November 25, 2011
Call for Action: Internet Should Become a Military-Free Zone.
What is the difference between a nuclear missile and malware?
It’s not a trick question – malware can seize control of a missile, but a missile can’t be used to destroy malware. With the right tools a missile can be diverted by malware, but no amount of firepower can divert rogue software once it is active.
Unlike traditional weaponry, malware can replicate itself ad infinitum. And while a missile can usually be controlled in some way, malware tends to attack indiscriminately: nobody knows who it will harm or which corners it will worm its way into. On the inscrutable trajectories of the web, as soon as some black hat launches a malicious program to make some quick cash, anything can happen. It’s impossible to calculate what effect it will have, what might be affected by accident and how it could even boomerang back to harm its creators. People tend to make mistakes in everything they do – and writing code, malicious or otherwise, is no exception. There are numerous examples of this kind of “collateral damage” – read my previous post about the fortunes of the Internet.
At least we are now seeing some joint efforts to combat cybercriminals.
The security industry is tightening the screws on them, and the big boys like Microsoft are getting involved. Various non-commercial and intergovernmental organizations are joining in as well. Governments are beginning to understand that the Internet can be a highway to hell, and are waking up to the need to do something about it. So we are seeing some progress.
However, I’m more concerned about another side of Internet security. The tricks of a cybercriminal will seem trifling compared to a large-scale cyberwar on the web. Yes, you read it correctly – a web cyberwar! This is where things start getting much more complicated and murky.
These are the facts.
Firstly, militaries in different countries are busy creating dedicated cyber-units and “forging” cyber-weapons (examples include the US, India, the UK, Germany, France, the EU, NATO, China, South Korea and North Korea).
Secondly, cases of industrial espionage and acts of sabotage are common knowledge (see the news about high-profile attacks with nation states behind them, such as Stuxnet and Duqu).
Thirdly, news about carefully planned attacks is being revealed at an alarming rate (well, we all have a notion who the bad guys behind them are). A new term has even been coined for it: APT.
There is no doubt that all this is only the tip of the iceberg. Whenever we uncover a new Stuxnet-style malicious program it turns out that:
- The malware “blew its cover” because of a mistake or by accident.
- It has been quietly “sitting” in various networks for a long time already and we can only guess what it has been up to there.
- Many technical features of the malware – and the motivation of its creator – are still shrouded in guesswork.
Can you see where I’m going with this?
Clearly, we are sitting on a powder keg: we are sawing through the branch that the entire Internet is sitting on, and the whole world’s infrastructure is sitting right next to it. The military is gradually turning the Internet into one big minefield. A single keystroke could potentially unleash such chaos that nobody will be left unaffected. The misguided push of a button could bring everything to a halt – not just computers. The chain reaction would engulf things in the real world as well as the virtual one – nuclear power stations, perhaps. That could see a network conflict quickly escalate into a military one. It wasn’t hyperbole that prompted the US to equate hacker attacks with an invasion – they clearly understand the possible consequences. The more we look at it, the scarier it gets.
It gets worse. This malware, militarized or not, has code errors. A fly landed on the programmer’s keyboard, it was Friday evening or the testers didn’t test it properly – anything can happen. A standard bug in standard software usually has a containable effect – at most the computer system will collapse, a power turbine will stop or, in the worst case, something, somewhere comes crashing down. In the case of a conventional guided missile it may explode at the wrong time or in the wrong place. But with the new wave of military malware, an error can have truly catastrophic consequences. What if the rogue code reaches not just the intended target, but all similar objects around the world? How can it distinguish between real and unintended targets? If malware targets a specific [nuclear] power station, but ends up striking all [nuclear] power stations, what then? The Internet has no limits, and most power stations are built to one of a fairly small set of standards. Although there might be just one target, the number of potential victims can be much bigger – and they could be anywhere in the world.
I sincerely hope that I’m not being a Cassandra here, as was the case with self-propelling worms and attacks aimed at industrial facilities. I would VERY MUCH like to be mistaken.
This military malware is backed by top-notch professionals, generous financing, and access to powerful technical and material resources. Without that, how do you think anyone could have customized Stuxnet for Iranian centrifuges? Then we have the golden key of digital certificates, currently the guarantee of trust on the web (another alarm bell, by the way). I can only guess at the cyber-weapons that are primed and ready, but the future does not look promising. The whole area is beyond the control of society – it’s almost anarchy, with everyone doing whatever they want. As Stuxnet shows, the missile comparison is already very accurate – malware can cause the same results as a conventional military weapon.
Although, there is a difference.
Any weapons, especially weapons of mass destruction, along with nuclear technology in general, are more or less controlled and regulated, at least in theory. The UN has its Atomic Energy Agency, there is an international system of non-proliferation agreements and the UN Security Council reacts strongly to any attempts to join the nuclear club (as Iran has discovered). Of course, politics, subterfuge and double standards all play a role here – but that has nothing to do with the idea I’m describing here.
And the idea is as follows.
Considering the fact that peace and world stability rely strongly on the Internet, an international organization needs to be created in order to control cyber-weapons: a kind of International Atomic Energy Agency dedicated to cyberspace. In an ideal world it would replicate the nuclear security structures we already have and apply them to cyberspace. In particular, we should regard the use of cyber-weapons as an act of international aggression and put it on a par with cyber-terrorism.
Ideally, the right way would be to proclaim the Internet a military-free zone – a kind of cyber-Antarctica. I’m not sure if that disarmament is possible. The opportunity has been missed already, investments made, the weapons produced, the paranoia is already here. But nations at least need to agree on the rules and controls concerning cyber-weapons.
I realize that implementing this idea will be far from easy. Society still regards computers and the Internet as a virtual reality, toys which have nothing to do with actual life. That’s just plain wrong! The Internet is very much part of everyday reality! And I’ve outlined above what this complacency could lead to. This subject has already been under discussion for several years within security professional circles. I am simply the first to go public.
And please, remember the first and most important rule of security!
— Don’t kill Cassandra! Please! —