After WannaCry and (Not)Petya ransomware hitting global high profile organisations, there is a much greater awareness of the risks from cyber weapons. Both these ransomwares used EternalBlue, the stolen NSA exploit of a Windows vulnerability. Not surprisingly, the call for a Geneva Convention for controlling cyber weapons has grown, with Microsoft, Deutsch Telekom and other big corporations now backing it as well.
Image Courtesy: Cyberwar, Image Courtesy: flickr.com
Instead of moving in this direction, the US has recently announced an independent Cyber Command (Cybercom), on par with the US Strategic Command that controls its nuclear weapons. Cybercom will focus exclusively on developing cyber weapons; or what Phil Quade, former director of the NSA Cyber Task Force terms as “attack tools”.
Clearly, the US is continuing its quest for full spectrum domination, the complete military dominance of all the five spaces land, air, water, space and cyber space irrespective of the risks involved. The control of cyber space involves controlling the entire electromagnetic spectrum as also the communication networks. Seizing “enemy” communications, blinding or misdirecting them, is very much a part of this new dimension of war.
The problem is that weapons used in this form of war are no different from the ones that are being used to create ransomware such as WannaCry or NotPetya; or the ones that can bring down the electricity grid; or the financial systems. Once such cyber weapons are created, they are themselves vulnerable to either thefts by insiders, or being hacked by criminals. Shadow Brokers, a criminal group, got hold of a cache of such weapons that the NSA had created, and have even dumped some of these online. More recently, WikiLeaks has put up details of another set of such tools that were created by the CIA, and have also been hacked.
Pointing out this new threat to the world, Brad Smith, the President of Microsoft, wrote, “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage…this most recent attack (WannaCry) represents a completely unintended but disconcerting link between the two most serious forms of cyber security threats in the world today nation-state action and organised criminal action.”
For the US companies that have cooperated with their intelligence agencies on developing such tools, the chickens of cyber weapons are now coming home to roost.
If intelligence agencies, with the resources of a nation state create cyber weapons, it poses enormous risks to the computer systems that pretty much run everything in the world today. In a 2010 UN Report, a group of experts determined that cybersecurity threats are among the most serious challenges of the 21st century. With computer systems and networks underpinning the global infrastructure, the risks of cyber weapons to the world are greater than ever before.
If an intelligence agency has a defensive purpose, it may work with the industry in quickly discovering and patching of software vulnerabilities. If it has an offensive purpose, it will hoard these vulnerabilities to create tools essentially cyber weapons that can then be used to either, steal information from, or even take down targeted systems and networks. The Stuxnet attack on Iran’s nuclear fuel enrichment centrifuges in Natanz is an example of the use of such weaponised software.
These weapons gave the NSA and the CIA unrivalled access to networks and systems all over the world. The Snowden revelations make clear that the US not only hacked into Russia and Chinese systems, but also the systems of its allies. From Snowden files, we know that the US routinely spied upon the country delegations in any major international negotiations. Though Germany is a major NATO partner, the US even hacked into Prime Minister Merkel’s phones. Neither was India spared; a large number of Computer Network Exploits (CNE’s) of the Indian network are visible in the leaked Snowden documents.
The demand for a cyber Geneva Convention, or barring nations from developing such tools, have been raised not only from countries at the receiving end of US surveillance, but now also by major IT companies. Protecting systems from nation states is a qualitatively different task than protecting them from criminals. The nation states have much larger resources both financial and human to mount far more serious threats to systems. That is why the call for prevention: asking nation states to not develop attack weapons.
In 2011, Russia, China and other countries from the Shanghai Cooperation Group have proposed a treaty to limit cyber weapons modelled on the 1997 Chemical Weapons Convention that outlawed chemical weapons. This was followed up by a revised proposal in 2015 by the same countries, asking for a UN discussion on how to prevent the use of cyberspace by countries for acts of aggression.
All these proposals have been rejected by the US and other NATO powers, arguing that a cyber treaty is difficult, and therefore not practicable. The US felt that they had a decisive advantage over others in cyber weapons. The Russia-China proposals for a ban on cyber weapons was therefore seen by the US as a ploy to deprive them of this advantage.
Commenting on the US rejection of any proposal to ban cyber weapons, Mary Ellen O’Connell and Louise Arimatsu explained in a report (Cyber Security and International Law, Chatham House, 2012) that the US’s resistance to proposals for a treaty may have been related to “US plans to use the Internet for offensive purposes [“¦] U.S. officials claim publicly that Cyber Command is primarily defensive, but the reluctance to entertain the idea of a cyberspace disarmament treaty is raising questions about the true U.S. position.”
Bruce Schneier, one of the leading security experts in the US, wrote in 2012, “There’s a common belief within the U.S. military that cyberweapons treaties are not in our best interest: that we currently have a military advantage in cyberspace that we should not squander. That’s not true. We might have an offensive advantage””although that’s debatable””but we certainly don’t have a defensive advantage.”
The US has argued that instead of a new treaty, countries should join the European Treaty on Cyber Crime and expand it if necessary. The problem with the European Cyber Crime Treaty apart from being a European treaty is that it was created explicitly against criminal threats, against those who are outside national governments. It is not about barring governments themselves from mass surveillance of its citizens; or weaponising software to take down other countries infrastructure.
The key issue after the leak of NSA and CIA’s cyber weapons is should nation states develop such weapons at all? This is what leading figures within the industry are now raising.
Yes, cyber weapon bans are difficult. It is difficult to distinguish between defensive research and weapons research. But so was the chemical weapon ban; or a biological weapon ban. Schneier had argued, “The very act of negotiating limits the arms race and paves the way to peace. And even if they’re breached, the world is safer because the treaties exist.”
The Microsoft President Brad Smith demanding a cyber Geneva Convention, is the recognition that in trying to convert the US lead in software to cyber weapons, is making the world a much more unsafe place for everyone including the US. The US may have a lead in cyber weapons, but as a heavily networked society, is also more vulnerable to cyber attacks. The only solution lies in a collective agreement to give up cyber weapons.
Instead, the US has now told the world that it sees the cyber space as a new domain that it needs to control militarily, and therefore its new command the Cyber Command is explicitly tasked with developing offensive weapons. This is the US Government’s official answer: the only peace that it wants is through full spectrum domination of the world; the Peace of the Hegemon.