October 1, 2010

Stuxnet and the Tech World

Alright, so, Stuxnet. If you haven’t already heard about it, it’s the hot (tech) topic of the day, and it’s pronounced just like you think [stʌksnέʔ]. Stuxnet is a computer worm, a piece of malware that was apparently engineered to target energy infrastructure systems. It’s been reported in India, Pakistan, Indonesia, and most notably Iran.

I won’t discuss the ethical or political implications of Stuxnet and the imitators it’s sure to inspire, nor will I talk about Myrtus or 19790509 embedded in the code. I will, however, touch upon the technical implications of the worm and what it means for the computing world, including the job market.

First, the nature and scope of Stuxnet’s architecture seem to indicate the work not of a single individual or even a handful, but of a highly organized team of developers. Imagine your team, or a team you’ve seen: a team of 10 developers, maybe with some pair programming for specific functions. Now picture that team of highly intelligent developers creating a complex and sophisticated piece of engineering explicitly for the purpose of infecting computer systems. This is a significant escalation in the production process, in the ‘malware arms race’ as it were (you’ll notice that the words used in the press and online to describe malware are the same as are used to describe nuclear weapons).

What does this mean for the tech industry? Time to invest in Symantec*. Or start studying computer security. If the offensive side of malware production has kicked it up ten notches, then the defensive side is sure to attempt to catch up. For every one virus that’s out there, there are hundreds of companies with systems and databases that they’d like to keep secure. And now that malware is targeting not only software but also industrial control systems, there are going to be lots of companies out there who’ll be willing to pay more to keep their systems secure. And companies like Symantec are going to have to adjust (probably in size, certainly in sophistication) to keep up with these new technological demands.

Second, Stuxnet infects not only systems connected to the internet and internal networks, but also isolated systems via USB drive. Turns out all those spy movies and TV shows where someone like Sydney Bristow or Michael Westen breaks into a secure facility and then all they have to do is insert a thumb drive into a computer to steal files or plant a virus are more accurate than I usually give them credit for.

What does this mean for you? If you work in a secure facility (whether it’s for the military or for an investment bank or a pharmaceutical company – any facility with information on the inside that isn’t supposed to be on the outside), and you see a USB drive in the parking lot or in the lobby, don’t put it into your computer. Curiosity not only killed the cat, but it also shut down the uranium enrichment facility. If you just can’t stand the suspense, do it on your personal, isolated, not-connected-to-anything laptop, and then be prepared to clean and patch it diligently.

What will the actual consequences be? Only time will tell. But this will probably go down as a significant moment in the history of malware, and is certainly a significant moment right now for the field of cybersecurity.

*Disclaimer:
This is a technology blog, not a finance blog. Please take any financial advice presented here with a grain of salt and at your own risk.
