Q&A: Marcus Ranum on Stuxnet, Flame and the threat of cyberwar
For two years defense and security officials cited the Stuxnet worm, which targeted Iran's industrial control systems in June 2010, among the major threats to U.S. cybersecurity. But recent research from Kaspersky Lab and new reports indicate a single U.S. team masterminded Flame and Stuxnet.
FierceGovernmentIT spoke with Marcus Ranum, a noted network security researcher and chief security officer of Tenable Network Security of Columbia, Md., to get some perspective on how this development impacts the state of cybersecurity.
FierceGovernmentIT: When we last spoke, you said that you were positive that the U.S., or the U.S. in collaboration with Israel, was responsible for Stuxnet. And now it's come to light that the U.S. was in fact responsible for Stuxnet and Flame. How in your view does this change the cyber security landscape?
Marcus Ranum: I don't think it changes it much. I think that it has some effect in that we shouldn't take as seriously the claims that we were hearing so much of in 2010. You know, 'Oh it's shocking, the Chinese have been doing all this cyber espionage against the U.S.'
So one of the things we now know for sure is when Mike McConnell and those guys were going around pointing their fingers and screeching at the Chinese, they had just released Stuxnet on the Iranians. I think what that shows is a certain amount of hypocrisy and audacity. We can't take those so seriously.
The other issue is that, you know, it begs retaliation. If we're going to go dishing this kind of stuff out, how are we going to react if someone dishes it out to us in return? And I don't think that our response is going to be very appropriate.
FGIT: Stuxnet became kind of a mainstay in cyber fear mongering. Do you think policies should be pushing less on cyber defense and more on accountability or rules of engagement?
Ranum: Yeah. Yes, absolutely. I mean I think that what was done with Stuxnet depending on--I mean you can pick--I think you could pick a choice between either it was a war crime, or it was a civil crime, or it was a crime against humanity depending on how you want to slice it, or it was state sponsored terrorism, which is a crime against humanity.
The important part that gets swept under the table about this was that the centrifuges at Natanz were damaged by Stuxnet but so was the nuclear reactor at Bushehr, which is, you know, it's a nuclear facility that's right next to a city of 100,000 people.
And launching cyber attacks inside the reactor is never appropriate. I mean, in fact, it's a war crime under protocol two of the Geneva Convention to attack dams, or power plants, or nuclear facilities.
I think whoever it was who authorized releasing that has some explaining to do and, unfortunately, what we're seeing in today's national security environment is that these kind of things are just being swept aside. There's a lot of this kind of stuff going on and, you know, what are really civil crimes and crimes under international law are just being kind of ignored.
FGIT: Going back to something you said earlier, I'm curious, what makes you think that we're unprepared for retaliation?
Ranum: Well, in that situation, you know, that's something I can say I know something about. I mean the problem here, and the reason this is bad is that Stuxnet was attacking civilian infrastructure--although some would say Iran's nuclear reactors are all military. Since they were only enriching fuel to civilian reactor densities rather than to weapons-grade densities, I'm inclined to think that they were actually just doing enrichment for normal nuclear activities. But the problem is at the same time we've got people in the U.S. saying our electric grid is vulnerable to attacks against the SCADA [supervisory control and data acquisition] systems.
Ranum: I guess what I really want to ask is what the fuck is wrong with these people that on one hand they're doing this to somebody else and then on the other hand, 'Oh, gosh, we'd be in big trouble if someone did that to us.'
They should make up their minds. Are they going to play in this way, in which case they should be hardening our infrastructure, or not? It just doesn't seem to line up. You know?
And then the other problem I've got with all of this is--I've been introducing a term that cyber war is becoming a 'weapon of privilege,' by which I mean we can use it on you but don't you dare use it on us. And that bothers me a lot.
Under the Department of Defense's own doctrines about possible military retaliation for cyber war, are the Iranians now justified in launching a cruise missile at a power facility in New Jersey in retaliation? I mean, as a peacenik, I don't think that military activity is ever justified under any circumstances, but these guys have pushed the civilians right into the front line of the battle zone.
FGIT: So, do you think if we're in the ring already should the DoD come forward and finally say what would constitute an act of war in cyberspace? Or do you think it's more advantageous to stay mum on the subject? Or does it matter?
Ranum: Well, I think that they should. What they're doing is they're staying mum on it because they're playing the same kind of game that these countries that are nuclear powers are playing. They're trying to have it both ways, right?
They should say, 'This is what we will consider an act of war, if there is a loss of life or if there's more than a certain amount of damage we will take you to court in the international court.'
If I was currently acting as an advisor to the government of Iran I would probably recommend that they sue the United States for damages, for financial damages, because this was a crime. I mean we understand that these kinds of things are not sanctioned activities.
That dialogue is just simply not taking place, right?
FGIT: So, any predictions for either the threat landscape or future policy in this area?
Ranum: Yeah, my prediction is that this is going to become a weapon of privilege, that the U.S. is going to continue to play this game in which we're going to continue to talk about how we're prepared to launch cyber attacks and we're going to continue to do all this kind of stuff. But we're going to match that with blustering about how inappropriate it is that the Chinese are spying on us using computers, and we will blow anybody away if they do this kind of thing to us. We're going to have a continuation of that kind of posturing.
Unfortunately, I would further predict that the American people are going to eat that. They're going to just swallow that and they're going to be okay with that.
So, I think what's going to happen is that the process is just going to accelerate. There's going to be more of this kind of low-level spoiler operations and unfortunately I would also predict that none of this stuff is ever going to come up in international criminal courts.
I think that's one of the other reasons why some of the other big hitters in the international community aren't saying anything. The Russians aren't going to say anything because what if the Russians decide that they're going to launch some cyber attack against somebody that annoys them and they're going to say, 'Well, the U.S. did it and nobody complained about them. So what?'
This is positioning itself to become a weapon of the powerful to use against the weak, which is weird because it's really an ideal weapon for the weak to use against the powerful. The powerful are going to basically shake their fingers in front of the nose of the weak and say, 'We understand that this would be a good weapon for you to use, but we've actually got real soldiers and stuff. So, don't even dream about using this on us, but we'll use it on you any time we want.'
FGIT: Those are actually all the questions that I had. I wasn't sure if there was anything else that you wanted to add.
Ranum: I mean, the main thing is…it's either immoral or it's not and that's really what we need to get out of [U.S. officials]. And, of course, the answer is it's not immoral if I'm doing it.