Stuxnet. Duku. DigiNotar. Commodo. The names of exploits and breached organisations reel past like dark clouds of a gathering storm. Cybersecurity programs spread ominously around the world.
I’ve seen the importance of international cyberweapons control for some time and wondered why more people weren’t talking about it. But recently, a new voice from the other side of the world took up the call for a virtual détente.
I first saw Eugene Kaspersky on the beach in Cancun. Lulled to tranquility by tossing turquoise waves – like someone in a Corona commercial – I observed two individuals in black jackets speaking Russian setting up microphone stands and cameras in the sand. I watched behind sunglassed anonymity as a few more came, one stocky with bushy gray hair. As he sat and began an interview I realised this must be THE Kaspersky.
The next morning at his company’s analyst conference Kaspersky spoke about “The Internet as a military-free zone – A Dream or an Opportunity?” He began by saying that cybercrime has worsened, but governments now understand the problem and would solve it in a couple years. “I’m not going to talk about cybercrime,” he said, “I’m going to talk about digital passports, social networks, and cyberwar.”
Unlike some who would have a narrower definition of cyberwar, Kaspersky uses the term expansively. He once forbade his employees from even talking about cyberterror, or cyberwar, publicly. But after watching Hollywood portray the subject quite accurately in the movie Diehard 4, he decided it’s time to tell the world.
Could Stuxnet’s sabotage of nuclear centrifuges be replicated on a broader scale against power plants and water plants? “I’m afraid yes.” Because so much of our physical infrastructure is internet-connected and computer-controlled, it’s possible to stop critical equipment from working. Once, Kaspersky told the audience, he toured an internet-connected experimental nuclear fusion reactor facility.
Cyber-weapons are easier and cheaper to develop than physical ones and cyber-attacks tend to be less attributable. A number of governments have cybersecurity programs and some have announced they are developing cyber-weapons. Still, we’re unprepared for cyberwar consequences and we can’t reasonably harden the physical infrastructure against cyberattacks anytime soon. Kaspersky warns that the major victims of cyberwar will be developed countries.
“We are living in a very dangerous world,” he said. “I do my best to explain this to governments.” The only way to avoid a “cybershima” scenario is to create an international agreement not to develop and not to share cyber-weapons. Nuclear test bans and restrictions on biological or chemical weapons show that treaties can be effective in curtailing arms races.
Time’s not on our side
Over the rest of the meetings in Cancun, I talked with people and explored implications and challenges of cyberweapons control. I’m concerned that the line will blur between well-heeled cyberterrorists and financially-motivated criminals. The subject Kaspersky didn’t talk about – how governments may come to control cybercrime – is interwoven with creating a viable cyber-weapons disarmament protocol. Without a way to greatly deter, attribute, and prosecute cybercrime and cyberterror, it might be too easy for bad actors to sow discord among the nations in the much the same way as extremists on both sides of the Middle East conflict and others conflicts have sabotaged peace efforts.
With multiple countries already developing cyber-weapons, time isn’t on our side. What if weapons leak to criminals, or are reverse-engineered? What if cybersecurity programs and institutions grow larger and more lucrative, creating powerful and entrenched interests (like conventional arms dealers and defense industries) for developing yet more cyberweapons and ever fomenting distrust among their nation state customers, if not actual cyberwar?
Do you start to see the complications? There’s so much to do, and so many competing interests. Some proponents of a cyberweapons treaty might wish for an actual cybershima – imagine cities without power for days or weeks, hospital generators failing, premature babies and others in intensive care dying – this would foment public outrage and demand for the solution.
But I think one should fear the kind of protocol that would emerge from a post-traumatic atmosphere even more than the current state of confused purposes and discussions. What if political support in the wake of cybershima built for retaliatory cyber-weapon programs rather than détente? What if cybershima led to a legislated state of panoptical government surveillance – something many fear is already in the making?
The only way forward
Should such worst case scenarios arise, events could spiral out of control. Official responses might take the form of arms race escalation, ride roughshod over civil liberties, or both. We might then see an escalation of conflict, with idealists and hacktivists taking up cyberarms against the governments who are in turn in conflict with each other. Rather than an open but secure internet with the transparency so many people are demanding, we might see escalating suppression of free speech and anonymity, growing darknets and chaos, an endless state of cyberinsecurity.
In my opinion, the protocols for cyberweapons weapons control and law enforcement are linked. Both must operate in a form that enhances human dignity, privacy, and trust between people. It helps to know that problems and aspirations are similar worldwide; in Russia as elsewhere, restive hacktivists are compromising web sites, cracking email accounts, and dumping out embarrassing information. It is encouraging to find a voice from the other side of the world echoing sentiments I’ve long held myself.
Dan Blum is a Gartner VP and distinguished analyst. He currently covers security architecture, cloud computing security, endpoint security, Web/email content filtering, and the cybercrime/threat landscape.