When Nation-States Create Computer Viruses: “Diplomacy by Other Means” or Pandora’s Box? (Part 4 of 8)

This 8-part blog series examines the legality, justifications, and consequences of nation-state involvement in the creation of computer malware such as Stuxnet and Flame.

“Arms races stem from ignorance and fear: ignorance of the other side’s capabilities, and fear that their capabilities are greater than yours. Once cyberweapons exist, there will be an impetus to use them.”[i]

I wrote last time that I believe it is dangerous for a nation such as the U.S. to inflate the threat of cyberattacks to such an extent that it can justify conventional counter-attacks on military or civilian targets. That does not mean, however, that state-sponsored computer viruses lack numerous–and serious–detrimental consequences. They include escalation, a high opportunity cost to society, erosion of the nation’s moral position, unexpected technical consequences, a civilian population forced to live in the shadow of incessant harassment by warring computer systems, and the militarization of cyberspace—a supposedly peaceful civilian zone. All of these outcomes are worth avoiding independently of one’s definition of “cyberwar.” Understanding them will be the objective of the next three posts in this series.

A new and improved Stuxnet will likely be coming

One major negative consequence of nation-states adopting cyberattacks as a generalized national security tool is that, once states get involved, escalation becomes inevitable as the logic of attack, defense, and counter-attack ratiocinates devilishly onward.

Technical Escalation

The malware scene, once the domain of minor criminals and activists with few resources, limited technical knowledge, and a predominantly economic motive, takes on a different character when it becomes state-sponsored. Nation-states can afford to spend millions on a virus-creation effort, as the U.S. and Israel did on Stuxnet. States can buy the best technical talent, purchase zero-day exploits from hackers in shadow Internet markets, and design and test with professional expertise. Worse, nations can (and do) collude with commercial anti-virus companies and software vendors by convincing them to “look away” from the exploits they use.[ii] Even when antivirus companies don’t collude, they tend to be outgunned, according to Mikko Hypponen of F-Secure. Contrast this with minor criminals creating viruses for economic gain: each effort at building a virus must be at least proportional to the return the criminals expect to derive. With nation-states, such limitations are only theoretical, not practical.

When states are involved, technical escalation is a given: each new round of sophistication in a virus builds upon the round before it. Stuxnet was created according to professional software engineering principles using modular design. This means that, for example, the modules which exploited vulnerabilities in Windows are functionally and logically independent from the propagation and command-and-control modules that carried the code to the specifically targeted systems and reported back to remote servers. As in professional software, reusability emerges from modularity. Stuxnet and its brother “Flame” were meant to be reused multiple times; this was evident from Mossad’s “disappointment” that useful techniques were discovered.[iii] Had Stuxnet remained hidden, it could have been retargeted at a completely different system with far less effort the next time. Indeed, Stuxnet’s modular architecture has prompted some to claim that it will “serve as a model” for how future malware will be created.

Viruses progress technically as one state invests in and improves its development processes, but when the viruses are discovered, other states’ knowledge advances as well. Unlike a missile, a virus is delivered in full to the victim’s machines, so a captured sample is effectively a complete blueprint. Deployment and discovery therefore mean that other nations (and also non-state actors) can dissect and understand the virus and co-opt its techniques into their own malware programs. This cycle of constant deployment, discovery, and diagnosis means that viruses evolve more rapidly than a conventional military weapon, which is meant to be kept secret except during actual warfare and is often destroyed in the process.

Target Escalation

Just as the tools advance technically by building upon one another, so does the desire to use them build upon each preceding attack. This is not uncommon in war, or in any other situation where one side’s willingness to use a particular technique erodes the other side’s hesitance to respond in a manner it once might have seen as repugnant. Consider, for comparison, our country’s use of warrantless detention in Guantanamo and certain forms of torture as techniques in the “war on terror.” Under the traditional models of warfare and international agreement, these acts are viewed as morally repugnant and unlawful. However, our nation’s military and self-defense policymakers have adjusted those traditional doctrines to justify detention and torture, largely with the civilian population’s assent. Likewise, computer viruses—once the tools of cybercriminals and hackers—may be reassessed and viewed as valuable contributions to our stockpile of available weaponry.

