Stuxnet, Duqu, Flame: What It Means For You
The cyberweapon genie is out of the bottle, and the U.S. is engaged in a cyberwar. Now it becomes clear why the Government has been trying to get private industry to agree to certain cybersecurity standards. They are basically like an "arsonist calling for a better fire code", as per Jason Healey, director of the Cyber Statecraft Initiative at
the Atlantic Council.
June 2012 it was revealed that the White House decided to wage cyberwar against Iran starting with the Bush Administration and continued in an intensified form by the Obama Administration. President Obama was, and I assume still is, personally involved with the details of the attacks on the Iranian Natanz uranium enrichment facility. In David E. Sangers book Confront and Conceal: Obamas Secret Wars and Surprising Use of American Power this has been spelled out for the first time. Michael D. Hayden, the former chief of the CIA, said: This is the first attack of a major nature in which a cyberattack was used to effect physical destruction
you cant help but describe it as an attack on critical infrastructure. He continued with: Somebody has crossed the Rubicon
in one sense at least, its August 1945, the month that the world saw the first capabilities of a new weapon, dropped over Hiroshima. The big difference is that the cyberweapons that were created by the U.S. Administrations are weapons of precise destructions, not mass destruction, but Hayden does make a good point, in the hands of cybercriminals it easily can become a weapon of mass destruction.
The U.S. Administration obviously wanted to keep this under wraps as long as possible, and even when it was discovered, hoped it would be unattributable. So much for that. The idea was if they could damage Irans uranium enrichment capabilities, it would not be necessary for Israel to bomb Natanz, and potentially spark a war in the Middle East with disastrous consequences for oil prices. I understand all that. But now you have highly powerful cyberweapons in the hands of every somewhat capable hacker. Compare that to the limited nuclear proliferation we have today and you see that this genie is impossible to put back in the bottle.
Now, what risks are we talking here? Well, there is a spectrum of cyberthreats that you can see in a gradient scale from nuisance to catastrophic. Spam is a nuisance, your economic infrastructure shut down and utilities destroyed sets you back 50 years as a country. No, the sky is not falling. But bad guys are now having their hands on some mighty powerful malcode that could be used to penetrate your organization. How to protect yourself?
ABC News investigative producer Lee Ferran argues that human carelessness is more responsible for cyberthreats than technical advances: no matter how sophisticated the attack or how capable the defenses, the weakest link in cybersecurity is often the human at the keyboard. He just wrote an article called Bigger Than Flame, Stronger Than Stuxnet: Why Idiot Humans Are Best Cyber Weapon.
And I think he is right. How did the U.S. and Israel get Stuxnet into Natanz? With a bit of simple social engineering: the humble thumbdrive carried it in. All your employees need to be trained against social engineering attacks. And our
new Internet Security Awareness Training
is just the ticket to get there.