Lorsque les États-Unis ont lancé une cyberattaque massive contre l'Iran le mois dernier, ils ont annoncé "une nouvelle ère de guerre sur Internet", selon Arun Vishwanath, expert en cybersécurité. Comment les conflits cybernétiques pourraient-ils modifier la nature de l'internet ? Pourquoi les États-Unis sont-ils particulièrement vulnérables à ces menaces ? Et à quoi ressemblerait une "convention de Genève numérique" ?
ALEX WOODSON: Welcome to Global Ethics Weekly. I'm Alex Woodson from Carnegie Council in New York City.
This week I spoke with Dr. Arun Vishwanath, chief technology officer at Avant Research Group, a cyber security research and advisory firm. Arun previously taught at the University of Buffalo. As he puts it on his website, arunvishwanath.net, he studies the "people problem" of cyber security.
Last month, Arun wrote an article for The Washington Post entitled "The Internet is already being weaponized. The U.S. cyberattack on Iran won't help." This was the basis of our conversation.
We talked briefly about the actual attack but more about how it signals a new era of cyberwar, how it could change the nature of the Internet, and why a country like the United States is especially vulnerable to cyber threats.
For now, calling in from Buffalo, New York, here's my talk with Arun Vishwanath.
Just to start, you wrote a Washington Post article called "The Internet Is Already Being Weaponized. The U.S. Cyberattack on Iran Won't Help." If we could just start there, what is the cyberattack? Could you just give us a brief overview of what happened last month between Iran and the United States?
ARUN VISHWANATH: First, some caveats. We don't exactly know what we did, what the Pentagon did, but all indications are, and we're getting this from multiple sources—we're getting it from sources within the Pentagon, we're getting it from sources in the White House—the idea was that we launched a massive cyberattack on Iranian facilities.
Now, what are these facilities? We're assuming they are some of their nuclear facilities, the centrifuges and so on and so forth, that they have been working on. It could also be something unrelated to it, it could be their core system. But regardless, there was this shock on the administration unofficially, and then there was a lot of bragging going on that we had launched a massive cyberattack in retaliation for all the events that were leading up to it in the last couple of weeks.
It is the first time in the history of the Internet, if you want to call it that, where we've had a nation-state—in this case, ourselves—going out and essentially saying, "Hey, you know what? We conducted a cyberattack. We attacked another nation."
Now, the reason for me writing this piece was that this isn't the first time a nation has meddled in another nation—we've had it happen to us, usually we're the ones who receive a lot of it—nor is this the first time that we have done something to others. There is always a lot of covert stuff that goes on, everything from espionage to trying to disrupt industrial operations, and a lot of nations have been doing it, but no one has ever come out and said, "Hey, you know what? We actually did this and we are now using this against you."
This is a particularly troubling trend. It's a completely new thing, of all the many new things we have seen coming out of Washington these days, in the last couple of years, with the new administration, but this is a sea change in the way we look at warfare.
That was the impetus behind writing this piece, the one that you're referring to, that came out in The Washington Post in early July.
ALEX WOODSON: You said that this attack was a troubling development. What exactly about this is most troubling to you?
ARUN VISHWANATH: What's particularly troubling is, number one, when you start using the Internet and weaponizing it and openly claiming that you're attacking people, there's always a reaction to this, and the reaction usually is defensive, often leads to defense. The kind of offense that we are engaging in right now essentially leads to others trying to come up with either defenses or other offensive operations. So, number one, we start telling the world that, "Hey, this is a new realm of attack, and if we can do it to others, anyone can do it to us and to others as well, right?"
The Russians have been doing this in different parts of Eastern Europe, in the Baltic States and so on. But now that we're openly claiming that we're doing it, everyone else is going to start openly claiming they're doing it. That's the big-picture problem here, number one.
Number two, what it does, though, is it kind of puts everybody on notice and it says, "Hey, you know, cyber is not just the Internet, it's not social media, it's not just posting and liking and sharing information and searching for information"—all the big-picture things that basically, if you think about what happened in the last 25 years, our lives have changed dramatically primarily because of the Internet and all the other technologies that came along with it. Now we are saying, "Hey, you know what? This is no longer just an area where we innovate and we do business and we transact and do the things that we all like to do. This is also a place where there's warfare, where that data could be used against you, where that access can be used to do something against your nation."
That creates a whole series of events. This is going to catalyze a massive change in how nations look at the Internet. No longer is the Internet just seen as a technology, it's seen potentially as a weapon. That's a very troubling trend. You know, you go down that rabbit hole and that takes you down a path where we've only started to some extent, but it doesn't bode well.
ALEX WOODSON: This attack happened about a month ago. Have you noticed anything specific in the last month? Where are we now?
