Risky Business News: Episode Summary
Title: Between Two Nerds: Cyber Weapons
Release Date: November 18, 2024
Host: Risky.biz
Guests: Tom Uren and Gruk
Introduction
In this milestone 100th episode of Risky Business News, hosts Tom Uren and Gruk delve deep into the contentious and complex topic of cyber weapons. Reflecting on their earlier discussions from the fledgling days of their podcast, they explore the definitions, implications, and practical challenges surrounding cyber weapons in today's cybersecurity landscape.
Celebrating 100 Episodes and Revisiting Cyber War
Tom Uren (00:03):
"Hello, everyone, this is Tom Uren and I'm here with the Gruk for another Between Two Nerds discussion."
The episode commences with Tom and Gruk acknowledging their achievement of reaching episode 100, reminiscing about their third episode, which also touched on cyber warfare. This nostalgic reflection sets the stage for a comprehensive analysis of cyber weapons.
Defining Cyber Weapons: A Critical Analysis
Tom Uren (00:39):
"We don't really like the term cyber weapons."
Tom introduces the central theme by expressing a mutual distaste for the term "cyber weapons." He references a 2018 paper he authored for the Global Commission for the Stability of Cyberspace, aiming to define cyber weapons and explore cyber arms control.
Gruk (03:45):
"Like what? As is or without modification... BitLocker encrypts their drives and."
Gruk challenges Tom’s definitions, questioning whether specific malware qualifies as a cyber weapon based on its functionality and dual-use nature. They debate whether the payloads or distribution mechanisms constitute the weapon itself.
Tom Uren (04:30):
"So, like, nitpicking."
Tom concedes to Gruk's detailed examination, highlighting the complexities in categorizing malware like WannaCry and NotPetya as cyber weapons under a narrow definition.
The Dual-Use Dilemma and International Control
Tom Uren (02:53):
"Can we set up some sort of international scheme to stop the spread?"
Tom explores the possibility of international regulation akin to the Chemical and Biological Weapons Conventions, positing that cyber weapons are inherently dual-use and challenging to restrict.
Gruk (06:42):
"So literally nothing that applies to cyber at all."
Gruk underscores the difficulty in applying traditional arms control preconditions—such as limiting capability development to states and ensuring verification of compliance—to the cyber domain.
Tom Uren (07:12):
"Perhaps there’s a common interest because most states want to hold on to their secret cyber weapons."
Tom suggests a tenuous common interest among states in retaining cyber capabilities, albeit without strong evidence or consensus.
Proliferation and Stockpiling: Misconceptions and Realities
Gruk (10:11):
"Cyber stockpiling and cyber proliferation, please, sir."
The conversation shifts to the concepts of cyber proliferation and stockpiling. Gruk argues that unlike traditional weapons, cyber exploits have a fleeting utility and are difficult to stockpile effectively due to their short lifespan and the rapid evolution of software environments.
Tom Uren (17:16):
"So, this is, I guess, a harm minimization strategy."
Tom summarizes Gruk’s perspective as a harm minimization strategy rather than outright prohibition, emphasizing pragmatic approaches to cyber weapon management.
Gruk (17:19):
"Which as we know governments love going for, as opposed to prohibition."
Gruk contends that governments are more inclined towards regulation and control than towards banning cyber capabilities, perceiving it as a more feasible approach.
Case Studies: EternalBlue, WannaCry, and NotPetya
Tom Uren (20:10):
"EternalBlue worked for a long time, right?"
Using the infamous EternalBlue exploit and its role in WannaCry and NotPetya attacks as a case study, Tom and Gruk dissect the implications of exploit stockpiling and subsequent leaks.
Gruk (22:24):
"It’s stockpiling. What are you going to do with a warehouse full of nectarines?"
Gruk metaphorically illustrates the futility of stockpiling exploits, emphasizing that outdated or patched exploits lose their value quickly.
Tom Uren (22:27):
"NSA did everyone a favor by using it for 10 years."
They discuss the controversial decision by the NSA to retain EternalBlue, debating whether its prolonged use was ultimately beneficial or detrimental to global cybersecurity.
The Role of Private Actors and Counterproliferation Strategies
Gruk (12:46):
"That's how you stop them developing their own tools."
