For too many Americans, “cyber warfare” is an amorphous concept that conjures everything from Hollywood’s Die Hard 4.0 to the blue screen of death on our personal computers.
The absence of a clear understanding of what cyber warfare is—and more importantly, what it is not—continues to present challenges to even the most experienced technologists and policy makers responsible for the safety of global networks and the laws and policies that govern cyberspace. Even these experienced professionals all too often confuse cybercrime and espionage with cyber attacks and cyber warfare. These are very different phenomena, and they call for responses that fall under mutually exclusive sections of the U.S. Code, which makes it increasingly important that malicious cyber activities be described accurately.
Although I focus here on the functions and platforms used for armed attacks in cyberspace, it should be kept in mind that, given the political will, a case of espionage or crime can always be escalated into an international armed conflict.
Business vs. National Security
In common parlance, people conflate “cyberspace” with the “Internet,” and “cyber attack” with “cyber exploitation” or “denial of service disruption.” This is, in part, due to a conflation of the information and communication technologies (ICT) used globally with industrial control systems (ICS), which are not the same. Societies rely on ICS to deliver utilities and other services on which life in the twenty-first century depends. A recent executive order issued by President Obama takes a necessary step toward distinguishing between ICT and ICS, but confusion remains in defining cyber attacks.
Cyberspace includes both open, multifunction networks like the Internet, and closed, fixed-function networks like industrial or building control systems. The two types of networks are fundamentally different. On the one hand, open, multifunction networks rely on the principle of network utility maximization: the greater the number of users on the network, the greater the utility of the network. On the other hand, closed, fixed-function networks must assure that information travelling from sensors to operators is always available, trusted and authentic.
When ICS processes fail, the consequences can include equipment damage, physical destruction and loss of life. Indeed, several incidents have already taken place in which widespread destruction resulted from an ICS malfunction. One such example is the 2010 San Bruno, California pipeline explosion. In that case a power failure in the pipeline's control system caused a pressure surge that ruptured a defectively welded pipe segment, producing a massive explosion, deaths and the destruction of a neighborhood. The event was not an attack, but it illustrates the kind of physical effect a cyber attack on an ICS could produce, and it lends support to the need to distinguish between cyber crime/espionage and cyber attack.
Existing international legal frameworks provide clarity on how law and policy should treat instances of cyber attack. The Tallinn Manual on the International Law Applicable to Cyber Warfare, perhaps the most comprehensive work on the issue today, defines a cyber attack as a “cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”
Cyber events breaching the threshold of armed attack require the use of cyberweapons. These differ substantially from other malicious code. While a cyberweapon can be software designed to manipulate industrial control functions, it can also be a hardware flaw introduced into a critical system. Because of the complexity of ICS, the skill required to discover zero-day vulnerabilities, and the infrastructure required to find targets, gain access and execute the attack, building a cyberweapon demands significant financial and human capital. To date, only Stuxnet has risen to the level of a cyber incident that could be considered an armed attack under international law, since it caused the physical destruction of objects. Although the Shamoon malware that struck the critical energy sector wiped data from corporate workstations, that data was restored without widespread destruction or physical injury. Given that Shamoon targeted business IT systems and not ICS, the incident did not rise to the level of a cyber attack.
Some argue that illicit system access could, at the flip of a switch, cause destruction, and that this is what makes cyber warfare “different.” This oft-cited claim is groundless. Remote access tools (RATs), such as Gauss, could serve the same function as a laser guiding a weapon to its final target. But a targeting laser is only part of a weapon system; the missile's warhead is the object in the system that actually creates destructive effects. Similarly, in the case of a cyberweapon, a separate package has to be developed to exploit vulnerabilities and cause physical effects resulting in death or destruction. Given the unique characteristics of an ICS, a cyberweapon could not create an effect without being tailor-made for a specific target's digital and physical environment. In short, this requires ICS schematics, network maps, application developers, cryptographers and a virtual environment replicating the target for sensor and weapon tests before deployment. Arguing otherwise is akin to claiming that a SEAL commander would turn a reconnaissance mission on its first foray into Abbottabad into an all-out assault against the bin Laden compound and expect a high likelihood of success. Both instances require diligent preparation prior to execution.