Tuesday, January 18, 2011

Idaho and Stuxnet

The New York Times on Friday published a provocative article suggesting that the United States and Israel jointly developed and tested the Stuxnet computer worm that many suspect has partially crippled Iran’s uranium enrichment program.

The article suggests that cybersecurity research at the Idaho National Laboratory played a role in the development of the worm in Israel.

But that’s about all the article does: suggest. The paper offers no concrete evidence, only conjecture, which it openly acknowledges:
“Many mysteries remain, chief among them, exactly who constructed a computer worm that appears to have several authors on several continents. But the digital trail is littered with intriguing bits of evidence.”

Evidence that Jeffrey Carr, a cyber warfare expert who has consulted with, among others, the governments of the United States and Russia, says is scanty and based on a timeline that is incorrect and “excluded evidence that didn’t support their theory.”

For its part, the Idaho National Laboratory, per the Times, confirmed its partnership with German control systems manufacturer Siemens, “but said it was one of many with manufacturers to identify cybervulnerabilities.”

Further, the INL, per the Times, argues “that the report did not detail specific flaws that attackers could exploit.”

And though I’m no expert in cybersecurity, upon looking at the report the paper suggests is evidence, I’ve got to agree with the INL statement.

The PowerPoint presentation the New York Times suggests is evidence of a plot is too general to suggest anything of the sort. The report lists general weaknesses that have been spotted in these systems and how they’re secured, ranging from factory default passwords never being changed to passwords being shared too frequently to automatic log-ons being abused. The Siemens portion of the presentation is also very general, showing what kinds of attacks might be possible and identifying the general approaches the company could take to make its devices more secure against cyber attack.

I won’t rule out, however, that governments – perhaps our own – would be involved in developing and deploying such a worm. But I find it hard to believe, by implication, that the INL had anything to do with that kind of nefarious mischief. That some other entity took INL-based research and did something with it, however, is not outside the realm of possibility.
