Chapter 3. The Legal Status of Cyber Warfare

Although cyber warfare has been around for a decade or so, it still has not been well defined. As of this writing, there is no international treaty in place that establishes a legal definition for an act of cyber aggression. In fact, the entire field of international cyber law is still murky.

The NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE) published a paper on the subject in November 2008 entitled “Cyber Attacks Against Georgia: Legal Lessons Identified.” In it, the authors discuss possible applicability of the Law of Armed Conflict (LOAC) to the cyber attacks that occurred during the Russia-Georgia War of August 2008.

LOAC, also known as the International Humanitarian Law, relies on two primary rule groups: jus ad bellum and jus in bello, which are Latin for “justice to war” and “justice in war,” respectively. In other words, there are rules for how a country proceeds to a state of war and, once there, for how it conducts its war effort.

On May 8, 2009, the head of the US Strategic Command, US Air Force General Kevin P. Chilton, was quoted in Stars and Stripes as saying “[t]he Law of Armed Conflict will apply to this domain.” It is still unclear how many other nations will adopt that same approach, particularly the Russian Federation and the People’s Republic of China.

Amit Sharma, deputy director of India’s Ministry of Defense—Defense Research and Development Organization, prefers a different approach, one styled after the Mutually Assured Destruction (MAD) model of nuclear deterrence:

You can talk endlessly about the law of armed conflict, but a treaty would not be achieved. ... The only viable solution is one of cyber deterrence.

According to a June 27, 2009, New York Times article entitled “US and Russia Differ on a Treaty for Cyberspace”:

Russia favors an international treaty along the lines of those negotiated for chemical weapons and has pushed for that approach at a series of meetings this year and in public statements by a high-ranking official.

The United States argues that a treaty is unnecessary. It instead advocates improved cooperation among international law enforcement groups. If these groups cooperate to make cyberspace more secure against criminal intrusions, their work will also make cyberspace more secure against military campaigns, American officials say.

These areas of dispute are reflected in the multiple faces of cyber aggression:

  • Cyber attacks against government or critical civilian websites or networks without accompanying military force

  • Cyber attacks against government or critical civilian websites or networks with accompanying military force

  • Cyber attacks against internal political opponents

  • Cyber intrusions into critical infrastructure and networks

  • Acts of cyber espionage

How many of these real-world attacks should be considered acts of cyber warfare? All? None? Only those that can be attributed directly to a nation-state?

The first thing to realize is that legally there is no such concept as an act of war, cyber or otherwise. The UN Charter lays out when a nation-state can use force in self-defense against an act of aggression, but it refers entirely to armed conflict. Other treaties may provide a better framework for establishing definitions for cyber aggression, and these are thoroughly examined in a 2009 paper by Scott Shackleford entitled “From Nuclear War to Net War: Analogizing Cyber Attacks in International Law,” published in the Berkeley Journal of International Law (BJIL), Vol 25 No 3.

Shackleford lists a few treaty regimes that may be useful in constructing an international cyber treaty:

  • Nuclear nonproliferation treaties

  • The Antarctic Treaty System and Space law

  • United Nations Convention on the Law of the Sea (UNCLOS)

  • Mutual Legal Assistance Treaties (MLAT)

Nuclear Nonproliferation Treaties

Nuclear nonproliferation treaties are designed to limit the spread of nuclear weapons at the very earliest stages of development, i.e., at the nuclear reactor level. They were used most recently in Iran when it refused to fully cooperate with the International Atomic Energy Agency (IAEA).

Nonproliferation treaties work because the components of creating a nuclear device are highly restricted and closely monitored by the IAEA as well as by various governments that have their own agencies monitoring such activities (e.g., US Nuclear Emergency Support Team [NEST]).

Unfortunately, the genie is already out of the bottle when it comes to the components of cyber warfare. Everything that an attacker needs is in wide distribution and freely available or available at a reasonable price. That pretty much kills the effectiveness of any proposed nonproliferation-type treaty aimed at keeping states from engaging in or developing a cyber warfare capability.

While there has been some hyperbole on the part of military officials in Russia and the United States around the issue of scale and proportionality in response to a large-scale cyber attack,[2] neither nation has a policy to deal with it.

