Andreas Thrane

My personal blog about SEO, Web, Science, Art and Thinking

Can a computer virus be good?

Do you remember the Stuxnet virus that last year attacked the Iranian nuclear program and made several parts of the industries and government commissions around the world tremble?

Now it seems that the infamous computer virus – apart from the attack on Iran's upcoming nuclear power – had more lasting effects than just making the newspaper headlines for a while. New Scientist and The Register have reported that the virus has recently prompted several international security researchers to publish their analyses of the vulnerabilities in the software in question, the so-called SCADA programs, with the intention of urging the producers of the software to close the security holes in the programs as soon as possible.

Some of these researchers claim that they have found at least 34 holes in the programs, and that they are likely to find even more. Among the most vulnerable software programs are those of Iconics of Foxborough in Massachusetts, the well known German company Siemens, as well as of the company 7-Technologies in Denmark.

The SCADA programs

SCADA is an acronym for supervisory control and data acquisition. SCADA systems consist (mostly) of Windows-based programs that act as front ends to the computers (called programmable logic controllers, or PLCs) that control equipment on the factory floor in industry.
This makes it possible for the SCADA programs to monitor and control industrial processes (such as power generation and fabrication), facility processes (for example in public buildings, airports and space stations) and infrastructure processes (for example oil and gas pipelines, electrical power transmission and large communication systems).

The possible threat against civic society

Stuxnet was a new computer virus in the sense that it was the first virus to include a programmable logic controller rootkit designed specifically to infect the PLC by subverting a specific software application (Step-7 application) used to reprogram the devices of the PLC. By this subversion, combined with the attack on the Windows operating system, the Stuxnet virus is able to manipulate processes facilitated by the SCADA program.

One easily understands the concern among several government commissions around the world: if they succeeded in obtaining remote control over the SCADA programs, Stuxnet attackers could not only disturb the Iranian nuclear ambitions, but also severely damage the infrastructure of civic society in other parts of the world if the virus fell into the wrong hands.

A political virus?

However, the civic approach was not the most prominent one when the virus was first reported in mid-June 2010 by the security company VirusBlokAda and became known to the broad international public about a month later. Among the most affected countries were the United Kingdom, the USA, Indonesia, India and Australia, but the country that took all the attention was Iran.

This was not only due to the fact that 60% of all attacks were perpetrated against Iran, as reported by Symantec Corporation, but primarily because of the objects of the attacks. For it appeared that the attacks were not perpetrated against pipelines, wind farms, communication systems or public buildings, i.e. against civic targets. No, the attacks were apparently perpetrated directly against Iranian organizations working on the enrichment of uranium that can be used to produce a nuclear bomb.

As it turned out, this was enough to create the first suspicion among security experts that the virus was not the work of individuals, but the work of an extremely capable and powerful institution, such as a whole state. It soon became clear that – regardless of who was the mastermind behind the virus – it was in no way ordinary malware.

The state connection

There is a remarkable thing about how the virus is made.

Not only is it unusually sophisticated and complex, written in different programming languages, including C and C++, and attacking its object on three levels: the Windows operating system, the PLC and the Step-7 application. It is also made in a way that does not harm other computers to the same extent that other malware normally would. It contains, for example, safeguards to prevent the virus from spreading to more than three computers from the infected computer, and it contains self-destructive code that makes it erase itself in 2012.

Such carefulness is unusual in the malware world, where destructiveness is normally reserved for the target, not the malware itself. This, combined with the fact that the virus has required more work and more resources than any other malware in history, with an estimated team of up to 30 highly specialized people working on it for at least half a year, has given some experts one more reason to think that the virus can only have been produced by a very strong institution of the size of a state.

The question is, of course, which possible state has produced the virus – if we presume that it is a state.

The American connection

It is almost impossible to think of a complex intelligence operation perpetrated against an Arab country which does not include the United States among the usual suspects. However, the reason why some researchers have pointed to the United States as a possible mastermind of the Stuxnet virus is not geopolitical paranoia, but the self-destructive code in the malware. The fact that the virus contains self-destructive code could be an indication of the juridical ramifications that intelligence agencies have to live with when they operate within the frameworks of the Western democracies. Furthermore, it is presumed that the United States already has experience with sabotaging SCADA programs, since it apparently sabotaged a SCADA program in the former Soviet Union during the Cold War. Not to mention an otherwise secret document released to the public by the controversial organization WikiLeaks which allegedly shows that the United States was advised to reduce Iran's nuclear capacity through so-called “covert sabotage”, which is commonly interpreted to be an attack perpetrated with malware.

