杏吧原创

US cyberweapons have been stolen and there’s nothing we can do

Malicious code exploits are the new weapons of war, but can we ever reach international agreement on how they should be used and who gets to control them?
internet room
Weaknesses are everywhere
Mel Evans/AP/REX/Sutterstock

US INTELLIGENCE agencies have been looking pretty stupid recently. Since last year, a group called the Shadow Brokers has been releasing cyberweapons stolen from the US National Security Agency. The WannaCry ransomware attack that knocked out computers across the world and shut down UK hospitals earlier this year, was powered by one of these weapons, exploiting a vulnerability in Microsoft code.

The NSA is not sure how many other pieces of its arsenal have been leaked. 鈥淭he US is battling a rearguard action with respect to its reputation,鈥 says at King鈥檚 College London.

If the US had lost control of a nuclear warhead, there would be global outrage, because a web of international treaties govern these dangerous weapons. But cyberweapons, which could cripple a nation鈥檚 infrastructure, come under no such regulations.

鈥淚f the US had lost control of a nuclear warhead, there would be global outrage鈥

You might think this is just the stuff of techno-thrillers, and certainly the word 鈥渃yberweapon鈥 is overly dramatic for what is ultimately mere lines of code. But malicious software is causing real harm. Countries like Ukraine are attacked regularly, which the nation has linked to Russia. With NATO recently asking members to contribute their alongside tanks and aircraft, we need a global conversation about how these weapons are used.

Last month, the US kicked off that discussion with a concerning the disclosure of vulnerabilities in computer systems, just like the one used by the WannaCry attackers. The new rules outline how it will decide when to inform software manufacturers of zero-day vulnerabilities 鈥 bugs it has found that may be exploited to cause harm.

Could these guidelines mark the beginning of arms control for cyberweapons? And if so, is the US on the right track? 鈥淚t鈥檚 a very early tentative first step in that direction,鈥 says Stevens.

The guidelines describe basic trade-offs that must be considered before any disclosure. On one hand, telling a software firm that it has a dangerous bug allows it to patch the code and protect users. On the other, keeping that bug secret lets the US government exploit it. The guidelines say a review board should take the decision and then inform the US Congress about it.

But the guidelines are policy, not legally binding regulation. And Edward Snowden, who exposed the secret US surveillance programme in 2013, has criticised loopholes that allow certain vulnerabilities to be exempt from disclosure. 鈥淭he public harm of maintaining 10 high severity flaws far outweighs the benefit of disclosing 90 low severity ones,鈥 he .

There鈥檚 also the matter of who decides what to disclose. The review board is almost exclusively from the security and intelligence agencies, with no representatives from the public or software firms.

In any case, zero-day vulnerabilities are just one weapon in a digital arsenal. Think of a house, says cybersecurity researcher at Stanford University. A zero-day lets you pick the lock on the front door, but that鈥檚 not much use if you can鈥檛 get near the house in the first place.

For example, the Stuxnet worm, thought to have been created by the US and Israel to attack Iran鈥檚 nuclear facilities, was delivered by an infected USB stick, because the target computers weren鈥檛 connected to the internet. 鈥淭his policy is far from a complete disclosure of the US鈥檚 capabilities,鈥 says Smeets.

But even if it were, any meaningful cyberweapon policy must involve many countries. 鈥淚t鈥檚 essential we have an international conversation about this,鈥 says Stevens. Establishing how countries expect each other to behave would also prevent escalation, says international law researcher at the London School of Economics. 鈥淲e鈥檙e all trying to avoid outright conflict.鈥

Software stockpile

So what would arms control look like for cyberweapons? For other weapons, it requires establishing clear thresholds and agreeing on an inspection process that ensures the thresholds are met. With cyberweapons this would be difficult, or even impossible.

