World leaders fear that cyber-terrorism and cyber-warfare may pose a real threat to national security. In the future, unknown hackers might target everything from electricity to elections.
Therefore, national security planners may look beyond reactive cyber-defense tactics to proactive cyber-defense strategies.
On the surface, the arms control analogy appears difficult to make. Chemical warfare is designed to kill humans; cyber-warfare is designed to kill machines (or their functionality). But let's see where the comparison could be helpful -- and where cyber-weapons may be unique.
Chemical weapons employ the toxic properties of chemicals to kill or injure human beings and animals. Archeologists have found poison-covered arrowheads dating to 10,000 BC. In WWI, chemical weapons may have caused one-third of the estimated 5 million casualties.
First, the most important reason for the success of CWC was political will. In 1997, Bill Clinton and Boris Yeltsin declared that we should "banish poison gas from the Earth." Political leaders today are beginning to describe the cyber-attack threat in similar terms: Chinese Minister Lou Qinjian has complained of "massive and shocking" damage caused by hacking, and President Obama announced that unknown hackers had "plunged entire cities into darkness."
Second, there is a universal nature to the threat posed by both chemical and cyber-weapons. For CWC, signatories feared not only nation-state use; they also worried that chemical weapons may be used by terrorists. CWC's goal is thus worldwide participation and the elimination of an entire class of weapons of mass destruction (WMD). Currently, CWC has 188 signatories, encompassing 98 percent of governments and 95 percent of the Earth's population. The ubiquity of cyberspace and the fact that hackers are able to anonymize their attacks may put a fear of cyber-weapons into the same universal category.
Third, CWC helps its members to fulfill treaty requirements and provides advocacy in the event that a member is threatened by chemical weapons. The persistence of cyber-vulnerabilities and the challenge of implementing best practices in computer security suggest that a Cyber Weapons Convention could create an international institution to provide technical, legal, and policy guidance to its members. One significant but politically and technically difficult step might be the joint observation of Internet traffic flows.
At this point, however, the helpful analogy between chemical and cyber-weapons breaks down. Arms control in CWC relies on the principles of prohibition and inspection. Both are currently very hard to imagine implementing in cyberspace.
Since 1997, CWC has overseen the destruction of over 60 percent of the world's declared chemical agent stockpiles and almost 50 percent of chemical munitions. However, it is difficult to prohibit something that is hard to define, and cyber-weapons present just such a challenge. In the single month of May 2009, Kaspersky Lab counted 42,520 "unique malicious, advertising, and potentially unwanted" programs on its clients' computers.
Another key to the success of CWC is its inspection regime. Since 1997, there have been over 4,000 CWC inspections in 81 countries, and almost 5,000 industrial facilities are subject to inspection at any time. This is a large but manageable number. Compare it to one 256-Gbyte USB Flash drive, which holds over 2 trillion bits of data. Or the number of Internet-connected computers in the US, 400 million.
Some regular inspections probably already take place at the ISP level -- perhaps as part of China's Golden Shield Project, the European Convention on Cybercrime, Russia's SORM, and the USA PATRIOT Act -- but all such initiatives will face the same problem of overwhelming traffic volume.
In spite of these challenges, cyber-arms control may be a part of our future. CWC is an imperfect analogy, but it still offers national security planners a few helpful ideas and some inspiration. In the future, if enough political will is generated to sign an international cyber-arms control treaty -- perhaps in the wake of a surprisingly powerful cyber-attack -- political leaders may give scientists the funding they need to attack the technical challenges of prohibition and inspection.
— Kenneth Geers, US Representative to the Cyber Center of Excellence in Tallinn, Estonia
"The risk of cyber attacks is massively overstated, because very few attacks can cause global meltdown, an OECD report claims.
Headline-grabbing events including malware, distributed denial of service attacks, criminal activities and espionage can, at best, cause only local disruption, and it would take a concentrated attack on the technology protocols underpinning the Internet to cause a catastrophic meltdown in global communications, the report states."
