Since September 26th, when the Stuxnet computer worm was found on computers at Iran's Bushehr nuclear plant, media have been endlessly speculating about which country might be responsible. Security specialist Bruce Schneier says that we not only have no proof that the worm was state-backed, we still don't know what it does.
Peanut Butter and Patience
BROOKE GLADSTONE: Last weekend, Iran’s official news agency reported that the country’s new Bushehr nuclear reactor had been hit by a piece of malicious software or malware called Stuxnet. The malware is specifically designed to infiltrate software manufactured by the company Siemens, software that monitors automated industrial processes in refineries, water towers and yes, nuclear power plants. Discovered in June by a cybersecurity firm, Stuxnet sent a chill through the security community because it’s unprecedented in its complexity, implying that it must have a lot of money and talent behind it. The worm’s sophistication and the high concentration of infections in Iran have led many in the media to suggest that it was deliberately targeted at Iranian nuclear facilities by a foreign foe.
MALE CORRESPONDENT: Computer security specialists say the Stuxnet worm apparently was created by a government somewhere.
MALE CORRESPONDENT: It is theoretically possible that the U.S. government did this. More likely, frankly, it’s Israel.
[MUSIC UP AND UNDER]
MALE CORRESPONDENT: The Pentagon tonight, refusing to say whether United States government programmers created a powerful computer worm, one that’s apparently targeting Iran’s nuclear facilities.
BROOKE GLADSTONE: This enticing story of international espionage fits neatly in the narrative of strained relationships between Iran and the West. But cybersecurity specialist Bruce Schneier says that not only don't we know who or what Stuxnet was designed to attack, we aren't even sure what it does yet.
BRUCE SCHNEIER: Stuxnet’s job right now is primarily to spread itself. Its writers, its controllers can change what it does. It can be reprogrammed on the fly. And, in a sense, that’s the greatest danger. We don't know what it’s gonna do.
BROOKE GLADSTONE: Is it rare for a piece of software to actually cause physical damage to the hardware of a computer?
BRUCE SCHNEIER: Most worms just go after information. Certainly, today’s worms infect computers that in turn affect real world systems. You'll see worms infecting computers that might drop a control system in a hospital, in a police station. These aren't deliberate. You know, these tend to be accidental. But this seems a little different in that it is deliberately attacking these control systems. And we don't know why.
BROOKE GLADSTONE: What sort of damage could this worm do?
BRUCE SCHNEIER: You know, it’s a hard question and probably a - not a very valuable question. It’s certainly fun to talk about the worst possible case, but the worst possible case isn't the likely case and it just makes people scared for no good reason.
BROOKE GLADSTONE: Wait a second! This worm has gone into this facility. There’s got to be a reason why.
BRUCE SCHNEIER: Well I mean, there are worms all the time and they go into nuclear power plants all the time and other valuable facilities. This isn't a targeted missile. It’s a worm that’s wandering around the planet infecting computers it can find. Among the many countries Stuxnet infected, one of them is Iran. And you can put it first on the list, but it’s like claiming, because your house got snowed on, that the snow is intended to find your house. [BROOKE LAUGHS] It’s snowin’ all over town! I mean, stop taking it personally.
BROOKE GLADSTONE: There is a security expert named Ralph Langner who, after doing some reverse engineering of the program, posted on his website what he found, including a section he called “completely speculative”, which supposed that Stuxnet must have come from the West.
BRUCE SCHNEIER: Langner’s blog postings were really very good, and he made sure to say that his theories were just theories and speculation. As the media started replaying those, they got more the air of fact, even though there was no new evidence to support them.
BROOKE GLADSTONE: If there’s no proof that this was created by a nation-state, why do you think the newspapers have so heavily implied that it was?
BRUCE SCHNEIER: I think there’s a good story here. I think a government writing a worm to attack an Iranian nuclear power plant plays into the politics of today, plays into our fears of cyberwar, so it’s a good story to repeat.
BROOKE GLADSTONE: Maybe the U.S., even if it didn't build Stuxnet, is deriving some benefit from not denying it, because if it erodes Iranian confidence in its nuclear infrastructure, that might be useful.
BRUCE SCHNEIER: I think the Israelis are playing the same game too, not denying that they wrote it because there’s political advantage. And, I mean, that makes a lot of sense, right? Once something’s out there you might as well take advantage of it for your policy goals. You mentioned that because of its complexity some people theorize that it can only be written by a government. I think the notion that complexity equals government is overstated. When you think about the most complex pieces of software out in the world, they're not written by governments. They're written by corporations.
Now that this code is out there, anybody with the skill – and it does require skill but it still can be done – can reverse engineer it, can modify it, can learn from it, can improve it and rerelease it.
BROOKE GLADSTONE: So what are we to learn from Stuxnet, if anything?
BRUCE SCHNEIER: Well, we're to learn that the motivations behind worms are hard to discern. We know there’s a class of criminal worms that have a very obvious profit motive, and then there are these worms that are out there that don't have obvious profit motives. And there are groups writing them and releasing them for some reason. And we don't know if these are government cyber warriors doing tests, we don't know if these are criminals with some new moneymaking idea. We don't know if they're governments or spy organizations or commercial spy organizations. We, we just don't know.
BROOKE GLADSTONE: Why can't we know?
BRUCE SCHNEIER: We don't know because you can't figure out human intent from computer code.
BROOKE GLADSTONE: Bruce, thank you very much.
BRUCE SCHNEIER: Thank you.
BROOKE GLADSTONE: Bruce Schneier is an author and computer security specialist.