Weekender: The Age of Cyberwar is Here

January 16, 2011
There’s a war out there, old friend. A world war. And it’s not about who’s got the most bullets. It’s about who controls the information. What we see and hear, how we work, what we think… it’s all about the information!
~ Sneakers

One of the most fascinating (and perhaps most overlooked) stories of 2010 was that of Stuxnet, the mysterious computer virus that jammed up Iran’s nuclear enrichment program.

This was no ordinary virus, as The Economist describes:

According to Symantec, a computer-security company, the worm performs an inventory of the systems it is running on, looking specifically for “frequency converter drives” made by two firms, one Iranian and the other Finnish, running at speeds between 807 Hz and 1210 Hz. (These high frequencies correspond to the rotation speeds of centrifuges; America tightly controls the export of frequency converter drives able to operate at frequencies above 600 Hz.)

If it finds the right configuration, Stuxnet sabotages it by making subtle changes to the speeds of the centrifuges over several weeks, while displaying normal readings to cover its tracks.

That is not all. Ralph Langner, a German researcher, says Stuxnet has a “second warhead”. It targets a different industrial-control system that just happens to be used at Bushehr, Iran’s much-delayed nuclear-power station, replaying previously recorded normal readings as it causes havoc. Mr Langner likens its complexity to “the arrival of an F-35 fighter jet on a World War I battlefield.”

Disrupting key processes… creating false readings… covering its own tracks… this thing is like a trojan horse mayhem capsule filled with nanobot super-hackers.

Welcome to 21st century warfare…

The New York Times sheds further light on Stuxnet with a longform reporting piece, Israel Tests on Worm Called Crucial In Iran Nuclear Delay:

The Dimona complex in the Negev desert is famous as the heavily guarded heart of Israel’s never-acknowledged nuclear arms program, where neat rows of factories make atomic fuel for the arsenal.

Over the past two years, according to intelligence and military experts familiar with its operations, Dimona has taken on a new, equally secret role — as a critical testing ground in a joint American and Israeli effort to undermine Iran’s efforts to make a bomb of its own.

Behind Dimona’s barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran’s at Natanz, where Iranian scientists are struggling to enrich uranium. They say Dimona tested the effectiveness of the Stuxnet computer worm, a destructive program that appears to have wiped out roughly a fifth of Iran’s nuclear centrifuges and helped delay, though not destroy, Tehran’s ability to make its first nuclear arms.

“To check out the worm, you have to know the machines,” said an American expert on nuclear intelligence. “The reason the worm has been effective is that the Israelis tried it out.”

Though American and Israeli officials refuse to talk publicly about what goes on at Dimona, the operations there, as well as related efforts in the United States, are among the newest and strongest clues suggesting that the virus was designed as an American-Israeli project to sabotage the Iranian program.

Wow. Four questions come to mind in light of all this: When does the next James Bond movie come out? What kind of accelerated technological arms race is being kicked off here? What happens to the cloud and the much vaunted digital future? And what are the potential investment implications?

Digital 007

First on the James Bond stuff — Stuxnet is a real-life example of what might be dreamed up by an evil genius supervillain. (Except in this case the “good guys” came up with it first.)

Think about the frightening implications of the concept behind the Stuxnet virus: Not just a specifically designed tool for jamming Iranian centrifuges, but rather a new prototype for “disrupt, deceive and destroy” technology that can be aimed like a guided missile at any sufficiently complex (and thus vulnerable) computer-monitored system.

Think how much of our lives, both financial and physical, are regulated and enabled by sprawlingly intricate software programs and monitoring systems. Then think of the disruption capability embedded in trojan horse hacker programs that tell the operator “everything is fine” even as real processes are going haywire.

Electrical power grids that quietly cycle up until they blow. Water and sewage systems that use the wrong chemical concentrations and jam up completely. Financial software metrics that report one level of transaction flow while actually implementing another. Bank accounts going haywire, value-at-risk calculations of multi-billion-dollar hedge funds being tampered with, trillions of dollars in credit card transactions or interbank cash flows being compromised, and so on.

