Stuxnet: Computer worm opens new era of warfarehttp://www.cbsnews.com/8301-
The most pernicious computer virus ever known wasn't out to steal your money, identity, or passwords. So what was the intricate Stuxnet virus after? Its target appears to have been the centrifuges in a top secret Iranian nuclear facility. Stuxnet showed, for the first time, that a cyberattack could cause significant physical damage to a facility. Does this mean that future malware, modeled on Stuxnet, could target other critical infrastructure -- such as nuclear power plants or water systems? What kind of risk do we face in this country? Steve Kroft reports.
The following script is from "Stuxnet" which originally aired on March 4, 2012 and was rebroadcast on July 1, 2012. Steve Kroft is the correspondent. Graham Messick, producer.
For the past year, the nation's top military, intelligence and law enforcement officials have been warning Congress and the country about a coming cyberattack against critical infrastructure in the United States that could affect everything from the heat in your home to the money in your bank account. The warnings have been raised before, but never with such urgency, because this new era of warfare has already begun.
The first attack, using a computer virus called Stuxnet was launched several years ago against an Iranian nuclear facility, almost certainly with some U.S. involvement. But as we first reported in March, the implications and the possible consequences are only now coming to light.
FBI Director Robert Mueller: I do believe that the cyberthreat will equal or surpass the threat from counterterrorism in the foreseeable future.
Defense Secretary Leon Panetta: There's a strong likelihood that the next Pearl Harbor that we confront could very well be a cyberattack.
House Intelligence Committee Chairman Mike Rogers: We will suffer a catastrophic cyberattack. The clock is ticking.
And there is reason for concern. For more than a decade, the U.S. military establishment has treated cyberspace as a domain of conflict, where it would need the capability to fend off attack, or launch its own. That time is here. Because someone sabotaged a top secret nuclear installation in Iran with nothing more than a long string of computer code.
Ret. Gen. Mike Hayden: We have entered into a new phase of conflict in which we use a cyberweapon to create physical destruction, and in this case, physical destruction in someone else's critical infrastructure.
Few people know more about the dark military art of cyberwar than Retired General Michael Hayden. He's a former head of the National Security Agency and was CIA director under George W. Bush. He knows a lot more about the attack on Iran than he can say here.
Hayden: This was a good idea, alright? But I also admit this was a really big idea too. The rest of the world is looking at this and saying, "Clearly someone has legitimated this kind of activity as acceptable international conduct." The whole world is watching.
The story of what we know about the Stuxnet virus begins in June of 2010, when it was first detected and isolated by a tiny company in Belarus after one of its clients in Iran complained about a software glitch. Within a month, a copy of the computer bug was being analyzed within a tight knit community of computer security experts, and it immediately grabbed the attention of Liam O Murchu, an operations manager for Symantec, one of the largest antivirus companies in the world.
Liam O Murchu: As soon as we saw it, we knew it was something completely different. And red flags started to go up straightaway.
But General Hayden did acknowledge that there are all sorts of potential problems and possible consequences that come with this new form of warfare.
Hayden: When you use a physical weapon it destroys itself, in addition to the target, if it's used properly. A cyberweapon doesn't. So there are those out there who can take a look at this, study it and maybe even attempt to turn it to their own purposes.
Such as launching a cyberattack against critical infrastructure here in the United States. Until last fall Sean McGurk was in charge of protecting it, as head of cyber defense at the Department of Homeland Security. He believes that Stuxnet has given countries like Russia and China, not to mention terrorist groups and gangs of cybercriminals for hire, a textbook on how to attack key U.S. installations.
Sean McGurk: You can download the actual source code of Stuxnet now and you can repurpose it and repackage it and then, you know, point it back towards wherever it came from.
Kroft: Sounds a little bit like Pandora's box.
Kroft: Whoever launched this attack--
McGurk: They opened up the box. They demonstrated the capability. They showed the ability and the desire to do so. And it's not something that can be put back.
Kroft: If somebody in the government had come to you and said, "Look, we're thinking about doing this. What do you think?" What would you have told them?
McGurk: I would have strongly cautioned them against it because of the unintended consequences of releasing such a code.
Kroft: Meaning that other people could use it against you?
Kroft: Or use their own version of the code?
McGurk: Something similar. Son of Stuxnet, if you will.
As a result what was once abstract theory has now become a distinct possibility.
Kroft: If you can do this to an uranium enrichment plant, why couldn't you do it to a nuclear power reactor in the United States or an electric company?
O Murchu: You could do that to those facilities. It's not easy. It's a difficult task, and that's why Stuxnet was so sophisticated, but it could be done.
Langner: You don't need many billions, you just need a couple of millions. And this would buy you a decent cyberattack, for example, against the U.S. power grid.
Kroft: If you were a terrorist group or a failed nation state and you had a couple of million dollars, where would you go to find the people that knew how to do this?
Langner: On the Internet.
Kroft: They're out there?
Most of the nation's critical infrastructure is privately owned and extremely vulnerable to a highly sophisticated cyberweapon like Stuxnet.
Sen. Susan Collins: I can't think of another area in Homeland Security where the threat is greater and we've done less.
After several failures, Congress is once again trying to pass the nation's first cybersecurity law. And once again, there is fierce debate over whether the federal government should be allowed to require the owners of critical infrastructure to improve the security of their computer networks. Whatever the outcome no one can say the nation hasn't been warned.