Yes, pretty much everybody in the industry said “duh!” when it was revealed (well, “semi-officially”) that the USA and Israel are behind the Stuxnet code.
However, if you think about it, there are some interesting implications of this:
- What do you call “malware” working for the good guys? “Attack software”? “Sabotage-ware”? “Good malware”? We need a whole new language to describe what we are seeing now. This is "one man’s terrorist is another man’s freedom fighter" all over again…
- “Malware” (with the above caveat) developer is now a legitimate occupation that you can put on your resume. Example: “2006-2007: developed ‘attack software’ for XYZ government”
- An attack launched by one state’s military/intelligence against another state using “malware” is a reality. This is probably not cybercrime? (well, just like spying, this actually looks like crime to the victim – as was pointed out to me, spying is often prosecuted in civilian courts and thus can be seen as a special kind of crime, despite the fact that a foreign government is behind it). This is not “cyber-terrorism.” Is this cyber-sabotage? Is it cyber-warfare after all? I have to grudgingly agree that it might be. Then again, warfare has many forms already, even without tossing “cyber” in the mix.
- Also, state-developed “malware” used against other states raises interesting questions regarding malware defenses. Such software needs to hide from AV defenses, just like its criminal brethren, which leads to the situation described back in 2007: if you have a 0-day (or a novel malware hiding tech), you can choose to defend against it OR attack others with it, but likely not both.
- This is (to the best of my knowledge) the first example of technology invented by criminals (well, sort of – science fiction authors first described “malware”) and then adopted for legitimate military purposes that happened in modern times.
Any other thoughts?
If not, all I can say is “we live in interesting times”!
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.