You Were Warned: Cybersecurity Expert Edition — Now with Space Stations

Over the last handful of days breathless reports may have crossed your media streams about Stuxnet infecting the International Space Station.

The reports were conflations or misinterpretations of cybersecurity expert Eugene Kaspersky’s recent comments before the Australian Press Club in Canberra. Here’s an excerpt from his remarks, which you can enjoy in full in the video embedded above:

[26:03] “…[government] departments which are responsible for the national security for national defense, they’re scared to death. They don’t know what to do. They do understand the scenarios. They do understand it is possible to shut down power plants, power grids, space stations. They don’t know what to do. Uh, departments which are responsible for offense, they see it as an opportunity. They don’t understand that in cyberspace, everything you do is [a] boomerang. It will get back to you.

[26:39] Stuxnet, which was, I don’t know, if you believe American media, it was written, it was developed by American and Israel secret services, Stuxnet, against Iran to damage Iranian nuclear program. How many computers, how many enterprises were hit by Stuxnet in the United States, do you know? I don’t know, but many.

Last year for example, Chevron, they agreed that they were badly infected by Stuxnet. A friend of mine, work in Russian nuclear power plant, once during this Stuxnet time, sent a message that their nuclear plant network, which is disconnected from the internet, in Russia there’s all that this [cutting gestures, garbled], so the man sent the message that their internal network is badly infected with Stuxnet.

[27:50] Unfortunately these people who are responsible for offensive technologies, they recognize cyber weapons as an opportunity. And a third category of the politicians of the government, they don’t care. So there are three types of people: scared to death, opportunity, don’t care.”

He didn’t actually say the ISS was infected with Stuxnet; he only suggested it’s possible Stuxnet could infect devices on board. Malware infection has happened before when a Russian astronaut brought an infected device used on WinXP machines with her to the station.

But the Chevron example is accurate, and we’ll have to take the anecdote about a Russian nuclear power plant as fact. We don’t know how many facilities here in the U.S. or abroad have been infected and negatively impacted as only Chevron to date has openly admitted exposure. It’s not a stretch to assume Stuxnet could exist in every manner of facility using SCADA equipment combined with Windows PCs; even the air-gapped Russian nuclear plant, cut off from the internet as Kaspersky indicates, was infected.

The only thing that may have kept Stuxnet from inflicting damage upon infection is the specificity of the encrypted payload contained in the versions released in order to take out Iran’s Natanz nuclear facility. Were the payload(s) injected with modified code to adapt to their host environs, there surely would have been more obvious enterprise disruptions.

In other words, Stuxnet remains a ticking time bomb threatening energy and manufacturing production at a minimum, and other systems like those of the ISS at worst case.

As Kaspersky noted, there are three government reactions to Stuxnet’s continued proliferation in the digital world. The computing cowboys who likely approved, supported, created, and launched this cyber weapon continue their optimistic stance with regard to the use of cyber weapons.

The politicians who knowingly or unknowingly signed off on these weapons remain indifferent and clueless. (Hello, Congress?)

And the remainder are still terrified — scared to death, said Kaspersky — of the potential for a disaster set in motion by Stuxnet. They may have limited solutions, but funding could be dependent on people in the indifferent/clueless politician category. They may not have solutions, thwarted by the cyber warfare zealots in the first category, or by the nature of the technology itself (you’ll notice Microsoft is doing nothing out of the ordinary about its vulnerabilities apart from offering a bounty to citizen bug hunters).

This does not sound like a formula for effective pre-emption of cyber weapons, does it?

We can only wonder what it will take for a critical mass of those persons responsible for effecting national security to get on the same page. Will it take more corporations the size of Chevron admitting to Stuxnet-infections?

Or will it take ISS breaking up spectacularly like an IMAX 3D-screened sci-fi movie before they catch a clue?

Whatever it takes, you know the responsible folks been warned — again, and again, and again.

You’ll also recall the Stuxnet payload delivery method requires two different failures of security before it launches its payload: a fake or stolen security certificate, and encryption which unpacks the content. Neither of these challenges have been addressed effectively by the global IT community. The latter challenge may have been enabled in no small part by the National Security Agency’s efforts to weaken of National Institute of Standards and Technology’s encryption standards, used on Microsoft Windows devices — as discussed here in September. We’re still waiting for credible traction on this, as are members of the cybersecurity community.

Blogger since 2002, political activist since 2003, geek since birth. Opinions informed by mixed-race, multi-ethnic, cis-female condition, further shaped by kind friends of all persuasions. Sci-tech frenemy, wannabe artist, decent cook, determined author, successful troublemaker. Mother of invention and two excessively smart-assed young adult kids. Attended School of Hard Knocks; Rather Unfortunate Smallish Private Business School in Midwest; Affordable Mid-State Community College w/evening classes. Self-employed at Tiny Consulting Business; previously at Large-ish Chemical Company with HQ in Midwest in multiple marginalizing corporate drone roles, and at Rather Big IT Service Provider as a project manager, preceded by a motley assortment of gigs before the gig economy was a thing. Blogging experience includes a personal blog at the original blogs.salon.com, managing editor for a state-based news site, and a stint at Firedoglake before landing here at emptywheel as technology’s less-virginal-but-still-accursed Cassandra.

