One day, the summer of 2010 may be remembered as “The Summer of Stuxnet”—the moment when we discovered the power of Geek Terror, and how the digital world, the world of the Internet and malware, Trojans and worms, could penetrate the physical world, destroy infrastructure and even kill people.
There were some who saw this Matrix-like moment coming. A year ago, Rodney Joffe, one of nation’s top cyber experts, began to warn the security community that cybercriminals were testing and training, adapting and evolving; 2010, he said, would be the year they started carrying out their plans. It was only a matter of time, before cyberterrorists would be able shut down vital control systems and put lives at risk, he warned.
Cybersecurity hasn’t exactly lit up the media or public debate in the past year, even as the Obama administration made it a national security priority. But geek terror finally began to get people’s attention last week, when details of the Stuxnet worm began to seep out of the shadow world of cybersecurity.
At first, Stuxnet was thought to be spyware; its goal, industrial espionage. The worm had burrowed its way into what had been considered one of the most secure operating systems for critical infrastructure, the Siemens’ systems that control power grids and industrial plants.
But last week security experts revealed that the worm was designed to look for a specific computer controlling a specific automated system and, without waiting for an outside signal, trigger a physical malfunction. In other words, Stuxnet was the cyber equivalent of a cruise missile, capable of taking down a power plant—but from the inside out.
The fact that thousands of these cybermissiles have been discovered in Iranian computers has, inevitably, led to much speculation that Stuxnet was designed to take down the Bushehr nuclear power plant, which was supposed to come online in late August. And on Sunday, the official news agency admitted that computers at the plant were infected, but, predictably, denied that there was any significant damage.
“I think Stuxnet is the prime example of the modern, targeted cybermunition,” says Joffe. “It’s capable of being unleashed anonymously somewhere in the world, finding its way to a highly specific set of targets and then destroying them without risk to the attacker. In this case, if generating systems were to explode, people could easily be hurt in the process. It's a very short step for there to be loss of life in the future.”
Already, malware has caused the loss of life. This August, the Spanish government released its report on Spanair Flight JK5022, which crashed on takeoff from Madrid two years ago. The pilot of the McDonnell Douglas MD 82 took off thinking that the flaps controlling lift were extended when they were, in fact, retracted. The plane ascended briefly before plunging into the ground, killing 154 of its 172 passengers. Trojan viruses spread by infected USB sticks—the dirty needles of the tech world—had stalled the execution of a key safety protocol before the jet took off, which would have shown that the aircraft’s systems were malfunctioning.
“I was shocked that [the report] didn’t get more coverage,” says Joffe. Even if the failure to run the safety protocol was unintentional, it’s the model for how malware can seek out and surgically disable critical systems. Who needs to spend years training pilots to hijack aircraft, when you can crash them with a few clicks of a keyboard?
The evolution of malware isn’t just a story about exploiting technology to conduct a better kind of bank robbery; it has added a new dimension to international affairs. We are no longer able to distinguish between mere cybercriminals getting rich and foreign intelligence services using cybercriminals to gather intelligence at our collective expense. Look at Zeus, says Joffe. One particular criminal gang used this Trojan to steal $100 million from various U.S. companies last year. But, as Brian Krebs reported, Zeus was also used to send out bogus emails to .gov and .mil addresses, ostensibly from a real organization (The National Security Council) with an attachment to an apparently real report (the 2020 project). Hundreds of machines were infected when people, blindly, downloaded the attachment, allowing Zeus’ controllers to steal their passwords.
“Zeus is a perfect case study of what the world looks like,” says Joffe. “There's a blurring of the lines between criminals and nation states. It’s no longer easy or even important to differentiate between a criminal attack and a politically motivated attack, because more and more they're going to blur. The political attacks will employ criminals to develop and generate them.”
Or take the case in March, when a computer administrator in Chile noticed that a number of requests for Facebook and other popular websites had been sucked out of the “real” Internet and into China’s separate, fortress-like Internet. The event, which got very little media coverage, left security experts stunned. It showed that it was no longer possible to know what was real on the Web, because you couldn’t verify whose Internet you were in faster than someone could fake it.
If the media has been slow to grasp the evolution of cyberwarfare, the government hasn’t. And in part, that is thanks to Joffe who has emerged as a kind of Morpheus-like figure (to push the Matrix analogy further) dispensing red pills to politicians and wonks so that they may wake from their happy slumber and face the unnerving vulnerabilities of the Internet.
Charming and quick-witted, Joffe, who is 55 and originally hails from South Africa, earned his tech spurs as the founder of CenterGate, a research lab for super-geeks, where he created a massively successful cloud-based system for making the process of routing Web requests much more efficient—UltraDNS. In 2006, UltraDNS was bought by Neustar, the “neutral” clearinghouse that routes calls, texts, data, and common short codes (used for things like voting for a TV show contestant) between competing telecoms. Joffe became Neustar’s chief technologist, which gave him a perfect vantage point to watch how the Internet works on a day-to-day basis—and to see how it could be abused.
