One of the most worrisome threats in cyber security are independent hackers reverse-engineering potent high-end cyber weapons and espionage tools like Stuxnet, Flame and Gauss, and then unleashing them into the global ecosystem, according to IT security expert Eugene Kaspersky, founder of Kaspersky Lab.
While sophisticated cyberweapons like Stuxnet -- designed to pass benignly through computers until it reached its exact target, the industrial-control systems at Iran's Natanz uranium enrichment facility -- likely cost millions to produce at the hands of state-backed software engineers aided by sophisticated intelligence networks, they are relatively easy to copy once in the wild.
and Gauss are more recent cyber espionage tools capable of gleaning a host of information off a victim's computer, such as screenshots, keystrokes, passwords and location information. Both worms infected thousands of computers in the Middle East in the last year.)
Kaspersky worries that the clones these copycat hackers produce won't be nearly as accurate as guided cybermissles like Stuxnet, meaning that they could infect and damage facilities far beyond their targets.
Speaking at a cybersecurity conference in Washington Thursday, Kaspersky noted that cyberweapons have certain unique attributes that make them dangerous. "The difference between traditional weapons and cyber weapons is that it's not possible to [re]assemble a cruise missile after it has been used," he said. "Cyber weapons are different" because the victims "can learn from" weapons used against them.
A cyberattack aimed at Saudi Arabian oil giant Saudi Aramco in August bore a striking resemblance to attacks against Iranian oil interests in April, Kaspersky said. Although he cautioned that he had no proof, he said it strongly appeared as if "hacktivists" had reverse-engineered the weapons that hit Iran -- possibly with the help of the Iranian government.
"There could be very random victims," he said, noting that "IT systems are everywhere."
"Stuxnet infected thousands of computer systems all around the globe, I know there were power plants infected by Stuxnet very far away from Iran," Kaspersky said.
A copy of a worm designed to wreak havoc on power stations or other facilities controlled by SCADA systems
-- as Stuxnet did -- built by amateurs could wrongly infect the control systems of a nuclear power plant.
"Stuxnet was made by very professional people and Stuxnet hit only the station that was the exact target," Kaspersky said. "What about mistakes? What about engineers that are not so professional developing [copied] malware which is not able to recognize an exact target [the way Stuxnet did]?"
Kaspersky told Killer Apps after his talk that it would be easy to "hijack" new cyberespionage tools like Flame and Gauss and put virtual "warheads" on them, turning them from the most potent cyberspying tools ever seen into actual weapons capable of causing damage in the physical world, in the same vein as Stuxnet.
Making matters worse is the burgeoning market for sophisticated software exploits that are sold among hacker networks, known colloquially as "zero-days."
"There's a growing black market for zero-day attacks, which is the exact type of thing you need to inflict major damage on the networks," Eric Rosenbach, deputy assistant secretary of defense for cyber policy told Killer Apps earlier this month. "Because there's an active black market for it, it's likely to expand, so it's something we need to get our arms around as a country."
"That would be a whole of government effort" with the "heavy involvement" of the FBI and the Department of Homeland Security, Rosenbach added.
New, more secure operating systems for critical infrastructure such as power plants could bolster U.S. defense against cyberattacks. But such an approach would be costly, and there will always be someone somewhere who is devising a way around new defenses, analysts say.
Kaspersky argues that the best way to combat the threat of increasingly sophisticated hackers is international agreements on the use of cyberweapons and cooperation in hunting down cyber criminals.
"Governments can talk to each other. Governments can agree not to use" certain cyberweapons, Kaspersky said.
"In the future ... will be a very big demand for international [cooperation] to recognize who is behind attacks, to find the Internet terrorists before they do action," Kaspersky said. "This is a place for intelligence [agencies], it's a place for international [cooperation], and a place for IT contractors to assist."
Easier said than done, says Rosenbach.
"There are several countries right now that are very aggressive in cyberspace and are likely trying to create norms [of cyberspace behavior] that would be unstable for the international community because they are so aggressive," Rosenbach said. "It's still not completely clear what's acceptable and what's not acceptable and several nations different than the United States have very aggressive notions of what's acceptable."
The Pentagon is pushing for the international community to adopt cyber norms based on the rule of armed conflict; this is where the United States is meeting resistance, especially from Russia and China, according to Rosenbach.
"We look at cyber just like you would look at any other form of warfare or military operations," Rosenbach said. "So the law of armed conflict applies, and within that you can already interpret what would be acceptable in cyberspace. We don't have a lot of case history to back up the customary aspect of it in international law, but we think that the framework is already there."
Russia and China are focused more on controlling citizens' activities on the internet rather than limiting attacks on nations' critical infrastructure, he said.
"There are other countries, the Chinese and Russians in particular, that don't think the law of armed conflict is the best framework to view these things through and they focus much more heavily on control of information than they do on the security of crucial infrastructure or preventing the destruction of networks."
Rosenbach went on to call this a "nonstarter."
"To say that your model of an international law for cybersecurity is based on controlling media content or what people can say about the government isn't something we're interested in at all," he said. "There are other areas -- in particular, the theft of intellectual property -- because that's a major problem for the United States right now, where there are very different ideas about what's acceptable and what's not."