Thursday, March 3, 2011 - 10:58 AM

"Cyber security has become Washington's new growth industry," two of my CNAS colleagues, Kristin Lord and Travis Sharp, commented the other day. They warn especially against billion dollar solutions to million dollar problems. They're right. Everyone's hyperventilating about cyber-this and cyber-that, so we dispatched one of our cyber-reporters, Zach Keck (real name) across the real river to see what up.
By Zach Keck, Best Defense cyberwar bureau
The Stuxnet virus isn't as big a deal as people think and only worked because the Iranians weren't practicing safe computing, Martin Libicki of the Rand Corporation said at his packed briefing on "Cyber-security and Cyber-deterrence," in Pentagon City the other night.
Dr. Libicki began the night by noting that his definition of cyber-warfare only considers conflict between states. More specifically, he defined cyberwar as one state using information to attack another state's information by attacking the other's information system. This definition excludes many closely related concepts such as cyber-espionage, electronic warfare, or even attacking prominent public websites. Still, this somewhat limited definition proved robust enough to facilitate some interesting discussion, particularly with regard to Stuxnet and to the purposes cyber-warfare best lends itself to.
The presentation challenged the conventional wisdom on the significance of Stuxnet. To begin with, the virus was only effective because the Iranian regime disregarded some commonsense safeguards that would have immediately alerted it that its systems had been corrupted. Moreover, another crucial aspect of Stuxnet's success was Iranian inexperience with spinning centrifuges: any mature nuclear state, even one that also disregarded these simple safeguards, would have been able to quickly recognize that the system was not running properly.
Libicki used Stuxnet to illustrate an important insight into the nature of cyberwar in general. In direct contrast to Bill Hunteman, senior advisor for cyber-security in the Department of Energy, who has predicted that Stuxnet will set off a chain of copycats, Dr. Libicki argued that we were unlikely to see a sequel to Stuxnet. A cyber attack exploits a hole in a program which, consequently, brings the glitch to the attention of the victim government and others monitoring the situation, who will then patch it up, rendering that particular cyber capability useless.
This point had interesting implications when the subject turned to the ends that cyber attacks are best suited to. Specifically, he argued that cyber attacks were unlikely to be effective for coercive purposes. Libicki noted that attacking a country simultaneously produces anger, at being attacked in the first place, and fear of being attacked again. Since a second cyber-attack will not be nearly as effective as the first one, however, a country's anger will likely overpower its fear, making the victim country prone to retaliate.
Nonetheless, cyber-war tactics may be useful when integrated with other military capabilities. The example Libicki used to demonstrate this point to the audience was a scenario in which China, while still much weaker militarily than the United States, decided to take Taiwan by force. In such a scenario, China could launch a cyber attack on the U.S. Navy's 7th Fleet which, if successful, could render the fleet incapable of responding for up to 48 hours. By that point, however, China might already control the island, and the United States would have to consider acquiescing to this reality. While I tend to doubt the likelihood of the United States doing this, it could be a powerful argument for hardliners in China to use in convincing their country to take action against Taiwan. In this sense at least, cyber-warfare capabilities may increase the probability of war by miscalculation.
The briefing stood on less solid ground when it turned to the topic of cyber-deterrence. After noting the important, if somewhat apparent, problems of recognizing that a system had been infiltrated and of attributing the source of the attack, the briefing discussed whether the victim country would want to respond to the attack at all, and even whether the government would want to make it publicly known that it had been attacked. It wasn't clear to me, however, whether these points were made to convey the sense that deterrence, at least as the concept is commonly used with regard to nuclear weapons, wouldn't work in cyberspace because countries wouldn't fear retaliation; or, alternatively, whether the briefing was using deterrence in the sense of responding in ways that will deter future attacks.
This point got murkier when the first questioner during Q&A reasonably asked: "Why would the victim of a cyber attack have to respond in kind?" Dr. Libicki at first fumbled around with this question, discussing the uses of sanctions and of armed force, before finally acknowledging that the state could respond in whichever manner it chose. "This becomes a strategic question," Libicki noted, before moving on to the next question.
