Stuxnet: 'Moral crime' or proportionate response?

Delegates at the Black Hat conference in Las Vegas are sharply split on the merits (or otherwise) of malware like Stuxnet that can be used offensively to take down infrastructure. Stuxnet was the first malware that was publicly acknowledged to have been designed to take down physical equipment – in this case, Siemens …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    "civilian infrastructure"

    ""I think what you're talking about is a moral crime," said Marcus Ranum, faculty member of the Institute for Applied Network Security. "What you're really doing is putting civilian infrastructure on the front line in this non-existent war. The military is basically saying 'we've saved you a little old fashioned bombing - you should be happy,' but that's not appropriate."

    Is a facility meant to produce nuclear weapons *really* to be considered "civilian infrastructure"?

    1. Charles Manning

      Re: "civilian infrastructure"

      The end target was not civilian infrastructure, but civilian infrastructure, and many civilian PCs were used and infected to get Stuxnet to its final destination.

      Is it OK to use civilian machines and infrastructure like this?

      If you think so, then you are condoning the press-ganging of Aunty Mable's laptop.

      Surely from the other side's perspective, that then makes Aunty Mable's a potential part of the aggressor military establishment and fair game for hostile acts.

    2. Anonymous Coward
      Mushroom

      Re: "civilian infrastructure"

      "Is a facility meant to produce nuclear weapons *really* to be considered "civilian infrastructure"?"

      OK I'll bite .. How do you know it's meant to produce nukes ?

      1. Anonymous Coward
        Anonymous Coward

        Re: "civilian infrastructure"

        Because the IAEA say that there is no other reason to have uranium enriched to the level it is being by the Iranian government.

        1. Anonymous Coward
          Anonymous Coward

          Re: "civilian infrastructure"

          Last I've read they haven't enriched anything above roughly 60%. Which is certainly very highly enriched uranium, but by no means bomb material yet. (You need AT LEAST 85% enriched, and that is with super efficient design and perfect control over the fission process. Something I doubt Iran would have mastered yet.) Thus I wouldn't "worry" much until they enrich over 95%.

          1. Anonymous Coward
            Anonymous Coward

            Re: "civilian infrastructure"

            Yes, it's only 60%, which is still rather over the less than 10% required for power. To put it another way, US civilian power plants use about 3-5% enriched.

            There is no other reason to enrich uranium to this degree. They may not have achieved weapons grade, but the only reason to enrich uranium past 10% (and that's at a push) is to try to make it weapons grade.

        2. Anonymous Coward
          Anonymous Coward

          Re: "civilian infrastructure"

          @ac 0725. Reference please. Last I heard no one had any firm idea exactly how much had been enriched or to what level.

      2. This post has been deleted by its author

    3. g e
      Meh

      Re: "civilian infrastructure"

      I thought it was only the US and its 'allies' that were claiming it was a nuke material processing plant.

      In which case it would be a proportional response to something made up by the people launching the response in the first place.

      A bit like me calling you fat then, because you're fat, punching you. Regardless of whether or not you actually are fat in the first place. It's a proportionate response to a fantasy world inside my head not necessarily connected to observable reality.

      Not that Iran aren't trying to build nukes, they might be, but it's the way the USA likes to roll - more than a little swivel-eyed, especially if you have oil.

  2. Anonymous Coward
    Anonymous Coward

    Moral Crime ?

    It depends. If done by a state then it was an act of war. If no state of war existed, then it was a crime, moral or otherwise.

    And that's the danger. It's all too easy to launch such an attack and believe that no-one is getting hurt, but the victim might feel justified in considering physical violence to be a proportionate response.

    I think they're playing with fire.

    1. DeKrow
      Mushroom

      Re: Moral Crime ?

      Didn't the US recently add 'cyber' attacks to that which constitutes an act of war?

      ie. Had any country sponsored a Stuxnet-style virus aimed at disabling nuclear facilities in the US, then the US would feel justified declaring war on said sponsor. And I would wager that declaring war on said sponsor would be, primarily, non-cyber attacks.

      1. Anonymous Coward
        Anonymous Coward

        Re: Moral Crime ?

