Monday, December 13, 2010

Stuxnet Secrets

Ralph Langner has an interesting post on his blog that discusses his recent interview with Dale Peterson over at DigitalBond. In that post, Ralph makes an interesting claim about why the DHS ICS-CERT people have not been more forthcoming about the research they have conducted on the Stuxnet malware: he says the reason is that the information is classified. In fact, he says the fact that it is classified is, itself, classified. He says the reason everything is so classified is that disclosing the classification of the research “would be evidence for US participation in Stuxnet.”

Now I have gone back and re-read Ralph’s words a number of times, and he never really says that the ICS-CERT people had anything to do with the development of the Stuxnet worm, just that their post-release research is classified. I don’t know how Ralph reaches this conclusion; he doesn’t say.

Classified Information

Before I go any further, let’s talk a little about classified information in general. First, there are a number of different reasons that something might be classified. Generally speaking, information is classified because its release could jeopardize national security.

The reason for that can be quite apparent. For example, the codes used to transmit classified information must themselves be kept classified; failure to do so could allow someone to decode the traffic. Most often it is the encryption keys that are classified, while the general method of applying the keys is less critical. This is the long-standing principle in cryptography that the security of a system should rest on the secrecy of the key, not on the secrecy of the method.

The military used to use (and may still use) an authentication table to allow individuals to prove they were the good guys when transmitting information in the clear. How the authentication table was used was not classified; it was taught to every soldier in basic training. The actual tables, which changed every day, were classified.

Now other types of information are even more sensitive: the very existence of the information is vital to national security. The classic example from World War II is the development of the atomic bomb. The very existence of the Manhattan Project was a carefully protected secret. Once the first weapon was used against Japan, the existence of the program was no longer classified; that loud noise, fire, smoke and destruction were just too hard to plausibly deny. The methods of making the modern counterparts of those weapons remain classified today, but not the existence of the weapons programs themselves.

Now if it was a nation-state that developed the Stuxnet malware (suspected, but not known or proven), then it would have a very real national security reason for hiding that development. Even after the malware was deployed, it would be in that state’s best interest for its involvement to remain classified. It would make it harder for the targeted entity to demand reparations or apologies, or to seek retribution for the ‘dastardly sneak attack’.

ICS-CERT and a Stuxnet Secret

I don’t have any contacts at ICS-CERT, so there is no way for me to know how true this claim of Ralph’s is. If I were to ask them as a blogger/reporter, I know what answer they would be required to give me if they did do classified research (which I suspect they might). They would be required to say something to the effect of the classic ‘we can neither confirm nor deny’. Anyone who has handled classified information knows the reason for that answer, but let me lay it out by looking at the possibilities.

It’s not classified: if the facility does any classified work, it cannot confirm that something is not classified when asked a question like this. If it did, and the same question were later asked about a project that is classified, its inability to say that the second project is not classified would become confirmation that it is. Even if the facility does not currently do classified work, the potential for doing classified work in the future would still require the ‘neither confirm nor deny’ response.

SIDE NOTE: They could of course lie, but lying is almost always counter-productive. It is almost always discovered, and the lie ends up being more damaging than revealing the classified information would have been. Besides, few people can really lie effectively.

It’s classified: the development of a cyber weapon directed at critical control systems would certainly be classified, and you never confirm or deny the existence of such a weapon system while it is in development. Once it is deployed, a country would want to deny that it had that capability in order to avoid retaliation. One would disclose the existence of a weapon that relies on a certain amount of stealth only after its existence was widely known and clearly traced back to the attacker. Then you just try to keep the details of the weapon system secret.

With cyber warfare becoming ‘the obvious next battlefield’, everyone must assume that the ICS-CERT people are or will be looking at the development of control system cyber weapons, at defeating such weapons, or both. Even if they were working only on defensive measures, I would keep that information classified. The line between offensive and defensive capabilities in advanced-technology weapons is very hard to draw, and any properly paranoid enemy would have to assume that a defensive lab was actually producing weapons; that, in turn, would push the enemy to work on a similar weapon of its own.

Alternative Explanation for Secrecy

There is a very plausible alternative reason for a lab like ICS-CERT to keep its research on Stuxnet unpublicized. As Ralph himself has so clearly pointed out, the Stuxnet work has exposed a couple of major vulnerabilities in the Siemens control systems and, in fact, in any control system using modern PLCs. More importantly, Ralph has pointed out that there is currently no real way of preventing exploitation of these vulnerabilities once access to the control system has been gained.

Now, if ICS-CERT has located additional vulnerabilities in its research into the Stuxnet malware, it has long maintained that it would not disclose such vulnerabilities until it had a chance to work with the vendor to come up with a counter to that vulnerability. This is done to keep the ‘bad guys’ from using those uncorrected vulnerabilities against systems that could not otherwise be protected. ICS-CERT has also said that it would not depart from that non-disclosure rule unless exploit code was found to be available in the public domain or in use in the wild.

Even with people like Ralph and Symantec describing the attack code in Stuxnet, ICS-CERT could use this internal non-disclosure policy to justify not talking about those vulnerabilities beyond the generalities it has posted on its web site. Again, it would be concentrating on working with vendors like Siemens to figure out a way to defend against the vulnerabilities. Once those mitigation and prevention strategies were developed, we would expect full disclosure of the vulnerability as well as the fix.

The ICS-CERT non-disclosure policy is not the same as the information being classified, though the practical effect may be the same, at least initially. It is nowhere near as bureaucratic as the security classification procedures. The managers at ICS-CERT can, under this policy, change the disclosure status of a particular vulnerability with a simple verbal order. A bureaucratic declassification procedure is not required.

Non-disclosure or Classified?

So which is it? Is a non-disclosure policy directive or a security classification preventing the ICS-CERT lab from disclosing the results of its investigation into the Stuxnet malware? Or is it simply a matter of a less than competent investigation not revealing anything worth discussing (as some writers have suggested)?

Personally, I seriously doubt the latter; I have no data to support that, it is just my opinion. Similarly, I have no data available to weigh in definitively on either of the other two alternatives. I would like to think that it is simply the non-disclosure issue controlling the current situation. There are too many problems with Stuxnet as a weapon for me to want to suspect that the ICS-CERT people had anything to do with cooking it up.

Of course, I have been forced to use too much poorly designed military equipment to say that we couldn’t have designed and deployed Stuxnet. I would just like to think that a research organization we have to rely on to help protect our control systems would do a better job of designing a stealthy attack program. It’s not necessarily a rational desire on my part, but it is there.
