Eugene Kaspersky: Clear Need to Define Cyberweapons and Cyberwar

The term cyberwar has become a catch-all used by politicians, talking heads and others to encompass just about any online threat, regardless of the attacker or the target. Among security professionals, however, the word has a specific connotation: an attack by one nation against another nation’s infrastructure. Aside from the semantic issues, one of the major challenges for government agencies and security teams dealing with this problem is attribution and recognizing what constitutes an actual act of cyberwar. Stuxnet, Flame and their cousins may qualify, but more discussion is needed to help define the terms of these new conflicts, experts say.

One of the key problems is that virtually any attack tool could be defined as a cyberweapon, depending upon the context, the target and the attacker. Certainly tools such as Duqu fall into that category, but so might simple remote-access Trojans under certain circumstances. Who makes that call? Right now, it’s mainly made by either the victim or a security researcher on the outside. 

“There’s no definition of cyberweapons. What’s the difference between cyberweapons and traditional ones?” said Eugene Kaspersky, CEO of Kaspersky Lab, in a discussion on Tuesday. “One difference is software is software. People can make a copy, disassemble it, learn its tricks.”

This is one of the points that security researchers have made about the use of tools such as Stuxnet and Flame: Once the tool is discovered, experts on the victim’s end have the chance to tear it apart and see what tactics and methods the attackers used. In the same way that enemy armed forces can take apart a downed fighter or helicopter and learn from what the other side is doing, engineers can pore over lines of code in attack tools and look for ways to improve their own creations.

Another problem that crops up in discussions around the use of cyberweapons is the issue of attribution. Discovering who is behind a given attack is a notoriously difficult problem, even when there are seemingly obvious clues in the code such as idiomatic phrases in a specific language or a traceable path that leads to servers in a hostile country. Those things can be faked easily and there don’t seem to be many countries standing up to take credit for any of the known attacks. That leads to speculation and guesswork.

“It’s very difficult to find out who is behind an attack. It’s easy to point a finger at the wrong source,” Kaspersky said. “There’s no such thing as true attribution for cyberweapons. It’s very easy to cheat.”

As the Stuxnet attack in particular showed, it’s also quite easy for cyberweapons intended for one specific target to get a little feisty and end up on neighboring systems or networks. Stuxnet was designed to attack the systems controlling the centrifuges at the Natanz nuclear facility in Iran, systems that ran on software from Siemens that is not widely understood. However, the worm ended up making a leap to some desktop machines and eventually made its way out of the facility entirely. The mistakes by the Stuxnet attackers led to the worm’s eventual discovery. Even years later, the effects are still being felt. Officials at Chevron said this week that their corporate network had been infected by Stuxnet, but that no damage was done.

Despite those unintended consequences, like Stuxnet, most cyberweapons are written with a specific target or set of targets in mind, often a small number of systems in a particular organization or industry that contain valuable data. But when they make their way out of those targeted environments, there can be wide-ranging consequences. This, Kaspersky said, is one of the things that concerns him most about the way these tools are being used.

“The damage for cyberweapons won’t just happen to the target,” he said. “There will be random victims if the software isn’t able to recognize its targets. There could be many victims, especially when you realize the Internet doesn’t have borders.”

Government officials have begun making noises about the need for international discussions regarding the use of cyberweapons, either during a conventional war or as standalone attacks. But without a clear definition of what constitutes a cyberweapon or a good way to identify the people or nation behind an attack, any discussions could end up being fruitless. 

Discussion

  • Anonymous on

    Cyber war is not so different from "real" war, in which you have "friendly fire" and "unintended" targets.  When someone attacks someone else with things (guns, bullets, etc.) that can harm persons or property, that constitutes an attack with a weapon.  If war has been declared by one or both of the parties, that attack constitutes war.  Otherwise, it falls under the category of either a crime or espionage.  How do we currently treat crimes and espionage?  Treat cyber attacks the same way.

    Regards,

  • Jarno Limnéll on

    The nature of cyber reality (blurring of peace and war times) adds a dangerous new dimension of instability; future conflicts are becoming vague, without a clear beginning and end. Sometimes an actor may not even be conscious of being in conflict with someone, when unpleasant tangible things "just happen" all the time or just every once in a while.

  • Larry Constantine (Lior Samson) on

    To add to the semantic mess, we have the closely related constructs of cyber-terrorism and state-sponsored cyber-terrorism as the cyberspace analogs of terrorism and state-sponsored terrorism in real-space. The last of these can pose similar problems of attribution as with cyber-warfare. Counterattacks against an unknown attacker are problematic, which might not deter nation states from declaring war in any case as might suit their purposes. It did not stop the Americans from declaring a "war on terror" following 9/11, with concomitant curtailing of individual rights. The United States has already publicly announced a policy of interpreting state-sponsored cyber-terrorist attacks as acts of war, which opens the possibility of cyber-warfare escalating into physical war.

    A truly nightmare scenario in this diplomatic and political wild frontier would be if a cyber-attack were to wipe out significant portions of a country's infrastructure under conditions that permit attribution, valid or not. For instance, if Chinese hackers, with or without "facilitation," were to take down the U.S. power grid, would the U.S. possibly launch a tit-for-tat response? If they did, what might be expected in reaction from a now economically devastated China?

    When nuclear powers begin playing such games without rules, without precedents, and without even full understanding, the quite plausible scenarios can be truly frightening.

    --Prof. Larry Constantine (Lior Samson, author of Web Games)

  • American Thinker on

    Our dependence on high technology also means our hidden vulnerability. From the insane to the hateful, we are at risk--all of us, all of the time.

    Perhaps our rescue, our true security--lies in that much slandered shield--Government Regulations.  Can we border patrol our computers? I don't know? The notion to do so is oh, so timely.  As President John Kennedy said of Alan Shepard's first jaunt into space I say, "Let us begin."

    If the insane and the hateful want to play bullies, we must not give in to being computer chip victimized. We need to get our experts and our country ready for an appropriate defense. The window to proceed is open right now.

  • Vytautasba on

    Appears there is still some misunderstanding about Stuxnet and the way it works.  Yes, it appeared in many places (now can add Chevron to the list), but it only did its dirty work after checking whether the place it happened to be in met very specific criteria.  If the criteria were not met it would try to look elsewhere or just deactivate.  See Ralph Langner's analysis.  He looked more at the 2nd payload (Siemens dedicated part).  Too many miss this and just talk about the Windows part (0-days and certificates).  The real interesting part is the SCADA payload, not so much the Windows part (just designed to break in, look around and spread).
