Tuesday, June 5, 2012

Moral Hazard of Flame

Moral Hazard of Flame & Stuxnet

It is becoming increasingly apparent that the U.S. Government is behind both Flame and Stuxnet. The poor quality of the latter notwithstanding, the complexity and sophistication of the attacks are not in doubt. Deployment and infiltration techniques require human involvement and impressive technical resources (paid for with tax dollars).

Consider the scenario in which an 18-year-old in a coffee shop or a "cyber-business man" creates a virus, worm or other form of enhanced malware. He then distributes it to hundreds or thousands of computers for the purpose of causing damage to someone with whom he does not agree, or perhaps to make money. Just as one will text message something that they would never say in person, the attackers feel there is something acceptable about carrying out a form of violence through electronic means. These individuals would be called cyber criminals in most countries. They would be subject to arrest and prosecution using the evidence obtained. As security professionals we are angered, frustrated and concerned about the potential for this to happen to our own organizations, which we are paid to protect.

When a government does the same thing to another government, there is a sense that this is acceptable. If the government does this to another government, it is okay. The government is on our side. Stuxnet targeted Iranian fuel enrichment. It caused physical destruction of the infrastructure. Somehow many people seem to feel it is justified and even commendable. But the bigger picture is not discussed. This behavior creates a strategic cyber security threat to all of us. Once this Pandora's box is open, the U.S. is a target for retaliatory attacks. We may say that it is a bad thing but that is only because it is happening to us. Private infrastructure must be a legitimate target because it serves the needs of our government. Furthermore, these attacks may reasonably be considered an act of war.

A weapon such as Stuxnet or Flame was used to cause physical and technological damage and steal confidential information. If this is an act of war, retaliation may amount to a missile strike against a U.S. target. After all, not everyone will send a text message when they can speak to you in person. More relevant to security professionals around the world, your private infrastructure may be the target of a cyber or even physical attack.

Whatever the reason for the attack, it is our responsibility to discourage this behavior. But we cannot discourage this if we condone or fail to reject this behavior from our own government. In a sense, the U.S. Government may become the single biggest threat to the cyber security of private enterprise.

Posted by Park Foreman, CISSP, ISSAP, CEH, CHFI, GIAC 27000 at 7:52 PM
