Monday, May 30, 2011

Langner calls US a Cyber Bully. I hope he's right.

Score: 5 balloons

German security researcher Ralph Langner was the first to decode and publish the inner workings of Stuxnet, a Windows-based computer worm that successfully targeted Iran's nuclear enrichment facility, setting back their nuclear weapons program by three years (according to the public statements of several authoritative sources). Although no one has claimed credit for creating Stuxnet, it has been widely attributed to a collaboration between Israeli and US intelligence agencies.

I had come into his TED Talk with high expectations, but I was disappointed -- not by the science but by Ralph's political commentary. What started as an interesting (though simplified) explanation of a ground-breaking cyber weapon devolved into a naive, self-righteous rant against the US that appealed to TED's liberal audience. (I normally share that liberal viewpoint, but I overcame my bias with actual knowledge, having connected with my hacker friends at the last DEFcon, and having just read two well-documented books on cyber warfare by Jeff Carr and Richard Clarke.)

Langner's first pot shot was his characterization of the US as the only superpower in cyberspace. Apparently Langner is not familiar with Russia and China's far more developed and extensive cyber militaries, which they supplement with privately contracted cyber gangs. Furthermore, Russia and China have far more experience than the US in waging cyber warfare, as evidenced by repeated, successful, multi-day attacks on the government and civilian electronic infrastructures of South Korea, Chechnya and Georgia during the last decade.

Langner's second, more damning accusation was aimed at the US for unleashing Stuxnet on the world, since it can now be repurposed as a weapon against anyone, including our own computer networks. The implication was that just as we did in 1945, the US is once again developing non-conventional weapons that threaten global stability.

But Stuxnet is not what exposes our digital infrastructure to attack. No, we opened that door long ago when we put the computers in charge. Is Langner -- or anyone -- really so naive as to think that without Stuxnet we wouldn't have to defend our networks from cyber attack?

What really irked me, though, was that at no point did Ralph question the wisdom of sharing all his findings publicly (which certainly aids and abets anyone who might wish to repurpose Stuxnet). Nor did he express any hesitation in reaching out to the Iranians to help them overcome this nasty infection. Was I the only person in the audience who thought, "Wait a minute, shouldn't we be thanking the creators of Stuxnet, instead of the guy who stopped it?"

If ever there was a time when US aggression was called for, this was surely it. Ahmadinejad has stated very clearly that Iran supports Jihad on the United States, and that he fully intends for Iran to destroy "the Zionist State" at his earliest convenience. The dictator of Iran holds the Presidential title despite having lost the election, and having brutally crushed the political dissidents who protested. Now who among you really thinks that stopping the nuclear ambitions of a raving, rogue, belligerent madman is a poor use of our tax dollars?

International pressure has not worked. Economic sanctions have not worked. Sure, we could have used conventional missiles to disable this dictator's Jihad machine, but that would have killed Iranians, possibly spread radiation, jeopardized the lives of our soldiers, cost hundreds of millions, provoked military reprisals, and it may not have even worked. If indeed our intelligence community helped develop and launch Stuxnet, then I for one am grateful.

On the final day of the conference, one TEDster was so fired up by Langner that he got up on stage to denounce the people behind Stuxnet for their evil ways, demanding that the US bring them to justice for their illegal aggression and for exposing our country's infrastructure to Stuxnet variants. The audience applauded loudly.

Except that cyber warfare is NOT illegal. (Though unlike Russia and China, the US does prohibit citizens from computer hacking.) Cyber warfare is, however, fast, effective, precise, virtually free, stealthy and usable without loss of life. If we can't altogether rid the world of conflict, our species is surely better off fighting cyber wars than conventional ones.

 See the Guide to TED Talks 2011.


  1. Thanks for posting this, David. Could not agree more with your views here. As a matter of fact I have seen a universal approval of the targeting of nuclear enrichment in Iran (other than Syria). What is there not to like?

    Fascinating to see Ralph's career being launched by this. Of course other researchers contributed valuable understanding of Stuxnet, most notably Symantec.

    What address can I send *my* book to for your review? :-)


  2. " widely attributed to a collaboration between Israeli and US intelligence agencies."

    Stuxnet affects Siemens' programmable logic circuits (PLCs), which are made in Germany. Richard Clarke suggests that the Germans had a hand in the exploit also.

  3. "There must have been ways to test with real equipment before it was deployed. So given that, if you look at who is in the possession of such centrifuges besides Iran, there are two sites. One is in the [U.S.] Oak Ridge National Lab and the other is [Israel's] Dimona complex. There are centrifuges from the dismantled Libyan uranium enrichment program. They are identical to Iran in centrifuges because they go back to the same model. Libya and Iran bought blueprints from Pakistani nuclear scientist Abdul Qadeer Khan."

    Read more:

  4. Anand 5:30 PM

    Oh my God David! You are so American! All you guys can think of is yourself. Just because a country does not function the way USA wants it to, does not warrant an attack. What do you mean by this was the correct time to be the aggressor? The US has been the aggressor anyway, correct or not. It is not naive to suggest that this only aids people to affect systems more. This demonstrates the possibilities and this weapon can indeed be dangerous.
    Rogue belligerent madman? Who the hell are you to term anyone that? He is the leader of their country and they chose to do what they do. You don't have to try to destroy every country. And if at all there has been a poor use for American tax dollars then this would be it. Look at the shoddy economy and look at what people want. Peace!

    1. Anand,
      I actually agree with you that the US is generally an aggressive nation that uses military might to advance foreign policy. I for one would rather see us cut our "defense spending" in half, since we indisputably have the means to defend ourselves already. But when a nation declares Jihad against the US (or any other nation), we have a right to defend ourselves. To do so with a cyber attack is certainly the most civilized way to do so.

  5. Anonymous 4:31 AM

    Agree with you ANAND! The Americans will never understand this...

  6. Igor R 10:37 AM

    Great post, I haven't seen this talk but will have to now. Very logical dissection of his points. I think most experts would be very surprised if Iran's nuclear efforts turn out to be purely civilian.

  7. Anonymous 6:04 AM

    Just stumbled over the dated Stuxnet issue. And lo and behold, a German is "making hay" with it.

    I bet Ralph Langner never programmed a PLC in his life for a real industrial application (I am in this business for a long time). His TED talk is a lot of BS scaring the ignorant (on the PLC subject) industrial community.

    Let me clarify:
    1. A PLC has a real-time operating system, developed by the manufacturer of this PLC. In this case Siemens. It has nothing in common with Windows. To download a PLC program requires a very specific protocol.
    The logic code in the PLC's processor is binary without descriptors. When a developer downloads a PLC program the descriptors (of the source code) are not loaded.
    3. The program for the centrifuge speed control is unique for this particular job. Even if it is a copy of a similar centrifuge control system, the binary word containing the speed value will be impossible to guess without intimate knowledge of this particular installation. The next problem is finding the logic which moves the speed values into the output cards of the PLC (increasing centrifuge speed).
    4. It is unlikely that this PLC system was connected to the internet (no reason to be)

    From this follows:
    Whoever managed to get into this system must have been involved with the development of it and he/she must have had the development documentation (source code in IT jargon) which included all I/O descriptors and, not to forget, the hardware drawings identifying which I/O point controls which hardware item.
    There is NO WAY that anybody else could get the job done without bringing down the system, which may take changing only one wrong bit in the program.

    Calling it a virus opens up business opportunities.
    Ralph is making hay by scaring the industries management and selling them "advice".

    Stuxnet is custom-made for this (and ONLY this) PLC installation. It is useless for anything else.