
Posts Tagged ‘cyberwar’

stuxnet – effort and payout

Tuesday, October 5th, 2010

There’s been a ton of speculation on Stuxnet so far, much of it seeming to indicate that this was created by a state actor. Most people have pointed at the incredible levels of effort that went into creating it. However, people are forgetting that many recent malware attacks, including Zeus and Conficker, have had the title of “most complex ever” bestowed upon them as well. It seems natural that malware and computer attacks will only continue to get more complex. Complexity alone does not indicate a state actor.

What people aren’t saying (but I have a feeling many people sense it intuitively without stating it) is that the lack of monetization combined with the effort is indicative of a state actor being behind the Stuxnet worm. Zeus and Conficker were easily monetized, which explains the effort involved – people (perhaps many people) worked hard to create something to make them money. If they needed an exploit, one could be purchased with the hope that they’d recoup the costs later. The fact that Stuxnet seems to do something (but we don’t know what), and doesn’t seem to be easy to monetize, certainly seems to indicate a non-criminal motive. Since we haven’t seen many other players in this space with significant resources other than criminals and governments, government becomes the natural suspect.

As for the target of Stuxnet, Iran has the most infections, but that could very easily be coincidence. So far there’s no evidence at all that Iran, or anyone else, was a specific target, and we’ve had a simple case of the media continuing to report on each other’s reporting. There are so many reasons that Iran could have more infections that I can’t even count them all. Perhaps Iran doesn’t have great antivirus adoption rates. Perhaps the first few infections simply happened to be there. Perhaps this was made by Iranians. Viruses are inherently untargeted, so trying to guess at a target based on the geographical location of infections is speculative at best. However, since no one has any better theories, the media echo chamber will continue to promote this until people assume it’s true, whether or not it really is.

Georgia attacked in cyberspace first

Wednesday, August 20th, 2008

As a follow-up to my previous post about cyber-war, it looks like the cyber-attacks against Georgia started before the Russian invasion. Although interesting, it doesn’t change the basic concept of cyber-war very much. The initial attacks garnered little attention until they were combined with conventional kinetic warfare. The reason is simple – cyber-war, on its own, doesn’t do a whole lot.

Cyber war

Thursday, August 14th, 2008

In the spring of 2007, the world’s first real cyber-war commenced. Now, with hostilities in the same area of the world flaring up again, we appear to have the world’s second cyber-war. Although the history of cyber-war is still very new, it is interesting to note that in the first case cyber-war was performed in the absence of state-sponsored military action, while in the second case it only supplemented the tanks, guns, and bombs that go along with conventional warfare. In the former case the damage may have been swift and shocking, but it was also temporary and somewhat ephemeral. No lives were lost, no infrastructure was permanently crippled. (There are however a lot of lessons learned – the postmortem interview with Estonia’s secretary of defense is highly recommended.) In the latter case, the war seems to be having serious geopolitical ramifications, but the effect of the cyber-attacks is as yet unclear. All that we can currently say for certain is that it has helped to weaken the Georgian PR machine, which in this era of 24-hour news cycles, UN resolutions, and the more globally connected world, is more important during wartime than ever before. What the future of cyber-war entails I clearly can’t tell for certain, but I do have a feeling that it can’t stand on its own. Cyber-war may get people’s attention, force societies to alter how they function in the short term, and annoy people who can’t check their bank balances, but it doesn’t have serious geopolitical implications when it stands on its own. Cyber-war works best when it works in concert with conventional warfare.

 