The Technium

Cyberweapons: A Real Worry


There is not too much about technology that I worry about. But one technological area I do worry a lot about is cyber war, cyber security, cyber conflict. My worry stems from the lack of accountability and the lack of consensus in this arena. It is devilishly difficult to discern what is being done cyberwise, and who is doing it. At the same time, there is no consensus about which actions need to be disclosed, or monitored, or verified. Nor is there real consensus on what actions are allowed, permitted, prohibited, discouraged, or encouraged. Finally, there are no limits, remedies, restrictions that can be enforced.

What this means is that right now there are huge cyber operations happening around the world every day. Some of these are defensive, but many are offensive attacks. Systems are breached, probed, potential damage is rehearsed, future secret entrances installed, small things are broken. The US, China, Russia, Isreal, Iran, North Korea — to name some of the most active countries — plus many more non-state, quasi-state, organized crime agents, like hacker groups, are involved in huge maneuvers that are invisible to the rest of the world. Increasingly these data vs data conflicts are touching the physical infrastructure. The world’s electrical grids, transportation networks, hospitals, water systems all depend on an intangible data structure, where these skirmishes are taking place. So far only a few incursions have crippled physical civic services; a hospital is cut from electricity, or traffic lights are disrupted. My worry is that because there is neither transparency nor agreed norms, these mutual attacks will escalate until something horrible happens. There is no push-back on this arms race. The public doesn’t see it, and the experts who do see it, don’t agree on where to go.

We beings on this planet have evolved an elaborate set of rules about how to conduct war. Weirdly we have agreed on how to kill each other. Some ways are okay and some are not. You can’t kill someone you take as  prisoner. You can’t intentionally kill children. You can’t torture. Etc. As new weapons were invented we added them to our agreement. We have agreed to avoid using nuclear bombs (although some countries, including the US, still make them).

Cyber weapons are new, and have not been included in our agreements. In war is it okay to take down a nation’s banking system? Is it permissible to disable everyone’s phones? Should the world accept hacking interference in another nation’s election?

Problematic weapons like nuclear, chemical, and biological ones, have extensive, complicated programs of verification to make sure our collective agreement is adhered to. Part of that process is self-reporting, self-disclosure by those who posses these weapons. None of this disclosure is happening in cyberspace.

None of the countries active in using these new weapons will acknowledge they have the weapons; they deny they are using them, and don’t even communicate when others use the weapons against them. There is a conspiracy of silence in cyberwar. That is the danger.

This silence and denial also creates cover for non-state attacks by criminals, rouge state hackers, naive teenage hackers, to do damage. They are hidden behind the same cloak that nations are hiding behind. Together state and non-state hacking can add up to a potentially mutual destruction. Today every developed country is potentially very vulnerable to a cyber attack. And soon every developed country will be capable of delivering a crippling attack.

We have nuclear arms treaty because we realized we had the capability of mutual destruction . Our next step is to realize we have the capability of mutual CYBER destruction. The remedy is  similar: a global agreement on acceptable use of cyber weapons, and a public accounting of those weapons.

A significant hurdle for the accountability of cyber weapons is their close alignment with intelligence gathering. Cyberwar is fought with information, and information is the heart of intelligence. It is very difficult to unravel cyber weapons from cyber tools. There is the thinnest line between hacking a system to learn about it (intelligence gathering) and hacking it to learn how to damage it (reconnaissance) or hacking it to damage it (war). The same tools (weapons?) may be used in each case.

Understandably, the intelligence departments of nations are reluctant to reveal their methods, or share their tools, or in any way handicap themselves. Cyber-weapons derive from cyber spy tools, and it is a challenge to untangle the two. Knowledge and intelligence can be wielded as a weapon. It’s hard to see a way to account for information weapons that does not expose information spying.

But not impossible. We can regulate specific actions via treaties and agreements. Rather than outlaw tools (or weapons), we can outlaw outcomes. We might agree that taking a banking system down is not acceptable, whether you use a computer virus, a social media hack, or a EMP bomb blast. Interfering in an election should be prohibited via any method, even the most indirect.

The remaining challenge is mutual verification of the source of cyber actions. Tracking the source of actions is made difficult by the dark web. Much can be hidden by anonymizers and cleverness. But a lot online is hidden because the global internet is a patchwork of national networks, and because the actual humans creating attacks are shielded from inspection by national laws. Hackers in country X casting spells on country Y, even if proven bad, may be out of reach of country Y.

Part of the needed reform for a consensus on cyber war extends to making it harder to hide behind the walls erected by nations. I predict the nations will begin to cooperate more in disclosing the source of actions, including their own departments, for this simple reason: nations will come to understand that there is no national cyber security without global cyber security.

Rather than kumbaya global peace, pure self-interest will drive nations to be more cooperative in the cyber dimensions. When you have a global network, your security is only reliable as the weakest link in that system.  Attackers bleed to the least secure edges where they can continue to cause damage.  Ultimately security within your nation will fail unless the security of all the other nations is also maintained.

In addition to improving the overt security in peacetime, this requirement for global mutual security can drive the transparency needed to regulate cyber weapons.  My only worry is that it may take a huge cyber disaster with many people dying before nations come together in agreement on how we should treat these new weapons.




Comments