The first time I got an understanding of the Russian view of computer security was while I was having drinks in a Moscow restaurant with Eugene Kaspersky of Kaspersky Lab. We talked about the record-setting cold outside, then the subject moved to what he referred to as cyber criminals. It was clear that like the other Russian security experts I'd been talking to on that trip, Kaspersky had a much broader view of security than I'd found in the U.S.
The discussion continued through more than a few glasses of the famed Russian Standard vodka while we talked about the growing danger Kaspersky saw in Internet-based crime, and about the state-sponsored cyber crime he saw growing out of it. At the time, much of this was a revelation to me. In the U.S., we were used to thinking about computer security as a targeted attack by hackers wanting to prove themselves or by virus writers plying their trade mostly out of sheer evil.
Kaspersky saw a broader problem. The criminals were doing what they did for a profit motive, and they kept doing it because it worked. They were able to trap enough people with phishing scams, and able to get enough personal information through the theft of data from businesses that they made a lot of money. But he also worried about the greater risks that were sure to come when national governments started sponsoring attacks.
Now that discussion has finally surfaced enough that it's being talked about in public, it's also clear that the Russian view of cyber crime and cyber warfare is totally different from the U.S. view. Russia sees cyber warfare as an attack on the security of the state, and wants a treaty to control the use of cyber attacks for military purposes. The U.S .is avoiding the subject. At a recent meeting on the topic, the U.S. and Russia have finally agreed to start talking about this.
But the fact is, there's an underlying problem that keeps the U.S. from being too ready to agree. While today the single greatest source of state-sponsored cyber attacks is probably China, the U.S. isn't far behind. In fact, the U.S .military has been at the forefront of using cyber attacks in preparation for military operations. Even as far back as 1990, the U.S. softened up Iraqi defenses by attacking their digital infrastructure first, so that they would be less effective when the bombs started to fall.
In fact, former Director of National Intelligence Mike McConnell thinks that the rest of the world got the idea from the U.S. during Desert Storm. So it's little wonder that the U.S. is reluctant to enter into an agreement that would tie its hands in a type of warfare that has proven itself to be so effective.
But this presents a problem. If we don't reach some sort of accommodation with the rest of the world, we stand to lose a great deal. Right now, the only defense we have against China's persistent attacks on our government and commercial infrastructure is to spend more money defending ourselves, and to create a bigger government agency to oversee this. Meanwhile, other nations, seeing the U.S. conducting a cyber war without constraint, have little reason to hold back themselves.
So the Russians have a point. As was the case with nuclear weapons, the fact that we can do something doesn't mean we should do it. Right now, we probably have the ability to destroy the economy of a nation if we set our mind to it. So do the Russians, the French, the British and the Israelis. So too do the Chinese, probably the Indians, and much of Western Europe. In the process, your company gets a big target on its back.