Slashdot Mirror


Is Cyber Arms Control a Lost Cause?

Nicola Hahn writes: In light of a classified document regarding state-sponsored cyber ops, the editorial board at the New York Times has suggested that the most constructive approach to reducing the spread of cyber threats would be to "accelerate international efforts to negotiate limits on the cyberarms race, akin to the arms-control treaties of the Cold War."

While such advice is by all means well-intentioned, there are significant differences between nuclear weapons and malware that would make treaty verification problematic. Not to mention that the history of the Cold War itself illustrates that certain countries viewed arms control treaties as an opportunity to secretly race ahead with their own covert weapons programs. Rather than take on the Sisyphean task of trying to limit the development of offensive cyber technology, why not shift national priorities towards creating robust, fault-tolerant systems that render offensive tools ineffective?

47 comments

  1. Problems is not the systems... by Anonymous Coward · · Score: 1

    ... it's the human beings behind them.

    We really need to look at the human beings and fix their flawed perceptions and psyche instead.

  2. UN router oversight. by Anonymous Coward · · Score: 0

    That's what we need, UN permission to run apps on my router. DD-WRT will become a weapons grade router software and be banned.

  3. I hope not by Jedi1USA · · Score: 5, Funny

    I really want cyber arms.

    But not if I can't control them.

    That would be embarrassing.

    --
    My old sig was REALLY stoopid.
  4. Shuda Nuked The Norks by Anonymous Coward · · Score: 0

    Taught them all a lesson that you want to play with fire, then BURN IN HELL!

  5. In reply... by Anonymous Coward · · Score: 5, Insightful

    In reply to: why not shift national priorities towards creating robust, fault-tolerant, systems that render offensive tools ineffective?

    Because then it would be more difficult for the NSA to spy on us?

    1. Re:In reply... by fustakrakich · · Score: 1

      Well, we won't make them that robust.

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:In reply... by duck_rifted · · Score: 1

      Then they won't render offensive tools *that* effective.

    3. Re:In reply... by duck_rifted · · Score: 1

      *ineffective (facepalm)

      While you guys figure out the cyberwar, I'm going to think about whether typo reduction is a lost cause. (shaking my head)

  6. Do both? by Anonymous Coward · · Score: 0

    Wouldn't it make more sense to do both? Make efforts toward more secure systems but through continued, mutual antagonism, cause the other side to not give up on their security posture.

  7. Next question?

  8. I object to the term by Anonymous Coward · · Score: 0

    The term "cyber arms" is an attempt to change the perception of IT security to something that needs to be regulated.

    1. Re:I object to the term by rossdee · · Score: 2

      If it is Cyber Arms then we are allowed them under the 2nd Amendment

    2. Re: I object to the term by Anonymous Coward · · Score: 0

      IT MUST be regulated. If it had been right from the start we wouldn't have to deal right now with massive job losses due to automation and internet-enabled outsourcing. Social issues must take precedence over technology, and computer nerds must pay.

    3. Re: I object to the term by Anonymous Coward · · Score: 0

      This! Let's start a great pogrom against nerds! Torches and pitchforks! Lynch mobs! Necklacing! Drawing & quartering!

    4. Re: I object to the term by Anonymous Coward · · Score: 0

      No need to overdo it. Punch a screwdriver through an eye socket will be enough.

  9. Don't be naive by Anonymous Coward · · Score: 2, Funny

    why not shift national priorities towards creating robust, fault-tolerant, systems that render offensive tools ineffective?

    Bad idea. That would interfere with domestic spying priorities.

  10. Wrong advice for nuclear weapons too by mi · · Score: 2

    While such advice is by all means well-intentioned

    Well-intentioned, but still wrong — even in the case of nuclear weapons. For all the treaties, both USA and USSR retained enough nukes to destroy each other (and, probably, the rest of the planet) many times over — officially.

    Unofficially it put the US, where the government is (somewhat) accountable to citizens, at a disadvantage — we had to abide by the agreements, while the rulers of USSR — unafraid of inquisitive lawmakers and "nosy" journalists — did not.

    Cyber-weapons are even worse in this regard, because their use and development can be delegated to a nominally private organization or even a person — the way Russia's propaganda war is already delegated too.

