Christopher Painter, coordinator for cyber issues for the U.S. State Department, declined to comment on a Wall Street Journal report Tuesday that said the Pentagon was considering a policy that could classify some cyberattacks as acts of war. He said the report was based on material that had either not been released or discussed yet.
He did, however, say that U.S. President Barack Obama's recent cybersecurity strategy covered a myriad of different aspects, ranging from international freedoms to governance issues and challenges facing the military.
"We don't need a new treaty," he told The Associated Press as he arrived for an international cybersecurity summit in London. "We need a discussion around the norms that are in cyberspace, what the rules of the road are and we need to build a consensus around those topics."
New cyber attacks are being perfected so quickly that the world needs a nonproliferation treaty to control their creation and use, the chairman of one of the world's largest telecommunications companies said Wednesday.
Michael Rake of BT Group PLC warned that world powers are being drawn into a high-tech arms race, with many already able to fight a war without firing a single shot.
"I don't think personally it's an exaggeration to say now that basically you can bring a state to its knees without any military action whatsoever," Rake said. He said it was "critical to try to move toward some sort of cyber technology nonproliferation treaty."
The suggestion drew a mixed response from cyberwarriors gathered in London for a conference on Internet security, although at least one academic praised it for highlighting the need to subject online interstate attacks to some kind of an international legal framework.
Cyberweapons and cyberwarfare have increasingly preoccupied policymakers as hacks and computer viruses grow in complexity.
Recent high-profile attacks against Sony Corp. and Lockheed Martin Corp. have made headlines, while experts described last year's discovery of the super-sophisticated Stuxnet virus — thought to have been aimed at sabotaging Iran's disputed nuclear program — as an illustration of the havoc that malicious programs can wreak on infrastructure and industry.
"You can close vital systems, energy systems, medical systems," Rake said. "The ability to have significant impact on a state is there."
The threat grows every day. Natalya Kaspersky, co-founder of anti-virus software provider Kaspersky Lab ZAO, said Internet security firms were logging some 70,000 new malicious programs every 24 hours. Shawn Henry, executive assistant director of the FBI, said that last year alone his agency arrested more than 200 cybercriminals.
How to deal with that threat was the topic of the two-day summit organized by the EastWest Institute, an international think tank which gathered hundreds of law enforcement officials, business leaders, academics and security consultants for talks in the British capital.
Rake's proposal for a nonproliferation treaty lacked detail, but it was one of several calls for some kind of an international treaty governing cyberspace. Hamadoun Toure, head of the United Nations telecommunications agency, said that "we all know that the next war, if it was to take place, would take place in cyberspace."
He added that the best way to win such a war was to ensure that it didn't happen in the first place.
But those working in the field were divided about the wisdom of any cybersecurity treaty. Francis Delon, France's secretary-general for national defense and security, said it was too early for work toward an international pact because policymakers were still coming to grips with the ways that states — and criminals — could strike at each other over the Internet.
The question was one of "pure pragmatism," he said. "The ground's just not ready for it."
As for some kind of cyberweapon nonproliferation treaty, Delon seemed dismissive. Asked whether it was even feasible to track software programs — thousands of which can fit on a single tiny memory stick — in the same way that the international community monitors ballistic missiles or nuclear material, he chuckled.
"I think you've answered your own question," he said.
But some said the analogy between malicious viruses and nuclear weapons was appropriate. Solange Ghernaouti-Helie, a cybersecurity expert at the University of Lausanne in Switzerland, noted that both were capable of causing catastrophic collateral damage far beyond their original targets.
She suggested that Toure's International Telecommunication Union could act as a kind of online version of the International Atomic Energy Agency, which polices member states' nuclear programs with inspections and monitoring. She noted that there already is an international body, the Malaysia-based Global Response Center, devoted to monitoring worldwide cyberthreats. Perhaps it could do the job?
In any case, she said, "we can't accept that we can do nothing."
Paisley Dodds contributed to this report.
SOURCE: The Associated Press