Warfare has always been a game of which opponent can be one step ahead of the other, and how to beat the competition with advancements that they are completely unaware of. Prior to 2005, most States were worried about physical manpower or the latest weaponry; however, the political tensions following the 9/11 attacks brought warfare to the cyber realm. Political tensions between Iran and the allies: the United States of America and Israel, led to the frontier of cyber-espionage, later declared the Stuxnet virus. Prior to developing how the virus came to be, it is crucial to identify what exactly the virus set out to achieve. Stuxnet has proven to be a pivotal moment in history, specifically in regards to post modernity. The events leading up to the Stuxnet epidemic have been questioned thoroughly; yet, scholars have yet to decide which factors were the most imperative in the case itself. There are a plethora of factors to take into consideration when contemplating cyber-espionage or cyber-terrorism, but I would like to further explore the role of data analysis, datification, and algorithmic citizenship in regards to all cyber-espionage situations but primarily, Stuxnet. In this essay, I will provide a critical explanation of the Stuxnet epidemic itself, continue by analyzing the role of datafication within this case, and further develop a hypothesis as to consequences this event has had on society’s online presence.
In the midst of 2010, a virus called Stuxnet rampaged through the power plants and fabrication factories all throughout the globe, but primarily centralized in Iran. Viruses are a normality in the modern world, especially in areas that are extremely sensitive such as power plants and military bases. Nevertheless, the Stuxnet virus caused immediate concern because it was more profound and complex in comparison to any other virus that had been discovered in these locations. Some of the characteristics that identified it as a complex threat were that the virus could fluctuate and control the pressure within nuclear power plants, thus rendering them useless for development or turning them into an unstoppable super weapon. Some question how a virus could break into complex security systems as those in the Iranian power plants, and this can be answered in two words: zero days. Zero days are holes within security systems that the creators are unaware of, and the developers of Stuxnet used these gaps to implement one of the most dangerous viruses ever seen. In Countdown to Zero Day by American journalist Kim Zetter, she addresses zero days as, “An exploit that attacked a function so fundamental to the Windows operating system, it put millions of computers at risk of infection” (Chapter 1). Given that the primary suspects for the creators of Stuxnet are the US and Israel, it is no surprise that a huge American company, Microsoft, was exploited to build this cyber weapon. The Stuxnet virus was essentially implemented in three steps. First, it examined and isolated Windows services and computer networks in order to have a location to implement the worm. The worm thus embedded itself within the machines and began to make copies of itself. In the next step, the virus dug deeper into a specific Windows system called, Siemens Step7 Software. The reason the specific software is of importance is because it uniquely attacked a software system typically used by industrious networks, and indeed used by the Iranian nuclear power plants. The final step of the process was the worm successfully gaining access to the power plants and thus being able to stop operations from continuing. Professor Yasan Hassar of Carnegie Mellon University best depicts the process of the Stuxnet infiltration as stated previously, it had been clear from the beginning that Stuxnet was not an average virus, and the replication process is what determined it to be so unique. Even after the virus had spread on the computer through software, the damage did not stop there. Any USB device that had been plugged into an infected computer consequently became infected as well. In regards to this function of the virus, Jon R. Lindsay in Stuxnet and the Limits of Cyber Warfare states, “[Stuxnet is] the harbinger of a new form of warfare that threatens even the strongest military powers” (5). Again, this process is unique to Stuxnet and this is crucial in order to comprehend why this is so much more than a virus. It was a pivotal moment in history that had the potential to unleash another world war at the click of a button.
