We begin today with an object lesson in the “law of unintended consequences” — the bane of bureaucrats and world improvers the world over.
“We’re finding it in our systems, and so are other companies,” says Mark Koelmel. “So now we have to deal with this.” Mr. Koelmel runs the earth sciences unit at Chevron, the oil giant.
“This” refers to a computer virus created by the U.S. government.
The computer virus in question is Stuxnet — developed by the U.S. to cripple Iran’s nuclear capacity. Not that the U.S. government ever fessed up to that. Not officially, anyway:
“We’re glad they [the Iranians] are having trouble with their centrifuge machine,” White House arms control czar Gary Samore commented last year. “The U.S. and its allies are doing everything we can to try to make sure that we complicate matters for them.”
Unfortunately, the Iranians are no longer the only ones for whom “matters” have been “complicated.”
“I don’t think the U.S. government even realized how far [Stuxnet] had spread,” Chevron’s Koelmel tells CIO Journal. “I think the downside of what they did is going to be far worse than what they actually accomplished.”
Koelmel says Stuxnet had no adverse effects on his company — except for the man-hours required to zap the virus from the company’s computer hardware. Other companies? They’re not saying. Chevron kept its situation quiet for at least two years until The Wall Street Journal broke the story late last week.
That’s if most corporate IT departments can even recognize their systems are infected. “There are probably only 18-20 people in the country who have those fundamental skills,” says Alan Paller of the IT security research group SANS.
Good work, if you can get it, we suppose. Apart from the irony unleashed by Stuxnet, we bring it up today because it makes a fine addition to the list of 2013 “gray swans” we identified last week.
The preceding article was excerpted from Agora Financial’s 5 Min. Forecast.