Iran’s developing nuclear program was at a fever pitch in 2006. The CIA had tried more traditional means of sabotaging Iran’s nuclear facility, attempting to get faulty parts, and even booby-trapped parts set to explode, into the facility, but with little success.
In the waning years of the Bush presidency, a bit of code called a beacon was developed and smuggled into the Iranian facility. Its job was to gather information on computer systems, essentially creating an electronic map that would then be sent back to the National Security Agency. The beacon did its job and its findings, coupled with some follow-up research and experimentation in a joint effort between Washington and Israel, yielded the development of Stuxnet. The idea behind the worm was to infiltrate the systems that control centrifuges, which spin at high speeds to separate uranium molecules. The virus would vary the speeds of the spinning machines rapidly, speeding them up and slowing them down in quick succession until the delicate parts gave way under the stress.
Iran’s centrifuges first began spinning out of control for no apparent reason in 2008, but no damage was done. Bush left office and pressed the new President Obama to preserve “Olympic Games.” The 44th President took his predecessor’s advice and continued the operation.
In 2010, the worm escaped the confines of the Iranian plant, apparently on an engineer’s computer. It soon began to propagate itself on the Internet and made worldwide headlines. Even with the cat out of the bag, Obama pressed on and shortly thereafter the worm took down nearly 1,000 centrifuges. Several years after President Bush had marked Iran in his infamous “Axis of Evil” State of the Union speech, the United States and Israel had launched a successful attack to do real (if only temporary) damage to the country’s infrastructure. The weapon was a USB thumb drive and the ammunition was a chunk of code – the initial tools of nascent MalWar.
The way nations wage warfare has changed multiple times over the past century, each time thanks to the emergence of new technology. World War I marked the dawn of air combat; the geopolitical power structure shifted in an instant when the Americans dropped an atomic bomb on Hiroshima; satellites gave us eyes in the sky; drones allowed for attacks to be carried out in Afghanistan without any personnel ever leaving Nevada; and now MalWar further removes physical geography from military strategy.
But MalWar doesn’t just break down the importance of geographic boundaries; it also strips away the prominence of political boundaries and nation-states themselves. Just as terror networks driven by ideology rather than nationalism changed how we think about national and global security, MalWar further decentralizes those threats. Fifteen years ago, the simplest way to launch a strike on Iran’s infrastructure (to say nothing of planning for Iran’s likely retaliation) might have involved a supersonic bomber taking off from a base in Missouri, dropping a payload and heading back home. The resources to pull off that single bomb run required many years, several big defense contracts and several billion in taxpayer dollars to create. That means that the barrier to entry for engaging in global warfare was pretty much restricted to nations. Now, in the age of MalWar, that bar has been lowered dramatically.
While worms like Stuxnet and the recently discovered Flame are believed to be so complex that they could only have been created with the backing of a large government, that won’t be true forever, and it may not even be true any longer as I write this, if it ever was.
New Armies of MalWarriors
In fact, as Data Center Pro and MIT’s Technology Review point out, hackers have already begun to learn from Stuxnet, and some of the worm’s code even showed up in TDL-4, the so-called “indestructible” zombie botnet. This means the confusing array of hacks, DDoS attacks and defacements perpetrated by Anonymous, AntiSec and other groups (if you can even call them that) with a dizzying variety of names, structures, associations and motives could be just the beginning.
Many of the world’s Industrial Control Systems, like those Stuxnet infiltrated, are woefully short on anti-virus and basic security protection, and the foundation for making MalWar on them is now loose in the wild. Can it be long until a now-unknown group conducts an attack on a power plant to make a political statement, or takes down a sewage treatment plant just for the “lulz”?
Just as the dropping of Little Boy and Fat Man on Japan spawned new worries decades later like the always-eerie spectre of a “loose nuke” getting into the hands of terrorists, “Olympic Games” and Stuxnet may one day lead the masses to cast suspicious glances in the direction of those who seem to spend just a little too much time coding.
One day we might all become MalWarriors for hire. When that day comes, which side will you be on? Or, I should say, how many sides will you be on?