A cyberworm that knows no boundaries

Iran's announcement that a computer worm called Stuxnet had infected computers that controlled one of its nuclear processing facilities marked a signal event in cyber attacks. Although such attacks were known to be theoretically possible, the incident proved that a cyberworm could successfully infiltrate a system and produce physical damage. Furthermore, the sophisticated nature of the worm and the resources that would have been required to design, produce, and implant it strongly suggest a state-sponsored effort. It has become clear that Stuxnet-like worms pose a serious threat even to infrastructure and computer systems that are not connected to the Internet. However, defending against such attacks is an increasingly complex prospect. The nature of cyberspace ensures that the attacker has the upper hand and can move about with impunity and relative anonymity. The sophistication of virulent malware has also made it difficult to detect whether an intrusion has occurred, and attackers have a wide range of means at their disposal to gain access to networks, even those that are closed. Finally, bureaucratic and legal barriers can hinder the ability to mount a successful defense. Under the current framework, different organizations have different responsibilities and different levels of authority when it comes to investigating or defending against intrusions, depending on the nature of the attack, its geographic origin, and the systems it targets. In addition, there is a need to protect critical government and private-sector infrastructure in a way that does not infringe on civil liberties or proprietary data. The authors argue that new legislation is needed to establish a more efficient assignment of responsibilities, and a revised legal code may be required to successfully defend against the ever-evolving cyber threat.