To put this in context, it is called the BIOS Plot, and the inevitable sources, "cyber security experts briefed on the operation," informed CBS that the threat originated in and would have come from China. For further context, Gen. Keith Alexander had just warned that "a foreign nation could impact and destroy major portions of our financial system, yes;" and that "right now it would be difficult to stop it because our ability to see it is limited."
But security experts have been quick to question this. "Regardless of where you stand on the Snowden/NSA debate, it's obvious tonight's '60 Minutes' was a travesty of journalism," wrote Robert Graham in Errata Security yesterday. "In exchange for exclusive access to the NSA, CBS parroted dubious NSA statements as fact. We can see this in the way they described what they call the 'BIOS plot', which the claim would have destroyed the economy of the United States had the NSA not saved us. The NSA spokesperson they quote, Debra Plunkett, is a liar."
Infosecurity went to those who would know about 'superviruses' – the anti-malware industry. First, and unanimously, they told us that, yes, such a virus is technically possible. "Remember Chernobyl virus, aka W32/CIH?" said Luis Corrons, technical director at PandaLabs. "It is an old virus, it was created in 1998 and had a similar payload: on a certain date (26th April) it overwrites the BIOS, and that day of the year 1999 thousands of computers around the world got bricked: no BIOS, no way to boot the computer. That one was even worse, as on top of that it also overwrites the MBR (master boot record) and all information in the hard drive was lost."
So BIOS Plot could have happened. But is it likely to happen – or is it, as Graham suggests, "just like the existing testimony from Clapper and Alexander that is never precisely a lie, but likewise, intentionally deceptive."
Normally, suggests Fraser Howard, a senior researcher at Sophos, "when you typically read this sort of content, it is in the form of email hoaxes or overly sensationalist articles." Frankly, he doesn't believe the scenario described by the NSA is very likely. " In my mind," he suggests, "international cyber espionage attacks are far more likely to use malware to steal data, or even modify data. Data destruction is just not as powerful a weapon. If you were an adversary, which would you prefer, wipe out x computers creating short term hassle (recovery from backup etc) or many months/years of data exfiltration after penetrating a target network?"
David Harley, senior research fellow at ESET is equally sceptical. He points out that following the Chernobyl virus, manufacturers have built some BIOS protection facilities into their products; that not all machines use the same BIOS; and that the "nightmare scenario proposed here would also require an extraordinarily effective delivery mechanism. From the transcript of the interview, one of the interviewees was talking about social engineering and targeted emails. But targeted social engineering isn’t very practical when everyone is the target."
But then he muses, "Unless, of course, the ‘vulnerability’ is in the supply chain, a possibility that isn’t mentioned in the transcript. Surprisingly, given the alleged source of the malware. I’ve no idea how many motherboards are made in China, but I suspect it’s a pretty large number..."
Mikko Hypponen from F-Secure keeps his options open. It's unlikely: "Most governmental attackers are not interested in destroying systems," he comments. "For an attacker, there are much more useful things to do - intercepting traffic, stealing data, sending false communications." But possible: "However, we have seen some destructive attacks lately, including the attacks against South Korean media houses and the Saudi Aramco - RasGas attacks. Those attacks wiped data on the systems, including their boot sectors, making machines unbootable."
But China really have an attack like this ready? "I don't know," he told Infosecurity. We haven't seen destructive attacks attributed to the Chinese - just spying attacks."
The general consensus from the security industry is that this could have happened, and indeed, in one form or another, might have happened – but almost certainly not in the way it was described to CBS. But just in case, Amichai Shulman, CTO at Imperva, points to the inherent strength of bio-diversity. "If an organization has enough diversity of makes and models then the effect of such an outbreak on an organization is mitigated," he told Infosecurity.