At a cybersecurity conference in Tel Aviv Wednesday, the Russian antivirus expert who discovered the Flame computer virus, a type of malicious software, appealed to the U.S. and Israel to cease deploying cyberweapons. They “are a very bad idea,” he said. “My message is: stop doing this before it’s too late.” How right Eugen Kaspersky was.
Until now, cyberwarfare has been largely confined to Hollywood or to the prophecies of a few Cassandras warning darkly of a “digital Pearl Harbor” or “Cybergeddon”. But two closely linked events last week should give everyone cause for concern. An arms race in cyberspace is a distinct reality.
The first was the discovery of Flame, a “malware” virus recently flying around the fibre-optic cables and phone lines of the Middle East, seizing control of computers, vacuuming up their data and bending them to the will of whoever created this mischievous code.
While computer security specialists are not worried about the impact of the virus on individual victims, they are shocked that Flame has been going about its business for several years without anybody having noticed it. They calculate that millions of dollars must have been invested in creating the virus to ensure it remained undetected.
In a second development, three days after the news about Flame, the New York Times journalist David Sanger revealed that the U.S. had been behind the development and deployment of Flame’s most notorious predecessor, Stuxnet, which targeted Natanz, Iran’s uranium enrichment facility. The American admission will act as a starting gun: countries around the world can now argue that it is legitimate to use malware pre-emptively against their enemies.
The U.S. had previously denied any involvement in Stuxnet. Last week’s revelation appears to be an attempt by the White House to reject allegations by Mitt Romney, Barack Obama’s rival in the presidential race, that the president is soft on Iran. It also strengthens the impression that the White House is getting closer to Israel, another plus for Mr. Obama’s campaign.
However, these short-term benefits will be obscured by the long-term adverse consequences of the cavalier deployment of advanced cyberweaponry.
Given the relentless attacks that rain down on the networked systems of large institutions, it is of course essential for states to manage a defensive wall against intrusion, be it politically or criminally motivated. Our dependency on the Internet is such that a major disruption to the web could inflict immense damage on the economy.
Washington’s doctrine for cyberspace emphasises the need to protect its systems. Eighteen months ago, the U.S. designated it the fifth military domain, complementing land, sea, air and space. Some senior Pentagon officials have suggested that the U.S. would react to an attack by deploying both conventional weapons and cyberweaponry.
But sending Stuxnet out into the wild goes well beyond this. There are no agreements regulating the use of malware for military purposes. America has frequently appealed to Russia and China to co-operate in stemming the spread of malfeasance on the web. So its decision to use malware itself will not win friends. Other countries will infer that to ensure their security, they will have to ramp up their cybercapability.
The pre-emptive act against Iran sets an ugly precedent. Countries that feel threatened or have a grievance will be tempted to develop and use disruptive cybertechnology. There is no legal framework restraining intelligence agencies or the military from investing in and then testing these weapons.
The implications are grave. Regardless of its original purpose or target, malware does not usually discriminate. Somehow Stuxnet escaped Natanz, whose computers are not connected to the Internet, and infected 50,000 machines around the world. Once circulating so widely, viruses attract the Interests of hacking groups, cybercriminals and intelligence agencies, who can copy and adapt them for their own ends.
Recently, for example, Bavarian police unwittingly allowed some specialist surveillance software to slip on to the web. The program was so intrusive that Germany’s highest court had deemed it unconstitutional. It was almost immediately spotted and copied by Europe’s oldest hacking group, the Chaos Computer Club, a relatively benign organisation. But there is no knowing who else has picked up the software or even started using it.
Before it is too late, cyberspace needs to be integrated into agreed principles about warfare in the other domains. The starting point should be to outlaw the release on to the internet of malware like Flame or Stuxnet, which is as likely to affect civilian networks as any presumed targets. Playing military games with powerful viruses is not merely an assault on our civil liberties as Internet users. In the long run it will prove a threat to all of our security.
The writer is author of ‘DarkMarket: How Hackers Became the New Mafia’