Stuxnet is not Stable

Tom Gjelten, 10-1-2010, "Stuxnet Computer Worm Has Vast Repercussions," NPR.org,
https://www.npr.org/templates/story/story.php?storyId=130260413

A powerful new computer worm apparently is capable of causing power plants or pipelines to
blow up. It's a cyber superweapon called Stuxnet. Experts suspect it was designed to disable
nuclear facilities in Iran, but Stuxnet could have consequences its creators did not anticipate.
When cybersecurity experts get together, they usually talk about such things as the latest
techniques in credit card fraud. But the big session at the Virus Bulletin conference Thursday in
Vancouver, British Columbia, Canada, was one called "Stuxnet: An In-Depth Look." It was
arranged by the Symantec company, whose researchers have been analyzing the computer
worm for several weeks. Eric Chien, technical director at Symantec's Security Response Unit,
says he and his colleagues have been stunned by what they've found. "I've been dealing with
malicious code threats for 15 to 20 years now, I've seen every large sort of outbreak, and we've
never seen anything like this," Chien says. "It's fundamentally changed our job, to be honest."
That's because studying a computer worm designed to sabotage a power plant or gas refinery is
a far cry from thinking about some virus engineered by a lone hacker. "It changes the urgency at
which we have to analyze these threats and understand them and make sure that people who
are affected know they are affected and how to get themselves cleaned up," Chien says. The
Symantec researchers say the Stuxnet worm was designed by a well-funded, well-organized
group, perhaps affiliated with a government. They're convinced it was meant to target facilities
in Iran. The worm was apparently designed to penetrate and take over the computerized control
system used in nuclear plants there. But it's becoming clear that the repercussions may go far
beyond Iran. "Now that it's released, numerous other people will take that and go, 'aha,' " says
Stephen Spoonamore, a veteran cybersecurity consultant who has spent years pursuing hackers.
He thinks some other group may now be able to take the Stuxnet computer code and modify it
slightly to create its own cyber super weapon. Symantec's Chien is not sure it will be all that
easy. But if nothing else, he says, other cyber warriors are likely to be inspired by what Stuxnet
has been able to do. "People have been talking about this in theory for a long time, and we've
had movies that have demonstrated this kind of thing, but it's never been done," Chien says.
"And now, it's been done." The Stuxnet story raises the question of what the consequences of
using a cyber weapon might be. Maybe Pandora's box has been opened -- this weapon, or one
modeled after it, could soon come back in even more dangerous form. Security experts call this
"blowback." Some experts are convinced the Israeli government developed and used the
Stuxnet worm as a weapon, to disable a nuclear plant in Iran. After all, hitting the nuclear plant
with a 500-pound bomb would have produced far more collateral damage than attacking it with
a cyber weapon, right? Spoonamore is not so sure. "Compared to releasing code that controls
most of the world's hydroelectric dams or many of the world's nuclear plants or many of the
world's electrical switching stations? I can think of very few stupider blowback decisions," he
says. Here's the situation: Even as U.S. and other Western cybersecurity officers scramble to find
new ways to protect industrial facilities from a Stuxnet-like attack, their governments in all
likelihood have their own people developing new cyberweapons that are not unlike the Stuxnet
worm. Deputy Defense Secretary William Lynn, speaking Thursday night about U.S. cyberwar
plans at a meeting in New York, said he did not know where Stuxnet came from. Asked about
the U.S. military's own offensive cyber-arsenal, Lynn refused to comment. A cyber professional
who has worked on both sides says the offensive and defensive players bring different mindsets
to their work: Those on the offensive side tend to focus more narrowly on the accomplishment
of their war-fighting mission and may not pay as much attention to the wider consequences.