A couple of days ago I came across (somewhat belatedly) an article by Robert M. Lee on Stuxnet and the Paradigm Shift in Cyber Warfare. You might consider the title a little overblown: Stuxnet doesn’t change everything, it merely encourages us to focus better on the likelihood and impact of infrastructure attacks, whether you call them cybercrime, cybersabotage, cyberwarfare or something else (I must admit that the current tendency to call every attack that could conceivably be state-funded “cyberwarfare” strikes me as unhelpful).
However, the article itself is interesting and reasonably accurate, and therefore a useful summarizing addition to the enormous corpus of work already published, with the added interest that it was written by a serving officer in the U.S. Air Force, though he is careful to point out that it doesn’t represent an official view.
The most serious reservation I have is with the implicit assumption that the “next Stuxnet” will be something similar, but not the same: Lee actually cites the claims of the Anonymous group as regards the Stuxnet code as an indication that the Stuxnet “weapon system” could be used to carry a very different payload. It could, of course, but the use of the same or similar base code would undoubtedly have restricted impact. While some SCADA sites continue to present difficulties in terms of patching and protection, it’s unlikely that there are many sites still seriously vulnerable to that base code.
Will there be another Stuxnet? Of course there will, if you mean will there be an incident that has similar implications. But it doesn’t have to be some sort of clone or variant. It doesn’t have to be a worm. It doesn’t have to be a malware attack at all, though malware does have advantages as an adjunct to many other kinds of attack.
Consider, for instance, the possibilities (hypothetically speaking) of the recent International Monetary Fund breach. It may have an element of malware support – one suggestion is that the breach was preceded by a spear-phishing attack – but the actual breach, which might yet turn out to be far more significant globally than anything Stuxnet is known to have done, is very different indeed.