        I believe you're correct, and that's something I've commented on previously. In particular I think that if these are seen as weapons of war then their use should be under the control of the military and the normal rules for warfare. If not, then it's conceivable that someone low-down in the hierarchy could start a sequence which leads to serious harm all round.

    2. Anonymous Coward
      Anonymous Coward

      Re: Moral Crime ?

      An act of war: Like training and supplying an insurgency? Or kidnapping sailors in the navy of a sovereign nation?

      We seem to be trying rather hard not to go to war with Iran.

  3. Justicesays
    Big Brother

    So, where are the "sports" police

    "Operation Olympic Games"

    This is clearly a breach of the special magical protected state of the word "Olympics".

    Aggravated even further by the use of the word "Games" in conjunction with it.

    I assume the Corporate goons of the IOC (Illuminated Olympic Conspiracy) are even now moving to arrest the coiner of that operational label?

    And this website.

    And me.

  4. P. Lee

    > "Ultimately the ethics of this don't really matter – the decision has been made and this kind of stuff is going to be unavoidable."

    i.e. those making the decisions don't care about the ethics and are not accountable for their actions.

    Hmmm. Perhaps we should hold them accountable? That's the problem - we will still vote in people who do things we despise. Just look at Tony Blair being re-elected despite setting up a war the electorate didn't want.

    1. Anonymous Coward
      Anonymous Coward

      "we will still vote in people who do things we despise" @P.Lee

      No meaningful choice was offered to the electorate, because both main parties voted to go to war, and so despite abstentions and protest votes at the subsequent election some party who supported the Iraq war was going to win.

  5. Anonymous Coward
    Mushroom

    "it provided military options without the need to endanger human life"

    Until someone fucks up and a nuke plant goes bang. It seems hard enough to securely operate a nuke plant (Fukushima, etc) without some morons from elsewhere deliberately screwing around with control systems. Jesus H.

    <-- Too obvious?

    1. Joe Gurman

      Re: "it provided military options without the need to endanger human life"

      I'm sorry, but given what's known about Stuxnet, whether you like it or not, this is a remarkably ignorant comment.

      Stuxnet was about disrupting uranium enrichment. You could break every centrifuge wide open and nothing (but the spare pieces of sheet metal) would "go bang."

      Since Iran's *cough* peaceful facilities for refining uranium so it contains enough U-235 to make fissile material are designed to keep radioactive material in (to prevent detection), and the snooping eyes of the IAEA out, you could be pretty certain that even if all the centrifuges started sewing shrapnel and uranium in various stages of enrichment, none to speak of would leak out. Cleaning up the inside would be, as they say, an exercise for the student.

      In what way would that be worse for world peace than an ayatollah with a bomb or ten, or Israel or the US plastering every suspected Iranian nuclear facility, some of which are near cities, with bunker busters? We're not talking theory here, but a real world in which, for instance, the same Pakistani government who didn't realize Sheikh Osama was living in a nice suburb a few blocks from a major military establishment decided as a result of the US raid to start driving its nukes around the country in unshielded vehicles to avoid seizure. And a real world in which al-Assad has control of stocks of chemical and biological weapons.

      It is time to get a little more serious about these things, or the next 7/7 might just be nuclear, chemical, or biological.

      1. Anonymous Coward
        Anonymous Coward

        Re: "it provided military options without the need to endanger human life"

        this is a remarkably ignorant comment

        Did someone piss on your cornflakes this morning? Funnily enough I'm neither a malware expert nor nuclear facilities engineer but I think I'm allowed to voice my worries here.

        And if I was considering the likelihood of some country making a nuke and using it I think I'd be looking at the countries that have built one and tested it first although no one seems too bothered about those countries.

      2. Will's

        Re: " this is a remarkably ignorant comment."

        Indeed, and given that the worm wasn't even meant to break containment, simply wear out the active components faster this is even less of an issue....

        Except that, this hacker conference isn't about Stuxnet, it is about a class of attack like Stuxnet.

        The fact that Stuxnet was effective because of its total stealth doesn't mean that the next attack might be effective because it takes out a whole gas pipeline destroying the infected machines (and the leccy of half of Europe) in the process. Now that the stealth of the concept isn't key, expect to see escalations.

