Inside Cyber Warfare Part 4

Israeli Retaliation.

Israel and its supporters have also partic.i.p.ated in this cyber conflict in a couple of ways. The Israeli government is behind an effort to recruit supporters who speak languages other than Hebrew-mostly new immigrants-to flood blogs with pro-Israel opinions. The Israel Defense Forces has hacked a television station belonging to Hamas. Supporters of Israel have also been hacking pro-Palestinian Facebook groups, using fake login pages and phis.h.i.+ng emails to collect the login details of group members.

According to the administrators of Gaza Hacker Team, pro-Israel activists are also pressuring hosting companies to cut off service to hacker websites. After the Gaza Hacker Team defaced the Kadima party website, they reported that their US-based hosting company denied them service after being subjected to "Jewish" pressure.

Perhaps the most creative tactic employed by Israel's supporters is the development of a voluntary botnet. Developed by a group of Israeli hacktivists known as Help Israel Win, the distributed denial of service tool called Patriot is designed to attack anti-Israel websites.

Once installed and executed, Patriot opens a connection to a server hosted by Defenderhosting.com. It runs in the background of a PC and does not have a configurable user interface that would allow the user to control which sites to attack. Rather, the server at Defenderhosting.com likely updates the client with the IP addresses to target.

Help Israel Win describes itself as "a group of students who are tired of sitting around doing nothing while the citizens of Sderot and the cities around the Gaza Strip are suffering." Their stated goal is to create "a project that unites the computer capabilities of many people around the world. Our goal is to use this power in order to disrupt our enemy's efforts to destroy the state of Israel." The Help Israel Win website is registered to Ron Shalit of Haifa, Israel.

Control the Voice of the Opposition by Controlling the Content in Cybers.p.a.ce: Nigeria.

Cyber wars are not always fought between states or between nonstate actors; sometimes they are fought between a government and its political opponents. This is precisely the case in Nigeria, where the Information Minister Dora Akunyili, with the support of Nigeria's President Umaru Yar'adua, has launched a $5 million campaign to support and create government-friendly websites. The objective, according to a June 16, 2009, news report filed by Saharareporters, is "to do everything to ensure that websites like yours (saharareporters.com) and others are stopped from taking root in Nigeria."

Additionally, the plan calls for paying forum administrators to create discussion threads about topics created by Akunyili that will serve to cast the administration in the most favorable light.

A third plank of the plan accelerates the arrest and detention of opposition bloggers at airports or other entry points into Nigeria. Civil actions against negative posters could include the filing of a libel lawsuit against them by the government.

Are Nonstate Hackers a Protected a.s.set?.

It would seem so. Instances of prosecution of Russian or Chinese hackers involved in foreign website attacks are so few as to be statistically insignificant. A news article written by Xinhua News Agency writers Zhou Zhou and Yuan Ye ent.i.tled "Experts: Web Security a pressing challenge in China" for China View (August 8, 2009) relates the pervasive security challenges China's online population, which numbers almost 340 million, faces. The only illegal acts prosecuted by the PRC are online attacks causing financial harm to China; for example, two men from Yanbian County in Jilin Province were recently arrested and prosecuted for breaking into online banking systems and stealing 2.36 million yuan ($345,269 US). All other types of attacks, according to Li Xiaodong, deputy director of the China Internet Network Information Center (CNNIC), fall into a "grey area."

Similarly, in the Russian Federation, the police are interested only in arresting hackers for financial crimes against Russian companies. Hacking attacks cloaked in nationalism are not only not prosecuted by Russian authorities, but they are encouraged through their proxies, the Russian youth a.s.sociations, and the Foundation for Effective Policy.

Chapter 3. The Legal Status of Cyber Warfare.

Although cyber warfare has been around for a decade or so, it still has not been well defined. As of this writing, there is no international treaty in place that establishes a legal definition for an act of cyber aggression. In fact, the entire field of international cyber law is still murky.

The NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE) published a paper on the subject in November 2008 ent.i.tled "Cyber Attacks Against Georgia: Legal Lessons Identified." In it, the authors discuss possible applicability of the Law of Armed Conflict (LOAC) to the cyber attacks that occurred during the Russia-Georgia War of August 2008.

LOAC, also known as the International Humanitarian Law, relies on two primary rule groups: jus ad bellum and jus ad bello, which is Latin for "justice to war" and "justice in war," respectively. In other words, there are rules for how a country proceeds to a state of war and, once there, for how it conducts its war effort.

