The New Virology

From Stuxnet to biobombs, the future of war by other means.

BY DAVID E. HOFFMAN | MARCH/APRIL 2011

Largely unseen by the world, two dangerous germs homed in on their targets in the spring and early summer of 2009. One was made by man to infect computers. The other was made by nature, and could infect man.

The man-made virus could invade a computer running Windows, replicate itself, wreck an industrial process, hide from human operators, and evade anti-virus programs. The natural pathogen could invade human cells, hijack them to replicate billions of copies of itself, and evade the body's immune system.

The man-made weapon was Stuxnet, a mysterious piece of computer malware that first appeared in 2009 and was identified more than a year later by Ralph Langner, a Hamburg-based computer security expert, as a worm designed to sabotage Iran's nuclear-enrichment facilities. The natural pathogen was the swine flu virus, which first appeared in Mexico City in March 2009 and touched off a global pandemic.

In the physical world, they have nothing in common. Stuxnet is computer code, bits of binary electronic data. The swine flu virus is a biological organism, a unique remix of genes from older influenza viruses. But they share one fundamental characteristic: They spread themselves and attack before their targets know what is happening. And in that way, they offer a glimpse of a rapidly evolving class of dangerous threats that former U.S. Navy Secretary Richard Danzig once described as instruments of "nonexplosive warfare."

When Danzig first raised the concept in 1998, an Internet bubble was mushrooming, terrorist cult Aum Shinrikyo had attacked the Tokyo subway with sarin gas, and there were fresh disclosures about the vast, illicit biological-weapons program built by the Soviet Union. What has happened since then? Cyberattacks have grown in intensity and sophistication. The technology for manipulating biological organisms is advancing rapidly. But these potentially anonymous weapons continue to perplex and confound our thinking about the future of war and terrorism.

Both cyber and bio threats are embedded in great leaps of technological progress that we would not want to give up, enabling rapid communications, dramatic productivity gains, new drugs and vaccines, richer harvests, and more. But both can also be used to harm and destroy. And both pose a particularly difficult strategic quandary: A hallmark of cyber and bio attacks is their ability to defy deterrence and elude defenses.

Think of it this way: The most sophisticated cyberattacks, like Stuxnet, rarely leave clear fingerprints; bioweapons, too, are famously difficult to trace back to a perpetrator. But the concept of deterrence depends on the threat of certain retaliation that would cause a rational attacker to think twice. So if the attacker can't be found, then the certainty of retaliation dissolves, and deterrence might not be possible.

What would a president of the United States say to the country if thousands of people were dying from a disease or trapped in a massive blackout and he did not know who caused it? A ballistic missile leaves a trajectory that can indicate its origins. An airline hijacker might be caught on video or leave behind a ticket or other telltale clue to his identity. When someone is shot with a weapon, the bullet and firearm can be traced. Not so for many cyber and bio threats.

Moreover, as Danzig pointed out, armies are of little use against such dangers, and neither the production nor delivery of such weapons requires large, expensive systems. They are accessible to small groups or individuals, and can hide under the radar.

So how to think about this? Recently, the Pentagon commissioned one of its most prestigious research advisory groups, JASON, to study the science of cybersecurity. One of the panel's recommendations for dealing with threats: Draw lessons from biology and the functioning of the human body's immune system. When it sees a dangerous pathogen, part of the immune system is adaptive and can resist the invader even if it has never seen the agent before. What computers might need to counter this new warfare is something similar, a "learning algorithm" that would allow them to adapt and resist when a bug like Stuxnet comes sneaking around -- as it surely will.

ILLUSTRATION BY MATTHEW RICHARDSON FOR FP

 SUBJECTS: NUKES
 

David E. Hoffman is a contributing editor to Foreign Policy and author of The Dead Hand: The Untold Story of the Cold War Arms Race and Its Dangerous Legacy.

