MELISSA BLOCK, host:
Now a story about actually breaking into the computers of another country. The government of Iran says it has found no evidence that its nuclear facilities have been damaged by a highly sophisticated cyber-worm that has infected many industrial computers there.
Security specialists say the Stuxnet worm has the characteristics of a cyber superweapon, capable of causing physical damage to industrial systems. What's not clear is who developed Stuxnet and who it's intended to hurt.
NPR's Tom Gjelten reports.
TOM GJELTEN: Until now, most computer attacks have been attributed to cyber criminals out to steal credit card information or hack into bank accounts, for example.
But the head of the U.S. military's new Cyber Command, Army General Keith Alexander, told Congress last week that he worries about something more serious:
General KEITH ALEXANDER (United States Army): What concerns me the most is destructive attacks that are coming. And we are concerned that those are the next things that we will see.
GJELTEN: Computer attacks meant not just to steal information but rather to destroy things. In fact, even as Alexander was testifying, word was spreading of the kind of thing he had in mind: the Stuxnet worm, designed to attack systems that control the equipment at factories, power plants and other industrial facilities.
Gerry Egan, a director of the security response unit at the Symantec company, says the creators of Stuxnet used previously undetected vulnerabilities, made the worm able to disguise itself and stole digital certificates that gave it an authentic look: All in all, probably not the work of a single individual.
Mr. GERRY EGAN (Director, Security Response Unit, Symantec): Anywhere from five to 10 people probably were needed, with a variety of different skills over as long as a six-month period to try and put this very sophisticated attack together. So that definitely points away from somebody like a typical hacker in their front bedroom or a garage doing this as a hobby toward something that was extremely organized and very well-funded.
GJELTEN: An organized crime group, perhaps or, more seriously, a government intent on going after a sensitive facility in another country.
The Stuxnet worm was designed to zero in on its target, ignoring most parts of a computer system, says Gerry Egan, in order to find a particular piece of hardware in an industrial control system.
Mr. EGAN: Whether it's a flow meter or a temperature reading, in other words, this threat got very far into the control systems of the real world. This attack was not about stealing information. This attack was about physically doing things, physically turning a dial or reading a sensor.
GJELTEN: Turning a dial on a gas pipeline conceivably could have blown it up, tinkering with the centrifuge in a nuclear plant could have made it ineffective.
There are no reports yet that the Stuxnet worm actually did any physical damage anywhere, but this computer worm could have had the effect of a bomb.
Most of the infected computer systems are in Iran, some of them apparently at nuclear facilities there. That has prompted speculation that that the United States or Israel might have launched the attack in order to set back any nuclear weapons program Iran may have.
But the Stuxnet worm has also turned up in many other countries, including India. Derek Reveron, a cyber expert at the Naval War College, points out that a cyber weapon, just like a wayward bomb, can cause significant collateral damage.
Mr. DEREK REVERON (Naval War College): Once a computer worm is released in the wild, it will move freely. And this makes it extremely difficult, I think, to weaponize something like this because you can't necessarily insulate your own systems from the attack.
GJELTEN: Here's another problem: For the targeted country, it would be hard to know how to respond. No government knows for sure the Stuxnet worm was meant for it, nor is it likely ever to know where the attack came from.
Experts say the next war will almost certainly be fought at least partly in the cyber domain, but the Stuxnet episode shows that cyber conflict will raise many difficult questions, and for that reason, it's sure to be studied closely.
Tom Gjelten, NPR News, Washington.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.