To me, this point is worth dwelling on, as it potentially has significant strategic importance for U.S. cyber-strategy moving forward. For instance, it suggests that even though the United States will probably develop the capabilities to institute a "Flexible Response" strategy in the mold of JFK, it would be prudent to follow the precedent of President Eisenhower's "New Look" by reserving to itself the right to respond asymmetrically to cyber attacks. Although we may rely more heavily on the internet and related infrastructure than some of our potential adversaries, such as Venezuela or Iran, we also maintain a military that can destroy the very things that these regimes hold dear. This would seem to be the best way to establish an effective cyber-deterrent, at least against weak non-nuclear states. On the other hand, because of the inherent plausible deniability of cyber attacks, limited uses of them may come to be an important aspect of conflict between nuclear-armed adversaries, much as the use of terrorism and proxies was during the Cold War, and continues to be in the Indo-Pakistani conflict.
"This point got murkier when the first person during Q&A reasonably asked: 'why would the victim of a cyber attack have to respond in kind?' Dr. Libicki at first fumbled around with this question, by discussing the uses of sanctions and that of armed force, before finally acknowledging that the state could respond in whichever manner it chose. 'This becomes a strategic question' Libicki noted, before moving on to the new question."
I think the answer should have been, if you consider cyberwar to be an engagement between two nations (or proxies), then the wisdom of "Arms and Influence" still applies. That is to say, there needs to be an expectation of what you are trying to influence through a retaliatory action - that there shouldn't be an over-reaction to any adversarial attack by an opponent. Therefore, you don't send an EMP attack against a city where the enemy had a covert cyber-warfare cell just because they hacked into the Pentagon's unclassified web sites.
The challenge is that people think old defense policy no longer applies to electronic warfare. The truth is, the more things change, the more they remain the same. It's still all about power politics.
JASON SIGGER makes a very relevant point about proportionality in retaliation to a cyber attack. If we are the targets of a bio attack with high loss of life it may require one type of response or if it is a cyber attack with no loss of life but is very disruptive then another.
One of the key problems is of course accuracy in assigning responsibility for initiating an attack. Our first impulse is of course to eye with suspicion the names on our most wanted list (Iran, North Korea, Venezuela, China, etc.,) but a cyber attack could just as easily emanate from a non-state actor residing in an allied country. All it takes is some smart guys with a little money.
The Bush administration didn’t seem to care very much about accuracy in intelligence since they had other things on their minds but I suspect after the past ten years future administrations will be more sensitive to getting the facts (what facts there are) straight before committing us to a course of action.
Suspicions of Accuracy In Intell
I think you might be a bit off base, good buddy. The Bush Administration participants, regardless of the memoirs' spin, had the intel wired. They chose what to believe and what to promote, all in line with the predetermination to invade Iraq. As much as I and others complain about these people, I will never say they aren't smart.
GSF, you said what I meant to say. For Bush & Co., intelligence was converted into propaganda to serve their will. They knew what they wanted to do and they were going to do it irrespective of 'accurate intelligence' or even common sense. Essentially we spent $50 billion bucks a year on the CIA to basically have them act as the Bush administration's Madison Ave. in marketing their wars. Pretty disgusting.
Libicki's analysis is full of basic errors
Dr. Libicki is sadly mistaken about a great many things in relation to Stuxnet. First, he says (as paraphrased in the article above; I have downloaded the presentation and the notes from the session to confirm that the article is an accurate portrayal of Libicki's views):
"To begin with, the virus was only effective because the Iranian regime disregarded some commonsense safeguards that would have immediately alerted them that their systems had been corrupted. "
This is completely incorrect. Stuxnet was able to infect sites that followed the best-practice security approach recommended by Siemens for installations using its hardware/software combination. This includes being fully patched with all the latest Microsoft patches, having appropriate firewalls in place, etc. Some folks with a real background in control systems explain this in great detail here:
http://www.controlglobal.com/11WPpdf/110228_Tofino_Stuxnet.pdf
Then, Libicki argues that there will be no copycats because the holes that Stuxnet exploited will be patched. The problem with that attitude is that, on the Windows side, there will be new holes to exploit, especially for institutions who have access to the Windows source code as the perpetrators of Stuxnet almost certainly did (and do). On the PLC side, Stuxnet introduced a whole new type of attack that no one had ever actually accomplished before. Much of what they did was simply take advantage of features of the system that can't be plugged.