And to some extent this is all fair game, because once again the “good guys” (said with a hint of irony) started it.

Stuxnet might not qualify as the first full-on “cyberwar” attack. The 2007 cyberattacks on Estonia might lay claim to that. But this is definitely a new level of escalation — one in which two powerful governments, in collaboration with at least one multinational corporation (Siemens), conceived and executed a cyberattack on an enemy government, in an openly recognized (if not openly acknowledged) way.

It now seems abundantly clear, to any political or military leader with half an imagination, that the next round of superviruses won’t be created by bong-smoking Linux enthusiasts or bored sixteen-year-old wunderkinds.

No, we’ve upgraded now. Starting with Stuxnet, the superviruses of the future are being created in collaboration with governments — sometimes multiple governments — and the private sector.


Vulnerable Clouds

Take the implications one step further. Stuxnet was used as a proxy for real bombs — a bloodless alternative means for Israel to delay, if not halt outright, Iran’s nuclear program. Rather than send fighter planes, as they did with Operation Opera in 1981, they sent a virus instead.

But with the high-tech virus conscripted for international warfare, how long before various parties recognize the value in waging economic warfare?

Back up for a moment and look at how 21st century terrorism is evolving. The terrorists may have realized something in the aftermath of the airport security nightmare and the homeland security backlash. They don’t have to physically blow things up to achieve their goals. They can simply jam up the system instead.

The Pentagon will probably find a way to protect its supercomputers. But what about the municipal fire and water departments of countless mid-sized American cities? What about bridge and port operators? What about the endless network of power grids, security systems, and so on that enable our economy to function smoothly?

If Iran and a couple of other black hats got together and brought down a major bank’s back office tomorrow — or shut down the New York Stock Exchange — what would we say? What would they say? Would they be apologetic if caught? Or would they give some version of “Too bad, you guys did it to us. Tit for tat…”?

And in terms of financial terrorism, what about “cloud” themed enterprises with tens of billions in market value: Facebook, Google, VMware, Rackspace, Amazon.com, and so on?

Are we deluded in thinking we can just waltz on out into the cloud, all our personal information ready to be intercepted… or disrupted or distributed… or worse?

Investment Implications

It’s probably too early to pull concrete investment themes from all this. But there are certainly some intriguing trains of thought forming. Here are some rough ideas possibly worthy of discussion:

  • Cyberwar will “break out” as a big story. No one is really paying attention right now. Stuxnet made ripples at the time, but it didn’t make waves. At some point that will change — perhaps when a disruptive attack of major proportions is successfully executed on a western country.
  • The “cloud” is more vulnerable than we think. Up till now, primary objections to the cloud have been oriented towards privacy. People who don’t like Facebook, for example, tend to think of Mark Zuckerberg as the potential enemy. They haven’t thought about the possibility that the enemy is a third party looking to disrupt, deceive and destroy, with government-funded tools to do so. That realization could scare a lot of people — and negatively impact market valuations.
  • Physical warfare is becoming an anachronism. We are moving away from traditional “bombs and bullets” warfare towards something else entirely. We can see this in the manner that Israel (with America’s help) successfully hobbled Iran. They used computers instead of bombs. So at one end of the spectrum warfare is becoming digital. At the other end it’s about “shock and awe” — nuclear bombs, biological retaliation, and so on. It may also be that, as “weapons of mass destruction” become truly mass destructive, a willingness to use them recedes — which in turn favors the rise of digital and economic warfare as a more palatable proxy.
  • Cybersecurity firms have a bright future ahead. It isn’t clear who will be the big winners from a shift towards “cyberwar,” but it isn’t hard to picture a sea-change in investor psychology unfolding. At some point the “new cloud” could be the guys protecting the old cloud. Right now there is still a lot of complacency and relaxed comfort in respect to digital communications. We worry about privacy, but mostly in a superficial way. If that shifts to genuine fear and concern, we could even see overshoot — a full-blown investment bubble developing in next-gen security companies.

JS
