Make Cyberpeace not Cyberwar!

21/05/2015
  • Español
  • English
  • Français
  • Deutsch
  • Português
  • Análisis
Foto: Wikimedia monitoring a simulated test at central control facility at eglin air force base 080416 f 5297k 101   wikimedia peq
-A +A
Article published in ALAI’s magazine No. 503: Hacia una Internet ciudadana 28/04/2015

Cyber weapons are no longer the stuff of science fiction.  They are all too real, and so is their threat to our interconnected world. This threat is bound to grow in the coming days with the Internet of things, when all our devices will have intelligence and be connected to the internet. If we want to stop the Internet from being weaponised, we have to start talking about what nation states should or should not do.  And that means an international compact on a par with what the world did with biological and chemical weapons, and what it failed to do with nuclear weapons.

 

These are the two interconnected questions we face: will we recognise the danger posed by weaponising cyberspace and confront it squarely?  Or will we allow the continued building of a world in which a few countries, by their offensive power, come to a state of mutual deterrence as we have done with nuclear weapons, always at the edge of spinning out of control any moment?  Non-proliferation is not disarmament, as we are finding out to our cost.

 

The danger to our vital infrastructure

 

A nation state today has the ability to target computers that control the vital infrastructure of a country and cause catastrophic failures.  Consider the case of a nuclear reactor.  Its core is controlled by embedded computers, a part of the plant control system.  If the control system is known, it is possible to “infect” the system in a way that may cause its malfunction, even a core melt-down.  After Fukushima, can anybody doubt that this would be an act of war, on a par with a physical attack on the nuclear reactor?

 

The power grid, the control of hazardous plants, telecommunication networks, air traffic controls, even flying aircrafts, are handled by computers and software.  With the Internet of things, even the lowly washing machine will have embedded computers and will be connected to the Internet.  If countries want to play games with such software and computers, it opens a whole new arena of war, a war with untold consequences.

 

In the nuclear fuel enrichment plant at Natanz, Iran, the US and Israel deployed the Stuxnet virus to attack the Siemens controllers of the centrifuges, causing physical damage to the equipment. Even when a specific equipment or country is targeted, Stuxnet has shown that such viruses can escape into the wild and pose a threat to other equipment and countries. The Stuxnet virus infected thousands of such computers in Indonesia, India and other countries, and could easily have affected other Siemens controllers in the vital equipment of these countries.  The attack on Iran – codenamed Olympic Games – has not only been on its centrifuges, but also on computers handling oil industry data, using a virus (Flame) that appears to be from the same family to which Stuxnet belongs.

 

There have been attacks, attributed by US sources to Iran, that wiped off data from two-thirds of Armco computers in Saudi Arabia; there have been similar attacks on the US banking system. The Intercept published an NSA document that considers such attacks as Iran's response to the attacks on Natanz and its oil information infrastructure.  In other words, Iran responded with its own version of Olympic Games.

 

The Stuxnet virus is the first known use of a computer virus to destroy or damage physical equipment. For those who follow such matters, this is the first time any country has crossed this threshold. It was the crossing of the Rubicon in cyber-attacks.

 

In the context of the use of Stuxnet against Iran, many western experts have argued that using a computer virus to cripple a nuclear fuel enrichment facility is better than bombing it outright. The issue here is not which course of action is better (and of course for whom), but whether this is an act of war. Is there a difference between bombing a facility and physically damaging it with a virus?

 

The US and the 5-Eyes partners have inserted 50,000 malwares – or Computer Network Exploitations (CNE's) – in the network of almost all countries in the world. These are “logic bombs”; on activation, they can bring down these networks. They have also weaponised the internet backbone.

 

What is cyberspace and what is cyberwar?

 

As the Iran example shows, we are already in the early stages of cyberwar.  Bruce Schneier, the doyen of cyber security, has said, “We're in the early years of a cyberwar arms race.  It's expensive, it's destabilizing, and it threatens the very fabric of the Internet we use every day.  Cyberwar treaties, as imperfect as they might be, are the only way to contain the threat.”

 

The key problem in de-weaponising the internet is the US conviction that it is far ahead of its rivals, and any compact of not weaponising the internet is akin to its unilateral disarmament.  As a result, the US has rejected Russian and Chinese proposals of de-militarising the internet in the UN and other platforms; or watered them down to be virtually useless.  While some concessions have recently been made – as exemplified by the Report of the Group of Governmental Experts to the 68th Session of the General Assembly – they do not, unfortunately, go far enough. All they have achieved is setting up a new Group of Governmental Experts.

