The Flame virus caught the attention of the media with sensational headlines such as one that appeared May 28 on CNET News, “Massive Targeted Cyber-Attack in Middle East Uncovered.” Not long after discovery of the malware in a few thousand computers in Iran and the region, the head of the U.N. International Telecommunications Union urged countries to avoid the threat of global cyberwar.
Meanwhile, the Pentagon has approved an organizational framework for greater offensive cyber capabilities as former senior U.S. officials advise Congress to enact cybersecurity legislation. In the midst of the excitement, what is the proper response to this type of sophisticated malware heralded as a potent cyber weapon?
In Iran, a member of the government Computer Emergency Response Team estimated the data-mining Flame virus was potentially more harmful than the Stuxnet worm in 2010, which destroyed nearly 1,000 nuclear enrichment centrifuges. Distributed by removable media or local networks, the Flame virus copies keyboard entries, sifts through emails and text messages, captures screen shots, and records microphone sounds.
Flame is designed to do much more: infected computers scan for and query nearby Bluetooth devices to build social profiles. Flame comes in at 20 megabytes, 20 times larger than Stuxnet, and has a command-and-control network of 50 to 80 domains registered throughout the world for its built-in and downloadable modules. Flame does share portions of code with Stuxnet and, for instance, exploits a vulnerability in the same printing routine.
Does the source of Flame matter in fashioning a proper response? The target and malware complexity raise suspicions that it originated from a government.
Regardless, any acknowledgement of cyber weapon use could allow other nations to consider this an act of cyberwar and serve as justification for similar attacks by terrorists or hackers. Malware code can be copied, modified and proliferated for use in intrusions or attacks on nearly any system, including vulnerable infrastructures.
Iranian leaders claim the massive data loss caused by Flame is tantamount to an attack. Iranian technicians battling to contain the virus resorted to severing Internet links to the oil ministry, drilling rigs and the Kharg Island terminal for most crude oil exports.
Flame might bear the hallmarks of an attack, but the malware does not appear intended to disrupt or destroy an adversary’s critical cyber systems, assets or functions, as defined in a 2010-2011 memorandum from the vice chairman of the U.S. Joint Chiefs of Staff. While Stuxnet qualifies as an attack, Flame should only be considered as an act of digital espionage.
Strikingly, espionage in peacetime is neither defined nor prohibited in international law. At most, Flame qualifies as an offense against the confidentiality, integrity and availability of computer data and systems under the Council of Europe Convention on Cybercrime.
A broader international framework starts with principles for governing behavior in cyberspace, such as those proposed in 2011 at the London Conference on Cyberspace attended by 60 nations. All delegates agreed to first develop confidence-building measures under the U.N. Group of Government Experts and regional groups. Many scholars say such measures should include agreeing on norms for state behavior, and taking responsibility for activities of individuals in their own territories.
The applicability of international law, given the challenges of participation, verification and compliance, suggests the necessity of national solutions. Under the inherent right of self-defense, any counter-operation must be defensive, not retaliatory, in nature, and must comport with the legal requirements of necessity and proportionality.
The commander of U.S. Cyber Command recently acknowledged the legal obligation to “conduct cyber operations to defend the United States, its allies, and its interests, consistent with the Law of Armed Conflict.”
Rules of engagement and deciding who responds to cyber attacks against critical infrastructure and private corporations remain uncertain. Difficulties in clearly determining the source in a timely manner hinder responsive options.
Although Flame was used only for intelligence collection, it could have exposed the systems it infiltrated to malicious intent. In the U.S., two legislative answers are working their way through the Senate. The Cybersecurity Act of 2012 (S 2105), sponsored by Sen. Joe Lieberman, I-Conn., among others, would create a regulatory scheme to designate covered critical infrastructure, identify risk-based cybersecurity performance requirements and require owners to certify they’ve set up security measures to meet those requirements or submit to a third-party assessment.
But concerns exist over higher costs to the private sector, inappropriate disclosures of proprietary information and exposure to civil liability. Another bill, SECURE IT (S 2151), introduced by Sen. John McCain, R-Ariz., and seven co-sponsors, stresses public-private collaboration over coercion.
The Cyberspace Policy Report issued by the Pentagon emphasizes a whole-of-government approach, integrating the capabilities of interagency partners, global industries and international agencies to prevent, contain or resolve aggression in cyberspace.
The key is embracing norms that enable responsible use of the cyber domain as well as sharing threat information and best practices to encourage cooperation. Partnership over regulation appears to be the best response to the Flame virus and future malicious acts.
Scott Jasper is a lecturer at the Center for Civil-Military Relations at the U.S. Naval Postgraduate School and editor of “Conflict and Cooperation in the Global Commons.”