Last November, Kim Won-Soo, Under Secretary-General and High Representative for Disarmament Affairs in the UN, pointed out that “a cyber-attack on critical infrastructure or, in a nightmare scenario, a nuclear or chemical facility, is becoming a real prospect that must be actively guarded against”.
Indeed, nations are heading into an era of ‘cyber arms races’ and malicious code is now described as a weapon of mass destruction (WMD) by several international organizations.
Additionally, experts and officials highlight that future nuclear arsenals will be ‘cyber enabled’, and governments should therefore seek to establish high levels of cyber security. There are many risks: malicious code could compromise sensitive nuclear information, corrupt or manipulate monitoring data, or undermine the physical protection of nuclear facilities by creating false alerts.
One of the key issues related to cyber threats is the proliferation of so-called Zero-Day Exploits (ZDE). A ZDE targets an undisclosed software vulnerability and can be used by hackers for as long as the vulnerability remains undetected and countermeasures have not been taken. Anyone in a position to build malware – either a hacker or ‘State attacker’ – can exploit such unknown vulnerabilities to steal data, spy on users, map out systems, and even “prepare targeted equipment for carefully-timed destruction.”
There is an expanding global market – in some countries, not illegal – for the purchase of ZDEs by governments, industries and other organisations. This market appears to be largely unregulated and operates under secrecy.
In the same fashion that disrupting WMD proliferation takes a number of measures, tackling ZDEs may require a net of tools including security and safety standards, technical remedies, and traditional non-proliferation instruments.
In broad terms, nuclear security is founded on international treaties, bilateral agreements and confidence building measures, and utilises safety and security measures, monitoring and verification mechanisms, and strategic trade controls.
Policy makers could draw on lessons from nuclear security efforts when contemplating ways to address cyber security concerns. In addition, and given the linkages between nuclear and cyber threats, policy makers should consider addressing such issues through existing mechanisms and organisations. The IAEA, for instance, published guidance on ‘Computer Security at Nuclear Facilities’ as early as 2011. Although certain mechanisms, such as traditional monitoring activities, may not provide much value for detecting cyber weapons, other existing instruments may provide a suitable approach.
One of the most promising approaches for dealing with cyber weapons may be trade controls. The proliferation of ZDEs and so-called ‘intrusion software’ presents a dual-use problem. The same technology and software used by researchers and companies to develop proofs of concept to demonstrate vulnerabilities and test countermeasures can also be used for spying on governments and citizens, or even as a cyber weapon against critical infrastructure and industry activities. In order to counter these threats, trade controls may be useful for a number of reasons:
- They are relatively flexible measures originating in international arrangements – the Multilateral Export Control Regimes (MECRs) – that are politically binding but implemented through national means of legislation and enforcement.
- Their norm-building function could stimulate the adoption of international norms and standards in the cyber security area.
- They represent agile frameworks in the sense that they have been progressively adjusted to monitor sensitive flows of items and technologies while prohibiting only a limited number of exports. In addition, they offer trade facilitations, such as ‘general licenses’ in the EU and ‘license exemptions’ in the US, for compliant exporters exporting to less risky destinations.
- They already control transfers of technology, including technical data and technical assistance, required for the development, production or use of items included in the control lists.
- They have controlled information security technologies and certain types of software (e.g. for encryption) for several years. In 2013, the Wassenaar Arrangement introduced controls on systems, equipment and components (as well as technology and software) specially designed or modified for the generation, command and control, or delivery of intrusion software.
- They offer a number of exemptions, such as those for software and technologies ‘generally available to the public’ or falling ‘in the public domain’.
Despite these advantages, trade controls represent only one type of measure for addressing cyber security threats, and the black market for ZDEs would not vanish without further measures ranging from regulatory standards for trading ZDEs to the adoption of due diligence measures by companies and research institutes.
Additionally, trade control laws are not without problems of their own. They often use excessively broad language or set ambitious rules without necessarily providing credible or practical means to enforce such provisions. For example, the outcry amongst the ICT community following the Wassenaar Arrangement’s introduction of controls on intrusion software is not entirely unjustified, and may lead to revision of such controls.
A related problem is that export control authorities themselves often have a hard time interpreting and implementing challenging provisions and exemptions, especially when it comes to technology and software controls. Presumably, the inclusion of more types of technologies would require additional resources and relevant expertise.
Still, trade controls provide an appropriate avenue for preventing the proliferation of the most sensitive information security technologies and software. The recent European Commission proposal for an ‘upgraded’ export control system suggests the introduction by the EU of additional controls on certain mass surveillance systems and related software, with the aim of defending human rights in countries with repressive regimes and protecting Member-States’ national security interests. The subsequent objections by industry stakeholders and the scepticism of several EU Member-States, however, hint at the problems identified above.
Thus far, States have opted to take action at the national level by building sovereign clouds of servers and preparing defences against cyber strikes. However, States would be well served to apply lessons learned from international CBRN governance to the control of malware.
The on-going work undertaken by the UN Governmental Group of Experts in the field of Information and Telecommunication Security and the EU Directive on Security of Network and Information Systems are examples of the very few multilateral initiatives that currently exist. Initiatives undertaken in the framework of MECRs – which have proven effective in the control of nuclear, chemical and conventional weapons – may provide momentum and stimuli for addressing cyber threats.
Christos Charatsis is an Expert on Strategic Trade Controls, Non-Proliferation and International Security, University of Liege.