Schneier on Security
A blog covering security and security technology.
June 14, 2012
We're in the early years of a cyberwar arms race. It's expensive, it's destabilizing, and it threatens the very fabric of the Internet we use every day. Cyberwar treaties, as imperfect as they might be, are the only way to contain the threat.
If you read the press and listen to government leaders, we're already in the middle of a cyberwar. By any normal definition of the word "war," this is ridiculous. But the definition of cyberwar has been expanded to include government-sponsored espionage, potential terrorist attacks in cyberspace, large-scale criminal fraud, and even hacker kids attacking government networks and critical infrastructure. This definition is being pushed both by the military and by government contractors, who are gaining power and making money on cyberwar fear.
The danger is that military problems beg for military solutions. We're starting to see a power grab in cyberspace by the world's militaries: large-scale monitoring of networks, military control of Internet standards, even military takeover of cyberspace. Last year's debate over an "Internet kill switch" is an example of this; it's the sort of measure that might be deployed in wartime but makes no sense in peacetime. At the same time, countries are engaging in offensive actions in cyberspace, with tools like Stuxnet and Flame.
Arms races stem from ignorance and fear: ignorance of the other side's capabilities, and fear that their capabilities are greater than yours. Once cyberweapons exist, there will be an impetus to use them. Both Stuxnet and Flame damaged networks other than their intended targets. Any military-inserted back doors in Internet systems make us more vulnerable to criminals and hackers. And it is only a matter of time before something big happens, perhaps by the rash actions of a low-level military officer, perhaps by a non-state actor, perhaps by accident. And if the target nation retaliates, we could find ourselves in a real cyberwar.
The cyberwar arms race is destabilizing.
International cooperation and treaties are the only way to reverse this. Banning cyberweapons entirely is a good goal, but almost certainly unachievable. More likely are treaties that stipulate a no-first-use policy, outlaw unaimed or broadly targeted weapons, and mandate weapons that self-destruct at the end of hostilities. Treaties that restrict tactics and limit stockpiles could be a next step. We could prohibit cyberattacks against civilian infrastructure; international banking, for example, could be declared off-limits.
Yes, enforcement will be difficult. Remember how easy it was to hide a chemical weapons facility? Hiding a cyberweapons facility will be even easier. But we've learned a lot from our Cold War experience in negotiating nuclear, chemical, and biological treaties. The very act of negotiating limits the arms race and paves the way to peace. And even if they're breached, the world is safer because the treaties exist.
There's a common belief within the U.S. military that cyberweapons treaties are not in our best interest: that we currently have a military advantage in cyberspace that we should not squander. That's not true. We might have an offensive advantage, although that's debatable, but we certainly don't have a defensive advantage. More importantly, as a heavily networked country, we are inherently vulnerable in cyberspace.
Cyberspace threats are real. Military threats might get the publicity, but the criminal threats are both more dangerous and more damaging. Militarizing cyberspace will do more harm than good. The value of a free and open Internet is enormous.
Stop cyberwar fear mongering. Ratchet down cyberspace saber rattling. Start negotiations on limiting the militarization of cyberspace and increasing international police cooperation. This won't magically make us safe, but it will make us safer.
This essay first appeared on the U.S. News and World Report website, as part of a series of essays on the question: "Should there be an international treaty on cyberwarfare?"
Posted on June 14, 2012 at 6:40 AM
I agree with limiting the tactics and broadly targeted attacks, but how do you limit stockpiles of cyber weapons? Also it would probably be a good idea for any cyber arms treaty to list a class of targets that are 'off limits' entirely.
A cyberweapon is an example of a weapon with lethal and less-than-lethal capabilities which can be adjusted within the same type of weapon depending on settings and targets, and, as a result, consequences.
Yes, for international treaties for lethal applications of cyberweapon.
No, for less-than-lethal applications
The treaty could specify the "casus belli" limits of cyberweapons.
Example: "If my power grid is knocked out, I will bomb for real the country in control for that."
In this realm, there'll be little sympathy for governments that actively engage in the same tactics as 'cyber' criminals, and subsequently get targeted themselves.
If they continue down that road, it's going to be just like Electronic Warfare - all sides would be doing it, and the civvy population just wouldn't care.
That's how the ball rolls here.
I expect the now public use of offensive cyberweapons, i.e. Flame and Stuxnet, will just result in more support for projects like OpenBSD and paranoid Linux distros, increasing everyone's defensive stance. I see this as a natural process of the market punishing Microsoft for a poor (overly complex, buzzword compliant but riddled with holes) product. The downside is some companies are going to have to start supporting OSes other than Windows XP...
