I happened to attend Kaspersky Lab's Cyber Conference 2012: IT Security in the Age of Cyber Warfare in Cancun, the same conference that resulted in this feature piece on its CEO, Eugene Kaspersky.
I moderated a panel that included representatives of two sides of an ongoing battle of minds: those at the ITU who favor an international treaty on cyberspace under the auspices of the United Nations, and those at the Council of Europe who argue that the Budapest Convention on Cybercrime is already in place and should serve as the model.
I talked to Kaspersky on this topic. His reasoning is simple: the cyber domain is just like the real world, and in the real world we have treaties and oversight agencies to monitor adherence to them. It works for nuclear, biological and chemical weapons, so why not cyber?
Kaspersky suggests the equivalent of the International Atomic Energy Agency. The IAEA has 154 member states and seeks to regulate the peaceful use of atomic energy. It was established in 1957 under its own statute, a separate treaty, as an autonomous organization that reports to the UN rather than as a UN agency. It employs 2,300 people around the world.
While Kaspersky acknowledges that it is much easier to create cyber weapons than it is to construct a bomb, he believes that the existence of a treaty will at least establish that a signatory is breaking international law if they engage in cyber attacks.
I can imagine that the concept of such a treaty and regulatory body will not gain much traction in the military academies and think tanks around the world. Why restrict a nation's options in war fighting, especially when cyber weapons are inexpensive (compared to fighter jets, tanks, and aircraft carriers) and could reduce the overall level of force required to achieve an end goal?
On top of the reluctance of military strategists, there are potentially insurmountable issues around definitions. What is a cyber weapon, for instance? Kaspersky limits his definition of cyberwar to the use of cyber weapons to cause physical damage. To date, only Stuxnet fits that definition.
But cyber weapons can also be deployed to disrupt command and control without physical destruction, or to gather situational awareness, i.e., espionage, which is what Duqu and Flame apparently were built for.
How would an international body treat open source tools that are already freely available and widely deployed, such as Metasploit for exploiting vulnerabilities or LOIC for denial of service attacks, or the thousands of pieces of malware already in use for nefarious purposes?
This debate is going to rage for quite a while. There will be no short-term resolution, and we will see an escalating arms race, with cyber weapons incorporated into most arsenals, long before we see any international agreement to restrict cyber arms.