Stuxnet worm: Private security experts want US to tell them more
Private sector security experts say the government’s public reports on the Stuxnet worm – the world’s first publicly-known cyber superweapon – often seem to be old news or incomplete.
An Iranian security man stands next to journalists outside the reactor building at the Russian-built Bushehr nuclear power plant in southern Iran on August 21, 2010. The Stuxnet computer worm has infected 30,000 computers in Iran but has failed to "cause serious damage," Iranian officials were quoted as saying on September 26, 2010.
Newscom
America’s government security experts are among the best in the world. But their private sector counterparts are mystified why government’s public findings on the Stuxnet worm – the world’s first publicly-known cyber superweapon – so often have seemed muted, old news, or incomplete.
Skip to next paragraph
Subscribe Today to the Monitor
Tucked away on a government website, the Industrial Control System-Cyber Emergency Response Team (ICS-CERT) – part of the Department of Homeland Security – posts alerts and bulletins with government analysis of Stuxnet, dutifully logging its findings since it emerged publicly in July.
Yet those government alerts have mostly been echoes of findings already made public by anti-virus companies and private researchers – often lagging by several days and providing less detailed findings, industrial control system security experts say.
It looks like government is either inept at releasing detailed technical information to help protect the country or – for other reasons political or strategic – has decided to pull its punches on helping defuse Stuxnet, security experts, former government officials and Stuxnet experts told the monitor.
For instance, they say, the US government so far has refused to provide details on Stuxnet that might help some 40-50 US-based industrial control systems possibly infected by this new generation of cyber-war software. The government’s failure, they say, leaves US corporations infected and open to attack in the future.
“Name me one new or helpful piece of information that ICS-CERT provided to the community on Stuxnet? Or any other helpful contribution on the biggest control system security event to date,” writes Dale Peterson, CEO of Digital Bond, a control systems security firm, in his Sept. 20 blog. “It seems to me to have been a delayed clipping service.”
'Those bulletins they put out were missing key data'
“They had the expertise, the relationship with vendors, the equipment in their labs and the ability to analyze Stuxnet,” Mr. Peterson said in an interview. “But those bulletins they put out were missing key data or late. Getting this information out quickly was their sole mission, and they failed.”
Sean McGurk, director of DHS’s Control System Security Program, who oversees ICS-CERT, disputes that view, saying the team has been very focused on putting out timely public alerts – leaving out details if they did not serve the function of protecting critical US infrastructure systems.
“We took a broad all-hazards approach to the [Stuxnet] malcode,” he says in an interview. “We immediately began to analyze it and produce information to get into the hands of the community so they could begin taking protective measures.”
At the company level, ICS-CERT is focused on forensic incident response – like dealing with Stuxnet – and vulnerability assessment. Computer engineers in Washington, along with experts at the Department of Energy’s Idaho National Laboratory, test control system software and equipment. Results are distributed to software vendors and users of the system software.
