Stuxnet worm: Private security experts want US to tell them more
Private sector security experts say the government’s public reports on the Stuxnet worm – the world’s first publicly-known cyber superweapon – often seem to be old news or incomplete.
The most plausible explanation is that private sector researchers are winning the race on getting information out because they are better at it.
“Most experts [on control systems] are in the private sector and sometimes they are just faster,” Mr. Borg says. “Everyone in government has to follow proper procedure. In the private sector you go for the right answer, cut every corner to get there first. It’s easier to do this work in very informal settings.”
Others, however, told the Monitor there is every sign that US government researchers at the Idaho National Laboratory knew a lot more about Stuxnet and how to defeat it – far more than has yet been released by the government. Government researchers, they say, knew well before most information about it was released publicly by private companies.
Government might have decided to release less information publicly about Stuxnet, Borg said, and supply it instead to Siemens with the details needed to fix the problem with its own customers, thereby safeguarding a valued relationship.
“There’s this decision making process,” he said. “Do we hurt trusted relationships, other governments, vendors, our own military? This is why you get this disparity between what is released from government and what’s released privately.”
Still, such decisions can leave even professionals “incredibly frustrated because they ended up looking like goofballs,” a former senior government official, who asked not to be named because he still works with government, says of US researchers on Stuxnet. “They had done good work. They knew a lot – and had gotten to a good place with [Stuxnet] before anybody else. But in public they looked like they weren’t on top of their game. These guys did an incredible level of work that never got out in enough technical detail.”
Meanwhile, back in Germany, Mr. Langner posted another blog item – this one an eight-point critique of what he writes is critical but missing information that was not raised in the most recent Sept. 29 ICS-CERT advisory on Stuxnet.
“Why explain in great length all the funny files that Stuxnet installs and not saying how to simply pull the plug by deleting one file?” he writes.
Joe Weiss, a managing partner at Applied Control Solutions, which sponsored the conference where Langner spoke, is disappointed that government officials at the conference provided few details about Stuxnet.
'Why are they holding back?'
“Neither the Department of Energy or DHS has been giving us any real help on this issue,” says Mr. Weiss. “If they’ve got the information, why the heck wasn’t that information being sent to our infrastructure owners? Why are they holding back?”
He and others say there is more than a little irony in federal officials touting last week’s Cyber Storm III, the government’s third big war game, as great preparation for a cyber attack with the backdrop of Stuxnet, the first known cyber superweapon to make its appearance in the public realm.
But to charges of offering late and incomplete information on this major new threat, DHS’s Mr. McGurk says his agency has no apologies for not listing all the gory details, which he said is intentional when it occurs.
“I wouldn’t say information was intentionally withheld because it wasn’t complete,” he says, referring to the ICS-CERT alerts on Stuxnet since July. Sometimes it’s best to go to work directly with the chemical industry or petroleum industry, he notes.
That may entail sharing some detailed information the government knows but wants to keep to itself and those who most need to know it – information, he says, that is “not something we are going to put publicly on a public website.”