ARUN VISHWANATH: Sure. What we're going to start noticing right now are the reactions. First, right now we haven't had any confirmation coming out from our administration. The Iranians already claimed that there was an attack and it didn't do much and all that, but this is just political posturing and the short end of it, right?
But the impact of this is not going to be just immediate. It's going to be in the mid-term to the long-term stage, where what's going to happen is now increasingly nations are going to be much more suspecting of these technologies, number one.
Number two, everyone is going to start trying to come up with kill switches, right? We're going to say, "Hey, if you're a nation out there, you're going to have a kill switch for this technology which essentially could be used against you." So you're going to have that development.
That has already started to some extent. First, you are going to start seeing this in poorer nations. You see this in parts of Africa, where people are shutting down the Internet whenever there is internal strife. That's the antithesis of what we want. We want information to flow. We want ideas to come in and out. Everybody from journalists to just the people in the nation need to be able to communicate as to what's going on, and we're now having kill switches developed for the Internet.
The other thing that's going to start happening, everybody is starting developing—again this is why it's a mid-term to a long-term problem—is we're going to start developing operating systems that are off the grid so to speak. What I mean by "the grid" is off the Internet as we know it, and we'll create these parallel networks that we think cannot be attacked. That is a sort of an arms race that begins, where actually basically we start creating parallel Internet networks.
That is starting to happen. You know that the Chinese government has heavily invested in operating systems and proprietary systems—you know the Russians are also trying to do this, coming up with operating systems and proprietary systems—that somehow are taking the best of the Internet but making it something that cannot be accessed from the outside.
So we know these developments are starting and it is just going to accelerate. Once we start seeing nations use it to attack others, especially the ones who have it—like us.
ALEX WOODSON: Yes, I was actually going to bring that up. I saw an article on Vice by Mahsa Alimardani. She was saying that Iran is tightening controls already to make the Internet more insular, which is what you were saying.
ARUN VISHWANATH: Right.
ALEX WOODSON: It's just interesting that as the Internet is developing, we could have a situation where nations are maybe less connected when we all thought this would connect the world in lots of different ways.
ARUN VISHWANATH: Correct. And that's essentially what happens, right? I mean you start developing information islands that are geographically—what used to be in the old days you used to build castles and build moats around them, and now you have to build moats around the Internet.
ALEX WOODSON: Yes.
ARUN VISHWANATH: The way to do it is digitally, and the way you do it digitally is create your own operating system. You create your own networks that run parallel but distinct from the main Internet.
That has a huge impact on really human development on the larger level, economic development as we know it. If you really think about what has made the Internet what it is, it's this uniformity of operating systems, there's just a few of them. There's a uniformity of language at the machine end of it, there's just one or two of them. This uniformity has given rise to all these global platforms like Facebook and Twitter, which are everywhere. So if you start coming up with parallel networks and operating systems and devices that only run on certain operating systems, you're basically undercutting that movement that made the last 25 years of phenomenal human accelerated growth possible.
If you think about the economics of the world, we are just so much better off today than we were, let's say, even 20 years ago.
ALEX WOODSON: Just to go back to the attack it seems like one of the biggest differences of the attack is the fact that it was kind of not announced, but it was basically confirmed, by the administration. Is that the correct way to phrase it?
ARUN VISHWANATH: It has not been confirmed officially, but it has been confirmed by a lot of different sources very close to the administration and from the administration. Everybody has stayed anonymous, but they essentially confirmed it, without going public and saying, "Yes, we did it."
We know for a fact that they did this. We know there was talk going into this. We know the moves were already there. Moseley has been talking about this for a while, the offensive use of cyber. We know that that was the thrust of a lot of the changes that were happening in the administration, the post-Obama administration. Things were moving more towards the Pentagon when it came to cyber.
There was this talk of cyberoffensive, cyberattacks. It's a very forward-looking, robust, almost warlike policy that we came up with the Internet, and this is in many ways one of the first indicators of how that's going to happen and play out. This is one of many more to come in my view.
ALEX WOODSON: Do you get a sense that these leaks were strategic in some ways?
ARUN VISHWANATH: Yes, I believe so. I believe they were strategic. I don't think there were a lot of attempts to conceal the fact that we did it because I think, given the events that were leading up to it, there was almost a need to demonstrate that we were doing something.
That in itself tells you how big cyber is today in the larger scheme of warfare. A cyberattack is tantamount to an attack. So it is considered retaliation, I guess, the way we have positioned it.
That opens a whole new set of tactical issues that nations are going to use on each other. Once we say, "Hey, you know what? Cyberattack is retaliation," then the next country that wants to retaliate against another one, the first thing they're going to move to is cyber. We've not had an event where a nation has attacked another nation's infrastructure through a cyberattack and resulted in a retaliation, but now we may.