On May 8, 2009, the head of the US Strategic Command, US Air Force General Kevin P. Chilton, was quoted in Stars and Stripes as saying "[t]he Law of Armed Conflict will apply to this domain." It is still unclear how many other nations will adopt that same approach, particularly the Russian Federation and the People's Republic of China.

Amit Sharma, deputy director of India's Ministry of Defense-Defense Research and Development Organization, prefers a different approach, one styled after the Mutually a.s.sured Destruction (MAD) model of nuclear deterrence: You can talk endlessly about the law of armed conflict, but a treaty would not be achieved. ... The only viable solution is one of cyber deterrence.

According to a June 27, 2009, New York Times article ent.i.tled "US and Russia Differ on a Treaty for Cybers.p.a.ce": Russia favors an international treaty along the lines of those negotiated for chemical weapons and has pushed for that approach at a series of meetings this year and in public statements by a high-ranking official.

The United States argues that a treaty is unnecessary. It instead advocates improved cooperation among international law enforcement groups. If these groups cooperate to make cybers.p.a.ce more secure against criminal intrusions, their work will also make cybers.p.a.ce more secure against military campaigns, American officials say.

These areas of dispute are reflected in the multiple faces of cyber aggression: Cyber attacks against government or critical civilian websites or networks without accompanying military force Cyber attacks against government or critical civilian websites or networks with accompanying military force Cyber attacks against internal political opponents Cyber intrusions into critical infrastructure and networks Acts of cyber espionage How many of these real-world attacks should be considered acts of cyber warfare? All? None? Only those that can be attributed directly to a nation-state?

The first thing to realize is that legally there is no such concept as an act of war, cyber or otherwise. The UN Charter lays out when a nation-state can use force in self-defense against an act of aggression, but it refers entirely to armed conflict. Other treaties may provide a better framework for establis.h.i.+ng definitions for cyber aggression, and these are thoroughly examined in a 2009 paper by Scott Shackleford ent.i.tled "From Nuclear War to Net War: a.n.a.logizing Cyber Attacks in International Law," published in the Berkeley Journal of International Law (BJIL), Vol 25 No 3.

Shackleford lists a few treaty regimes that may be useful in constructing an international cyber treaty: Nuclear nonproliferation treaties.

The Antarctic Treaty System and s.p.a.ce law.

United Nations Convention on the Law of the Sea (UNCLOS).

Mutual Legal a.s.sistance Treaties (MLAT).

Nuclear Nonproliferation Treaties.

Nuclear nonproliferation treaties are designed to limit the spread of nuclear weapons at the very earliest stages of development, i.e., at the nuclear reactor level. They were used most recently in Iran when it refused to fully cooperate with the International Atomic Energy Agency (IAEA).

Nonproliferation treaties work because the components of creating a nuclear device are highly restricted and closely monitored by the IAEA as well as by various governments that have their own agencies monitoring such activities (e.g., US Nuclear Emergency Support Team [NEST]).

Unfortunately, the genie is already out of the bottle when it comes to the components of cyber warfare. Everything that an attacker needs is in wide distribution and freely available or available at a reasonable price. That pretty much kills the effectiveness of any proposed nonproliferation-type treaty aimed at keeping states from engaging in or developing a cyber warfare capability.

While there has been some hyperbole on the part of military officials in Russia and the United States around the issue of scale and proportionality in response to a large-scale cyber attack,[2] neither nation has a policy to deal with it.

Can a cyber attack rise to the level of a nuclear attack? Not in and of itself, but a sufficiently large-scale cyber attack that takes down critical networks and in turn results in systemic failures of safety systems at nuclear power plants could have devastating consequences, including loss of life.*[2] For example, "Russia retains the right to use nuclear weapons first against the means and forces of information warfare, and then against the aggressor state itself" (Col. V.I.Tsymbal, 1995); cyber warfare is "a close third behind the proliferation of weapons of ma.s.s destruction and the use by terrorists of a nuclear, biological, or chemical weapon" (former CIA Director John Deutch, 1996).

The Antarctic Treaty System and s.p.a.ce Law.

Cybers.p.a.ce has frequently been compared to outer s.p.a.ce, as both are boundless and unregulated. Surprisingly, there is no prohibition against using outer s.p.a.ce as a weapons platform unless it involves the use of nuclear weapons, which is prohibited by international treaty, and/or such weapons are placed on a planetary body such as the moon, which is also prohibited. The void in between, however, is still unregulated.

