Is an International Cyber Regulatory Agency Needed?

Thursday, August 30, 2012

Richard Stiennon


I happened to attend Kaspersky Labs’ Cyber Conference 2012: IT Security in the Age of Cyber Warfare in Cancun, the same conference that resulted in this feature piece on its CEO, Eugene Kaspersky.

I moderated a panel that included representatives of two sides of an ongoing battle of minds: those at the ITU (International Telecommunication Union) who favor an international treaty on cyberspace under the auspices of the United Nations, and those at the Council of Europe who argue that the Budapest Convention is already in place and should serve as the model.

I talked to Kaspersky on this topic. His reasoning is simple: the cyber domain is just like the real world, and in the real world we have treaties and oversight agencies to monitor adherence to them. It works for nuclear, biological and chemical weapons, so why not cyber?

Kaspersky suggests the equivalent of the International Atomic Energy Agency. The IAEA has 154 member states and seeks to regulate the peaceful use of atomic energy. It was established in 1957 by a separate treaty outside the UN. It employs 2,300 people around the world.

While Kaspersky acknowledges that it is much easier to create cyber weapons than it is to construct a bomb, he believes that the existence of a treaty will at least establish that a signatory is breaking international law if they engage in cyber attacks.

I can imagine that the concept of such a treaty and regulatory body will not gain much traction in the military academies and think tanks around the world. Why restrict a nation’s options in war fighting – especially when cyber weapons are inexpensive (compared to fighter jets, tanks, and aircraft carriers) and could reduce the overall level of force required to achieve an end goal?

On top of the reluctance of military strategists, there are potentially insurmountable issues around definitions. What is a cyber weapon, for instance? Kaspersky limits his definition of cyberwar to the use of cyber weapons to cause physical damage. To date, only Stuxnet fits that definition.

But cyber weapons can be deployed to disrupt command and control without physical destruction. They can also be used to gain situational awareness, i.e., espionage, which is apparently what Duqu and Flame are built for.

How would an international body treat open source tools that are already freely available and widely deployed, such as Metasploit for exploiting vulnerabilities, or LOIC, used for denial of service attacks, or the thousands of pieces of malware already used for nefarious purposes?

This debate is going to rage for quite a while. There will be no short-term resolution, and we will see an escalating arms race and cyber weapons incorporated into most arsenals long before we see any international agreement to restrict cyber arms.

Jayson Wylie: I don't believe the ITU has the capacity or the acumen to handle what is going on in the wild. They concern themselves mostly with logistics and physical connectivity across the globe.

How effective is the UN? I wrote a blog on how I felt about this trend and feel that some nation states have the upper hand.

In my work I see far more attacks coming from APNIC networks than any other. I presume CN. And some of the sources are notorious for attacks. I at least know they are not directed APTs.

Global negotiations and states adhering to the 'rules' are going to be a struggle because espionage benefits some more than being the 'good' state following the rules.

Hate to bring out China as an example but they have the Great Firewall. What do they use it for? Censorship.

What don't they use it for? Egress attacks out of their country to control the citizen population from causing harm to other sovereign nations.

I saw a news show of a CN 10K count hacking cell. Then, I saw CN authorities arrested 10k or so hackers. Jail time? Probably not. They may stick them to the machine.

Iran? Very interested in cyber warfare and somewhat competent. Hasn't been in US diplomatic relations for some 30-odd years. The ITU will not regulate their activities, just as the UN nuclear regulators can't do anything either.

It's a pipe dream to think that global regulation is a possibility. It won't be by the ITU, who is being pushed into this role by states notorious for being adversarial to the US or very active in cyber activities. It is in their own interests and not for the interest of the greater good.

Don't be snow-blinded by a good idea. Not everyone will adhere, and there is not a UN punitive reaction that will change minds.

Richard Stiennon: Great observations, Jayson. Thanks. I agree, and apparently most of the people I talked to in DC this week agree with your analysis as well.
