Stuxnet. Duku. DigiNotar. Commodo. The names of exploits and breached organizations reel past like dark clouds of a gathering storm. Cybersecurity programs spread ominously around the world. I’ve seen the importance of international cyberweapons control for some time and wondered why more people weren’t talking about it. But recently, a new voice from the other side of the world took up the call for a virtual détente.
I first saw Eugene Kaspersky on the beach in Cancun. Lulled to tranquility by tossing turquoise waves – like someone in a Corona commercial – I observed two individuals speaking Russian setting up microphone stands and cameras in the sand. I watched behind sunglassed anonymity as a few more came, one in a black jacket with bushy gray hair. As he sat on the contrasting white sand and began an interview I realized this must be THE Kaspersky.
The next morning at his company’s analyst conference Kaspersky spoke about “The Internet as a military-free zone – A Dream or an Opportunity?” He began by saying that cybercrime has worsened, but governments now understand the problem and would solve it in a couple years. “I’m not going to talk about cybercrime,” he said, “I’m going to talk about digital passports, social networks, and cyberwar.”
Unlike some who would have a narrower definition of cyberwar, Kaspersky uses the term expansively. He once forbade his employees from even talking about cyberterror or cyberwar publicly. But after watching Hollywood portray the subject quite accurately in the movie Diehard 4, he decided it’s time to tell the world.
Could Stuxnet’s sabotage of nuclear centrifuges be replicated on a broader scale against power plants and water plants? “I’m afraid yes.” Because so much of our physical infrastructure is Internet-connected and computer-controlled, it’s possible to stop critical equipment from working. Once, Kaspersky told the audience, he toured an Internet-connected experimental nuclear fusion reactor facility.
Cyber-weapons are easier and cheaper to develop than physical ones and cyber-attacks tend to be less attributable. A number of governments have cybersecurity programs and some have announced they are developing cyber-weapons. Still, we’re unprepared for cyberwar consequences and we can’t reasonably harden the physical infrastructure against cyberattacks anytime soon. Kaspersky warns that the major victims of cyberwar will be developed countries.
“We are living in a very dangerous world,” he said. “I do my best to explain this to governments.” The only way to avoid a “cybershima” scenario is to create an international agreement not to develop and not to share cyber-weapons. Nuclear test bans and restrictions on biological or chemical weapons show that treaties can be effective in curtailing arms races.
Time’s not on our side
Over the rest of the meetings in Cancun, I talked with people and explored implications and challenges of cyberweapons control. I’m concerned that the line will blur between well-heeled cyberterrorists and financially-motivated criminals. The subject Kaspersky didn’t talk about – how governments may come to control cybercrime – is interwoven with creating a viable cyber-weapons disarmament protocol. Without a way to greatly deter, attribute, and prosecute cybercrime and cyberterror, it might be too easy for bad actors to sow discord among the nations in the much the same way as extremists on both sides of the Middle East conflict and others conflicts have sabotaged peace efforts.
With multiple countries already developing cyberweapons, time isn’t on our side. What if weapons leak to criminals, or are reverse-engineered? What if cybersecurity programs and institutions grow larger and more lucrative, creating powerful and entrenched interests (like conventional arms dealers and defense industries) for developing yet more cyberweapons and ever fomenting distrust among their nation state customers, if not actual cyberwar?
Do you start to see the complications? There’s so much to do, and so many competing interests, it boggles the mind. It’s enough perhaps to make some proponents of a cyberweapons treaty wish for an actual cybershima (picture cities without power for days, hospital generators failing, people in intensive care dying) that would the foment public outrage to compel a solution.
But I fear the protocol that would emerge from a post-traumatic atmosphere even more than our current state of confused purposes and discussions. What if political support in the wake of cybershima built for retaliatory cyber-weapon programs rather than détente? What if cybershima led to a legislated state of panoptical government surveillance – something many fear is already in the making?
The only way forward
Should such worst case scenarios arise, events could spiral out of control. Official responses might take the form of arms race escalation, ride roughshod over civil liberties, or both. We might then see an escalation of conflict, with idealists and hacktivists taking up cyber-arms against the governments who are in turn in conflict with each other. Rather than an open but secure Internet with the transparency so many people are demanding, we might see escalating suppression of free speech and anonymity, growing darknets and chaos, an endless sate of cyber-insecurity.
In my opinion, the protocols for cyberweapons weapons control and law enforcement are linked. Both must operate in a form that enhances human dignity, privacy, and trust between people. It helps to know that problems and aspirations are similar worldwide; in Russia as elsewhere, restive hacktivists are compromising web sites, cracking email accounts, and dumping out embarrassing information. It is encouraging to find a voice from the other side of the world echoing sentiments I’ve long held myself.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.