‘Shamoon’ computer virus attack marked new height in international cyber conflict

David Ruth
713-348-6327
david@rice.edu

Jeff Falk
713-348-6775
jfalk@rice.edu

‘Shamoon’ computer virus attack marked new height in international cyber conflict

HOUSTON – (Feb. 12, 2013) – The deployment of the “Shamoon” computer virus against the Saudi Arabian Oil Co. last year was an important new development in international cyber conflict. Shamoon must put all providers of critical services on alert and requires concerted action by governments and private interests, according to a new working paper from Rice University’s Baker Institute for Public Policy and the International Institute for Strategic Studies (IISS) in Manama, Bahrain.

The paper, “Hack or Attack? Shamoon and the Evolution of Cyber Conflict,” was co-authored by Christopher Bronk, a fellow in information technology policy at the Baker Institute, and Eneken Tikk-Ringas, a senior fellow for cybersecurity at the IISS. The paper documents the Shamoon case and considers its impact on broader policymaking regarding the Middle East, energy and cybersecurity issues. The paper has been approved for publication in the March issue of the journal Survival, Global Politics and Strategy.

“Although the Shamoon attack did not result in any physical damage to critical infrastructure in the Middle East, there has been a secondary impact on risk assessment for providers of critical services worldwide,” Bronk said. “Shamoon is a reminder that enterprises need to be alert about the possibility of becoming the target of a politically motivated cyberincident.”

On Aug. 15, 2012, the Saudi Arabian Oil Co. (also known as Saudi Aramco) was struck by a computer virus that possibly spread across as many as 30,000 Windows-based personal computers operating on the company’s network. The company is Saudi Arabia’s national petroleum concern and a producer, manufacturer, marketer and refiner of crude oil, natural gas and petroleum products. According to news sources, it may have taken Aramco almost two weeks to fully restore its network and recover from the disruption of its daily business operations caused by data loss and disabled workstations resulting from the incident. The computer security research community dubbed the virus Shamoon.

While Aramco leadership has asserted that production was unaffected, the authors said there are important questions from the Shamoon case germane to other players in oil and gas and elsewhere in industry. “But the critical point for policy is how government, commercial actors, the international system and other players share and manage cyberincident risk,” Bronk said. “Shamoon identifies just how broadly a major cyberattack can impact key national capabilities and concerns.”

The authors argue that the Shamoon incident calls for a review and refinement of critical infrastructure policies (CIP) and joint efforts between governments and private interests.

“Developing working public-private partnerships in CIP is a challenging task, as it requires very careful consideration by government of relevant business goals and processes as well as appreciation of the governmental threat assessment logic and the required supervisory steps by the private sector,” Tikk-Ringas said. “Although the need for public-private protection and defense models has been acknowledged, the policy goals and business routines are difficult to marry without resistance.” She said a plan of action for achieving a working CIP model will need a balanced role division.

The authors said cyberattacks against critical infrastructure are unlikely to go unnoticed, and therefore, an appropriate response is in order. “This raises the questions of strategic communications, decision-making about who responds to which aspects of the incident and how,” Tikk-Ringas said. “Such transgressions challenge national security and raise the questions of use of force considered by lawyers of international conflict. Therefore, responses to CI cyberincidents matter from both national authority and general deterrence perspectives and, in the light of the Aramco-Shamoon incident, require special attention by enterprises, governments and international organizations alike.”

About the authors

Bronk previously served as a career diplomat with the Department of State, where his last assignment was in the Office of eDiplomacy, the department’s internal think tank on information technology, knowledge management, computer security and interagency collaboration.

Before joining IISS, Tikk-Ringas worked as legal adviser and head of the legal and policy team at the NATO Cooperative Cyber Defense Centre of Excellence in Tallinn, Estonia. She was one of the lead experts to analyze and write about cyberattacks against Estonia in 2007 and has since worked with many governments and international organizations on strategic cybersecurity matters.

-30-

For more information or to schedule an interview with Bronk or Tikk-Ringas, contact Jeff Falk, associate director of national media relations at Rice, at jfalk@rice.edu or 713-348-6775.

Related materials:

“Hack or Attack? Shamoon and the Evolution of Cyber Conflict” working paper: www.bakerinstitute.org/publications/ITP-pub-WorkingPaper-ShamoonCyberConflict-020113.pdf

Bronk bio: http://bakerinstitute.org/personnel/fellows-scholars/cbronk.

Bronk on Twitter: http://twitter.com/techpologist @techpologist.

Tikk-Ringas bio: http://www.iiss.org/about-us/staffexpertise/list-experts-by-name/eneken-tikk-ringas/.

Follow Rice News and Media Relations via Twitter @RiceUNews.

Founded in 1993, the James A. Baker III Institute for Public Policy at Rice University in Houston ranks among the top 20 university-affiliated think tanks globally and top 30 think tanks in the United States. As a premier nonpartisan think tank, the institute sponsors more than 20 programs that conduct research on domestic and foreign policy issues with the goal of bridging the gap between the theory and practice of public policy. The institute’s strong track record of achievement reflects the work of its endowed fellows and Rice University scholars. Learn more about the institute at www.bakerinstitute.org or on the institute’s blog, http://blogs.chron.com/bakerblog.  

The IISS was founded in the UK in 1958 with a focus on nuclear deterrence and arms control. It is considered a world-leading authority on global security, political risk and military conflict. Today, it is also renowned for its annual Military Balance assessment of countries’ armed forces and for its high-powered security gatherings, including the Annual Regional Shangri-La and Manama Dialogue Security Summits. Its mission is to promote the adoption of sound policies to further global peace and security and maintain civilised international relations. More information can be found on www.iiss.org.