By Misha Glenny, New York Times, June 24, 2012
Misha Glenny, a visiting professor at the Columbia University School of International and Public Affairs, is the author of “DarkMarket: Cyberthieves, Cybercops and You.”
The decision by the United States and Israel to develop and then deploy the Stuxnet computer worm against an Iranian nuclear facility late in George W. Bush’s presidency marked a significant and dangerous turning point in the gradual militarization of the Internet. Washington has begun to cross the Rubicon. If it continues, contemporary warfare will change fundamentally as we move into hazardous and uncharted territory.
It is one thing to write viruses and lock them away safely for future use should circumstances dictate it. It is quite another to deploy them in peacetime. Stuxnet has effectively fired the starting gun in a new arms race that is very likely to lead to the spread of similar and still more powerful offensive cyberweaponry across the Internet. Unlike nuclear or chemical weapons, however, countries are developing cyberweapons outside any regulatory framework.
There is no international treaty or agreement restricting the use of cyberweapons, which can do anything from controlling an individual laptop to disrupting an entire country’s critical telecommunications or banking infrastructure. It is in the United States’ interest to push for one before the monster it has unleashed comes home to roost.
Stuxnet was originally deployed with the specific aim of infecting the Natanz uranium enrichment facility in Iran. This required sneaking a memory stick into the plant to introduce the virus to its private and secure “offline” network. But despite Natanz’s isolation, Stuxnet somehow escaped into the cyberwild, eventually affecting hundreds of thousands of systems worldwide.
This is one of the frightening dangers of an uncontrolled arms race in cyberspace; once released, virus developers generally lose control of their inventions, which will inevitably seek out and attack the networks of innocent parties. Moreover, all countries that possess an offensive cyber capability will be tempted to use it now that the first shot has been fired.
Until recent revelations by The New York Times’s David E. Sanger, there was no definitive proof that America was behind Stuxnet. Now computer security experts have found a clear link between its creators and a newly discovered virus called Flame, which transforms infected computers into multipurpose espionage tools and has infected machines across the Middle East.
The United States has long been a commendable leader in combating the spread of malicious computer code, known as malware, that pranksters, criminals, intelligence services and terrorist organizations have been using to further their own ends. But by introducing such pernicious viruses as Stuxnet and Flame, America has severely undermined its moral and political credibility.
Flame circulated on the Web for at least four years and evaded detection by the big antivirus operators like McAfee, Symantec, Kaspersky Labs and F-Secure — companies that are vital to ensuring that law-abiding consumers can go about their business on the Web unmolested by the army of malware writers, who release nasty computer code onto the Internet to steal our money, data, intellectual property or identities. But senior industry figures have now expressed deep worries about the state-sponsored release of the most potent malware ever seen.
During the cold war, countries’ chief assets were missiles with nuclear warheads. Generally their number and location was common knowledge, as was the damage they could inflict and how long it would take them to inflict it.
Advanced cyberwar is different: a country’s assets lie as much in the weaknesses of enemy computer defenses as in the power of the weapons it possesses. So in order to assess one’s own capability, there is a strong temptation to penetrate the enemy’s systems before a conflict erupts. It is no good trying to hit them once hostilities have broken out; they will be prepared and there’s a risk that they already will have infected your systems. Once the logic of cyberwarfare takes hold, it is worryingly pre-emptive and can lead to the uncontrolled spread of malware.
Until now, America has been reluctant to discuss regulation of the Internet with Russia and China. Washington believes any moves toward a treaty might undermine its presumed superiority in the field of cyberweaponry and robotics. And it fears that Moscow and Beijing would exploit a global regulation of military activity on the Web, in order to justify and further strengthen the powerful tools they already use to restrict their citizens’ freedom on the Net. The United States must now consider entering into discussions, anathema though they may be, with the world’s major powers about the rules governing the Internet as a military domain.
Any agreement should regulate only military uses of the Internet and should specifically avoid any clauses that might affect private or commercial use of the Web. Nobody can halt the worldwide rush to create cyberweapons, but a treaty could prevent their deployment in peacetime and allow for a collective response to countries or organizations that violate it.
Technical superiority is not written in stone, and the United States is arguably more dependent on networked computer systems than any other country in the world. Washington must halt the spiral toward an arms race, which, in the long term, it is not guaranteed to win.
"Stuxnet has effectively fired the starting gun in a new arms race that is very likely to lead to the spread of similar and still more powerful offensive cyberweaponry across the Internet. Unlike nuclear or chemical weapons, however, countries are developing cyberweapons outside any regulatory framework."
And such development, while still appearing to give the advantage to the U.S., is unlikely to preclude both their development by potential enemies, like China and Russia, not to mention North Korea, Iran and other potential satellite countries in either of those two countries' orbits. Even with a nuclear proliferation treaty, which attempts to prevent the spread of those weapons, the world still faces real threats from countries who either refuse to comply with the terms of the treaty they signed, or continue to live outside its parameters.
Without even a modest treaty, the "wild west" would be an appropriate metaphor for the current, and foreseeable future pictures. In the "wild west" without any legal framework, sheer power, now including secret knowledge of the enemy, does and will rule.
And such an unmonitored, undocumented and unpredictable terrain provides only jeopardy for all potential players/combatants/competitors/opponents.
Reluctance to open discussions, on the part of the U.S. is hardly surprising; however, reluctance and refusal to do so serves best the interests of those countries who prefer an unregulated "playing field" especially one in which increasing numbers and depth of resources will be deployed, generating new findings, which could quickly and easily render any treaty obsolete.
Is it possible that in two decades, those responsible will look back to this period of unregulated development of cyberweaponry as the greatest failure of omission of the current group of world leaders, and not their failure to come to grips with the fiscal crisis that seems to be on the front burner of many stoves?