Learning lessons from Stuxnet before it's too late

The Stuxnet cyberattacks may have been directed at Iran, but its repercussions have been felt around the world. The implications of sophisticated and highly targeted attacks on critical government and civilian infrastructure are keeping security experts up at night.

If a Stuxnet type virus or worm attacked the United States, there would be a very different outcome from the attack on Iran, said Kevin Coleman, senior fellow at the Technolytics Institute and Defense Systems Digital Conflict blogger.

Speaking at the Defense Systems Summit on cyber defense in Arlington, Va., Sept. 7, Coleman said that Iran’s information technology infrastructure is government-owned while in the U.S. 85 percent of the infrastructure is privately owned.

Related coverage:

All the news from the Defense Systems Summit

Workforce critical to Army's cyber future

Because Iran's nuclear enrichment resources were concentrated, the government was able to focus on solving the problem, Coleman said. However, this concentration also made its centrifuges more vulnerable to attack. He noted that such a focused response is more difficult for the United States because there are not chains of command and responsibility between the private sector firms controlling critical infrastructure and the government organizations responsible for possible retaliation.

Threats against private sector firms and government organizations range from amateur hackers to advanced persistent threats, said Don Gray, chief security strategist with the Solutionary Engineering and Research Team. Most concerning are “the guys in the middle” of this range, what he referred to as “advanced persistent adversaries.” Such adversaries will pick out an organization for an attack and devote resources to breaching its defenses.

Gray noted that commercial firms, compared to government organizations, don’t have a very good record of defending their networks. Private firms are collecting large amounts of data into data storage systems for data mining purposes. Such concentrations of information present tempting targets for attacks. “The problem they have to solve has grown so greatly over the past 10 years that I don’t think they can keep up with it,” he said.

Another area of concern is the move to cloud-computing services in the federal government. Gray noted that cloud services present challenges and potential advantages. Although cloud-based systems represent an opportunity to reduce operating costs and improve security, they also depend on industry developing new standards and controls for cloud computing.

Cyber warfare, like conventional warfare, has its own objectives, said James Howe, vice president for threats, technology and future requirements with Vision Centric. He noted that cyber warfare must be integrated into conventional warfare. However, it is entirely possible to wage a cyber war campaign completely independent of direct military action, he said.

Cyberspace capabilities are also causing a diffusion of power. Small nations, such as Israel, are now aspiring to be global superpowers through cyber warfare. Both the diffusion of potential adversaries and their capabilities are cause for concern, Howe warned.

He noted that cyber weapons, such as Stuxnet, can be tailored for specific attacks, making it possible for nations to develop a variety of cyber weapons for different types of effects to match specific strategies and objectives.

As an example of a potential target for a critical infrastructure attack, Howe noted that there are 10,000 power plants in the United States, but only 500 of those plants provide 85 percent of the nation’s power.