The discovery of the Flame malware has raised a number of questions, some mundane, some interesting and many unanswerable at this point. But the point that’s most interesting also is the one that likely will go unaddressed for the foreseeable future, and that is the need for a serious, open discussion on the use of cyber weapons.

The Stuxnet, Duqu and Flame episodes have stirred up a giant swirl of hyperbole and speculation, both along the lines of sophistication and attribution. A piece in The New York Times today speculates that not only was the United States responsible for creating and deploying Stuxnet, but it was just one part of a comprehensive campaign by the Bush and Obama administrations to disrupt nuclear operations in Iran through the use of offensive security tools. This is something that people in the security community have been talking about since the discovery of Stuxnet, when researchers pointed the finger at the U.S., or possibly Israel, for the attack. So the idea that one of Iran’s stated enemies would have launched Stuxnet against that country isn’t much of a stretch. 

“It appears to be the first time the United States has repeatedly used cyberweapons to cripple another country’s infrastructure, achieving, with computer code, what until then could be accomplished only by bombing a country or sending in agents to plant explosives,” David E. Sanger wrote in the Times piece.

It’s been known that many countries have developed offensive cyber weapons and there have been discussions in the security community about the use of these tools and who may be using them against whom. But the problem is that there’s no public discussion about the existence, let alone the use, of these tools. Obama officials have only referred obliquely to the possibility of offensive security operations in policy documents. Other governments have taken a similar stance, not specifically discussing the use of attack tools and only speaking in generalities when the topic comes up.

But, as Steve Bellovin points out, the time has come for an open and frank discussion about the kinds of tools that governments and intelligence agencies are developing and how they can and should be used. 

“The world knows, more or less, what is acceptable behavior in the physical world: what constitutes an act of war, what is spying, what you can do about these, etc. Do the same rules apply in cyberspace? One crucial difference is the difficulty of attribution: it’s very hard to tell who launched a particular effort. That in turn means that deterrence doesn’t work very well,” Bellovin wrote in a blog post.

“There needs to be a national and international debate on this topic. No one is going to supply details of their operations or capabilities, but the simple fact that they exist isn’t and shouldn’t be a secret. Basic US nuclear doctrine has never been concealed; why should this be different?”

The answer is, it shouldn’t be any different. These weapons already are in use, and as Bellovin says, one looming problem is that the targets and the rest of the world don’t know who launched any given attack. No one is standing up to take credit for attacks such as Stuxnet or Duqu, which leads to rampant speculation. That helps no one. 

What would help is for someone in the administration to acknowledge that attack tools are in use, and talk about the circumstances under which they’re being used. It’s easy to find stories with named government and military officials talking about their development of new conventional weapons, and they hold massive press events for the unveiling of new fighter planes. But cyber weapons are the orphans, unacknowledged and undiscussed.

This isn’t 1995 or even 2005 anymore. Let’s get on with it.

Categories: Government, Malware

Comments (7)

  1. The Game remains the same
    1

    The past few years have seen 2 of the 3 threat sources pursue their courses (Hacktivists, Cybercriminals).

    In the meantime nation states like Russia (in classic Cold War style) have executed recruitment and infiltration, not ideologically but as catch-up and business competition.

    The middle kingdom pursues a course typical for centuries, and every day the leagues of Chinese PLA operating in bureaus sweep the Internet nation-by-nation.

    The Western Democracies by their nature and style don’t follow either of these approaches, but in their own way lean to the past ‘tactical’ tendencies.

    Now like the wakeup during the cold war the public is finally/begrudgingly aware and rattling its ‘rhetoric’.

    Whether it’s unrestricted warfare, asymmetric response, tit-for-tat. It’s HUMAN using a different ‘rock’.

    There will certainly be work aplenty for the Security Profession; most of it management by crisis. And the abundance of low-hanging fruit with all of our data emblazoned upon it will have to be trimmed from the trees before we finally get down to cases.

