May 31, 2015

Cyberwar or Cyberpeace?

Prabir Purkayastha

Cyber weapons are no longer the stuff of science fiction. They are all too real, and so is their threat to our interconnected world. This threat is bound to grow in the coming days with the internet of things, when all our devices will have intelligence and be connected to the internet. If we want to stop the internet from being weaponised, we have to start talking about what nation states should or should not do. And that means an international compact on a par with what the world did with biological and chemical weapons, and what it failed to do with nuclear weapons.

These are the two interconnected questions we face: will we recognise the danger posed by weaponising cyberspace and confront it squarely? Or will we allow the continued building of a world in which a few countries, by their offensive power, come to a state of mutual deterrence as we have done with nuclear weapons, always on the edge of spinning out of control at any moment? Non-proliferation is not disarmament, as we are finding out to our cost.

Amit Yoran, in his keynote speech to this year's RSA Conference – a premier computer security event – held last month, warned that while computer technology has advanced at near-lightning speed, cyber security is still in the dark ages. Sophisticated attacks cannot be prevented by our virus scanners and existing threat detection tools, because they are handling yesterday's attacks. According to Yoran, the only way to beat such threats is to make visible what your computer and your network are doing – with whom they are communicating, what is being transmitted, and at what speeds. Seems simple, does it not? Except that it goes against what the US has been doing and the basic business model of the internet.

The first obstacle is that the US has been systematically working to weaken security. As we now know from the Snowden revelations, it has weakened encryption standards, worked with various vendors to create backdoors in hardware and software, and in the process created gaping security holes in the networks and systems that we all rely on. The second is the business model of the internet. This depends entirely on mining users' data and selling it to advertisers. Unfortunately, the business model of advertising is identical to the mass surveillance model: both need to siphon off users' data. This is the reason that internet companies are very much a part of the US surveillance state.

According to Yoran, the world has reached an inflection point. The barbarians are not at the gates; they are within the gates. And to drive home the point, he projected on the screen a North Korean figure in military fatigues. Presumably, the hacking of networks and computers is now no longer the exclusive preserve of the US. Invading Roman armies conquering barbarians and creating empires is normal; it becomes an inflection point only when barbarians enter Rome. Having systematically weakened security, the US and its giant internet companies have put the entire cyber resources of the world, including those of the US, at risk. The sophisticated entities that Yoran talks about are the nation states, which have the ability and the resources to mount dangerous attacks that cannot be stopped by the cyber defences we have today.




A nation state today has the ability to target computers that control the vital infrastructure of a country and cause catastrophic failures. Consider the case of a nuclear reactor. Its core is controlled by embedded computers, a part of the plant control system. If the control system is known, it is possible to “infect” the system in a way that may cause it to malfunction, even leading to a core meltdown. After Fukushima, can anybody doubt that this would be an act of war, on a par with a physical attack on the nuclear reactor?

The power grid, the control of hazardous plants, telecommunication networks, air traffic control, even aircraft in flight, are handled by computers and software. With the internet of things, even the lowly washing machine will have embedded computers and will be connected to the internet. If countries want to play games with such software and computers, it opens a whole new arena of war, a war with untold consequences.

In the nuclear fuel enrichment plant at Natanz, Iran, the US and Israel deployed the Stuxnet virus to attack the Siemens controllers of the centrifuges, causing physical damage to the equipment. Even when a specific piece of equipment or country is targeted, Stuxnet has shown that such viruses can escape into the wild and pose a threat to other equipment and countries. The Stuxnet virus infected thousands of such computers in Indonesia, India and other countries, and could easily have affected other Siemens controllers in the vital equipment of these countries. The attack on Iran – codenamed Olympic Games – has not only been on its centrifuges, but also on computers handling oil industry data.

There have been attacks, attributed by US sources to Iran, that wiped data from two-thirds of Aramco computers in Saudi Arabia; there have also been similar attacks on the US banking system. The NSA considers such attacks to be Iran's response, or Iran's version of the Olympic Games, to the attacks on Natanz and its oil information infrastructure.

