That's the intriguing question posed by journalist Angus Batey, who writes:
I spent a couple of days asking multinational arms companies about their cyber warfare portfolios. Most offer solutions to businesses, utilities or government departments who have strong and obvious requirements to keep their in-house computer systems secure and functional. But the minute you ask them about offensive cyber capabilities, they begin to shuffle a bit and look at their shoes. Even off the record, they let very little slip. Confidential, unattributable conversations I had during the exhibition revealed nothing of substantive, hard detail, but the overall impression is clear: whether by merger and acquisition, recruitment, or partnership, the kinds of companies that manufacture physical weapons are all - probably; quietly; discretely - readying cyber weapons that can be used to strike at an adversary's systems.
Frankly, defence contractors would be mad not to be readying offensive cyber products; and their shareholders would be disappointed if they weren't. While spending on ships, aircraft and ground vehicles is contracting, the budgets for cyber are getting bigger.
. . .
But are these hush-hush cyber weapon development efforts proactive on the part of business ... Or are they in response to already existing requirements from customers in the UK, the US, or other nations? Nobody is saying. And the reason why they're not saying ... has a great deal to do with that other problem - the issue of attribution.
No government is willing to risk being seen as the nation who fired the first shot in a cyber war. Apart from anything else, no-one knows how international law applies to cyber weapons, either in terms of their use, their manufacture or their sale. Worse, even the lowest-collateral cyber weapon may have unintended and unimagined after-effects. Unlike a bullet, which hits its target and stops, a cyber weapon potentially carries on working after it's finished doing what it was built to do. Crippling Iran's nuclear program might sound like something a western government would want to brag about: but you might not be quite as pleased with your handiwork if the virus later ends up accidentally shutting down the power supply to a hospital somewhere. Also, if your country is identified as the one that "fired" the cyber salvo, your own systems are likely to be seen as legitimate targets for reprisals - whether formally, if the initial attack is considered an act of war under international law, or informally, as seems to have happened when a massive denial-of-service attack that effectively shut down the Estonian economy in 2007 was revealed as (possibly and quite plausibly, at least in part) an impromptu bombardment by large numbers of private Russian computers.
. . .
So who is writing worms like Stuxnet and Duqu if it's not nation states? Maybe not one of the big defence conglomerates; more likely a small startup, probably created and staffed by former penetration testers and ethical hackers, maybe located in offices carved out of some old hotel in a city many miles from western militaries' power centres. Symantec's researchers were astonished that Stuxnet exploited as many as four zero-day vulnerabilities - that is, previously unknown flaws in the software it targeted: yet one small and secretive US company, founded only three years ago, appears to have offered packages of 25 zero-day exploits, every year, to any client willing to pay its asking price of $2.5m per annum. Whether anyone has as yet taken them up on their offer remains unknown.
There's more at the link. If you're interested in computer security and cyber-warfare, Mr. Batey's article is highly informative and thought-provoking. Recommended reading.