Can a cyber attack rise to the level of a nuclear attack? Not in and of itself, but a sufficiently large-scale cyber attack that takes down critical networks and in turn results in systemic failures of safety systems at nuclear power plants could have devastating consequences, including loss of life.

The Antarctic Treaty System and Space Law

Cyberspace has frequently been compared to outer space, as both are boundless and unregulated. Surprisingly, there is no prohibition against using outer space as a weapons platform unless it involves the use of nuclear weapons, which is prohibited by international treaty, and/or such weapons are placed on a planetary body such as the moon, which is also prohibited. The void in between, however, is still unregulated.

One of the obstacles in applying this analogy to cyber attacks is that few nations have or can reasonably expect to have the ability to wage war in outer space, whereas over 120 nations have the ability to wage war in cyberspace. Another problem is a difference in the threat potential of a cyber attack compared to launching a nuclear weapon from space. There is no one cyber attack that can be compared to the devastation caused by one nuclear weapon, although theoretically the use of a mega-sized botnet like Conficker C involving millions of zombie computers might come close to delivering a network equivalent.

An alternative to banning a type of weapon in a domain is to ban all weapons in a domain, similar to the Antarctic Treaty System (ATS). Under that treaty regime, Antarctica is off-limits to all types of military development by any nation and is to be used only for peaceful purposes. This won’t analogize for cyber warfare because it’s impossible to differentiate between code used for peaceful purposes and code used for malicious purposes.

Another problem with the Antarctic analogy is that no recognizable boundaries exist in cyberspace and there are very few reliable ways to artificially create them. Recently, an attack against US government websites originated from a server on US soil via a VPN connection with a server in the UK that controlled a number of command and control servers scattered among other nations that in turn directed a botnet to attack South Korean and US government websites. The South Korean Intelligence Service, along with the press and Rep. Pete Hoekstra (R-Michigan), were convinced that the attacks originated in North Korea. The congressman called for the US military to launch a counter cyber attack against the North Koreans. Had the congressman had his way and the actual source of the attack been targeted, the city of Miami might never have been the same.

UNCLOS

UNCLOS stands for the United Nations Convention on the Law of the Sea treaty. Like outer space, the oceans offer a comparable analogy to cyberspace in their vastness and in how nations have agreed to interact in what we identify as international waters.

Problems arose with UNCLOS III when the United States, Germany, and the UK balked at the UN’s attempts to institute technology transfer requirements. Technology, it seems, consistently poses challenges to any treaty regime that attempts to regulate its development—a foreshadowing of the legal difficulties that are present with acts of cyber warfare. In other words, if technology transfer hit a wall with UNCLOS, things aren’t going to get any easier with a cyber warfare treaty modeled after it.

MLAT

Mutual Legal Assistance Treaties are a catch-all for individualized cooperation agreements between nations, such as joint law enforcement efforts, extradition treaties, and so on. The United States currently appears to be pursuing this approach, whereas the Russian Federation prefers the analogy of treating cyber warfare as a weapon of mass destruction (WMD) and banning its use under an appropriate treaty regime.

United States Versus Russian Federation: Two Different Approaches

The New York Times reported on June 27, 2009, that Russia and the United States were butting heads on how to approach cyber warfare from an international perspective. Russia’s position is that it should be modeled after the Chemical Weapons Treaty or other arms control-type treaties, whereas the United States would prefer to engage international law enforcement in cooperating more closely to catch cyber criminals. Many cyber criminals are also engaged as nonstate hackers during times of cyber conflict, so this strategy would have a two-tiered benefit of securing the Web against acts of cyber crime and cyber warfare.

One Russian argument against the US position was published in Moscow Military Thought (March 31, 2007) entitled “Russian Federation Military Policy in the Area of International Information Security: Regional Aspect”:

International legal acts regulating relations arising in the process of combating cyber crime and cyber terrorism must not contain norms violating such immutable principles of international law as noninterference in the internal affairs of other states, and the sovereignty of the latter.

Moreover, politically motivated cyber attacks executed on orders from governmental structures can be qualified as military crimes with all the ensuing procedures of investigation and criminal persecution of the culprits. Besides, military cyber attacks can be considered as a subject of international public law. In this case, we should speak about imposing restrictions on development and use of computers intended to bring hostile influences to bear on objects in other states’ cyberspace.

In any event, the military policy in the area of international information security where it involves opposition to cyber terrorism and cyber crime should be directed at introducing international legal mechanisms that would make it possible to contain potential aggressors from uncontrolled and surreptitious use of cyber weapons against the Russian Federation and its geopolitical allies.

Clearly, Russia was formulating its policy in this area prior to 2007, and it has not changed in the years since. Although the reason expressed is one of national sovereignty and noninterference, such a position also protects Russia’s key strategic asset in its cyber arsenal: its own population of highly educated, patriotic hackers who are more than willing to fight on their country’s behalf in the domain of cyberspace.

The Law of Armed Conflict

Interestingly, Shackleford does not address the LOAC at all in his paper, which goes to show just how diverse the opinions are of legal experts who focus on this field. Instead, he attempts to make the case that:

The best way to ensure a comprehensive approach to lessening the occurrence of IW is through a new international accord dealing exclusively with state-sponsored cyber attacks in international law, including the creation of a standing emergency response body along the lines of WCERT proposed above. The United States should drop its opposition to such a treaty regime. Without such an organization, the international community will lurch from case-to-case with the worry that next time, the case of Estonia may resemble merely a step along the way to Net War Version 2.0. When IW reaches the scale of nuclear war, a new and distinct regime incorporating elements of existing international law, notably IHL, is required lest nations risk systemic infrastructure crashes that not only will cripple societies, but could quite possibly shake the Information Age to its foundations.

If the LOAC is used as a guideline to determine what is and is not cyber warfare, the attack must conform to certain rules. First, LOAC applies only once armed conflict has been initiated. Next, cyber incidents that correspond with the armed conflict must be attributable to a specific government. Then there is the issue of harmful intent. Did the cyber incident cause injury or damages (monetary, physical, or virtual)?

Attribution can be direct or indirect, according to international law as interpreted in “Cyber Attacks Against Georgia: Legal Lessons Identified” authored by Eneken Tikk et al. (NATO, 2008). According to Tikk and her team:

The governing principle of state responsibility under international law has been that the conduct of private actors—both entities and persons—is not attributable to the state, unless the state has directly and explicitly delegated a part of its tasks and functions to a private entity. A shift in this rigid paradigm can be observed in the developments of recent years: e.g. the International Criminal Tribunal for the former Yugoslavia in the Tadic case and further by the international community in relation to the U.S. Operation Enduring Freedom in 2001. However, the current view for attribution still requires some form of overall control by the state.

The legal precedents referred to in the preceding quote are worth reading. Each is followed by a brief summary of its import:

Jinks, D. “State Responsibility for the Acts of Private Armed Groups,” Chicago Journal of International Law, 4 (2003), 83–95, p.88.

“In the Nicaragua case, the International Court of Justice (ICJ) noted that the state may be held responsible for the conduct of private actors only if it executed effective control over such actors. Hence, the ICJ could not hold the United States responsible for the conduct of the contra rebels, because the United States did not exercise effective control over the contras. The Court also noted that, in order for the conduct of private actors to give rise to legal responsibility of the state, it would have to be proved that the state indeed had effective control over the conduct of private actors.”

Prosecutor v. Tadic—ICTY Case No. IT-94-1, 1999; Jinks, p.88–89.

“The Tadic case lowered the threshold for imputing private acts to states and concluded that states only need to exercise overall control over private actors in order to attribute to the state any unlawful acts of the actors. The ICTY in its reasoning held that the ‘effective control’ criterion of the ICJ was contrary to the very logic of state responsibility and that it was inconsistent with state and judicial practice.”

Jinks, supra note 103, p.85–87.

“Compared to the Tadic case, the U.S. Operation Enduring Freedom in turn lowered the threshold for attribution because the U.S. sought to impute al Qaeda’s conduct to Afghanistan simply because its official regime Taliban had harboured and supported the terrorist group (irrespective of whether Afghanistan exercised effective or overall control). The international community along with several important international organisations endorsed the U.S. approach and determined that under international instruments the attacks of September 11 constituted armed attacks which triggered the U.S. inherent right of self-defence. The UN, NATO and the OAS also attributed the terrorist attacks of al Qaeda to the Taliban regime.”

