InfoSec 2013: Security Big Guns Back Cyber Weapons Non-Proliferation Treaty

Some of the biggest players in the security industry have backed calls for a cyber weapons non-proliferation treaty, akin to the 1970 agreement that sought to stop nations building nuclear arms.

The deal covering nuclear weapons has been ratified or agreed to by most of the world’s powers, including many of those now alleged to be carrying out widespread cyber attacks, such as China, Russia and the US.

The treaty has three main pillars: non-proliferation to stop the spread of nuclear weapons, disarmament and the right to peacefully use nuclear energy.

Cyber weapons agreement

Art Coviello, chairman of RSA, the security arm of storage giant EMC, told TechWeekEurope he would like to see something similar covering cyber. Coviello, who has been told by American officials the US and the British have the most capable cyber teams on both offensive and defensive sides, said one motivation should be the fear that non-Western militaries will get more capable.

“Why wait until the other guy develops the nuclear weapon before we start having some level of constructive engagement on this?” he asked.

“We have to have the equivalent of a Nuclear Non-Proliferation Treaty for cyber.”

He believes that if such an agreement is not formed, it will play into the hands of the cyber criminals who make money from governments by selling malicious hacking tools.

“China will scream and yell and stamp their feet and say they’re being hacked. Guess what? They are, by the same criminals [as everyone else], or their own brand of criminals,” Coviello added.

“As long as nations don’t agree to cooperate amongst themselves, the terrorists, rogue nation states, criminals and to some extent hacktivists will get a free ride. And they love it, they benefit from it because some of them are playing nation states off of one another.”

Eugene Kaspersky, CEO of the Russian security giant that carries his surname, said he would “definitely support such an agreement”.

“Moreover, I have been promoting such an idea for some time now. I believe this problem will be solved in the same way that problems of chemical, biological and nuclear weapons were in the past,” Kaspersky told TechWeek.

“We must have an international agreement on cooperation, non-proliferation and non-use of cyber weapons. I believe that nation states will soon come to realise the risks of unfolding cyber weapons, and then put an end to, if not developing, at least the application and distribution of cyber weapons.

“I do understand that governments are hardly going to stop using and developing cyber-espionage tools, for intelligence will always exist as long as states themselves will. But I firmly believe that cyber weapons targeted at critical infrastructure must be forbidden.

“Cyber weapons are relatively cheap to produce, are effective, mostly go undetected, leave their authors anonymous, and can be easily replicated. And they’re hard to defend against. And they have unpredictable side effects. In all – a lethal cocktail that could lead to potentially grave consequences if ending up in the wrong hands.”

Doubts

There has been much talk at the InfoSecurity 2013 conference this week around the rise in cyber espionage, as research pointed to the increasingly global nature of state-sponsored hacking. Most espionage still comes from China, according to reports from US-based firms FireEye and Verizon, but every major nation is now believed to be involved in Internet-led attacks.

British companies are getting pummelled, according to government-sponsored research, which claimed 90 percent of UK firms had been breached in the last year. The worst attacks are costing large businesses as much as £850,000 on average and small businesses up to £65,000.

Governments have set up various bodies attempting to facilitate cross-border collaboration to fight illegal online activity, such as Europol’s recently-established European Cybercrime Centre (EC3), but there have been no agreements covering what constitutes an act of war in cyber space.

There have been very few state sponsored destructive cyber attacks, with only Stuxnet known to have caused a severe impact, toying with centrifuge controls at an Iranian nuclear facility. But much more is believed to be going on under the radar.

Some believe the situation is irrecoverable, as nations build up the cyber arms of their militaries, knowing much of what they do can be denied.

Mikko Hypponen, chief researcher at F-Secure, is a lot more cynical than Coviello and Kaspersky of the likelihood of a pan-global agreement. “It’s way, way too late for that. That would never happen.”

What do you know about Internet security? Find out with our quiz!