Vol. XLI No. 31 July 30, 2017
Array

Cyber Peace Treaty or the Peace of the Hegemon?

Prabir Purkayastha

AFTER WannaCry and (Not)Petya ransomware hitting global high profile organisations, there is a much greater awareness of the risks from cyber weapons. Both these ransomware used EternalBlue, the stolen NSA exploit of a Windows vulnerability. The call for a Geneva Convention for controlling cyber weapons – a cyber Geneva Convention – has therefore grown, with Microsoft, Deutsch Telekom and other big corporations now backing the call.  

Instead of moving in this direction, the US has announced the separation of its offensive Cyber Command (Cybercom) from its defensive intelligence platform, and putting it on par with the Strategic Command that controls all the US nuclear weapons. Cybercom will focus exclusively on developing cyber weapons; or what Phil Quade, former director of the NSA Cyber Task Force termed as “attack tools”.

QUEST FOR FULL SPECTRUM DOMINATION

Clearly, the US is continuing its quest for full spectrum domination, the complete military dominance of all the five spaces – land, air, water, space and cyber space – irrespective of the risks involved. The control of cyber space involves controlling the entire electromagnetic spectrum as also the communication networks. Seizing “enemy” communications, blinding or misdirecting them, is very much a part of this new dimension of war. The problem is that weapons that can be used in this form of war, are no different from the ones that are being used to create ransomware such as WannaCry or NotPetya; or the ones that can bring down the electricity grid; or the financial systems.

Once such cyber weapons are created, they are themselves vulnerable to either thefts by insiders, or being hacked by criminals. Shadow Brokers, a criminal group, got hold of a cache of such weapons that the NSA had created, and have even dumped some of these online. More recently, WikiLeaks has put up details of another set of such tools that were created by the CIA, and have also been hacked. Though Wikileaks has described these CIA tools on its site, the tools themselves are not yet in public domain.

Pointing out this new threat to the world, Brad Smith, the president of Microsoft, wrote (https://blogs.microsoft.com), “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage...this most recent attack (WannaCry) represents a completely unintended but disconcerting link between the two most serious forms of cyber security threats in the world today – nation-state action and organised criminal action.”

For the US companies that have cooperated with their intelligence agencies, the chickens of cyber weapons are now coming home to roost.

If intelligence agencies, with the resources of a nation state, create cyber weapons, it poses enormous risks to the computer systems that pretty much run everything in the world today. In a 2010 UN Report, a group of experts including experts from the United States, China, and Russia, determined that cyber security threats are among the most serious challenges of the 21st century. With computer systems and networks underpinning the global financial, telecommunications, energy and other infrastructure, the risks of cyber weapons to the world are greater than ever before.

If an intelligence agency has a defensive purpose, it may work with the industry, in quickly discovering and patching of software vulnerabilities. If it has an offensive purpose, it will hoard these vulnerabilities to create tools – essentially cyber weapons – that can then be used to either, steal information from, or even take down targeted systems and networks.  The Stuxnet attack on Iran and its nuclear fuel enrichment centrifuges in Natanz is an example of the use of weaponised software.  

UNRIVALLED ACCESS TO NETWORKS AND SYSTEMS

These weapons gave the NSA and the CIA unrivalled access to networks and systems all over the world. The Snowden revelations make clear that the US not only hacked into Russia and Chinese systems, but also the systems of its allies. From Snowden files, we know that the US routinely spied upon the country delegations in any major international negotiations. Though Germany is a major NATO partner, the US even hacked into Prime Minister Merkel's phones. Neither was India spared, a large number of Computer Network Exploits (CNE's) of the Indian network are visible in the leaked Snowden documents.

The demands for a Cyber Geneva Convention, or barring nations from developing such tools, have been raised not only from countries at the receiving end of US surveillance, but now also by major IT companies. Protecting systems from nation states is a qualitatively different task than protecting systems from criminals. The nation states have much larger resources – both financial and human – to mount far more serious threats to systems. That is why the call for prevention: asking nation states to not develop attack weapons.

Russia, China and countries from the Shanghai Cooperation Group have proposed a treaty to limit cyber weapons modelled on the 1997 Chemical Weapons Convention that outlawed chemical weapons. In 2011, Russia, China, Tajikistan and Uzbekistan jointly submitted an international code of conduct for information security to the General Assembly, subsequently also co-sponsored by Kyrgyzstan and Kazakhstan. This was followed up by a revised proposal in 2015 by the above six countries, asking for UN discussions on how to prevent members from using cyberspace for acts of aggression.

All these proposals have been rejected by the US and other NATO powers, arguing that a cyber treaty is difficult, and therefore not practicable. The US felt that they had a decisive advantage over others in cyber weapons. The Russia-China proposals for a ban on cyber weapons was therefore seen by the US as a ploy to deprive them of this advantage.

Commenting on the US rejection of any proposal to ban cyber weapons, Mary Ellen O’Connell and Louise Arimatsu explained in a report (Cyber Security and International Law, Chatham House, 2012) that the US’s resistance to proposals for a treaty may have related to “US plans to use the Internet for offensive purposes (…) US officials claim publicly that Cyber Command is primarily defensive, but the reluctance to entertain the idea of a cyberspace disarmament treaty is raising questions about the true US position.”

Bruce Schneier, one of the leading security experts in the US, wrote in 2012, “There's a common belief within the US military that cyber weapons treaties are not in our best interest: that we currently have a military advantage in cyberspace that we should not squander. That's not true. We might have an offensive advantage – although that's debatable – but we certainly don't have a defensive advantage.”

The US has argued that instead of a new treaty, countries should join the European Treaty on Cyber Crime and expand it if necessary. The problem with the European Cyber Crime Treaty – apart from being a European treaty – is that it was created explicitly against criminal threats, against those who are outside national governments. It is not about barring governments themselves from mass surveillance of its citizens; or weaponising software to take down other country’s infrastructure.

The key issue – after the leak of NSA and CIA's cyber weapons – is should nation states develop such weapons at all? This is what leading figures within the industry are now raising.

Yes, cyber weapon bans are difficult. It is difficult to distinguish between defensive research and weapons research. But so was chemical weapon ban; or a biological weapon ban. Schneier had argued, “The very act of negotiating limits the arms race and paves the way to peace. And even if they're breached, the world is safer because the treaties exist.”

The Microsoft president Brad Smith demanding a Geneva Convention is the recognition that in trying to convert the US lead in software to cyber weapons, is making the world a much more unsafe place for everyone including the US. The US, as a heavily networked society, is also much more vulnerable to cyber attacks. The only solution lies in a collective agreement to give up cyber weapons.

Instead, the US has now told the world that it sees the cyber space as a new domain that it needs to control militarily, and therefore its new command – the cyber command – is explicitly tasked with developing offensive weapons. This is the US government's official answer: the only peace that it wants is through full spectrum domination of the world; the peace of the Hegemon.