 

Almost all the systems of the world that control critical physical infrastructure today are connected to the Internet in some way or the other.  They may be connected via internal networks which may appear to be isolated from the Internet, but in reality, they do have common devices that breach this isolation.  In theory, we have firewalls protecting such internal networks and control systems.  In practice, such security firewalls can be easily breached.  Cyberspace is the entirety of all such networks and devices that are interconnected in this way.

 

Cyberwar consists of attacks in cyberspace that cross a certain threshold.  One approach to defining cyberwar would be to define it in terms of physical damage that a cyber attack would cause in the real world.  The attack, by a state actor against another, uses software or code intended to prevent the functioning (or the misuse) of an essential computer network, and so damage critical infrastructure, or cause physical damage to property or people, including loss of life, or both.  In this definition, cyberwar always involves a state actor, not the work of a group or an individual.

 

This approach has the merit of putting on a similar basis the definition of cyberwar as an act of war as defined in international law.  In order to constitute cyberwar, the actions must be on a scale as to constitute a use of force (or threat of a use of force) as required by Article 2(4) of the UN Charter.  Other approaches also seek to include the damage to the information system and information as cyberwar, and these would require widening of the current definition of war.  There is, too, the problem of defining what constitutes a threshold: at what point do we describe information loss on systems as an act of war?  After all, information loss takes place due to a variety of reasons, and only some of them are malicious.

 

We can define what constitutes war in cyberspace, and have an international agreement that holds cyberwar – or any attack that leads to physical damage or loss of life – as henceforth illegal.  It is important to note that current international law does not consider all acts of war to be illegal.  It limits, to a relatively narrow width, the legal basis for war, either to a country's self-defence, or based on a resolution of the United Nation's Security Council.  Removing cyberwar as a “permissible form of war” in international law would be a big step forward.

 

The other option would be to ban cyber weapons, and pledge, through an international agreement, that such weapons will not be developed or used by any country.  Banning cyber weapons would be akin to banning biological and chemical weapons.  I would strongly argue that, given our rapid movement toward a more interconnected world, we need to go beyond outlawing cyberwar; we need to ban cyber weapons as well. The development of such weapons is a threat to our future. As long as cyber weapons are not illegal, there will be an incentive to develop them as a kind of deterrence; moreover, there will be perverse incentive to weakening security of networks and devices.

 

The recent revelations by Snowden and others have revealed that the US has systematically weakened security in a variety of ways.  Lack of security was built into devices, the software driving such devices, various protocols, and even encryption standards.  The US intelligence agencies did this in partnership with leading manufacturers of hardware and software.  While this might have helped the NSA and other intelligence agencies in mass or targeted surveillance, the danger is that it has resulted in far less secure systems for all of us.  By weakening the systems, the NSA and its allies have made us all easier targets for malicious software.

 

Of course, offensive capabilities are much easier to build than defensive ones.  For offence to succeed you need to be successful once; for defence, you need to succeed every time.  Hence defence needs global collaboration.  This is the point of difference with the Olympic Games: there are no individual winners or losers.  You win only when everyone also wins.

 

We need a change in mind-set: we have to engineer the devices and the networks for defensive purposes.  We have to build security into the DNA of all communications.  This means changing the outlook of all the players, including that of the most dominant one, the US.  We need to build strong defences and not weaken them, if we are to achieve cyberpeace, not cyberwar.

 

Prabir Purkayastha is co-coordinator of the Just Net Coalition and participates in the Free Software Movement of India.

Article published in: Latin America in Movement 503, ALAI, April 2015.  “Towards a people’s Internet” http://www.alainet.org/en/revistas/169787

 

Acknowledgements:

 

1) This article has used, as a basis, "Notes on the Need for a Cyber Peace Treaty", Just Net Coalition, June 2014, available at http://www.alainet.org/en/active/74561.

 

2) I would like to acknowledge Rishab Bailey, who has done much of the research for this article and a longer piece on this topic which is still in draft stage.

 

 

https://www.alainet.org/pt/node/169780?language=es

Publicado en Revista: Hacia una Internet ciudadana

 alai503
Subscrever America Latina en Movimiento - RSS