The deployment of the “Shamoon” computer virus against the Saudi Arabian Oil Co. last year was an important new development in international cyber conflict. Shamoon must put all providers of critical services on alert and requires concerted action by governments and private interests, according to a new working paper from Rice University’s Baker Institute for Public Policy and the International Institute for Strategic Studies (IISS) in Manama, Bahrain.
The paper, “Hack or Attack? Shamoon and the Evolution of Cyber Conflict,” was co-authored by Christopher Bronk, a fellow in information technology policy at the Baker Institute, and Eneken Tikk-Ringas, a senior fellow for cybersecurity at the IISS. The paper documents the Shamoon case and considers its impact on broader policymaking regarding the Middle East, energy and cybersecurity issues. The paper has been approved for publication in the March issue of the journal Survival, Global Politics and Strategy.
“Although the Shamoon attack did not result in any physical damage to critical infrastructure in the Middle East, there has been a secondary impact on risk assessment for providers of critical services worldwide,” Bronk said. “Shamoon is a reminder that enterprises need to be alert about the possibility of becoming the target of a politically motivated cyberincident.”
On Aug. 15, 2012, the Saudi Arabian Oil Co. (also known as Saudi Aramco) was struck by a computer virus that possibly spread across as many as 30,000 Windows-based personal computers operating on the company’s network. The company is Saudi Arabia’s national petroleum concern and a producer, manufacturer, marketer and refiner of crude oil, natural gas and petroleum products. According to news sources, it may have taken Aramco almost two weeks to fully restore its network and recover from the disruption of its daily business operations caused by data loss and disabled workstations resulting from the incident. The computer security research community dubbed the virus Shamoon.
While Aramco leadership has asserted that production was unaffected, the authors said there are important questions from the Shamoon case germane to other players in oil and gas and elsewhere in industry. “But the critical point for policy is how government, commercial actors, the international system and other players share and manage cyberincident risk,” Bronk said. “Shamoon identifies just how broadly a major cyberattack can impact key national capabilities and concerns.”
The authors argue that the Shamoon incident calls for a review and refinement of critical infrastructure policies (CIP) and joint efforts between governments and private interests.
“Developing working public-private partnerships in CIP is a challenging task, as it requires very careful consideration by government of relevant business goals and processes as well as appreciation of the governmental threat assessment logic and the required supervisory steps by the private sector,” Tikk-Ringas said. “Although the need for public-private protection and defense models has been acknowledged, the policy goals and business routines are difficult to marry without resistance.” She said a plan of action for achieving a working CIP model will need a balanced role division.
The authors said cyberattacks against critical infrastructure are unlikely to go unnoticed, and therefore, an appropriate response is in order. “This raises the questions of strategic communications, decision-making about who responds to which aspects of the incident and how,” Tikk-Ringas said. “Such transgressions challenge national security and raise the questions of use of force considered by lawyers of international conflict. Therefore, responses to CI cyberincidents matter from both national authority and general deterrence perspectives and, in the light of the Aramco-Shamoon incident, require special attention by enterprises, governments and international organizations alike.”