Âé¶ą´«Ă˝

US cyberweapons have been stolen and there’s nothing we can do

Malicious code exploits are the new weapons of war, but can we ever reach international agreement on how they should be used and who gets to control them?
internet room
Weaknesses are everywhere
Mel Evans/AP/REX/Sutterstock

US INTELLIGENCE agencies have been looking pretty stupid recently. Since last year, a group called the Shadow Brokers has been releasing cyberweapons stolen from the US National Security Agency. The WannaCry ransomware attack that knocked out computers across the world and shut down UK hospitals earlier this year, was powered by one of these weapons, exploiting a vulnerability in Microsoft code.

The NSA is not sure how many other pieces of its arsenal have been leaked. “The US is battling a rearguard action with respect to its reputation,” says at King’s College London.

If the US had lost control of a nuclear warhead, there would be global outrage, because a web of international treaties govern these dangerous weapons. But cyberweapons, which could cripple a nation’s infrastructure, come under no such regulations.

“If the US had lost control of a nuclear warhead, there would be global outrage”

You might think this is just the stuff of techno-thrillers, and certainly the word “cyberweapon” is overly dramatic for what is ultimately mere lines of code. But malicious software is causing real harm. Countries like Ukraine are attacked regularly, which the nation has linked to Russia. With NATO recently asking members to contribute their alongside tanks and aircraft, we need a global conversation about how these weapons are used.

Last month, the US kicked off that discussion with a concerning the disclosure of vulnerabilities in computer systems, just like the one used by the WannaCry attackers. The new rules outline how it will decide when to inform software manufacturers of zero-day vulnerabilities – bugs it has found that may be exploited to cause harm.

Could these guidelines mark the beginning of arms control for cyberweapons? And if so, is the US on the right track? “It’s a very early tentative first step in that direction,” says Stevens.

The guidelines describe basic trade-offs that must be considered before any disclosure. On one hand, telling a software firm that it has a dangerous bug allows it to patch the code and protect users. On the other, keeping that bug secret lets the US government exploit it. The guidelines say a review board should take the decision and then inform the US Congress about it.

But the guidelines are policy, not legally binding regulation. And Edward Snowden, who exposed the secret US surveillance programme in 2013, has criticised loopholes that allow certain vulnerabilities to be exempt from disclosure. “The public harm of maintaining 10 high severity flaws far outweighs the benefit of disclosing 90 low severity ones,” he .

There’s also the matter of who decides what to disclose. The review board is almost exclusively from the security and intelligence agencies, with no representatives from the public or software firms.

In any case, zero-day vulnerabilities are just one weapon in a digital arsenal. Think of a house, says cybersecurity researcher at Stanford University. A zero-day lets you pick the lock on the front door, but that’s not much use if you can’t get near the house in the first place.

For example, the Stuxnet worm, thought to have been created by the US and Israel to attack Iran’s nuclear facilities, was delivered by an infected USB stick, because the target computers weren’t connected to the internet. “This policy is far from a complete disclosure of the US’s capabilities,” says Smeets.

But even if it were, any meaningful cyberweapon policy must involve many countries. “It’s essential we have an international conversation about this,” says Stevens. Establishing how countries expect each other to behave would also prevent escalation, says international law researcher at the London School of Economics. “We’re all trying to avoid outright conflict.”

Software stockpile

So what would arms control look like for cyberweapons? For other weapons, it requires establishing clear thresholds and agreeing on an inspection process that ensures the thresholds are met. With cyberweapons this would be difficult, or even impossible.

“When people started talking about cyber arms control a few years ago, they thought they could apply their experience with nuclear or chemical arsenals and have a treaty within 10 years,” says Smeets. “Now they’re realising cyber is unique.”

lines
Held for ransom
Damien Meyer/AFP/Getty Images

With conventional weapons, you can try to limit the number a country has and the potential damage they could do. The 1974 Threshold Test Ban Treaty prohibits nuclear weapons of more than 150 kilotons, for example. But with cyberweapons, such measures are impossible, because malicious code can propagate unpredictably, as happened with WannaCry. “You can’t just look at the code and say this will cause X amount of damage,” says Smeets.

Even if you agreed thresholds, it would be hard to monitor them. Inspectors can visit nuclear enrichment facilities and audit missile stockpiles. But how would you inspect a cyberweapons programme? “You can’t go through every USB stick that exists in a country,” says Smeets.

Finally, tools to exploit zero-day vulnerabilities can only be weapons if they remain secret. Inspections that reveal their existence would make them worthless; something no country will accept, says Smeets.

Rather than focusing on the weapons, Smeets thinks we should be more concerned about proliferation. We might be able to persuade countries not to trade cyberweapons with rogue states, say. And if we can’t control the weapons themselves, countries could reach agreement on acceptable use, such as no targeting critical infrastructure or financial systems.

Arimatsu says we may not even need an arms control treaty for cyberweapons. International law already governs what states can and cannot do. If a country violates another nation’s sovereignty or inflicts damage within its borders, it doesn’t matter how it was done.

“Inspectors can visit nuclear facilities, but how would you inspect a cyberweapon programme?”

The trouble is that when countries get together to talk about cyberweapons, they find a lot to disagree about. In 2004, the United Nations set up the Group of Governmental Experts (GGE) to improve the security of the world’s computer and telecoms systems. After years of talks, the 25 member states agreed in 2013 that . “That was a huge breakthrough,” says Arimatsu. “But then they had to agree how it applied.”

After more negotiations, the whole project fizzled out this June. The GGE failed to deliver a report because it couldn’t agree what it should say. Michele Markoff, the GGE’s US representative, claimed some countries seemed to believe there should be no constraints on their online actions. “That is a dangerous and unsupportable view, and it is one that I unequivocally reject,” .

Smeets thinks the talks collapsed because countries couldn’t agree what kind of place the internet should be. Most Western nations believe in a free and open internet. Some, like China, believe we should have online borders that are governed and protected as extensions of a nation. Others, like Cuba, fear the militarisation of cyberspace.

That’s not an unreasonable concern. In June, NATO announced that it would strengthen its cyberdefences, sharing more technology and know-how between its 29 member states. NATO has also decided that a cyberattack can trigger Article 5 of its treaty, which means an attack on one NATO state will be considered an attack on all – with the real possibility of retaliation. A response could involve a return cyberattack, sanctions or even the use of conventional weapons.

Some, like Stevens, believe the GGE meeting was our last chance for widespread international agreement on these issues. The most we can hope for now is for a few countries, like the US, to lead by example, he says.

But there’s yet another thorn. When cyberweapons are used, it can be hard to know who deployed them – and harder still to prove it without risking security.

Take that house again. You could have CCTV that spots someone breaking in. You may know who the person is, but if you show your evidence you are telling people about your security system. “Next time you want to get into my house, you’ll know how to avoid the cameras,” says Smeets.

So, cyberspace remains a shadowy place. “It’s unlikely we will get international agreements on the use of these weapons,” says Smeets. “And even if we do, they will be non-enforceable.”

Arimatsu is more optimistic. She predicts that when more countries have been hit by cyberattacks, they will reconvene. “States are selfish,” she says. “If they see their own rights being violated, they will want to invoke international law.”

This article appeared in print under the headline “Ban the bug?”

Topics: Computer crime / Nuclear technology / Weapons