Stuxnet and the New Era of Cyber-Warfare
Not so long ago, talk about cyber-warfare fell somewhere between hype and science fiction. Killer robots have been wreaking havoc on the big screen for generations, but in the real world it all seemed a bit abstract. Then along came Stuxnet, showing that cyber-weapons could indeed wreak physical destruction.
The information security community, including IT at midsize firms, is still catching up to the new - and fast-evolving - realities of cyber-warfare. A variety of factors are making the challenges more difficult. But the one piece of good news for IT managers is that basic security precautions can still help, even in the age of cyber-war.
Up until a couple of years ago, warnings of a cyber Pearl Harbor or cyber 9/11 were likely to fall on fairly deaf ears. Yes, we knew that important - even critical - information could be stolen by hackers. Or it could be destroyed, by wiping files. But true physical destruction, breaking stuff, seemed like a different matter.
Then, as Roberft L. Mitchell notes at InfoWorld, along came the Stuxnet worm. Apparently developed and deployed by US covert agencies, it took over the control systems of perhaps a thousand Iranian centrifuges used for nuclear materials refinement. They were commanded to overspeed, causing them to disintegrate. Not only could cyber-weapons cause physical destruction, but their use had been legitimized.
Subsequent cyber-weapons have been aimed at espionage or disruption rather than outright destruction. Just last month Iran evidently launched distributed denial-of-service (DDoS) attacks against US banks and financial firms. But the risk of physical damage remains.
And cyber-security measures have been slow to catch up. According to Melissa Hathaway of Hathaway Global Strategies, "a lot of critical infrastructure is not even protected from basic hacking."
What are IT managers at midsize firms supposed to do in this expanding threat environment? Midsize firms cannot simply rely on either government agencies or security vendors to shield them from cyber-attacks.
But while firms can do very little to protect against physical attacks, they have significant scope to self-protect against cyber-attacks. According to Gartner analyst John Pescatore, attacks target specific vulnerabilities. Says Pescatore, "By closing that vulnerability, you stop the teenage kid, the criminal and the cyber warrior."
And in spite of sophisticated new weapons, many attacks remain simple, exploiting vulnerabilities that could readily be closed. Others, such as "spear phishing," exploit the human factor. Spear phishing attacks mimic emails from persons known to the target. We need to train people to ask themselves, why is this friend sending me an email attachment out of the blue?
IT departments at midsize firms can do much to protect themselves. And the time to start taking those measures is now.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. Like us on Facebook. Follow us on Twitter.