The Russian security firm Kaspersky Labs has released a report on a new, sophisticated malware variety called FLAME. It has been found on various targets in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt. The purpose appears to be mass harvesting of sensitive data.
Kaspersky claims that the malware is clearly the product of a nation-state, due to its sophistication and purpose, but others disagree. The Kaspersky folks think there are only three groups of people who write malware: criminals, hacktivists, and nation states. They drop the first two from consideration for FLAME because it has such a high level of sophistication and because the purpose of FLAME does not match the profiles of criminals or hacktivists.
That leaves nation-states. But among policy, intelligence, and technology experts, the jury is still out.
That said, the report is still significant. A program this sophisticated warrants notice by all the “good guys,” and, be assured, it has gotten experts’ attention. Debates over the targets (“Why were those countries targeted?”), the purpose (“Is it really a data vacuum cleaner?”), and the origins (“Could terrorists or hired cyber guns have done this?”) have already begun and will continue.
StuxNet and DuQu got everyone’s attention, but now FLAME should show the naysayers that strategic cyber “weapons” are really a part of the modern landscape. They are not a passing aberration but the reality of our digital world.
No, the sky is still not falling, but action is needed. Those who would hold up positive cyber legislation because they do not trust their own governments—even with appropriate oversight—are truly keeping their heads in the sand. Privacy laws already exist that can be applied to government use of digital means. What we lack are adequate provisions allowing those tasked with defending the nation from cyber attacks to properly do their jobs.
This is not a “privacy versus security” debate. Without security, you have no privacy. There are enemies (nation-state and non-nation-state) who are already plundering the intellectual property that fuels American prosperity. The threat is growing, so our response capability should grow as well.
Regardless of how this newest cyber riddle is answered, it is yet another warning to our highly digital society. Will it be heeded? Will the cure be worse than the disease? Responsible action is needed.