"That virus focused on specific software implementations, and those software implementations did exist in some U.S. infrastructure," Greg Schaffer, the department's assistant secretary for cybersecurity and communications, told reporters at a breakfast Monday morning. "So, there was the potential for some U.S. infrastructure.to be impacted at some level."
Schaffer described Stuxnet as a "very tiered, complex and sophisticated virus" that has attracted worldwide attention because it very specifically targeted supervisory control and data acquisition, or SCADA, systems at Siemens plants, including in Iran. Experts have said that the cost and manpower required to create such a virus seem to indicate that a government, rather than a rogue hacker or criminal gang, was behind the virus' creation.
Still, Schaffer downplayed the overall threat of Stuxnet within the United States. "There was some risk, because those software packages exist within the U.S. ecosystem," he said. "But it's not clear there are any particular process within the United States that would have triggered the software."
Despite widespread speculation that Stuxnet was created to target Iran's Bushehr nuclear plant, there has been little solid evidence to back up that claim. Bruce Schneier is among the security experts who have expressed skepticism, pointing to evidence that Stuxnet had spread to other countries, like India. "By allowing Stuxnet to spread globally, its authors committed collateral damage worldwide," Schneier wrote. "From a foreign policy perspective, that seems dumb."
That Stuxnet may not have meant to target U.S. systems doesn't mean that facilities in the United States are safe from the virus. "One of the tricks about any piece of malware is it doesn't necessarily stay in the form in which it was released," Schaffer said, noting that such software can be manipulated by others as it spreads.
He declined, however, to speculate on who or what was the original target of Stuxnet.
Even if Stuxnet wasn't targeting U.S. infrastructure, its creation signifies a new wave of cyberattacks -- viruses and malware that are designed to attack infrastructure, such as power-generating facilities. "This is no longer a world where malicious defacements of Web pages is what we are focused on as a department or government," Schaffer said. "We are worried about more sophisticated attacks; we are worried about migration to things of value."
Stuxnet, Shaffer says, is simply more evidence of such attacks targeting physical infrastructure.
"Those," he said, "are the kinds of things that give us pause."