Cybersecurity expert: Stuxnet attack wasn't 'game-changing'

Threats to computer networks are evolving, but there haven't been any 'completely surprising' developments, Adam Meyers says.

The cybersecurity debate on Capitol Hill might be centered around the perils of Stuxnet, the malware that hit in September and showed its potential to paralyze industrial and operating systems. But one security expert says Stuxnet "was sophisticated, but not different from a lot of malware."

Adam Meyers is the director of cybersecurity intelligence at the government contractor and IT security provider SRA International, where he supports federal clients such as the State Department and the Federal Aviation Administration. He talked to Nextgov about what should be a healthy perspective on the security landscape during SC World Congress in New York City in early November, after returning from Abu Dhabi, United Arab Emirates, where he led a training session at the security convention Black Hat.

Meyers also spoke about the limitations of penetration testing -- or the authorized hacking of systems to find vulnerabilities -- at the federal level. With the changing government presence at security conferences, there could be reason for cautious optimism that the state of pen testing could change. Federal employees, he said, aren't dyeing their hair or piercing their ears to get in anymore. Instead, they are openly rubbing shoulders with the hacker-turned-security professionals.

An edited transcript of the conversation follows.

NG: How have threats to federal networks changed?

Meyers: The threats are just evolving. Over the last year -- even the past four years -- there hasn't been something that has been completely surprising. The capability to inflict damage by adversaries has increased with the ability to get new tools. But anybody with a reasonable understanding can take [the open source pen testing tool] Metasploit, take a document, pull it off the Web and attack a target. That doesn't take a lot of sophistication and it's effective.

Stuxnet, which targeted a specific type of infrastructure, was sophisticated, but not different from a lot of malware. There wasn't anything that was game-changing.

NG: So the idea that Stuxnet was a game-changer was just hype and political rhetoric?

Meyers: For a lot of people who hadn't seen that before, it was a revelation to them that you can target supervisory control and data acquisition systems and incident command systems and have malware jump from an open network to a closed network from, say, a USB port. For some people, it was a game-changer, but I guess it's all about perspective.

NG: So what's a healthy perspective on the threat landscape?

Meyers: The healthy perspective is there are capable actors out there from all walks of life interested in all manner of targets, whether it's financial or classified information. The thing to be aware of is the amount and capability of actors are increasing every day. And a lot of the tools that they are using are more sophisticated. We need to understand and protect the targets.

The way to deal with threats is really by going through the intelligence and the steps. I just did a training session at Black Hat in Abu Dhabi. From a cyber network defense standpoint, at every step you have to sift through intelligence. In one example, intelligence, network forensics, drive forensics, malware analysis, reverse engineering and then reporting had to be done. We pulled information intelligence about what we've learned at each step, using that to better defend the network and incorporating it into some way of defending the network.

NG: Is the federal government doing enough pen testing?

Meyers: The way you see it happen a lot is that people will buy a product that allows them to do point-and-click pen testing. They will tend to target, say, a patchy Web server that they think might have a vulnerability and launch the attack. So the way that agencies are bringing penetration testing into the security apparatus overall is more like a targeted vulnerability assessment than an actual pen test. What we're seeing is people are essentially running tools to break into systems without an understanding of what exploit they're launching -- what the exploit is supposed to accomplish, and how it works. Sometimes you actually have to tweak it and do something different depending on your targets to exploit a system. But because people just kind of point-and-click, they fail to exploit the system and begin reporting false positives or false negatives.

Pen testing in terms of federal compliance was a progression of the vulnerability assessment requirements built into the 2002 Federal Information Security Management Act. Compliance-based security gets people to think about security but doesn't really solve anything. The focus on penetration testing should be redirected to holistic security.

NG: Do you think this sloppy point-and-click pen testing has to do with the growing bubble around the federal cybersecurity market?

Meyers: Every government sector has its preferred vendors and people they trust. They go to people they normally go to. The other thing that is happening is that demand has completely outpaced the ability to train and interest people in getting involved in cybersecurity.

There's a mentality that, "I'm going to get a certification, I'm going to put it on my resume and now I'm a cybersecurity professional." So they took a course for four months, passed it and now they're a cybersecurity person. They don't have any classic background in security or computer science or any core areas you would think they would need to have.

NG: How has the federal presence changed at the Black Hat and DEF CON cybersecurity conferences?

Meyers: It's a little more open now. They think this is a community of people working at helping to solve our problems.

Years ago, you'd have guys in the federal government wanting to go to the conferences and they'd dye their hair and pierce their ears because they thought that would make them legitimate. I'll go to Black Hat and DEF CON now, and I'll run into law enforcement friends and people that I know from all over the federal government. And they'll have it on their badge. They're openly feds.