I am no expert on military strategy, but I do get that during an infiltration stage of operations, one wants to go unnoticed so that when one starts to actually make trouble, it’s a surprise. I also get that a primary objective of military activities is to disable enemy infrastructure, and that today, “infrastructure” includes functioning networks, secure data, and communications. So, with Stuxnet the U.S. (presumably) managed to disrupt Iranian nuclear infrastructure without firing bullets or landing troops. The lack of familiar conflict trappings may have made us less aware that the conflict was underway, but Iran did not miss the damage we inflicted, nor fail to understand it as an act of aggression.

So. You are Iran and you’ve just had your network infrastructure successfully attacked. Even though you and I are giving them lots of oil money[1] with which to build nukes, building nukes is inflammatory, easy to criticize, hard to hide, and just plain hard to do. Rather than keep dogging the nuke option, waiting years for it to be deployable, being hassled by everyone for doing so, and then figuring out the best way to use them (not a lot of good options here…), why not take inspiration from the attack you’ve just sustained, and pay a bunch of coders to launch a strike of your own? No messy shipments of centrifuges or uranium to explain, just a bunch of keyboards and wire. See if you can get into your enemy’s network, gain control without actually doing anything so they don’t notice, wait until you’re solid and for the right moment, and then, kabang!

It appears that this scenario may, in fact, be underway.

Security companies have an understandable reputation for making more of security threats than appropriate. There is, however, no doubt that they have uncovered, and helped resolve, significant threats. I am grateful, even if I do take their warnings with a byte of bits.

I hope that, if Operation Cleaver is even half as significant and effective as Cylance claims, uncovering it will lead to our ability to minimize its impact.

It also makes me wish that folks like the NSA had devoted more resources to tracking this kind of threat, and less to tracking my oh-so-interesting phone calls and whereabouts…

UPDATE: Just for fun, a map of internet-connected industrial control systems: power plants and such.

UPDATE: German blast furnace pwned, damaged

UPDATE: NYT on Russian hacking of U.S. election

  1. It doesn’t matter if we don’t buy oil directly from Iran, filling our big tanks with gasoline from anywhere keeps the price Iran and others are paid for their oil high.  ↩