One of the obstacles in applying this a.n.a.logy to cyber attacks is that few nations have or can reasonably expect to have the ability to wage war in outer s.p.a.ce, whereas over 120 nations have the ability to wage war in cybers.p.a.ce. Another problem is a difference in the threat potential of a cyber attack compared to launching a nuclear weapon from s.p.a.ce. There is no one cyber attack that can be compared to the devastation caused by one nuclear weapon, although theoretically the use of a mega-sized botnet like Conficker C involving millions of zombie computers might come close to delivering a network equivalent.

An alternative to banning a type of weapon in a domain is to ban all weapons in a domain, similar to the Antarctic Treaty System (ATS). Under that treaty regime, Antarctica is off-limits to all types of military development by any nation and is to be used only for peaceful purposes. This won't a.n.a.logize for cyber warfare because it's impossible to differentiate between code used for peaceful purposes and code used for malicious purposes.

Another problem with the Antarctic a.n.a.logy is that no recognizable boundaries exist in cybers.p.a.ce and there are very few reliable ways to artificially create them. Recently, an attack against US government websites originated from a server on US soil via a VPN connection with a server in the UK that controlled a number of command and control servers scattered among other nations that in turn directed a botnet to attack South Korean and US government websites. The South Korean Intelligence Service, along with the press and Rep. Pete Hoekstra (R-Michigan), were convinced that the attacks originated in North Korea. The congressman called for the US military to lauch a counter cyber attack against the North Koreans. Had the congressman had his way and the actual source of the attack been targeted, the city of Miami might never have been the same.

UNCLOS.

UNCLOS stands for the United Nations Convention on the Law of the Sea treaty. Like outer s.p.a.ce, the oceans offer a comparable a.n.a.logy to cybers.p.a.ce in their vastness and in how nations have agreed to interact in what we identify as international waters.

Problems arose with UNCLOS III when the United States, Germany, and the UK balked at the UN's attempts to inst.i.tute technology transfer requirements. Technology, it seems, consistently poses challenges to any treaty regime that attempts to regulate its development-a foreshadowing of the legal difficulties that are present with acts of cyber warfare. In other words, if technology transfer hit a wall with UNCLOS, things aren't going to get any easier with a cyber warfare treaty modeled after it.

MLAT.

Mutual Legal a.s.sistance Treaties are a catch-all for individualized cooperation agreements between nations, such as joint law enforcement efforts, extradition treaties, and so on. The United States currently appears to be pursuing this approach, whereas the Russian Federation prefers the a.n.a.logy of treating cyber warfare as a weapon of ma.s.s destruction (WMD) and banning its use under an appropriate treaty regime.

United States Versus Russian Federation: Two Different Approaches.

The New York Times reported on June 27, 2009, that Russia and the United States were b.u.t.ting heads on how to approach cyber warfare from an international perspective. Russia's position is that it should be modeled after the Chemical Weapons Treaty or other arms control-type treaties, whereas the United States would prefer to engage international law enforcement in cooperating more closely to catch cyber criminals. Many cyber criminals are also engaged as nonstate hackers during times of cyber conflict, so this strategy would have a two-tiered benefit of securing the Web against acts of cyber crime and cyber warfare.

One Russian argument against the US position was published in Moscow Military Thought (March 31, 2007) ent.i.tled "Russian Federation Military Policy in the Area of International Information Security: Regional Aspect": International legal acts regulating relations arising in the process of combating cyber crime and cyber terrorism must not contain norms violating such immutable principles of international law as noninterference in the internal affairs of other states, and the sovereignty of the latter.

Moreover, politically motivated cyber attacks executed on orders from governmental structures can be qualified as military crimes with all the ensuing procedures of investigation and criminal persecution of the culprits. Besides, military cyber attacks can be considered as a subject of international public law. In this case, we should speak about imposing restrictions on development and use of computers intended to bring hostile influences to bear on objects in other states' cybers.p.a.ce.

In any event, the military policy in the area of international information security where it involves opposition to cyber terrorism and cyber crime should be directed at introducing international legal mechanisms that would make it possible to contain potential aggressors from uncontrolled and surrept.i.tious use of cyber weapons against the Russian Federation and its geopolitical allies.

Clearly, Russia was formulating its policy in this area prior to 2007, and it has not changed in the years since. Although the reason expressed is one of national sovereignty and noninterference, such a position also protects Russia's key strategic a.s.set in its cyber a.r.s.enal: its own population of highly educated, patriotic hackers who are more than willing to fight on their country's behalf in the domain of cybers.p.a.ce.

The Law of Armed Conflict.

Interestingly, Shackleford does not address the LOAC at all in his paper, which goes to show just how diverse the opinions are of legal experts who focus on this field. Instead, he attempts to make the case that: The best way to ensure a comprehensive approach to lessening the occurrence of IW is through a new international accord dealing exclusively with state-sponsored cyber attacks in international law, including the creation of a standing emergency response body along the lines of WCERT proposed above. The United States should drop its opposition to such a treaty regime. Without such an organization, the international community will lurch from case-to-case with the worry that next time, the case of Estonia may resemble merely a step along the way to Net War Version 2.0. When IW reaches the scale of nuclear war, a new and distinct regime incorporating elements of existing international law, notably IHL, is required lest nations risk systemic infrastructure crashes that not only will cripple societies, but could quite possible shake the Information Age to its foundations.

If the LOAC is used as a guideline to determine what is and is not cyber warfare, the attack must conform to certain rules. First, LOAC applies only once armed conflict has been initiated. Next, cyber incidents that correspond with the armed conflict must be attributable to a specific government. Then there is the issue of harmful intent. Did the cyber incident cause injury or damages (monetary, physical, or virtual)?

Attribution can be direct or indirect, according to international law as interpreted in "Cyber Attacks Against Georgia: Legal Lessons Identified" auth.o.r.ed by Eneken Tikk et al. (NATO, 2008). According to Tikk and her team: The governing principle of state responsibility under international law has been that the conduct of private actors-both ent.i.ties and persons-is not attributable to the state, unless the state has directly and explicitly delegated a part of its tasks and functions to a private ent.i.ty. A s.h.i.+ft in this rigid paradigm can be observed in the developments of recent years: e.g. the International Criminal Tribunal for the former Yugoslavia in the Tadic case 104 and further by the international community in relation to the U.S. Operation Enduring Freedom in 2001. However, the current view for attribution still requires some form of overall control by the state.

The legal precedents referred to in the preceding quote are worth reading. Each follows with a brief summary of its import: Jinks, D. "State Responsibility for the Acts of Private Armed Groups," Chicago Journal of International Law, 4 (2003), 8395, p.88.

"In the Nicaragua case, the International Court of Justice (ICJ) noted that the state may be held responsible for the conduct of private actors only if it executed effective control over such actors. Hence, the ICJ could not hold the United States responsible for the conduct of the contra rebels, because the United States did not exercise effective control over the contras. The Court also noted that, in order for the conduct of private actors to give rise to legal responsibility of the state, it would have to be proved that the state indeed had effective control over the conduct of private actors."

Prosecutor v. Tadic-ICTY Case No. IT-94-1, 1999; Jinks, p.8889.

"The Tadic case lowered the threshold for imputing private acts to states and concluded that states only need to exercise overall control over private actors in order to attribute to the state any unlawful acts of the actors. The ICTY in its reasoning held that the 'effective control' criterion of the ICJ was contrary to the very logic of state responsibility and that it was inconsistent with state and judicial practice."

Jinks, supra note 103, p.8587.

"Compared to the Tadic case, the U.S. Operation Enduring Freedom in turn lowered the threshold for attribution because the U.S. sought to impute al Qaeda's conduct to Afghanistan simply because its official regime Taliban had harboured and supported the terrorist group (irrespective of whether Afghanistan exercised effective or overall control). The international community among with several important international organisations endorsed the U.S approach and determined that under international instruments the attacks of September 11 const.i.tuted armed attacks which triggered the U.S inherent right of self-defence. The UN, NATO and the OAS also attributed the terrorist attacks of al Qaeda to the Taliban regime."

After discussing the iteration of international law in the question of attribution, Tikk breaks it down to a more basic legal principle: that of agency (i.e., has a person acted as an agent of a state, and do his actions equate to actions by the state?). Also, could the state have acted to prevent the harmful actions of the private party if it chose to?

In the case of Georgia and Estonia, Tikk and her team concluded that there is not sufficient evidence to prove state involvement, which is a requirement for the agency argument.

International agreements are being discussed as this book is written that will clarify the legal standing of nations and nonstate actors in cyber events, conflicts, and war.

Is This an Act of Cyber Warfare?

The following sections address cyber attacks that have occurred since the Russia-Georgia conflict of August 2008, all of which have been characterized by various media sources as acts of cyber war. The question that this chapter aims to address is: how accurate is that depiction?

South Korea.