The Case For A Cyber Arms TreatyIn the wake of Stuxnet, could an international 'cyber arms' agreement forestall U.S. cyber warfare with China and other countries?
11 Security Sights Seen Only At Black Hat (click image for larger view and for slideshow)
Malware attacks: can't live with them, can't live without them?
That's the curious situation now facing the U.S. government--and by extension, America--which on the one hand finds its networks being attacked more than ever before and, on the other hand, recently claimed credit for launching at a foreign nation some of the most advanced malware attacks in history.
Can this disconnect be resolved? To answer that question, it helps to understand the defensive side of the equation, as the Pentagon reports that it's having a harder time than ever blocking the increasing volume of attacks being launched at U.S. government networks. It's also been sounding the alarm over an increase in attacks against critical infrastructure systems controlled by the private sector.
Accordingly, elements of the Department of Defense (DOD) have been petitioning the Secretary of Defense to allow the military to not just defend its own systems and block malware, as it's currently authorized to do, but also defend critical systems running outside government-controlled networks, the Washington Post recently reported. Currently, the DOD isn't allowed to touch civilian networks in any way, although it does share threat intelligence with some defense contractors and service providers.
[ Are you paying attention to the right things? Read 6 Password Security Essentials For Developers. ]
Gen. Keith Alexander, who's both director of the NSA as well as Cyber Command--which protects DOD networks and oversees federal cyber warfare activities--argued at a recent conference that the government's cyber specialists "need standing rules of engagement and execute orders that allow the government to do defense that is reasonable and proportionate." In the event of a national-level attack, the DOD wants to be able to respond quickly, effectively, and legally.
The Pentagon also wants approval to use more aggressive defenses, such as sinkholing, which involves forcibly rerouting a botnet's command-and-control servers so that malicious code on infected PCs can't be used to launch attacks. Sinkholing is in widespread use by information security researchers, sometimes working in conjunction with technology vendors, including Microsoft.
But as the DOD seeks approval to get more defensive, the White House earlier this year revealed that the "Olympic Games" program begun by President George W. Bush, and continued at his urging by President Obama, launched Stuxnet, Flame, Duqu, Gauss, and no doubt other malware meant to disable parts foreign countries' critical infrastructure, or eavesdrop on people and information of interest.
That program was detailed by David E. Sanger in his recently published Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power. In light of that program, "the United States lost a bit of the moral high ground when it comes to warning the world of the danger of cyberattacks," writes Sanger, in a bit of understatement. Furthermore, the generals sounding alarms over the rise of advanced persistent threats being launched en masse against Pentagon systems by China and other countries work for the same government that's been launching its own malware attacks against other countries.
Who Is Anonymous: 10 Key Facts (click image for larger view and for slideshow)
On the other hand, the best way to employ malware--either as a weapon or a diplomatic tool--isn't yet clear. "While the U.S. now has a very subtle understanding of when it wants to use drones and not, there is no equivalent right now of when you use cyber weapons," Sanger told NPR
. "Partly that is because Olympic Games was so secret, and part of that is because the weapon is new and developing so fast that no one is really gathering together the sort of theory about how and when you would use it, when you would use it as a deterrent, that we developed in the 1950s about nuclear weapons."
But every new Stuxnet amplifies the possibility that other nations might justify escalating their own malware operations--against the United States and other countries. "Having been the first nation to use it purposefully against the weapons program of another state--to have 'crossed the Rubicon,' as General Michael Hayden, the former Bush intelligence chief, put it--will we eventually be judged to have hastened its spread?" wrote veteran reporter Joseph Lelyveld in last week's The New York Review of Books. Furthermore, what if other nations, such as India and Pakistan, begin escalating their cyber attacks against each other? "Or, scariest of all, China and the United States start playing cyber-chicken?" he asked.
Former White House cybersecurity coordinator Howard Schmidt, who left that post in May, warns that it's a "slippery slope" when the U.S. government hacks back at its adversaries. In an interview this week with InformationWeek's John Foley, Schmidt said government agencies and businesses in the private sector may be putting themselves at bigger risk when they go on the offensive because opponents may feel compelled to retaliate. "Just because you can do it doesn't mean you should do it," Schmidt said.
[ DARPA makes plans ... just in case. Read DARPA Seeks 'Plan X' Cyber Warfare Tools. ]
Furthermore, the United States--as one of the most heavily networked nations on the planet--could present an attractive target. Beyond the business necessity of Internet availability, numerous so-called "critical infrastructure" systems, including water treatment and energy plants, are Internet-connected, poorly secured, and in private hands. Should someone wish to cause related damage, opportunities abound.
Accordingly, the obvious next course of action seems clear: the United States should negotiate some type of cyber arms treaty. "There is no international treaty or agreement restricting the use of cyberweapons, which can do anything from controlling an individual laptop to disrupting an entire country's critical telecommunications or banking infrastructure. It is in the United States' interest to push for one before the monster it has unleashed comes home to roost," said DarkMarket author Misha Glenny, a British journalist and visiting professor at the Columbia University School of International and Public Affairs, in a New York Times opinion piece earlier this year.
Likewise, Eugene Kaspersky, chief of security firm Kaspersky Lab, which discovered Flame, has argued that such malware should be banned by international treaty.
But would the president ever sign such a treaty? Notably, it would tie the hands of government-backed malware operators, and undermine a potentially valuable diplomatic tool. By some accounts, unleashing Stuxnet against an Iranian nuclear enrichment facility held Israel back from bombing Iran, which might have drawn the United States into a new on-the-ground conflict. Geopolitics is complicated; building malware--the digital equivalent to drone attacks--seems to remain relatively cheap. At least for now.