Following an interview with me in their Saturday edition, the Financial Times (European edition) speculates about what will come after Stuxnet, focusing on ‘full-scale cyberwarfare in which major infrastructure is destroyed’. The reporters also ask whether governments, especially those of the major powers, should sign treaties banning the use of cyberoffensive weapons. I believe such concerns and speculations are misleading. Here’s my take.
First of all, the risk of a cyberwarfare attack is LOWER after Stuxnet than it was before. The attackers behind Stuxnet had, and used, the element of surprise. Few people besides me had EXPECTED such an attack, and therefore defense was non-existent. This has now changed, or at least it should have. Any operator of an installation of strategic value who has NOT reviewed security policy during the last two weeks is doing the same thing that I said about the Bushehr plant: begging to be cyber-attacked. The good news with critical infrastructure is that this is a manageable task, as the number of installations is comparatively low and the assets are worth significant investments in appropriately upgraded security.
Now let’s look at the second item: the major powers should ban the use of cyberoffensive weapons, as they have weapons of mass destruction. If you think about it long enough, it’s almost ridiculous. PROLIFERATION OF CYBER WEAPON TECHNOLOGY CANNOT BE CONTROLLED. So while governments may sign lengthy treaties addressing the issue, such treaties won’t be countersigned by rogue nation states, terrorists, organized crime, or hackers. Yet all of these will be able to possess and use such weapons soon. With Stuxnet providing a blueprint for a major aggressive cyber strike involving common automation equipment, it is now much easier for others to attempt something similar. It is also important to understand that with Stuxnet in the wild, obtaining cyber weapons is no longer a question of technological capability but a question of buying power.
Let’s focus on terrorists, for example. I have speculated that the development of Stuxnet may have cost several million dollars, somewhere in the upper seven digits. The next cyber weapon will be considerably cheaper, since much of the attack vector and the specifics of how to use automation equipment will simply be copied. So let’s assume the next Stuxnet costs below one million dollars and is for sale on the black market (it’s just a question of time). It is then that some not-so-well-equipped nation states and well-funded terrorists will grab their checkbooks. Let the street price drop to the five-digit region and organized crime is in. Sabotage motivated by extortion will become a commonplace scenario. At this point targets are no longer limited to critical infrastructure but will especially cover the private sector — a TARGET-RICH AREA where it cannot be assumed that organizations will install countermeasures at scale in a reasonable amount of time.
Last but not least, the average bored hacker will jump on, playing around with the latest control system exploit code in Metasploit, this time targeting industrial controllers; so what. It is then that widespread, non-directed attacks will occur, with the payload distributed by conventional worms and the attacker not even knowing, or caring, whether his malware hit a wastewater facility in Podunk or a cookie plant in Denmark. Complete industry sectors with complex supply chains, such as automotive, breaking down due to a simple worm? Even better for bragging rights.
Summing up, my assessment of the threat posed by post-Stuxnet weaponized malware is as follows. Strategic high-value targets are least at risk, because they can be easily identified, are low in number, and justify high investments in countermeasures, which should be in the process of being implemented as I write this. The greatest risk is with medium- and low-value targets, the majority of which are in the private sector, including production facilities as well as low-tech automated systems such as traffic lights, elevators, etc. For such targets, a culture shift and significant investments in cyber security countermeasures cannot be expected short-term. However, such targets are low-value only when viewed in isolation. If attacked more or less simultaneously and/or persistently, whether in a coordinated fashion or at random, they may well cause as much or even more damage to the economy and society as an attack on a power plant. After Stuxnet, cyberspace will never be the same.