Back in November 2010, Andrew Ginter wrote a blog post in which he put Symantec’s Stuxnet dossier in the context of irresponsible disclosure. In a nutshell, Andrew argued that publishing technical analysis of cyberwar weapons in the midst of an ongoing cyber battle may enable the victim to better defend against the attack. In other words, the good guys would publicly deliver cyber reconnaissance for free, and that could become a problem if the attacked are bad guys.

Certainly I disagree with Andrew on this (and had some backchannel conversation with him on the topic), otherwise we wouldn’t have published so much detail on Stuxnet. The problem with disclosure on Stuxnet is that since the virus is in the wild and has such a huge impact, researching it cannot and will not be stopped until the very last bit has been examined, either by good guys or bad guys. When I realized that, I gave up all efforts to try to stop Symantec from publishing any more detail on the controller exploits and decided to take the lead instead – and publish exploit details along with our assessment of impact and recommendations on what to do about it.

I don’t think that we gave the victim a measurable advantage by this practice. After all, the victim would still have to figure out which parts of our analysis are correct, which parts might be wrong, and which parts may just be deceiving (come on… you sniffed that, didn’t you?). Besides, in an operation of this magnitude, the attackers cannot bet on remaining under the radar all the time. Much more important for the success or failure of the mission is the hardcore technical defensive capability of the attacked. According to our research, the single most important asset of Iran in defending against Stuxnet was their ability to cut communications to the CC servers on August 22, 2010. If we are not completely mistaken, this was achieved by an Internet filtering solution called Monitoring Center, delivered by Nokia-Siemens in early 2008. So any success that Iran may claim in fighting Stuxnet will probably be due less to the publications of overeager researchers than to mundane technicalities.

We have argued earlier that the fact alone that Stuxnet substitutes for a conventional warfare attack against a military target qualifies it as a cyberwar weapon. In the light of the above, this leads to a whole new problem of almost philosophical dimensions: defensive measures become weapons, too. Anti-virus solutions become substitutes for air defense missiles.

When we realized that operation Myrtus is designed as a multi-year campaign, we brought the delivery of our Controller Integrity Checker software to a screeching halt. Fortunately, that was before we had shipped the first copy. We realized that copies would quickly find their way into Natanz. Sales orders by companies from countries where the sun is hot, vegetation is sparse, and minarets are plentiful added to that impression. In other words, a cyber arms race had started before anybody had even thought about it. Not only will potential cyber victims improve defensive capability; cyber attackers will upgrade as well — and there is a lot to improve after the Stuxnet experience for version 2.0 and following before the B-2s are sent.

We are presently in the process of securing the Controller Integrity Checker with hardware copy protection, and we have revised initial plans to sell the software via integrators. So if you are interested in buying the product, it might be a little bit more difficult, or even impossible. What about other anti-malware products? Will they be subject to trading sanctions? Even if it’s a security product, does that automatically mean that its distribution is good and beneficial for all of us? As far as I know, questions like these hadn’t been raised before. After Stuxnet, they must be answered. Cyberwar cannot be discussed only in terms of offense; it includes defense, too – defense not only for us, but also for them. The delivery of such defensive weapons is much harder to restrict than a shipment of surface-to-air missiles, since it takes just an email transmission.

I don’t have answers to all these questions. But I’m afraid we’re going to need answers soon.

Ralph Langner