Cyber Security and Emerging Threats Enko Koceku

Finding Pandora: Open Source Warfare

On June 2011, NATO announced its Policy on Cyber Defense. In the brief the organization stated that its primary stance on cybersecurity would be defensive and would focus on “the protection of NATO networks and on cyber defence requirements related to national networks that NATO relies upon to carry out its core tasks: collective defence and crisis management.” In the same document NATO promised “coordinated assistance if an Ally or Allies are victims of cyber attack [sic].” The concept of collective defence is difficult to implement in cyberspace. However, one must understand that a state’s cyberwarfare attack is not exactly the type of spam your grandfather finds in his email. To paraphrase former Deputy SACEUR Rupert Smith, any war waged at an industrial scale will have industrial consequences.

As an example, on June 2010, a computer worm of unprecedented sophistication that had spread throughout various computers in Iran was discovered. Stuxnet, as it was later named, was not the first instance malware was designed to specifically target industrial systems, but it the was first worm to have the ability to both spy and reprogram, said systems. Unlike most malware, Stuxnet does little harm to your average computer or network. In fact, the worm contains safeguards that prevent an infected computer from spreading the worm to more than three other targets, and to erase itself on June 24th 2012. Stuxnet only activates its primary functions when it detects the existence of a Siemens industrial software and equipment, specifically industrial control systems that are used to monitor and control industrial processes that exist in the physical world. In particular, the Siemens software used on the factory floor of the Natanz nuclear enrichment facility in Iran. On November 29, 2010, President Majmoud Ahmadinejad publicly confirmed what many knew, that a computer virus of some sort had done physical damage to the centrifuges in the Natanz nuclear facility.

Despite a lack of official confirmation, it is generally believed that Stuxnet was co-developed by Israel and the United States to specifically target centrifuges in Iranian nuclear facilities. Experts believe that the sheer complexity of the worm overrules the possibility of its having been developed by a small non-state party. In an interview on 60 Minutes on March 2012, retired USAF general Michael Hayden, who served as director of both the CIA and NSA, stated that despite its benefits, Stuxnet had legitimized the use of cyberattacks designed to do physical damage. While the worm has set a new standard in the use of cyberweapons, and through its application has created many more problems for both military organizations and lawmakers, the most salient consequence was largely unintended. Stuxnet can now be downloaded online, modified, and used to target new systems. The most sophisticated computer worm ever designed is now the building block for open source warfare. Speaking about the Stuxnet creators, former cybersecurity official at the Department of Homeland Security Sean McGurk, stated that “They opened the box. It’s not something that can be put back.” One can find various videos on YouTube of private individuals unraveling the Stuxnet code.

NATO’s defence planning towards the issue is still at a nascent stage but the alliance has identified the most difficult aspects of the cyber defence, namely determining the origin of an attack, and ensuring that the attack was intended and not an error arising from increasingly complex communication systems. The pace at which the organization is planning its defences presents an issue however.

Two years ago when Stuxnet was first discovered, it was widely considered to be the most complex piece of malware ever designed. Its successor is 40 times larger. Now referred to as “Flame”, the worm was discovered in May 2012. Flame shares a strong relationship with Stuxnet and exploits the same network vulnerabilities as its predecessor. Flame was only designed to spy on its targets, which include Iran, Syria, Sudan, Lebanon, Saudi Arabia, Egypt, and the Israeli Occupied Territories. Notably, the worm was also designed with a remote “kill” command that wipes away any trace of the malware from the computer. After the public announcement of its exposure, the command was sent.

Currently, the rate of increasing complexity for virus development outpaces any planned defences NATO had in mind. It is understandable given the open-source nature of virus development in comparison to the more traditional paradigm of cyber defence.  The Alliance made it clear that it would support its allies in the event of an attack. However, the details are still unclear. There is a definite increase in the complexity of these attacks as well as the development of physical damage through cyberwarfare as a viable tactic. NATO might be inclined to consider invoking Article 5 as a way of deterring said attacks. However, even such a strong stance might ultimately be ineffective. If the majority of cyberattacks are coming from non-state actors, who do you threaten?

Enko Koceku
Enko Koceku is currently completing his final undergraduate year at the University of Toronto. He is pursuing an Honours degree in Political Science with a minor in English. As an extension of his academic interests, he is a Co-Director of Compliance Studies at the G8 Research Group and is currently the Non-Resident Head of Student Affairs at Trinity College, Toronto.