Stuxnet and Flame: Operationally Coherent?

There has been some debate about the similarities and differences between Stuxnet and Flame amongst the “Cyber Press”.  Speculation has been rife about the new “Cyber Weapon” to hit the public eye.  A number of commentators have noted that where Stuxnet was a weapon, designed to have a detrimental effect on its targets, Flame is clearly “only” a sophisticated intelligence gathering tool.  Some have suggested that it is not, therefore a weapon.  This view is understandable, but somewhat innaccurate.

Regardless of who initiated, created, resourced or deployed either tool, they both play an important  part in the cyber operations spectrum.  We must understand the entire context in order to understand where they fit..

Most practitioners see “Cyber Operations” as comprising three principle areas:

  •  Defence – which comprises the bulk of traditional information security and assurance activity.  In simple terms, Defence is an activity which seeks to counter exploitation or attack.
  • Exploitation – Preparatory activity undertaken, often covertly, to gain information or to create conditions for subsequent activity.  Exploitation activity effectively “farms” affected infrastructures.
  • Attack – Activity undertaken to achieve a specific effect – whether it involves destruction, disruption, denial or disclocation of target assets (whatever they may be).

Clearly there may be blurring or overlap between the various areas, and in some cases, exploitation may never evolve into attack, as is often seen with many traditional hacking scenarios.  A valuable information feed will often dry up if the attack  is discovered.  In many situations; exploitation is “the endstate”.  This is not a new concept; supported by much traditional warfighting doctrine.

We must also be aware that for most of us, Cyber operations involve the first area; defence.  Exploitation and Attack being largely illegal in many countries fall within the realms of the criminal and national defence communities.

To  strip away the hyperbole:

  •  Both Stuxnet and Flame are highly sophisticated tools, which appear to be well resourced at a high level.
  • Flame is a covert tool that was designed to gain information and to create conditions for subsequent operations across a wide spectrum.
  • Stuxnet was designed to have a direct targeted effect on a particular type of system.  It was not unmasked till it started delivering its effect.

Both have clear roles within the cyber operations spectrum.  It is probable that other similar tools and toolsets are out there, in addition to those known to be deployed by the criminal and security communities.

It may also be wise to assume that because an attack has not been identified, it does not mean that an infrastructure or system has not been compromised.  Whoever deployed them, Stuxnet and Flame both fill entirely coherent roles in the cyber spectrum.  We must assume that they are not the only compromises out there, whether we can see them or not.

In summary, it is critical that as organizations and individuals we keep a clear picture of what information assets we hold, what they are worth to us (and to an attacker) and ensure that we are deploying appropriate protective measures.  The Information Battlefield is active and contested.  Directly or indirectly, we are all either potential players or victims either whether we like it or not.  We must keep actively engaged, and encourage those around us to do the same.

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.

Posted 6 years ago on · Permalink