    --
    In Soviet Washington the swamp drains you.
    1. Re:Wrong advice for nuclear weapons too by AuMatar · · Score: 1

      It didn't put either of us at a disadvantage. We had enough to destroy them 10x over. Being able to do it 20x over doesn't make us any more powerful. Now when you start getting down towards the 1x threshold you might have a point.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    2. Re:Wrong advice for nuclear weapons too by mi · · Score: 1

      We had enough to destroy them 10x over. Being able to do it 20x over doesn't make us any more powerful.

      Of course, it does. Your logic only works, if all missiles available will remain operational and reach their targets if launched.

      But that's not a valid assumption. Consider, for example, the possibility of one side's launchers — submarines, bombers, mobile launchers, or stationary silos — being disabled and/or taken-over somehow. They aren't run always by the best, unfortunately...

      If a mere handful of such installations need to survive for us to remain capable of annihilating the enemy, they would not risk it. But, if our counter-attack requires, say, 50% of them to be operational, the enemy might attempt such an action.

      Similar arithmetic applies, if the target's defenses are deemed capable of destroying a significant fraction of incoming missiles. Russia already fears our interception technology, for example, and has its own. If such defenses can take out 90% of the incoming, you do need to fire 10x more. And you better use 20x more to be sure...

      --
      In Soviet Washington the swamp drains you.
    3. Re:Wrong advice for nuclear weapons too by king+neckbeard · · Score: 1

      You also don't actually need to get to total annihilation for the effectiveness of MAD to apply.

      --
      This is my signature. There are many like it, but this one is mine.
    4. Re:Wrong advice for nuclear weapons too by Anonymous Coward · · Score: 0

      But, if our counter-attack requires, say, 50% of them to be operational, the enemy might attempt such an action.

      50% requirement?!

      Let's look at the most extreme case. Suppose your opponent can even deliver one single warhead successfully through your defenses to one of your major cities, after your preemptive attack.

      From your PoV, you lose. The war will cost you more than you stand to gain.

      Changing that 1 to 10 or 100 or 1000 doesn't alter your decision.

  11. Heh by Anonymous Coward · · Score: 1

    Yes, let's control something that requires only a computer and an internet connection to make, and can be essentially untraceable. It will work. Trust me.

  12. cyber-arms left the ban barn by turkeydance · · Score: 1

    a long time ago in a galaxy far, far away....

  13. YES !!!! by Anonymous Coward · · Score: 0

    I don't see the need for discussion on this one as the answer is most obviously yes in the affirmative. Just ask Mr Edward Snowden. So Yes and Yes is the complete answer you can now all put down your keyboards.

  14. Arms control only works if attribution is possible by kye4u · · Score: 1

    One of the biggest differences between the two types of warfare is that attribution is non-trivial in cyber. So even if agreements were made between two or more countries, how can you verify that they are enforced if you can't determine who authored/deployed the illegal malware?

    In traditional warfare, which often relies on kinetic weapons, it's pretty straightforward to trace the trajectory of a weapon back to where it was deployed.

    why not shift national priorities towards creating robust, fault-tolerant, systems that render offensive tools ineffective?

    Defense is more expensive and takes longer to develop because it is only as strong as the weakest link. You have to make sure the entire perimeter is secure by eliminating as many holes as you can.
    On the offensive side, you only need to find one hole. As a consequence, offense is relatively cheap and the costs are typically associated with the initial R&D. After the initial R&D, cyber weapons can be replicated with virtually zero-cost.

