The computer virus Stuxnet, which some experts believe was created specifically to target Iran's nuclear facilities, could also threaten U.S. infrastructure, according to a senior Department of Homeland Security official.
"That virus focused on specific software implementations, and those software implementations did exist in some U.S. infrastructure," Greg Schaffer, the department's assistant secretary for cybersecurity and communications, told reporters at a breakfast Monday morning. "So, there was the potential for some U.S. infrastructure to be impacted at some level."
Schaffer described Stuxnet as a "very tiered, complex, and sophisticated virus" that has attracted worldwide attention because it specifically targeted supervisory control and data acquisition (SCADA) systems at Siemens plants, including those in Iran. Experts have suggested that the cost and manpower required to create such a virus indicate that a government, rather than a rogue hacker or criminal gang, was behind its creation.
Despite this, Schaffer downplayed the overall threat of Stuxnet within the United States. "There was some risk because those software packages exist within the U.S. ecosystem," he said. "But it's not clear there are any particular processes within the United States that would have triggered the software."
There has been widespread speculation that Stuxnet was created to target Iran's Bushehr nuclear plant, but little solid evidence backs up this claim. Security expert Bruce Schneier has expressed skepticism, pointing to evidence that Stuxnet had spread to other countries, like India. "By allowing Stuxnet to spread globally, its authors committed collateral damage worldwide," Schneier wrote. "From a foreign policy perspective, that seems dumb."
The fact that Stuxnet may not have targeted U.S. systems does not mean that U.S. facilities are safe from the virus. "One of the tricks about any piece of malware is it doesn't necessarily stay in the form in which it was released," Schaffer said, noting that such software can be manipulated by others as it spreads.
He declined to speculate on who or what was the original target of Stuxnet.
Even if Stuxnet wasn't targeting U.S. infrastructure, its creation signifies a new wave of cyberattacks—viruses and malware designed to attack infrastructure, such as power-generating facilities. "This is no longer a world where malicious defacements of Web pages are what we are focused on as a department or government," Schaffer said. "We are worried about more sophisticated attacks; we are worried about migration to things of value."
Stuxnet, Schaffer says, is simply more evidence of such attacks targeting physical infrastructure.
"Those," he said, "are the kinds of things that give us pause."
