WASHINGTON – The Obama administration is warning American businesses about an unusually potent computer virus that infected Irans oil industry – even as suspicions persist that the United States is responsible for secretly creating and unleashing cyberweapons against foreign countries.
The governments dual roles of alerting U.S. companies about these threats and producing powerful software weapons and eavesdropping tools underscore the risks of an unintended, online boomerang.
Unlike a bullet or missile fired at an enemy, a cyberweapon that spreads across the Internet may circle back accidentally to infect computers it was never supposed to target. Its one of the unusual challenges facing the programmers who build such weapons, and presidents who must decide when to launch them.
The Homeland Security Departments warning about the new virus, known as Flame, assured U.S. companies that no infections had been discovered so far inside the U.S.
It described Flame as an espionage tool that was sophisticated in design, using encryption and other techniques to help break into computers and move through corporate or private networks. The virus can eavesdrop on data traffic, take screenshots and record audio and keystrokes. The department said the origin is a mystery.
The White House has declined to discuss the virus. But suspicions about the U.S. governments role in the use of cyberweapons were heightened by a report in Fridays New York Times.
Based on anonymous sources, it said President Obama secretly had ordered the use of another sophisticated cyberweapon, known as Stuxnet, to attack the computer systems that run Irans main nuclear enrichment facilities. The order was an extension of a sabotage program that the Times said began during the Bush administration.
Cyberweapons are uncharted territory because the U.S. laws are ambiguous about their use, and questions about their effectiveness and reliability are mostly unresolved. Attackers online can disguise their origins or even impersonate an innocent bystander organization, making it difficult to identify actual targets when responding to attacks.
On the Internet, where being connected is a virtue, an attack intended for one target can spread unexpectedly. Whether a cyberweapon can boomerang depends on its state of the art, according to computer security experts.
On that point, there are deep divisions over Flame.
Russian digital security provider Kaspersky Lab, which first identified the virus, said Flames complexity and functionality exceed those of all other cybermenaces known to date. There is no doubt, the company said, that a government sponsored the research that developed it.
Other experts said it wasnt as fearsome. Much of the code used to build the virus is old and available on the Internet, said Becky Bace, chief strategist at the Center for Forensics, Information Technology and Security at the University of South Alabama.
You dont have to be a nation-state to have what it would take to put together a threat of this particular level of sophistication, said Bace, who spent 12 years at the National Security Agency working on intrusion detection and network security. Theres no secret sauce here.
Stuxnet was far more complex.
Still, Stuxnet could not have worked without detailed intelligence about Irans nuclear program that was obtained through conventional spycraft, said Mikko Hypponen, chief research officer at F-Secure, a digital security company in Helsinki, Finland. The countries with the motivation and the means to gather that data are the United States and Israel, he said.
The more intricately designed a cyberweapon is, the less likely it will boomerang. Stuxnet spread well beyond the Iranian computer networks it was intended to hit. But the collateral damage was minimal because the virus was developed to go after very specific targets.
When some of these super-sophisticated things spread, its bad, but it may not have the same impact because the virus itself is so complex, said Jacob Olcott, a senior cybersecurity expert at Good Harbor Consulting. Its designed to only have its impact when it finds certain conditions.