With each acceptable cyberattack, the next—perhaps slightly more damaging–attack becomes warranted. This cycle has already begun. Once Iran discovered Stuxnet, it formed an elite unit of the Revolutionary Guard to conduct cyberattacks and cyberdefense. At the end of September, Telvent, a maker of industrial control systems, reported that its network had been breached and that project files for its OASyS control software had been accessed. This software is used to control electricity grids and is also used heavily in oil and gas pipeline systems in the U.S. The attack was reminiscent of Stuxnet, which also infected the project files that instruct a control system’s logic units. While there is no evidence that this was an act of the Iranians (or any other state), or that any files were successfully modified, the attack demonstrates two things. First, it shows that future attacks model and build upon prior, successful attacks (technical escalation). Second, it shows an advance in target breadth and scope (target escalation): Stuxnet attacked a specific system used to control centrifuges, but this attack targeted a control system used primarily to run civilian energy resources and the electricity grid.

Tactical Escalation

Coincident with technical and target escalation is what I will term “tactical escalation.” As mentioned briefly in the last post, the Defense Department operates in the cyber-world under a doctrine called “offense dominates defense.” This means that, in general, the military believes it is better to focus on offensive over defensive strength. Under this mindset, cyber-weapons (not only cyber-defenses) should be built because therein lies the greatest tactical advantage. In part, this doctrine seems to hold sway because of a belief that it is better to penetrate an enemy’s defenses prior to the outbreak of actual conflict than to wait and see whether one’s offensive cyberattacks actually work. It is easy to see how this policy accelerates the progress of weapons over defenses and increases the willingness to use them. This strategy, however, has dangerous parallels to a Cold War doctrine which encouraged a “preemptive” nuclear strike on the theory that nuclear war was survivable if one side could attack early enough, heavily enough, and with missiles close enough that the enemy would not have time to respond and fire its own missiles.[iv]

A final characteristic of cyberattacks which encourages escalation of all three kinds is lack of accountability. Unlike conventional warfare, the source of a cyber-attack can be hidden. The code can be encrypted and obfuscated. The command and control servers or attack-bots can be located in, or routed through, computers across the world. Often the most telling information about an attack’s originator comes from asking to whom the target has the most value; analysts also lean on clues such as code reuse, shared infrastructure, compiler artifacts and timestamps, but each of these can be forged or planted by an attacker who wants to be misattributed. Blame assigned in this way is far from certain and easily deniable. So long as attacks can be conducted this way, states will be encouraged to go on the offensive more often, and to conduct riskier attacks than they might otherwise have attempted. During the Cold War, fear of retaliation acted as an effective deterrent, but with cyberattacks this natural barrier to escalation is gone.

Next Time

Next time, we will consider the real and opportunity costs to society caused by a permanent “cyber-war” mindset, the erosion of our nation’s moral position, as well as the danger of unexpected technical consequences.

[i] Bruce Schneier, An International Cyberwar Treaty is the Only Way to Stem the Threat, US NEWS (June 8, 2012), http://www.usnews.com/debate-club/should-there-be-an-international-treaty-on-cyberwarfare/an-international-cyberwar-treaty-is-the-only-way-to-stem-the-threat.

[ii] See generally Dan Raviv & Yossi Melman, SPIES AGAINST ARMAGEDDON (2012).

[iii] Holger Stark, Mossad’s Miracle Weapon, SPIEGEL ONLINE INTERNATIONAL (Aug. 8, 2011), http://www.spiegel.de/international/world/mossad-s-miracle-weapon-stuxnet-virus-opens-new-era-of-cyber-war-a-778912-2.html.

[iv] The strategy is also somewhat ironic considering that this October is the fiftieth anniversary of the Cuban Missile Crisis.

~ by K. Miller on October 25, 2012.

2 Responses to “When Nation-States Create Computer Viruses: “Diplomacy by Other Means” or Pandora’s Box? (Part 4 of 8)”

  1. Another great example of escalation was the recent revelation that the Saudi Arabian gas industry and related industries in Qatar had been hit with a virus. Many believe it to have been developed in Iran, and it even included some hidden code to try to mask where it came from, yet at the same time reference Stuxnet. This time it did not shut down oil production, but it did force the gas company to cut off all employees from internal email communications. They are still trying to get everyone back online, and I believe the attack was in August. In all likelihood, it will simply be a matter of time before escalation affects a significant process.

  2. “[iv] The strategy is also somewhat ironic considering that this October is the fiftieth anniversary of the Cuban Missile Crisis.”

    When will we ever learn…
