Stuxnet is the world’s problem

The highly sophisticated Stuxnet computer worm suspected of sending Iran’s nuclear centrifuges into self-destruction mode forces a difficult debate on whether longstanding firewalls in our country’s democracy should be breached for the sake of national security.

Stuxnet is a malicious, complicated program, which has been detected on computers in Iran, India, Indonesia, and other countries. It allows an outside force to take control of a certain industrial computer system made by Siemens and “sabotages normal operations by speeding up industrial control processes,” according to Eric Chien, a researcher at the Symantec computer security company. Stuxnet’s embrace and destruction of computer codes can suddenly cause centrifuges to blow apart. That effect, as recently detected on computers in Iran’s Natanz nuclear facility and Bushehr nuclear power plant, has terrifying implications for any country, including the US, whose gas pipelines, chemical plants, and nuclear centrifuges, among other important computerized platforms, depend on similar equipment.

Though Stuxnet may have been targeted to disrupt Iran’s nuclear program, the fact that worms like Stuxnet now exist raises the specter of still other worms that could evolve and interfere with electrical grids, causing loss of power to millions; or interrupt transmissions from the Global Positioning System (GPS), affecting motorists, emergency responders, and the military’s guidance of precision weapons; or foil electronic fund transfers, causing a banking meltdown.

Who is responsible for Stuxnet? We don’t know. However, the amount of time, money, and brainpower required to create such a sophisticated worm likely make it the work of a nation or other well-funded organization, not some whiz kid hacker. As such, Stuxnet and its theoretical “bad-seed cyber-cousins” become an ominous shadow looming over all countries.

The United States has long predicted that a Stuxnet would occur; what the nation has not foreseen is how to mount a defense. In October, the National Security Agency (NSA) and the Department of Homeland Security (DHS) signed an agreement to work together on cybersecurity — the NSA representing military interests and DHS representing those in the private sector. In America’s democracy, the military does not interfere with private-sector business and the private sector is not required to reveal information on its computer systems to the government. But lawfully protected boundaries between the public and private sectors place the US at a huge disadvantage to defeat a worm that can easily transcend boundaries.

America’s vulnerability stems in part from widespread use of commercial software for military purposes. That dependence enables potential adversaries to buy the same software, study it, and practice attacks that could be fatal in both private commerce and public defense. Our military, other government agencies, and private-sector firms each has its own hierarchy of experts and authority over  its own computer system secrets, guarded to protect profits in the private sector, and security and privacy in public sectors. But a problem with a Stuxnet-like worm in one sector can become a problem for all sectors.

Even isolating a system from the Internet, so-called “air gapping,” does not make a system invulnerable since a worm could surreptitiously be planted on an employee’s computer when connected to the Internet or when the worm is inadvertently inserted on a thumb drive.

What to do?

The most capable resource the United States has to mount a defense is the National Security Agency (NSA), which, unlike the nascent US Cyber Command, has been engaged in cyber efforts and cryptanalysis for decades. The NSA has the personnel, resources, and access to information to build a robust defense against complicated worms. However, employing that capable asset requires sorting out boundary issues among internal government agencies, such as the Defense Department (including the US Cyber Command), the CIA, and the FBI.

A knottier problem is the fence between public and private entities. This is not just a matter of giving industry cyber-protectors a seat at the table. It is a matter of deciding what the National Security Agency should be allowed to do to defend Americans. For example, should it have access to private industry’s computer systems? Government intrusion into private affairs, even for reasons of the common defense, evokes an emotional response, sometimes a violent one.

A first step requires an honest, public debate of the sort that public officials understandably try to avoid. The debate calls into question the very firewalls between public and private sectors that are intrinsic to democracy. Yet Americans can no longer afford to avoid the debate. Stuxnet exists; other worms may not be far behind.