AusCERT 2012: US Army Cyber Command has never seen a cyber attack

Stuxnet was not a cyber attack because Iran never said it was.
Liam Tung (CSO Online), 17 May, 2012 09:28

The US Government, like most others, is openly building up offensive ‘cyber’ capabilities, but the arms race is on before the world has even seen a real cyber attack, says Robert Clark, operational attorney for the U.S. Army Cyber Command.

“With all due respect to all my friends out here doing this, we’ve never seen a cyber attack because I’m looking at a very specific definition of what a cyber attack is,” Clark on Tuesday told the AusCERT conference in Queensland.

“Stuxnet was not a cyber attack. Estonia, nope. Georgia, nope.”

The cyber attacks on Estonia and Georgia could not be considered real because neither could be tied back to a nation-state.

“If you can’t tie it back to a nation state, you can’t call it a cyber attack because the law of armed conflict applies between states, not individuals,” said Clark.

China remains the poster child for industrial and national espionage, but Clark noted that while espionage on domestic turf carries tough penalties, espionage is not illegal under international law and is rife. The question of where and when to use ‘cyber’ force, however, is more complicated.

Stuxnet, thought to have been developed by Israel with the aid of the US, was definitely a “game changer”, said Clark, but it too failed to qualify for one reason.

“Iran didn’t call it an attack. They didn’t step up and say, ‘We’ve had a cyber attack’. Why? I don’t know,” said Clark, explaining that a critical criterion for an attack is the target's declaration that the incident is, in fact, ‘an attack’.

“The nation state that gets attacked gets to announce and decide whether they have suffered a ‘use of force’ or an ‘armed attack’.”

In turn that might influence how to define a proportional response.

Still, Stuxnet did satisfy two other conditions of ‘armed conflict’, including physical destruction of a system and, assuming Israel was behind it, a proportional response to an “imminent threat”.

“Under the law of armed conflict, you have to have necessity, proportionality; it’s got to be a non-discriminatory weapon, which means it’s got to be a targeted weapon,” said Clark.

“[Stuxnet] was very discriminatory because it was looking for that one SCADA system, that Siemens machine, with the Iranian subsystem and the Finnish aspect in there.”

Symantec researchers in 2010 detailed that the trigger for Stuxnet was at least 33 frequency converter drives made by Fararo Paya in Iran or by Finnish company Vacon. Because Iran’s equipment was unlikely to be found anywhere but Iran, the finding suggested the malware was designed specifically to target Iran's facility.

“And if it wasn’t there, this thing goes off the box June 24th 2012, or it would just go away or just lay there dormant, doing nothing. So it was a very discriminatory device.”

Was Stuxnet proportional if it was an attack by one state on another?

“I don’t know. Which one is better: dropping a 20,000 pound bomb on the dang thing or knocking it out with a cyber attack? So no deaths, just destruction—very proportional to the threat being faced,” said Clark.