I made many of the same points in response to the ISSA Journal May 2012 "Waging War in the Digital Age" (page 34).
The international community has not been all that effective in dealing with "chop your dollar" spammers in Nigeria, bot rings (whether for spam or other purposes), and Eastern Europe cybercrime gangs because they're underground (as with black programs). For that matter, the international community has not been all that effective dealing with rogue nuclear programs, either, even though we know what countries are running them and probably where the work is being done. So I'm not confident such a treaty would even be effective in reducing cyberwar.
The stated purpose of the Can-Spam Act of 2003 was to stop email spam (effective, eh?) but it also limited speech by requiring commercial email to jump through arbitrary hoops. I predict a cyberwar treaty (as with Kyoto and the UN weapons ban) would be targeted at US rights and freedoms, and ignored when some other country does it.
Finally, turning Israel and then Iran into smoking heaps would be a lot more disruptive than some software that makes Iranian centrifuges do the hokey-pokey. But there will be retribution and we need to be ready for it. We aren't.
I can code a basic "cyberweapon" in a fortnight and something more advanced in 6 months. However, how would this be enforced or monitored?
Cyberweapon treaty is just as enforceable as banning rolling up newspapers into millwall bricks.
@Konrads: Based on your point, it's clear that anyone who can code will need to be licenced, monitored, pass a security check, and have every keystroke they type logged in the event of an investigation.
Let us know if you think you can write a "cyberweapon" in VBA. Those dual-use software munitions from companies like M*******t need to be closely watched.
(YES, it's sarcasm!)
I hate the term "cyberwar". What most people consider cyberwar is really either espionage or terrorism. I don't consider fraud to fit in with this term at all, just as I don't consider robbing a bank to be a war crime. As Bruce has said many times, there are no really new attacks, just new methods for those attacks. Either the goal is to gain intelligence (espionage) or to disrupt or cause panic (terrorism). Nothing is new about these except the methods through which they are being done.
I've mentioned these problems at length before on this blog, including the issues of what is and is not war as a societal state. As a loose approximation, a society has three main states:
1. At peace with its people and those of other nations,
2. In civil war with its own people,
3. At war with the people of other nations.
But what is a nation or state? Generally it's an area of land with fairly clear borders and its own judicial system. The Internet has no geography or borders and no judicial system. Therefore you cannot be at war in it...
Secondly we call them "Cyber-Weapons" however we forget they are nothing like conventional directed energy/mass weapons.
They are at best "cyber-tools" or "cyber-components". In and of themselves they do absolutely nothing; they are information without mass and without energy, without which they cannot do any harm whatsoever. To do harm they have to get onto a system that will give them the energy or mass to do harm.
Thus either no systems or properly isolated or defended systems means that they are impotent.
Further we already have treaties that define if and how weapons should be used and if and when a nation is at war. Some go back a century or more.
Importantly, there is the definition of "an act of war" and the doctrine of just and unjust warfare.
Prior to a nation being at war, the use of a weapon such as a gun is not an act of war except in very special circumstances. It is in fact a crime for which most nations already have adequate laws.
Until a nation is formally at war, its use of these "cyber-tools" is at best a crime of "sabotage" or "espionage".
It is the misuse of the word "weapon" that gives these war mongering idiots traction for their notions, by which they stand to profit greatly. I just wish that they would stop and inject some reality into their rhetoric before people get seriously hurt.
Which country? How do you know the government of the country was involved?
If we go down this line, China, USA, Russia and most of Eastern Europe would be having bombs lobbed at them on a daily basis.
@Clive: "The Internet has no geography or borders and no judicial system. Therefore you cannot be at war in it..."
Sure you can. It can be a medium to transport war-activities much alike to the air, the oceans, or even space.
Nations can execute their wars through all these mediums if they wish.
@Clive - Well made - exactly my thoughts. The consequences of us treating these as "wars" can be, at best, causing us to fight these like actual wars and, at worst, cause actual wars to start.
@Paeniteo - You can use the Internet as a medium to conduct attacks, but that's not attacking the Internet any more than flying a bomber through the air is attacking the air.
One of the potentially interesting issues about "cyberwarfare" is that civilians may in some cases be better armored (and armed) than the military or government that is the usual target.
