Stuxnet has been in the news a lot lately, as it appears to have been an effective act of cyber-sabotage against a high-profile and high-stakes target: Iran's uranium enrichment facilities. Much of the focus in articles such as this New York Times piece has been on who was behind the attack and how effective it was at setting back the Iranian program. These are important and interesting questions, but no one seems to be talking about collateral damage.
Collateral damage? Yep. Here's the definition from the U.S. Air Force:
Collateral damage is unintentional damage or incidental damage affecting facilities, equipment or personnel occurring as a result of military actions directed against targeted enemy forces or facilities.
Setting aside the question of whether Stuxnet was military in nature, the basic principle still applies. Though the payload is narrowly targeted at the controllers driving uranium enrichment centrifuges, the designers needed a way to spread the worm around until it reached the Iranian facilities, which were not directly reachable from the Internet. The solution was to use typical malware techniques: Stuxnet propagates across local networks and via infected USB flash drives, and when it was first discovered it exploited four Windows zero-day vulnerabilities, making it an especially potent threat even to those keeping their software patched.
The result of using Windows-based malware to deliver the payload is that on the order of a hundred thousand computers that were not in Iranian nuclear facilities became infected and helped to spread the worm. Most of these were in Iran, with Indonesia and India the next most affected; infections were also recorded in the U.S. and many other countries. In other words, ordinary computer users took collateral damage.
Some might argue that, because the malware only delivers its malicious payload when it finds the specific industrial control systems it is looking for, most "infected" users were not, in fact, damaged. People making this argument are wrong. Imagine if someone sends an envelope containing white powder to a government facility. The white powder turns out to be flour, not anthrax. Was damage done? Of course! Although no injuries occur, there is still a cost: time is wasted, money is spent, people panic, and so on. The same is true of malware. Here are a few of the things that might happen if a typical user's PC becomes infected with Stuxnet:
- The user receives an anti-virus warning, leading to fear, confusion, and/or some of the actions below.
- The user takes their computer to a repair shop and pays to have the malware removed and/or to check for damage.
- The user loses valuable productivity time investigating the malware.
- The worm slips by the user's AV software, and the user's ISP later warns the user or disconnects the user's network connection for attempting to spread malware across the network.
Multiplied across large numbers of users, these effects add up to a substantial cost. There are also systemic side effects. Criminals can study and learn from the malware and reuse its techniques to steal money from unsuspecting consumers and businesses; the USB-borne shortcut (LNK) exploit that Stuxnet used to spread was, in fact, picked up by other malware families within weeks of its public disclosure.
As governments and private interests alike use ever-evolving digital means to undermine each other, it's inevitable that such collateral damage will continue to grow. The institutions behind these attacks must, for their part, be cognizant of this new type of damage, which (at least to me) feels very different from wartime physical damage. The rest of us, meanwhile, must continue to help the Internet ecosystem evolve such that it is more resistant to, and resilient in the face of, malware generally, whatever the malware's source.