Stuxnet? Let’s stop being scared of shadows

Sky News just published an article, complete with video, entitled Stuxnet Super Virus ‘In Hands Of Bad Guys’.

In the article and the video, you will see and hear a variety of startling claims.

The narrator, for example, states that “Stuxnet disrupted Iran’s nuclear programme. The bug, or malware, was slipped into the circuits in the new Bushehr power plant.”

Really? Prove it. Show me some credible evidence.

A tame ethical hacker, interviewed to camera by Sky, points at some graphs on a web page, claiming that the graphs show the number of attacks this month and last month.

The screen grab is too indistinct to make out. It could show anything, and probably does, especially since the hacker doesn’t bother to define “attack”. Does he mean the number of reports from computers where an attempt at infection was detected and blocked? Where an infected file ran on a PC which needed to be cleaned up? Or a full-blown infection in which an industrial control device was actually affected, as ultimately intended by the virus?

An unnamed source is quoted by Sky as having said that “we have hard evidence that the virus is in the hands of bad guys – we can’t say any more than that.”

Honestly? A virus in the hands of bad guys? What a surprise. “We can’t say any more.” Really? This is the same sort of excuse I’ve heard many times before from those who claim to have irrefutable evidence of some sort of nation-state cyberwarfare.

Try looking up catchy names like Titan Rain, Ghostnet, and Operation Aurora. Now find someone who claims to be able to show that those were cyberwar. Then ask them about the proof. If they don’t jump at once behind the “if I tell you, I’ll have to kill you” copout, please tell me. They sound like people we could genuinely learn from.

And Sky even managed to get a UK-based consultant to say, as deadpan as you like, that with a copy of the Stuxnet malware, you could pretty much do anything you want. “You could shut down the Police 999 [UK emergency number] system. You could shut down hospital systems and equipment. You could shut down power stations, you could shut down the transport network across the United Kingdom.”

(That’s the first time I’ve heard that the UK actually has a country-wide integrated transport network which could operate all at once, which is surely an important prerequisite for any possibility of shutting it down in its entirety.)

We don’t need yet more speculation about Stuxnet when we already face a determined and extensive enemy in the form of cybercriminals. They are routinely stealing our credentials, plundering our bank accounts, raiding our retirement funds, subverting our payment systems and even – as one poor fellow in Western Australia found out recently – selling our houses from under our feet.

The problem with inaccurate, inflammatory and irresponsible stories about Stuxnet – good though they may be for page impressions and video views – is that they make cybercriminality sound like a second-rate problem when it is positioned against a news backdrop alleging cyberwar.

Yet it is the sort of rampant and general cybercriminality I mention above which is, in my opinion, significantly more likely to undermine the economic stability of, and thus the quality of life in, many developed countries.

Let’s stop being frightened of shadows and actually concentrate on getting rid of the cyberenemy already in our midst.