  15. Exactly! Recognizing irony is key... by Paul+Fernhout · · Score: 2

    As I wrote here: http://www.pdfernhout.net/reco...
    " Military robots like drones are ironic because they are created essentially to force humans to work like robots in an industrialized social order. Why not just create industrial robots to do the work instead?
    Nuclear weapons are ironic because they are about using space age systems to fight over oil and land. Why not just use advanced materials as found in nuclear missiles to make renewable energy sources (like windmills or solar panels) to replace oil, or why not use rocketry to move into space by building space habitats for more land?
    Biological weapons like genetically-engineered plagues are ironic because they are about using advanced life-altering biotechnology to fight over which old-fashioned humans get to occupy the planet. Why not just use advanced biotech to let people pick their skin color, or to create living arkologies and agricultural abundance for everyone everywhere?
    These militaristic socio-economic ironies would be hilarious if they were not so deadly serious. Here is some dark humor I wrote on the topic: A post-scarcity "Downfall" parody remix of the bunker scene. See also a little ironic story I wrote on trying to talk the USA out of collective suicide because it feels "Burdened by Bags of Sand". Or this YouTube video I put together: The Richest Man in the World: A parable about structural unemployment and a basic income.
    Likewise, even United States three-letter agencies like the NSA and the CIA, as well as their foreign counterparts, are becoming ironic institutions in many ways. Despite probably having more computing power per square foot than any other place in the world, they seem not to have thought much about the implications of all that computer power and organized information to transform the world into a place of abundance for all. Cheap computing makes possible just about cheap everything else, as does the ability to make better designs through shared computing. I discuss that at length here: http://www.pdfernhout.net/post...
    There is a fundamental mismatch between 21st century reality and 20th century security thinking. Those "security" agencies are using those tools of abundance, cooperation, and sharing mainly from a mindset of scarcity, competition, and secrecy. Given the power of 21st century technology as an amplifier (including as weapons of mass destruction), a scarcity-based approach to using such technology ultimately is just making us all insecure. Such powerful technologies of abundance, designed, organized, and used from a mindset of scarcity could well ironically doom us all whether through military robots, nukes, plagues, propaganda, or whatever else... Or alternatively, as Bucky Fuller and others have suggested, we could use such technologies to build a world that is abundant and secure for all. ...
    The big problem is that all these new war machines and the surrounding infrastructure are created with the tools of abundance. The irony is that these tools of abundance are being wielded by people still obsessed with fighting over scarcity. So, the scarcity-based political mindset driving the military uses the technologies of abundance to create artificial scarcity. That is a tremendously deep irony that remains so far unappreciated by the mainstream.
    We the people need to redefine security in a sustainable and resilient way. Much current US military doctrine is based around unilateral security ("I'm safe because you are nervous") and extrinsic security ("I'm safe despite long supply lines because I have a bunch of soldiers to defend them"), which both lead to expensive arms races. We need as a society to move to other paradigms like Morton Deutsch's mutual security ("We're all looking out for each other's s

    --
    A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
    1. Re:Exactly! Recognizing irony is key... by currently_awake · · Score: 3, Insightful

      You assume that conflict is about getting needed resources, it's not. It's about control. It's about power over others.

    2. Re: Exactly! Recognizing irony is key... by Anonymous Coward · · Score: 0

      Easily the least insightful tl/dr copypasta I've witnessed in some time. If you were a puppy, I'd rub your face in that mess. You should be ashamed of yourself.

    3. Re:Exactly! Recognizing irony is key... by pepty · · Score: 1

      Meh, most of it is about money. Speaking of which,

      shift national priorities towards creating robust, fault-tolerant, systems that render offensive tools ineffective

      Sounds like the first bullet point for a series of hugely profitable, multi-generational government contracts, doncha think?

    4. Re:Exactly! Recognizing irony is key... by Paul+Fernhout · · Score: 1

      And a major reason people want to control other people is... getting needed resources. :-)

      Of course, since "needed resources" for some people can include specific mates (who need to be impressed or dominated or whatever), there is complexity there. James P. Hogan talks about the issue of achieving status in a post-scarcity economy in his 1982 sci-fi novel "Voyage From Yesteryear".
      http://en.wikipedia.org/wiki/V...

      But, while prestige and status of a country relative to other countries is a cause of war (including to deter aggression), the personal level of status is rarely the reason entire nations are convinced into going to war. That is true even if personal status among leaders may have something to do with why leaders try to convince their countries to foolishly go to war.

      For example, in this survey of the causes of war in 2008, every one except the top one of "ideological change" essentially comes down to control of resources.
      "Why wars happen"
      http://www.economist.com/node/...

      And I'd suggest even "ideological change" most often has a strong component of access to resources in order to manage them in specific ways (for example, having enough territory to implement some vision of some form of law or politics).

