First published: 30th September 2010
Allan Dyer
An article in today's South China Morning Post describes Stuxnet as 'world's "first cyber super-weapon"', but it seems to me that malware is much more like anti-personnel mines: cheap, dirty, and goes on injuring innocents long after the conflict they were deployed for has ended. True, Stuxnet is a shining example of sophistication, but it has still spread to thousands of systems across the world, including Iran, Indonesia, Germany, India, and now, as the Post reports, China. How many of those were the intended targets? The leading conspiracy theory is that Stuxnet was deployed, by a major Government, to damage Iran's first nuclear plant at Bushehr. Assuming this is true, what was the justification for the "collateral damage" to Chinese, Indonesian, German and India industrial plants?
Another parallel with malware is the list of countries that have not joined the Ottawa Treaty, which bans the use, production, stockpiling, and transfer of anti-personnel mines: United States, Russia and China. These states, that are arrogant enough to insist that they should be allowed to deploy indiscriminate weapons of dubious military value regardless of the humanitarian issues, are also accused of being most aggressive in the development of cyberwar: China for Operation Aurora and Titan Rain, USA for Stuxnet and Russia for network attacks in Estonia and Georgia. But, just like an unmarked mine, there is only circumstantial evidence of their involvement.
Enough of the metaphors, cyberwar's cost is merely economic. No malware has ever blown off a child's hand while they played.