Now that the basis of Stuxnet is understood, it is imperative to explore a few in depth questions mainly regarding how a virus of this scale was even conceivable. How exactly did the creators of Stuxnet get enough information to find the zero days within the security system and what had to be sacrificed to do so? The answer lies within the simplistic process of datafication. Through the employment of datification, Stuxnet developers were able to continuously watch and collect information about people related to the target areas. With this information, they were able to lock onto specific zero days, and to infiltrate the power plants in the most efficient ways. Yet, what exactly is datafication? Datafication is the transformation of social action into online quantified data. Everything that used to seem frivolous, such as brushing your teeth or clicking on a product on Amazon, are all now fragments of code that represent who we are to the online world and those who monitor it. Essentially it encompasses the idea that anything we do online, or in social activities can then be converted into numbers and data that people or agencies can then use in their favor. In Big Data: a Revolution that Will Transform How We Live, Work and Think Mayer-Schönberger and Cukier assert, “the ability to record information is one of the lines of demarcation between primitive and advanced societies” (136). This entails that this process is one that is changing the world, one that has the potential to benefit and assist us. On the other hand, it is a process that we are not entirely aware of yet and the consequences could be detrimental, as they were predicted to be with the Stuxnet virus. Datafication was the funnel for the Stuxnet events, it gave the creators a whole pool of people who had relations with their target and narrowed them down to those that could help the most. With this data, the virus was able to attack the target centrifuges in Iran; however, it also infected a plethora of other countries. Countries and citizens all over the globe have been subject to datafication whether they know it or not, and this process was crucial to the successful execution of Stuxnet.
Following datafication, there is another process that proved to be detrimental to the implementation of the Stuxnet virus. This was algorithmic citizenship. This is one of many results that can be derived from datafication and was an extremely beneficial tool for the creators. Algorithmic citizenship is a specific term used within the National Security Agency for determining the citizenship of a person through their online presence. American Citizens could have their passport at the ready and their social security on guard; however, this does not matter and in the online world it classifies absolutely nothing. The NSA has determined that the employment of this online algorithm is better to determine a person’s true citizenship regardless of documentation or tangible history. Given that the US and Israel were allies in this fight against Iranian nuclear systems, it is no surprise that the NSA concocted a process to determine where a person is from just from coding and online histories. In fact, John Cheney-Lippold in We Are Data emphasizes, “our algorithmic identities will certainly impact us in ways that vary according to our own social locations ‘offline’ which are likewise determined by classifications that are often not of one’s choosing but which operate according to different dynamics from their algorithmic counterparts” (14). This insinuates that we are no longer limited to our physical selves to determine what we like or grander things such as our citizenships. We are moving forward with technology and Stuxnet capitalizes on this. Though the process is extremely similar to that of how Darwin classified animals in order to realize evolution. There is a group of subjects and then we developed a way to classify them. The authors of Exploring Animal Social Networks state, “If the population we plan to study is very small, it may be possible to mark and monitor all individuals, giving us potentially complete information on the social structure” (19). This is what the ultimate goal of Stuxnet was, to identify holes or weak links and then capitalize on them to understand the structures, both social and physical, of the Iranian nuclear power plants. In the past years, algorithmic citizenship has become another way people define themselves and with programs such as Citizen Ex, it is simple for one to identify themselves the way the NSA and Stuxnet developers did. The developers of the virus acknowledged that there is boundless information available to them if they simply organize it. That is the true beauty and consequent danger of this cyber weapon. The process itself was immensely effortless, yet it had almost a cataclysmic result and it should be considered a huge facet as to how the creators of Stuxnet fabricated such a complex and new type of virus.
Given that the Stuxnet virus was used to survey and target supervisory control and data acquisition systems, it should be evident that the use of data was imperative in order to carry out this attack. The data of both US/Israeli and Iranian parties were essential to creating the virus as explained in the previous sections; however, it is vital to comprehend how they employed these tools. As stated prior, the allies used Microsoft Windows to collect and analyze data prior to fully releasing the virus. The main attacking machine used by the US and Israeli party was an operating system that most citizens are aware of and use avidly. This made for an impeccably easy way of collecting information regarding the opponent. Therefore common user data was caught in the crossfire of a new form of cyber battle and could be employed or exploited at any time for the benefit of those in charge. Moreover, Stuxnet was a virus that was intentionally created to invade and control certain systems in order to shut down the Iranian nuclear program. Therefore, it is obvious that the agencies involved will not stop to contemplate the ethical circumstances and have no regard of the privacy conflicts that may arise. In any conflict, especially on the international level, three basic questions must be answered: What conflict is this? Who is involved? And if we act, who will get hurt? However, given the recency of this new frontier of warfare, no one entirely knows the answers to these questions. The prime principles of “necessity, distinction, and proportionality with regard to autonomously spreading computer programs are collectively a large area of concern”. The unfortunate reality is, is that we are not informed enough as a general public to prevent or even be aware of these types of attacks. Therefore, the employment of such a common software essentially had the data served on a silver platter for the developers. They only had to decide which equation to put the data in and from there on, the virus took control and did what it was designed to do.