ALEX WOODSON: Your article also deals with the fact that, as you put it, America has a lot of targets in the cyber realm. Which ones are most vulnerable to an attack from an adversary like Iran right now?
ARUN VISHWANATH: Look, when it comes to attacking someone back, let's look at what these nations actually do. Cyber has been a place where there's a lot of asymmetric warfare.
For instance, if you look at what happened to Sony Pictures, think about Sony Pictures in 2014. You had this massive ransomware attack. It cost Sony—I'm not exactly sure of the numbers, but we're talking about at least $100 million, give or take, to remedy this massively embarrassing breach. And the breach is not just embarrassing publicly, but you're losing talent, you're losing human capital that has been invested, the [chairperson] gets fired—you know, all the stuff that goes with it.
So if you look at the realm of cyber and look at how these attacks come back, you have nations that are very low-tech, like North Korea, that are able to successfully penetrate Sony Pictures, which is by far one of those technological giants out there. And how do they do it? They use social engineering, they use "spear phishing," they use relatively low-tech attacks to respond. These low-tech attacks had a massive hundred-million-dollar cost associated with them.
So when we look at these attacks, when we look at the surface—what I mean by "surface" is the number of vulnerable points we have, just by having more users, we have more vulnerable points. So in the last year or year and a half we've had two massive ransomware attacks that most people don't talk about.
One is in Atlanta we had a massive ransomware attack. I believe the court system was down. In Baltimore the entire city government was shut down for almost a month because of a massive ransomware attack. All these attacks are coming from other nation-states. We believe that a lot of the handiwork behind these attacks is North Korea. Some of the signatures appear to be North Korean hackers, or at least the type of ransomware that's being used seems to have a North Korean blueprint to it, for lack of a better word.
So that's how they attack: they disrupt, they undermine, and it costs us a ton of money to get back on our feet. That's what's going to probably happen more often than not, and it's already happening with high frequency and regularity. We just don't report it that much anymore.
We are much more vulnerable just by the very fact that we have more users, we have more people using the Internet, we have more things we rely on. If you compare North Korea, with maybe a handful of ISP service providers, and you look at the City of Baltimore, and one massive ransomware attack and the entire city administration is down for a month. The court systems are down, the hospitals are down, the police system is down. You can't write tickets, you can't go to court, all the paperwork—everything is lost. When you look at the cost of these attacks and how much of an influence it has on us relative to them, they can use a very low-tech attack and get back at us, whereas we can't do the same back to them because they just don't have that many users, they don't have that many connections, they don't have many people relying on the Internet. They're still doing things the old-school way.
In this asymmetric kind of warfare, we are more likely to suffer a bigger consequence because we have a lot of open ports on them. What I mean by "ports" is we have a lot of unprotected users susceptible to allow these kinds of attacks.
ALEX WOODSON: Just a general question. What has been the reaction of your colleagues over the last month? Do you think that people—and I don't mean just people you work with, I mean people around the world, people in your field—are aware that we are in a new era of cyberwarfare? Are people reacting strongly enough do you think?
ARUN VISHWANATH: I don't think people are reacting strongly enough. To be very honest, I think there's so many things going on right now that it's unclear what is the reaction and what is exaggerated.
The problem today is people don't know what to react to. People are fatigued with reaction in so many ways. Look at Washington today and that's kind of like what we get. There's just so much noise coming out of there, and through all of that there are some signals.
At least in the realm of cyber it's unclear what's going on. Even what used to be a ransomware attack on a city would be front-page news. They barely make it. Most people don't even know that there were these massive attacks that happened all in the last year. There are multiple cities that went down and are coming back up and are limping back to normalcy. These were big events.
But we don't have—I think the American public, and I think the global media itself, is trying to figure out what to cover, there's so much going on.
So there isn't that much of a reaction, which was the impetus behind this piece. It was basically saying, "Hey, we've got to pay attention to these things. We've got to bring this to the public's attention and to the policymaking audience's attention, saying, 'This isn't something minor. This is a major deal, this is a big deal.'" When you look at what technologies are coming up, you look at how much we're dependent on it, and you look at how critical this technology is to the world itself as we know it, then you realize that we're playing with fire here.
ALEX WOODSON: Just a couple more questions to wrap up.
Another thing you wrote in your Washington Post article was that the world should agree that the Internet should not be used as a battlefield. That seems like a very big thing to ask right now.
ARUN VISHWANATH: I know.
ALEX WOODSON: But I think it's a great thing to work for. So what are some ways that we can work toward this?
ARUN VISHWANATH: We have to look at the Internet more—"What is the Internet?" or "What is the value of the Internet?"—before we start weaponizing it.
