LONDON
(AP) — America’s new cyber czar said Wednesday that international law
and cooperation — not another treaty — was enough to tackle
cybersecurity issues for now.
Christopher
Painter, coordinator for cyber issues for the U.S. State Department,
declined to comment on a Wall Street Journal report Tuesday that said
the Pentagon was considering a policy that could classify some
cyberattacks as acts of war. He said the report was based on material
that had either not been released or discussed yet.
He
did, however, say that U.S. President Barack Obama’s recent
cybersecurity strategy covered a myriad of different aspects, ranging
from international freedoms to governance issues and challenges facing
the military.
“We
don’t need a new treaty,” he told The Associated Press as he arrived
for an international cybersecurity summit in London. “We need a
discussion around the norms that are in cyberspace, what the rules of
the road are and we need to build a consensus around those topics.”
New
cyber attacks are being perfected so quickly that the world needs a
nonproliferation treaty to control their creation and use, the chairman
of one of the world’s largest telecommunications companies said
Wednesday.
Michael
Rake of BT Group PLC warned that world powers are being drawn into a
high-tech arms race, with many already able to fight a war without
firing a single shot.
“I
don’t think personally it’s an exaggeration to say now that basically
you can bring a state to its knees without any military action
whatsoever,” Rake said. He said it was “critical to try to move toward
some sort of cyber technology nonproliferation treaty.”
The
suggestion drew a mixed response from cyberwarriors gathered in London
for a conference on Internet security, although at least one academic
praised it for highlighting the need to subject online interstate
attacks to some kind of an international legal framework.
Cyberweapons and cyberwarfare have increasingly preoccupied policymakers as hacks and computer viruses grow in complexity.
Recent
high-profile attacks against Sony Corp. and Lockheed Martin Corp. have
made headlines, while experts described last year’s discovery of the
super-sophisticated Stuxnet virus — thought to have been aimed at
sabotaging Iran’s disputed nuclear program — as an illustration of the
havoc that malicious programs can wreak on infrastructure and industry.
“You
can close vital systems, energy systems, medical systems,” Rake said.
“The ability to have significant impact on a state is there.”
The
threat grows every day. Natalya Kaspersky, co-founder of anti-virus
software provider Kaspersky Lab ZAO, said Internet security firms were
logging some 70,000 new malicious programs every 24 hours. Shawn Henry,
executive assistant director of the FBI, said that last year alone his
agency arrested more than 200 cybercriminals.
How
to deal with that threat was the topic of the two-day summit organized
by the EastWest Institute, an international think tank which gathered
hundreds of law enforcement officials, business leaders, academics and
security consultants for talks in the British capital.
Rake’s
proposal for a nonproliferation treaty lacked detail, but it was one of
several calls for some kind of an international treaty governing
cyberspace. Hamadoun Toure, head of the United Nations
telecommunications agency, said that “we all know that the next war, if
it was to take place, would take place in cyberspace.”
He added that the best way to win such a war was to ensure that it didn’t happen in the first place.
But
those working in the field were divided about the wisdom of any
cybersecurity treaty. Francis Delon, France’s secretary-general for
national defense and security, said it was too early for work toward an
international pact because policymakers were still coming to grips with
the ways that states — and criminals — could strike at each other over
the Internet.
The question was one of “pure pragmatism,” he said. “The ground’s just not ready for it.”
As
for some kind of cyberweapon nonproliferation treaty, Delon seemed
dismissive. Asked whether it was even feasible to track software
programs — thousands of which can fit on a single tiny memory stick — in
the same way that the international community monitors ballistic
missiles or nuclear material, he chuckled.
“I think you’ve answered your own question,” he said.
But
some said the analogy between malicious viruses and nuclear weapons was
appropriate. Solange Ghernaouti-Helie, a cybersecurity expert at the
University of Lausanne in Switzerland, noted that both were capable of
causing catastrophic collateral damage far beyond their original
targets.
She
suggested that Toure’s International Telecommunication Union could act
as a kind of online version of the International Atomic Energy Agency,
which polices member states’ nuclear programs with inspections and
monitoring. She noted that there already is an international body, the
Malaysia-based Global Response Center, devoted to monitoring worldwide
cyberthreats. Perhaps it could do the job?
In any case, she said, “we can’t accept that we can do nothing.”
Paisley Dodds contributed to this report.
The Telecommunication Union’s response center
SOURCE: The Associated Press