Now that the developers have the information and the Stuxnet epidemic has occurred, what are the people supposed to do? Many concerned citizens now have begun to protect themselves online and on technology in general, through multiple security softwares or general protection services. However, the people cannot protect themselves from the power of the government and ultimately it is up to the government to create and enforce certain restrictions regarding the privacy invasion of its citizens. They must value the protection of their data instead of using it to enforce or encourage their own agendas. In regards to national securities and governments, countries have been “turning their attention to the development of doctrine, policies, and institutions necessary for cyber offensive operations”. However, there is no feasible result as of yet. This is increasingly concerning because the world witnessed how far a government would go in the name of war i.e. invading privacy with no information, taking data and using it without consent, and exploiting the innocent to hurt the opponent. Though these are not new revelations in the realm of war, given that the world has so much more to learn about technology and its potential, it is a terrifying thing to imagine. To have your freedom exploited and developed into a cyber weapon is something that sounds to be straight out a sci-fi movie; however, with modern technology, this is exactly what is happening.
Moreover, on the citizens behalf, there has been a general confusion given that no party has fully owned up to the events that occurred during the Stuxnet epidemic. Obviously there is a lot of evidence pointing to the US-Israeli alliance; yet, no government has completely admitted to the event. However, no matter who started developing the virus or who attacked who, this pivotal moment has caused people to rethink their online presence. As stated previously, general anti-viruses cannot protect the citizens from government intervention and since a lot of the facets of the case remain unknown, many citizens do not know how to react or how to protect themselves from such exploitation. Many believe that hackers are a huge issue facing anyone and anything that is related to technology, but studies show that following the Stuxnet attack, many people began to get protection software due to a fear of malware. This entails that Stuxnet has shaped the direction in which people decide to go when it comes to protecting themselves on the internet or with technology as a whole. Though this is an incredible feat, there still remains a huge gap of information when it comes to the government and the public. Many governments continue to avidly decide to hide what is going on within the office and this in turn leads people to be afraid. The bigger issue with this is that fear does not always lead to knowledge. Many citizens are afraid and blindly make decisions to “protect” themselves, when instead they should become informed about what threats there actually are. This is where the government should step in and contribute to the public’s awareness of the expanding topic of technology and the dangers that come with it. This lack of information also leads to the public deciding that certain dangers exist, when in fact, things are not as scary as they may seem. For instance, not all viruses are bad. They can be comparable to a simple bodily function such as mucus. Mucus creates a barrier to the outside world and is home to phages, a virus that can infect and destroy bad bacteria. This is exactly what some technological viruses do for our devices and ultimately to protect our data. As Jussi Parikka summarized in Digital Monsters, Binary Aliens – Computer Viruses, Capitalism and the Flow of Information, “Now the “virus” equals damage, it is easier to sell the idea of a “full spectrum” anti-virus product that would “kill them all”, with no distinctions. Instead, our work says that there are many types of viruses: good, evil, entertaining, boring, elegant, political,furious, beautiful, and very beautiful” (16). By bridging the information gap, the citizens would not only be aware of the dangers of the new technological era, but they would also be able to determine what aspects of it are actually detrimental for themselves. They would have to rely on the relaying of information or ambiguous proposals made by governments. The citizens would have control of how they present themselves and how their data would be employed.
In conclusion, Stuxnet genuinely paved the way for cyber warfare, cyber espionage, and cyber terrorism. Whether this is a good or a bad thing is debatable; however, the one thing that is certain, is that it gave the public an influx of knowledge regarding the future of technology. Though certain details remain unknown or ambiguous, it permitted a basic understanding of how the world is becoming ever more technological. We can no longer wait and be happy with slow moving results, with the technology that humanity has created, it is now time to anticipate the repercussions of such advancements. No one thought that a weapon completely made out of code was possible, and that it would actually succeed. However, this is precisely what Stuxnet achieved. Stuxnet, though ambiguous in certain areas, has set precedence for all malware following it. It also revealed to the public that their information is not as protected as the government may portray it. This has caused a tension between the citizens and their government, even beyond the countries involved. Datafication and new theories regarding security or privacy are the frontier in both cyber-espionage and cyber protection. This is the future and now it is time for all citizens to become informed before their data evolves into a facet of the next, potentially even more dangerous weapon in cyber warfare.
