A New Age1990s-2001: Worms (Code Red, etc.)
2002: Bill Gates Trustworthy Computing Email
2005-2015: Botnets and "APT" and Phishing <--THE ANOMALY DECADE.
2016: Advanced Persistent Worms! Worms everywhere! Internet of Worms!
2018: Defensive worms as policy teams catch up, in my optimistic worldview.
I'll be honest: Stuxnet and Flame and Duqu and the other tools (built during the anomaly decade) were worms, at their heart. All top-line nation-state tools are capable of autonomous operation. This means the state of play on the internet can change rapidly, with changing intent, rather than a massive five year wait as people do development and testing on new toolchains.
But all our defenses and policy regulations and laws and language have been built around botnets. The very idea of what attribution really means, or Wassenaar's cyber controls, or how we handle vulnerability disclosure as a nation-state are just some examples of this. But in the long run, both defense and offense will be using forms of self-replicant programs we don't have any kind of conceptual legal language to describe.
Part of the problem is that computer worms are not worms. Technically they are more like social insects building complex covert networks and distributed data structures on stolen computation. Worms are connected creatures - they are literally a tube from mouth to anus! Worms have a brain for command and control. This is how Metasploit works, basically.
Ants don't have and don't need a C2 and are much closer in terms of a model for what we will see on computer networks.
TrendlinesThe key thing to realize is this: Smaller players are inevitably getting into the cyberwar game. That means more worms. Why? Because the less resources you have, the better a worm fits your strategic equation. If you're trying to replicate the QUANTUM infrastructure, but you're Finland, you are crazy. This applies equally to small countries, and to non-nation-state players.
Likewise, the better defenses are at catching intrusions, the more worms you're going to have. Right now, vulnerabilities never ever get caught. But modern defenses have changed that. Here's Microsoft catching an A-grade team they call PLATINUM. Kaspersky also has been excellent at catching non-Russian A-Grade teams! :)
Exploits are going to start getting caught, which means they will be created and used very differently from the last ten years. Our policy teams are not ready for this change. Worms are an attacker's answers to the race of getting something done before getting caught by endpoint defenses and advanced analytics. And counter-worms are the obvious defensive answer for cleaning up unmanaged systems.
Fallacy: Some Bugs are Wormable vs Some Are Not WormableI'd like to take a moment to talk about this, because the policy world has this conception that some bugs are wormable, and should therefor go through the VEP process for disclosure, and other bugs are not, and are therefor less dangerous. It's super wrong. All bugs can be part of a worm. Modern worms are cross platform and can use XSS vulns and buffer overflows and logic bugs and stolen passwords and timing attacks all at once and get their information from all sorts of sources and spit out versions of themselves that have only some of their logic and auto-remove themselves from machines they don't need and frankly, act more and more like ants.
But many policy proposals try to draw a line between different kinds of vulnerabilities that is not there in practice by saying "These vulnerabilities are safe to have and use, and these are not". No such line exists in practice.
Policy Implications of the New Age of Worms
There are so many. I just want people to admit this is the age we are in and that our policy teams have all been trained on the Age of APT, which is now over. Let's start there. :)