After discussing the iteration of international law in the question of attribution, Tikk breaks it down to a more basic legal principle: that of agency (i.e., has a person acted as an agent of a state, and do his actions equate to actions by the state?). Also, could the state have acted to prevent the harmful actions of the private party if it chose to?

In the case of Georgia and Estonia, Tikk and her team concluded that there is not sufficient evidence to prove state involvement, which is a requirement for the agency argument.

International agreements are being discussed as this book is written that will clarify the legal standing of nations and nonstate actors in cyber events, conflicts, and war.

Is This an Act of Cyber Warfare?

The following sections address cyber attacks that have occurred since the Russia-Georgia conflict of August 2008, all of which have been characterized by various media sources as acts of cyber war. The question that this chapter aims to address is: how accurate is that depiction?

South Korea

On the July 4, 2009, weekend and continuing into the following week, a DDoS attack took down US and South Korean government and commercial websites for indeterminate periods of time. The South Koreans believed the government of the Democratic People’s Republic of Korea (DPRK) or its agent was responsible, whereas no formal opinion as to attribution was expressed by any US officials.

Iran

During the disputed Iranian presidential elections of June 14, 2009, hundreds of thousands of irate Iranians protested the results. One of the forms of protest was the use of DDoS attacks directed against Iranian government websites, using the popular social software service Twitter as an organizing platform.

Tatarstan

In June 2009, the president of Tatarstan’s website was knocked offline and Internet access was lost in an attack he attributes to the Russian Federal Security Service (FSB).

United States

On April 21, 2009, the Wall Street Journal reported that security around the Pentagon’s multi-billion-dollar Joint Strike Fighter project was compromised and several terabytes of data were stolen by unknown hackers presumed to be from the People’s Republic of China.

On July 4–6, 2009, a relatively small-scale DDoS attack of unknown origin was launched against about 25 US government websites, some of which became inaccessible for several days, including the Federal Trade Commission and the Department of the Treasury, while others on the target list, such as the White House website, were unaffected. A second and third wave of these attacks were launched in the following days against South Korean government websites.

Kyrgyzstan

On January 18, 2009, a DDoS attack shuttered two to three of the nation’s four ISPs for several days, denying Internet access to most of the population during a time of growing political unrest. It is still unclear who was responsible, but at least three theories have been floated around:

  • It was the Russian government in an attempt to force the Kyrgyzstan president to close the Manas Air Base to US traffic.

  • The Kyrgyzstan president hired nonstate Russian hackers for the purpose of denying the Internet as a medium to opposition parties.

  • It was the result of a power struggle between competing ISPs.

Israel and the Palestinian National Authority

Along with Israel’s military action against Hamas bases in the Palestinian National Authority in December 2008 (designated Operation Cast Lead), literally thousands of Israeli and Arabic websites were defaced, both government and civilian. (See Chapter 2 for a thorough look at the Gaza cyber war.) Hackers involved allegedly included members of the Israeli Defense Forces and Hamas, which makes this one of the few cyber events that involved official state involvement.

Zimbabwe

As reported by Concerned Africa Scholars in December 2008, in a paper entitled “The Glass Fortress: Zimbabwe’s Cyber Guerilla Warfare,” the Mugabe government has been silencing its opposition through jamming techniques on its airwaves and the Internet, as well as by monitoring all email traffic from domains ending in .zw. Both sides reportedly engaged in defacing websites and launching DDoS attacks. At the time the paper was written, these attacks had been occurring for at least five years.

Myanmar

On September 23, 2008, in anticipation of the first anniversary of the Saffron Uprising, the government launched DDoS attacks against three websites that support the monks: The Irrawaddy, the Oslo-based Democratic Voice of Burma (DVB), and the New Era in Bangkok. The newspaper the Australian covered the story that day, reporting:

The concerted attacks—which appear to originate in China, Russia and Europe as well as Burma—can only be the work of agents of the Burmese Government and may be an effort to compensate for its failure last year to stem the flow of images showing vast columns of unarmed demonstrators and their eventual dispersal under a rain of bullets and truncheons.

A representative of DVB reported that the attacks appeared to be coming from sites in Russia and China, which, if true, would indicate that the Myanmar government outsourced the attacks.

