NYTimes Reveals Details Of How US Created Stuxnet… And How A Programming Error Led To Its Escape
from the when's-the-movie-coming-out dept
With a lot of new attention being paid to the Flame malware that was datamining computers around the Middle East, there have been plenty of comparisons to Stuxnet, the famous bit of malware that was targeted at mucking up Iran’s nuclear power program. So it’s very interesting timing to see the NY Times reveal many of the details behind Stuxnet, including confirming that it was a program driven by the US, with a lot of help from the Israelis. Many, many, many people suspected that already, but it certainly appears that the NYTimes has numerous detailed sources that support this claim.
Perhaps even more interesting, however, is the fact that Stuxnet (which apparently originally infected Iranian nuclear plants via workers using USB keys when they shouldn’t) was never supposed to get out into the wild. It was supposed to just sit in the computers at the power plant, confusing the hell out of the Iranians. But, obviously, that didn’t happen. Having the malware get out into the wild probably killed off the effort much earlier than expected, since it basically explained to the Iranians what was happening.
It’s also noteworthy that a source in the article claims that Stuxnet was the first example of using a computer attack to destroy physical items (it made centrifuges work irregularly in ways that could cause them to break). Some have therefore used Stuxnet as “proof” of the cybersecurity threats out there and the misnamed “cyberwar.” I’m not sure that’s true. Stuxnet still appears to be a rather unique case in terms of a very, very specific target that had some significant vulnerabilities. We hear lots of worries about cybersecurity impacting physical infrastructure — and I’m sure that those who wish to do harm would love to bring down power grids and airplanes through some form of a cyber attack. But I’m not convinced that the success of Stuxnet is so easily replicable in other such areas. And I don’t see how that automatically justifies effectively tossing out all privacy protections.