So, in this post I'd like to share a few thoughts on differentiating security tools from cyber weapons (CWs). These are just my thoughts so I'd be interested in feedback. Some of them may be controversial and I could probably argue the opposite case for some of the items.
- Operators develop CWs privately. I don't think a tool you can download from a public Web site qualifies as a true CW. Yes, you can use tools like Metasploit offensively, but a good deal of the value of a real CW comes from the "whoa" factor. (See the next point.) You can't preserve the "whoa" factor after publishing code on the Web.
- CWs tend to be innovative. Innovation means incorporating 0-day attacks (researched by the developers), new command-and-control methods, or other measures. Real CWs take victims by surprise, especially if they target multiple aspects of the kill chain.
- CWs tend to have specific effects. Think of Stuxnet and its programming to alter specific values in PLCs. These are actions designed to damage a target, not to provide generic remote control access so intruders can open someone's CD player.
- CW value degrades quickly. I believe a real CW is much less valuable after being used, often due to the points listed earlier. It's easier to disable a radar the first time than it is the second or third times. As soon as an aggressor uses a CW on a victim, the victim will try to be better prepared for later attacks and may be able to recognize or even thwart them entirely. Contrast that with a tool designed to help validate defenses or conduct audits.
- Intent matters. The intent behind a CW is to enable the agenda of a nation state or other high-end structured threat, not simply to demonstrate a new technique, or be the best penetration tool, or compromise the most victims, or help administrators validate defensive measures. I don't think HD Moore (who wrote a great pitch on cyber weaponry) intends for Metasploit to be used by governments to harm each other or their citizens. Ask someone who develops real CWs for a living why they wrote CW X and they will likely say "because I was under contract to deliver X by date Y for customer Z."
I hope we can be clever enough to separate real CWs like Stuxnet from tools that serve a useful security function like Metasploit, because actions to try to outlaw all offensive tools would be devastating for defenders everywhere.