I’m surprised this article is still making its rounds. Two points have always stood out to me:
1) you never empty the barn on a nation state attack. If you know the systems you’re targeting are primitive, you don’t go in with the F-35 of initial compromise schemas. Aim for +10 over the enemy’s ability to counter, not +1000.
2) the level of overestimation of federal cyber weapons is too damn high. Is it impressive? Absolutely. Is it the best? No. Check in with your private Israeli intel firms for that kind of James Bond stuff. What sets nation states apart is their ability to acquire and perform highly redundant and critically targeted attacks. The NSA would be hamstrung without the cooperation of the CIA and so on. It’s not technical prowess, it’s money and coordination.
It comes up regularly in part because there's a lot of pop-sci reading for people to do on Stuxnet, and so people in 2022 generally feel like they know a lot about it, which makes it easy and fun to dunk on a 2011 take. What's embarrassing about the whole scene is that actual analysis of Stuxnet is almost beside the point of this blog post; it's pretty clear that some of the most strident takes on this thread are from people that haven't read any of it before.