With Stuxnet as a "blueprint" downloadable from the Internet, he says, "any dumb hacker" can now figure out how to build and sell cyberweapons to any hacktivist or terrorist who wants "to put the lights out" in a US city or "release a toxic gas cloud."
What follows are excerpts of Langner's comments from an extended interview:
CSM: How would you characterize the year since Stuxnet – the response by nations, industry and government?
LANGNER: Last year, after Stuxnet was identified as a weapon, we recommended to every asset owner in America – owners of power plants, chemical plants, refineries and others – to make it a top priority to protect their systems.... That wakeup call lasted only about a week. Thereafter, everybody fell back into a coma. The most bizarre thing is that even the Department of Homeland Security (DHS) and Siemens [maker of the industrial control system targeted by Stuxnet] talked about Stuxnet being a wakeup call, but never got into the specifics of what needed to be done.
CSM: What do you think has been the most important or dangerous development to emerge since you identified Stuxnet as a weapon?
LANGNER: The most dangerous development is that DHS and asset owners completely failed to identify and address the threat of copycat attacks.... With every day [that] cyber weapon technology proliferates; the understanding of how Stuxnet works spreads more and more. All the vulnerabilities exploited on the [industrial control system] level and [programmable logic controller] level are still there. Nobody cares.
CSM: How should nations and critical infrastructure owners deal with the threat of Stuxnet-like attacks or deter them?