Thoughts on "Cyber Weapons"

With all the activity concerning Stuxnet, I've been thinking about "cyber weapons." You might recognize the image at left as coming from the venerable rootkit.com site operated by Greg Hoglund since 1999 (for real -- check out archive.org!) When Greg started that site I remember a lot of people complaining about cyber weapons and putting offensive tools in the wrong hands. Now with tools like Metasploit and Ronin, people are bound to worry about the same issues. It would be terrible to see valuable tools get painted with the same "ban the guns" prescriptions I expect to hear when Stuxnet becomes more popular in the media.

So, in this post I'd like to share a few thoughts on differentiating security tools from cyber weapons (CWs). These are just my thoughts so I'd be interested in feedback. Some of them may be controversial and I could probably argue the opposite case for some of the items.

• Operators develop CWs privately. I don't think a tool you can download from a public Web site qualifies as a true CW. Yes, you can use tools like Metasploit offensively, but a good deal of the value of a real CW comes from the "whoa" factor. (See the next point.) You can't preserve the "whoa" factor after publishing code on the Web.


• CWs tend to be innovative. Innovation means incorporating 0-day attacks (researched by the developers), new command-and-control methods, or other measures. Real CWs take victims by surprise, especially if they target multiple aspects of the kill chain.


• CWs tend to have specific effects. Think of Stuxnet and it's programming to alter specific values in PLCs. These are actions designed to damage a target, not provide generic remote control access so intruders can open someone's CD player.


• CW value degrades quickly. I believe a real CW is much less valuable after being used, often due to the points listed earlier. It's easier to disable a radar the first time than it is the second or third times. As soon as an aggressor uses a CW on a victim, the victim will try to be better prepared for later attacks and may be able to recognize or even thwart them entirely. Contrast that with a tool designed to help validate defenses or conduct audits.


• Intent matters. The intent behind a CW is to enable the agenda of a nation state or other high-end structured threat, not simply to demonstrate a new technique, or be the best penetration tool, or compromise the most victims, or help administrators validate defensive measures. I don't think HD Moore (who wrote a great pitch on cyber weaponry) intends for Metasploit to be used by governments to harm each other or their citizens. Ask someone who develops real CWs for a living why they wrote CW X and they will likely say "because I was under contract to deliver X by date Y for customer Z."

I hope we can be clever enough to separate real CWs like Stuxnet from tools that serve a useful security function like Metasploit, because actions to try to outlaw all offensive tools would be devastating for defenders everywhere.
Tweet