The Complex

NATO looking at how to protect alliance members from cyber attack

Defense chiefs from across NATO have begun to work on how to protect member countries from cyber attack, an alliance official tells Killer Apps.

Although NATO has been working for a while on protecting its own networks (meaning the in-house systems NATO relies on for everyday functions) from cyber attacks, it hasn't come up with any plans to defend its member states from cyber attack. (Sound familiar? It should. While the United States government is responsible for defending its own networks against cyber attack, it is still trying to figure out how to protect the U.S. private sector from such attacks.)

To help remedy this, NATO defense chiefs last week discussed a U.S.-proposed "cyber work plan" aimed at "breaking through policy impasses" to get the alliance in a "much better position" to protect its member countries from cyber attacks, the official told Killer Apps in an email.

What exactly does that mean? Basically, figuring out what roles and responsibilities NATO, the European Union, and all the national governments and private sector organizations that are involved in NATO and the EU have in defending against cyber threats. This could mean figuring out which law enforcement agencies would respond to criminal cyber attacks against alliance members; which government agencies would respond to cyber attacks by other countries; how the various government agencies within NATO would collaborate to defeat cyber threats; and how major corporations that provide critical services to the public would be protected from crippling cyber attacks.

Good luck with that. Twenty-eight member countries, three continents, just sayin'.

During a speech at King's College in London last month, outgoing U.S. Defense Secretary Leon Panetta said NATO is not adequately prepared to respond to cyber attacks against its member countries. "I urge in the coming year that NATO ministers hold a session to closely examine how the alliance can bolster its defensive cyber operational capabilities," he said.

"The impasses have to do with discussion of roles among NATO and EU and national government and civilian sectors," said the official. "It's very similar to discussions that member nations are having within their own government on which agencies protect and respond." 

It will be interesting to see how fast NATO can put any sort of plan in place. Remember, this discussion has been going on in the U.S. for years now. The failure of U.S. lawmakers to produce cyber security legislation prompted the White House earlier this month to release its cyber security executive order aimed at protecting a small group of U.S. banks, energy firms, transport companies, defense contractors and communications providers from a cyber attack that could harm millions of Americans.


National Security

Stuxnet is way older than we thought

Think you knew all there was to know about Stuxnet, the worm that was discovered in 2010 to have destroyed thousands of uranium enrichment centrifuges at Iran's Natanz nuclear facility? Think again. It appears that an early version of the worm was attacking Iran's nuclear program years before the version that made headlines in 2010 was unleashed, according to a new report by the IT security firm Symantec.

Dubbed Stuxnet 0.5, the early version of the worm attacked Iran's nuclear program by closing valves that allowed uranium hexafluoride gas (UF6) to flow into the centrifuges at Natanz, according to Symantec. Cutting off the flow of UF6 would, in theory, damage the centrifuges. (Click here for a primer on gas centrifuges.)

This apparently didn't work as well as Stuxnet's designers wanted it to, and we saw later versions of the worm that famously caused the centrifuges to spin out of control -- thereby destroying them. Stuxnet 0.5 was under development as early as November 2005 and in the wild by November 2007 with orders to shut down by July 2009 -- the year that the version aimed at causing the centrifuges to spin out of control was developed, according to Symantec.

"The earliest known variant of Stuxnet was version 1.001 created in 2009. That is, until now," reads a Symantec blog post accompanying the report.

Remember, Stuxnet was reportedly the work of a U.S.-led cyber campaign against Iran known as Operation Olympic Games. At the time of its discovery the worm was considered to be one of the most advanced cyber weapons ever fielded. The worm reportedly took an unprecedented amount of time, expertise, and money to create.

As a Symantec blog post says, "Stuxnet proved that malicious programs executing in the cyber world could successfully impact critical national infrastructure."

The malware was designed to worm its way (See what I did there?) harmlessly around the globe until it found its precise target, the Siemens-made programmable logic controllers (PLCs) that ran the centrifuges at Natanz. Once there, it attacked. You know the rest.

Some cybersecurity experts fear that cyberweapons like Stuxnet can be reverse-engineered and used against their creators or sold on the ever-growing black market for cyber weapons.

"The difference between traditional weapons and cyber weapons is that it's not possible to [re]assemble a cruise missile after it has been used," said cyber security expert Eugene Kaspersky last September in Washington. "Cyber weapons are different" because the victims "can learn from" weapons used against them.

As another cyber security expert told Killer Apps last fall:

Because uranium centrifuges and power turbines are both spinning machines, "the attack is identical -- the one to take out the centrifuges and the one to take out our power systems is the same attack."

"If a centrifuge running at the wrong speed can blow apart" so can a power generator, said the expert. "If you do, in fact, spin them at the wrong speeds, you can blow up any rotating device."

These new revelations are unlikely to assuage such fears.
