The new documentary about Stuxnet, "Zero Days," begins with the real-world murder of nuclear scientists. This is a smart way to start a movie about cyberwar because skeptics often fail to see the connection between digital and traditional operations. In fact, nation-states have always understood that cyberattacks are merely one type of weapon in a very large military and intelligence arsenal.
At the strategic level, it is only logical that the world’s most advanced malicious code was written to address one of the White House’s most pressing concerns: how to prevent Iran from joining the most exclusive club in the world — the nuclear club.
The George W. Bush (and later the Obama) administration had another dilemma on its hands: how to avoid invading a third Muslim country. The answer was to employ a new, high-speed, long-range and low-signature weapon, aka malware.
President Bush had seen the combined arms power of computer network operations during his 2007 "surge" in Iraq, but the deal clincher may have come when White House aides tossed the shards of a demolished centrifuge onto the Situation Room table and explained that malware alone could now destroy critical infrastructure.
The technical wonders of Stuxnet are well-known, so I will just mention some of those highlighted in "Zero Days." First, the primary attack vector was likely via Iranian IT contractors, who worked outside the nuclear establishment but were assumed to have access to it. Second, breaching an air-gapped network seems to have a shocking ramification: The lack of a traditional command-and-control (C2) channel means that the attacker should lose control of a now-autonomous weapon. Third, as with the Christmas 2015 electricity grid attack in Ukraine, the emergency mechanisms were also compromised, so even when system administrators became aware of the attack, there was no immediate digital solution. Fourth, Symantec researchers stated that the virtually bug-free Stuxnet code was something they had not seen before or since, which means either that this was an extremely rare event or an extremely rare lapse in tradecraft.
On the side of cyber defense, one emerging dynamic that must worry intelligence agencies is the international, crowd-sourced nature of technical analysis. Because data packets do not wear uniforms, computer network operations are more like covert action than traditional military operations — they are supposed to remain secret.
However, from the Cuckoo's Egg to Stuxnet to the DNC hack, all cyberattacks share this mysterious quality: If they rise above a certain threshold of pain, curious scientists in disparate and previously disconnected laboratories will sacrifice a certain amount of sleep in order to find even one piece in a very large puzzle. And, as seen in "Zero Days," even a three-letter agency like the NSA (National Security Agency) appears to want to offer some juicy details, including the assertion that it was Israel, and not Fort Meade, who blew the operation.
The national security implications of Stuxnet are as controversial as ever. The technical nature of the topic, the "attribution problem" and over-classification give government hackers the space to do whatever they can get away with. But the laws of war dictate that militaries must operate within certain predefined parameters.
As a technical expert to the Tallinn Manual process, I believe that our understanding of a national security threat must evolve with technology. This is happening, but slowly. For example, no one is quite sure where the line is between cyber espionage and cyberattack. Once a hacker is in position to read an adversary's traffic, he or she can also manipulate it. Hence, the colocation of NSA and Cyber Command; the former has the technical capability to hack networks, while the latter has the authority to manipulate data.
We have already seen hints of self-imposed restrictions: Instead of compromising as many machines as possible, Stuxnet wanted to hack as few as possible. Further, one of the "kill dates" found in the code, Jan. 11, 2009, was just a week before the presidential inauguration of Barack Obama. Apparently, a legal team had decided that a presidential reauthorization of the operation was necessary.
"Zero Days" asks all of us to think harder about national security in the digital age, specifically from the standpoint of arms control and international norms. In the film, an alleged secret government source claims that Stuxnet was only a small part of "Nitro Zeus," a larger operation that could theoretically knock Iran right out of cyberspace. The right question to ask, then, is whether Iran (or more likely, Russia or China) could do the same to the U.S., and whether crossing the digital Rubicon with Stuxnet was worth it.
It is widely believed that Iran sent a message to the West in retaliatory cyberattacks on Saudi Aramco and Wall Street, thereby signaling that the U.S. does not have a monopoly on cyber weapons.
The U.S. has more strategic depth in cyberspace than all of the world's dictators combined, but we still have a lot to lose. Our economies and democracies depend on critical infrastructure, which, in turn, depends on the proper functioning of the internet. This is why, for example, the Department of Homeland Security spent significant resources to protect the U.S. from ... guess what? Stuxnet.
And relative to international norms, a legitimate fear is that this operation set a bad precedent: The U.S. did it, so it must be OK.
As the Internet of Things expands all around us, the line between "cyberspace" and "physical space" will disappear. In "Zero Days," researchers demonstrated this in a laboratory by popping a balloon with a Stuxnet-infected computer. At NATO's annual Locked Shields cyber defense exercise, we attached small fireworks to miniature factories.
Of course, the public will never understand all the technical aspects of Stuxnet, and there is nothing simple about the idea of cyber arms control. But just like Bush in the Situation Room, the public can see when something is physically destroyed. And by comparison, it should be simple to begin an international discussion on cyberwarfare in order to examine how we might limit the size of the cyber battlefield.
In my view, none of these issues raised in "Zero Days" is hyperbole, and this film is worth your time.
Kenneth Geers (PhD, CISSP) is a senior research scientist at Comodo, a global innovator and developer of cybersecurity solutions. He is also a NATO CCD COE (Cyber Centre) ambassador, a non-resident senior fellow at the Atlantic Council, an affiliate at the Digital Society Institute of Berlin, a visiting professor at Taras Shevchenko National University of Kyiv in Ukraine, and an accomplished author.