Acquisti, Alessandro, et al. “Predicting Social Security Numbers from Public Data.” Proceedings of the National Academy of Sciences of the United States of America, vol. 106, no. 27, 2009, pp. 10975–10980. JSTOR, www.jstor.org/stable/40483733.
Barrett, Danelle. “Cybersecurity: Focusing on Readiness and Resiliency for Mission Assurance.” The Cyber Defense Review, vol. 2, no. 3, 2017, pp. 15–22. JSTOR, www.jstor.org/stable/26267381.
Bridle, James. “Algorithmic Citizenship | Exposing the Invisible.” Algorithmic Citizenship | Exposing the Invisible, Creative Commons, exposingtheinvisible.org/films/algorithmic-citizenship/.
Bussing, Joseph. “The Degrees of Force Exercised in the Cyber Battlespace.” Connections, vol. 12, no. 4, 2013, pp. 8–14. JSTOR, www.jstor.org/stable/26326339.
Cheney-Lippold, John. We Are Data: Algorithms and the Making of Our Digital Selves. New York University Press, 2019.
COLEMAN, KEVIN G. “Aggression in Cyberspace.” Conflict and Cooperation in the Global Commons: A Comprehensive Approach for International Security, edited by SCOTT JASPER, Georgetown University Press, 2012, pp. 105–120. JSTOR, www.jstor.org/stable/j.ctt2tt578.13.
“Data Collection.” Exploring Animal Social Networks, by DARREN P. CROFT et al., Princeton University Press, 2008, pp. 19–41. JSTOR, www.jstor.org/stable/j.ctt7sfqv.5.
“Infrastructure Data Collection Process.” Characterizing National Exposures to Infrastructure from Natural Disasters: Data and Methods Documentation, by Anu Narayanan et al., RAND Corporation, Santa Monica, Calif., 2016, pp. 61–64. JSTOR, www.jstor.org/stable/10.7249/j.ctt1d9np0q.12.
Lindsay, Jon R. “Stuxnet and the Limits of Cyber Warfare.” Security Studies, vol. 22, no. 3, 2013, pp. 365–404., doi:10.1080/09636412.2013.816122.
Mayer-Schönberger Viktor, and Kenneth Cukier. Big Data: a Revolution. Houghton Mifflin Harcourt, 2013.
McCarthy, John A., et al. “Cyberpower and Critical Infrastructure Protection: A Critical Assessment of Federal Efforts.” Cyberpower and National Security, edited by Franklin D. Kramer et al., University of Nebraska Press, 2009, pp. 543–556. JSTOR, www.jstor.org/stable/j.ctt1djmhj1.28.
McGhee, James E. “Liberating Cyber Offense.” Strategic Studies Quarterly, vol. 10, no. 4, 2016, pp. 46–63. JSTOR, www.jstor.org/stable/26271529.
RID, THOMAS, and JOHN ARQUILLA. “THINK AGAIN: CYBERWAR.” Foreign Policy, no. 192, 2012, pp. 80–84. JSTOR, www.jstor.org/stable/23237859.
Segal, Adam. “Cyber Conflict After Stuxnet.” Council on Foreign Relations, Council on Foreign Relations, 2016, www.cfr.org/blog/cyber-conflict-after-stuxnet.
Statista. “Against Which Risks Did You Primarily Want to Protect Yourself When You Got Your Protective Software?.” Statista – The Statistics Portal, Statista, http://www.statista.com/forecasts/988108/main-reasons-to-purchase-protective-software-in-the-us.
Symantec. “Percentage of Stuxnet Infected Hosts by Country in 2010.” Statista – The Statistics Portal, Statista, http://www.statista.com/statistics/271110/stuxnet-infected-hosts-by-country/.
Topp, Neal W., and Bob Pawloski. “Online Data Collection.” Journal of Science Education and Technology, vol. 11, no. 2, 2002, pp. 173–178. JSTOR, www.jstor.org/stable/40188721.“What Is Postmodernity and How Does It Relate to the Culture Wars?” Society for US Intellectual History, SUSIH, 4 Nov. 2010, s-usih.org/2010/11/what-is-postmodernity-and-how-does-it/.