At What Point Do Our Cyberwar Toys become WMD?

The other day, Ellen Nakashima reported on new cyberwar acquisition guidelines that will allow DOD, under certain circumstances, to deploy targeted exploits without the regular testing or oversight process.

The rapid process will take advantage of existing or nearly completed hardware and software developed by industry and government laboratories. This approach could take several months in some cases, or a few days in others.


Under the rapid plan, weapons can be financed through the use of operational funds, in “days to months,” and some steps that ordinarily would be required would be eliminated. These include some planning documents and test activities, according to the report.

The weapons may be designed for a single use or for some other limited deployment, and they would be used in offensive cyber operations or to protect individual computer systems against specific threats, said the report.

As she describes it, this rapid development will (is supposed to?) only be used in fairly targeted cases.

But what are the chances the speed and limited oversight lead to mistakes? What are the chances that our rush to roll out exploits leads us to set off some unintended consequences?

Consider Richard Clarke’s explanation for how StuxNet escaped the narrow confines of the Natanz centrifuge facility it targeted.

“It got loose because there was a mistake,” [Clarke] says. “It’s clear to me that lawyers went over it and gave it what’s called, in the IT business, a TTL.”

“What’s that?”

“If you saw Blade Runner [in which artificial intelligence androids were given a limited life span—a “time to die”], it’s a ‘Time to Live.’” Do the job, commit suicide and disappear. No more damage, collateral or otherwise.

“So there was a TTL built into Stuxnet,” he says [to avoid violating international law against collateral damage, say to the Iranian electrical grid]. And somehow it didn’t work.”

“Why wouldn’t it have worked?”

“TTL operates off of a date on your computer. Well, if you are in China or Iran or someplace where you’re running bootleg software that you haven’t paid for, your date on your computer might be 1998 or something because otherwise the bootleg 30-day trial TTL software would expire.

“So that’s one theory,” Clarke continues. “But in any event, you’re right, it got out. And it ran around the world and infected lots of things but didn’t do any damage, because every time it woke up in a computer it asked itself those four questions. Unless you were running uranium nuclear centrifuges, it wasn’t going to hurt you.”

“So it’s not a threat anymore?”

“But you now have it, and if you’re a computer whiz you can take it apart and you can say, ‘Oh, let’s change this over here, let’s change that over there.’ Now I’ve got a really sophisticated weapon. [first brackets mine, all others original]

Here’s a cyberweapon presumably developed under the existing “deliberate” process, with full testing and oversight. If Clarke’s description of the problem is correct, it’s not so much a testing problem as an inadequate understanding of the environment–a failure to account for all those computers on which, because their clocks were not set properly, the TTL orders malfunctioned. And while StuxNet itself may not have done collateral damage, who knows what hackers who have gotten the code did with it?

So while StuxNet, with the benefit of time and testing, didn’t do excessive damage when DOD’s plans proved to be inadequate, who’s to say that an exploit deployed with far less time–purchased for use–won’t do more damage?

Also, note how much more quickly DOD appears to be moving to make sure it has lots of cyberweapons to deploy than it has moved to make sure it has the most rudimentary defenses against exploitation. Probably, when our cyberwar toys turn into a WMD, they’ll hurt people in the Middle East or China. But given our rush into offensive cyberwar before we’ve protected ourselves, who knows?

3 replies
  1. MadDog says:

    One of the primal fears of US government policy for the past 70 years has been the dangers of the proliferation and spread of WMD.

    And in an apparent blink of their eye, in a nanosecond really, our US government has abandoned that fear with respect to the WMD that are cyberweapons.

    Just like the nuclear weapons of WMD, these cyberwar WMD toys have a half-life of forever!

    The cyberdummies warriors of the US government apparently aren’t aware of bothered by the fact that once released, these cyberwar WMD toys are reusable weapons that can be used again and again by any fool with a computer.

  2. Frank33 says:

    This is all Computer Games, compared to the new, US exceptional, strategy, Weapon of Mass Destruction. That is mass assassinations of scientists, impoverished peasants, journalists, and even Pat Tillman. Anyone who opposes victories in the never ending wars are fair game for this neo-con strategy.

    Stuxnet itself, was created with previously unknown Microsoft Backdoors. As if Bill Gates computers did not have enough vulnerabilites. Also “certificates”, necessary for to protect the Microsoft monopoly, were illegally stolen, unless they were given to Richard Clarke’s friends, by Microsoft.

    Stuxnet can also be employed for Espionage or plain criminality because the Microsoft OS is dreadful. SIRPNet seems to have marginal security, and is vulnerable to Stuxnet, or some variation. But any computer, even open source systems, such as Linux, can be attacked successfully. For instance, downloading, or installing software that pretends to be a “trusted source”.

    The price we pay for world-wide networking, is imperfect security. Any computer system with a public internet connection should have NO classified information. If it does have classified information, that information can be stolen and no one ever knows.

    I am guessing SIRPNet and its classified data had been compromised long before the persecution and torture of Bradley Manning started.

  3. earlofhuntingdon says:

    To answer your question, I’d simply change the verb’s tense to “did” our “cyberwar toys” become WMD.

Comments are closed.