Similar to nuclear war scenarios, the most significant damage the recently discovered Flame malware will inflict comes from its fallout rather than from the initial blast.
The seriousness of Flame is real: Flame and the Duqu and Stuxnet malware are capable of attacking national critical infrastructure. The U.S. used Stuxnet against Iran’s nuclear program, which, given the many alternatives, seems like a pretty good idea. The same virus programs, however, could be used against any system that attackers wanted to target, including those in the U.S., and put millions of people at risk.
On the other hand, experts say there isn’t anything special about Flame and that it can be easily defended against with conventional security tools and policies. Microsoft this week revoked fraudulent certificates used by the Flame malware toolkit. Some experts say there is a bigger threat to businesses from application-level exploits by individual hackers than from the Flame-category cyberespionage attacks.
Two points are emerging in the wake of the discovery of Flame. One is (needless) panic; the second is a call for international treaties banning cyberwarfare. A big push for this is coming from Eugene Kaspersky, an influential security expert and founder of Russian antivirus company Kaspersky Labs, and the Russian government. Both entities are well populated with talented malware security experts, both legitimate and criminal.
As we have learned over the past decade, the best policy for security is openness. If we start making any kind of code or use of code illegal, we are going to have more problems than the threat of cyberattack. As the saying goes, if you outlaw guns, only outlaws will have guns.