The Israeli connection

From a geopolitical point of view, Israel would be a natural guess when searching for the Stuxnet mastermind, and therefore it is no surprise that another commonly held theory points to the state of Israel as the perpetrator of the cyber attack. But there is less agreement on how Israel could be involved. Some think Israel made the virus with technical support from the United States and possibly tested the virus on P-1 centrifuges provided by the United States which – allegedly – received the P-1 centrifuges from Libya's former nuclear program. Others claim that the State of Israel did the job itself. Among the experts supporting the latter theory, it is considered likely that Israel is technically capable of producing a virus of the quality and complexity which characterizes Stuxnet without any help from the outside – and the theory gains an esoteric charm when it is claimed that two codes in the virus, MYRTUS and 24 September 2007, allegedly point to Israeli contexts, as well as the number 19790509 that could point to a historically traumatic murder of a Jew in Tehran. However, there is no agreement about how to interpret these codes, and the overall picture does not get any simpler when not only the United States and Israel, but also Russia, France and Jordan are mentioned as possible creators of the Stuxnet virus.

The mark of an intelligence agency mission

Personally, I am quite sure there is a state involved in this affair, which also means there is an intelligence agency involved. And – as we all know – this makes it increasingly difficult, if not impossible, to find the origin of the virus, since an important part of the job of any decent intelligence agency is to create false traces and misleading signs. So, in the end it all boils down to three premises:

  1. Who has most motives for trying to destroy the Iranian nuclear program
  2. Who has the capability (technologically and financially)
  3. Who is willing to take the several risks that come with an operation like this

An operation like this does not only include the risk that the origin of the virus is revealed, but also – as we have seen – the risk that the virus would be misused to cause severe damage to civic facilities. However, I think that the self-destructive code in the virus is a good argument for the theory that a Western country is involved, even though it has to be said that – in theory – it could as well be a precautionary way to try to prevent the virus from getting out of control (even if it is impossible). I would also expect both Israel and the United States to be involved in some way or another.

The future cyber war

Whatever may be the origin of Stuxnet, the fact is that the virus so far only managed to reduce the capacity for enrichment of uranium by 30% in one of the central Iranian production facilities during the last year, and apparently the overall capacity of the centrifuges in Iran increased by about 60% in 2010, compared with the year before. So if the goal was to obstruct the Iranian enrichment of uranium, the mission failed. If the mission was to slow it down, and to experiment with a sophisticated way of controlling and manipulating industrial processes for political purposes, the mission was a success.

However, I think the case is interesting, not only because of its technical uniqueness, which involves malware of – until now – unknown complexity, but also because it indicates what the battlefield in cyberspace between nation states will look like in the future. In fact, the cyber war already started long ago, and the only reason we do not receive more news about it in public is its invisibility in our everyday life, the strong influence of the intelligence agencies, and the fact that the cyber weapons reach far beyond the well-known frames of conventional war.

It is well known that China, for example, has perpetrated huge cyber attacks on the American military data systems as well as on NATO and the EU for a long time. It is perhaps less known that American security experts are intensely trying to defend themselves against the apparently overwhelmingly capable Chinese cyber army, using – among other techniques – vulnerable programs that invite the aggressive Chinese internet soldiers into a kind of cyber ambush, following their path back to their own terrain. It is a fight that is increasingly difficult for Western nation states like the USA and England, as they use a proportionally much bigger part of their cyber resources trying to prevent terrorist attacks from Arab terrorists, while China – being less exposed to that kind of threat – has been able to put its enormous technological and economic powers into programs that launch a ceaseless chain of world-class cyber attacks on Western institutions. In this respect, China also takes advantage of the development plan of the former Chinese leader Deng Xiaoping, launched in 1986, which aimed at giving China a technological boost and a future front position on the international cyber scene.

But the case is also interesting because we are now confronted with civic considerations in a way that we are not used to. Much like the dilemma we are exposed to when it comes to conventional war, questioning the damage to civic institutions in order to defend values that are defined by the very same institutions, we now have to consider whether we can accept the civic consequences of a possible misuse of a complex and highly sophisticated virus like Stuxnet that was most likely developed to reduce a geopolitical threat.

Which leads us to the preliminary question in this post: Can a virus be good?

Personally, I believe it can, or better put: I think that a computer virus can be in the service of the good, just as any other humanly created weapon. But the Stuxnet virus confronts us with a problem that is as old as the axe or the knife and that has only grown bigger and more complex with the development of modern technologies, such as the nuclear facilities and the internet.

Being passionate

One day, when I was about ten years old, our teachers took us to the local church, only 5 minutes' walk from our house. We lived on the top of a hill, with the village lying beneath us, separated by huge wheat fields, and the church was at the bottom of the hill, placed beside a small lake (on which we went ice skating in the winter and caught newts and frogs in the summer), and surrounded by old chestnut trees. It was a small, white church with a red roof, built in the Nordic, Protestant tradition, and it had won a certain reputation for its remarkable lime paintings in the roof – which were supposed to scare the church guests from thinking of sinful things during the worship – and for hosting the grave of the controversial 18th century writer, Agnes Henningsen, who was raised near our village, and who later – in spite of her highly emancipative and provocative texts – became the only female member of the Danish academy, besides the most well-known female writer in our country of all times, Karen Blixen.

