informa
News

Stuxnet And Playing Offense Instead Of Defense

Security experts call for emphasis on resilience, offense
The theme of this week's Black Hat DC conference was offense -- not the traditional Black Hat tagline of digital self-defense.

That amid the backdrop of another report implicating the U.S. and Israel in the Stuxnet worm that targeted an Iranian nuclear facility. Stuxnet has become the poster child for the possibilities of covert, cyber-response to international conflict rather than traditional warfare, according to Jeff Moss, founder of Black Hat. "Would you rather have a power plant turned off or exploded with bombs? This is the new normal -- the new world we're going to be living in," Moss told attendees at Black Hat DC this week.

Moss, pointing to an investigative piece in The New York Times that implicated Israel and the U.S. in Stuxnet's creation, said the notion of cyber-response is working its way into doctrine. "Was The New York Times story a clever leak by the administration to demonstrate that this is our power?" he said.

The bottom line is that researchers and security experts are being drawn into protecting critical infrastructure, he said. This makes addressing resiliency especially important, he said.

Franklin Kramer, former Deputy Secretary of Defense and currently a distinguished research fellow in the Center for Technology and National Security Policy at the National Defense University, said in his keynote address at Black Hat DC that he thinks Black Hat should consider exploring resilience techniques.

He also proposed a public-private think-tank that would serve as a catalyst for merging policy and technology for the notion of cyber-response or cyberwar. "Combining policy with the technical is too difficult to do only in the government or outside the government," Kramer said.

Kramer said cyberwarfare requires a combination of offense and defense. "You can't succeed without both," he said. And cyber conflicts themselves aren't easy to control: "Non-state actors could engage ... and they can be less rational, less controlled, a potentially escalatory" situation, he said. And the basic ease-of-use of technology could result in too much damage too quickly. "A contained war might be less possible,' he said. "And with the ease of entry and lack of overall defenses could mean it's harder for the U.S. to dominate."

Meanwhile, the debate still rages on about who was behind Stuxnet. "It was too sophisticated for a 19-year-old in Stockholm to create," says Evan Lesser, managing director and founder of ClearanceJobs.com, an online career site for jobs that require federal security clearance. If indeed it was the U.S. and Israel, he says, it will be tough to prove. "The difference between cyberwar and regular war is that with boots on the ground, you can see the U.S. flag, for example ... so it's more obvious who is doing what. Cyberwar is much more shady and clandestine."

One thing is certain: Iran was the target of Stuxnet, says Tom Parker, director of security consulting services at Securicon. Parker maintains that Stuxnet was for delaying or setting back Iran's nuclear enrichment program, not destroying it.

"It was not an insider, and probably not a Western-state acting alone," Parker said. "There were too many slip-ups."

No one party could have done it all alone, he said. "You would need access to the hardware and software, frequency converters ... stolen digital certificates," he said. "They had to test it on systems themselves ... An adversary would have needed to acquire it officially or illicitly."

But neither Parker nor other security experts this week were willing to say for sure that they are convinced that Stuxnet was the cyberoffensive work of the U.S. and Israel.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading: