You're not making cyberweapons, are you?

Summary: Eugene Kaspersky has called for talks to limit the production of cyberweapons, but could the result be an intrusive inspection regime affecting every business?

TOPICS: Security

There was nothing particularly new in Eugene Kaspersky's address to the National Press Club in Canberra on Thursday. The chief executive officer and chairman of Russian information security giant Kaspersky Lab is currently giving the world what The Irish Times called his seemingly endless "roadshow on cyber-nasty woes of modern life".

Indeed, he covered much the same ground as he did in the conversation that I recorded with him back in May — but more polished.

The key difference is that we now live in a post-Snowden world, and the key takeaway for Australia from Edward Snowden's revelations is that Julian Assange is no longer important. Well played, Eugene, well played.

So, Kaspersky in a nutshell. There are three things to worry about: Cybercrime, cyber espionage, and attacks on critical infrastructure in cyberspace. (Kaspersky cybers more than any human being should ever be allowed, but for some reason, it sounds right in a Russian accent.) Cybercrime is "huge", but we're getting it under control. Cyber espionage is "extremely dangerous" for international trust, and we need to limit it somehow. And the big one, the potential for devastating attacks on critical infrastructure, is what keeps him awake at night — and he'd like to see some international cooperation in limiting the risk there, too.

For the most part, I've been sceptical of the idea that a massive, coordinated strike on a nation's industrial control systems — everything from power grids and transportation systems to datacentre air conditioning systems and prison cell doors — could bring a nation to its knees in some digital-apocalyptic SCADAgeddon.

Industrial control systems (ICS) are woefully insecure, yes, and all manner of industrial control networks have been connected to the internet in that perennial "victory" of momentary convenience over security common sense. But as ICS security experts have pointed out, knowing how to hack into controller number 75454, say, is only the first step; you then need to know what controller 75454 actually does, and you need to understand how it interacts with the rest of the system before you can take control.

Now, I'm not so sure. As 2013 has unfolded, we've seen a steady stream of evidence that cyber espionage — OK, I said it — has been taking place on a vast scale. Perhaps the plans that explain controller 75454's role were scooped up long ago, along with the system's operating manual — or along with the address of the kindergarten where the operator's children spend their days, oh so vulnerable.

"Espionage did exist, it does exist, and will exist in the future," Kaspersky said, and it's the job of intelligence agencies to prepare a nation with the knowledge it needs to win any future conflict. And given the scale of digital weapons development that F-Secure's chief research officer Mikko Hypponen discussed last year, it strikes me as quite feasible that all of the pieces to deliver a coordinated strike are already under development, even if they're not yet ready to deploy.

With a digital arms race apparently already under way, Kaspersky has called for international cooperation to limit the production and use of cyberweapons — much like the Strategic Arms Limitation Talks (SALT), Strategic Arms Reduction Treaty (START), and the Comprehensive Nuclear-Test-Ban Treaty that took an axe to the number of American and Soviet nuclear weapons and helped wind back the nuclear escalation of the Cold War.

The key problem with any sort of arms treaty is verification. How do you know that the participating nations are sticking to the rules?

With nuclear weapons, physics is your friend. Hidden plutonium has its natural enemy in the Geiger counter. Arrays of uranium centrifuges mean huge buildings that show up in satellite imagery, or at least underground facilities requiring obvious work to build. Nuclear tests have a distinctive seismic signature.

But cyberweapons can be crafted by individuals and constructed in a garage or — cliché alert! — bedroom. A cyber research lab looks like any other office building — and, indeed, is just an office building, until the very moment its workers start manufacturing weapons.

An entire cyber arsenal can be hidden on a microSD card, smaller than a fingernail and easier to conceal.

It seems to me that trying to axe digital weapons production creates a phenomenally difficult verification problem.

At last month's Breakpoint conference in Melbourne, Michael Sulmeyer, a senior fellow at the Center for Strategic and International Studies in Washington DC, pointed out that we already have an international framework for handling dual-use technology — that is, technology that can be used for both peaceful and military aims — namely, the Wassenaar Arrangement.

The Wassenaar Arrangement is all about paperwork, compliance, and inspections. But tracking the movement of nuclear fuel rods, guided missiles, and the precision lathes needed to shape submarine propellers is one thing. Tracking the movement of a few megabytes of code is quite another.

When any office can be an arms factory, when any memory device can be chock full o' weapons, just how invasive for every business would a digital arms verification process have to be for us to trust it? And what would it cost?

Isn't there a proverb, "Be careful what you wish for"?

Careful with that axe, Eugene...

Stilgherrian travelled to Canberra as a guest of Kaspersky Lab.

Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust.

He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit trap, clear a jam in an IBM model 026 card punch and mix a mean whiskey sour.

  • Convenience sets the stage for attacks.

    Back when the internet consisted of a few thousand academics (i.e. "geeks"), and required "geek" level knowledge of one's own and neighboring servers to use it at all, and every step of a process had to be typed in manually, it was possible to be at least 99 percent sure one had not DONE anything to allow malware to get into one's system. But the more GOOD things are being done automatically, to make things more convenient for users, the more ways there are for malware to take over automatically, so that even "geeks" may not spot the best hidden programs, and thus have to take SOMETHING on trust. The biggest things we ALL have to take on trust in order to get any useful work done are the OS vendor and the security system vendor, because EITHER of those COULD be working for the "bad guys" (whoever one considers bad guys at any one time), and thus could hide malware from their customers.
    • Well, even if the OS vendor is trustworthy... OR the security vendor..

      You STILL cannot tell if they aren't working against you.

      Even if they don't intend to, they still do. Especially closed source vendors.

      Without being able to look (which includes paying someone else to look) you cannot know if they aren't distributing malware. Just look at the recent problems caused the British health service - the antivirus vendor wiped out thousands of their systems just due to a mis-identification.

      Just like a virus wiping out your systems.
  • Dog and pony shows

    A lot of security efforts today are mostly dog and pony shows. The TSA, blade and glare, greetings at most airports come to mind. Throw in a few heavy handed examples, like strip searching small children and denying an 80 year old Medal of Honor recipient boarding because the TSA agent didn't know what it was, and you get the idea. Never mind that a couple of martial arts trained terrorists could storm the cabin, disable the pilots and take control without any less than a few ounces containers of breast milk for weapons. The point being it makes the public think they are safer but doesn't do much to actually make them safer. The same applies to suggestions and efforts like the one mentioned in this article.

    What we really need is an end to anonymous internet access, tough punishment for those caught in violation and retribution for those affected by cyber attacks. Whoever designed programs that allow you to post something while pretending to be someone else would be a good place to start. You can't listen to 10 minutes of radio without hearing some pitch about identity theft but ISPs and internet account access providers just let it go on thousands of times daily. Mention it to them and they just shrug it off.

    I read a story about a guy who tracked down the person that hacked his website and broke the fingers on both of the hacker's hands. That's a bit extreme but making it easy to identify offenders, by making anonymous access a thing of the past, and providing a small claims court type resolution of violations, with fines based on the cost of reparations and investigations and mandatory internet access blocking for those found in violation, might make nonprofessional attacks diminish. Serious attacks should be dealt with more severely. Huge fines and imprisonment come to mind. Providing we fix the prison system first but that is for another post.
  • Cyberweapons Pah

    Peashooters. Just pray some lunatic doesn't cross HIV with Influenza.
    Alan Smithie
  • causes condensa...tion!

    hmm, wrong song