It was not the first time that I entered the church, but it was the first time that I remember sitting down on the solid, hazel-colored benches, looking up at the cross with the Son of the Lord. I had not been baptized, unlike my classmates, and since my parents defined themselves (though somehow confusingly, as I was later to find out) as atheists, I had very little experience with the Protestant liturgy – and even less with the Protestant symbols.

The sight of the suffering Son of the Lord on the cross, put on the gable of the church ship, partly hidden in the shadows that seemed to creep from every corner of the ship, thus made a tremendous impression on me. I was almost unable to look at the cross, and the suffering man who was nailed to it, shocked by the unintelligible pain it radiated. I still remember the head turning down to one side, distorted and incredibly pale; the crown of thorns, that caused small rivers of blood on the forehead and on the cheeks; and the emaciated and sprained body with small wounds between the ribs. And I remember the most remarkable thing among those iniquities, the thing that made me turn my head towards the walls of the ship during most of the worship, desperate to get out of the church and back to the boring, but comfortable classrooms, only two kilometers from the village: the nails that were beaten through the palms and the insteps (that were somehow, with an even higher degree of unintelligible obtuseness, put on top of each other).

I do not remember anything else from this day. Only this sight of the suffering Son of the Lord that changed my concepts of pain forever. And then the inevitable puzzle: Why was I the only one that turned my eyes away? How could my classmates endure this dreadful sight? Could it be because they were baptized, unlike me? And how could anyone be that cruel that they had beaten nails through palms and feet?

Passion as pain

The word passion is originally a Latin word, derived from the verb patior, meaning “I suffer” – a meaning that has been fully elaborated in the Christian mythology, where the passion of Christ, leading up to the crucifixion, took the word to its semantic roots, if it did not indeed make up those semantic roots. Even in the Germanic transformations of this word it has preserved its relation to the semantics of suffering: In German it is called Leidenschaft, in Danish lidenskab and in Norwegian lidenskap – where the prefix Liden- is a derivation of the verb lide; to suffer.

The etymology of the word, as well as its cultural history within the Christian world, could indicate that the semantics of passion were related to ethical and religious desires before it became a description of strong emotional (or erotic) desires for other persons or objects. However, I am not an expert on either etymology or the history of ideas, so I will restrict myself to the observation that passion is conceptually related to some sort of suffering and that it has had at least two significant cultural meanings: one that is related to the Christian mythology – and which stresses the desire to fulfill the moral obligation of man towards God – and another that highlights the desires of the body or the soul for another person or an object.

In Dostoyevsky's book The Idiot those two concepts of passion are described and counterposed – and indeed in a very passionate way. Dostoyevsky wanted to write a book about the ethically perfect human being (“The Idiot”), following the tradition of the biblical legend about Jesus Christ and Cervantes's fairy tales about Don Quijote. While Prince Myshkin, the protagonist of the book, embodies the Christian passion for the good, Rogozhin, being his envious and yet brotherly related opponent, is the incarnation of the passion that is directed towards another person: his intense and almost burning desire for the femme fatale of the book, Nastasya Filippovna.

Just as in the case of the Christian concept of passion, Dostoyevsky relates passion to suffering, since the intense passions of the two main figures of the book (one being intensely ethical, the other being intensely amorous) lead one of them to death and the other to insanity.

But do we have to stick to this painful interpretation of passion – or can we, while being loyal to the ethical core of passion, start creating a new concept of passion that is founded in joy?

Passion as joy

Being passionate implies an inherent vulnerability that equals the vulnerability of life. But it is also this inherent vulnerability that leads to the profound joys and insights of passion. The deep caves of love for the universe and its creations come from this vulnerability that follows the human being from birth to death.

Passion is like a spring of fresh water: It renews everything that is around it. It gives persons and things a new twist, it adds new words to worn-out phrases; it makes old people dance and young people wonder with an old man's heart. Fighting its way from the ground and the feet, rather than the head, it gives birth to any creative powers that are truly new. I am sure that this is what Lorca meant when he talked about the duende.

Being passionate, one is sure to taste life as it tastes, without the distortion that comes from the many human pretensions that aim to hide what is given or taken. Being passionate, one forgives easier, because hate, anger and grudge disappear with the same natural power that made them rise: This makes it easier to love.

Or to say it in an even simpler way: Being passionate, one is only guilty of being alive!

Name

A poem

Every day she combed my hair
and called me Heaven

She smelled of roses and hot water
She said: You, my Heaven,
will always be mine!

She hold my hand
as if it was a bird
and put her soul
under my pillow
while sleeping

One summer's day she disappeared
with the comb in her hand
and remembered no longer my

name

Welcome to my new blog!

Welcome to my new blog dedicated to themes and issues that I am passionately interested in, such as SEO, the Web, science, art and thinking. The blog will be in English in order to reflect my cosmopolitan way of life, having lived in countries like Spain, Argentina, Guatemala and England, for shorter or longer periods, and presently living in Munich in Bayern (Germany).
This will also make it possible for my many international friends to read the blog, even though one can always doubt whether they would miss anything if they couldn't.