Cybersecurity guru Eugene Kaspersky has called for an international cyber-weapons treaty because, he says, there is no feasible way to defend all of our critical network infrastructure against cyber attacks. His reason sounds like a good one. Unfortunately, it won't work, according to CIO.com blogger Constantine von Hoffman. Here's why.
By Constantine von Hoffman, CIO
It was inevitable: We have cyber war, so somebody was going to call for a treaty to limit cyber weapons. Weapons treaties have a long history of failure, and this idea seems like more pacifist, liberal woolly-headed thinking. However, when you consider who’s calling for it – Eugene (“Labs”) Kaspersky, cybersecurity extraordinaire – and why he is doing so, you pretty much have to give it a second look.
Speaking at the CeBit 2012 conference in Australia, Kaspersky said the world’s governments need a treaty to limit cyber weapons. The reason? He knows of no feasible way to protect a nation’s power grid and other industrial systems. To do so, Kaspersky said, would take millions of engineers and a substantial amount of time. And we don’t have either.
“Cyber weapons can damage a physical object as badly as a traditional weapon. I’m afraid that there’s only one way that they can be protected and that’s international agreements against cyber weapons, same as was done with nuclear weapons, chemical weapons and biological weapons.”
It is no accident that Kaspersky pointed out this last group of weapons. The treaties aimed at limiting the use or size of conventional weapons have at best failed outright and at worst actually increased the pace of the arms race. Conventional weapons aren’t scary enough. However, nuclear, biological and chemical (NBC) weapons are. So the world’s governments have taken a solemn pledge to never use them against any other nation that also has them.
Mutually assured destruction has prevented nations from flinging nukes at other nations with nukes for six decades. You can’t hide the use of nukes, and this has prevented nations from using them on anyone else. Many major powers–certainly the United States and the U.S.S.R.–used bio and chem weapons during conflicts in Vietnam, Afghanistan and elsewhere. Some minor powers–including former CIA employee-of-the-month Saddam Hussein–also used them, mostly on their own citizens.
If a weapons treaty is going to succeed, it has to ban either the use of irrelevant items or items that are exceptionally difficult to defend against. “Dumdum” or expandable bullets have–mostly–not been used by the armies of the world since 1899. Why? Plenty of other bullets are just as effective.
Similarly, some cyber weapons can become irrelevant because successful defensive measures can eventually be created. Cyber weapons as a class, though, are impossible to defend against and their potential impact is very, very scary. They are also very, very easy to use without getting caught. So even if the world signed a treaty, it would be easy to evade.
The other issue is what the political science types call “non-state actors”–what everyone else calls terrorists. It is at least as easy for them to create and use cyber weapons as it is for any government. Even if you could be sure no other government would launch a cyber attack, you’d still have to worry about things like this story from today’s news: Al Qaeda Calls For Virtual Terrorism.
Yes, as Mr. Kaspersky pointed out, defending all this is close to impossible – but what is the other option?