The stream of database exposures remained steady in the second half of 2010: We saw organizations face the consequences of inept database account provisioning, bad encryption policies, poor choice of third-party vendors, and an overall indifference to security -- all of which continued to keep consumers on the watch for blips in their credit reports.
According to the recent Computing Technology Industry Association's (CompTIA's) 8th Annual Global Security Trends Study, only about half of IT professionals view security as a major priority. It's no surprise, then, that the survey found 63 percent of their companies have experienced some kind of breach this year.
Consider the Bradley Manning/Wikileaks thing: it seems he wrote all those memos to a RW DVD and just walked out of the message center with all of it.
NOT JUST END USERS
The behavior issue isn't limited to end users but is pervasive through the process that builds and distributes software with little or no attention to the security question. And this starts with the guy who assembles the compiler.
David, what I was relating to was the overall structure of multilateral inspection that would set a broad standard that a multinational collaboration would be involved with, like his examples in chemical warfare, nuclear, etc.
Obviously, that in and of itself will not be a full detection. That would require our own national security process that would seek protection, or minimally detection of leaks.
I do not know if it is technically possible to stop leaks; I was thinking that a better and more comprehensive monitoring and detection may be the best security at this stage.
I'm not sure quite what you mean. Ken did mention inspection, but mentioned the challenges of inspecting data. I'd amplify; there is no way to inspect packets that contain arbitrary malicious code, only scan for specific known attacks. This is effective as long as there is no encryption of the data, which is basically trivial and will become universal for attackers if such a regime is implemented. (It's already not uncommon for botnets to encrypt most of their traffic.)
So what are we planning to inspect? My vote would be checking machines for required patches. If a machine facing the internet is found unpatched more than some fixed amount of time after the patch is released, there would be a flag. The rule could be, for instance, that networks with more than some minimum number of flags would have different treatment; possibly restrict nonroutine traffic, or increase penalties for compromised machines within such networks. (If a network that has always stayed patched gets compromised, the penalties should be significantly less.)
Does anyone have any other ideas about what could be inspected?
Enforcing any sort of treaty will be largely determined by everyone’s definition of the key terms. International law enforcement is currently slogging its way through legal channels to bring these definitions into agreement. This is why piracy and slavery are still rampant in some parts of the world.
No political entity is willing to share their slice of the pie in order to prevent crime somewhere else. It’s not so much a “not in my backyard” mentality as it is an “it’s my yard, it’s my rules.” We will continue to operate in a reactive fashion, chopping off the hands that reach into our jurisdictions until all parties involved agree on what constitutes a crime and how it should be stopped.
I agree, David, that the accountability and use of the existing tools would advance the controls of the cyberwarfare.
Kenneth has some interesting new thoughts as well on increased "inspection", along the lines of chemical warfare and nuclear inspections. Maybe that would hold some promise.
Extradition isn't necessary to stop attacks; it's a poor security system where the only thing preventing robberies is that the police might catch you afterwards. We need proactive approaches for cutting off attacks as they happen, as well as regimes to stop those who have acted badly, to reform or restrict them.
The best way to provide enforcement in these cases is to use the system they are abusing; if an ISP refuses to block an attack, the ISP would need to be blocked completely, in order to prevent the attack from occurring. That's all the impetus they should need.
Great point. The extradition of criminals is hard because it offends national pride, not just the principle of sovereignty over people and borders. "Like, I am sure that my kid did not hit your kid."
In the 2007 cyber attacks against Estonia, most of the original attacking computers were located in the U.S. As the traffic was blocked, the bots moved to Egypt, Vietnam and elsewhere.
The cyber treaty negotiators would have to come up with something, but it could be different in every case. With extradition, I think the treaties are mostly bilateral, which provides some flexibility.
For a universal treaty, part of the new power might be the ability to publicly name and shame those who flout the treaty. Just peer pressure, but better than nothing.