May 31, 2012 By Larry Karisny
In Florida I have a friend who is a park ranger who does controlled burns in hope of curtailing any large park brush fires. This may be similar to how the new virus Flame is being used. Like any controlled burn, however, there are risks of the fire getting out of control.
We need to come to a consensus on cyberwar. It has officially started and the weapons are improving. The new computer virus nicknamed Flame, also known as Flamer, sKyWIper, Skywiper and Stuxnet 20, is many times worse than its predecessors. It has the capability of specifically attacking its targets and evading detection.
Based on its predecessors Stuxnet and Duqu, Flame can spread to other systems over a local area network (LAN) or via USB stick. It can record audio, screenshots, keyboard activity and network traffic. The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices.
These data, along with locally stored documents, are sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers.
Taking away the sociological and political ideologies of whose side we are on in cyberwar, the recent cyber attacks demonstrate the current vulnerability of our legacy security solutions. What Flame is doing in targeted Middle East attacks can be done in other countries, even the ones releasing the attack. There is a first response advantage but the technical nature of computer virus propagation could leak the virus to unintended areas as did Stuxnet. Playing with these vulnerabilities is like playing with fire.
At a recent conference in Orlando, Florida, UTC Telecom 2012, the consensus of those who were somewhat involved in cyber security was that there clearly is no 100 percent capability of securing even our critical infrastructure. This concern was further emphasized when keynote speaker Mark Weatherford, deputy undersecretary for cybersecurity for the National Protection and Programs Directorate (NPPD) at the Department of Homeland Security, asked who felt competent in knowledge of cyber security. One or two hands went up out of 500 in the audience. Weatherford responded by saying we need to prepare our workforce and find talent "to prepare the next generation for cybersecurity. Gaps in talent means gaps in security."
Even the Department of Defense is recognizing the need for forging private-industry partnerships on cybersecurity. This makes sense when the Internet and much of the experience behind it will be found in the private sector. There is a clear issue though, for those who have pursued DOD cyber security jobs or partnerships. That issue is secret and top secret clearance. There needs to be a better way to address needed background checks than the current clearance procedures.
A person with secret or top secret clearance may have little experience in cyber security, while a person with tremendous experience in cyber security may have no ability to quickly and economically obtain secret or top secret clearance.
We are faced with some tough decisions as they relate to cyber security, with few if any quick decisions. With a limited cyber security workforce and clear cyber security vulnerabilities, it seems time to look for new security solutions rather than playing with the appropriately named Flame virus. We can't continue to patch cyber security while thinking we can manipulate these vulnerabilities in targeted cyber attacks. This could backfire, and already has. We have to minimally overlay new security protection or wipe the slate clean and look for new ways of addressing cyber security, or this controlled Flame may get out of control.
Larry Karisny is the director of Project Safety.org, a smart-grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.
Two remarks: I believe we can only speak of cyberwar when there is a formal declaration of war. Cyber attacks that steal information or damage property should be considered as a criminal act without such a declaration, and those responsible should consequently be prosecuted for these actions. This article seems to suggest that an attack on ME countries is different from an attack on "western countries". I believe this suggestion is a mistake. If the Stuxnet, Duqu, Flame malware is developed by western nation states, as often suggested, then these nations make a big mistake because it creates a breach of trust. Trust that is the base for the delivery of equipment for these countries' NCI. NCI that is essential for the world's energy supply.
Sihoko. The "We" I referred to were Cyber Security Professionals not a particular Nation State or Hemisphere. As you see by my linked Budapest University of Technology and Economics reference in the article, cyber security and its potential breaches are a global issue. Thank you for your comment.
Larry, thanks for clarifying this point. I am missing a bit the protest of the security community. Malware such as Stuxnet, Duqu, and Flame seem to have a definite nation state mark. And I don't think they contribute to our safety and security. But apart from widespread admiration on the complexity of this malware everyone seems to accept it can't be stopped. If this malware originates from a nation state out of the democratic hemisphere, it can be stopped and we should do so.