Vulnerability Disclosure

Andrew Ginter has an interesting posting on his Control System Security Blog (also posted on the Findings From the Field blog) talking about public disclosure policies for discovered cyber vulnerabilities. This is a recurring topic in the cyber security community, but Andrew adds a new dimension to the discussion after looking at the latest discoveries made by Symantec about the Stuxnet worm. Those discoveries seem to point even more firmly towards Stuxnet being a cyber weapon targeted at Iranian nuclear processing capabilities.

Control System Vulnerability Disclosure

Andrew does a very good job of describing the standard debate between security researchers (those who discover vulnerabilities) venders (those who create and must fix vulnerabilities) and system owners (who might get attacked via the vulnerabilities). I’ll summarize briefly here (and the summary is my fault not Andrew’s):

● Researchers – want their discovery released so that they get full and open credit for their prowess in detecting vulnerabilities.
● Venders – want to keep vulnerabilities quiet as they make them look bad and they have to take people away from new product development to fix something that they have already sold.
● Users – want to know about the vulnerabilities, want them fixed, but don’t want anyone telling potential attackers how to get inside their systems.

Weapon System Disclosure

When a cyber weapon (like maybe Stuxnet) is involved, as Andrew points out, the problem becomes even more clouded. First off we, presumably, add a government or two to the mix of players. The first is the target government and the second is the targeting government. Their motivations in the disclosure debate are even more complex.

When a cyber weapon is covert the government wielding the weapons does not even want its existence disclosed as that would decrease the potential effectiveness. They certainly don’t want the detailed mechanisms of the weapons disclosed as this would make it easier to defend against. And they probably don’t want their identity as the weapon wielder disclosed; it could expose them to retaliatory attacks (and not necessarily cyber attacks either).

There are potential reasons that the targeted government would not want it disclosed that they were the target of a cyber attack. The disclosure of an attack almost requires a knee-jerk requirement for a retaliation; the more effective the attack the stronger the required response. If a government does not think that it has the where-with-all to mount an effective response, it might not want the attack exposed. Or it may want to use a period of non-disclosure for planning and mounting an appropriate counter attack. If it didn’t look like they knew they were being attacked, perhaps the attacker would be less diligent in looking for the counter-attack.

The innocent bystanders, in this case other control system owners not involved in either the attack from either side, also have a complex outlook about disclosure. At first it would seem obvious that they would want disclosure about the attack vector/method so that they could consider deploying defenses to defend their system from similar attacks. The argument against disclosure from this view point is a bit more convoluted, but still potentially very real.

Stuxnet is a large and convoluted piece of software. According to most commentors it required a lot of assets and knowledge to put together and deploy. The list of countries with the in-house expertise to construct this cyber weapon is fairly limited, by some estimates no more than a half-dozen countries; most of whom the United States considers friendly to our interests. That keeps us relatively safe against a similar attack, or at least common wisdom would seem to hold that point of view.

The problem is that ‘weapons’ like Stuxnet, once they are understood, are relatively easy to duplicate and modify; the hard work has been done. The key word there is, of course, ‘understood’. So, full disclosure here would almost certainly increase the number of countries (and potentially groups) that could file off the serial numbers and re-direct Stuxnet type weapons at whom ever they desired.

Pandora’s Box is Open

Unfortunately, Andrew’s valuable discussion is about two months too late. The details about Stuxnet that have been released by Langner and Symantec are almost certainly enough to increase the number of Stuxnet capable countries by a factor of at least two. The cyber weapon arms race has almost certainly begun and there is no non-proliferation agreement.

To make matters worse there is already an international arms market in existence for the ‘small arms’ in this weapons race. There is also a growing ‘small arms’ independent research establishment in existence supporting that arms market. Both will almost certainly realize that scaling up their research and weapons development to the industrial scale is not only possible, but certainly profitable.

We better start building better defenses quick. The offense always has the benefit in the arms race between offense and defense. We better not get too far behind.