You're not making cyberweapons, are you?

Eugene Kaspersky has called for talks to limit the production of cyberweapons, but could the result be an intrusive inspection regime affecting every business?
Written by Stilgherrian, Contributor

There was nothing particularly new in Eugene Kaspersky's address to the National Press Club in Canberra on Thursday. The chief executive officer and chairman of Russian information security giant Kaspersky Lab is currently giving the world what The Irish Times called his seemingly endless "roadshow on cyber-nasty woes of modern life".

Indeed, he covered much the same ground as he did in the conversation that I recorded with him back in May — but more polished.

The key difference is that we now live in a post-Snowden world, and the key takeaway for Australia from Edward Snowden's revelations is that Julian Assange is no longer important. Well played, Eugene, well played.

So, Kaspersky in a nutshell. There are three things to worry about: Cybercrime, cyber espionage, and attacks on critical infrastructure in cyberspace. (Kaspersky cybers more than any human being should ever be allowed, but for some reason, it sounds right in a Russian accent.) Cybercrime is "huge", but we're getting it under control. Cyber espionage is "extremely dangerous" for international trust, and we need to limit it somehow. And the big one, the potential for devastating attacks on critical infrastructure, is what keeps him awake at night — and he'd like to see some international cooperation in limiting the risk there, too.

For the most part, I've been sceptical of the idea that a massive, coordinated strike on a nation's industrial control systems — everything from power grids and transportation systems to datacentre air conditioning systems and prison cell doors — could bring a nation to its knees in some digital-apocalyptic SCADAgeddon.

Industrial control systems (ICS) are woefully insecure, yes, and all manner of industrial control networks have been connected to the internet in that perennial "victory" of momentary convenience over security common sense. But as ICS security experts have pointed out, knowing how to hack into controller number 75454, say, is only the first step; you then need to know what controller 75454 actually does, and you need to understand how it interacts with the rest of the system before you can take control.

Now, I'm not so sure. As 2013 has unfolded, we've seen a steady stream of evidence that cyber espionage — OK, I said it — has been taking place on a vast scale. Perhaps the plans that explain controller 75454's role were scooped up long ago, along with the system's operating manual — or along with the address of the kindergarten where the operator's children spend their days, oh so vulnerable.

"Espionage did exist, it does exist, and will exist in the future," Kaspersky said, and it's the job of intelligence agencies to prepare a nation with the knowledge it needs to win any future conflict. And given the scale of digital weapons development that F-Secure's chief research officer Mikko Hypponen discussed last year, it strikes me as quite feasible that all of the pieces to deliver a coordinated strike are already under development, even if they're not yet ready to deploy.

With a digital arms race apparently already under way, Kaspersky has called for international cooperation to limit the production and use of cyberweapons — much like the Strategic Arms Limitation Talks (SALT), Strategic Arms Reduction Treaty (START), and the Comprehensive Nuclear-Test-Ban Treaty that took an axe to the number of American and Soviet nuclear weapons and helped wind back the nuclear escalation of the Cold War.

The key problem with any sort of arms treaty is verification. How do you know that the participating nations are sticking to the rules?

With nuclear weapons, physics is your friend. Hidden plutonium has its natural enemy in the Geiger counter. Arrays of uranium centrifuges mean huge buildings that show up in satellite imagery, or at least underground facilities requiring obvious work to build. Nuclear tests have a distinctive seismic signature.

But cyberweapons can be crafted by individuals and constructed in a garage or — cliché alert! — bedroom. A cyber research lab looks like any other office building — and, indeed, is just an office building, until the very moment its workers start manufacturing weapons.

An entire cyber arsenal can be hidden on a microSD card, smaller than a fingernail and easier to conceal.

It seems to me that trying to axe digital weapons production creates a phenomenally difficult verification problem.

At last month's Breakpoint conference in Melbourne, Michael Sulmeyer, a senior fellow at the Center for Strategic and International Studies in Washington DC, pointed out that we already have an international framework for handling dual-use technology — that is, technology that can be used for both peaceful and military aims — namely, the Wassenaar Arrangement.

The Wassenaar Arrangement is all about paperwork, compliance, and inspections. But tracking the movement of nuclear fuel rods, guided missiles, and the precision lathes needed to shape submarine propellers is one thing. Tracking the movement of a few megabytes of code is quite another.

When any office can be an arms factory, when any memory device can be chock full o' weapons, just how invasive for every business would a digital arms verification process have to be for us to trust it? And what would it cost?

Isn't there a proverb, "Be careful what you wish for"?

Careful with that axe, Eugene...

Stilgherrian travelled to Canberra as a guest of Kaspersky Lab.