I could go on, but what's the point. Libicki is hopelessly confused about the nature of conflict in a networked world. Because he doesn't understand what is possible in the "cyberdomain", his analysis is useless. He thinks that computers can't directly affect the real world, despite the fact that Stuxnet did, destroying about 1,000 Iranian centrifuges more effectively than an airstrike would have.
What is he a doctor of anyway? Fine Arts? Sure as hell isn't information technology.
Dr. Libicki received his Ph.D. from the University of California (U.C.) at Berkeley (1978), writing on industrial economics.
meet the new boss -- same as the old boss...
I'm not sure your author or the Rand dude understands much about warfare -- regular or cyber. There are some very silly and basic assertions that sound intelligent, but after a moment's thought are really... not.
"Stuxnet only worked because the Iranians were ill-prepared and lacked expertise in centrifuges" ---- mmmmm, well, most attacks in the history of warfare have worked when you attack an enemy's vulnerability or in a manner that he is ill prepared to handle. Cyber is no different.
"Stuxnet will be followed by copycats according to Hunteman, but Libicki thinks you can't do the same thing because gov'ts will be aware of the glitch."
First - Hunteman said this was the beginning -- not the end and I took this to mean that the unique and successful aspects of Stuxnet will be repeated in a variety of new attacks: in terms of zero days, its ability to do no harm on a wide range of systems and its focused ability to affect a key operating system of a hostile regime...Hunteman isn't saying that all code of the future will be Stuxnet -- he is saying the capabilities and effects of Stuxnet will be repeated in new code going forward -- it is the beginning of what is possible.
Second - Gov't is never that smart to never be attacked the same way twice -- it is full of humans -- humans make mistakes....Despite years of warnings - USG and corporations still have employees who open unsafe email attachments and infect their systems....
The complacency of people like Libicki never ceases to amaze, does it? I have a very old Rand Corp paper from 1990 which warns about the very real dangers of cyberwar, back before trojans and worms even existed.
The fact that Rand in 2011 can blow it off like it's nothing is astounding. Never mind the reporter here, who clearly hasn't a clue, both Libicki and Rand Corp are just awe-inspiring in their stupidity, because they really ought to know better. The phrase "educated Idiots" springs to mind.
Given the inherently non-physical nature of a cyber-attack I'd suggest we remain very cold to the idea of a kinetic response unless the attack had led to actual deaths. It would simply be incredibly difficult to justify to the public, not to mention the international community.
Following that is the problem of actually proving it was done on the order of a certain government. It's one thing to point out that most of the computers involved in an attack are located in China, it's quite another to be able to prove that Chinese leaders gave their approval. Without that kind of proof it might be best to stay to tit-for-tat responses (especially as most of our potential enemies are getting more connected to the internet).
It's all in how it is applied and by whom
Perhaps one can argue that Stuxnet was not a "big deal". This misses the point. As bombers in WW II, the D3A and Ju 87 were technically perhaps no big deal either, but both were quite effectively applied (Pearl Harbor 1941 and Blitzkrieg 1939 respectively) against their chosen targets. In the digital world weaknesses will always be there for those who look to find and exploit. Those who were behind Stuxnet have learned valuable lessons which will be applied to the next "model year" of cyber weapon.
Stuxnet is indeed a very real threat and very gifted hackers are working on new developments of it.
The best hackers I know speak of it in hushed tones and many are even afraid to write the word "Stuxnet" in electronic media for fear that someone is tracking them in discussions of this extremely dangerous tool.
You can be sure that whatever the "best practices" are that Dr Libicki imagines would have protected US and other nations from such attacks, they will not count against the next generation of Stux. Only a very active cyberdefence strategy will do so.
Complacency like this is the very worst attitude in regard to defence of vital infrastructures that can exist. Vigilance, active and updated by the week, is the only sure strategy for safety.