Like I said, when we look at human development over the last 15 years to 20 years, every major leap that we've had in terms of connectivity, in terms of our ability to even just transport ideas, to create development, to create jobs—everywhere from back-office processing to call centers which low-cost nations have been able to provide—to just development in general.
The Internet, everything went wireless, to smartphones, to 5G—everything that we're talking about today would not have been possible if not for this singular technology which is the backbone of pretty much everything in the world I would say. If we value this technology—and this technology is a public good but it's a global good—we've got to come up with some way to say, "When a nation or nations will have an advantage on it"—the nations that have an advantage will tend to be the ones who have the most invested in technology." Ourselves, we are a great example of that.
When the countries that have it start using it now as a weapon, the countries down the chain start also reacting to this and start trying to figure out how to weaponize it themselves.
This is something we saw with nuclear technology. When we look at how it is, the nations that have it don't sign a non-proliferation agreement. Most of the major treaties that are out there about nuclear are signed by the nations that don't have nuclear weapons because once you realize, Hey, what are we playing with here? Then we have to hold on to these things. What is the cost for people when that technology goes into the wrong hands? Today we are suffering from those consequences. They were forever worried about that.
Before we go down that road, we have the maturity of 150 years of various technologies, nuclear being one of the great examples. When nuclear technology was new, it was a promise of eternal electricity. We forget that in the 1940s we were talking about nuclear power plants, and today, if you watch The Simpsons, the nuclear power plant is a joke. Back in the 1930s and 1940s and 1950s, we were talking about empowering the world. So here is a technology that eventually became a mechanism for war fighting, and ending now siloed in a few nations that are still holding on to it.
We don't want the Internet to go down that road. We don't want this to become a technology of a Germany or a technology that's purely used for offense or where people are building defenses and creating what I call a "digital Iron Curtain." You create trading blocs with technologies that speak to each other, especially with artificial intelligence (AI) and all these new things coming out. That's the worry.
So we've got to come together at this point and say, "Hey, this is off-limits. Let's not weaponize it."
It's one thing to use it, even influence a campaign. We've got to start talking about these things a bit more openly and saying, "What's an influence campaign? What can we use and what can't we? And when we have war, what are those technologies on the Internet that are off-limits to the world?"
I think we have, as the world has come together, some level of maturity here. I think countries with the technology, like us, need to take the lead on it rather than trying to take the lead in co-opting it.
ALEX WOODSON: Yes. I saw a few different articles mentioned a Cyber Geneva Convention as a bit of a framework.
ARUN VISHWANATH: Right. That's a great way to think about it. I have read a few of them. That is a great way to think about it.
And think about right now what is happening: we've moved from thinking about cyberattacks from a policing standpoint to almost a military standpoint. This switch that is happening is what I'm really worried about because what we do others follow. That's a big concern.
Rather than talking about it in military terms, let's go back to talking about it in police terms and let's talk about groups like Interpol getting involved in cyberattacks, rather than this being siloed within nations with the power to use it right now. And that power only lasts for a while before someone comes up with a different strategy around it.
So a Geneva Convention—let's get people together. Let's come up with a Bill of Rights for the Internet, for instance, and say, "Here are the things that people in most nations should protect and keep off-limits when it comes to war fighting."
ALEX WOODSON: Yes. I think it's a good way to look at it because we're always going to have adversaries and we're always going to be engaged in some type of conflict, I think. So you have to ——
ARUN VISHWANATH: Right.
ALEX WOODSON: A Geneva Convention is a way of saying, "Yes, but we need rules for this new era."
ARUN VISHWANATH: Rules for a technology that we cannot do without, let's be honest about it. And those rules can be two-way. It doesn't only have to be when there is war, it can also be how nations treat their own people.
For instance, you have dictatorships that basically in today's world shut down the Internet when they want to keep their people under check, right? We've got to have a mechanism to say, "Hey, well, that's a human rights violation right there."
ALEX WOODSON: Yes.
ARUN VISHWANATH: But we can't do that yet because we don't see the Internet as critical, something that people should have a right to. So we don't see it there yet, but that's where the discussion's got to lead to.
The first thing that happens in any country out there—we've seen this in Africa and we see this in North Korea, for instance—the one thing they control is information, and today controlling information is the Internet.
We have this technology that we all understand is of value. Let's, rather than trying to start fighting wars with it and trying to take advantage of what we have right now as an advantage, eventually making everybody else defensively come against us and then come up with other options to the technology, let's try to protect it.
ALEX WOODSON: That was Arun Vishwanath, chief technology officer at Avant Research Group.
I'm Alex Woodson. Thanks for listening to Global Ethics Weekly.