Although Stuxnet infected thousands of machines in friendly nations, it was written by cautious “professionals” who minimized collateral damage, Kaspersky said at the Billington Cybersecurity Summit at the National Press Club. The knock-off versions by others will be much less discriminating, he added.
To show how quickly computer attacks can proliferate, Kaspersky said an electronic assault that disabled thousands of computers at Saudi Arabia’s Aramco in mid-August had followed a separate infection reported by an Iranian oil company a few months ago.
Mounting a defense against nation-sponsored attacks will be extraordinarily difficult, Kaspersky said, as it requires new operating systems designed to manage equipment at crucial facilities. He said stopping criminals and terrorists who will adopt the same techniques would take strong international cooperation and deeper monitoring of the Internet, which many oppose on privacy grounds.
“We need to upgrade our understanding that the world is different,” Kaspersky said. “We need to pay more attention to the critical information technology security issues.”
Yet Kaspersky and Hayden said international treaties or even nonbinding agreements were nowhere in sight.
What is more, Hayden said, both the divided U.S. Congress and even different agencies within the executive branch have failed to reach a consensus on fundamental concepts, in part because the issues are still so new.
A Senate bill backed by President Barack Obama would have set voluntary cybersecurity standards for critical plants and allowed for greater information-sharing between intelligence agencies and private companies. But the bill encountered opposition from both the U.S. Chamber of Commerce, which objected to additional regulation, and the American Civil Liberties Union, which was worried about privacy issues.
The White House is now developing an executive order that would not go so far, but it still wants more powerful laws.
Even inside the administration, Hayden said, the Defense Department has defined cyberspace as a warfare domain that it must “dominate,” while the Department of Homeland Security has publicly disagreed.
A core problem is that the same communications networks are used both for military operations and civilian transactions, which are protected from unreasonable searches.