Intelligence organizations are racing to collect cyber intelligence in efforts to identify and monitor the development, use and sale of offensive cyber capabilities by individual actors, criminal organizations, terrorist groups and nation states. This is a formidable undertaking to say the least. Consider the facilities and infrastructure needed to make a tank. Now think about the facilities and infrastructure needed to make a cyber weapon. All you need is ambition coupled with a laptop, Internet connection, programming skills, a search engine for research and maybe a couple of books – all of which are openly available. Add to that the hacker underground and black-market for malicious code and sale of newly discovered vulnerabilities and you have everything needed for the development and sale of cyber weapons.
Using that as a backdrop consider the implications of the Stuxnet, Duqu and Flame cyber weapons that were used against Iran and the heightened attention cyber attacks against the rogue-nation are currently receiving. Now factor in that on June 21st Iran announced on State TV that they had discovered yet another “massive cyber attack” against its nuclear facilities. These widely publicized cyber attacks have caught the attention of many malicious actors, opportunists and militaries around the world.
There are those calling for cyber arms control treaties to mitigate this growing risk. Critical to the success of any such treaty is a trust but verify program that must accompany any such program. When you consider the extremely limited infrastructure required to develop and/or deploy a cyber weapon, how could you ever think a verification program would be of any use. Just think about all the issues we have had with a verification program on the development of chemical, biological and nuclear weapons systems and the infrastructure required for those initiative and compare it to the extremely limited infrastructure required for a cyber weapon that could be developed and launched from an Internet Café. I and other firmly believe we are in a cyber arms race and a Cyber Arms Control Treaty would be virtually useless.