    It’s not about getting the administration to talk, it’s not about ‘let’s come together’, it’s human nature, and we will have to pursue, expose, reason, Cyber-detente, and hopefully learn that “Discretion is the better part of valor, and Wisdom the province of the experienced”

  2. Anonymous
    2

    If you are a concerned American who cares about your country, then let me ask you a question:

    Do you really want an open treaty / diplomacy on “cyberweapons”, or more accurately, “cyberespionage”?

    Isn’t America a safer place because of this very thing that others are trying to prevent?

    Do you think that anyone would actually abide by laws governing this?

    Everyone in the infosec community, please stop acting like a treaty will do anything and just accept the fact the governments can and will use “cyber” tools to make the world safer (As they have ever since the internet first became public).

     

  3. Anonymous
    4

    Terminology is a real barrier to meaningful discussion.  For example, you (along with a lot of other people) call “FLAME” a “cyberweapon” but since its purpose is to gather intelligence (or “prepare the battlefield” if you like), one could really question whether it is a weapon at all.  Espionage is not an act of war.

    There’s some really good discussion of misusing metaphors in:

    A. Lapointe (CSIS), “When good metaphors go bad: the metaphoric branding of cyberspace”.

    There’s actually been a lot of work on international frameworks for governing/managing cyber conflict:

    East-West Institute, “Working Towards Rules for Governing Cyber Conflict”

    National Academies Press, “Technology, Policy, Law and Ethics Regarding US Acquisition and Use of Cyberattack Capabilities”.

    S. Bradbury, “The developing legal framework for defensive and offensive cyber operations”.

    For a general discussion of warfare in cyberspace (hint: it’s not as easy as it sounds), see:

    G. Rattray (RAND), Strategic Warfare in Cyberspace.

    M. Libicki (RAND), Cyberdeterrence and Cyberwar

    Setting limits on what can and cannot be done in cyber space is a hard (maybe even a wicked) problem and we need to build on the work that’s already been done.

    – Ishmael

  4. Anonymous
    5

    Knowledge is power -> Information is power -> All your info has owned by Flame.

    I can see your point in advocating that the cyber warfare be looked at under the same microscope as conventional, physical warfare. In the long run, I can foresee both becoming more and more intertwined as the two worlds collide.

    However, if you consider the way in which cyber weapons are utilized from start to finish it is a completely different ball game. The element of surprise is absolutely crucial, and instead of comparing the Flame malware to a new model of a dogfighter, it would be more fair to compare it to a stealth bomber (which I believe was a highly protected secret).

    If enemies were to discover the development of the stealth bomber they would attempt to reverse engineer the technology so they could A.) use it for their own offensive military operations and B.) to develop technologies to detect and counter it. If Flame has been deployed without detection for 4+ years, I’d say that’s one hell of a stealth bomber.

     

     

  5. rgrein
    6

    ‘A concerned American’ should also be concerned about ethics and worldwide cooperation, at least if you hold any of our founding principles dear.

    Your question is not ‘can we trust’, but ‘can we verify?’ President Kennedy had a chance to stop all nuclear weapons development when we had an overwhelming advantage, but not understanding the science behind seismology and fueled by arguments like yours he opted for an above ground only ban that slowed no one. The result was another 25 years of arms race that bankrupted both sides. We could go that way, smugly certain that our side can somehow out develop the other, but given numbers and our lack of education support that’s unlikely.

    So, the questions morph into ‘can we win this fight’, ‘is this a fight we should be involved in’, and ‘what are the ethical considerations of involvement?’ Oh, and one more, ‘what is the cost of this fight?’ The answers are ‘likely not’, ‘not if we can avoid it’, ‘messy with civilian casualties everywhere’, and ‘potentially trillions’. A little diplomacy is cheap insurance by comparison.

  6. Anonymous
    7

    So you think we should just sit by and let other nations take out our power grid because we are in a period of “worldwide cooperation”?

    Get your head out of the clouds