        1. Anonymous Coward
          Anonymous Coward

          Re: "takes out a whole gas pipeline"

          "takes out a whole gas pipeline"

          That wouldn't be good would it.

          Another equally plausible but distinctly not good possibility would be to knock out a good proportion of the UK's (and maybe elsewhere's) electricity generating capacity, at a stroke, by knocking out most of the combined cycle gas turbine installations. I believe they total roughly 15GW max in the UK, hopefully not all of which will be exactly the same design, out of a daily demand varying between around 30GW and 50GW [1].

          Take out the systems (PLCs and PCs) that control the pre-packaged volume-built gas-wasting CCGTs built in the insane post-privatisation "dash for gas" and that's maybe a 15GW hole to fill. With no notice in advance.

          Filling a 15GW hole **at zero notice** just doesn't happen (you get lots of notice if there's going to be no wind at all, and if necessary can light a few fossil fuel stations or knock off some interruptible demand).

          The other question to ask, not widely addressed so far, is why have IT departments in general not treated Stuxnet as a wakeup. Sadly, I think I know why it's not been asked.

          [1] http://www.gridwatch.templar.co.uk/

      3. Naughtyhorse
        Thumb Down

        Re: "it provided military options without the need to endanger human life"

        It is time to get a little more serious about these things, or the next 7/7 might just be nuclear, chemical, or biological or a re-engineered stuxnet triggering a firesale in our highly automated and interconnected infrastructure.

        there fixed it for you.

        i think the guy who designed the Boeing 757 didn't think of it as something that would unnecessarily endanger human life. september 11 put paid to that idea.

        questioning the morality of state sponsored malware is moot. it exists, and in the future those most dependent on technology will be most at risk from attack.

        the US and israel developing stuxnet was above everything else incredibly stupid and shortsighted. and we will all rue the day.

        1. Anonymous Coward
          Anonymous Coward

          Re: "it provided military options without the need to endanger human life"

          "there fixed it for you."

          Nope. You fixed nothing, you just embedded a histrionic little bit of ill informed alarmism. The highly varied SCADA used by the various infrastructure players is rather more robust than you seem to realise, less extensive than you assume, and accompanied by multiple different control and monitoring techniques. Whilst it is certainly within the wit of man to come up with a hack to disable or mismanage SCADA systems, the extension of this to the fall of civilisation is complete tosh.

          Taking the example of Wintel SCADA plant that the Stuxnet attack was on, don't you think that all internet connected plant is already (like your home PC, or your firm's network) under continuous malware assault? That's a little different to a targeted assault, other than that if the control PC is infected then chances are it's going to cause problems sooner or later. But nothing of significance has happened. Indeed Stuxnet spread worldwide, but the lack of material collateral damage to SCADA systems other than the centrifuges proves my point more than yours, and that undoubtedly would include unintentional infection of air gapped SCADA under the normal operating circumstances.

          There's far more effective, and usually practical means of attacking infrastructure than cyber warfare, which is a wildly over-rated tool. The lesson of Stuxnet is probably that the benefit (of delaying Iran's enrichment programme by at most a few months) was nothing like as successful as targeted assassinations and conventional sabotage inside Iran, and the "benefits" of both were undoubtedly offset by the hardened Iranian resolve to do what they want to do, driven by a sense of paranoia and fear.

  6. jake Silver badge

    The slippery slope.

    My bottom line is that if you don't actually own (financially, not in the "owned" sense) the physical computer infrastructure, you have no place running code on it without permission.

    This kind of thing is a bad precedent when it comes to personal freedom ... which is what I thought[1] was the thing TPTB was supposed to be trying to protect ...

    [1] I know, I'm a dreamer :-/

  7. Spotswood
    Thumb Up

    Wars are going to be fought, it's in our nature. Why not do it in a way that doesn't endanger human life? Wouldn't that be more ethical? And anyway who in their right mind would trust Iran with a Nuke? I think the US has done us all a service here.

    1. Schultz

      "Wars are going to be fought, it's in our nature."

      There is a word for humans doing things that are not in their nature: it's called civilization. Let us know if you want to join!

