Cyber Arms Treaty Is A Must But It Will Take A Major Incident To Spur Action


Nations won’t act on risk of cyber weapons until something goes wrong, warns Kaspersky’s David Emm

The creation of a cyber arms agreement between nations that limits or bans the use of cyber weapons will occur only after something “bad” has happened, according to Kaspersky Lab security researcher David Emm.

Emm told V3 that he believes such a treaty is vital, as cyber weapons, such as Stuxnet, Flame, Duqu and BlackEnergy, are increasingly developed and deployed against critical systems.

“We’ve got to have a mechanism whereby governments, nations sit down and say: ‘You know that we need rules and regulations, just as we don’t use nuclear and chemical weapons,’ and we know most signatories will agree to that,” he said.

However, Emm is dubious that this will occur until a major incident forces the issue.

“We need to get to the point where we have cyber arms limitations and that might well come, but I think something bad has to happen before there will be enough impetus to do it,” he said.

Cyber weapons have already had real-world impacts, most notably with the Stuxnet attack against Iranian nuclear facilities and BlackEnergy used against Ukrainian power plants late last year.

Kaspersky regularly tracks such incidents, although Emm said that it has recently gone slightly quiet on this front. However, this doesn’t mean that attacks or new threat vectors have not been created, but that they remain undetected.

A digital kitemark

Emm also told V3 that a digital kitemark is needed to help ensure that internet-connected devices, from Internet of Things (IoT) sensors to toys, follow basic security practices.

Emm said that recent incidents, such as the discovery that hackers could access WiFi networks via a Hello Barbie doll, showed that security is not being considered when looking at new technology ideas.

This situation is only going to get worse as more internet-connected products enter the consumer and business worlds.

Emm explained that manufacturers could use a digital kitemark to show that they have built in the necessary controls such as encrypting data sent over WiFi, or that software can be patched.

“If you buy a child’s toy and it’s not fire retardant or doesn’t have the build quality that a child’s toy needs there will be an issue and it will get fixed,” he said, adding that kitemarks give the assurance to parents that these vulnerabilities are covered.

“We don’t have a digital kitemark but it may be that we need one. Parents can’t be expected to know about technology at an in-depth level, in the same way that they don’t know if it’s fire retardant. But having a kitemark gives that assurance.”

Emm suggested that the government should lead on such an initiative, as, unlike global cyber agreements, it can be reached individually in the UK.

The government could do it unilaterally, he said, and say: ‘If you want to sell these things here, you need to go through this.’

via News ≈ Packet Storm

June 17, 2016 at 08:18AM