Page 12 - index
P. 12
smoke and eventually shutdown. The point is that these ill-protected machines form the
cornerstone of public-dependent infrastructure yet are wholly unprepared against the many
facets of cyber hostility. This increasing risk, however, is not confined solely to the industrial
sector - it infiltrates the individual as well. In 2008, University of Michigan computer scientist
Kevin Fu demonstrated hacking ‘into a combination heart defibrillator and pacemaker to induce
potentially fatal electric jolts’. At the time, the discovery was coupled with fears over Vice-
President Dick Cheney’s pacemaker who, as a precaution, disabled the pacemaker's Wi-Fi to
prevent any compromise. Only a year prior, the security company McAffee claimed ‘they'd found
a way to hack into an insulin pump to make it release 45 days worth of insulin in one go’.
Considering this challenge to the individual’s and public’s safety, the call for a limit on
detrimental cyber technology cannot come any sooner. I salute and agree with Eugene
Kaspersky, CEO of Kaspersky Labs, when he said ‘we must have an international agreement on
cooperation, non-proliferation and non-use of cyber weapons… [and] that cyber weapons
targeted at critical infrastructure must be forbidden’.
Patently, there is an urgent need for states to realign their focus on cyber issues towards
restricting the use of sinister capabilities. Governments, however, remain confounded by a
plethora of nebulous cyber definitions, perpetuated mostly by an ill-informed press under the
‘cyber warfare’ tag. Without clear terms of reference, it is impossible to impose these much-
needed limitations. To the trained eye, it is widely acknowledged that a cyber-weapon is not
classified or legally defined by its intrinsic properties but by the effect it causes. I liken this to the
‘repurposed candlestick’. You know what I mean - Colonel Mustard, in the library, with the
candlestick - clearly the candlestick was not designed for murder but was an effective weapon
nonetheless. An example of this is the malware and remote-access trojan Duqu: who’s purpose
and function was to collect data and assets in preparation for the attack by the Stuxnet Worm.
Although Duqu’s setup was not inherently destructive, it was a fundamental component of the
larger weapon at hand, Stuxnet. Such capabilities have become readily available with the
widespread dissemination of blueprints and malicious hardware throughout public fora.
Development costs of quasi-Stuxnet technology can now be as little as $10,000 - facilitated by a
highly-profitable, intangible and opaque cyber black-market. If nation states are to reduce ease-
of-access and restrict the use of harmful cyber capabilities, they must first formalise the terms of
exactly what it is they are restricting.
With this in mind, the struggle to hold back the perennial tide of malignant cyber attacks is
considerable in the extreme. Whilst governments appear content to utilise the fifth domain as a
strategic resource, most have shirked the responsibility of securing this new global common.
Subsequently, individual, group and even state actors enjoy carte blanche to exploit cyber for
their own sinister intent. Embryonic legislative attempts such as the European Cyber
Convention illustrate that states have been preoccupied with the low-hanging fruit of cyber crime
whilst neglecting to deal with the more-difficult unregulated use of weaponised cyber technology.
Though there has been some progress to demarcate the utility of agreed cyber capabilities -
most notably with the Multilateral Export Control Regime (MECR) and the 1996 Wassenaar
Arrangement - it is not enough! States need to lean in and meaningfully engage in developing a
framework document that clearly defines the various strands of sinister cyber activity. As a hand
rail, I use the acronym TWESC that helps label the various categorisations that exist like Cyber:
Terrorism, Warfare, Espionage, Sabotage and Crime. Critically, it is essential states give deep
consideration to mapping restrictions from the existing four dimensions of warfare to the fifth
where appropriate and relevant and enshrine them in law.
12 Cyber Warnings E-Magazine – January 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