Along those lines, however, are a bunch of considerations involving the laws of war. If you're going to call it warfare and wage it with arms of your military, then at some point you'd better expect someone to try bringing your commanders up in a dock at The Hague. In particular, it's a war crime to indiscriminately attack civilian targets. In something that meets the legal status of a conflict between nations, the military is required to ensure that damage from its attacks is limited to other military and government targets insofar as possible.
Doesn't cyberwar have many of the same traits as terrorism? Maybe not always the terror part, but rather the nature of the attack. It's not frontal; it can be launched in targeted ways anywhere at any time, given the will.
Cyberwar can't be negotiated between governments since anyone can start an attack.
As with terrorism, monitoring and intelligence is really the only way to counter the attacks.
@Clive: "The Internet has no geography or borders and no judicial system. Therefore you cannot be at war in it..."
Oops, you are correct, due to my poor explanation.
What I was trying to say is the Internet is not a "place" in any accepted meaning of the word. That is, it's not a physical place people can inhabit and "fight" in, in anything approaching a recognisable definition. The "fight", if you could actually call it that, occurs not in the Internet but in an InfoSystem, effectively on the system's CPU. Further, the physical location of the system is effectively irrelevant because it might not actually be in either of the warring nations. Likewise the flow of information that is the "tool", on its way to the system, might well cross over a very large number of nations' physical territory. Thus the "fight" is remote not just to the attackers but to the defenders as well, even if they are typing at the console of the targeted system.
The nearest we can think about this in the physical world is when a "robot system" such as a drone fires a munition at what it thinks is an enemy... The question of attributing the "kill" or "war crime" becomes at best complex...
Any way the moral from my error is "take more care when typing on a mobile on a train and worrying about if it's the station to change at..."
Would Von Clausewitz consider cyberwar war? I think not.
Would Sun Tzu? I am nearly certain he would. I also suspect that he would only modulate the level of cyberwar (presumably more towards intelligence than to sabotage) while attempting to maintain "peace" between nations. Cyberwar certainly seems to be a method for winning the war before the fighting starts.
"This definition is being pushed both by the military and by government contractors, who are gaining power and making money on cyberwar fear."
100% agreement. This is not "war". This is certain people and groups trying to drum up fear so that they can grab more public funding.
"And it is only a matter of time before something big happens, perhaps by the rash actions of a low-level military officer, perhaps by a non-state actor, perhaps by accident."
I doubt it. Again, because this is not "war". This is about drumming up fear to grab more public funding.
"Yes, enforcement will be difficult."
Not "difficult". Impossible. Literally impossible.
And useless once organizations start implementing decent computer security measures. Which includes NOT trusting the systems that you purchase and NOT connecting anything important to the Internet.
There is the nuclear non-proliferation treaty that Iraq and Iran signed. We invaded Iraq over their WMDs, and are ready to start a war with IAEA-compliant Iran. Israel hasn't signed the NPT. They would give "proxy" a new definition in cyberwar. We signed the Geneva Conventions and a treaty banning torture and ignore both.
The threat to the Internet is not cyberweapons, that might knock out a few nodes (of billions) for a short time.
The real threat is laws passed by power-mad fear-mongerers.
Too bad all our governments destroyed their own future when they outlawed all p2p development and sued anybody developing a p2p system because it could be used for (gasp) piracy.
I bet a bulletproof network run completely p2p would be pretty awesome against a full scale "cyberwar" attack. GJ RIAA and MPAA lobbyists.
Limit the militarisation of cyberspace, and increase international co-operation? This is the great global hypocrite USA and its vicious little sidekick Israel we're talking about here...
They will always do what they want (may I add the murder of Iranian civilian physicists to tz's list above) and claim plausible deniability when it comes to cyber-sabotage.
It *would* be self-enforcing to start open collaboration: government agencies could collect and research how to trace malware samples, find and share and help patch vulnerabilities, etc. Participating states could pitch in money or loan their agencies' employees to the effort. That requires the mindset that reducing the danger should be the priority, which won't go over well with agencies tasked with *creating* danger to other countries.
I bet rules-of-war-type limitations--basically, declarations that if you cross this line some governments will be extra mad and want to make you pay--would be partially effective.
It's not frontal, it can be launched in targeted ways any where at any time given the will
That covers the same ground as "asymmetric warfare".
But importantly, to prosecute conventional warfare in the physical world, you need resources, specifically energy and force multipliers that take more energy to make.
Cyber-crimes don't require the attacker to use energy except for the initial development, storage and communication of the information. From then on it's the defender's resources that are used.
