British Stuxnet could have unintended fallout, government admits

The risk of state-sponsored malware escaping into the wild is 'something we've got to live with', the Cabinet Office has said, as MPs push for the UK to build its own Stuxnet-like software

Stuxnet and other state-developed malware could hit unintended targets, the government has acknowledged, as MPs urge the UK to build its own attack software.

The risk of UK government-developed malware getting into the wild is 'something we've got to live with', the Cabinet Office has said.

UK intelligence agencies and the military should create malware like Stuxnet to launch at adversaries and to access the systems of countries trying to hack the UK, the Intelligence and Security Committee (ISC) said in a report (PDF) last week.

However, Stuxnet escaped into the wild and hit businesses in the US, Iran and Indonesia, as well as the specific Iranian nuclear systems targeted by its makers , the US and Israel.

This type of unintended consequence is to be expected with government-developed malware, the Cabinet Office told ZDNet.

"[Malware] escaping into the wild is something we've got to live with, with the internet," a spokesman for the Cabinet Office said on Tuesday.

'Blow back'

One risk is that any new government-developed malware may not be as carefully written as Stuxnet, according to Cambridge University security expert Richard Clayton.

"A useful parallel is chemical and biological weapons," he said. "Once you release it into the environment, it tends to hang around for a long time, and may blow back over your own troops."

In addition, malware samples on the internet can be dissected by any researcher and may be used by cybercriminals for their own ends, he noted.

"It makes the world a bit more dangerous," Clayton said. "A lot of people spent a lot of time pulling [Stuxnet] apart, and they may engineer what they find for less noble objectives."

Pre-emptive strikes

MPs on the influential security committee also recommended that British intelligence and defence agencies should use hacking and other cyber-techniques to misdirect enemy countries. For example, in a military conflict, the UK should destroy data, networks and systems, it said.

"While attacks in cyberspace represent a significant threat to the UK, and defending against them must be a priority, we believe that there are also significant opportunities for our intelligence and security agencies and military which should be exploited in the interests of UK national security," said the ISC.

However, security company LogRhythm warned that government hacking may be "a step too far".

"Rather than engaging in such antagonistic pre-emptive cyberattacks — which would no doubt only incite more damaging and sophisticated attacks on the UK's cyber-infrastructure — the move to an 'active defence' system simply requires truly proactive protection of Britain's own networks," the company said in a statement.