As far as Mikko Hyppönen is concerned, the story of nation-state cyber attacks begins with Stuxnet. It is, he says, the moment when computer scientists lost their innocence by using malware for offensive purposes. As reported last June, Stuxnet was part of a collaborative intelligence operation between the United States and Israel that deployed the worm beginning in 2008 and engaged it for the next two years to destroy centrifuges at Iran's Natanz uranium enrichment plant.
Hyppönen (left), the widely respected chief research officer at Sweden's F-Secure, says what is often missing in this story is whether Stuxnet actually killed people. It could have, as scientists might have been in the control room when the centrifuges spinning at high speed with uranium exploded.
“The countries launching these attacks, they must have known at least the possibility of killing people with this malware was there, and they went ahead and did it anyway,” he says. “And when they did that, I think we crossed an important line.”
Crossing that threshold was discussed in the White House's Situation Room once Stuxnet escaped into the world on the internet in 2010, according to David E. Sanger of the New York Times, to whom the White House leaked the story. It was the first time the United States had repeatedly used cyber weapons to cripple another country's infrastructure.
Consequently, Stuxnet triggered an unregulated cyber arms races in which nation-states are the big players, developing malware to use against other nations or their own citizens. Though short of cyber war, Hyppönen expects this activity to intensify in 2013 – and with more leaks to confirm the attacks, and from countries which haven't been active so far.
“It's quite clear that we have entered a new era of cyber arms race,” says Hyppönen. “And it's only going to get more and more active.”
There is presently no international treaty or agreement restricting the use of cyber weapons, which can be used for anything from espionage to disrupting a country's infrastructure or banking sector. Each government argues that it must join the race or lose, but the issue raises serious questions regarding attack versus defense, most notably in the United States, which, according to experts, has the best cyber offensive capabilities, followed closely by Russia, with China a remote third.