  8. Dr. Vesselin Bontchev
    Mushroom

    "Moral crime"?! You've got to be kidding. It was a military action. According to international law, all wars of aggression are crimes. Not "moral" crimes - crimes pure and simple. Iran did not attack the USA or Israel in any way - cybernetically or otherwise. Therefore, any kind of military action against it was criminal.

    As for the "how do we know the plant wasn't making nukes" quip - stop swallowing the mainstream media propaganda. We KNOW that the plant wasn't making nukes, because all the major intelligence outfits of USA and the UK told us so. Iran isn't trying to make a nuclear weapon. Iran gave up the idea years ago. The spiritual leader of Iran issued a religious ban against nuclear weapons. It's just the politicians of the USA and Israel who are hungry to find any reason to attack Iran, change its regime and steal its oil. Worked so well in Iraq, didn't it? Oh, wait a minute...

    Mikko's comment is disingenuous, too. Decades ago "decisions were made" to use weapons of mass destruction - poisonous gas, nukes, etc. (Remember which was the only country to use nukes? Against civilian targets, at that?) Does that also mean that their use "does not matter" - i.e., is not a crime against humanity?!

    Oh, and about "proportional response". The USA (and some other countries) have stated that they will consider a cyber-attack on their infrastructure as an act of war and will feel free to respond with conventional weapons. Does that mean that Iran has now the right to bomb the USA and Israel?

    Arrggh, what the world has become! :-( When I started working in this field, viruses were just malicious pranks created by juveniles. I was just helping their innocent victims. Nowadays malware is a weapon used by organized crime and the military (is there really a distinction between the two?!). I don't want to be part of this any more! :-(((

    1. jake Silver badge

      "I don't want to be part of this any more!"

      Then bail out of that side of it. I've wondered for a decade and a half why you continue ...

      I use my ones & zeros knowledge elsewhere ... and I'm happily fixing shit, instead of trying to protect the great unwashed from stuff that they shouldn't have come into contact with in the first place.

    2. Anonymous Coward
      Anonymous Coward

      @Dr Vesselin Bontchev

      "Iran did not attack the USA or Israel in any way "

      Rubbish. Iran has been involved in ongoing tit for tat attacks on Israeli embassies and civilians (and Israel attacks Iranian nuclear capabilities); Iran has been involved in extensive proxy wars through the supply of weapons, funds and training to the likes of Hezbollah and Hamas. Iranian military personnel have been involved in continued sectarian violence in Iraq (after the US withdrawal), and Iran continues to have a hand in ongoing attack on NATO troops in Afghanistan (albeit carefully controlling its support by allowing the insurgents to be a nuisance, but not to be successful). And they've been clearly fingered for actions like the attack on the Japanese supertanker M.Star, as well as destabilising activities in other Gulf countries, and in Pakistan.

      To deny that Iran has a nuclear weapons programme is a denial of common sense and the IAEA findings that Iran has been undertaking activities inconsistent with a civil nuclear programme. The same IAEA that found no evidence (and was later vindicated in this) of Iraqi nuclear weapons.

      There's certainly a valid argument that Iran is doing this because it feels isolated and victimised, and that mutual misunderstanding is a major contributor to ongoing conflict; But the fact remains that Iran isn't an innocent victim.

      1. Robert Carnegie Silver badge

        Re: @Dr Vesselin Bontchev

        If the U.S. government orders the IAEA to find that Iran has a nuclear weapons programme, or has an army of genetically recreated dinosaurs, then that is what the IAEA reports. And if the U.S. government says that the IAEA doesn't need to visit any industrial sites in Iran before announcing this discovery, then the IAEA doesn't go.

        Of course I'm not saying that the Muslim race should be allowed to develop twentieth century technology such as Christians have, e.g. electric cars. It isn't for me to say that. I am just saying that the IAEA report of a flying unicorn delivery system isn't going to have me watching the skies.

        When we go to war against the Muslims, it is because we don't like them, and because we want things that are theirs to be ours. The rest is bullshit and I don't like the smell.

