Was Stuxnet an inside job?

While Stuxnet has been painted as an unprecedented takedown of one government’s facilities by another, the truth is that very little information is known about the worm that rose to prominence with reports that it set back Iranian nuclear enrichment two years. There is even statistical evidence to suggest that, rather than a highly secretive joint-operation between the United States and Israel, Stuxnet might even have been an insider threat.

Forget everything you know about Stuxnet, the Iranian nuclear program and the dawn of a new age of cyber missiles. Forget these things because they’re largely unknowns. They are speculation and distraction from the more important lessons the security, defense and electrical industries should be learning.

For example, as security researcher Davi Ottenheimer told an audience recently, there’s statistical evidence to indicate the attack was more likely an inside threat than an external one. In other words, not the first salvo of Israel’s and/or the United States’ cyberwar against Iran so much as a play by an Iranian politico vying for power.

This is based on a rising tide of intrastate violence, even as interstate violence is being reduced. In an authoritarian regime such as Iran’s, assassinations and violence aren’t uncommon campaign tactics when it comes to securing a promotion.

To be clear, Ottenheimer is not saying Stuxnet was or wasn’t an inside job, but outlining a fundamental point overlooked in the popular and even most of the trade press: In the 21st century, attribution to state actors has become an increasingly tricky job, even in the physical world.

“We always say it’s China, or Russia, or the Reds, and that compromises our ability to analyze threats,” he told me. ”What I tend to find in the data is that we’re finding attribution harder and harder, and so we should give pause before we make attribution, at least before we say it’s got to be this guy or that guy.”

And while turning Stuxnet and other high profile attacks into a made-for-Tom Clancy-and-Harrison Ford drama does a great job at raising awareness, it often hurts the greater cause of securing basic infrastructure.

“I’m very sympathetic into scaring people into action, because I’m a security consultant,” Ottenheimer told me, before diving into all the reasons that, in Stuxnet’s case, marketing through fear could easily backfire.

• It’s old news. In 1998, security researcher Mudge declared before a U.S. Senate Committee, under oath, that he could disable the United States’ access to the Internet in 30 minutes. Even more pertinent, and worrying, were leaked videos prepared by the Department of Homeland Security showing how a cyber attack could cripple physical infrastructure, breaking turbines and disrupting electricity access. This was in 2007.
• It actually minimizes the perceived risk. You’d think that highlighting these dangers would increase not only awareness but also spending. But just look at how much movies like Armageddon have shaped the United States’ meteorite defense priorities. The problem, Ottenheimer told me, is that by turning cybersecurity into spy-on-spy dramas, you tip the bean counter’s equations the wrong way. “If we’re scaring people with ‘This is an online missile, they might take a look at it and say the likelihood is too rare for us to worry about,” he said. “So you have to scare them by saying this is going to happen all the time, this is really severe.” And at the end of the day, what happened to Bushehr and other reactors might not even have been that severe.
• It’s a bad example of what could happen. While the majority of the press has latched onto the narrative that Iran’s program has been set back years, Ottenheimer said that the truth is likely much less dramatic, and much less devastating than similar attacks could be. “The best sources are people who have been watching for a very long time, and they have said that, the program hasn’t been really set back,” he said (Read his blog post on this). But the experts being interviewed on the subject were generally very good at understanding security in most settings, but out of their league when it comes to understanding the technology and context of the industrial control systems that were being deployed in these plants, making the attacks sound groundbreaking when in fact (as previously mentioned) the methods were largely well-known.

The commonality is that people are looking for the next thing rather than jumping on the cloud-wagon.  The community voted on the presentations they wanted to see and that’s how the schedule was created.