On Friday, the Wall Street Journal reported that Stuxnet, the virus that targeted Iran’s uranium enrichment program and that is generally thought to have been created jointly by the United States and Israel, also infected the computer systems of energy giant Chevron. Although it breached Chevron’s security systems, the virus apparently did not cause any damage. Chevron discovered Stuxnet in its systems after Stuxnet’s existence was disclosed in July 2010, but has only publicly acknowledged it now. As a prior report noted, the infection is likely not limited to Chevron:
Chevron is the first U.S. company to acknowledge that its systems were infected by Stuxnet, although most security experts believe the vast majority of hacking incidents go unreported for reasons of security or to avoid embarrassment. The devices used in industrial equipment and targeted by Stuxnet are made by huge companies, including Siemens (whose devices were in use at Iran’s facility). Millions of these devices have been sold around the world, so potentially every industrial company that uses these devices, called programmable logic controllers, or PLCs, are at risk of being infected
Although cyber warfare is sometimes compared to nuclear warfare, especially with regards to proliferation and arms races, this incident suggests that the better analogy might be to biological warfare. As a 2009 National study by the National Academy of Science noted (pp. 298–99):
“Blowback” from biological weapons and from cyberweapons is an important concern. Blowback refers to the phenomenon in which a weapon loosed on an enemy blows back against the weapons user. A biological virus used by Zendia against Ruritania may, in an unknown period of time, affect Zendian citizens en masse. Similarly, a Zendian computer virus targeted against Ruritanian computers may eventually infect Zendian computers.
This appears to be exactly what happened in this case. As both the use and sophistication (especially the autonomous capabilities) of cyber weapons increases, it seems likely that blowback in cyber warfare will be an increasingly serious problem.
Update: Joel Brenner, who served as inspector general of the National Security Agency and as the national counterintelligence executive in the DNI’s office, and author of America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare, writes in with the following comment:
The press reporting on the Chevron “infection” has been misleading, suggesting that Chevron somehow suffered from Stuxnet. It’s pretty clear that the malware did not work — was programmed not to work — in any of the places to which it foreseeably but unintentionally spread. You should be explicit about this when you write about it. There will be blowback from Stuxnet, but the Chevron episode is not part of it. The blowback will come from the re-use of this malware by all sorts of people who could never have figured out how to engineer this seven-stage, multi-zero-day attack it in the first place, but who now have the blueprint for it.