        1. Anonymous Coward
          Anonymous Coward

          Re: @ Robert Carnegie

          "If the U.S. government orders the IAEA to find "

          Despite my reference, you've obviously overlooked that embarrassing Iraq business, where the IAEA were sent in specifically to find the evidence, and there wasn't any. And after Saddam had been toppled the Yanks and their allies looked, and looked and looked, and found nothing.

          Good luck with your "Christians versus Muslims" trolling, but I'm not interested myself. Maybe somebody else will bite?

        2. jake Silver badge

          @Robert Carnegie (was: Re: @Dr Vesselin Bontchev)

          "the Muslim race"

          Race? Are you sure you know what that word means?

          The rest of your commentardary deserves no comment. It's that useless.

      2. Naughtyhorse

        Re: @Dr Vesselin Bontchev

        and how long do you think israel would be able to prosecute its campaign of genocide against the arab world without the massive support of the world's only super-bully?

        and your point is?

        btw israel and the us have nukes, and in 1 case has used them against civilian targets (i know the point has already been made - but it's a pretty important point)

        1. Anonymous Coward
          Anonymous Coward

          Re: @Naughtyhorse

          "and how long do you think israel would be able to prosecute its campaign of genocide against the arab world with out the massive support of the worlds only super-bully?"

          No, what's YOUR point? I've not made any case for Israel doing anything, merely observed that it has been doing some things. But whilst I'm no fan of Israel, I'm feeling a little belligerent, so let the show go on.

          Notwithstanding the significant US funding and tech support, Israel would be able to take on its (often aggressive) Arab neighbours for quite some while. The Israelis have one of the most effective intelligence agencies on the planet, very well trained armed forces, and significant technological capabilities (for example drone production that wipes the floor with anything Europe produces). Meanwhile, you've got that skinny criminal Assad too busy using his outdated military hardware on his own population. Lebanon, Gaza, West Bank, evidently easily constrained (although the malignant influence and mismanagement by militant groups probably afflicts their populations far more than Israel). Jordan - busy minding their own business, and negotiating with Russia for some nuclear power plants, which curiously enough hasn't attracted any material complaint from the US, Israel, or IAEA - why might that be? Egypt - who knows, but their military learnt their lesson a long while back.

          Now, back to your poorly constructed argument: What Israeli genocide of Arabs? And if you want to identify the root cause of the ongoing Arab Israeli conflict, then I'd argue for pointing the finger at British Foreign Minister Arthur Balfour.

  9. Joe Gurman

    With all due respect

    .... I'll take my moral cues from philosophers and poets, and get my security advice from Black Hat participants, not t'other way around.

  10. wayward4now
    Black Helicopters

    I have to agree with the nay sayers

    We should either declare war on justifiable grounds or stay out of some one else's business. The oil producing countries have to decide is what to do when the oil runs out. Should they go back to burning camel dung for heat and light? With all that sand, and no trees, they won't be setting many fires in the fireplace. So, nukes are the way to go. They'll HAVE to have nuclear reactors to provide energy. So, if that is what they are doing, WTF? If we can prove WMD, and make a case to NATO and the UN, let's make it. Otherwise, they are justified in hating our very guts. If I were them, I'd be spending my oil money on reactors as fast as possible, while the money in the form of Dollars and Euros is still regarded as worth something.

    OR! Maybe someone has a vested interest in keeping these people in the dark when the oil runs out?? I wonder who would profit and how?

    1. Anonymous Coward
      Anonymous Coward

      Re: I have to agree with the nay sayers

      I'm always at a loss to explain why we don't hear more about pebble reactors. Apparently, a much safer method of producing energy than other nuclear plants and the process makes it far more difficult to produce weapons grade nuclear material.

      http://en.wikipedia.org/wiki/Pebble_bed_reactor

  11. Neil Alexander
    FAIL

    The main question is: Why were any of these SCADA systems networked to anything else or have active USB ports for mass storage?

  12. That Steve Guy

    Is it really effective?

    This type of cyberwarfare seems to run a huge risk of the weapon escaping the control of its masters.

    Stuxnet and Flame both escaped into the wider world and onto the Internet despite not being originally intended to infect anyone other than Iran, you could run the risk of infecting and disrupting allies or even your own infrastructure if the weapon escaped in such a manner.

