Stuxnet smart, but stupid, says MP

Stuxnet 'tactically smart but strategically stupid', says David Davis, MP for Haltemprice and Howden, former Minister of State at Foreign Office

Stuxnet was tactically smart, but strategically stupid, says David Davis, MP for Haltemprice and Howden and former minister of state at the Foreign Office.

“While the attacker has the first-mover advantage, Stuxnet delayed the Iranian nuclear programme by only three months, yet revealed what Western powers are willing to do,” he told the ISSA London 2013 European Conference.

The unintended consequences of actions involving complex systems are not always fully understood by politicians, said Davis, noting that after just a few months in office, US President Barack Obama signed an executive order to accelerate actions to counter Iran.

“It has since emerged that this included developing and deploying Stuxnet,” he said.

Davis said he doubted Stuxnet would have taught the Chinese much, but there are other less sophisticated cyber actors that it will have taught a great deal.

“There is a very real danger that such cyber weapons can be adapted and used against those who developed the original,” he said.

This concern has been echoed by Howard Schmidt, former cyber security coordinator for the Obama Administration, and Eugene Kaspersky, founder and CEO of security firm Kaspersky Lab.

Speaking at the Kaspersky Cyber Security Summit 2013 in New York, Kaspersky said governments must understand that cyber weapons are extremely dangerous and have to agree not to use them.

Schmidt said any government that creates a cyber weapon in the belief that it will not be discovered, reverse-engineered and used against it is “playing with fire”.

Davis said governments would do better to concentrate on developing defensive capabilities in cyberspace.

He said the UK government would also do better to fight cyber crime than to increase its capability to monitor the electronic communications of its citizens.

The final version of the controversial Communications Data Bill has not even been printed yet, but the government has already committed to spending £400m on it, said Davis.

“It would be better if just 50% of that could be redirected to fighting cyber crime,” he said.

The draft Communications Data Bill, which has been criticised by MPs, technologists and human rights groups, could serve only to further swamp the UK’s anti-terror capability, said Davis, noting that security agencies failed to pick up the 7/7 bombers because they were monitoring 2,000 other people.

“These people were known to at least two security agencies and had talked about the planned bombing [on 7 July 2005 in London], but they were overlooked,” he said.

According to Davis, the government needs to ensure that it has the right capability to deploy against real threats, rather than illusory threats.
