Always A Bad Day For Adversaries

Death by a Thousand Cuts: Proliferation, The Biggest Cyber Threat

The cyber community is always teeming with conversations about the newest/greatest threats, exploits, or malware. Who remembers the Morris Worm? Nobody but students of computer security and computing historians. The sendmail and fingerd exploits were long ago patched, and RFC 1135 was written to memorialize the event. Today, the Boston Museum of Science displays the Morris Worm source code stored on a floppy disk. Over the last year it has been Stuxnet.

Outsiders, and even insiders, think that we are only one exploit/worm/virus away from total destruction. However, any single rational-actor adversary with a capability, even an advanced and dangerous capability, is relatively limited in their damage potential.

The biggest cyber threat is not any one particular capability or vulnerability, but rather that we will die a death by a thousand cuts.  The biggest threat to the global network is the proliferation of offensive cyber tradecraft in the hands of many capable actors.

The U.S. General Accounting Office put the total damages of the Morris Worm at $100K – $10M. This is small compared to the estimated $5.5B in worldwide damages caused by the ILOVEYOU worm in 2000. Yet the tradecraft of self-replicating computer code began with the Morris Worm and proliferated into the ILOVEYOU worm 12 years later.

The danger with Stuxnet is not the worm itself; it is that others will learn tradecraft from Stuxnet, such as more advanced malware droppers, the targeting of industrial control systems (e.g. SCADA), and better obfuscation techniques. In total, Stuxnet will make networks harder to protect for years to come, and in the meantime Stuxnet itself will be a museum display.


1 Comment

  1. Doug

    This feels like a very slippery slope. While you have provided several examples where malware was the source of proliferation of tradecraft, I’d make the claim that they are a minor one. There are so many sources of information on both the defensive and offensive end that are feeders for malicious tools. It’s really just a matter of where you look in the spectrum of say [tool poc research idea]. And again, fed by both offensive and defensive stances.

    The problem is that anything software is relatively cheap when compared with physical alternatives. Compare this to, say, a nuclear weapon, where many “persons” may know academically how to build one but lack the resources to do so. We find ourselves in a situation where information is so much more powerful than before, yet I don’t think an adequate response to the change in landscape has occurred.

    A good example I remind myself of is the ‘unicorn exploit’. The remote, single packet, unauthenticated, pre-firewall, etc. etc. exploit. Owns the world, so powerful yet so brittle. One vendor patch, one firewall rule, one IDS update, and that capability instantly disappears. And more on topic, one packet capture and I can make limitless copies of the tool for myself. We, as a society, just haven’t figured out how to handle and deal with the information age really. Look at copyrights and patents; cyber weapons (yes, I want to stab myself for saying that) are just as big of a cluster F.

    So I’ll claim, not only is Stuxnet just one fish in a sea of information, it actually has positively affected protecting networks by proving that capabilities like this can and do exist. Network defense needs to move beyond patch management and firewall rules and without real threats (vs. imaginary) what will provide the push needed for that?
