Keep Cyberwar Narrow
For too many Americans, “cyber warfare” is an amorphous concept that conjures everything from Hollywood’s Die Hard 4.0 to the blue screen of death on our personal computers.
The absence of a clear understanding of what cyber warfare is—and more importantly, what it is not—continues to present challenges to even the most experienced technologists and policy makers responsible for the safety of global networks and the laws and policies that govern cyberspace. Even these experienced professionals all too often confuse cybercrime and espionage with cyber attacks and cyber warfare. These are all very different phenomena and call for responses that fall under mutually exclusive sections of U.S. Code, making it increasingly important that malicious cyber activities are accurately described.
Although I focus on functions and platforms for armed attacks in cyberspace, if there is political will, there is always a risk of escalating a case of espionage or crime to international armed conflict.
Business vs. National Security
In common parlance, people conflate “cyberspace” with the “Internet,” and “cyber attack” with “cyber exploitation” or “denial of service disruption.” This is, in part, due to a conflation of information and communication technologies (ICT) that are used globally with industrial control systems (ICS), which are not the same. Societies rely on ICS to deliver utilities and other services on which life in the twenty-first century depends. A recent executive order issued by President Obama takes a necessary step toward distinguishing between ICT and ICS systems, but confusion still remains in defining cyber attacks.
Cyberspace includes both open, multifunction networks like the Internet, and closed, fixed-function networks like industrial or building control systems. The two types of networks are fundamentally different. On the one hand, open, multifunction networks rely on the principle of network utility maximization. That is, the greater the number of users on the network, the greater the utility of the network. On the other hand, closed, fixed-function networks must assure that information travelling from sensors to operators is always available, trusted and authentic.
Should ICS processes fail, equipment damage, physical destruction and loss of life will occur. Indeed, several incidents have already taken place where widespread destruction was the result of an ICS malfunction. One such example is the 2009 San Bruno, California pipeline explosion. This disaster was caused by an electronic anomaly and resulted in a massive explosion, causing death and destruction. This is an example of what could be caused by a cyber attack, and lends support to the need to distinguish between cybercrime/espionage and cyber attack.
Existing international legal frameworks provide clarity on how law and policy should treat instances of cyber attack. The Tallinn Manual on the International Law Applicable to Cyber Warfare, perhaps the most comprehensive work on the issue today, offers the definition of a cyber attack as a “cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”
Cyber events breaching the threshold of armed attack require the use of cyberweapons. These differ substantially from other malicious code. While a cyberweapon can be software designed to manipulate industrial control functions, it can also be hardware flaws introduced into critical systems. Due to the complexity of ICS, the skill level required to discover zero-day vulnerabilities, as well as the infrastructure required to find targets, gain access and execute the attack, require significant financial and human capital. To date, only Stuxnet has risen to the level of a cyber incident that could be considered an armed attack under international law, since it caused the physical destruction of objects. Although the Shamoon virus impacting the critical energy sector destroyed virtual records, these were restored without widespread destruction or physical injury. Given that Shamoon targeted business processes and not ICS systems, the incident did not rise to the level of a cyber attack.