Cyber Lawfare: Establishing Norms for Use of Cyber Weapons

1 12 2012

by Max Blumenthal

Cyberwar is upon us. That is the call being issued by top American cyber experts in the wake of increased attacks from Iran and China. The U.S. is also stepping up its offensive cyber capabilities. As Secretary of Defense Leon Panetta stated, “We are facing the threat of a new arena in warfare that could be every bit as destructive as 9/11” (Thompson). These attacks are often directed at private enterprises that are considered critical infrastructure, such as banks and utility companies. In conventional warfare, there is a clear distinction between attacking strategic targets and protecting civilians. In cyberwar, no such distinction currently exists. One way of beginning to protect civilians in a cyber conflict is to create a treaty for international humanitarian law for cyberwarfare (Schneier). This treaty should be modeled after previous international humanitarian law, such as the Geneva Conventions and arms limitations treaties.

Geneva Conventions

The four Geneva Conventions are internationally agreed-upon rules for nation-state conduct in warfare, created after the tragic loss of tens of millions of civilian lives during World War II. The first Geneva Convention requires states to protect wounded soldiers and to refrain from targeting medical personnel in a combat zone. The second Convention allows neutral parties to care for the wounded without being attacked by either side of a conflict. The third Convention extends protections to non-State actors, while the fourth Convention prohibits collective punishment. Additional Protocols prohibit perfidy and indiscriminate attacks on civilian targets, or total war (Red Cross).

In cyberwarfare, attacks should also respect these established norms. Perhaps the most important, yet most challenging to enforce, of these conventions is the prohibition against perfidy. Neil Rowe, of the Naval Postgraduate School, argues that most cyber-attacks are a form of perfidy in that they masquerade as a legitimate program but carry a malicious payload. When the payload is discovered, some attacks may try to frame another party in order to avoid reprisal attacks. Rowe suggests that, to prevent wrongful attribution of an attack, digital signatures could be required on cyber weapons, reducing the risk of collateral damage (Rowe). To allow for concealment of an attack while still providing attribution, these “signatures could be hidden steganographically”. The fourth Geneva Convention also offers an important rule for cyberwarfare: the prohibition against collective punishment. Unrestricted cyberwarfare should be eliminated. This means attacks on vital civilian systems, such as water treatment facilities and the financial system, should not occur, because they provide little military benefit but create massive civilian harm.

Arms Limitation or Weapons Ban

The Strategic Arms Limitation Talks agreements (SALT I and SALT II) sought to halt Soviet and American nuclear ballistic missile launcher production. In cyberwar, an arms limitation treaty has been championed by Russia and China and recently won the consideration of the United States (Gorman). Such a treaty could allow cyber weapon development and use against certain military systems, but outright ban weapons that seek to attack civilian infrastructure or military command and control systems. The greatest difficulty with such an agreement is enforcement. Unlike a physical weapon, a cyber weapon is fairly easy to conceal from inspectors (Goldsmith). Also, a treaty does not necessarily prevent countries from giving weapons technology to non-state actors, the main roadblock for U.S. adoption of the Russian proposal.

In contrast to an arms limitation treaty, an all-out ban has also proven effective for certain weapons. For example, the Biological Weapons Convention prohibits the production and use of biological and toxic arms in warfare. The reason for an all-out ban on biological weapons is that this kind of warfare was deemed indiscriminate and “abhorrent” (Red Cross) even in war. Poorly designed cyber weapons have the potential for significant unintended consequences. For example, a U.S. cyber attack on Iraq’s financial system in 2003 was called off because “Bush administration officials worried that the effects would not be limited to Iraq but would instead create worldwide financial havoc” (Markoff and Shanker). As with an arms limitation treaty, enforcement would be difficult, but inspectors would only need to find evidence of a cyber weapon’s development rather than determine the weapon’s target. Bruce Schneier recognizes that while this may be the ideal policy, a ban on “unaimed or broadly targeted weapons” (Schneier) would also have a significant positive effect and be easier to implement.

