If a small group of hackers could have banged it out, and it was intended as a covert operation, wouldn't it make more sense to do it that way rather than involve (and implicate) more people?
Or am I giving US/Israeli intelligence too much credit?
> Or am I giving US/Israeli intelligence too much credit?
The US military is a big operation. They deal with big groups and big numbers. I just don't think it's in their DNA to approach a small group of blackhats to do what they could contract a legitimate firm to do. The US military contracts out to private firms for almost everything. To think that the US would approach a small, illegitimate group requires viewing Stuxnet as an aberration. I just don't think it is. It may be a new medium for the military, but it isn't a new paradigm: they identified a problem, and approached a firm that could solve it for them. That's my theory, at any rate. It's supported by those in the security industry who've analyzed it and determined the code itself wasn't anything special, just that the number of 0days involved was unusual. Any major security firm will have a shelf full of 0days kicking around; just look what we saw come out of HBGary.
I don't have any evidence that Stuxnet was a contract job. Hell, I don't even have any evidence beyond hearsay that the US was involved. I'm simply looking at the known facts and the known motivations and standard practices of the institutions that were (likely) involved.
> I just don't think it's in their DNA to approach a small group of blackhats to do what they could contract a legitimate firm to do
I'm still amazed it's in their DNA to do this at all, but if they did, blackhats are the right people for the job. No point in hiring a legitimate firm to build an illegitimate weapon. Remember, Stuxnet infected thousands of other factories around the world. Whoever built it ain't legitimate anymore.
Going back to the HBGary situation (again), I think it's clear that many of the firms that work with the government stretch the definition of legitimacy pretty far.
> The US military contracts out to private firms for almost everything.
Not necessarily for highly classified projects.
I can see an NSA or CIA internal group organizing. I imagine some projects can be compartmentalized and organized to run like a small startup with a handful of hand-picked individuals having a narrowly focused goal.
That's why they have security clearances. Remember, Bechtel builds most of the US's nukes, Lockheed Martin developed the F-117 when it officially didn't exist, and the same was true of Northrop-Grumman and the B2. Private firms are regularly entrusted to perform functions that require the highest levels of secrecy. And, as much as it may tickle our nerd fancy to think so, Stuxnet was nowhere near as important as nukes or stealth technology during the Cold War.
Or am I giving US/Israeli intelligence too much credit?