The discovery of the Flame malware has raised a number of questions, some mundane, some interesting and many unanswerable at this point. But the point that’s most interesting also is the one that likely will go unaddressed for the foreseeable future, and that is, the need for a serious, open discussion on the use of cyber weapons.
The Stuxnet, Duqu and Flame episodes have stirred up a giant swirl of hyperbole and speculation, both along the lines of sophistication and attribution. A piece in The New York Times today speculates that not only was the United States responsible for creating and deploying Stuxnet, but it was just one part of a comprehensive campaign by the Bush and Obama administrations to disrupt nuclear operations in Iran through the use of offensive security tools. This is something that people in the security community have been talking about since the discovery of Stuxnet, when researchers pointed the finger at the U.S., or possibly Israel, for the attack. So the idea that one of Iran’s stated enemies would have launched Stuxnet against that country isn’t much of a stretch.
“It appears to be the first time the United States has repeatedly used cyberweapons to cripple another country’s infrastructure, achieving, with computer code, what until then could be accomplished only by bombing a country or sending in agents to plant explosives,” David E. Sanger wrote in the Times piece.
It’s been known that many countries have developed offensive cyber weapons and there have been discussions in the security community about the use of these tools and who may be using them against whom. But the problem is that there’s no public discussion about the existence, let alone the use, of these tools. Obama officials have only referred obliquely to the possibility of offensive security operations in policy documents. Other governments have taken a similar stance, not specifically discussing the use of attack tools and only speaking in generalities when the topic comes up.
But, as Steve Bellovin points out, the time has come for an open and frank discussion about the kinds of tools that governments and intelligence agencies are developing and how they can and should be used.
“The world knows, more or less, what is acceptable behavior in the physical world: what constitutes an act of war, what is spying, what you can do about these, etc. Do the same rules apply in cyberspace? One crucial difference is the difficulty of attribution: it’s very hard to tell who launched a particular effort. That in turn means that deterrence doesn’t work very well,” Bellovin wrote in a blog post.
“There needs to be a national and international debate on this topic. No one is going to supply details of their operations or capabilities, but the simple fact that they exist isn’t and shouldn’t be a secret. Basic US nuclear doctrine has never been concealed; why should this be different?”
The answer is, it shouldn’t be any different. These weapons already are in use, and as Bellovin says, one looming problem is that the targets and the rest of the world don’t know who launched any given attack. No one is standing up to take credit for attacks such as Stuxnet or Duqu, which leads to rampant speculation. That helps no one.
What would help is for someone in the administration to acknowledge that attack tools are in use, and talk about the circumstances under which they’re being used. It’s easy to find stories with named government and military officials talking about their development of new conventional weapons and they hold massive press events for the unveiling of new fighter planes. But cyber weapons are the orphans, unacknowledged and undiscussed.
This isn’t 1995 or even 2005 anymore. Let’s get on with it.