Risk
8/23/2012
11:22 AM
Connect Directly
RSS
E-Mail
50%
50%

The Case For A Cyber Arms Treaty

In the wake of Stuxnet, could an international 'cyber arms' agreement forestall U.S. cyber warfare with China and other countries?

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
On the other hand, the best way to employ malware--either as a weapon or a diplomatic tool--isn't yet clear. "While the U.S. now has a very subtle understanding of when it wants to use drones and not, there is no equivalent right now of when you use cyber weapons," Sanger told NPR. "Partly that is because Olympic Games was so secret, and part of that is because the weapon is new and developing so fast that no one is really gathering together the sort of theory about how and when you would use it, when you would use it as a deterrent, that we developed in the 1950s about nuclear weapons."

But every new Stuxnet amplifies the possibility that other nations might justify escalating their own malware operations--against the United States and other countries. "Having been the first nation to use it purposefully against the weapons program of another state--to have 'crossed the Rubicon,' as General Michael Hayden, the former Bush intelligence chief, put it--will we eventually be judged to have hastened its spread?" wrote veteran reporter Joseph Lelyveld in last week's The New York Review of Books. Furthermore, what if other nations, such as India and Pakistan, begin escalating their cyber attacks against each other? "Or, scariest of all, China and the United States start playing cyber-chicken?" he asked.

Former White House cybersecurity coordinator Howard Schmidt, who left that post in May, warns that it's a "slippery slope" when the U.S. government hacks back at its adversaries. In an interview this week with InformationWeek's John Foley, Schmidt said government agencies and businesses in the private sector may be putting themselves at bigger risk when they go on the offensive because opponents may feel compelled to retaliate. "Just because you can do it doesn't mean you should do it," Schmidt said.

[ DARPA makes plans ... just in case. Read DARPA Seeks 'Plan X' Cyber Warfare Tools. ]

Furthermore, the United States--as one of the most heavily networked nations on the planet--could present an attractive target. Beyond the business necessity of Internet availability, numerous so-called "critical infrastructure" systems, including water treatment and energy plants, are Internet-connected, poorly secured, and in private hands. Should someone wish to cause related damage, opportunities abound.

Accordingly, the obvious next course of action seems clear: the United States should negotiate some type of cyber arms treaty. "There is no international treaty or agreement restricting the use of cyberweapons, which can do anything from controlling an individual laptop to disrupting an entire country's critical telecommunications or banking infrastructure. It is in the United States' interest to push for one before the monster it has unleashed comes home to roost," said DarkMarket author Misha Glenny, a British journalist and visiting professor at the Columbia University School of International and Public Affairs, in a New York Times opinion piece earlier this year.

Likewise, Eugene Kaspersky, chief of security firm Kaspersky Lab, which discovered Flame, has argued that such malware should be banned by international treaty.

But would the president ever sign such a treaty? Notably, it would tie the hands of government-backed malware operators, and undermine a potentially valuable diplomatic tool. By some accounts, unleashing Stuxnet against an Iranian nuclear enrichment facility held Israel back from bombing Iran, which might have drawn the United States into a new on-the-ground conflict. Geopolitics is complicated; building malware--the digital equivalent to drone attacks--seems to remain relatively cheap. At least for now.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
8/28/2012 | 2:03:26 AM
re: The Case For A Cyber Arms Treaty
By developing the most advanced weapons in the world, one can develop the most advanced defenses in the world - I think that's a pretty fair statement.

All throughout history, there have been things going on that the average Joe or Jane on the street don't know about but should be thankful for - things that their country is doing to protect them, whether they approve or disapprove of it.

Kaspersky's a funny guy here - sure, go ahead, ban malware. Doesn't that put him out of business? And as other posters have mentioned, sure, you can have every country on the face of the planet sign a treaty saying that they won't develop or use malware - but that doesn't keep a 14 year old kid from sitting down and learning assembly, C, or any other language and building something that could obliterate a network. No, a treaty, while nice on paper... exists only on paper.

Having malware banned leads to a false sense of security - sure, let's ban it... and forget how to defend against it. Then when the next attack happens, it's magnitudes worse. And the next attack will happen, it's just a matter of when. You have to be ready for it... and a treaty is not going to do much to help prevent an attack or clean up after one.

Andrew Hornback
InformationWeek Contributor
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
8/27/2012 | 3:10:46 PM
re: The Case For A Cyber Arms Treaty
Article states, "Having been the first nation to use it purposefully against the weapons program of another state--to have 'crossed the Rubicon,' as General Michael Hayden, the former Bush intelligence chief, put it--will we eventually be judged to have hastened its spread?"

Has that ever stopped the US Govt or any nation of developing and using a system to its advantage either strategically or operationally? They used firearms against native americans and were the first to use/introduce nuclear weapons. An unknown or unproven weapon system serves little as a detterrent. Treaties are nice, but as others have stated, wholly reliable on the good faith of the parties. As with regulatory guidance and laws, sometimes the value gained may just be worth the penalty imposed for non adherence.
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
8/26/2012 | 1:20:36 PM
re: The Case For A Cyber Arms Treaty
Treaties are only worth something when the partners adhere to them. Just look at the reports about human rights violations and you will see that a treaty for cyber security between US and China is just a waster of paper and resources.
Leo Regulus
50%
50%
Leo Regulus,
User Rank: Apprentice
8/25/2012 | 5:45:18 PM
re: The Case For A Cyber Arms Treaty
GET THIS TO YOUR EDITOR:
You have made some client-unfriendly changes.
When we hit the 'Print' Icon, we expect to see the entire article as one page and relatively 'free' of garbage.
On this article, it was necessary to go to page 2 to get the whole article.
The result was also littered with garbage.
I will not insult your intelligence by specifically what I define as 'garbage'.
TreeInMyCube
50%
50%
TreeInMyCube,
User Rank: Apprentice
8/24/2012 | 6:11:30 PM
re: The Case For A Cyber Arms Treaty
A treaty is a nice idea, but ineffective, since there are too many non-nation-state actors. Building nuclear weapons requires fissile material, which is not sold in every Best Buy or Walmart. Building malware can be done on a laptop, and launched from an Internet cafe.
Perhaps the only effective defense for the US military is to build out private networks that are not visible to other parties, friends or foes.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7877
Published: 2014-10-30
Unspecified vulnerability in the kernel in HP HP-UX B.11.31 allows local users to cause a denial of service via unknown vectors.

CVE-2014-3051
Published: 2014-10-29
The Internet Service Monitor (ISM) agent in IBM Tivoli Composite Application Manager (ITCAM) for Transactions 7.1 and 7.2 before 7.2.0.3 IF28, 7.3 before 7.3.0.1 IF30, and 7.4 before 7.4.0.0 IF18 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof s...

CVE-2014-3668
Published: 2014-10-29
Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument t...

CVE-2014-3669
Published: 2014-10-29
Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function ...

CVE-2014-3670
Published: 2014-10-29
The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly exec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.