Keep Cyberwar Narrow
For too many Americans, “cyber warfare” is an amorphous concept that conjures everything from Hollywood’s Die Hard 4.0 to the blue screen of death on our personal computers.
The absence of a clear understanding of what cyber warfare is—and more importantly, what it is not—continues to present challenges to even the most experienced technologists and policy makers responsible for the safety of global networks and the laws and policies that govern cyberspace. Even these experienced professionals all too often confuse cybercrime and espionage with cyber attacks and cyber warfare. These are all very different phenomena and call for responses that fall under mutually exclusive sections of U.S. Code, making it increasingly important that discussions of malicious cyber activities are accurately described.
Although I focus on functions and platforms for armed attacks in cyberspace, if there is political will, there is always a risk of escalating a case of espionage or crime to international armed conflict.
Business vs. National Security
In common parlance, people conflate “cyberspace” with the “Internet,” and “cyber attack” with “cyber exploitation” or “denial of service disruption.” This is, in part, due to a conflation of information and communication technologies (ICT) that are used globally with industrial control systems (ICS), which are not the same. Societies rely on ICS to deliver utilities and other services on which life in the twenty-first century depends. A recent executive order issued by President Obama takes a necessary step toward distinguishing between ICT and ICS systems, but confusion still remains in defining cyber attacks.
Cyberspace includes both open, multifunction networks like the Internet, and closed, fixed-function networks like industrial or building control systems. The two types of networks are fundamentally different. On the one hand, open, multifunction networks rely on the principle of network utility maximization. That is, the greater the number of users on the network, the greater the utility of the network. On the other hand, closed, fixed-function networks must assure that information travelling from sensors to operators is always available, trusted and authentic.
Should ICS processes fail, equipment damage, physical destruction and loss of life will occur. Indeed, several incidents have already taken place where widespread destruction was the result of an ICS malfunction. One such example is the 2009 San Bruno, California pipeline explosion. This disaster was caused by an electronic anomaly and resulted in a massive explosion, causing death and destruction. This is an example of what could be caused by a cyber attack, and lends support for the need to distinguish between cyber crime/espionage and cyber attack.
Existing international legal frameworks provide clarity on how law and policy should treat instances of cyber attack. The Tallinn Manual on the International Law Applicable to Cyber Warfare, perhaps the most comprehensive work on the issue today, offers the definition of a cyber attack as a “cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”
Cyber events breaching the threshold of armed attack require the use of cyberweapons. These differ substantially from other malicious code. While a cyberweapon can be software designed to manipulate industrial control functions, it can also be hardware flaws introduced into critical systems. Due to the complexity of ICS, the skill level required to discover zero-day vulnerabilities and the infrastructure required to find targets, gain access and execute the attack demand significant financial and human capital. To date, only Stuxnet has risen to the level of a cyber incident that could be considered an armed attack under international law, since it caused the physical destruction of objects. Although the Shamoon virus impacting the critical energy sector destroyed virtual records, these were restored without widespread destruction or physical injury. Given that Shamoon targeted business processes and not ICS systems, the incident did not rise to the level of a cyber attack.
Some argue that illicit system access could, at the flip of a switch, cause destruction, which is what makes cyber warfare “different.” This oft-cited claim is groundless. Remote access tools (RAT), such as Gauss, could serve the same function as a laser guiding a weapon to the final target. But a targeting laser is only part of a weapons system. A missile’s warhead is the actual object in the weapon system creating destructive effects. Similarly, in the case of a cyberweapon, a separate package has to be developed to exploit vulnerabilities and cause physical effects resulting in death or destruction. Given the unique characteristics of an ICS, a cyberweapon could not create an effect without being tailor-made for a specific target’s digital and physical environment. In short, this requires ICS schematics, network maps, application developers, cryptographers and a virtual environment replicating the target to the sensor or weapons tests before deployment. Arguing otherwise is akin to making a claim that a SEAL commander would turn a reconnaissance mission on its first foray into Abbottabad into an all-out assault against the bin Laden compound, and expect a high likelihood of success. Both instances require diligent preparation prior to execution.
Threats to Peace and Acts of Aggression
Below the threshold of cyber attack are incidents and events that are aggressive but do not rise to the level of armed attack. The U.S. financial-service DDoS disruptions are an example of aggression. The theft of U.S. intellectual property by Chinese hackers is an example of cyber espionage. While such cases may have negative impacts on economic security, it is the right political circumstances that could cause national leadership to consider such an event casus belli, not the event itself. The acts of disrupting business services or stealing data are not an armed attack. Despite private-sector arguments to the contrary, industrial espionage is not cyberwarfare and would not require an armed response by the government. Instead, a crime has occurred that may have been prevented with better information security. Federal reform of laws such as the Computer Fraud and Abuse Act could allow private sector firms to protect themselves by actively responding to thefts of data—to include destroying what was stolen.
Discussions of cyber crime and cyber espionage must be clearly separated from discussions of cyber warfare. While we are certainly in a cyber Cold War, we are not in an international armed conflict in cyberspace. By continuing to employ terms interchangeably, the current discussion is drifting from issues of information security to issues of national security that warrant a military response. The paradigm required to address cyber crime and cyber espionage is not the same as that required to succeed in cyber warfare. Developing a clear distinction between various types of malicious cyber activity is critical as technologists and policy makers attempt to develop the means necessary to protect valuable information and critical infrastructure alike. The time for gross generalizations and sweeping assertions is at an end.
Cyber espionage, crime and war are very different and necessitate responses under different parts of the law. Consistency of definitions is essential. There cannot be a system of definitions for legal scholars and a conflicting system of definitions for the policy maker, technologist and layperson. It is on clear, common definitions and language that domestic policy and global norms of behavior will be built. Clarifying definitions will permit the establishment of policy tools, such as escalatory ladders.
Embargo and trade sanctions might be the correct approach in milder cases of gross intellectual-property theft, and serve as a warning of severe penalties to come should something escalate from cyberespionage to attack. In the early hours of malicious cyber events, the United States should diplomatically address criminal disputes. Claiming all malicious actions as cyberwarfare could result in threats of retaliation that, in a real cyberwar, could be discounted as a bluff. Vigorously grasping the situation we are in, rather than fearfully reacting and making desperate pronouncements, will prevent misperception by our adversaries and the public alike.
We should not be concerned with cyberwarfare, but with war. If there is ever a war between great and emerging great powers, we must assume that cyberweapons will be used—and apply the Law of Armed Conflict to their use until a more formal treaty or convention can be negotiated, signed and ratified.
Panayotis A. Yannakogeorgos is Research Professor of Cyber Policy and Global Affairs at the Air Force Research Institute. The views expressed here are solely those of the author and do not in any way represent the views of the Air Force Research Institute, the Air University or the United States Air Force.