In his new film Zero Days, Alex Gibney uses the Stuxnet weapon created by the US and Israel as a context and pretext to talk about cyber weapons, cyber war and call for cyber peace.

A “zero day” is a technical term for a software bug. It that can be used to break into a computer through a vulnerability that no one, not even the software maker, knows exists. There is a big market for zero days; whoever has one, knows they can get into your machine any time they like and you have zero days to prepare or protect against the intrusion. Some adversaries are willing to pay big dollars in order to intrude, while companies and individuals are also prepared to pay high prices in order to patch their systems and prevent reputational damage.

The Stuxnet worm contained 4 zero days and was an attack on an Iranian nuclear facility designed to slow down and speed up centrifuges enriching uranium. Stuxnet demonstrated the potential impact cyber weapons could have on physical infrastructure and equipment, as well as the danger that such malware could reproduce through civilian networks. It is viewed as the first cyber attack.

Gibney uses a trick in his film to make the viewer believe there might be a new national security whistleblower. In fact this actor gives voice to disgruntled intelligence agency workers who spoke to Gibney off the record to confirm precise details and confirmation that an arms race is underway with potentially catastrophic consequences. The character explains the NSA’s TAO – Tailored Accessed Operations unit as two parts macho military and 2 parts geek, describes the CIA’s leading role in putting implants into machines, and reveals that Stuxnet was just the beginning when compared to Nitro Zeus, a set of weapons designed to totally inhabit Iran’s systems – critical infrastructure, banks, communications, transportation – with the option of taking them down and out. Apparently these NSA, CIA and TAO folks are angry about the secrecy, too afraid to come forward but have spoken to Gibney because they want a mature public debate about the dangerous capabilities under development and deployment.

Gibney has some success in communicating this difficult issue visually and in using the Stuxnet example to show the intense secrecy shrouding these weapons created by the intelligence community that penetrate networks in order to spy or to degrade, disrupt or destroy them. The fact that they do both – espionage and warfare, areas covered by different parts of states and different categories of law – means they pose entire new combinations of challenges that defy the logic of current policy, legal and technical categorisations or silos.

I’ve been worrying about this issue for a while now and here is my crude summary of what I see:

The potential for these weapons to cause grave harm is gravely underestimated.   Essential services and systems in the financial, education, health, transport, media and communications sectors are increasingly based on the Internet, relied upon by all governments and billions of organizations and individuals. Treating the Internet as a military battlefield places the digital future at risk and is poor security policy and risks future innovation that Internet development offers.

The peace and disarmament people can’t get their heads around it. Cyber attacks do not resemble traditional armed attacks and traditional arms control and disarmament approaches are rooted in an ‘industrial’ conception of military technology – large-scale, inorganic, assembled and mechanized.

Most human rights and digital rights organisations can only think about cyber weapons in terms of privacy. But they are much more than that. The mainstream human rights organisation folks are terrified that if any new norm or instrument is even discussed, that human rights standards could be rolled back. Whether from weariness, post traumatic stress or perception that this issue is too political, they use the word ‘premature’ like it’s an argument, lie back and think of Geneva, while actual human rights activists return to the bloody, ripped and mutilated person with a face and a name in front of them and don’t feel they have the luxury of working on theoretical or futuristic dangers.

An invisible arms race is underway and most governments care about this issue only to the extent that they haven’t yet caught up. Over 100 governments are developing or deploying offensive cyber weaponry, with the US investing remarkable sums and normalising and legitimising the building of a new type of arsenal through the Department of Defence Strategy for Operating in CyberSpace of 2011 and April 2015. The race we are seeing on the part of governments is an attempt to exploit the absence of controls for maximum first mover advantage. US Presidential Policy Directive 20 authorizes targets for cyber attacks and clearly shows that foreign networks have been penetrated and their security systems already compromised. 

No adequate prevention, coordination or control measures are exercised over such cyber weapons, practices and their effects on people. Elaborating expectations, principles, rules, procedures and norms offers many benefits to everyone reliant upon the Internet – its ongoing existence and the protection of fundamental rights and freedoms online and offline. In order to achieve a sustainable cyberspace, consensus is needed on definitions and rules specific to the potential threat of weaponized software code and the harmful and violent use of cyber space. Common understanding of what constitutes ‘armed’ cyber attack is needed, as well as what acceptable, necessary and proportionate forms of defence might comprise.

Russia first introduced a resolution to the General Assembly in 1998 on this issue, under the title of ‘Developments in the field of information and telecommunications in the context of international security.’ The resolution has been adopted without a vote each year, except when the United States cast a sole negative vote from 2005 to 2008. On 12 September 2011, Russia, China, Tajikistan and Uzbekistan proposed an international code of conduct for information security.  A week later, Russia published a draft Convention on Information Security. The west hates it because it introduces the concept of sovereignty in the cybersphere, which they like to think of as a commons when the potential for new rules are being discussed, and privatise the hell out of it the rest of the time.

The only mechanism the US will allow on this issue at the UN are Groups of Governmental Experts (GGEs), groups of 20 or so governments that write non binding reports. The first failed to reach consensus in 2005; however, the 2010, and 2013 efforts were able to issue substantive consensus reports. The 2013 report was issued 2 weeks after the Snowden revelations came to light, so another was immediately triggered and reported in June 2015 and showed some progress in affirming that international law applies online, and also in affirming that states should not allow attacks to be launched from their territories and calling for increased exchanges of information. Le Sigh. Another of these closed groups is underway, meets for the first time in August 2016 and reports to the General Assembly in 2017. Can’t wait.

While there is a general agreement that existing international law prevails in cyberspace, law by analogy is impractical and inadequate. On April Fools Day 2015 President Obama declared a cyber emergency, which was extended to continue beyond 1 April 2016. In November 2015, US legislators called for the development of an E-Neva Convention, similar to the Geneva Conventions. Secretary of State John Kerry and National Security Advisor Susan Rice were called upon to “begin a process of clarifying international law and regulations around cyber warfare and cyber attack.”

A global collaborative resilience effort, similar to the preparation for the Y2K threat, is needed. Such an effort could see governments working together and with relevant actors such as ISPs to achieve zero botnets. While some botnet attacks are merely mischievous, a botnet of 10 million hosts could paralyze the network infrastructure of a nation.

Bruce Schneier, one of the world’s leading security experts has written on the need for a treaty banning cyberwar: “We’re in the early years of a cyberwar arms race. It’s expensive, it’s destabilizing, and it threatens the very fabric of the Internet we use every day. Cyberwar treaties, as imperfect as they might be, are the only way to contain the threat.”

Some concrete ideas that have come up in discussions:

1. WAKE UP!

2. Establish a standing and international body, an Computer Emergency Response Team that would share information among nations and relevant actors, monitor incidents, mitigate misunderstandings and ensure that states or the international community as a whole does not respond to false alarms.

3. Initiate consultations towards negotiation that codify definitions and measures to limit the humanitarian and human rights impact of weaponizable information and pervasive monitoring towards a ban on offensive cyber weapons

4. Stress the principle of “meaningful human control” over weapons as a key ‘red-line’ principle, without which weapons are illegitimate, whether tangible physical instruments (such as landmines or autonomous weapons systems) or weaponized software code.
 
5. Include military / security software, plans and related technologies on their Arms Trade Treaty National Control Lists of “Parts and Components” (Article 4 & 5).