Copyright ©2010 NPR. For personal, noncommercial use only. See Terms of Use. For other uses, prior permission required.

STEVE INSKEEP, host:

Let's follow up now, on the story of that powerful, new computer worm that is apparently capable of causing power plants or pipelines to blow up. It's a cyber super-weapon called Stuxnet. Experts suspect the intent is to disable nuclear facilities in Iran, but it could have consequences its creators did not anticipate, as NPR's Tom Gjelten reports.

TOM GJELTEN: When cybersecurity experts get together, they usually talk about such things as the latest techniques in credit card fraud. But the big session at the Virus Bulletin conference in Vancouver, Canada, yesterday, was one called "Stuxnet: An In-Depth Look." It was arranged by the Symantec Company, whose researchers have been analyzing the computer worm for several weeks now .

Eric Chien, technical director at Symantec's Security Response Unit, says he and his colleagues have been stunned by what they have found.

Mr. ERIC CHIEN (Technical Director, Security Response Unit, Symantec): I've been dealing with malicious code threats for 15 to 20 years now. I've seen every large sort of outbreak, and we've never seen anything like this. And it fundamentally changed our job, to be honest.

GJELTEN: Because studying a computer worm designed to sabotage a power plant or gas refinery is a far cry from thinking about some virus engineered by a lone hacker.

Mr. CHIEN: It changes the urgency at which we have to analyze these threats and understand them, and make sure the people who are affected know they are affected, and how to get themselves cleaned up.

GJELTEN: The Symantec researchers say the Stuxnet worm was designed by a well-funded, well-organized group, perhaps affiliated with a government. They're convinced it was meant to target facilities in Iran. The worm was apparently designed to penetrate and take over the computerized control system used in nuclear plants there. But it's becoming clear the repercussions may go far beyond Iran.

Mr. STEPHEN SPOONAMORE (Cybersecurity Consultant): Now that it's released, numerous other people will take that and go, a-ha.

GJELTEN: Stephen Spoonamore is a veteran cybersecurity consultant who has spent years pursuing hackers. He thinks some other group may now be able to take the Stuxnet computer code, and modify it slightly to create their own cyber super-weapon.

Symantec's Eric Chien is not sure it will be all that easy. But if nothing else, he says, other cyberwarriors are likely to be inspired by what Stuxnet has been able to do.

Mr. CHIEN: People have been talking about this in theory for a long time, and we have - you know - movies that have demonstrated this kind of thing, but it's never really been done. And now, it's been done.

GJELTEN: The Stuxnet story raises the question of what the consequences of using a cyberweapon might be. Maybe Pandora's box has been opened this weapon, or one modeled after it, could soon come back in even more dangerous form. Security experts call this blowback.

Some experts are convinced the Israeli government developed and used the Stuxnet worm as a weapon, to disable a nuclear plant in Iran. After all, hitting the nuclear plant with a 500-pound bomb would have produced far more collateral damage than attacking it with a cyberweapon, right?

Stephen Spoonamore is not so sure.

Mr. SPOONAMORE: Compared to releasing code that controls most of the world's hydroelectric dams, or many of the world's nuclear plants, or many of the world's electrical switching stations? I can think of very few stupider blowback decisions.

GJELTEN: Here's the situation: Even as U.S. and other Western cybersecurity officers scramble to find new ways to protect industrial facilities from a Stuxnet-like attack, their governments, in all likelihood, have their own people developing new cyberweapons that are not unlike the Stuxnet worm.

Deputy Defense Secretary William Lynn, speaking last night about U.S. cyberwar plans at a meeting in New York, said he did not know where Stuxnet came from. Asked about the U.S. military's own offensive cyber-arsenal, Lynn refused to comment.

A cyber professional who has worked on both sides says the offensive and defensive players bring different mindsets to their work. Those on the offensive side, he says, tend to focus more narrowly on the accomplishment of their war-fighting mission, and may not pay as much attention to the wider consequences.

Tom Gjelten, NPR News, Washington.

Copyright © 2010 NPR. All rights reserved. No quotes from the materials contained herein may be used in any media without attribution to NPR. This transcript is provided for personal, noncommercial use only, pursuant to our Terms of Use. Any other use requires NPR's prior permission. Visit our permissions page for further information.

NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.

Comments

 

Please keep your community civil. All comments must follow the NPR.org Community rules and terms of use, and will be moderated prior to posting. NPR reserves the right to use the comments we receive, in whole or in part, and to use the commenter's name and location, in any medium. See also the Terms of Use, Privacy Policy and Community FAQ.

Support comes from: