Schneier on Security: A blog covering security and security technology.

June 14, 2012

Cyberwar Treaties

We're in the early years of a cyberwar arms race. It's expensive, it's destabilizing, and it threatens the very fabric of the Internet we use every day. Cyberwar treaties, as imperfect as they might be, are the only way to contain the threat.

If you read the press and listen to government leaders, we're already in the middle of a cyberwar. By any normal definition of the word "war," this is ridiculous. But the definition of cyberwar has been expanded to include government-sponsored espionage, potential terrorist attacks in cyberspace, large-scale criminal fraud, and even hacker kids attacking government networks and critical infrastructure. This definition is being pushed both by the military and by government contractors, who are gaining power and making money on cyberwar fear.

The danger is that military problems beg for military solutions. We're starting to see a power grab in cyberspace by the world's militaries: large-scale monitoring of networks, military control of Internet standards, even military takeover of cyberspace. Last year's debate over an "Internet kill switch" is an example of this; it's the sort of measure that might be deployed in wartime but makes no sense in peacetime. At the same time, countries are engaging in offensive actions in cyberspace, with tools like Stuxnet and Flame.

Arms races stem from ignorance and fear: ignorance of the other side's capabilities, and fear that their capabilities are greater than yours. Once cyberweapons exist, there will be an impetus to use them. Both Stuxnet and Flame damaged networks other than their intended targets. Any military-inserted back doors in Internet systems make us more vulnerable to criminals and hackers.

And it is only a matter of time before something big happens, perhaps by the rash actions of a low-level military officer, perhaps by a non-state actor, perhaps by accident. And if the target nation retaliates, we could find ourselves in a real cyberwar.

The cyberwar arms race is destabilizing. International cooperation and treaties are the only way to reverse this. Banning cyberweapons entirely is a good goal, but almost certainly unachievable. More likely are treaties that stipulate a no-first-use policy, outlaw unaimed or broadly targeted weapons, and mandate weapons that self-destruct at the end of hostilities. Treaties that restrict tactics and limit stockpiles could be a next step. We could prohibit cyberattacks against civilian infrastructure; international banking, for example, could be declared off-limits.

Yes, enforcement will be difficult. Remember how easy it was to hide a chemical weapons facility? Hiding a cyberweapons facility will be even easier. But we've learned a lot from our Cold War experience in negotiating nuclear, chemical, and biological treaties. The very act of negotiating limits the arms race and paves the way to peace. And even if they're breached, the world is safer because the treaties exist.

There's a common belief within the U.S. military that cyberweapons treaties are not in our best interest: that we currently have a military advantage in cyberspace that we should not squander. That's not true. We might have an offensive advantage (although that's debatable), but we certainly don't have a defensive advantage. More importantly, as a heavily networked country, we are inherently vulnerable in cyberspace.

Cyberspace threats are real. Military threats might get the publicity, but the criminal threats are both more dangerous and more damaging. Militarizing cyberspace will do more harm than good. The value of a free and open Internet is enormous.

Stop cyberwar fear mongering. Ratchet down cyberspace saber rattling.
Start negotiations on limiting the militarization of cyberspace and increasing international police cooperation. This won't magically make us safe, but it will make us safer.

This essay first appeared on the U.S. News and World Report website, as part of a series of essays on the question: "Should there be an international treaty on cyberwarfare?"

Posted on June 14, 2012 at 6:40 AM • 39 Comments

Comments

The politics point toward more militarization of 'cyberspace.'

Posted by: Jim Harper at June 14, 2012 7:15 AM

See also:

Posted by: Jurgen at June 14, 2012 7:18 AM

I agree with limiting the tactics and broadly targeted attacks, but how do you limit stockpiles of cyber weapons? Also it would probably be a good idea for any cyber arms treaty to list a class of targets that are 'off limits' entirely.

Posted by: Roboticus at June 14, 2012 7:36 AM

Cyberweapon is the example of the weapon with lethal and less-than-lethal capabilities which can be adjusted within the same type of weapon depending on settings and targets, and as a result consequences. Yes, for international treaties for lethal applications of cyberweapon. No, for less-than-lethal applications.

Posted by: vasiliy pupkin at June 14, 2012 7:46 AM

The treaty could specify the "casus belli" limits of cyberweapons. Example: "If my power grid is knocked out, I will bomb for real the country in control for that."

Posted by: treaty at June 14, 2012 7:53 AM

In this realm, there'll be little sympathy for governments that actively engage in the same tactics as 'cyber' criminals, and subsequently get targeted themselves.

Posted by: Michael at June 14, 2012 7:59 AM

I expect the now public use of offensive cyberweapons, i.e. Flame and Stuxnet, will just result in more support for projects like OpenBSD and paranoid Linux distros, increasing everyone's defensive stance.
I see this as a natural process of the market punishing Microsoft for a poor (overly complex, buzzword compliant but riddled with holes) product. The downside is some companies are going to have to start supporting OSes other than Windows XP...

Posted by: T at June 14, 2012 8:09 AM

I made many of the same points in response to the ISSA Journal May 2012 "Waging War in the Digital Age" (page 34).

Posted by: Brett at June 14, 2012 8:19 AM

The international community has not been all that effective in dealing with "chop your dollar" spammers in Nigeria, bot rings (whether for spam or other purposes), and Eastern European cybercrime gangs because they're underground (as with black programs). For that matter, the international community has not been all that effective dealing with rogue nuclear programs, either, even though we know what countries are running them and probably where the work is being done. So I'm not confident such a treaty would even be effective in reducing cyberwar.

The stated purpose of the CAN-SPAM Act of 2003 was to stop email spam (effective, eh?) but it also limited speech by requiring commercial email to jump through arbitrary hoops. I predict a cyberwar treaty (as with Kyoto and the UN weapons ban) would be targeted at US rights and freedoms, and ignored when some other country does it.

Finally, turning Israel and then Iran into smoking heaps would be a lot more disruptive than some software that makes Iranian centrifuges do the hokey-pokey. But there will be retribution and we need to be ready for it. We aren't.

Posted by: Al Donaldson at June 14, 2012 8:47 AM

I can code a basic "cyberweapon" in a fortnight and something more advanced in 6 months. How would this ever be enforced, monitored? A cyberweapon treaty is just as enforceable as banning rolling up newspapers into Millwall bricks.
Posted by: Konrads at June 14, 2012 8:47 AM

@Konrads: Based on your point, it's clear that anyone who can code will need to be licensed, monitored, pass a security check, and have every keystroke they type logged in the event of an investigation. Let us know if you think you can write a "cyberweapon" in VBA. Those dual-use software munitions from companies like M*******t need to be closely watched. (YES, it's sarcasm!)

Posted by: Chris S at June 14, 2012 9:29 AM

I hate the term "cyberwar". What most people consider cyberwar is really either espionage or terrorism. I don't consider fraud to fit in with this term at all, just as I don't consider robbing a bank to be a war crime. As Bruce has said many times, there are no really new attacks, just new methods for those attacks. Either the goal is to gain intelligence (espionage) or disrupt or cause panic (terrorism). Nothing is new about these except the methods through which they are being done.

Posted by: M at June 14, 2012 9:40 AM

I've mentioned these problems at length before on this blog, including the issues of what is and is not war as a societal state. As a loose approximation a society has three main states, 1, At Peace with its people and those of other nations, But what is a Nation or state? Generally it's an area of land with fairly clear borders and its own judicial system. The Internet has no geography or borders and no judicial system. Therefore you cannot be at war in it...

Secondly we call them "Cyber-Weapons"; however, we forget they are nothing like conventional directed energy/mass weapons. They are at best "cyber-tools" or "cyber-components". In of themselves they do absolutely nothing; they are information without mass and without energy, without which they cannot do any harm whatsoever. To do harm they have to get onto a system that will give them the energy or mass to do harm. Thus either no systems or properly isolated or defended systems means that they are impotent.
Further, we already have treaties that define if and how weapons should be used and if and when a nation is at war. Some go back a century or more. Important is the definition of "an act of war" and the doctrine of just and unjust warfare. Prior to a nation being at war, the use of a weapon such as a gun is not an act of war except in very special circumstances. It is in fact a crime for which most nations already have adequate laws. Until a nation is formally at war, its use of these "cyber-tools" is at best a crime of "sabotage" or "espionage". It is the misuse of the word "weapon" that gives these war mongering idiots traction for their notions, by which they stand to profit greatly. I just wish that they would stop and inject some reality into their rhetoric before people get seriously hurt.

Posted by: Clive Robinson at June 14, 2012 9:51 AM

@treaty Which country? How do you know the government of the country was involved? If we go down this line, China, USA, Russia and most of Eastern Europe would be having bombs lobbed at them on a daily basis.

Posted by: bob at June 14, 2012 10:08 AM

@Clive: "The Internet has no geography or borders and no judicial system. Therefore you can not be at war in it..."
Sure you can. It can be a medium to transport war-activities much alike to the air, the oceans, or even space.

Posted by: Paeniteo at June 14, 2012 10:26 AM

@Clive - Well made - exactly my thoughts. The consequences of us treating these as "wars" can be, at best, causing us to fight these like actual wars and, at worst, cause actual wars to start.

@Paeniteo - You can use the Internet as a medium to conduct attacks, but that's not attacking the Internet any more than flying a bomber through the air is attacking the air.

Posted by: M at June 14, 2012 10:49 AM

One of the potentially interesting issues about "cyberwarfare" is that civilians may in some cases be better armored (and armed) than the military or government that is the usual target.
Along those lines, however, are a bunch of considerations involving the laws of war. If you're going to call it warfare and wage it with arms of your military, then at some point you'd better expect someone to try bringing your commanders up in a dock at The Hague. In particular, it's a war crime to indiscriminately attack civilian targets. In something that meets the legal status of a conflict between nations, the military is required to ensure that damage from its attacks is limited to other military and government targets insofar as possible.

Posted by: paul at June 14, 2012 11:01 AM

On June 8th on the Flame page Jacob posted the following link,
www.theatlantic.com/technology/archive/...
Which does make very interesting reading; unfortunately for the article writers they are working from a false assumption that I detailed as a reply to Jacob,
www.schneier.com/blog/archives/2012/06/...

Posted by: Clive Robinson at June 14, 2012 11:16 AM

Doesn't cyberwar have many of the same traits as terrorism? Maybe not always the terror part, but rather the nature of the attack. It's not frontal, it can be launched in targeted ways anywhere at any time given the will. Cyberwar can't be negotiated between governments since anyone can start an attack. As with terrorism, monitoring and intelligence is really the only way to counter the attacks.

Posted by: Phil at June 14, 2012 11:33 AM

@ Paeniteo,
@Clive: "The Internet has no geography or borders and no judicial system. Therefore you can not be at war in it..."
Oops, you are correct, due to my poor explanation. What I was trying to say is the internet is not a "place" in any accepted meaning of the word. That is, it's not a physical place people can inhabit and "fight" in, in anything approaching a recognisable definition. The "fight", if you could actually call it that, occurs not in the Internet but in an InfoSystem, effectively on the system's CPU.
Further, the physical location of the system is effectively irrelevant because it might not actually be in either of the warring nations. Likewise the flow of information that is the "tool", on its way to the system, might well cross over a very large number of nations' physical territory. Thus the "fight" is remote not just to the attackers but to the defenders as well, even if they are typing at the console of the targeted system. The nearest we can think about this in the physical world is when a "robot system" such as a drone fires a munition at what it thinks is an enemy... The question of attributing the "kill" or "war crime" becomes at best complex...

Anyway, the moral from my error is "take more care when typing on a mobile on a train and worrying about if it's the station to change at..."

Posted by: Clive Robinson at June 14, 2012 11:43 AM

Would Von Clausewitz consider cyberwar war? I think not. Would Sun Tzu? I am nearly certain he would. I also suspect that he would only modulate the level of cyberwar (presumably more towards intelligence than to sabotage) while attempting to maintain "peace" between nations. Cyberwar certainly seems to be a method for winning the war before the fighting starts.

Posted by: wumpus at June 14, 2012 11:52 AM

"This definition is being pushed both by the military and by government contractors, who are gaining power and making money on cyberwar fear."

100% agreement. This is not "war". This is certain people and groups trying to drum up fear so that they can grab more public funding.

"And it is only a matter of time before something big happens, perhaps by the rash actions of a low-level military officer, perhaps by a non-state actor, perhaps by accident."

I doubt it. Again, because this is not "war". This is about drumming up fear to grab more public funding.

"Yes, enforcement will be difficult."

Not "difficult". Impossible. Literally impossible. And useless once organizations start implementing decent computer security measures.
Which includes NOT trusting the systems that you purchase and NOT connecting anything important to the Internet.

Posted by: Brandioch Conner at June 14, 2012 3:18 PM

There is the nuclear non-proliferation treaty that Iraq and Iran signed. We invaded Iraq over their WMDs, and are ready to start a war with IAEA compliant Iran. Israel hasn't signed the NPT. They would give "proxy" a new definition in cyberwar. We signed the Geneva conventions and a treaty banning torture and ignore both.

Posted by: tz at June 14, 2012 5:11 PM

The threat to the Internet is not cyberweapons, that might knock out a few nodes (of billions) for a short time. The real threat is laws passed by power-mad fear-mongerers.

Posted by: Meneth at June 14, 2012 5:14 PM

Too bad all our governments destroyed their own future when they outlawed all p2p development and sued anybody developing a p2p system because it could be used for (gasp) piracy. I bet a bulletproof network run completely p2p would be pretty awesome against a full scale "cyberwar" attack. GJ RIAA and MPAA lobbyists.

Posted by: MerpDerp at June 14, 2012 7:20 PM

Limit the militarisation of cyberspace, and increase international co-operation? This is the great global hypocrite USA and its vicious little sidekick Israel we're talking about here... They will always do what they want (may I add the murder of Iranian civilian physicists to tz's list above) and claim plausible deniability when it comes to cyber-sabotage.

Posted by: Magnum at June 14, 2012 10:50 PM

It *would* be self-enforcing to start open collaboration: government agencies could collect and research how to trace malware samples, find and share and help patch vulnerabilities, etc. Participating states could pitch in money or loan their agencies' employees to the effort. That requires the mindset that reducing the danger should be the priority, which won't go over well with agencies tasked with *creating* danger to other countries.
I bet rules-of-war-type limitations--basically, declarations that if you cross this line some governments will be extra mad and want to make you pay--would be partially effective.

Posted by: er, woof at June 15, 2012 1:18 AM

@ Phil,
"It's not frontal, it can be launched in targeted ways any where at any time given the will"
That covers the same ground as "asymmetric warfare". But importantly, to prosecute conventional warfare in the physical world you need resources, specifically energy and force multipliers that take more energy to make. Cyber-crimes don't require the attacker to use energy except for the initial development, storage and communication of the information. From then on it's the defender's resources that are used. Thus a single directing mind and minimal resources does indeed allow the defeat of a major organisation. Hence the notion of "An Army of One", which gives the conclusion you have come to of,
"Cyberwar can't be negotiated between governments since anyone can start an attack."

@ Brandioch Conner,
"I doubt it. Again, because this is not "war". This is about drumming up fear to grab more public funding"
Whilst I agree with your points about it not being war and mainly FUD for monetary gain, I think Bruce is referring to the fact that it could easily result in actual physical attack as a retaliatory response. What makes FUD, like all propaganda, work is that it always has an element of the "believable" about it; thus it has significant potential to escalate where "cool heads do not prevail". Whilst the cold war did not go hot there were quite a few occasions where "political brinkmanship" and even accidents brought it close. In part it was this that gave rise to the notion of Mutually Assured Destruction or MAD. I remember living through quite a chunk of the cold war and remember the various movements such as CND, GreenPeace etc. to stop the "stock pile" build up.
And worse, the attempts by the various Intel organisations to discredit them in various ways (ask a Kiwi who was a young adult back then what they think about the French...).

Posted by: Clive Robinson at June 15, 2012 2:56 AM

@Clive: "Anyway the moral from my error is 'take more care when typing on a mobile on a train...'"
No need to be defensive, it was only a nitpick at one of your (as ever) insightful postings ;-)
I merely intended to introduce the idea of the internet as a medium that just transports war-actions, similar to the air 'transporting' a cruise missile (which may also fly over non-involved territories on the way to its target, for example). E.g., in the end it wouldn't really matter if Bushehr(?) was hit by a cruise missile fired by a B52 that launched from an airfield in the US (some of the first shots in the 1990/91 gulf war were fired in this way) or by a Stuxnet infection.

Posted by: Paeniteo at June 15, 2012 7:56 AM

@ Magnum.
Posted by: vasiliy pupkin at June 15, 2012 10:36 AM

A group has been working on a "MANUAL OF INTERNATIONAL LAW APPLICABLE TO CYBER WARFARE" since 2010. It will be the equivalent of the manuals that govern warfare on land, sea, and space. It's known as the Tallinn manual. It will cover jus ad bellum, jus in bello, definition of cyberweapon, etc.

Posted by: David Alexander at June 16, 2012 11:02 AM

Obama seems to be taking credit for unauthorized acts of war lately. We really don't need the expense of yet another unauthorized war. Some similar sentiments are expressed here:
globalguerrillas.typepad.com/...

Posted by: John Galt III at June 16, 2012 4:23 PM

As can be seen in this photo, the Iranian ambassador is holding a "smart" phone. CIA/NSA experts believe that that phone has been "jail broken", which increases its destructive capability ten-fold. Experts at the CIA/NSA believe that that "smart" phone contains enough virus code to infect every man, woman and child in America 17 times over. They could completely cripple our national infrastructure and our people. We cannot wait for the "smoking gun" to be a virtual mushroom cloud at the New York Stock Exchange. We must preemptively invade Iran for their violations of the CyberWar Treaty of 2013.

That is why we need more treaties that are impossible to enforce or even to verify. They provide the excuse for future wars and military actions.

Posted by: Brandioch Conner at June 17, 2012 1:19 PM

Speaking of smart phones: Have you heard of any link between the recent "state sponsored" Gmail hacks and malware running on Android phones? Gmail, at least on some Android devices, is "always on", i.e. cannot be logged out. If Gmail is hacked/infected, then phones (could be) too. Do you agree?

Posted by: GStarr at June 18, 2012 10:02 AM

Strategic treaties between the United States and Soviet Union relied on numerous inspections and technical means to verify compliance.
It took numerous spy sats to come up with numbers for Soviet arms that were always really just approximations. (The Soviets used to just "accept" our numbers.) How would you even begin to verify compliance in the digital world? How difficult would it be for a Large Corporation, let alone a Nation/State, to create an environment for testing that was impossible to access or was really a dual use facility? (By day a small data center for the local university, but by night a cyber-weapon training ground....) Either go big or go back to the stone age...

Posted by: Dan Macgowan at June 19, 2012 9:45 AM

Good points. To go even further on those themes of fostering cooperation and reducing arms races, here is an excerpt from an essay I wrote related to rethinking our security paradigm for the 21st century:
Posted by: Paul Fernhout at June 19, 2012 9:17 PM

This rhetoric is just pathetic. Sending packets over the internet does not kill anybody. If this still should happen because of an online attack, then only because someone has been extremely negligent, presumably in a criminal way. There is no war in cyberwar, get over it.

Posted by: Bernd at June 19, 2012 10:35 PM

As Bruce pointed out, all public signs point to the next few years being chock-full of various attacks. Malware, social engineering, and a whole lot more. So, what happens when the world wakes up and realizes how vulnerable they are?

Consider Anderson et al.'s recent study of costs associated with conventional Internet crime. People are spending ten times as much on preventing electronic crime than they're losing to the criminals. By comparison, lots of Internet 'security' legislation has already failed. I would take this for evidence that most people care about privacy enough to prefer handling their own security.

I would propose that therefore, an uncertain world of attacks carries the inevitable consequence of huge demand for the stability of good defenses. And that presents opportunity for clever defenders. As Microsoft did by selling an OS and word processor to the world and Apple a music player, so too might someone get absurdly rich by selling the world real security.

Posted by: E at June 20, 2012 6:03 AM

There are way too many mixed messages going on about this topic. I heard one report say the commie b's are at least three decades ahead of us in their skillz (sorry, I couldn't help it). Then other people say they're not all that. Then someone else says they've already broken in to ghosty db this and/or that. Well, who knows the real truth? Whoever it is, I doubt they're talking about it outside their own circles. Which is really frustrating because it hurts my feelings to be left out.

Drones and cyberwar.
So there will be more non-traditional pilot schools than ever and comp sec students drinking Red Bull on scales such as never been seen in the annals of geekery. Back to that gun debate... if drones become widely used by law enforcement, I bet some will be shot down. "I thought it was damned crow Sheriff!"

Posted by: me at June 20, 2012 7:26 PM