10 replies
  1. Greg Bean (@GregLBean) says:

    Hmm, in some ways it sounds like Year 2000 paranoia, in other ways it sounds like Year 2000 on steroids.

    Hacking back doors into encryption technology, hacking OPEC, hacking malicious worms like Stuxnet is so so so much more nasty than anything Anonymous or the like has done it is like a WMD versus a non-WMD.

    And yet the US Gov, manufacturer of cyber-WMD’s is pursuing and prosecuting Anonymous for its non-WMD activity while ignoring its own major crimes.

    Does this sound at lot like every other, “we’re exceptional so can do whatever the fuck we want” argument that puts them outside the law?

    If you think so, then you also likely recognize that this exceptionalism is the problem.

    When the rulers have exclusions that are not permitted for all the rule of law breaks down.

  2. Rayne says:

    @Phil: Thanks, Phil. Nice to see you!

    @Greg Bean (@GregLBean): The damage Y2K caused wasn’t completely insignificant; there actually were reports of medical equipment failures as just one example. The risks were communicated and acted upon appropriately in most cases, in enough time to check any fixes implemented.

    This appropriate response to the risk is missing, though, in the case of Stuxnet. The government did not adequately communicate the risk of exposure to private sector because the computing cowboys responsible for Stuxnet and its siblings arrogantly believed they had absolute right-of-way to carry out their mission (everything else was subordinate); they were shortsighted about the long-term risks; and they just plain didn’t give a shit.

    OR…they knew damned well what the risks were, and they intend to make use of the pervasive infection for some other program. This Let-It-Happen-On-Purpose model might actually be scarier than the Oops-Fuck-You-So-What model; imagine one of the undisclosed parties to the Stuxnet project deciding to shake down its partners…

    So which is it, oops or LIHOP? It hardly matters; Stuxnet’s challenge is that it has been released into the wild and can be readily reverse-engineered to suit some other entity’s purposes. If a middle-aged mom in flyover country can understand the risk, you can bet a Russian coder working for whomever pays him the most has already been tinkering with this nasty xenomorph.

  3. lefty665 says:

    Please note that the Iranians late last year announced a cyber attack by Stuxnet that targeted a power plant and other industries.

    Targeting power plants and other industrial operations are not hypothetical, they are existing Stuxnet capabilities that have been deployed. There’s good reason for people to be scared as hell.

    Stuxnet is also a marker for other related cyber weapons like flame and duqu.

    Y2K hysteria was hugely disproportionate to the actual problem. The attention paid to Stuxnet and its variations has been the reverse, not nearly enough public awareness and discussion of very real threats.

    Irony is that Gen. Keith has tried his best to create hysteria by using a threat he created as justification to take over the entire internet. Go figure.

  4. bloodypitchfork says:

    Speaking of xenomorphs, I can only hope Alexander gets a dose of it at Bluffdale, notwithstanding his Startrek bridge. And then, hopefully Booz/Carlyle and the rest of these scumbag IC/ worldwide financial crooks get a comeuppance too. Hmmm, now that I think about it..hopefully it will come back and bite the CIA/DOD/FBI/ATF/DHS/DEA/SOD/ etc right in the ass.
    Hope springs eternal..

  5. Rayne says:

    @bloodypitchfork: The problem with hoping Alexander et al get their comeuppance in the ass is that the stakes are enormous; the potential collateral damage is mind-boggling when we consider the loss of part of the power grid, or an active nuclear plant, or the financial industry. There are too many innocents attached whose lives, welfare, families are exposed.

    I’d really like some adults to get their heads out of their asses and deal with it responsibly. Dead/injured/bankrupt Americans can’t buy your products and line your pockets; don’t test this by failing to fix your mess.

  6. P J Evans says:

    @Rayne:
    Someone playing with the valves on a gas transmission line and blowing up a neighborhood. Or an interstate, or a main railroad line.

  7. bloodypitchfork says:

    quote:I’d really like some adults to get their heads out of their asses and deal with it responsibly.”unquote
    Responsibly. right.
    You mean like the ones who have control of 6k+ nuclear WMD’s, or the ones who lied us into slaughtering Iraq/Afghanistan, or the one’s who vaporize 100’s innocent human beings via a murder by drone program around the planet, or the ones who signed the NDAA, or the one’s who to this day are detaining and torturing 100+ human beings in Guantanamo, or the ones who’ve secretly built a Surveillance State while holding a 16th Amendment gun to the taxpayers head, or..or..wait.. ummm,…you said..”adult”. DOH! Nevermind.

  8. Rayne says:

    @P J Evans: Yeah, like that, except at a safe remove–maybe even from another country altogether. As distant as Washington DC is from the infected Russian nuclear plant’s internal network.

    @bloodypitchfork: All that other stuff was in somebody else’s backyard. The risks the irresponsible parties ignore are in their own backyard. They could learn effective risk management the hard way.

    @Teddy: Yeah, not so much. Though if I were going to protect a manufacturing facility, I’d have already contacted either Kaspersky or Langner.

Comments are closed.