Think back to the 2007 “Live Free or Die Hard.” The movie is about a National Security Agency analyst who brings the United States government to its knees by having a “fire sale,” a three–stage attack which takes down telecommunications, financial and utilities infrastructure systems. At the end of the movie, the threat is neutralized, and the country safe again.
Fast forward to June 2009. Early traces of a new and formidable computer worm, nicknamed “Stuxnet” appears. The National Institute of Standards and Technology defines a computer worm as a malicious self-replicating program that uses computer networks to spread itself.
Computer worms have been around since 1988, when Cornell University graduate student Robert Morris accidentally disrupted 10 percent of traffic on the Internet at the time. The program that Morris designed was supposed to measure the size of the Internet, but instead caused many computers to disconnect from the Internet.
Stuxnet, which security researchers at Symantec estimate has been around since November 2008, has now become one of the hot topics of technology next to the recent legislative proposals for making Internet wiretaps easier, and for good reason.
Although the source and true purpose of Stuxnet remains unknown, it has caught the attention of governments and computer security professionals worldwide.
What makes the worm so special is that it is able to exploit the software used for controlling industrial machinery such as oil pipelines. The network of computers that control these machines are not directly connected to the Internet, therefore, the worm propagated through the system via a USB device.
As of Sept. 29, the worm has infected over 60,000 computers worldwide, more than half of which are located in Iran.
Many of the infected computers in Iran are at a nuclear power plant in Bushehr. Scheduled to launch sometime this month, the plant’s opening has been delayed by at least four months. So far, the Iranian government has made no official announcements attributing this delay to the Stuxnet worm’s presence in their systems.
At a presentation by Symantec, researcher Liam O Murchu demonstrated the potential outcomes of the Stuxnet virus. Using similar hardware operated in industrial machinery and targeted by Stuxnet, he showed a balloon being filled with too much air, causing it to explode. Now, imagine if that were a gas line.
According to Ralph Langer, a German cyber-security researcher who has analyzed the worm, Stuxnet is “essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance.”
The executive director of the European Network and Information Security Agency claims that Stuxnet is a “paradigm shift” in cyber-security. The worm itself is the first cyber weapon of its kind.
To help bolster its defenses against such threats, the Senate Committee on Homeland Security and Governmental Affairs has approved a new bill that if passed would grant the president the ability to temporarily shut down certain parts of private or government networks to prevent serious damage in the event of a cyber attack.
The bill itself is called Protecting Cyberspace as a National Asset Act. Unfortunately, there has been a lot of misconceptions about this bill. Many of the headlines contain the term ‘Internet kill-switch.’ However, this is a serious mistake. One cannot “turn off” the Internet. The Internet is comprised of many different networks across the world. The only things that the president would be able to do through this act is cut off Internet access from the United States to foreign nations and restrict or disable services within the nation.
In other words, it would make America a virtual island separated from the rest of the world. As seen in the attacks on the nuclear power plant in Iran, however, isolation doesn’t necessarily ensure security. Something as simple as a USB stick could infiltrate the government’s defense systems. The bill is unable to account for and cope with new cyber weapons such as Stuxnet.
If emergency powers were exercised, there are still ways of connecting to the Internet other than through domestic Internet service providers such as Comcast. Some of these methods include using Internet service providers in Canada or satellite phones. Also, the bill assumes that the results of cutting off the United States’ Internet are predictable, when in reality there could be unforeseeable consequences of doing so.
With the United States lagging behind other countries such as China in cyber security, redesigning a system that can be used to shutdown government networks with the possibility of these systems being exploited is too big of a risk.
Previously, the U.S. government has had control over handling domain names through the Internet Assigned Numbers Authority. But this year, the government is relinquishing some of its control to the United Nations as part of a slow transition of power.
For now, China is the only nation that would have a network infrastructure and government capable of cutting themselves off from the rest of the world; there is no word on whether other nations are thinking about adopting similar policies.
