Thursday, October 21, 2010

You can't stop the next Stuxnet worm

Austin Bay has a very good article up, over at Strategy Page.  Their headline, though - Stopping The Next Stuxnet - is misleading.  You can't.  Bay even says why:
Computer experts understand and respect its threat. StrategyPage.com, on Oct. 3, described Stuxnet as "the first piece of malware to damage the computer systems which control industrial plants," and its emergence should serve as "a wake-up call to the world." StrategyPage compared Stuxnet's strategic military implications to the introduction of intercontinental ballistic missiles in the 1950s -- weapons that could strike global targets.
ICBM technology changed the game, because it meant that nowhere was safe.  Before that, an attacker had to send ground troops (later bombers) to destroy assets behind the front lines.  ICBMs changed all that.  All you needed was a missile, and you could target anything, anywhere.  There was no defense.

Reagan's Strategic Defense Initiative ("Star Wars") tried to change that.  The jury's still out on how effective it will be.  Hopefully, we'll never find out.

Stuxnet is like that.  You can target whatever you'd like - power generation, refining, transport - all you need is time, and expertise, and money.  State actors have all of these, in sufficient quantity (at least, major state actors do).

What the War on Terror has taught us is that the world is filled with soft targets.  While it would be nice to defend everything, everywhere, that's not realistic.

However.

A lot of soft targets are soft because people haven't thought security was an issue before.  We've gotten the benefit of automation without paying the cost of reasonable hardening.  The entire software industry is sadly negligent here (that's a post for later).  Business leaders, however, understand cost/benefit analysis.  There's a lot that can be done to make software targets harder.  It's not glamorous work, but neither is building bridges in a way that they don't fall down.  The head of computer security for the UK government said it well:
Iain Lobban, the director of the signals intelligence and information security organisation, said if government departments observed basic network security disciplines, such as "keeping patches up to date", combined with the necessary attention to personnel security, their online networks would be much safer.
Setting minimum standards is something that the government can, and should, do.  A lot of industries won't like doing it, because it will raise their costs, but the risk is real.  Quite frankly, we're a lot more likely to see more of this kind of targeted information warfare than we are to see an ICBM strike.  There's a lot of plausible deniability in a worm; there's none at all in a missile launch.

3 comments:

bluesun said...

I was just thinking about that. I'm in the computer lab at school, and the IE browser always asks if I want it to save my password for things. Just setting it up so you can't have that option would make things much more secure for all the people out there who don't know any better.

DaddyBear said...

I run into vendors all the time who use the excuse of "you have to use our device/software/website on a secure network" and then refuse to even consider hardening their crap.

It's going to take a major accident that's linked to a series of controllers malfunctioning before they do anything.

TJP said...

A lot of soft targets are soft because there is a general trust between members of the human race not to mess with certain things. Something as elaborate as the "Stux worm" isn't necessary to break things, and anyway, it's tied to a particular platform. In the West we spend God-only-knows how much to create software; in the East they'd just tell a guy with a bomb under his hat to stand next to a target and press a button.

No one is addressing the painfully obvious reason that computer security sucks: greater security reduces productivity, and workers are hostile toward anything unfamiliar--especially when it also lowers their productivity.