Home / Blogs

Flame On!

Here we go again; another instance of really sophisticated spyware has been reported, a system that is “so complex and sophisticated that it’s probably an advanced cyber-weapon unleashed by a wealthy country to wage a protracted espionage campaign on Iran”. I won’t get into the debate about whether or not it’s really more impressive than Stuxnet, whether or not it’s groundbreaking, or whether or not Israel launched it; let it suffice to say that there are dissenting views. I’m more interested in the implications.

The first take-away is that this is the third major piece of government-sponsored malware that has been found, after Stuxnet and Duqu. All three were out there for quite some time before they were noticed. If there are three, there’s no reason to think there aren’t more. Like any other covert action, the most successful cyberattacks are never found, and hence never receive any publicity. (There’s an important reason for this: while defense against the generic concept of cyberattack is hard, defending against a known piece of malware is relatively straight-forward; this is what antivirus companies do for a living. They’re not perfect, but by and large their systems work well enough.)

The second important point is that these three were found by commercial antivirus firms. This is perhaps not surprising, since all three apparently targeted countries that aren’t at the top of anyone’s list of highest-tech places. Government-grade malware targeting major powers—the U.S., Russia, China, Israel, Japan, much of Western Europe, etc.—would be much more likely to be analyzed by an intelligence agency; unlike commercial firms, intelligence agencies rarely publish their analyses. In other words, we don’t know how many other pieces of militarized malware have already been found, let alone how many others haven’t been detected yet. We do know that the US, Russia, and China regularly charge that others have been attacking their computers. (There’s been a lot of publicity about the attack against RSA, but almost no technical details have been released, unlike Stuxnet or Flame.)

Third, and most important: in cyberattacks, there are no accepted rules. (Some issues are discussed in a new New York Times article.) The world knows, more or less, what is acceptable behavior in the physical world: what constitutes an act of war, what is spying, what you can do about these, etc. Do the same rules apply in cyberspace? One crucial difference is the difficulty of attribution: it’s very hard to tell who launched a particular effort. That in turn means that deterrence doesn’t work very well.

It may be that these changes are for the better; according to that NY Times article, Stuxnet was seen as less risky than a conventional military operation. But we don’t know that, we don’t know the rules, and we don’t know how long it will take for a new world consensus to develop. We also have to face the fact that cyberweapons are a lot easier to develop than, say, nuclear bombs or ICBMs. While al Qaeda is not going to develop cyberweapons of the grade of Stuxnet or Flame any time soon—it’s not as easy to do as some scare stories would have you believe—it is far from clear that the defenses of, say, a water plant are as good as those of the Natanz centrifuge plant.

There needs to be a national and international debate on this topic. No one is going to supply details of their operations or capabilities, but the simple fact that they exist isn’t and shouldn’t be a secret. Basic US nuclear doctrine has never been concealed; why should this be different?

By Steven Bellovin, Professor of Computer Science at Columbia University

Bellovin is the co-author of Firewalls and Internet Security: Repelling the Wily Hacker, and holds several patents on cryptographic and network protocols. He has served on many National Research Council study committees, including those on information systems trustworthiness, the privacy implications of authentication technologies, and cybersecurity research needs.

Visit Page

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Threat Intelligence

Sponsored byWhoisXML API


Sponsored byDNIB.com


Sponsored byVerisign

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign