
FRAMING THE PROBLEM

In the twenty-first century, information is the key coin of the realm. Nations rely on information and information technology (IT) to ever-increasing degrees. Computers and networks are integral for most business processes, including payroll and accounting, tracking of sales and inventory, and research and development (R&D). Delivery of food, water, energy, transportation, healthcare, and financial services all depend on IT, which is itself a major sector of the economy. Modern military forces use weapons that are computer controlled. Coordination of actions of military forces depends on networks that allow information about the battlefield to be shared. Logistics for both civilian and military activities depend on IT-based scheduling and optimization.

But bad guys also use IT. Criminals use IT to steal intellectual property and commit fraud. Terrorists use IT for recruitment, training, communications, and public outreach, often in highly sophisticated ways, although to date they are not known to have used IT to commit destructive acts. And as the U.S. government is exploring various ways of using cyberspace as an instrument of national policy to create political, military, diplomatic, economic, or business advantages, other nations—some of them with interests that do not align with those of the United States—are doing the same.

One commonly used definition of dual-use technology is “technology intended for beneficial purposes that can also be misused for harmful purposes.”1 This article focuses on the governance of specific applications of IT (or research aimed at developing such applications) designed and intended to create specific negative effects on a target’s computer or communications system or the information inside it, being carried through it, or being processed within it and which can be used for both beneficial and harmful purposes. In the lexicon of this article, these specific applications are “cyber weapons.”2 The negative effects of possible concern are effects on integrity (in which data or computer operations are altered with respect to what users expect), effects on availability (in which services provided to users of the system or network are unavailable when expected), and effects on confidentiality (in which information that users expect to keep secret is exposed to others).

Note the distinction between effects and purpose. A gun is designed to have negative effects on objects and people. But in the hands of the good guys (e.g., the police), its use is beneficial to society.3 Guns are misused for harmful purposes primarily when they are put into the hands of the bad guys (e.g., criminals). Similar comments apply to applications of IT with negative effects. For example, a negative effect of a specific program might be to render ineffective the encryption capabilities of a targeted system. In the hands of the good guys, the purpose may be benign or societally beneficial—consider, for example, the properly authorized use of such a program by a law enforcement agency against a computer used by criminals. But if the same computer program performing the same task were used by a terrorist or criminal (e.g., used against a government computer containing classified information or a corporate computer holding confidential business plans), that purpose would be regarded as a harmful or nonbenign misuse.

When the use of a cyber weapon affects the integrity or the availability of a service, it is usually classified as a cyberattack. More generally, cyberattack refers to the use of cyber weapons to alter, usurp, deny, disrupt, deceive, degrade, or destroy computer systems or networks used by an adversary or competitor or the information and/or programs resident in or transiting these systems or networks. The activities may also affect artifacts connected to these systems and networks—examples of such artifacts, often called cyber-physical devices, include generators, radar systems, and physical control devices for airplanes, automobiles, and chemical manufacturing plants. A cyberattack might be conducted to prevent authorized users from accessing a computer or information service (a denial of service attack), to destroy computer-controlled machinery, or to destroy or alter critical data (e.g., timetables for the deployment of military logistics).

1. See, for example, National Research Council, Biotechnology Research in an Age of Terrorism (Washington, D.C.: National Academies Press, 2004); and Seumas Miller and Michael J. Selgelid, “Ethical and Philosophical Consideration of the Dual-Use Dilemma in the Biological Sciences,” Science and Engineering Ethics 13 (4) (2007): 523–580. The definition used in the life sciences contrasts with what might be called a “traditional” definition of dual-use technology; namely, technology that has both civilian and military applications. This traditional definition is used by the U.S. government (15 CFR 730.3) and the European Commission (see “Dual-Use Export Controls,” updated January 28, 2016, http://ec.europa.eu/trade/creating-opportunities/trade-topics/dual-use/).

2. The term weapon is not entirely satisfactory in this context, since in noncyber contexts a weapon is usually an artifact that is used to destroy or damage human beings or other objects. However, this author knows of no other word that is any better, and many that are worse.

3. Although not all uses of guns by police are societally beneficial, such uses are not the intent of supplying guns to police officers.

When the use of a cyber weapon compromises the confidentiality of information that is intended to be kept secret from unauthorized parties, it is usually classified as a “cyber exploitation.” (Press accounts often use the term cyberattack when the activity conducted is actually cyber exploitation.) More generally, cyber exploitation refers to the use of cyber weapons to obtain information resident on or transiting through a system or network. The information sought is information that the target wishes not to be disclosed. For a company, such information may include trade secrets, negotiating positions, R&D information, or other business-sensitive information. For a nation, such information may include intelligence information, the strength and disposition of military forces, military plans, communications with allied nations, and so on. Of particular interest is information that will allow the perpetrator to conduct further penetrations on other systems and networks to gather additional information.

In general, a cyber weapon requires both penetration and payload. (Selecting the targets on which cyber weapons are used is a matter of command and control of those weapons.)

Penetration requires a mechanism for gaining access to the system or network of interest (e.g., through the Internet, by physical intrusion) and taking advantage of a vulnerability in the system or network. Vulnerabilities may be accidentally introduced through a design or implementation flaw (often called a “bug”), or introduced intentionally (e.g., by an untrustworthy insider). Before a vulnerability is known to the supplier of the system or network (and thus before it can be repaired), a system with that vulnerability can be penetrated by an adversary who does know of it. When an adversary uses a vulnerability that is unknown to others to effect penetration, it is termed a “zero-day” penetration or compromise, since the victim will have had zero days to respond to it.

Payload is the term used to describe the mechanism for affecting the victim’s system or network after penetration has occurred. The payload is a program that executes after the cyber weapon has entered the computer system of putative interest;4 payload execution may result in the weapon reproducing and retransmitting itself, destroying files on the system, or altering files. Payloads can be designed to do more than one thing, and these things can happen at different times. If a communications channel is available, payloads can be remotely updated. (And in some cases, the function of the payload is performed by a human being who has gained remote access to the computer in question through use of a penetration mechanism.)

4. The qualifier “of putative interest” accounts for the possibility that the payload may find itself in a computer system that the attacker did not intend to attack; in this case, payload execution may have negative effects on the wrong system.

From the standpoint of the victim, one of the most problematic aspects of cyber weapons arises from the fact that the payload—and only the payload—determines whether the weapon is used for damaging or destructive actions (attacks) or nondestructive actions (exploitation/espionage). Even after recognizing an intrusion into a system or network, the victim usually cannot be certain whether the purpose of that intrusion is destructive or nondestructive.5

Some of the most important characteristics of cyber weapons are as follows:

• The use of a cyber weapon can lead to results that vary from the utterly insignificant to destruction over a large scale. Similarly, the duration and spatial scale of a cyber weapon’s impact can span many orders of magnitude. But any given cyber weapon almost certainly is not designed to span such a range.

• A given cyber weapon can often be used only once because a penetration that takes advantage of a system or network vulnerability usually reveals the vulnerability. If the victim repairs the vulnerability, a later use of the same weapon may not succeed.

• Obtaining a large-scale and long-lasting impact from the use of a single cyber weapon can be highly challenging. Large-scale impact may well require simultaneous attacks against a large number of heterogeneous targets, and such heterogeneity means that a different attack would have to be crafted against each target type. Long-lasting impact may require repeated strikes against the targets of interest, and any vulnerability whose presence resulted in serious negative effects is likely to be repaired quickly, making that vulnerability unusable in the future.

• The effects of using a cyber weapon may or may not be significantly delayed in time from the moment of penetration. That is, the payload may not execute immediately once penetration has been effected.

• The successful use (launch) of a cyber weapon generally depends heavily on accurate, detailed, and timely information about the target (and what is connected to it). Such information may be gathered through the use of a variety of methods, including the use of other cyber weapons. In the absence of such information, the use of any given cyber weapon may have no effect whatsoever.

• The effects of using a cyber weapon remain unknown until the payload executes (or until all of the payload is available for analysis).

• The use of a cyber weapon is plausibly deniable under many circumstances—the so-called attribution problem. High-confidence attribution of such use to an entity that can be held responsible is most difficult when the weapon in question has never been used before (which means there is no historical record with which to compare), when the responsible entity has maintained perfect operational security (which means the victim has no other sources of intelligence on which to make a judgment), and when the judgment needs to be made quickly. Conversely, when these conditions are not true, attribution is often much easier.

• A given cyber weapon may or may not be self-propagating. Self-propagation refers to the ability of software to duplicate itself on one system and then to take advantage of connections to other systems to spread to those systems. Depending on the weapon’s programming, self-propagation may be limited or unlimited. To the extent that the computing environments of affected systems constitute a monoculture, self-propagation is dangerous because the same program can affect all of the systems involved. But if the relevant computing environments are different from one another, similar effects on all of the systems are unlikely to be the result. A cyber weapon that is not self-propagating affects only the system against which it is targeted, except to the extent that failures in that system may affect other systems connected to it.

• The expertise and infrastructure needed to create certain kinds of cyber weapons extend beyond the usual purview of computer scientists. Cyber weapons that are intended to be used against cyber-physical systems—systems or devices that are controlled by computer but have tangible effects in the physical world—also require expertise specific to those systems or devices and also, under some circumstances, test facilities that are a high-fidelity replica of the targets to be attacked. (For example, the Stuxnet worm used to attack Iranian centrifuge facilities was previously tested on facilities located at Dimona, the Israeli nuclear complex in the Negev Desert.6)

5. In some contexts, certain forms of espionage—for example, involving ships, submarines, or aircraft as the collection platforms—have been seen as military threats, so the mere fact that a given action might count as espionage (among other things) does not mean that the action in question must be regarded as “only” espionage. See, for example, Roger D. Scott, “Territorially Intrusive Intelligence Collection and International Law,” Air Force Law Review 46 (1999): 217–226, http://www.afjag.af.mil/shared/media/document/AFD-090108-036.pdf.

Because cyber weapons can be used for beneficial purposes (i.e., by the good guys) and misused for harmful purposes (i.e., by the bad guys), cyber weapons constitute a dual-use technology of concern. But unlike the case for the analogous dual-use technology in biology (for which there is a well-established consensus that the use of a biological weapon would define the user as a bad guy), what makes the use of a cyber weapon harmful is very much in the eyes of the beholder.

For example, consider technologies that make it easier for nations to spy on one another. Most nations conduct espionage operations on other nations, and yet no nation wants other nations to conduct similar operations against it. From Nation A’s perspective regarding Nation B, A’s use of espionage against B serves a beneficial purpose, whereas B’s use of espionage against A serves a harmful purpose. Of course, Nation B believes the opposite.

6. William J. Broad, John Markoff, and David E. Sanger, “Israeli Test on Worm Called Crucial in Iran Nuclear Delay,” New York Times, January 15, 2011, http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html.

The nations of the world have not agreed that the use of cyber weapons is ipso facto a harmful use, nor have they agreed that only bad guys use cyber weapons or that the development and acquisition of cyber weapons is necessarily something to be avoided.7 For these reasons, much of the governance discussion in this chapter explores what the world does and does not believe about cyber weapons.

A second example comes from the email people routinely receive. A substantial portion of email traffic consists of “spam”—unsolicited commercial email that is sent in bulk. For the vast majority of recipients, such emails are annoying and in effect constitute a denial of service attack on them. Recipients waste time deleting these emails in search of useful emails in their traffic. But for the senders of such email and a small proportion of those who receive it, the email is beneficial. Senders earn some profit from sending the emails, and some individuals want the products or services offered and respond affirmatively.

So what are the beneficial purposes of cyber weapons? Perhaps the most important purpose is to assist defenders in testing themselves against adversaries. That is, if I want to strengthen my system against a cyber onslaught, I need to take specific measures—and then I need to test my upgraded system to see if indeed it is more robust. Knowledge of possible offensive techniques (using cyber weapons) helps me to design a better defense—and my refraining from developing specific cyber weapons is no assurance that others will do the same.

Who uses cyber weapons for harmful purposes? The range of possible users is large and includes lone hackers acting as individuals; criminals acting on their own for profit; organized crime (e.g., drug cartels); transnational terrorists (perhaps acting with state sponsorship or tolerance); small nation-states; and major nation-states. Moreover, today one can find service providers who will, for a fee, use cyber weapons against targets of the customer’s choosing. The availability of such services enables any party with the appropriate financial resources to cause negative cyber effects, even if that party has no particular technical expertise.

Motivations for using cyber weapons in such operations also span a wide range. One of the most common motivations is financial. Cyber exploitations can yield valuable information, such as credit card numbers or bank log-in credentials; trade secrets; business development plans; or contract negotiation strategies—such information can be sold. Cyberattacks can disrupt the production schedules of competitors, destroy valuable data belonging to a competitor, or be used as a tool to extort money from a victim.

Another possible motivation is political. A perpetrator might use cyber weapons to advance some political purpose. A cyberattack or exploitation may be conducted to send a political message to a nation, to gather intelligence for national purposes, to persuade or influence another party to behave in a certain manner, or to dissuade another party from taking certain actions.

7. At times during the Cold War, both the United States and the Soviet Union advocated peaceful applications of nuclear explosives. Although the idea of such applications has largely fallen out of favor, some nations apparently continue to advance that position. Still, the taboo against nuclear explosions—for whatever purpose—is much stronger and globally widespread than any existing norms of behavior regarding the use of cyber weapons.

Still another reason for conducting such operations is personal. The perpetrator might conduct the operation to obtain “bragging rights,” to demonstrate mastery of certain technical skills, or to satisfy personal curiosities.

Lastly, the use of cyber weapons could be integrated into military operations in much the same way as kinetic weapons. In such scenarios, cyber weapons become just another weapon that military commanders might use—in this case, to damage either the system or network directly targeted or the devices connected to it. Individuals with no military affiliation may also wish to use cyber weapons for physically destructive purposes for reasons such as maliciousness, extortion, or financial gain.

A focus on the governance of cyber weapons means that other governance measures that promote cyber defenses—applications of IT intended to thwart or respond to the operation of cyber weapons—are not central to this chapter. In the big picture of efforts to promote and enhance cybersecurity, this is a big omission, as the vast majority of work on cybersecurity and related governance measures is defensively oriented. But since the vast majority of defensive applications are regarded as benign and because few parties feel a need to govern benign activities, they fall outside this chapter’s ambit.8 Therefore, this chapter does not address governance measures focused on defense, such as measures to improve coordination of defensive responses to cyberattacks, to promote and enhance cooperative relationships among law enforcement authorities in different nations in order to enhance their ability to respond to cyberattacks, or to build stronger and more resilient cyber infrastructures. Such measures—and others—are unquestionably important to the governance of security in cyberspace, but the issues associated with the governance of security in cyberspace
