January 18, 2011, 5:38 PM — ARLINGTON, Va. -- The ability of the Stuxnet worm to damage Iran's nuclear complex demonstrated, in a very public way, the capabilities of cyber weapons. That was not lost on the program team of the Black Hat conference, or its founder, Jeff Moss.
Moss, a security consultant who was appointed in 2009 to serve on the U.S. Dept. of Homeland Security Advisory Council, said some experts call Stuxnet the "first targeted cyber weapon attack," a declaration he takes issue with.
"I don't believe it is the first one - I think it is the first public one," said Moss. "I think it's the first one that we all get to talk about out loud."
Discussions about techniques that are used to mount offensive attacks are also becoming increasingly public, at least at the Black Hat conference held this week at a hotel two Metro stops from the Pentagon.
The conference has specific tracks that look at offensive cyberwar capabilities, which are broadly called "irregular tactics" and "Web skirmishes."
Moss said Black Hat added such tracks at the latest conference "for people who legitimately perform offense."
Sessions about offense have long been part of Black Hat conferences, Moss pointed out, but previously the subjects focused on using such tactics to test defenses. "Now (offense) has its own rules," he added.
Moss believes the public disclosure of these attacks is elevating the role chief security officers, who now have tangible incidents to use as evidence in explaining IT risks to CIOs and CEOs.
But much remains unsettled.
When Stuxnet sent some of Iran's uranium enrichment centrifuges spinning out of control, the attack served to broadly illustrate the vulnerability of control systems, such as those used in various parts of the world's electric grid.
Franklin Kramer, a former assistant secretary of defense in President Clinton's administration, said a cyberwar won't be limited to any one domain, and government will need a menu of responses to cyber threats.
The first response level could be diplomatic, and the second economic, said Kramer. A third level may involve a cyber or "kinetic" response, military-speak for possible military action.