鈥淲hen people started talking about cyber arms control a few years ago, they thought they could apply their experience with nuclear or chemical arsenals and have a treaty within 10 years,鈥 says Smeets. 鈥淣ow they鈥檙e realising cyber is unique.鈥

lines
Held for ransom
Damien Meyer/AFP/Getty Images

With conventional weapons, you can try to limit the number a country has and the potential damage they could do. The 1974 Threshold Test Ban Treaty prohibits nuclear weapons of more than 150 kilotons, for example. But with cyberweapons, such measures are impossible, because malicious code can propagate unpredictably, as happened with WannaCry. 鈥淵ou can鈥檛 just look at the code and say this will cause X amount of damage,鈥 says Smeets.

Even if you agreed thresholds, it would be hard to monitor them. Inspectors can visit nuclear enrichment facilities and audit missile stockpiles. But how would you inspect a cyberweapons programme? 鈥淵ou can鈥檛 go through every USB stick that exists in a country,鈥 says Smeets.

Finally, tools to exploit zero-day vulnerabilities can only be weapons if they remain secret. Inspections that reveal their existence would make them worthless; something no country will accept, says Smeets.

Rather than focusing on the weapons, Smeets thinks we should be more concerned about proliferation. We might be able to persuade countries not to trade cyberweapons with rogue states, say. And if we can鈥檛 control the weapons themselves, countries could reach agreement on acceptable use, such as no targeting critical infrastructure or financial systems.

Arimatsu says we may not even need an arms control treaty for cyberweapons. International law already governs what states can and cannot do. If a country violates another nation鈥檚 sovereignty or inflicts damage within its borders, it doesn鈥檛 matter how it was done.

鈥淚nspectors can visit nuclear facilities, but how would you inspect a cyberweapon programme?鈥

The trouble is that when countries get together to talk about cyberweapons, they find a lot to disagree about. In 2004, the United Nations set up the Group of Governmental Experts (GGE) to improve the security of the world鈥檚 computer and telecoms systems. After years of talks, the 25 member states agreed in 2013 that . 鈥淭hat was a huge breakthrough,鈥 says Arimatsu. 鈥淏ut then they had to agree how it applied.鈥

After more negotiations, the whole project fizzled out this June. The GGE failed to deliver a report because it couldn鈥檛 agree what it should say. Michele Markoff, the GGE鈥檚 US representative, claimed some countries seemed to believe there should be no constraints on their online actions. 鈥淭hat is a dangerous and unsupportable view, and it is one that I unequivocally reject,鈥 .

Smeets thinks the talks collapsed because countries couldn鈥檛 agree what kind of place the internet should be. Most Western nations believe in a free and open internet. Some, like China, believe we should have online borders that are governed and protected as extensions of a nation. Others, like Cuba, fear the militarisation of cyberspace.

That鈥檚 not an unreasonable concern. In June, NATO announced that it would strengthen its cyberdefences, sharing more technology and know-how between its 29 member states. NATO has also decided that a cyberattack can trigger Article 5 of its treaty, which means an attack on one NATO state will be considered an attack on all 鈥 with the real possibility of retaliation. A response could involve a return cyberattack, sanctions or even the use of conventional weapons.

Some, like Stevens, believe the GGE meeting was our last chance for widespread international agreement on these issues. The most we can hope for now is for a few countries, like the US, to lead by example, he says.

But there鈥檚 yet another thorn. When cyberweapons are used, it can be hard to know who deployed them 鈥 and harder still to prove it without risking security.

Take that house again. You could have CCTV that spots someone breaking in. You may know who the person is, but if you show your evidence you are telling people about your security system. 鈥淣ext time you want to get into my house, you鈥檒l know how to avoid the cameras,鈥 says Smeets.

So, cyberspace remains a shadowy place. 鈥淚t鈥檚 unlikely we will get international agreements on the use of these weapons,鈥 says Smeets. 鈥淎nd even if we do, they will be non-enforceable.鈥

Arimatsu is more optimistic. She predicts that when more countries have been hit by cyberattacks, they will reconvene. 鈥淪tates are selfish,鈥 she says. 鈥淚f they see their own rights being violated, they will want to invoke international law.鈥

This article appeared in print under the headline 鈥淏an the bug?鈥

Topics: Computer crime / Nuclear technology / Weapons