Government-directed cyberoperations have already caused material damage, and not just to the Iranian nuclear-enrichment centrifuges hit by the Stuxnet worm in 2010. Under continuous attack from cyberespionage or cybernetwork exploitation (CNE), much of it originating in China but known by the diplomatic euphemism of the Advanced Persistent Threat (APT), the U.S. has been forced to delay programs and divert resources into cumbersome security precautions.
APT attacks break into ostensibly secure company and government networks (DTI September 2011, p. 52). Many are aimed at “exfiltrating” information of financial value, but the clear pattern in APT operations against defense interests, since 2006, has been the use of techniques invented by cybercriminals against targets of no importance to anyone except intelligence agencies.
This year will see continuing efforts to protect the defense enterprise against APTs, which continued to score hits in 2011, extracting 24,000 files from a defense program in an exploit discovered in March. Security company McAfee last year disclosed the results of Operation Shady Rat, a reverse CNE in which it compromised a server used for APT attacks. The range of targets was clearly of interest only to governments and covered most Asian nations except China.
So far, the program affected in the March attack has not been publicly identified, nor has anyone answered the question that William Lynn, then-deputy defense secretary, raised when he disclosed it: whether that system will have to be redesigned or modified to eliminate vulnerabilities resulting from the disclosure, and how much that will cost. (An extreme, pre-cyber example of such a measure was the Soviets' replacement of the radar systems on their MiG-25P interceptors after a defector flew one to Japan in September 1976.) That would constitute direct damage.
Indirect material damage has already occurred in at least one case, where an APT attack forced a major program to suspend many activities while it was converted to what was in essence an old-style special-access program, with its information systems “air-gapped”—i.e., without wired or wireless connections to the public web—and elaborate precautions taken against any compromise. Such measures have been estimated as adding up to 20% to a system's R&D bill.
Defense Secretary Leon Panetta revived the threat of a “digital Pearl Harbor” in remarks to U.S. Strategic Command in August: “Someone using cyber can take down our power-grid system, take down our financial systems in this country, take down our government systems, take down our banking systems. They could virtually paralyze this country.”
Some of this anxiety could be based on the Stuxnet attack. First, the attack demonstrated that an industrial control system that was nominally air-gapped from the net could be vulnerable. Most programmable logic controllers (PLC) and supervisory control and data acquisition (Scada) systems used to run everything from power plants to food factories are protected in this way. Second, if anyone knows exactly how Stuxnet made it onto the Iranian system, they are not talking, so whatever vulnerability exists cannot yet be patched.
Third, as Stuxnet discoverer Ralph Langner commented in DTI in September (p. 56), creating a copycat virus, even with modifications, is easier than inventing Stuxnet. This process appears to have started with the surfacing of the Duqu malware in September—it was assessed as being similar in structure, but its apparent targeting is different, leading to speculation that its role is to probe for vulnerabilities and Internet connections that would allow a PLC or Scada attack (see p. 60).
The U.K. has also played a leading role in developing cyberdefenses, as has Israel (which has a large, secure network protecting its defense enterprise). In the coming year, the U.K. will continue to build on its plan to develop cybersecurity as a national asset, in a public-private partnership with a major role played by the renowned codebreakers at Government Communications Headquarters in Cheltenham. In the U.K.'s case, the plan is to demonstrate that strong security can go along with efficient data flows, enhancing the nation's attractiveness as a hub for financial services and critical corporate data.
So far, Stuxnet is the high-water mark of physical damage caused by cyberattack. But damage can take many forms, as in the CNE/APT operations described above—and the most dangerous attack of all is the one that compromises a system's effectiveness in combat, and isn't discovered until it is too late.