This is a typical characteristic of what is sometimes called "information warfare", which has been used to great effect in and since WWII. It used "propaganda" (essentially "rumours" and "gossip" judiciously sprinkled with selected facts) to demoralize the enemy and sow discontent in the enemy's population against those in charge.
Thus a single directing mind and minimal resources does indeed allow the defeat of a major organisation. Hence the notion of "An Army of One", which gives the conclusion you have come to of,
Cyberwar can't be negotiated between governments since anyone can start an attack.
@ Brandioch Conner,
I doubt it. Again, because this is not "war". This is about drumming up fear to grab more public funding
Whilst I agree with your points about it not being war and mainly FUD for monetary gain, I think Bruce is referring to the fact that it could easily result in actual physical attack as a retaliatory response. What makes FUD, like all propaganda, work is that it always has an element of the "believable" about it; thus it has significant potential to escalate where "cool heads do not prevail". Whilst the cold war did not go hot, there were quite a few occasions where "political brinkmanship" and even accidents brought it close.
In part it was this that gave rise to the notion of Mutually Assured Destruction, or MAD. I remember living through quite a chunk of the cold war and remember the various movements such as CND, Greenpeace etc. to stop the "stock pile" build up. And worse, the attempts by the various Intel organisations to discredit them in various ways (ask a Kiwi who was a young adult back then what they think about the French...).
Any way the moral from my error is "take more care when typing on a mobile on a train..."
No need to be defensive, it was only a nitpick at one of your (as ever) insightful postings ;-)
I merely intended to introduce the idea of the internet as a medium that just transports war-actions, similar to the air 'transporting' a cruise missile (which may also fly over non-involved territories on the way to its target, for example).
No matter what the medium is, however, the goal of a war-action generally is to have an effect "on the ground", i.e., in the enemy nation.
E.g., in the end it wouldn't really matter if Bushehr(?) was hit by a cruise missile fired by a B52 that launched from an airfield in the US (some of the first shots in the 1990/91 gulf war were fired in this way) or by a Stuxnet infection.
(Assume for the sake of argument that Stuxnet propagated online and take it as a purely technical example without any political interpretation whatsoever.)
The difference between the USA and Israel is Israel defending its own existence against outside real threats/attacks by all means within or outside international law. Like G.W. Bush said when the US was attacked on 9/11: 'We will bring them to justice or we will bring justice to them'. Good point! That is justifiable self-defence, like when somebody tries to kill you, you have a right to apply deadly force in self-defence. I do not see any difference on the personal or state level in those cases. Israel is not playing the role of either regional or world policeman, and does not use its military forces to change the political regime in any country (adjacent or not).
A group has been working on a "MANUAL OF INTERNATIONAL LAW APPLICABLE TO CYBER WARFARE" since 2010. It will be the equivalent of the manuals that govern warfare on land, sea, and space. It's known as the Tallinn Manual. It will cover jus ad bellum, jus in bello, the definition of a cyberweapon, etc.
I think the chances of anyone abiding by it are slim to none (and that's being polite). I reckon the most likely benefit is that it will make it easier for a nation to consider itself under attack and gain international support.
Obama seems to be taking credit for unauthorized acts of war lately. We really don't need the expense of yet another unauthorized war.
Some similar sentiments are expressed here:
As can be seen in this photo, the Iranian ambassador is holding a "smart" phone. CIA/NSA experts believe that that phone has been "jail broken" which increases its destructive capability ten-fold.
Experts at the CIA/NSA believe that that "smart" phone contains enough virus code to infect every man, woman and child in America 17 times over. They could completely cripple our national infrastructure and our people.
We cannot wait for the "smoking gun" to be a virtual mushroom cloud at the New York Stock Exchange.
We must preemptively invade Iran for their violations of the CyberWar Treaty of 2013.
That is why we need more treaties that are impossible to enforce or even to verify. They provide the excuse for future wars and military actions.
Speaking of smart phones: Have you heard of any link between the recent "state sponsored" Gmail hacks and malware running on Android phones? Gmail at least on some Android devices is "always on", i.e.; cannot be logged out. If Gmail is hacked/infected, then phones (could be) too. Do you agree?
Strategic treaties between the United States and the Soviet Union relied on numerous inspections and technical means to verify compliance. It took numerous spy sats to come up with numbers for Soviet arms that were always really just approximations. (The Soviets used to just "accept" our numbers.)
How would you even begin to verify compliance in the digital world? How difficult would it be for a Large Corporation let alone a Nation/State to create an environment for testing that was impossible to access or was really a dual use facility? (By day a small data center for the local university, but by night a cyber-weapon training ground....)