CLIFFORD7777

11:01 PM ET

February 21, 2011

The New Virology

Damn well said, and spot on.

 

TOM HOLSINGER

8:11 PM ET

February 22, 2011

Deterrence by Denial

This issue was addressed long ago in a Defense Department publication whose titlle I forget. The publication's conclusion was that the only effective defense was what it euphemistically called "Deterrence by Denial", as in deterrence by denial of the means of attack by adversaries. By which the author meant pre-emptive genocide of the usual suspects.

I also suggest you get the advice of science-fiction authors, and that is not facetious. They are far, far more knowledgeable concerning all sorts of scientific knowledge than near-future technothriller writers.

As an example, ask John Barnes (author of Directive 51) about what really scares him. Bathtub biowar it isn't. I can give you his address. You could also go to the Baen Books forum and directly ask science-fiction authors about these matters.

 

CSERAPH

2:43 AM ET

February 26, 2011

This is a very weak article.

This is a very weak article. The fact that a low-probability catastrophic event (nuclear terrorism) has not happened yet does not mean it isn't an important issue to monitor and prepare for.

As has already been pointed out, regrown forests are nothing like the old-growth rainforests they replace, having radically different and less diverse ecosystems.

The lack of understanding displayed by the author of the issues I personally have background doesn't bode well for the handling of issues I don't. The 'joke' about obese teens with nukes was also in very poor taste.

Shame on you for publishing, FP.

 

CSERAPH

2:44 AM ET

February 26, 2011

Oops, put on the wrong

Oops, put on the wrong window! please delete if possible.

 

MATC

12:23 AM ET

February 28, 2011

My memoiries of SARS

As a Chinese, I can still recall my memories of Severe Acute Respiratory Syndrome in 2003. It was a tense social mobilization in China. Governments set up routines and separate people into groups. As a 18 years old, my class is cancelled for two weeks. The SARS incident has left some measures still exist today. One of them is every passenger crossing the customs must go through the heat spectator.

 

HURRICANEWARNING

7:49 PM ET

February 28, 2011

I was under the impression

I was under the impression that according to top health officials and scientists; Biowar, as practiced by non-state actors would be VERY ineffective. It would have initial effectiveness, but without the type of expensive, time consuming, and expertise laden bio-engineered viruses only generally available to states, terrorists would be left with alternatives that would kill on a city or town level, but might not go beyond that. i could be wrong...I still think a dirty bomb planted in a important financial hub, or governmental facility would be a far more dangerous, plausible , and frightening scenario. I also believe one of the experts on another article on FP stated that a "nuclear car bomb" would be the weapon of the future...that idea alone, is enough to make ones blood run cold. All I know is, conventional wisdom is nearly always wrong. I.E. if people are saying that this is the generation of virology, it will probably end up being something verry different, and usually less complex. Example: IED's. Probably one of the top ten most effective tools of warfare ever devised...and, we never saw it coming.

With regards to Cyber war, I'm fairly certain that no matter what are enemies capabilities are...we are better, and we have a level of deterence that is absolutely massive. The NSA is by far and away the largest and best funded intel org. on the planet, and it is soley dedicated to signals intel (computers, phones, email etc) . Bottom line, anything they can do, we can do better...much better. Look at Stuxnet for proof.

Im not worried about what we see coming, I'm worried about what we dont see coming, or where we lose focus.

 

KOHAN JILI

1:57 PM ET

March 19, 2011

The publication's conclusion

The publication's conclusion was that the only effective defense was what it euphemistically called "Deterrence by Denial", as in deterrence by denial of the means stavkove kancelarie of attack by adversaries. By which the author meant pre-emptive genocide of the usual suspectsI also suggest you get the advice of science-fiction authors, and that is not facetious. They are far, far more knowledgeable concerning all sorts of scientific knowledge than near-future technothriller writers.As an example, ask John Barnes (author of Directive 51) about what really scares him. Bathtub biowar it isn't. I can give you his address.