In the film Contagion, a developer knocks down some trees in Hong Kong, disturbing a nest of bats.
As one of the awakened bats flies off, it drops a piece of fruit it’s been chewing. The fruit lands in a local pigpen and is consumed by one of the porkers. Soon, a chef at a ritzy Hong Kong restaurant is seen sticking his hand into the mouth of the slaughtered pig as he prepares it for Gwyneth Paltrow’s lunch. He personally serves the meal to her and shakes her hand.
We next see Gwyneth at Hong Kong’s bustling international airport. She’s blowing her nose as she makes a date with an ex-paramour in Chicago, whom she will briefly visit while changing planes on the way back to her home in Minnesota. Gwyneth barely has time to say hello to her husband before she convulses and drops dead.
You know you’re in for a serious pandemic when a major star croaks in the first three minutes of the movie. Sure enough, the outbreak traced to Ms. Paltrow kills millions on screen before it’s brought under control. In a neat twist, Gwyneth’s character works for the developer who caused the whole mess.
Cut to the real world and a virus of a different sort. This time, the vector isn’t Blythe Danner’s talented daughter–it’s the U.S. Department of Defense. The outcome of this drama also could be messy.
According to Eugene Kaspersky, the Pentagon isn’t just planning for a cyberwar: they’ve already weaponized a computer virus and used it at least once. And just like the biological virus in Contagion, once you release a computer virus in cyberspace, it’s Out There.
Kaspersky is the Russian computer security expert who founded Kaspersky Lab, one of the world’s leading trackers of computer viruses. For more than a decade, Kaspersky and his brethren have been the Paul Reveres of the Internet Age. He and his fellow geeks look for vulnerabilities deep within the code of the most commonly used software programs, glitches that can be subverted by malware into ceding control of a hard drive, a database or an entire network to people with evil intent.
When a vulnerability is discovered, Kaspersky et al sound the alarm. Then the clock starts running until the other shoe drops: an “exploit” program appears in cyberspace, meaning someone has unleashed malevolent code written to penetrate the vulnerability. It usually doesn’t take more than a few days after a vulnerability is announced before the exploit appears, sometimes just a few hours. Even the most primitive malware is designed to spread exponentially using individual PCs or Macs (and the servers they’re connected to) as booster rockets. Thus a computer virus is born.
Kaspersky and his friends periodically take off their Paul Revere tri-cornered hats and put on their Ben Franklin glasses, producing some of the leading anti-virus programs on the market.
Until about six years ago, computer viruses almost always were the work of individual hackers or groups of hackers who simply wanted to prove they could cause an uproar with a few lines of code. Think of them as cyber graffiti artists, or the type who used to be classified (in the Analog Age) as juvenile delinquents.
Hacking took an ominous turn in 2007 with the advent of “phishing” emails (sending malware disguised as seemingly harmless email), which became the favorite technique of the Russian Mafia to pry account passwords from unsuspecting bank customers.
Phishing email also has been used to great effect by China to unlock the secrets of the most sensitive U.S. databases. An entire division of the People’s Liberation Army is believed to focus exclusively on phishing expeditions. They’ve reportedly managed to hook some big ones, including the blueprints for the U.S. Navy’s nuclear submarines.
In late 2010, a Belarussian virus hunter (who now works for Kaspersky’s shop) discovered that the folks at the Pentagon had unleashed a genie which may prove impossible to put back in the bottle: in a joint project with Israel, they weaponized malware and sent it into combat.
The weapon of choice was dubbed Stuxnet: it was implanted in the software of Siemens computer numerical control (CNC) units before these were shipped from Germany to Iran, where they were deployed on Iranian centrifuges purifying enriched uranium. The Stuxnet virus in the CNC machine tools reportedly infected a large number of Iran’s centrifuges (all of which are linked together in a cascading spinning operation), significantly slowing Iran’s nuclear enrichment program. [The centrifuges have since been repaired and Iran is believed to have accumulated enough highly enriched uranium to produce at least four atomic bombs.]
When word about Stuxnet first began to seep out, it generally was assumed this was a unique trick which had achieved the worthy goal of pushing back against nuclear proliferation.
But as the drumbeat for military action against Iran has increased in recent months, details about Stuxnet were leaked to The New York Times, which ran the story on its front page. Congressional leaders have demanded an investigation, saying the leaks jeopardized U.S. national security. It now appears Stuxnet is part of a growing arsenal of cyberweapons under development by the U.S. and its allies.
Kaspersky warns that the unleashing of Stuxnet crossed a dangerous threshold. Cyberweapons initially may be aimed at military targets, he says, but these custom-made bits of malevolent code always leach into cyberspace, where they can be adapted for use against civilian targets like power grids and financial networks.
“Cyberweapons are the most dangerous innovation of this century,” Kaspersky told a gathering of tech company executives at the recent CeBIT conference in Australia.
According to Kaspersky, a growing array of nations — and “other entities” (presumably including criminals and would-be cyberterrorists) — are using online weapons because malware is “thousands of times” cheaper than conventional armaments. Only an international treaty banning militaries and spy agencies from making viruses will truly solve the problem, he says.
The new cyber arms race is unfolding in a way that is eerily similar to the early days of the nuclear arms race: the U.S. has jumped out to a cyberweapons lead, Russia has responded with a call for an international cyberweapon ban; military analysts with close ties to the Pentagon are branding this as a ploy to enable the Kremlin to close the “cyberweapons gap.”
“There is no broad international support for a cyberweapons ban,” intones James A. Lewis, a senior fellow at the Center for Strategic and International Studies in Washington. “This is a global diplomatic ploy by the Russians to take down a perceived area of U.S. military advantage.”
In the early 1960s, similar hogwash was spewed whenever anyone suggested it was time to unwind the nuclear arms race. Fifty years and 50,000 warheads later, we are racing around the planet desperately trying to corral “loose nukes” before they fall into the hands of terrorists.
When it comes to cyberterrorism, it won’t take 50 years for the threat to become untenable: once a computer virus enters cyberspace, it’s Out There.