Either go big or go back to the stone age...
Good points. To go even further on those themes of fostering cooperation and reducing arms races, here is an excerpt from an essay I wrote related to rethinking our security paradigm for the 21st century:
Military robots like drones are ironic because they are created essentially to force humans to work like robots in an industrialized social order. Why not just create industrial robots to do the work instead?
Nuclear weapons are ironic because they are about using space-age systems to fight over oil and land. Why not just use advanced materials as found in nuclear missiles to make renewable energy sources (like windmills or solar panels) to replace oil, or why not use rocketry to move into space by building space habitats for more land?
Biological weapons like genetically-engineered plagues are ironic because they are about using advanced life-altering biotechnology to fight over which old-fashioned humans get to occupy the planet. Why not just use advanced biotech to let people pick their skin color, or to create living arkologies and agricultural abundance for everyone everywhere?
These militaristic socio-economic ironies would be hilarious if they were not so deadly serious. ...
Likewise, even United States three-letter agencies like the NSA and the CIA, as well as their foreign counterparts, are becoming ironic institutions in many ways. Despite probably having more computing power per square foot than any other place in the world, they seem not to have thought much about the implications of all that computer power and organized information to transform the world into a place of abundance for all. Cheap computing makes possible just about cheap everything else, as does the ability to make better designs through shared computing. ...
There is a fundamental mismatch between 21st century reality and 20th century security thinking. Those "security" agencies are using those tools of abundance, cooperation, and sharing mainly from a mindset of scarcity, competition, and secrecy. Given the power of 21st century technology as an amplifier (including as weapons of mass destruction), a scarcity-based approach to using such technology ultimately is just making us all insecure. Such powerful technologies of abundance, designed, organized, and used from a mindset of scarcity could well ironically doom us all whether through military robots, nukes, plagues, propaganda, or whatever else... Or alternatively, as Bucky Fuller and others have suggested, we could use such technologies to build a world that is abundant and secure for all. ...
The big problem is that all these new war machines and the surrounding infrastructure are created with the tools of abundance. The irony is that these tools of abundance are being wielded by people still obsessed with fighting over scarcity. So, the scarcity-based political mindset driving the military uses the technologies of abundance to create artificial scarcity. That is a tremendously deep irony that remains so far unappreciated by the mainstream.
We the people need to redefine security in a sustainable and resilient way. Much current US military doctrine is based around unilateral security ("I'm safe because you are nervous") and extrinsic security ("I'm safe despite long supply lines because I have a bunch of soldiers to defend them"), which both lead to expensive arms races. We need as a society to move to other paradigms like Morton Deutsch's mutual security ("We're all looking out for each other's safety") and Amory Lovins' intrinsic security ("Our redundant decentralized local systems can take a lot of pounding, whether from storm, earthquake, or bombs, and would still keep working").
This rhetoric is just pathetic. Sending packets over the internet does not kill anybody. If this still should happen because of an online attack, then only because someone has been extremely negligent, presumably in a criminal way. There is no war in cyberwar, get over it.
As Bruce pointed out, all public signs point to the next few years being chock-full of various attacks. Malware, social engineering, and a whole lot more.
So, what happens when the world wakes up and realizes how vulnerable they are?
Consider Anderson et al.'s recent study of costs associated with conventional Internet crime. People are spending ten times as much on preventing electronic crime as they're losing to the criminals.
By comparison, lots of Internet 'security' legislation has already failed. I would take this as evidence that most people care about privacy enough to prefer handling their own security.
I would propose that therefore, an uncertain world of attacks carries the inevitable consequence of huge demand for the stability of good defenses. And that presents opportunity for clever defenders.
As Microsoft did by selling an OS and word processor to the world and Apple a music player, so too might someone get absurdly rich by selling the world real security.
There are way too many mixed messages going on about this topic.
I heard one report say the commie b's are at least three decades ahead of us in their skillz ( sorry, I couldn't help it ). Then other people say they're not all that. Then someone else says they've already broke in to ghosty db this and/or that. Well, who knows the real truth? Whoever it is, I doubt they're talking about it outside their own circles.
Which is really frustrating, because it hurts my feelings to be left out.
Drones and cyberwar. So there will be more non-traditional pilot schools than ever and comp sec students drinking Red Bull on scales such as never been seen in the annals of geekery.
Back to that gun debate... if drones become widely used by law enforcement, I bet some will be shot down.
"I thought it was a damned crow, Sheriff!"
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.