Details on Stuxnet
Geospatial intelligence indicates a need for cyber intervention
In 2009, the United States and its allies collected geospatial intelligence on the Natanz nuclear facilities in Iran. It is the most frequently used facility for uranium enrichment in the country, containing two separate and active departments for gas enrichment operations in order to provide active materials for domestic and commercial use. The facility has three underground buildings, two of which contain tens of thousands of centrifuges, and an additional six buildings above ground. The Natanz facilities began operations in 2002 after the Federal government ended its nuclear operations with a private company; however, by the end of the year, cybersecurity professionals within many state-actors had intelligence regarding Iran’s secretive move to Natanz, and began to assess Iran’s nuclear capabilities. Due to diplomatic solutions made between Iran and other nations during the early life-cycle of the Natanz nuclear facilities, the country’s nuclear ambitions were not initially seen as threats to national security or foreign policy; the Iranians removed the country from diplomatic talks in 2006 and began to continue its uranium enrichment programs without generating reports for the public or any other state-actor. By 2009, the United States and Israel collaborated in the collection of intelligence on Iran, as both countries have a shared socio-political motivation to denuclearize Iran and provide stability in the region, which provided the framework for a cyber strategic operation known as Stuxnet.
Malware created physical damage to critical infrastructure
Stuxnet, often referred to as the world’s first digital weapon, made it possible for malicious code to cause physical damage to an adversary’s critical infrastructure. The malware exploits a vulnerability in the Windows operating system which gave hackers the ability to remain undetected on infected computers while they compromise supervisory control and data acquisition (SCADA) and programmable logic controllers (PLCs). The code used automation to spread rapidly to many computers and security devices on Iranian networks. Although several theories exist regarding the initial installation of Stuxnet, many cybersecurity professionals assert that around a dozen government employees may have retrieved flash drives containing the malware and unknowingly infected computers when they tried to use them. Once the malware infects the PLCs, it changes the speed of centrifuges (which are already spinning at the speed of light) to an uncontrollable rate, which causes the physical destruction of the infrastructure.
Impact on Cybersecurity management
When details concerning Stuxnet were made available in the open source, it served as a network security resource for both public and private entities. Upper management at government facilities and private companies need to develop policies which can prevent the installation and spread of malware, as well as identify and mitigate malicious code. Federal workers with managerial roles assisted the last four Presidents of the United States on cybersecurity policies, dating back to the mid-late 90s during the Clinton administration. After the terrorist attacks on the World Trade Center in 2001, President Bush established the Department of Homeland Security to provide support for domestic acts of terror, including providing additional resources during cyberattacks on networks in the United States. The Department of Defense also featured a military division, US Cybercommand, which handles offensive cybersecurity efforts around the world on behalf of the Federal government. The concluding findings on Stuxnet indicates that state-actors would greatly benefit from the United States’ approach to establishing a communications network between DHS, DOD and other departments like the NSA and CIA in order to gather as much intelligence as possible on prospective threat agents. Private companies also develop and update cybersecurity policies on an ongoing basis in order to reduce or eliminate vulnerabilities to stop malware like Stuxnet from infecting company networks that can slow down or halt business operations. From a managerial perspective, using social engineering upper management can use training resources to increase the probability of employees not engaging in behaviors that compromise network security: using unidentified flash drives, conducting security maintenance on all computers, the use of encryption and other cybersecurity best practices. Introducing cybersecurity best practices into business cybersecurity policies indicates key areas in which companies can prevent or mitigate threat agents: update all anti-virus and anti-malware programs, ensure that operating systems receive ongoing maintenance in the form of updates and security patches, make sound decisions regarding firewall settings, include password requirements that recommend a collection of a variety of characters in order to make it more difficult for hackers to bypass authentication, determine specific rules on the appropriate use of technology, and use training methods to inform all employees.