Is the US building Stuxnet 2/3? Cyber tools that can act behind isolated (even air-gapped) networks to cause physical destruction, sometimes called “cyber weapons”, a generalised term, not exactly justified considering how such tools work (but in simplified cases, it is sometimes used).

This was the functionality of Stuxnet used at the Iranian uranium enrichment facility (Natanz) over 10 years ago. The tool caused physical destruction. Initially, the tool has been used in espionage/information gathering, but then the cyber operation transitioned to ‘effects’ - here meaning destructive effects. Physical destruction happened. It was a really capable tool.

Since then we did not experience such grandiose cyber operations with actual physical effects. There were some. There were also tools with such capabilities.

Then something happened. Recently, the US Special Operations Command is advertising a call for research-development projects which would bring very interesting deliverables, such as:

“Exploitation of maritime access opportunities to fuse with other domains, e.g. ground, air, cyber”

The exact meanings here are unclear but if we assume ‘access’ as ‘ability to access target information/operational technology systems', it would mean the uses of cyber operations vs maritime targets to be fused with other activities (ground, air, cyber…).

“Expansion of ISR operations to include exploitation of cyber, social media, and publicly available information”

This is about ‘intelligence, surveillance, reconnaissance' (typically conducted in the context of military operations, or as the sole goal, too) with the uses of cyber operations, the analysis of social media and public information (i.e. information operations or something?)

But the really interesting part is the ‘next-generation effects’.

“Cyber Platforms that have the capability to provide digital and physical situational awareness in connected environments through utilization of IoT devices, networks, and systems”

This is pretty standard.

“Cyber Applications capable of tracking and exploiting targeted mobile electronics, SCADA systems, and IoT devices”

This is about building cyber capabilities to exploit/engage mobiles, industrial control systems, and IoT devices

“Cyber payloads with deny, disrupt, degrade, or destroy capabilities that are able to be employed to both networked and air-gapped computer devices and systems.”

This is about effects operations against conventional networks and those well-isolated (i.e. air-gapped; like what Stuxnet or other tools did). Of particular note is the ‘destructive payloads’, meaning cyber operations with the capability to deliver destructive effects. Assuming that we link this point to the previous one (SCADA/etc), we would then have the capability to enter air-gapped, isolated systems, to engage industrial control systems, possibly with disruptive or destructive purposes. Something like Stuxnet 2 or 3. The only caveat is the upper bound on the monetary value of these projects, which is $150k. Quite low, but perhaps an initial exploratory demonstrator could be made?


This advertisement is about very advanced cyber capabilities. But what’s striking is the transparency involved. Many people complained about the difficulty to analyse/researching the strategic employment of cyber capabilities. Some also complain that this may even be destabilising. If so, this ad is pretty transparent.

This does not solve the issue of a number of States each developing their own very advanced cyber capabilities, of which little is known. This is still an area shrouded in secrecy. Some of it is justified, but perhaps not all.