Cyber Arms Control Pipedreams: Why Attempts to Limit Malware Development Are Destined to Fail
As the extent of the NSA’s offensive programs becomes public knowledge, the editorial board at the New York Times has recommended that the United States government try to jam the lid back on Pandora's Box by engaging in “international efforts to negotiate limits on the cyberarms race.” The editorial board then references Cold War arms-control treaties as a model for future efforts. Yet the history of the Cold War demonstrates that arms-control treaties don’t always pan out. Moreover the inherent nature of malware engineering makes the detection of treaty violations nearly impossible.
For example, in 1972 the Nixon administration participated in an international treaty with the United Kingdom and the Soviet Union to ban the production of bioweapons. Unfortunately, the Soviets interpreted the 1972 Biological Weapons Convention as a go-ahead to aggressively pursue an initiative that eventually scaled up into hundreds of tons. According to Kanatjan Alibekov, the first deputy director of the Biopreparat, Soviet researchers were up to their necks in biological WMD:
“In the ’70s and beginning of ’80s the Soviet Union started developing new biological weapons—Marburg infection biological weapon, Ebola infection biological weapon, Machupo infection, [or] Bolivian hemorrhagic biological weapon, and some others.”
Seven years after treaty’s ratification approximately 100 people died under suspicious circumstances in the Russian city of Sverdlovsk. The Soviets initially claimed that the deaths were caused by tainted meat. Over a decade later President Boris Yeltsin admitted that the deaths were a result of a clandestine military operation.
Keep in mind that manufacturing bioweapons on an industrial scale required the Soviets to build dozens of facilities and employ thousands of people. An undertaking that wasn’t easy to conceal, especially with CIA specialists conducting exhaustive “all source analysis” to ferret out treaty violations. Nevertheless the USSR ran the world’s biggest illicit program right under the CIA’s nose. And they got away with it for years.
Developing malware is nowhere near as involved. Software engineers don’t need fermenting vats two stories tall. Offensive cyber technology tends to be small and easy to conceal. Agencies like the NSA can develop malware anywhere, with little or no logistical footprint, using compartmentalized cells of engineers hunkered down in unremarkable office spaces. Try spotting something like that with a spy satellite!
Furthermore, if a nation were to break a cyberarms treaty and deploy outlawed malware, spies would no doubt utilize anonymity technology in conjunction with anti-forensics to throw off investigators. Classified documents leaked to the press indicate that intelligence services, as a matter of standard operating procedure, use foreign commercial cover to launch false flag operations. The reason that we have definitive information about the authorship of Stuxnet and Equation Group malware is that U.S officials openly claimed responsibility.
Rather than trying to discourage other countries from building malware, why not promote national policies that work to render offensive technology inert? Cyber-attacks succeed on behalf of sloppy engineering. In part because hi-tech companies are allowed to treat security breaches as a negative externality. And also as a result of the NSA’s industry-wide campaign of subversion. In other words, poor cyber security is a matter of official policy. Vulnerabilities persist because deep sources of wealth and power benefit from them.
The arms control mindset presumes the top-down worldview of cyber security a priori, where spies undermine our collective cyber security under the rubric of national security and CEOs sell substandard products on behalf of quarterly profits. Let’s reset American priorities to implement cyber-security from the bottom up so that everyone has access to relatively high levels of security.