Reports of a new computer virus, dubbed “Flame,” have raised alarms about a new era of cyber threats. While countries are increasingly reliant on cyberspace for their very survival — it is now part of the social, economic and security infrastructure — it remains a largely unregulated domain; worse, behavioral norms in cyberspace remain underdeveloped.
Fortunately, Flame is not the catastrophic piece of malware that the media has portrayed. That does not mean, however, that we can continue to be so laissez faire about devising rules and norms to govern cyberspace, particularly its strategic dimensions.
Flame was recently discovered by Kaspersky Labs, an Internet security company that was asked by the International Telecommunications Union (ITU) to analyze malware (software written to do “bad” things to computers) it found on computers in Iran and the Middle East. The malware was designed to commit espionage: It stole files, captured keystrokes, turned microphones on and off remotely (allowing conversations to be heard and recorded), and intercepted network traffic, among other things.
The resulting analysis prompted the ITU to plan to issue “the most serious (cyber) warning we have ever put out,” said an ITU official. In particular, the warning is to identify Flame as a tool that can be used against critical infrastructure.
Flame is an intriguing virus. It is huge — about 20 megabytes in size and consisting of more than 650,000 lines of code — making it one of the largest pieces of malware ever written.
Computer analysts note that the size of the virus reflects the many tasks it was designed to do, as well as a deliberate attempt to obfuscate Flame’s origins and purposes. Mr. Eugene Kaspersky, head of the company that bears his name, calls Flame a new phase in cyberwarfare.
Other experts disagree. They note that much of the code is old and widely available on the Internet. They also point out that virtually every new piece of malware that is discovered is quickly labeled “the worst ever.”
And remember, Flame is primarily a tool for espionage; it does not destroy equipment like the Stuxnet virus, which infected an Iranian nuclear plant and ruined its centrifuges.
More troubling, those skeptics see political designs in the ITU warning. Questions have also been raised about the relationship between Kaspersky Labs and the Russian government, which is pushing, along with China, for greater regulation of the Internet, in particular a ban on the use of certain types of cyberweapons. This warning helps make the Russian case; ITU officials dismiss any suggestion that they are pushing a particular agenda.
The revelations about Flame came just as American newspapers were reporting that U.S. Presidents George W. Bush and Barack Obama authorized cyberattacks against Iranian nuclear facilities, using the Stuxnet virus. There have long been suspicions that the malware originated in either the U.S. or Israel, both governments of which have vowed to halt the Iranian nuclear programs.
While neither government is prepared to comment on its cyberwarfare programs in general, and Stuxnet or Flame in particular, the complexity and sophistication of the viruses suggests that governments are involved.
But those remain mere suspicions, and that is one of the real problems of security on the Internet. There is what experts call “an attribution problem” in cyberspace: It is hard, if not impossible, to ascertain where an attack came from.
In the real world, a missile leaves a vapor trail that can be traced back to discover its origins. A good hacker can disguise “fingerprints” and leave a false trail, working through computers around the world that have only the remotest of connections to the source of the attack. Moreover, even when a geographic location can be specified, there is no assurance that the particular actor is a government employee or a nonstate actor. And rest assured that governments are exploiting that opacity to employ private citizens to do their dirty work for them.
Experts worry that the proliferation of such tools by governments will make it even easier for nonstate actors to get involved. Once a piece of malware is in the public domain, anyone can download and adapt it for their own purposes.
It is unlikely that governments learned one of the most important lessons of the Cold War — namely that the nonstate actors (which we often refer to as terrorists) whom they employ for particular purposes do not stay bought. Instead, they use their unique skills and knowledge for their own purposes.
In short, hackers cannot be turned on and off at will. (And the hacker psychology is such that even attempting to do so can generate blowback.)
Even if the threat posed by Flame has been exaggerated, the need for norms and standards for behavior in cyberspace is compelling. Unfortunately, the mere articulation of such norms is meaningless in the absence of a capacity to enforce them.
The sad truth is that no government is likely to share access to its most valued cyber assets — which is what is ultimately demanded if an international authority is to work. Agreed-upon standards that are enforced by individual governments are likely the best we can do.
The success of any system demands considerable confidence- building measures so that governments will at least share information. Indeed, the very readiness to provide transparency can be one such measure.
Governments must be also be prepared to limit the development of some technologies or doctrines. If that sounds unrealistic, it should be remembered that every arms control effort during the Cold War faced the same complaint.