On Capitol Hill on Thursday, the National Security Agency director, Lt. Gen. Keith Alexander, said the threat to U.S. computer networks was growing, with “hundreds of thousands of probes” daily. Alexander, who is slated to head a new cyber command to deal with this, characterized as “uncharted territory” the prospect of the United States launching cyber-based retaliation against future computer attacks.
The day before, I had a chance to interview a leading Russian cyber security official for his perspective. I asked Vladislav Sherstuyuk, a retired general who heads the Institute of Information Security Issues at Moscow State University and sits on the nation’s National Security Council, whether Russia was developing offensive cyberweapons. Through a translator, he gave me this reply: “It is not only Russia. It’s just the 21st century. It is because of the high technology. We didn’t invent the Internet. It was not Russia who invented the Internet. Without Internet there would be no cyberweapons, cyberattacks.”
A report late last year by the computer security company McAfee–a report based on interviews with third party experts–said that Russia, the United States, China, France, and Israel were all developing the capacity to attack and cripple computer networks including those that run critical infrastructure such as power grids.
Sherstuyuk hosted a cybersecurity conference this week in Garmisch-Partenkirchen, Germany, that represented his country’s efforts to set the rules of engagement. The meeting was noteworthy in that it was the first such Russian-sponsored event attended by White House and State Department officials. Russia wants to forge a kind of cyber arms-control agreement, but the United States is primarily interested in forging formal agreements to fight cybercrime.
Sherstuyuk explained his position to me. “Today we are talking about information weapons, about cyberweapons, and there is much in common between nuclear and cyberweapons, because cyber weapons can affect a huge amount of people as well as nuclear,” he said. “But there is one big difference between them. Cyberweapons are very cheap, almost free of charge.”
Even as such weapons are being developed, nations are increasingly trying to work together to fight crime and ward off such attacks. Hence the scene Wednesday night at the Hotel Nessen in Partenkirchen, where platters of pork and ham and shots of schnapps–sponsored by the Russian Interior Ministry–were passed around to the 140 attendees including researchers or government officials from India, China, Israel, and other nations, besides the United States.
But different nations are coming at the problem from different perspectives. The White House has set cybercrime as the highest priority. The White House senior director for cybersecurity, Christopher Painter, went to the conference to tell the Russian hosts Tuesday that “the predominant threat we face is the criminal threat–the cybercrime threat in all of its varied aspects.” Online bank fraud and other such crimes have been extremely costly to U.S. companies. (Russia is one major source of such crime, but the country has declined to sign a crime-cooperation convention, objecting to a provision that would allow law enforcement to access its networks.)
Russia has other priorities. Sherstuyuk told me that Russia is itself more concerned about the use of the Internet by terrorists to recruit, organize, plan, and execute conventional attacks inside Russia. Just two weeks ago, two female suicide bombers detonated inside the Moscow subway system, killing 39 people. “We have no examples of cyberterrorism yet,” the general said, referring to attacks on computer networks. “So [the issue] is more about information that you can get from Internet, information about forthcoming terrorism attacks, so we can watch airport and railway stations to observe whether there are attacks or not.”
If there is one concern on which all parties agree, it is the need to be better able to determine who is doing the attacking–a problem known as “attribution.” It can be difficult or impossible to determine whether rogue hackers or a national defense ministry is behind an attack, such as those targeting Estonia’s computer networks in 2007. Improving attribution could be achieved by reducing online privacy, but it also could be achieved through better cooperation between nations to share existing information. “We want to make trust, and help set the rules in the information sphere,” the retired general told me. “And I bet that there are many things that we can do together.”
In written answers to the Senate Armed Services Committee prior to his testimony Thursday, Alexander said it is “reasonable to assume that returning fire in cyberspace” is lawful. His written answers were posted by The Washington Post.
At the Tuesday dinner, various toasts were made, but none more lusty than the one made by a Russian attendee honoring Sherstuyuk himself. “Hoorah, Sherstuyuk!” he cried. Painter, who is a veteran federal computer crimes prosecutor, did his best to contribute to the merriment. Asked to make a toast, he offered a few guarded comments. Then he gamely told a joke about a hacker who was granted three wishes from a genie, on the condition that other hackers would get twice what he had wished. The first wish was for one million credit card numbers. The second was for a supercomputer to break cryptographic keys. The third was that he be able to donate one of his kidneys.