Gruk introduces the idea of counterproliferation through controlled sale of spyware by private actors like NSO Group. He argues that selling sophisticated spyware can suppress indigenous development and maintain oversight over its usage.
Tom Uren (14:09):
"Is your 4D chess hypothesis here that they've gone, we would rather them buy it from us and not be able to use it against us?"
Tom probes the strategic rationale behind this approach, questioning its feasibility and ethical implications.
Gruk (14:37):
"Absolutely. We would rather they buy it from us and not make their own."
Gruk affirms his stance, suggesting that controlled distribution of cyber tools can be a strategic deterrent against uncontrolled proliferation.
Challenges in Legislative and Civil Society Consensus
Tom Uren (16:06):
"Trying to limit the damage by abusive spyware. There are these two camps."
Tom outlines the diverging viewpoints between governments, which see legitimate uses for spyware, and civil society groups that advocate for complete prohibition, highlighting the difficulty in achieving consensus.
Gruk (17:59):
"So what you were saying before reminded me so much of drug addicts."
Gruk employs an analogy comparing exploit stockpiling to drug addiction, emphasizing the ongoing need for fresh exploits and the challenges in maintaining control over exploit factories.
Vulnerability Management and the Futility of Stockpiling
Gruk (24:20):
"Vulnerability decay, I guess. What's the point in stockpiling?"
Gruk discusses the concept of vulnerability decay, where software updates and changes render stockpiled exploits obsolete, further undermining the practicality of cyber weapon stockpiling.
Tom Uren (25:49):
"And you can see that a bit in NSO Group malware."
Tom points to real-world observations of how exploit providers like NSO Group must continually adapt their tools, as seen in gaps following software patches.
Rethinking Cyber Offensive Strategies: Transparency and Minimalism
Gruk (30:40):
"To dispel the myths, to sort of just make it a lot more clear what's actually possible and what isn't."
Gruk emphasizes the need for transparency and realistic assessments of cyber capabilities to mitigate misunderstandings and unrealistic fears about cyber weapons.
Tom Uren (30:50):
"So I guess now looking back at the paper... why worry about it?"
Reflecting on his 2018 paper, Tom questions the current relevance of cyber weapons given their limited decisiveness and the evolving nature of cyber threats.
Conclusion: A Pragmatic Approach to Cyber Weapons
In their concluding remarks, Tom and Gruk advocate for practical strategies over theoretical frameworks in managing cyber weapons. They suggest that harm minimization and controlled distribution, coupled with transparency and continual adaptation, are more effective than attempts at outright prohibition or rigid stockpiling.
Gruk (31:48):
"Ransomware is not using new exploits or novel techniques... That's not relevant."
Gruk highlights that the most pressing issue in cybersecurity is not state-sponsored cyber weapons but rather ubiquitous threats like ransomware, which operate independently of advanced exploit stockpiling.
Tom Uren (31:55):
"Premise was entirely misguided."
Acknowledging their critical stance, Tom concedes that previous assumptions about the utility and management of cyber weapons may have been flawed, underscoring the need for ongoing dialogue and reassessment in the field.
Final Thoughts
Tom and Gruk’s in-depth discussion offers a sobering examination of cyber weapons, challenging conventional narratives and proposing nuanced strategies for their management. By dissecting definitions, scrutinizing stockpiling practices, and emphasizing the importance of transparency, the episode provides valuable insights for cybersecurity professionals, policymakers, and enthusiasts alike.
Notable Quotes:
- Tom Uren (00:33): "We spoke a long time ago about cyber war episode BTN number three..."
- Gruk (03:20): "Like, novichok is a fertilizer or something."
- Gruk (05:45): "Like weapons. Is that where you're going now?"
- Gruk (14:46): "Absolutely. If it's subsidized by the EU..."
- Gruk (17:19): "Which as we know governments love going for, as opposed to prohibition."
- Gruk (22:24): "Vulnerability decay... What's the point in stockpiling?"
- Gruk (30:40): "To dispel the myths, to sort of just make it a lot more clear what's actually possible and what isn't."
This episode of Risky Business News serves as a comprehensive exploration of the complexities surrounding cyber weapons, urging listeners to rethink established paradigms and consider more effective, realistic approaches to cybersecurity challenges.
