How Obama Endangered Us All With Stuxnet


A few months after President Obama took office in 2009, he announced that securing the nation’s critical infrastructure — its power generators, its dams, its airports, and its trading floors — was a top priority for his administration. Intruders had already probed the electrical grid, and Obama made it clear the status quo around unsecured systems was unacceptable. A year later, however, a sophisticated digital weapon was discovered on computers in Iran that was designed to attack a uranium enrichment plant near the town of Natanz. The virus, dubbed Stuxnet, would eventually be identified by journalists and security experts as a U.S.-engineered attack.

Stuxnet was unprecedented in that it was the first malicious code found in the wild that was built not to steal data, but to physically destroy equipment controlled by the computers it infected—in this case, the cylindrical centrifuges Iran uses to enrich uranium gas.

Much has been said about Stuxnet in the years since its discovery. But little of that talk has focused on how use of the digital weapon undermined Obama’s stated priority of protecting critical infrastructure, placed that vulnerable infrastructure in the crosshairs of retaliatory attacks, and illuminated our country’s often-contradictory policies on cyberwarfare and critical infrastructure security.

Even less has been said about Stuxnet’s use of five so-called “zero-day” exploits to spread itself and the troubling security implications of the government’s stockpile of zero-days — malicious code designed to attack previously-unknown vulnerabilities in computer software.

Because a zero-day vulnerability is unknown, there is no patch available yet to fix it and no signatures available to detect exploit code built to attack it. Hackers and cyber criminals uncover these vulnerabilities and develop zero-day exploits to gain entry to susceptible systems and slip a virus or Trojan horse onto them, like a burglar using a crowbar to pry open a window and slip into a house. But organizations like the NSA and the U.S. military also use them to hack into systems for surveillance purposes, and even for sabotage, as was the case with the centrifuges in Iran.

Generally when security researchers uncover..
