Risk
8/23/2012
11:22 AM
Connect Directly
RSS
E-Mail
50%
50%

The Case For A Cyber Arms Treaty

In the wake of Stuxnet, could an international 'cyber arms' agreement forestall U.S. cyber warfare with China and other countries?

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
On the other hand, the best way to employ malware--either as a weapon or a diplomatic tool--isn't yet clear. "While the U.S. now has a very subtle understanding of when it wants to use drones and not, there is no equivalent right now of when you use cyber weapons," Sanger told NPR. "Partly that is because Olympic Games was so secret, and part of that is because the weapon is new and developing so fast that no one is really gathering together the sort of theory about how and when you would use it, when you would use it as a deterrent, that we developed in the 1950s about nuclear weapons."

But every new Stuxnet amplifies the possibility that other nations might justify escalating their own malware operations--against the United States and other countries. "Having been the first nation to use it purposefully against the weapons program of another state--to have 'crossed the Rubicon,' as General Michael Hayden, the former Bush intelligence chief, put it--will we eventually be judged to have hastened its spread?" wrote veteran reporter Joseph Lelyveld in last week's The New York Review of Books. Furthermore, what if other nations, such as India and Pakistan, begin escalating their cyber attacks against each other? "Or, scariest of all, China and the United States start playing cyber-chicken?" he asked.

Former White House cybersecurity coordinator Howard Schmidt, who left that post in May, warns that it's a "slippery slope" when the U.S. government hacks back at its adversaries. In an interview this week with InformationWeek's John Foley, Schmidt said government agencies and businesses in the private sector may be putting themselves at bigger risk when they go on the offensive because opponents may feel compelled to retaliate. "Just because you can do it doesn't mean you should do it," Schmidt said.

[ DARPA makes plans ... just in case. Read DARPA Seeks 'Plan X' Cyber Warfare Tools. ]

Furthermore, the United States--as one of the most heavily networked nations on the planet--could present an attractive target. Beyond the business necessity of Internet availability, numerous so-called "critical infrastructure" systems, including water treatment and energy plants, are Internet-connected, poorly secured, and in private hands. Should someone wish to cause related damage, opportunities abound.

Accordingly, the obvious next course of action seems clear: the United States should negotiate some type of cyber arms treaty. "There is no international treaty or agreement restricting the use of cyberweapons, which can do anything from controlling an individual laptop to disrupting an entire country's critical telecommunications or banking infrastructure. It is in the United States' interest to push for one before the monster it has unleashed comes home to roost," said DarkMarket author Misha Glenny, a British journalist and visiting professor at the Columbia University School of International and Public Affairs, in a New York Times opinion piece earlier this year.

Likewise, Eugene Kaspersky, chief of security firm Kaspersky Lab, which discovered Flame, has argued that such malware should be banned by international treaty.

But would the president ever sign such a treaty? Notably, it would tie the hands of government-backed malware operators, and undermine a potentially valuable diplomatic tool. By some accounts, unleashing Stuxnet against an Iranian nuclear enrichment facility held Israel back from bombing Iran, which might have drawn the United States into a new on-the-ground conflict. Geopolitics is complicated; building malware--the digital equivalent to drone attacks--seems to remain relatively cheap. At least for now.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
8/28/2012 | 2:03:26 AM
re: The Case For A Cyber Arms Treaty
By developing the most advanced weapons in the world, one can develop the most advanced defenses in the world - I think that's a pretty fair statement.

All throughout history, there have been things going on that the average Joe or Jane on the street don't know about but should be thankful for - things that their country is doing to protect them, whether they approve or disapprove of it.

Kaspersky's a funny guy here - sure, go ahead, ban malware. Doesn't that put him out of business? And as other posters have mentioned, sure, you can have every country on the face of the planet sign a treaty saying that they won't develop or use malware - but that doesn't keep a 14 year old kid from sitting down and learning assembly, C, or any other language and building something that could obliterate a network. No, a treaty, while nice on paper... exists only on paper.

Having malware banned leads to a false sense of security - sure, let's ban it... and forget how to defend against it. Then when the next attack happens, it's magnitudes worse. And the next attack will happen, it's just a matter of when. You have to be ready for it... and a treaty is not going to do much to help prevent an attack or clean up after one.

Andrew Hornback
InformationWeek Contributor
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
8/27/2012 | 3:10:46 PM
re: The Case For A Cyber Arms Treaty
Article states, "Having been the first nation to use it purposefully against the weapons program of another state--to have 'crossed the Rubicon,' as General Michael Hayden, the former Bush intelligence chief, put it--will we eventually be judged to have hastened its spread?"

Has that ever stopped the US Govt or any nation of developing and using a system to its advantage either strategically or operationally? They used firearms against native americans and were the first to use/introduce nuclear weapons. An unknown or unproven weapon system serves little as a detterrent. Treaties are nice, but as others have stated, wholly reliable on the good faith of the parties. As with regulatory guidance and laws, sometimes the value gained may just be worth the penalty imposed for non adherence.
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
8/26/2012 | 1:20:36 PM
re: The Case For A Cyber Arms Treaty
Treaties are only worth something when the partners adhere to them. Just look at the reports about human rights violations and you will see that a treaty for cyber security between US and China is just a waster of paper and resources.
Leo Regulus
50%
50%
Leo Regulus,
User Rank: Apprentice
8/25/2012 | 5:45:18 PM
re: The Case For A Cyber Arms Treaty
GET THIS TO YOUR EDITOR:
You have made some client-unfriendly changes.
When we hit the 'Print' Icon, we expect to see the entire article as one page and relatively 'free' of garbage.
On this article, it was necessary to go to page 2 to get the whole article.
The result was also littered with garbage.
I will not insult your intelligence by specifically what I define as 'garbage'.
TreeInMyCube
50%
50%
TreeInMyCube,
User Rank: Apprentice
8/24/2012 | 6:11:30 PM
re: The Case For A Cyber Arms Treaty
A treaty is a nice idea, but ineffective, since there are too many non-nation-state actors. Building nuclear weapons requires fissile material, which is not sold in every Best Buy or Walmart. Building malware can be done on a laptop, and launched from an Internet cafe.
Perhaps the only effective defense for the US military is to build out private networks that are not visible to other parties, friends or foes.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3562
Published: 2014-08-21
Red Hat Directory Server 8 and 389 Directory Server, when debugging is enabled, allows remote attackers to obtain sensitive replicated metadata by searching the directory.

CVE-2014-3577
Published: 2014-08-21
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-...

CVE-2014-5158
Published: 2014-08-21
The (1) av-centerd SOAP service and (2) backup command in the ossim-framework service in AlienVault OSSIM before 4.6.0 allows remote attackers to execute arbitrary commands via unspecified vectors.

CVE-2014-5159
Published: 2014-08-21
SQL injection vulnerability in the ossim-framework service in AlienVault OSSIM before 4.6.0 allows remote attackers to execute arbitrary SQL commands via the ws_data parameter.

CVE-2014-5210
Published: 2014-08-21
The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) remote_task or (2) get_license request, a different vulnerability than CVE-2014-3804 and CVE-2014-3805.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.