The Stuxnet virus is the first known use of a computer virus to destroy or damage physical equipment. For those who follow such matters, this is the first time any country has crossed this threshold. It was the crossing of the Rubicon in cyber-attacks.

In the context of the use of Stuxnet against Iran, many western experts have argued that using a computer virus to cripple a nuclear fuel enrichment facility is better than bombing it outright. The issue here is not which course of action is better (and of course for whom), but whether this is an act of war. Is there a difference between bombing a facility and physically damaging it with a virus?

The US and its 5-Eyes partners have inserted 50,000 pieces of malware – or Computer Network Exploitations (CNEs) – in the networks of almost all countries in the world. These are “logic bombs”; on activation, they can bring down these networks. They have also weaponised the internet backbone.




As the Iran example shows, we are already in the early stages of cyberwar. Bruce Schneier, the doyen of cyber security, has said, “We're in the early years of a cyberwar arms race. It's expensive, it's destabilizing, and it threatens the very fabric of the Internet we use every day. Cyberwar treaties, as imperfect as they might be, are the only way to contain the threat.”

The key problem in de-weaponising the internet is the US conviction that it is far ahead of its rivals, and that any compact against weaponising the internet is akin to its unilateral disarmament. As a result, the US has rejected Russian and Chinese proposals for de-militarising the internet in the UN and other platforms, or watered them down to be virtually useless. While some concessions have recently been made – as exemplified by the Report of the Group of Governmental Experts to the 68th Session of the General Assembly – there is very little that has been agreed in terms of concrete action.

Cyberwar consists of attacks on computer networks or computer-controlled resources that cross a certain threshold. One approach to defining cyberwar would be to define it in terms of the physical damage that a cyber attack would cause in the real world. The attack, by one State actor against another, uses software or code intended to prevent the functioning (or cause the misuse) of an essential computer network, and so damage critical infrastructure, or cause physical damage to property or people, including loss of life, or both. In this definition, cyberwar always involves a State actor; it is not the work of a group or an individual.

This approach has the merit of putting the definition of cyberwar on a similar basis to that of an act of war as defined in international law. In order to constitute cyberwar, the actions must be on such a scale as to constitute a use of force (or threat of a use of force) as required by Article 2(4) of the UN Charter. Other approaches also seek to include damage to information systems and information as cyberwar, and these would require widening the current definition of war. There is also the problem of defining what constitutes a threshold: at what point do we describe information loss on systems as an act of war? After all, information loss takes place due to a variety of reasons, and only some of them are malicious.

We can define what constitutes war in cyberspace, and have an international agreement that holds cyberwar – or any attack that leads to physical damage or loss of life – as henceforth illegal. It is important to note that current international law does not consider all acts of war to be illegal. It limits, to a relatively narrow width, the legal basis for war, either to a country's self-defence, or based on a resolution of the United Nations Security Council. Removing cyberwar as a “permissible form of war” in international law would be a big step forward.

The other option would be to ban cyber weapons, and pledge, through an international agreement, that such weapons will not be developed or used by any country. Banning cyber weapons would be akin to banning biological and chemical weapons. Given our rapid movement toward a more interconnected world, we need to go beyond outlawing cyberwar and ban cyber weapons as well. The development of such weapons is a threat to our future. As long as cyber weapons are not illegal, there will be an incentive to develop them as a kind of deterrence; moreover, there will be a perverse incentive to weaken the security of networks and devices, as the US has been doing.

Of course, offensive capabilities are much easier to build than defensive ones. For offence to succeed you need to be successful once; for defence, you need to succeed every time. Hence defence needs global collaboration. This is the point of difference with the Olympic Games: there are no individual winners or losers. You win only when everyone also wins.

We need a change in mind-set: we have to engineer the devices and the networks for defensive purposes. We have to build security into the DNA of all communications. This means changing the outlook of all the players, including that of the most dominant one, the US. We need to build strong defences and not weaken them, if we are to achieve cyberpeace, not cyberwar.

(An earlier version of this article was published in: Latin America in Movement 503, ALAI, April 2015.)