Outside of what the media is reporting, the impacts of Stuxnet on the way governments across the world handle cyber warfare is speculation. It is not often to the benefit of nations to advertise what steps they are taking in their own security or actions taken to prepare for war, and this holds true for war in cyberspace as well. Cyber warfare is a hot topic right now, in part to Stuxnet, and opens up many new attack vectors and vulnerabilities to governments that they are undoubtedly exploring.
What Is Next?
Stuxnet has been part of an intense debate in the cyber community as to whether or not it is the most advanced malware ever created. However, it is generally accepted that Stuxnet is incredibly advanced and impressive; in the future, though, the malware will only be considered advanced for its time. Cyberspace is a quickly evolving domain that takes innovation and information from people all over the world to turn out impressive technology. Although Stuxnet has shaken the community in terms of its nature and feature set, we have to look at what's next in cyber warfare so that we are not caught off guard.
Researchers at the data security company Imperva released predictions that in 2011 we will see more state-sponsored cyber-attacks. They have stated that there will be more advanced persistent threats like Stuxnet that build upon the techniques and concepts from the commercial hacking community.17 What we are essentially seeing is technology that is impressive and dangerous, but in its youth. Just as the F-4 fighter jet was impressive during the Vietnam War, it is nowhere near as advanced as the F-22 fighter jet of today.
Not only will we see more state-sponsored attacks in cyberspace, but we also will also see more non-state attacks from groups possessing powerful technology and software. In February 2011, the hacking group Anonymous, affiliated with Wikileaks, claimed possession of and then released a copy of the Stuxnet worm. The worm itself, as described earlier, is very precise and poses little threat to anyone else. However, the worm can be broken into two parts: the weapon system and the payload. The weapon system is the part of the worm's code that allowed it to gain access into computer systems and networks, whereas the payload is the part of the code that modified and attacked the PLCs of the Iranian nuclear facility. It is theoretically possible to modify the Stuxnet worm to have a different payload while still taking advantage of the weapon system. This would mean that the Stuxnet worm could gain access into computers all over the world that were not properly patched against it and have whatever effects the programmers desired. These effects could include stealing corporate secrets, stealing personal information from individuals and even targeting other SCADA systems, including oil refineries and water filtration plants. The Stuxnet worm will eventually be outdone by a new contender, but the threats posed and inspired by Stuxnet and its variants will be around for years to come.
The Paradigm Shift
Cyber warfare is new relative to traditional warfare, but it has been around years before Stuxnet. However, Stuxnet has changed the face of the cyber community around the world. It not only showed just how vulnerable even large governments are to cyber-attacks, but also how quickly a cyber-attack could take place while remaining undetected for so long. The allure to corporations and nation-states alike to conduct cyber-based attacks and espionage is great. The Stuxnet worm was a demonstration to groups and nation-states, both those who were planning to invest in cyber warfare and those who were not, that cyber warfare lacks much of the normal attribution and the high financial and political costs usually associated with traditional warfare. To those groups and nation-states that were not investing a significant amount in cyber warfare, the threat of catastrophic loses echoed across the deserts of Iran and into the fiber that connects the world.
Stuxnet has had an impact on politics and the federal budget, been used as the inspiration and justification for cyber police units with tremendous power over the Internet and freedom of speech in Iran, and has been publicly released with the intent of modification by powerful groups such as Anonymous. In addition, it has unquestionably inspired other governments and groups to develop their own cyber weapons, as well as increase defenses on their networks. On a larger international scale, the Russian ambassador to NATO, Dmitry Rogozin, said that NATO should investigate Stuxnet, as it was "very toxic, very dangerous" and "could lead to a new Chernobyl."18 Cyber warfare has changed.
The public's knowledge on cyber warfare has also changed due to Stuxnet. In the months following the public release of information on Stuxnet, it was nearly impossible to turn on the nightly news, access news websites or escape Internet forums talking about the worm. The vulnerability of governments also has left a sense of serious vulnerability to many civilians about their personal information and assets. If a worm as powerful as Stuxnet could have been created to infiltrate extremely secretive and protected security measures around a nuclear facility, then it was more than theoretically possible that a worm could be designed or reverse-engineered to easily access banking information and personal details of millions of people around the world. When people of a nation do not feel secure, they look to their government to protect them; if the government cannot, then the people look towards change in the government. Stuxnet could have had much more drastic effects and a much more costly outcome. It was a wake-up call to those operating in cyberspace and to those who never before thought they would have to be concerned with it.
Stuxnet also raises the question of how non-state actors will be viewed in cyberspace in the future. If Stuxnet were launched from a non-state actor, for example, a corporation, what implications would it have for the non-state actor's home nation and how would Iran react? If a non-state actor launches a cyber-attack of the magnitude of Stuxnet and possibly one with more damaging effects, including a nuclear meltdown, would the nation under attack consider it an act of war? Would the non-state actor be held responsible by its home nation, and if so, to what extent? These questions are not easy to answer, but now must be addressed.
Stuxnet has caused a paradigm shift in cyber warfare and changed the way nations, corporations and we as citizens view cyber warfare. This is just the beginning of a new era of warfare that will only become more invasive and costly to each of us.
Robert M. Lee is an officer in the United States Air Force; however this paper and his views do not constitute an endorsement by or opinion of the Air Force or Department of Defense.