If the media has been slow to grasp the evolution of cyberwarfare, the government hasn’t. And in part that is thanks to Joffe, who has emerged as a kind of Morpheus-like figure.
In March 2009, he and David Dagon from Georgia Tech were the first to find the Conficker virus in x-ray and MRI visualization systems, and Joffe was instrumental in pushing the Federal government to create a task force to respond to it, in tandem with the international working group he now chairs (the story of Conficker and its fiendish ingenuity was brilliantly told by Mark Bowden in the June issue of The Atlantic Monthly).
While security experts know what Stuxnet is designed to do, Conficker is still the reigning mystery of the cyberworld because no one knows why it’s there or what it’s going to do. “Whoever developed it must be thinking that this was an incredible learning exercise,” says Joffe. “They were able to modify their code four times as we reacted defensively each time. They were able to step around us.” Version E of Conficker came out at the beginning of April 2009 and—alarmingly—it remains unbroken a year and a half later. “They raised the bar so high I have no idea what it’s doing,” he says. “It looks like it’s dormant.” But if he were to put himself in the Conficker controller’s shoes, he muses, “I'd be tactically selling off individual machines,” so that customers could choose their targets from a directory of hacked computers. “He could give me your computer, and we would never know it, as a security industry.”
Last week, the cascade of cyberthreats led Gen. Keith B. Alexander, the military’s new commander of cyberwarfare operations, to call for a secure computer network to protect critical civilian and government infrastructure from attack.
But how do you decide what should be part of this new secure network, when roughly 85 percent of critical infrastructure resides in the private sector? Our collective interdependence on the Internet and computer networks presents myriad ways for cyberattackers to cause havoc, and government resources are limited. The private sector simply cannot depend on the military to protect everything. This is why Joffe is trying, with Neustar’s CEO, Jeff Ganek, to build a kind of civilian, commercial cyberversion of the AWACS aircraft that monitor and coordinate battlefield intel for the military. “We have an enormous amount of infrastructure that gives us early warning of events,” says Joffe, “and we're able to correlate information from seemingly unconnected occurrences, do the analysis, extract actionable intelligence, and feed it back to our users who can then better protect themselves.”
And given Neustar’s neutrality in business (all the movie studios but Disney are working with the company on a digital-rights system), Joffe says it can cut through the systemic, competitive fear that companies have about sharing vulnerabilities and failures with other companies.
Other experts say Joffe is one of the few people who could create such a network. “He has the ability to drill down and solve technical problems like no one else in the industry,” says former colleague Jeff Samuels, who is now chief marketing officer for GoGrid, a major cloud computing infrastructure company. “Rodney has been successfully challenging the status quo in the DNS field for over a decade,” says Paul Vixie, president of Internet Systems Consortium, arguably the key global player in DNS, “and his insight into the challenges of cybersecurity commands respect.” Joffe also possesses a key skill beyond the reach of programming: social affability.
But even Joffe admits that a better radar and rapid reaction system is only a partial, stopgap solution. The Internet was built without any sense that it would allow crime and espionage to evolve in the way they have, and the only real—albeit radical—solution to our current vulnerability is to re-engineer the way it works. “We need to rewrite the protocols that run the Internet,” says Joffe. “Many people claim that would be like changing the tires on a car at 80 mph, but that doesn’t mean you don’t go out there and build a brand new car with tires that don’t go flat. I’m talking about rethinking how computers interconnect and how communication occurs, and then build something that's better.” Such a project would take, he believes, a decade, and cost billions of dollars.
The vast money grab of cybersecurity has already led some in the pundit class to fret about a return of Cold War hawkism, and military industrial complexes. Recently, the Washington Post’s David Ignatius decried the militarization of the Internet and warned that “a new (and expensive) obsession with cybersecurity is not what this traumatized country needs.” On the Huffington Post, the ACLU’s Jay Stanley, warned about allowing “our security agencies to ‘re-engineer’ the Internet in ways that work for them, not for us.” What does Joffe say to such fears?
The Spanair crash should be a wake-up call for everyone, he says. “I don't consider myself to be an evil person at all—but I will tell you that if it was me and I was evil, I absolutely know how I could kill hundreds of thousands of people, and cause damage to millions; and if I could do that, why would I possibly think that a world that could give us Hitler couldn’t give us someone else who would make that same decision?”
Trevor Butterworth is a regular contributor to the Financial Times, Forbes, and the Wall Street Journal. He is also editor of STATS.org