Thanks to the hard work of a lot of dedicated and well-meaning people, Iran doesn’t get the bomb today. Maybe tomorrow, maybe next week, but not today. What does this have to do with cyber security?
What diplomats are trying to do with Iran and nuclear weapons others are trying to do with digital ones through vehicles like the Wassenaar Agreement. Much rending of hair and gnashing of teeth has taken place recently with regards to Wassenaar, which is trying to keep code that can do bad things out of the hands of people who want to do bad things (counter-proliferation in a nutshell). The problem with all such calls for “digital arms control” is the same as it is with nuclear/biological/chemical weapons control:
- As a bad guy who wants dangerous weapons, the probability that I am lying about some or all of what I’ve agreed to is 1.
- The things I let you inspect to help ensure compliance with said agreement are completely controlled by me; you see what I want you to see.
- Even if you try to punish me for violating the terms of the agreement, there are plenty of people in the world who don’t mind helping me.
In addition to the issues cited above, when we’re talking about weapons made of bytes and not isotopes:
- The biggest “arms dealers” and “weapons manufacturers” are not nation states. They will not be sending ministers to the negotiating table (they weren't even invited).
- Building a nuclear weapon is hard, complex, expensive, and dangerous; building a digital weapon is none of these things.
- If you cannot find me, you cannot punish me, and given the rate and volume at which cyber criminals are caught, tried and jailed worldwide, the probability of you finding me is very close to 0.
And not for nothing, but the impact of digital weapons is nothing like the impact of nuclear weapons. You're going to shut down the grid? That's something the citizens of Hiroshima on 8/6/45 and/or Nagasaki on 8/9/45 would have taken over the alternative. Take me off-line? Life pre-Internet is basically life circa 1976. I was there. It wasn’t that bad.
Getting polite, well-behaved people to agree to be polite and behave well is no real accomplishment. When it comes to dangers from the ‘Net we are talking about a domain that is rude, cruel, and effectively ungovernable. An accomplishment in this arena is going to require people to develop strategies that deal with the world as it is, not how we wish it to be. I am no diplomat, nor do I have a tattoo of von Clausewitz on my lower back, but for what my BTC .00008 is worth:
- Don’t focus on offense or code. In cyberspace everyone is a potential AQ Khan. Trying to enforce such a regime would be the ultimate exercise in futility. There is no incentive to surrender such a program, and with so many non-aligned and non-state players, no meaningful deterrence scheme.
- Incentivize defense. Not discrete defensive devices or actions per se, but an environment where it is fast and easy for participants – all the polite people – to work together. Bad actors thrive and offense wins not because defense is harder (what everyone who has never done vulnerability research says), but because defense is high-friction and there is no benefit to being a nice guy.
- Strive for resilience: a cyberspace – and physical underpinnings – able to operate no matter what the bad guys throw at it. That was a key feature of the original (proto?) Internet, but over time we kept adding layers of fragility on top of it, and now we wonder why things break so easily.
I believe all efforts to stop the spread of dangerous things to evil-doers are made with the best intentions; I just don't believe (particularly when it comes to things-cyber) they're very practical or effective. We are faced with very serious problems that do not lend themselves to traditional solutions or legacy thinking, but because we are led by people who are uncomfortable with unconventional solutions and novel thinking, we end up with responses that are well worded, well regarded, and completely unworkable.