In 2010, computer programmers around the world noticed a strange kind of cyber attack--although it had global reach, it was highly targeted and very sophisticated. A German team, led by Ralph Langner, figured out that the worm, now known as Stuxnet, specifically targeted certain operations related to the Natanz nuclear facility in Iran, causing the enrichment centrifuges to break down without any notice or apparent reason. As news of this new worm and its effects spread around the globe, the role of cyber attacks within the laws of war came into the forefront of discussions about the future of armed conflict. This article examines how Stuxnet changed the nature of cyber attacks and the ongoing discussion of where digital technology fits into the laws of war.
The Digital Mystery II. Stuxnet and Its Characteristics A. Getting Past Operating System Security B. Stuxnet's Target C. What Made Stuxnet Different III. Stuxnet as Cyberweapon I. THE DIGITAL MYSTERY
Ralph Langner is a jovial fellow with a quick wit, whose sense of whimsy is perhaps best illustrated by the fact that he wears cowboy boots. Wearing cowboy boots shouldn't be all that notable, until one realizes that Ralph is not from Texas, but Germany, and is not a cowboy, but a computer specialist. Langner is also incredibly inquisitive. It was this combination that led him to play a role in the discovery of one of the most notable weapons in history; and not just cyber history, but history overall.
Since 1988, Ralph and his team of security experts have been advising organizations on the safety of large-scale computer system installations. Their special focus was industrial control systems, such as the Supervisory Control and Data Acquisition system (SCADA), that monitor and run industrial processes. SCADA is used in everything from the management and operation of power plants to the manufacture of candy wrappers. (2)
In 2010, like many other industrial control and cybersecurity experts around the world, Ralph grew concerned about the cyber worm of unknown origin that was spreading across the world and embedding itself in these control systems. Thousands of computers in places like India and the United States had been infected. But the bulk of the infections (roughly 60 percent) were in Iran. This led many experts to infer that either Iran had particularly poor cyber defenses for its SC ADA-related programs, which made it more vulnerable, or a virus had initially targeted some site in Iran and, as one report put it, "subsequently failed in its primary purpose and run amok, spreading uncontrollably to unintended targets all over the world, and thus demonstrating how indiscriminate and destructive cyber weapons were likely to be." (3)
STUXNET AND ITS CHARACTERISTICS
Getting Past Operating System Security
Both turned out to be far from the case. Various teams of cyber experts from around the world began dissecting the code of this cyber worm, which became known as Stuxnet, and debates grew over its origin and targets. (4) Ralph and his team were curious, and the more they explored the code, the more interested they became in it. It was a wonderfully complex piece of malware like none the world had ever seen. It had at least four new "zero days" (previously unknown vulnerabilities), utilized digital signatures with the private keys of two certificates stolen from separate well-known companies, and worked on all Windows operating systems down to the decade-old Windows 95 edition. (5) The number of new zero days particularly stood out. Hackers prize zero days and do not like to reveal them when they don't have to. To use four at once was unprecedented and almost illogical given that one new open door is enough. It was a pretty good sign that Stuxnet's makers had enormous resources and wanted to be absolutely certain they would penetrate their target.
Stuxnet also slipped by the Windows' defenses using the equivalent of a stolen passport. To gain access to the kernel, or operating system's control system, Stuxnet had to install a component that could...