11:22 AM

The Case For A Cyber Arms Treaty

In the wake of Stuxnet, could an international 'cyber arms' agreement forestall U.S. cyber warfare with China and other countries?

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
On the other hand, the best way to employ malware--either as a weapon or a diplomatic tool--isn't yet clear. "While the U.S. now has a very subtle understanding of when it wants to use drones and not, there is no equivalent right now of when you use cyber weapons," Sanger told NPR. "Partly that is because Olympic Games was so secret, and part of that is because the weapon is new and developing so fast that no one is really gathering together the sort of theory about how and when you would use it, when you would use it as a deterrent, that we developed in the 1950s about nuclear weapons."

But every new Stuxnet amplifies the possibility that other nations might justify escalating their own malware operations--against the United States and other countries. "Having been the first nation to use it purposefully against the weapons program of another state--to have 'crossed the Rubicon,' as General Michael Hayden, the former Bush intelligence chief, put it--will we eventually be judged to have hastened its spread?" wrote veteran reporter Joseph Lelyveld in last week's The New York Review of Books. Furthermore, what if other nations, such as India and Pakistan, begin escalating their cyber attacks against each other? "Or, scariest of all, China and the United States start playing cyber-chicken?" he asked.

Former White House cybersecurity coordinator Howard Schmidt, who left that post in May, warns that it's a "slippery slope" when the U.S. government hacks back at its adversaries. In an interview this week with InformationWeek's John Foley, Schmidt said government agencies and businesses in the private sector may be putting themselves at bigger risk when they go on the offensive because opponents may feel compelled to retaliate. "Just because you can do it doesn't mean you should do it," Schmidt said.

[ DARPA makes plans ... just in case. Read DARPA Seeks 'Plan X' Cyber Warfare Tools. ]

Furthermore, the United States--as one of the most heavily networked nations on the planet--could present an attractive target. Beyond the business necessity of Internet availability, numerous so-called "critical infrastructure" systems, including water treatment and energy plants, are Internet-connected, poorly secured, and in private hands. Should someone wish to cause related damage, opportunities abound.

Accordingly, the obvious next course of action seems clear: the United States should negotiate some type of cyber arms treaty. "There is no international treaty or agreement restricting the use of cyberweapons, which can do anything from controlling an individual laptop to disrupting an entire country's critical telecommunications or banking infrastructure. It is in the United States' interest to push for one before the monster it has unleashed comes home to roost," said DarkMarket author Misha Glenny, a British journalist and visiting professor at the Columbia University School of International and Public Affairs, in a New York Times opinion piece earlier this year.

Likewise, Eugene Kaspersky, chief of security firm Kaspersky Lab, which discovered Flame, has argued that such malware should be banned by international treaty.

But would the president ever sign such a treaty? Notably, it would tie the hands of government-backed malware operators, and undermine a potentially valuable diplomatic tool. By some accounts, unleashing Stuxnet against an Iranian nuclear enrichment facility held Israel back from bombing Iran, which might have drawn the United States into a new on-the-ground conflict. Geopolitics is complicated; building malware--the digital equivalent to drone attacks--seems to remain relatively cheap. At least for now.

2 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
Andrew Hornback,
User Rank: Apprentice
8/28/2012 | 2:03:26 AM
re: The Case For A Cyber Arms Treaty
By developing the most advanced weapons in the world, one can develop the most advanced defenses in the world - I think that's a pretty fair statement.

All throughout history, there have been things going on that the average Joe or Jane on the street don't know about but should be thankful for - things that their country is doing to protect them, whether they approve or disapprove of it.

Kaspersky's a funny guy here - sure, go ahead, ban malware. Doesn't that put him out of business? And as other posters have mentioned, sure, you can have every country on the face of the planet sign a treaty saying that they won't develop or use malware - but that doesn't keep a 14 year old kid from sitting down and learning assembly, C, or any other language and building something that could obliterate a network. No, a treaty, while nice on paper... exists only on paper.

Having malware banned leads to a false sense of security - sure, let's ban it... and forget how to defend against it. Then when the next attack happens, it's magnitudes worse. And the next attack will happen, it's just a matter of when. You have to be ready for it... and a treaty is not going to do much to help prevent an attack or clean up after one.

Andrew Hornback
InformationWeek Contributor
User Rank: Apprentice
8/27/2012 | 3:10:46 PM
re: The Case For A Cyber Arms Treaty
Article states, "Having been the first nation to use it purposefully against the weapons program of another state--to have 'crossed the Rubicon,' as General Michael Hayden, the former Bush intelligence chief, put it--will we eventually be judged to have hastened its spread?"

Has that ever stopped the US Govt or any nation of developing and using a system to its advantage either strategically or operationally? They used firearms against native americans and were the first to use/introduce nuclear weapons. An unknown or unproven weapon system serves little as a detterrent. Treaties are nice, but as others have stated, wholly reliable on the good faith of the parties. As with regulatory guidance and laws, sometimes the value gained may just be worth the penalty imposed for non adherence.
User Rank: Apprentice
8/26/2012 | 1:20:36 PM
re: The Case For A Cyber Arms Treaty
Treaties are only worth something when the partners adhere to them. Just look at the reports about human rights violations and you will see that a treaty for cyber security between US and China is just a waster of paper and resources.
Leo Regulus
Leo Regulus,
User Rank: Apprentice
8/25/2012 | 5:45:18 PM
re: The Case For A Cyber Arms Treaty
You have made some client-unfriendly changes.
When we hit the 'Print' Icon, we expect to see the entire article as one page and relatively 'free' of garbage.
On this article, it was necessary to go to page 2 to get the whole article.
The result was also littered with garbage.
I will not insult your intelligence by specifically what I define as 'garbage'.
User Rank: Apprentice
8/24/2012 | 6:11:30 PM
re: The Case For A Cyber Arms Treaty
A treaty is a nice idea, but ineffective, since there are too many non-nation-state actors. Building nuclear weapons requires fissile material, which is not sold in every Best Buy or Walmart. Building malware can be done on a laptop, and launched from an Internet cafe.
Perhaps the only effective defense for the US military is to build out private networks that are not visible to other parties, friends or foes.
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-05
system/session/drivers/cookie.php in Anchor CMS 0.9.x allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in a cookie.

Published: 2015-10-05
The Secure Meeting (Pulse Collaboration) in Pulse Connect Secure (formerly Juniper Junos Pulse) before 7.1R22.1, 7.4, 8.0 before 8.0R11, and 8.1 before 8.1R3 provides different messages for attempts to join a meeting depending on the status of the meeting, which allows remote attackers to enumerate ...

Published: 2015-10-05
The Secure Meeting (Pulse Collaboration) in Pulse Connect Secure (formerly Juniper Junos Pulse) before 7.1R22.1, 7.4, 8.0 before 8.0R11, and 8.1 before 8.1R3 allows remote authenticated users to bypass intended access restrictions and log into arbitrary meetings by leveraging a meeting id and meetin...

Published: 2015-10-05
Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x before 1.6.2 allows remote attackers to execute arbitrary code via a trailing \u in a json string to cJSON_Parse.

Published: 2015-10-05
Unrestricted file upload in GLPI before 0.85.3 allows remote authenticated users to execute arbitrary code by adding a file with an executable extension as an attachment to a new ticket, then accessing it via a direct request to the file in files/_tmp/.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.