W. Alex Sanchez
Research Fellow, Council on Hemispheric Affairs
August 3, 2012
Guest Blogger, W. Alex Sanchez, Research Fellow at the Council on Hemispheric Affairs, and participant in the International Cybersecurity Dialogue, introduces the issues surrounding cyber arms dealing, especially as they relate to Latin America.
In a way, the Stuxnet virus is not that surprising. Washington and Tel Aviv, just like Washington and London, have a historical “special relationship;” hence it is not astounding at all that binational operations include defense-related initiatives, such as dealing with a common foe (in this case, Iran). But what kind of precedent has been set by this inter-state cyber initiative? And what can we expect in the future? Malware can be acquired online fairly easily as many websites allow hackers to upload basic malware programs for download. Usually these viruses target basic software like chat programs, cracking product keys for professional software like Windows or Adobe Suite, and Trojans that can be sent to infect other computers. There are also IP addresses where, for the right price, more sophisticated malware programs can be quickly acquired. But these exist in the (borderline) illegal part of the internet and several governments are already formulating laws to catch up to the ever changing virus technology. But what about the future of legal cyber weapons trade?
The trade of conventional weapons between nations is a multi-billion dollar industry that circles the entire globe because trading such expensive weapons as warships, battle tanks and missiles can be a lucrative economic activity. States like the U.S., Russia, China and Israel are major conventional weapons suppliers, but even states not usually known for their strong militaries make a generous profit from weapons manufacturing. For example, Sweden’s SAAB produces high quality missile systems, such as AT4 anti tank weapons. But even when it comes to conventional weapons trade, there are limits of how far countries are willing to sell others regarding destructive weapons and state-of-the-art technology. For example, for several years Russia has delayed the delivery of its modern S-300 defense system to Iran (though, the Israeli government argues the contrary). There are also several treaties, ratified by a plethora of states, that impose limits to the type of weaponry they will sell each other; although, unfortunately, some of them are not always upheld.
But when it comes to cyber weapons, the developed cyber nations have yet to adopt rules and place limits on what kind of software can be exchanged or sold either between nations or a private company and governments. For example, much has been written lately of the controversial spyware known as FinFisher, produced by the UK-based Gamma group, and how it may have been used by the government of Bahrain to help crack down on protesters in that Arab state.
As an international security analyst for the Council on Hemispheric Affairs, my focus centers on defense issues that relate to Latin America and the Caribbean. Hence, it is part of my job to see how the development of cyber security affairs in the Global North (which I regard as the U.S., Europe, Israel, Russia and China), will affect Latin America in the coming years. This becomes even more important when we take into account that Latin America continues to be a region that is plagued with inter-state tensions that, in a worst-case scenario, could end in inter-state warfare (though it is worthy to highlight that this has been thankfully scarce in the past decades). For example, there is an ongoing maritime border dispute between Peru and Chile (the two countries have been at odds with each other since a 19th century war), and occasional flares between Colombia and Venezuela (like after an incident in 2008 that included a Colombian military raid in Ecuador to attack a guerrilla base there, subsequently Caracas almost declared war against Bogota to protect Quito’s sovereignty). The point here is, while Latin America has been slow to come around to the cyber world, this is rapidly changing, and cyber security is catching on. For example, Brazil’s army recently created a center for cyber defense. If we also take into account that a number of countries, besides Brazil, have experienced major economic growth in recent years, similar to Mexico and Peru, then the question becomes a matter of when, not if, cyber weapons will become a factor in Latin American military affairs.
Therefore, it becomes a necessity to begin some kind of international regulatory system for cyber weapons. In a few years, Stuxnet-like operations may not come just from some of the world’s most developed states, but regional powerhouses with more localized domestic national security interests. What should the role of the cyber powers be at that point? Could the government in Lima, a historical U.S. ally in Latin America (though of course not at the same level of Tel Aviv or London), approach Washington and ask to purchase cyber weapons capable of knocking out Chile’s electric grid as a mean to use as a dissuasive weapon to deter any possible conventional military threat from Santiago (another U.S. ally)? Or how about if Bogota, another close US ally, asks for spyware or more offensive software, should tensions flare up once again with Venezuela (repeatedly accused by the U.S. of being lax, at best, on fighting drug trafficking and for President Hugo Chavez’s friendship with the Iranian government). Finally, should London place limits on Gamma if it plans to sell its spyware to a Latin American state which is known for its crackdown on human rights?
While drafting this commentary I consulted a number of IT programmers, much more versed in coding and malware than myself. The obvious consensus was that, just like with conventional weapons, cyber weapons have to be custom made. A government cannot simply buy a virus and expect it to automatically adapt itself to the desired target; it must be formatted accordingly. Hence, the future of cyber arms trades, just like with conventional weapons, will rely not only on the sale of the software but also on educating the cyber-experts of the recipient government by supplying governments or companies. As one software programmer explained to me, “I wonder about the extent to which it’s possible for a cyber-weapons trade to exist—unless we think of the programmers (not their programs) as the weapons. Engineering competence isn’t easily transferred.”
My far-smarter-than-me colleague also mused how
“if your first [offensive] attempt is only half-successful and detected, it could give the opponent a chance to improve their defenses before any real damage is done. So if you’re the attacker, I would guess that a mere support contract isn’t going to suffice; you’ll want to have the programmers in house, and you want to have regular meetings with them, see their testing environment, and generally try to improve confidence that the attack is actually going to work on the first try. Any program of sufficient complexity, no matter how competent the programmer, is going to fail in various ways at first.”In other words, what limits should be placed on not only technology but also the human component when it comes to manufacturing and trading cyber weaponry?
Finally, should there be limits regarding the type of cyber weapons that can be sold? Such software can range from defensive programs (i.e. state-of-the-art firewalls) to more offensive ones like spyware (which raises the question whether this can constitute a declaration of war if detected by the targeted nation), or others I consider “cyber weapons of mass destruction” (capable of bringing down a city or nation’s electric or communication grids). Such issues and questions are problematic enough today when we see only a handful of cyber-developed nations who happen to be close allies with each other (i.e. U.S. and the UK or U.S. and Israel). Reaching consensus on cyber weapons’ transfers will only become more problematic in the near future when other developing states (i.e Brazil, Mexico and Peru, to name a few, in Latin America), turn more of their resources to cyber weaponry to protect national interests.