    At least by dropping a laser guided bomb collateral damage is only limited to the blast radius and there is a high probability of destroying the intended target.

  13. Irongut

    "Jeff Moss said that he was more supportive of using malware in this way, since it provided military options without the need to endanger human life"

    That's a very naive point of view. How does he know Stuxnet would not endanger human life? What if AQ decide to crash a plane into a tall building again because of the US cyber attacks on Iran? What if Iran themselves decide to blow up large parts of Israel as retaliation for their part in the operation?

    The Yanks themselves consider cyber attacks to be an act of war. You have to expect their response to a similar attack on their nuclear facilities to involve a few million in cruise missiles, smart bombs, UAVs, etc.

    1. Robert Carnegie Silver badge

      A military option that doesn't endanger life was developed by somebody who was missing the point. Anyway, it's not as though the U.S. -doesn't- assassinate foreign scientists, industrialists, and economists, when it can.

      I assume anyway that the point will be made, if it wasn't already, that you can intentionally kill people electronically by causing their medical appliances, vehicles, and kitchen equipment to misbehave. Or leave a USB stick nearby coated with ricin. Or fly a remote-controlled bomb into their house. And you will do all of these things, if you are that sort of person.

  14. Anonymous Coward
    Anonymous Coward

    the first cyber attack? i don't think so...

    "Stuxnet was the first malware that was publicly acknowledged to have been designed to take down physical equipment – in this case, Siemens supervisory control and data acquisition (SCADA) systems."

    i definitely disagree on this aspect... witness the earlier infestations of fighter aircraft systems, printers and other ROM based equipment... perhaps this was the beginning of Stuxnet... perhaps it was not but the fact still remains that these targeted infestations were designed to eliminate military response and to further infiltrate and infest military targets...

    for those not aware or not remembering, this was also back in the GWB days at least... i'd have to dig into the archives for more info to be more accurate on the dates but suffice it to say that military aircraft computers were downed due to these infestations and additional military networks were also downed due to the printers infesting other machines in those military networks...

    is memory really that short??

    OK, maybe i can give a plus to the "publicly acknowledged" aspect but that's razor thin and doesn't hold any real water...

    anonymous coward for obvious reasons ;)

    1. Anonymous Coward
      Anonymous Coward

      Re: the first cyber attack? i don't think so...

      I've worked on the fringes of avionics and aerospace for over a decade and I've no recollection of anything resembling the incidents you describe. Pointers welcome.

      1. jake Silver badge

        @AC 07:02 (was: Re: the first cyber attack? i don't think so...)

        I've worked as a sysadmin/securityadmin in the friendly confines of Silly Con Valley for close to forty years, and trust me, we've always had outsiders trying to get into our systems. Still do, in fact.

        Want a pointer? Use a search engine.

        1. This post has been deleted by its author

        2. Anonymous Coward
          Anonymous Coward

          Re: @AC 07:02 (was: the first cyber attack? i don't think so...)

          Thanks jake, but the usual attacks on IT kit on office LANs are, as you rightly point out, a fact of life these days.

          What I was specifically referring to may not have been all that clear, perhaps, so here's the reference from AC 05:11 on the 28th: "witness the earlier infestations of fighter aircraft systems, printers and other ROM based equipment... military aircraft computers were downed due to these infestations and additional military networks were also downed due to the printers infesting other machines in those military networks...".

          Just like yourself I've also been in the business a long time (TI9900? Z8002?) and I'm aware of no such reported infestations in "ROM based equipment", or of flight systems being downed in the time since then, so I'd be quite interested to hear about them.

          If you know of specific examples of such infestations, pointers welcome.

          [reposted with better quote]

  15. Anonymous Coward
    Anonymous Coward

    Moral Crime eh?

    Many botnet herders could live with that, infecting millions of computers around the world to achieve their goal and all they are committing is a 'moral crime', the logic is everywhere.

  16. SJRulez
    WTF?

    A lot of countries aren't keen on the US space policy with their recent launches of 'stealth space ships', when those projects were infiltrated by supposedly 'state sponsored' acts it was a crime.... When the US are sponsoring attacks though it's OK
