What Stuxnet means

The last bit of evidence is now in - it appears that the mysterious Stuxnet worm was indeed aimed at Iran's nuclear capability. This means that we now know for sure that Stuxnet was an event of great significance - the first example of a type of sophisticated interstate warfare that we can expect to see a lot more of in future. It neatly ties together a number of trends that we've been talking about to clients at Nullcube for years:

  • The worm as a targeted delivery platform. Stuxnet spread indiscriminately, waiting until it infected its intended target before springing into action. This is a marvelous delivery platform with excellent deniability. When executed with flair - using multiple previously unknown vulnerabilities, spreading through both physical media and networks - it can be incredibly hard to defend against. Look for a Stuxnet-like worm that exfiltrates data from targeted systems next.

  • Internet security is a national concern. There's a tendency to view the Internet as an internationally homogeneous network. Stuxnet makes it (even more) clear that the Internet is a domain for contest between nation states, and that national differences in security readiness and technology populations matter. Look for more direct government involvement in tracking and improving the security of local networks. I suspect we'll also see the rise of national perimeter defenses in some countries in the next few years.

  • Embedded systems are a target. Embedded systems are everywhere, are often ignored when security is considered, and are opaque, difficult to inspect, and difficult to monitor. This is a malware nirvana. Whether they are directly or indirectly connected to a network, embedded systems are a target. My prediction: soon, we'll see a Stuxnet-like worm that spreads directly from embedded system to embedded system, most likely affecting DSL modems. In fact, we've already seen a clumsy precursor of this in Psyb0t, discovered at the beginning of 2009.

There's a lot about this incident that we will most likely never know. We're unlikely to find out who's behind Stuxnet (although Israel and the US seem to be the only real possibilities). We're unlikely to find out if Stuxnet ever repaid the immense technological capital its creators invested. But we do know that it's a sign of things to come.