Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council brings up an interesting thought about how diplomacy is shaping how we view cyber warfare.
In an article over on usnews.com Mr. Healey brings up some interesting points about how we are approaching cyber warfare using a two-pronged approach. One approach is to say to other countries to stop it, and the other approach by pursuing our own cyber warfare process. According to Mr. Healey this inherently complicates diplomatic processes as he states:
Which choice will observers believe the president has made? America insists it wants a secure and peaceful cyberspace while sabotaging Iranian facilities with Stuxnet. Our government argues Chinese industrial espionage is completely unacceptable, but that disruptive and preemptive covert attacks are not escalatory but an acceptable norm. U.S. diplomats struggle to remain credible trying to convince Russia and China that the United Nations Charter and Geneva Convention apply to cyber conflicts. Nations question the U.S. model for peaceful Internet governance with the result that proposals from China, Russia, and even Iran get more support than those from U.S. diplomats. Source: USNews.com
While I am troubled by what I am seeing in the cloud networks, and Amazon Cloud Computing is going to, if they are not already, have a huge impact if the cold war ever gets hot, we also need to step back and take a look at where we are going in relationship to diplomacy and process.
It is trivial to find a zero day and exploit it, there are many exchanges that will sell them. Every government if they have any dream of a cyber warfare capability will buy them. We have rules in place for responsible disclosure, that work for some companies, but generally government tends to buy them and bury them. They are an open active way of getting the spyware into a governments computer networks, and a viable and valuable tool in any warfare toolkit.
While I can talk about setting up an international cyber warfare treaty, I am literally no one on the national or international stage. We have a legitimate need for both defensive and offensive cyber warfare tools, but how we manage those tools and how data gets back to the public via the news or strategic leaks, or even capture and reverse engineering of the malware is what will define cyber warfare going forward. There are a lot of reasons why we need to have a viable toolset, but we also need to know what the potential ramifications of those tools are.
Sometimes I think we develop capability without really understanding how they should be used to achieve strategic or tactical goals. We have stuxnet which did damage and achieved both a strategic (stop Iranian Nukes), and a tactical advantage (keep Israel from preemptive hard bomb strikes). Brilliant until Stuxnet started spreading into Indonesia, and making a hard appearance in the USA. All using the same controls vulnerability, that was not shared with the company that made those controls. Tools like this do not have a half life and they cannot be contained to one company or one region. That is something we are missing in the process. Companies are slow to patch and update. Developers who do not understand the hack will have a hard time filling the hole.
In the mean time our diplomats are trying to say stop hacking us, while we are developing a devastating and effective offensive and defensive cyber warfare capability. The tools are easy to create, the data is there to exploit, the treaty is missing, and the kids are playing on the internet. We need to have a more cogent plan than we seem to have, and it is time for us to take a deeper look as an industry what we are doing, and how we should be securing our networks against an increasing likelihood of something bad happening on the network that is nation state sponsored.