      Anyway, this is a complex topic. There are many lists of reasons on why wars happen. I'm trying to say that issues of perceived scarcity drive a lot of them. Also, scarcity-thinking also often keeps people on a treadmill where they never seem to have time to learn about alternative ways of handling conflict than knee-jerk violence. And then further, fighting over perceived scarcity with super powerful tools of abundance (like computer code that can cause billions of potentially useful things to happen all at once across the world) is what creates the biggest current risks (like nuclear war). Without these tools of abundance like computers, communications, nanotech, biotech, nuclear power, advanced materials, rocketry, and so on, we would not be worried about the end of the human race by just some few people in one small area throwing rocks at each other.

      --
      A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
    5. Re:Exactly! Recognizing irony is key... by swell · · Score: 1

      Paul-

      I appreciate your interest in saving humanity, and your interest in promoting your web site, and your interest in promoting your ideas. In general, I appreciate your promotional zeal.

      But you will die, as I will, as we all will. We will be forgotten. Despite your promotional zeal, you will be forgotten. If 100,000 people accept your ideas it won't make any difference. I understand there is an ego issue for you and similar crackpots, but the bottom line is that you won't make much difference.

      So consider relaxing a bit. Smoke a joint, have a beer, find a girlfriend. Now, doesn't that make it all better?

      --
      ...omphaloskepsis often...
  16. or we could take the opposite approach by Gravis+Zero · · Score: 1

    if people attack anything that is known to be vulnerable then we actually might get some decent software security! putting our heads in the ground isn't going to solve the fundamental issue that we have wildly insecure systems.

    --
    Anons need not reply. Questions end with a question mark.
  17. Why is government help needed? by Anonymous Coward · · Score: 0

    The idea that only the government has the resources to thwart hacking attempts is ridiculous. If anything, a person's own government is the most dangerous player in all of this. They (five eyes and more) have demonstrated a desire to collect everything about everyone and have the ability to arrest and injure you. How is freedom possible under such a system?

    Hacking on the other hand is in nearly every case limited solely to an economic impact. Take the section on Iran DDoSing financial institutions in the linked article. What sort of impact did that have? I haven't heard of massive outages among US financial companies. The only recent problems in the financial sector have been through their own doing, not from a denial of service attack. It's a joke that the federal government is investing so heavily in stopping such trivial "attacks". Sony should be ashamed to have had run such a poor security operation, and instead they're held up as a reason to double investment in a surveillance state aimed chiefly against its own citizens. Fuck that.

    1. Re: Why is government help needed? by Anonymous Coward · · Score: 0

      Here are a few examples of hacks with potentially large impacts:

      http://www.businessinsider.com/nsa-director-yes-china-can-shut-down-our-power-grids-2014-11

      http://www.cnn.com/2009/US/04/21/pentagon.hacked/index.html

      http://www.cnet.com/news/hackers-make-off-with-at-least-300-million-in-bank-heists/

  18. Re:Arms control only works if attribution is possi by Marginal+Coward · · Score: 1

    One of the biggest differences between the two types of warfare is that attribution is non-trivial in cyber.

    Agreed. Another point is that unlike nuclear weapons, cyber weapons can easily be developed and used by non-state players such as terrorists and criminals. (We've seen quite a lot of the latter.) In contrast, one of the saving graces of nuclear weapons has always been that you can't build them in your garage. Therefore, even if a cyber warfare treaty is created and adhered to faithfully by all nations involved, the problem isn't solved. And the smaller nations that haven't even signed the treaty have a relatively low barrier to entry.

    Cyber weapons from nations are different from similar "weapons" from non-nations only in terms of the resources available to create them, that is, their level of sophistication. Therefore, if treaties really worked, they would limit only the sophistication of the malware. So, it seems to me that the only thing that can be done is to employ the best possible defensive measures - and expect them to fail on occasion. That's pretty-much what most of us now do at home and work anyway.

    In my own case, I recently uninstalled Kaspersky from all my computers, since it's based in Moscow, which is the capital of a country which is increasingly at odds with the US, where I live. I did that after a Russian-born friend of mine told me that he wouldn't have Kaspersky on his computer. But as sophisticated as Kaspersky is, I have no way to be sure they didn't leave something juicy behind in case Mr. Putin later wants to put the hurt on us. Of course, one could argue that the anti-virus software I replaced it with also could be used as an attack vector, but at least its parent company is based in my own country.

