Stuxnet and the Dawn of Cyber Warfare.

But if the name of the piece of military technology in question is Red October or Firefox, then it's OK to do.

Call me when they actually do something significant.

Hey, you picked the criteria, and it's been met. Don't move the goal. Arguing that it's not significant also misses the point that about 20% of the centrifuges were actually damaged. If you think that's the last attack of this sort, I suspect you're mistaken.

Aetius wrote:
Shoal7 wrote:

Aetius, you're espousing that there's been little to no damage from cyber warfare. While it's true there's been little physical damage, and little to no known deaths, the economic damage is massive. Unfortunately, you won't know much about it, because it happens in a world you don't know much about.

Right, so in this world, massive economic damage isn't noticeable? Umm ... okay. The "massive economic damage" is trivial compared to real internet problems like spam.

Hmm. Isn't that a bit like saying that since the annual number of deaths by homicide is "trivial" compared to those from heart disease and cancer that we shouldn't bother funding police departments?

More Schneier on Cyberwar.

Cyber weapons beg to be used, so limits on stockpiles, and restrictions on tactics, are a logical end point. International banking, for instance, could be declared off-limits. Whatever the specifics, such agreements are badly needed. Enforcement will be difficult, but that’s not a reason not to try. It’s not too late to reverse the cyber arms race currently under way. Otherwise, it is only a matter of time before something big happens: perhaps by the rash actions of a low level military officer, perhaps by a non-state actor, perhaps by accident. And if the target nation retaliates, we could actually find ourselves in a cyberwar.

Interesting article claiming that traffic to Stuxnet expert sites from Iran is way, way, up recently.

Also claims that the Iranian scientist killed by a magnetic bomb attached to his car was their chief Stuxnet guy.

JPost reports that Stuxnet has set the Iranian program back by two years.

Last month, the International Atomic Energy Agency (IAEA), the United Nation’s nuclear watchdog, said that Iran had suspended work at its nuclear-field production facilities, likely a result of the Stuxnet virus.

According to Langer, Iran’s best move would be to throw out all of the computers that have been infected by the worm, which he said was the most “advanced and aggressive malware in history.” But, he said, even once all of the computers were thrown out, Iran would have to ensure that computers used by outside contractors were also clean of Stuxnet.

“It is extremely difficult to clean up installations from Stuxnet, and we know that Iran is no good in IT [information technology] security, and they are just beginning to learn what this all means,” he said. “Just to get their systems running again they have to get rid of the virus, and this will take time, and then they need to replace the equipment, and they have to rebuild the centrifuges at Natanz and possibly buy a new turbine for Bushehr.”

Call me when they actually do something significant.

I already did that.

Well, time has rolled on and we can add the Sony attack and this recent German steel company disaster to the list of "real world damage from cyber attacks".

Aetius, genuine question - after four years and the Snowden revelations, attacks on various countries' infrastructure (for example Russian attacks on the Baltic states) and recent events, has your view that "cyberwarfare" is "nothing of the sort" changed? Or is this all just... Well, what would the major investment in cyber capabilities by countries large and small reflect, if it's not capable of doing real world damage?

Not trying to pick on you, just curious if your views have changed with events.

No, not at all - if anything, the last few years have cemented my opinion that "cyberwarfare" is largely worthless. The Stuxnet attack was five years ago, and yet the Iranian nuclear program continues - and as I noted, Stuxnet was a historical footnote only a couple of months after it was in the news. Also note that the supposed two year delay mentioned in that article mysteriously vanished. Today, the best examples you can come up with are embarrassing a movie company, some damage to a single factory in Germany, and some brief DDOS attacks that accomplished nothing?

Robear wrote:

Well, what would the major investment in cyber capabilities by countries large and small reflect, if it's not capable of doing real world damage?

There is a long and storied history of the military-industrial complex investing in various fads that turn out to be useless. Mostly, it just means they have enormous budgets and little incentive to produce things that are useful or effective.

Compare the effect of these "cyberwarfare" events to the economic impact of, say, dealing with spam or credit card fraud - and both of those are considered nuisances. "Cyberwarfare" fails the bathtub test and is irrelevant economically. That doesn't mean there aren't things to worry about on the Internet, such as NSA surveillance, government co-option and use of the Internet to suppress dissent, and various criminal activities. It does mean that the threat of societal collapse from "cyberattack" is an overblown mirage.

Well, the Iranian nuclear program has suffered physical bombings in the past, and assassinations of its experts, and sanctions, and yet it still continues. Is that evidence that those tools are ineffective or incapable of larger damage?

It's not. Cyber attacks are just another tool in the box. They have limits, but they are clearly part of warfare (cold and hot) today. But there will also inevitably be improvements, and attacks which yield more severe results (like blowing up gas pipelines, which seems to have happened at least twice in the last ten years or so). Taking down society? That seems like raising the bar past your original argument, and I have not argued that that is what would happen, so I think that's a straw man here. But a useful part of warfare? Seems to be so far, especially if you count propaganda and intelligence activities as part of the conduct of war.

I'd argue that, in the case of Natanz at least, the cyber warfare was much more effective than a simple airstrike would have been. They didn't know they were infected for a very long time, and the damage to their centrifuges kept accumulating; as far as we can tell, production from that plant was completely stopped for more than a year, maybe two years, and they spent a huge amount of money replacing centrifuges, only to watch them blow up again.

Honestly, Aetius, if you're sticking to the 'cyber warfare doesn't matter' after THAT, then you've already made up your mind, and you cannot be convinced otherwise. I doubt that any evidence would suffice to change your opinion.

edit to add a note: I think it is a terrible idea for us to be doing stuff like that. When we work on subverting the world's defenses as we are, we are also subverting our own.