November 21, 2013: Stuxnet Evolution: NSA input turned stealth weapon into internet-roaming spyware
First discovered in June 2010, Stuxnet is a computer worm that has officially made cyberwarfare a reality. The primary focus of the malware targeted Siemens Supervisory Control and Data Acquisition (SCADA) systems that were used to control uranium enrichment infrastructures. After infecting the industrial controller systems, Stuxnet sped up uranium enrichment centrifuge rotors while faking control sensor signals so the system doesn’t shut down. The NSA, in collaboration with the Israel Defense Forces, created Stuxnet to target Iran. Symantec released a study of the spread of Stuxnet and found that 58.85% of affected computers were located in Iran followed by 18.22% in Indonesia. Although not the first attack on an industrial system, Stuxnet has received the most attention and has raised the ethical dilemmas of cyberwarfare to the public.
When I first read this article, I was really interested in Stuxnet yet at the same time was extremely conflicted about its application – hacking could bring about a lot of productive, beneficial changes but also like all technology, could be used for harm. I always knew that cyber hacking was occurring and we definitely have the technology and resources to exploit it (as with banking and identity theft) but I never considered it on an international governmental level. Cyberwar will become the new form of warfare, and bring with it new technological ethical dilemmas to add onto the already highly controversial topic of war.
The biggest ethical issues I see with the realization of cyberwar is that this advancement blurs the lines even more of what justifies the start of a war along with which technologies can be used and in what context. Although the concept of a cyberwar is more appealing because it removes the physical human casualties associated with war and the expenses and risks of deploying troops, the same ethical dilemmas are still present. We can attack another nation from thousands of miles away (the same arguments for deploying robots in war) in the safety of our own homes; cyberwar is a lot easier, but the question of whether we should go to war still remains.
International humanitarian laws don’t cover technological cyberspace warfare so how do we justify a war? Is it possible to wage a just cyberwar? Traditionally, we are given moral permission to go to war only in the circumstance of self-defense; war should be considered a horrible last resort but with the introduction of cyberwar, it makes declaring war a lot easier because it gets rid of the physical casualties and subdues a lot of the emotive reactions that comes with war.
There a 4 main aspects of the practice of cyberwarfare that I am most interested by from an ethical perspective:
- How should the national military/defense respond to a cyberattack since it doesn’t cause any direct physical harm to people/isn’t a traditional form of aggression? Should we treat a cyberattack like we treat a normal attack? Does it count as a trigger for war when it’s installed and has been set off already, or the act of installing the malware is an attack and we should declare war, or about unsuccessful attempts to install the malware?
- How should we reciprocate in our defense? In traditional “just-war” ethics, we retaliate only as much damage in defending as the attacker did in the first place. In the case of cyberwar however, most times the victim can’t assess exactly how much damage was received; should we respond physically? What if the malware spirals out of control and does more collateral damage than was originally intended by the attacker?
- Is it right for us to declare war on an entire nation, even though the actions of a cyberattack may just be that of one person? What if we blame the wrong person or can’t figure out who the attacker is?
- What role should the engineer play in the development of malware? Is it more acceptable (or dismissable) for an engineer to help in the production of a malware versus a traditional weapon that causes direct physical harm? What responsibilities do engineers have towards the government?
Class discussion notes:
cyberwarfare – you subdue all of the emotional response associated with loss of lives
how should our nation respond to a cyber attack? should we respond like to a normal attack, or should we respond stricly with cyber attacks?
Can you verify the originator of the cyber-attack? Is it a person or a nation?
It depends on the consequences of the attack, not the type of attack.
What should be the responsibilities of the engineers towards the government?
It’s a lot easier to think about the ethics issues in the early stages of the technology being developed.
You introduce a lot of interesting points. 🙂
A cyberattack is certainly a very different way of engaging warfare. It doesn’t harm anyone in a way, as you mentioned. I feel that depending on its severity, you need to decide the correct response. There is no way to tell how, though. If it is an “eye for eye”, the correct response would be another hacking attempt on the opponent. But wouldn’t this quickly escalate to full-blown war out of frustration? That seems a bit extreme, but as you pointed out, hacking is starting to become a bigger issue and more potent weapon. You also bring in the scenario that the bug causes more damage than predicted. In that case, the offender needs to offer some compensation, although this seems unlikely in the grand scheme of things. I don’t think a war should be considered on the entire nation, but it seems much harder to assign blame with a cyberattack. It is much harder to identify someone who hides behind a computer. It is a very intricate ethical dilemma without a certain solution.
I feel that the discussion on cyber warfare was extremely interesting since it challenges currently “accepted” methods and procedures of war. In class, we have already discussed how sending drones that torture and harm humans leads to a more detached view of war, and many encourage it because it comes at less of a human cost. Cyber warfare, however, removes direct human harm on both the offensive and defensive end, which may be why engineers are looking to cyber warfare as a more desirable alternative. In class, most people seem to be concerned about how a country would identify the offending hacker; this is only evident when the offending group comes forward and makes a political statement that they declared war. While the class felt that this would prevent cyber warfare from completely replacing traditional warfare, a county does ultimately have to come forward to declare war even if they used a traditional attack on another country. Otherwise, there is no way of confirming that the attack was due to a rogue militant group or an organized government. If this point was brought up earlier, then maybe the class would have responded differently to the idea of cyber warfare.
Something I wish we discussed more was the responsibility of engineers to the government. It is important for us engineers to realize what is unethical for the government to ask us to do, which may be a difficult thing to do considering that the government heavily funds engineering education and projects, as it directly ties into a nation’s ability to defend itself. Could you elaborate more on your opinions about this issue?
Overall, the issues we discussed in class were not elaborated upon much in the article, which takes on a more informative tone. It briefly brings up the politics behind Stuxnet through a quote at the end of the article, claiming that the development of the software improves the United States’ reputation as a technological giant and maintains its powerful role in international relations. As a whole though, the article focuses on the mechanisms Stuxnet employs, and gives more technical information. Despite the technical information, no numbers have been provided about how much damage the technology is capable of doing. This was a point of contention in class, as the dollar value of damage is an important factor in assesses the severity of a war.
Annie, I feel you did a good job of taking factual information and finding the ethical arguments that would result from employing this technology. The article is not focused on the ethics, yet the class was engaged in a stimulating discussion that was not centered around protocol or techniques, but rather how technology effects the morality of war practices.
It seems that there is emphasis on the idea that cyber-warfare is appealing because it does not directly harm people. I don’t agree with this idea because if someone hacks a remote software controlled piece of artillery and then proceeds to shoot down a village or a city, then I don’t see how that is any different than pulling the trigger themselves. I’d love to see a worldwide boycott between engineers on weapons development altogether. It’s interesting to note that so much of the funding and motivational propaganda related to weapons development is propagated on the perception that we need to defend our country, which in some respects is true, but how often have we actually had to use weapons to fight off intruders amidst an ambush on our country? It almost seems like engineers like building weapons as much as politicians like starting wars.