Stuxnet, Flame and the future of cyber-warfare

Here’s my latest BBC Future column – cross-posted here for the benefit of UK readers – exploring recent events in the increasingly alarming realm of cyber-espionage.

It’s rare to hear someone admit to failure. Even rarer to admit that their company and the entire industry it represents is guilty of a “spectacular failure”. But that is just what Mikko Hypponen, “cyber-security Jedi” and chief research officer at anti-virus firm F-Secure, did recently.

In a candid article for Wired published at the start of June, he admitted that the antivirus industry had been caught with its trousers down by what has been described by some as the most complex piece of malicious software ever created.

Known as Flame, the software is an example of a “spyware” infection, designed surreptitiously to record and transmit a record of actions taking place on a compromised system – from video and audio to the individual strokes of a keyboard – as well as offering access to sensitive and supposedly private information.

More striking than these capabilities, however, are two crucial factors: the sophistication of Flame’s targeting, and its ability to evade detection. Flame’s targets were almost certainly a handful of computers operating sensitive aspects of nuclear programs in the Middle East. And, as soon became apparent after its discovery, it had been spreading across the world towards these machines for over two years, undetected.  Until its purpose was due to be served, one of the most important pieces of malicious code in existence had to all intents and purposes been invisible.

All of which marks out Flame as a tool not of mere criminality, but of cyber-espionage: one developed by a state-sponsored intelligence program with the intent of gathering technical information of the most sensitive kind. Hence Hyponnen’s remarkably frank assessment: “We really should have been able to do better. But we didn’t. We were out of our league, in our own game.”

Cyber-crime used to feel, if not like a game with rules, then at least like an arena of knowable motivations. Thanks to the internet, every petty criminal in the world suddenly had access to your front garden (metaphorically speaking) and would muster as much cunning as possible to break into your house – or at least your bank account.

Just a day after Iran had announced the discovery of Flame, I was speaking at the Thinking Digital conference in northeast England, where I listened to Hypponen outline one of the more ingenious of such scams. Once infected by the malware in question, your computer produces an official-looking message on startup claiming to be from the FBI.

It has been detected, the message says, that your hard drive contains a treasure trove of illicit materials, incriminating you in everything from terrorism to child pornography. Your entire system has been frozen, leaving you only two options: either click here to take the claim to “court” (a bogus dead end); or pay an instant fine to unlock your system. Some users, Hypponen went on to explain, actually paid the fine even though they knew it was a scam – because they couldn’t face the potential humiliation and suspicion of explaining what was going on.

Such attacks can be destructive, disturbing and costly. Yet it is, at least, clear what’s going on once you see behind the deceiving veil: what the scammers want (money); how they aim to get it; and what your recourses may be (download a fix; contact the police or civilian digital security experts). Even when it effectively entails taking your computer hostage, financial gain remains a comprehensible motive.

What, though, is to be done when the actors involved are states themselves; or digital aggressors acting with the resources of a state behind them? Shrouded by plausible deniability on all sides, it’s increasingly clear that a kind of silent war is beginning online: one whose battles even the experts may only recognize after they’ve been fought, and whose potential targets encompass almost every system or service plugged into a computer.

Take Stuxnet, another complex piece of code thought to have targeted Iran’s nuclear facilities. Only today, a full two years after its discovery, are we beginning to get to the bottom of who launched the attack. And, as Hypponen warns, “it’s highly likely there are other similar attacks already underway that we haven’t detected yet.”

If this sounds alarmist, well, that’s because it is. If your nuclear research programme is under covert digital attack, the police aren’t likely to be of much use – but it’s far from clear at the moment who else might do a better job. Hence the current global recruitment drive among military contractors for technology experts; and hence an online arms race that has seen Tehran alone spend a reported billion dollars on its offensive and defensive digital capabilities in recent months.

Eugen Kaspersky, the man who owns the lab that first identified Flame, has called on nations to stop releasing these weapons “before it’s too late”. The tools of cyber-espionage, he points out, are not like conventional weapons. Once released, they are free to spread beyond their original purpose or target. And when that happens, they can be analysed, tweaked, built upon and relaunched. They are “cyber boomerangs” that can come straight back at a nation with potentially devastating consequences.

Even assuming Kaspersky’s warning is heeded, however, “too late” remains an alarmingly elusive notion in the context of espionage. In Donald Rumsfeld’s immortal words, we live in an age of “unknown unknowns”: of ignorances that we don’t even know we’re ignorant of. We have no idea what threats may arise next in the digital realm – not least because, somewhere, they may already have beaten us in a battle we didn’t even know we were fighting.