British Stuxnet could have unintended fallout, government admits

British Stuxnet could have unintended fallout, government admits

Summary: The risk of state-sponsored malware escaping into the wild is 'something we've got to live with', the Cabinet Office has said, as MPs push for the UK to build its own Stuxnet-like software

SHARE:

Stuxnet and other state-developed malware could hit unintended targets, the government has acknowledged, as MPs urge the UK to build its own attack software.

Malware
The risk of UK government-developed malware getting into the wild is 'something we've got to live with', the Cabinet Office has said.

UK intelligence agencies and the military should create malware like Stuxnet to launch at adversaries and to access the systems of countries trying to hack the UK, the Intelligence and Security Committee (ISC) said in a report (PDF) last week.

However, Stuxnet escaped into the wild and hit businesses in the US, Iran and Indonesia, as well as the specific Iranian nuclear systems targeted by its makers, the US and Israel.

This type of unintended consequence is to be expected with government-developed malware, the Cabinet Office told ZDNet.

"[Malware] escaping into the wild is something we've got to live with, with the internet," a spokesman for the Cabinet Office said on Tuesday.

'Blow back'

One risk is that any new government-developed malware may not be as carefully written as Stuxnet, according to Cambridge University security expert Richard Clayton.

"A useful parallel is chemical and biological weapons," he said. "Once you release it into the environment, it tends to hang around for a long time, and may blow back over your own troops."

In addition, malware samples on the internet can be dissected by any researcher and may be used by cybercriminals for their own ends, he noted.

"It makes the world a bit more dangerous," Clayton said. "A lot of people spent a lot of time pulling [Stuxnet] apart, and they may engineer what they find for less noble objectives."

Pre-emptive strikes

MPs on the influential security committee also recommended that British intelligence and defence agencies should use hacking and other cyber-techniques to misdirect enemy countries. For example, in a military conflict, the UK should destroy data, networks and systems, it said.

"While attacks in cyberspace represent a significant threat to the UK, and defending against them must be a priority, we believe that there are also significant opportunities for our intelligence and security agencies and military which should be exploited in the interests of UK national security," said the ISC.

However, security company LogRhythm warned that government hacking may be "a step too far".

"Rather than engaging in such antagonistic pre-emptive cyberattacks — which would no doubt only incite more damaging and sophisticated attacks on the UK's cyber-infrastructure — the move to an 'active defence' system simply requires truly proactive protection of Britain's own networks," the company said in a statement.

Topics: Security, Government UK, Malware

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

7 comments
Log in or register to join the discussion
  • Put a kill switch in it.

    Give it an expiration date or a cpu cycle lifetime.
    Programmer1028
    • Couldn't they just be rewritten out?

      While keeping the most impressive parts intacts?
      William Farrel
  • Nailed it

    Quoted at the end of the article:
    "Rather than engaging in such antagonistic pre-emptive cyberattacks — which would no doubt only incite more damaging and sophisticated attacks on the UK's cyber-infrastructure — the move to an 'active defence' system simply requires truly proactive protection of Britain's own networks,"

    Also, a rational foreign and military policy would help to keep attacks to a minimum. As it is, the West led by the U.S., is poking 4-foot sticks into hornets nests all over the planet. And, if there are no hornets nests, will gladly create them first.
    Rabid Howler Monkey
    • Actually it's a 5'4" stick

      The AGM-114 Hellfire is 64 inches long not 48...
      T1Oracle
  • Stuxnet is a Windows problem

    Us linux users are safe :-)
    T1Oracle
    • Of course you're safe

      it's not like anyone would trust uranium enrichment to a Linux based system. :-)
      William Farrel
  • YAFW

    however, it's not like->wise anyone would trust uranium enrichment to a Linux->Windows based system... as Stuxnet has proven this in an excellent way. BTW both mentioned platforms have an EAL4 level assurance. I feel this is too few for that purpose.
    Emmerich Bartfelder