Cyber Black Swans

How can cyberspace be protected in advance from sudden events with far-reaching implications? Gil David examines the phenomenon of the “Black Swan”

In the 16th century, when people wanted to say that something was impossible, they used the term “black swan.” This expression describes an event that could not happen in reality.

According to historical evidence, it was believed at the time that swans had only white feathers – ergo, a black swan could not exist. Then, in the 17th century, the world was stunned to learn that black swans had been found in remote Australia. The categorical assumption that black swans were impossible was abandoned.

In 2007, the Lebanese-American philosopher Nassim Taleb presented his own black swan theory after several years of work. Taleb defines black swans as events that are generally random and unexpected. In other words, a black swan is a high-impact, low-frequency event: its influence on the future is extreme, but its likelihood of happening is low.

In our time, a classic case of a black swan is the September 11, 2001 terrorist attack on the World Trade Center and Pentagon in the US. This event contains all the criteria that define a black swan. It was a unique event. Whoever watched it – no matter where – was shocked. Its repercussions are still felt today, especially in airport security. The level of protection has risen dramatically and governments are continually upgrading security measures. This trend has had a powerful impact on the handling of passengers and the need for enormous resources.

Worms and Swans

One of the paramount cyber war events in recent years was the Stuxnet worm that infiltrated Iran’s nuclear facilities. Experts in cyber security agree that the Stuxnet worm attacked the centrifuges’ control systems and reshuffled their operating instructions, altering the centrifuges’ speed cycles, causing them to crack and then explode.

Stuxnet can be defined as a black swan for a number of reasons. First, it contained the element of surprise. Nuclear facilities are tightly guarded against physical, virtual, and cyber threats. Their communication networks are isolated from the Internet and buried several meters underground. In addition, the facilities’ production network operates according to the SCADA protocol (Supervisory Control and Data Acquisition), and until the Stuxnet penetration, almost no cases of attacks aimed specifically against this protocol were registered. Despite enhanced security measures and isolation from external networks, the worm made its way so skillfully into the reactor’s software and wreaked so much havoc in the facility’s innermost core that everyone was caught by surprise. In effect, what appeared to be an impossible mission for the Stuxnet designers was carried out brilliantly and with craft, leaving the Iranians awestruck.

Second, from both a practical perspective and as a confidence destroyer, the effect of the worm on the Iranian nuclear program was immense. Some pundits claim that the attack pushed the nuclear project back by months, even years. Following the event, the Iranians decided to base their software on code that they developed themselves, without recourse to any external code that could harbor more worms. This required special preparations, such as training engineers and allocating costly resources. It also meant a setback for development plans. On the international level, Stuxnet had a powerful impact on cyber defense, forcing vast sums to be diverted to improving countermeasures. In this way, it caused a reconfiguration of the security concept in states and governments and awakened the need for a significant change in preparing for future cyber threats.

Third, in recent years, there have been many indications of zero-day Trojan horses (exploiting weak spots in computer applications), backdoor attacks (circumventing normal authentication), and other malware designed for targeted attacks against organizations and facilities. Another technique that has been around for several years is the infection of networks via external media (such as a disk-on-key), which bypasses the defense mechanisms that deny unauthorized access. Human agents have been used to carry out an attack (for example, infecting a network with a worm), and social engineering has been employed to evade sophisticated security mechanisms. There were even some reports that attacks could be made against SCADA protocol-based systems.

The West is determined to impede the Iranian nuclear project at almost any price. The Stuxnet worm was indeed a black swan. It was the first major one to be seen in the cyber world, and is a harbinger of things to come in cyberspace. The trick is to avoid this kind of attack on our own systems. One solution is to identify weak points in our systems and transform a black swan into a white one. This is the only way we can protect our most sensitive systems and prepare for the cyber war that looms on the horizon.