Picture yourself in a large control room watching some computer monitors with centrifuge displays when suddenly loud AC/DC music blares through the room. “Thunderstruck.” You have to watch the video or listen to a cover of the song on Spotify to imagine what it may have been like there in Iran –
“Seriously,” you may ask, “What are the security questions? “
What happened? There’s been reports of another cyberattack on the Natanz nuclear site by parties unknown. The story is still young and could even turn out to be misinformation, but F-Secure has received email reports that malware from Metasploit was used to deliver the raucous AC/DC payload.
Who was responsible? After the Flame and Stuxnet virus revelations, it’s natural that some would point the finger at the U.S. and its allies. But the AC/DC virus hardly sounds like a typical sophisticated and stealthy nation state attack. Has cyberwar – not to put too fine a point on the definition – taken a turn for the bizarre? Has some U.S. defense or intelligence agency developed a sense of humor? Is it a form of psychological warfare? Who knows. The attack could equally have come from a hacktivist group or individual prankster. It’s very important to attribute threats as much as possible but it takes time.
What does it mean? Maybe the reports F-Secure received will turn out to be false and we’ll have been all thunderstruck by a bad song for nothing. But the implications of nation state cyberattacks are so big they’ve brought me out of my cave to write about it anyway.
If the U.S. was behind yet another cyberattack, I think we have to ask what kind of future we’re creating. President Obama himself, according to the New York Times, has repeatedly told his aides that there are risks to cyberattacks on nation states. No kidding! In fact, it may be that no country’s physical, financial and energy infrastructures are more dependent on computer systems, and thus more at risk of cyberattacks, than those of the United States.
As I wrote in Proposing an International Cyberweapons Control Protocol it may be only a matter of time before we’re attacked and the arms race goes into overdrive. Cyberwar is destabilizing, as Bruce Schneir wrote. Shouldn’t the world’s nations attempt to deter military cyberweapons much as they’ve banned chemical weapons and struggled against nuclear weapons proliferation? The actual Chinese-Russian proposals to UN for cyberweapons control are seen by some as yet another state censorship initiative or an attempt to stop the U.S. from developing an area of military advantage. But we have to keep talking.
Recommended Reading and Sources
- Quote origin for “those who live in glass houses should not throw stones” goes all the way back to Benjamin Franklin and Geoffrey Chaucer!
- Iran nuclear facilities hit by cyber attack that plays AC/DC’s – Daily Mail
- F-Secure weblog with all the real information we have so far
- New York Times Article: Obama Order Sped Up Wave of Cyberattacks Against Iran.
- Book: Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power, by David Sanger
- Cyberwar arms control proposals and controversy
- Schneier on Security: Cyberwar Treaties
Read Complimentary Relevant Research
Predicts 2017: Artificial Intelligence
Artificial intelligence is changing the way in which organizations innovate and communicate their processes, products and services. Practical...
View Relevant Webinars
The Mobile Scenario: Taking Mobility to the Next Level
The definition of "mobile" in the post-app era will involve new interactions such as bots and conversations, new devices such as wearables...
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.