  19. Betteridge's Law by Anonymous Coward · · Score: 0

    Actually doesn't apply here. Wow.

  20. Re:Arms control only works if attribution is possi by Anonymous Coward · · Score: 0

    "attribution is non-trivial" This point is the reason why so many people are worried about a nuclear device ending up in the hands of a non-state actor. US nuclear doctrine has always been centered on the idea of MAD. If any of the major nuclear armed countries were to attack the US with nuclear weapons the US could retaliate immediately and the citizenry would support the decision. If a non-state actor used a nuclear weapon there could not be any immediate response because it would take time to investigate how the perpetrator obtained the nuclear weapon. If it took 6 months, a year or more time to find the supplier, would people support launching a retaliatory nuclear strike? Making treaties or laws concerning cyber attacks is a gigantic waste of time. The internet is an attack-counter attack environment and will remain so no matter how much time and money the governments around the world throw at it. And while a lot of people are having hysterics over the NSA, the criticism is never expressed in the proper context. You cannot really judge the NSA unless you include all the other intelligence services around the world. Russia and China are just 2 examples of countries with wide ranging intelligence services that the NSA tries to keep in check.

  21. Banning Math by Anonymous Coward · · Score: 0

    Really just stop and think (I know it is a strenuous task for those in Washington). It is banning math. When you are dealing with the trivially and infinitely replicatable you should just quit while you're ahead and focus on more useful tasks. Abolish the agencies that singlehandedly make you and the world less secure.

  22. Hopefully it all works out by bcoinbilly · · Score: 1

    Cyber bans would be a good thing. Making sure these crimes are cleaned up will go a long way for a safer cyber-space.

  23. Wrong Question by Kirth · · Score: 1

    The only people that CAN be interested in offensive capabilities are small communities (activists, terrorists, freedom fighters, whistleblowers), because they themselves are not vulnerable.

    Any nation state on the other hand MUST be concerned about closing each and any vulnerability, because it puts them at risk. If it doesn't put the secret agency at risk, it will at least put their allies at risk: All the other branches of government, and companies deemed highly important for the running of the country (power, water, telecommunications).

    So it's UTTER STUPIDITY to have bodies within your government working on "offensive capabilities". They are in fact WORKING AGAINST YOU.

    The difficulty is probably to get the governments to realize this; but then, the problem is basically solved.

    --
    "The more prohibitions there are, The poorer the people will be" -- Lao Tse
  24. Because by Anonymous Coward · · Score: 0

    Making robust, fault tolerant software is hard.....it's easier to have a sham quid pro quo negotiation because diplomacy will solve our problems

  25. Reducing the spread of cyber threat .. by lippydude · · Score: 1

    'the editorial board at the New York Times has suggested that the most constructive approach to reducing the spread of cyber threats would be to "accelerate international efforts to negotiate limits on the cyberarms race, akin to the arms-control treaties of the Cold War."'

    I would have thought the solution is to build 'computer' that can't so easily be hacked. DDOS attacks only being feasible because of all those hacked Windows desktops out there in cyberspace.

    IRAN -- Current Topics, Interaction with GCHQ

    "Iranian Cyber Attacks: Iran continues to conduct distributed denial-of-service (DDOS) attacks against numerous U.S. financial institutions and is currently in the third phase of a series of such attacks that began in August 2012."

  26. If we'd kept individual hacking (Truth Exposing) by Deliveranc3 · · Score: 1

    Legal, this wouldn't be so ugly.

    Do these guys remember that Mitnick got 50 life sentences with no outside contact?

  27. Imagine all the Chinese Hackers by Deliveranc3 · · Score: 1

    DDOSing russian virus writers.

    Imagine all the NSA, protecting Personal Computers Toodaaayyyy.... oh oh oh...

    John Lenno(i)n

    Second Joke: Remember Independence Day, the film where Aliens blow up the White House? And are stopped by a basic computer virus? They're frikken OSS utopianists! With laser beams!

  28. Probably by RuffMasterD · · Score: 1

    I can't even control my meat arms when I'm sober.

    --
    Human Rights, Article 12: Freedom from Interference with Privacy, Family, Home and Correspondence