Cyber arms race
October 21, 2011
Internet security firms have raised the specter of a new round of cyber warfare with last week's detection of the Duqu virus - a "relative" of last year's Stuxnet malware, which is thought to have slowed down at least one Iranian nuclear facility.
Duqu's detection comes amid growing talk in Europe about launching pre-emptive strikes to stop cyberattacks before they happen. But the nature of malware like Duqu and Stuxnet make pre-emptive strikes unrealistic.
"The problem is you can't really say where they come from," Candid Wüest, a virus expert at IT security firm Symantec told Deutsche Welle.
"You need evidence about who is behind an attack before you can strike pre-emptively," said Wüest, "but you can never be sure - you can't attack infrastructure, or even send in a stealth bomber, because any information about a location could be a red herring."
Malware makers can hide their tracks using spoofing, VPNs, proxy services and other means to make it look like they are based in any number of countries - when in truth they are somewhere completely different.
Not spreading, but waiting
Wüest is one of the experts at Symantec, who is currently analyzing the source code behind Duqu. Symantec says it was alerted to the new threat on October 14 by a laboratory that has "international connections."
Since then, Symantec's investigations suggest that a "few hundred systems have been infected at a handful of companies," many of which are in Europe.
Another IT security firm, McAfee, is also working on the virus. McAfee and Symantec both believe that Duqu shares strong similarities with the Stuxnet virus.
Some of its source code matches that of Stuxnet and because the Stuxnet code is not known to be available online, they say it is likely that Duqu was created by the same people or that they sold the code to another group. While it remains unclear where Stuxnet came from, the New York Times reported in January 2011 that Stuxnet was developed by the American and Israeli governments.
But there are significant differences as well between Duqu and Stuxnet.
"Duqu is not spreading like Stuxnet," said Wüest, "Duqu was carefully placed and can be controlled remotely."
Experts believe that Duqu has been used to target only a limited number of organizations for the specific assets.
"Its warhead is not aimed at the technology industry, it's being used to steal information, so it's more like industrial espionage," Wüest added.
Industrial control systems
By contrast, Stuxnet was created to attack particular computer control systems made by the German firm Siemens.
These control systems are typically used to manage water supplies, oil rigs, power plants and other critical infrastructure.
Stuxnet infections were also found at Iranian nuclear facilities in 2010, leading some to speculate that the virus may have been designed by state actors - by governments or state security services who had wanted to disrupt Iran's nuclear program.
A year later, Siemens spokesman Wieland Simon is keen to stress that "no customers reported any disruptions" of their control systems because of Stuxnet.
Siemens products have also so far not been affected by Duqu.
"We learnt quite a bit through our experience with Stuxnet," said Simon, "but we tell everyone that security starts with awareness of the problem at managerial levels and right down to the front desk."
Government intervention
It is a slightly more "internal" approach than the one being adopted by the United Kingdom.
British Foreign Minister William Hague has said his country is developing an unspecified electronic weapons that could be used to defend Britain against cyber attacks or prevent them.
Earlier this week, he told The Sun, a British newspaper that the United Kingdom was prepared to strike first in a cyber conflict, and that there was potential for a cyber arms to grow out of control.
Hague's comments could soon be echoed in Germany, where the Criminal Police Union (BDK) called this week for a specialized federal ministry for the Internet.
Andre Schulz, the head of the BDK, told Deutsche Welle there was no danger that such a ministry would politicize issues around cyber warfare.
"It's a sad situation," said Schulz, "to realize that the government considers the Chaos Computer Club as its experts on IT security - we need a centralized body and I think that would be in the interest of business too."
The CCC revealed nearly two weeks ago that a German government tool designed to perform digital surveillance domestically, went well beyond its legal guidelines.
Wieland Simon, the Siemens spokesperson, was less than encouraging, suggesting that "no government can guarantee it can protect a country or entity against cyber attack."
But there is still pressure for governments to do something.
"In future wars, there will be a cyber element," said Mikko Hypponen, the chief research officer of F-Secure, a computer security firm, in an interview with Deutsche Welle. "Countries hope that if they threaten to use missiles to retaliate against a cyber attack, others will think twice about launching one."
Author: Zulfikar Abbany
Editor: Cyrus Farivar