The Risks of Deploying Malware: Duqu and Stuxnet through the Lens of the Libya Cyberattack Dispute

Robert Chesney
Tuesday, October 18, 2011, 5:12 PM
Published by The Lawfare Institute
in Cooperation With
Brookings

Kim Zetter at Wired writes this afternoon of the discovery of a strain of malware that appears to build in significant part on components of Stuxnet--but that functions more as a reconnaissance tool enabling the future exploitation or manipulation of infected systems, rather than as a means to directly and immediately impact the operation of those systems. Zetter says the malware is known as "Duqu," or, as the title of her piece puts it, "Son of Stuxnet." It is interesting to think about this story in the context of the article to which Jack linked this morning (i.e., the story about debate within the Obama administration as to whether to conduct a computer network operation ("CNO") to disrupt Libya's air defense systems last spring). As Jack highlighted, one of the more persuasive points in the article was the suggestion that some opposed conducting that CNO out of concern that this would have revealed our capabilities. Zetter's story about Duqu prompts me to expand on that point a bit. Particularly insofar as a CNO makes use of zero-day exploits, and in any event insofar as a CNO uses truly novel approaches of some kind, actually deploying malware as part of a CNO runs at least two risks. First, you might lose the ability to conduct similar operations in the future (because adversaries might see the code involved and develop countermeasures, patching previously unknown vulnerabilities). Second, you run the risk of having the methods involved turned against you (or at least against others). When the Stuxnet story broke, some commentators noted that something similar might occur in that context--and Zetter's story raises the possibility that Duqu is an example of this. Zetter, to be sure, focuses on the possibility that Duqu is the product of the same entity responsible for Stuxnet.

But it is possible that it is instead an example of third parties taking advantage of what they learned from Stuxnet's release into the open, thus illustrating the second type of risk mentioned above. Of course, that would not establish that it was good or bad for someone to have employed Stuxnet in the first place; the benefits of the operation may well have outweighed whatever costs later materialized, in the form of Duqu or otherwise. Decision-makers have to make their best guesses in advance, alas, without knowing for sure what benefits and costs will materialize.

Robert (Bobby) Chesney is the Dean of the University of Texas School of Law, where he also holds the James A. Baker III Chair in the Rule of Law and World Affairs at UT. He is known internationally for his scholarship relating both to cybersecurity and national security. He is a co-founder of Lawfare, the nation’s leading online source for analysis of national security legal issues, and he co-hosts the popular show The National Security Law Podcast.