Cyber: The Chaotic Domain

The answer to the question posed earlier about which of the previously discussed events qualifies as an act of cyber war is “none of the above.” As of this writing, there is no legal entity known as “cyber war”; the only issue that has been defined by international agreement is a nation’s right to self-defense when attacked, and that applies only to the traditional manner of attack, i.e., “armed” attack.

The assortment of cyber attacks listed earlier, ranging from internal attempts to silence opposition movements (Zimbabwe, Kyrgyzstan) to state-employed hackers taking out strategic websites (Israel, the Palestinian National Authority), illustrates just how malleable this domain can be. Furthermore, it would be incredibly naive to think that every permutation of this domain has been seen by now, which raises the importance of regular war-gaming or other types of forward-thinking exercises. This, unfortunately, is not a universally agreed-upon strategy.

The Center for Strategic and International Studies (CSIS) issued a report in February 2009 entitled “The 20 most important controls and metrics for effective cyber defense and continuous FISMA compliance.” The following appeared in the report:

A central tenet of the US Comprehensive National Cybersecurity Initiative (CNCI) is that “offense must inform defense.” In other words, knowledge of actual attacks that have compromised systems provides the essential foundation on which to construct effective defenses. The US Senate Homeland Security and Government Affairs Committee moved to make this same tenet central to the Federal Information Security Management Act in drafting FISMA 2008. That new proposed legislation calls upon Federal agencies to:

Establish security control testing protocols that ensure that the information infrastructure of the agency, including contractor information systems operating on behalf of the agency, are effectively protected against known vulnerabilities, attacks, and exploitations (emphasis added).

This is an extremely short-sighted approach to security. A tier-one hacker’s favorite pursuit is the discovery of a zero-day exploit, which means finding a vulnerability in the software that no one else has yet discovered. To look only to the past as a defensive strategy means that our cyber security protocols will always be playing catch-up.

With the risk of discovery almost nil, a disputed legal status, and little in the way of unified international law enforcement collaboration, the cyber domain is today’s equivalent of the untamed American West during the 1800s. Keyboards have replaced revolvers and hackers are the new gunslingers. However, as with the other analogies, this one breaks down in one important respect: land is a physical, three-dimensional entity, and cyberspace is an electronic terrain that does not occupy physical space, yet through it flows ever-increasing amounts of data that may control physical processes.

From an adversary’s point of view, this is an ideal fighting ground. He can enter it unseen to conduct espionage or offensive attacks and escape without fear of being detected. The cost of entry is low, and a single person can have a significant impact (with the help of a botnet that can be rented or purchased). Furthermore, in many countries, including the United States, cyber attack defenses are scattered, uneven, and lack any coordination or consistency. Political infighting and the elevation of economic and health care challenges in the Obama White House pushed the issue of cyber security so far down the priority ladder that one prime candidate after another announced lack of interest in the position of cyber coordinator that President Obama announced in early 2009. The position was finally filled on December 22, 2009, with the appointment of Howard Schmidt.

One sign of the growing frustration over how to defend against cyber attacks was seen in August 2009 when the US Marine Corps announced a total ban on all social networking sites (SNS) on NIPRNET:

Not everyone agrees with the USMC’s new policy, including the chairman of the joint chiefs of staff, who said in an interview with Next.gov:

“Obviously we need to find right balance between security and transparency,” Adm. Mike Mullen Tweeted (http://twitter.com/TheJointStaff) after the Marine Corps said (http://www.nextgov.com/nextgov/ng_20090804_3800.php?oref=topnews) it would ban social networking sites. “We are working on that. But am I still going to tweet? You bet.”

While the US Department of Defense continues to study the issues surrounding the use of social media, the UK Ministry of Defense released its social software guidelines for service members on August 5, 2009.

The UK approach to managing its Defense Ministry personnel’s online activities is much saner and safer than an outright ban. The solution lies in discussion and training. A ban would simply drive the unwanted behavior underground, where it would morph into something potentially even more dangerous and unmanageable.



[2] For example, “Russia retains the right to use nuclear weapons first against the means and forces of information warfare, and then against the aggressor state itself” (Col. V.I.Tsymbal, 1995); cyber warfare is “a close third behind the proliferation of weapons of mass destruction and the use by terrorists of a nuclear, biological, or chemical weapon” (former CIA Director John Deutch, 1996).