Conclusion

Besides a number of enforcement concerns, a treaty’s effectiveness is also hindered by the gray area that separates cyber war from cyber espionage. A treaty would need to govern computer network attacks but still allow for computer network exploitation. An all-out cyber weapons ban is unlikely to happen, but it is possible that certain weapons, such as those that target SCADA units, or certain targets could be banned. An arms limitation treaty offers a more moderate approach that allows some production and testing of weapons but requires unrestricted inspections, which may be difficult for rival nations to agree to. Finally, a treaty for cyberwarfare provides an opportunity to establish rules of engagement in cyberspace and has the potential to improve protections for civilians and to limit the development and deployment of cyber weapons determined to be so destructive that they are immoral, even in warfare.

_______________

  1. Goldsmith, Jack. “Cybersecurity Treaties: A Skeptical View.” 9 March 2011. Hoover Institute Task Force on National Security and Law. 29 October 2012 <http://media.hoover.org/sites/default/files/documents/FutureChallenges_Goldsmith.pdf>.
  2. Gorman, Siobhan. “U.S. Backs Talks on Cyber Warfare.” 4 June 2010. Wall Street Journal. 29 October 2012 <http://online.wsj.com/article/SB10001424052748703340904575284964215965730.html>.
  3. Markoff, John and Thom Shanker. “Halted ’03 Iraq Plan Illustrates U.S. Fear of Cyberwar Risk.” 1 August 2009. New York Times. 29 October 2012 <http://www.nytimes.com/2009/08/02/us/politics/02cyber.html?_r=0>.
  4. Red Cross. “Chemical and biological weapons.” 29 October 2010. International Committee of the Red Cross. 29 October 2012 <http://www.icrc.org/eng/war-and-law/weapons/chemical-biological-weapons/overview-chemical-biological-weapons.htm>.
  5. —. “The Geneva Conventions of 1949 and their Additional Protocols.” International Committee of the Red Cross. 29 October 2012 <http://www.icrc.org/eng/war-and-law/treaties-customary-law/geneva-conventions/index.jsp>.
  6. Rowe, Neil. “War Crimes from Cyberweapons.” Journal of Information Warfare 6.3 (2007): 15-25.
  7. Schneier, Bruce. “Cyberwar Treaties.” 14 June 2012. Schneier on Security. 29 October 2012 <http://www.schneier.com/blog/archives/2012/06/cyberwar_treati.html>.
  8. Thompson, Mark. “Panetta Sounds Alarm on Cyber-War Threat.” 12 October 2012. Time. 29 October 2012 <http://nation.time.com/2012/10/12/panetta-sounds-alarm-on-cyber-war-threat/#ixzz2A9hs0hIX>.




Cyber warfare capabilities

4 08 2012

China has largely been seen as a formidable player in the burgeoning battle for cyber supremacy. Over the past few years, Western governments have begun to stand up their own cyber warfare capability. How far have we come and how far do we have to go? The threat of cyber attacks continues to manifest itself. There is considerable debate as to the risk involved or the motivation, but one thing cannot be denied. Systems and networks are compromised every day. As a result, the United States has begun to invest resources in the realm of cyber defense and cyber attack capabilities.

Realistically, our ability to cultivate a force of network defenders seems somewhat elementary. This is a discipline that requires not only a fundamental education in the legal considerations of defending (or attacking) networks, but also a healthy education “in the trenches”. Network defense capabilities rely on the disciplines of protection, information assurance, and computer and network forensics. Network attack relies on strategy, evasion, research, subterfuge, and a little luck. There are also ethical considerations when determining how to create a force of network attackers. We have little legislation that governs offensive action over the network. While we are increasing our cyber warfare capability in the military, there is minimal published doctrine governing the deployment of this capability.

Additionally, we must be careful in how we evaluate the cyber domain when cultivating our cyber capabilities and, of course, when waging cyberwar. RAND researcher Martin C. Libicki argues that our cyber capability should be focused largely on defense rather than offense because “something that works today may not work tomorrow (indeed, precisely because it did work today). Thus, deterrence and warfighting tenets established in other media do not necessarily translate reliably into cyberspace” (Libicki, 2009). In essence, it is much more difficult to uncover and reuse reliable attack vectors than in conventional warfare. The lifespan of a kinetic weapon system is measured in years, but the lifespan of a cyber attack vector may be measured only in days, especially if cyber enemies are aware of their own vulnerabilities and their enemy’s ability to exploit them. The monetary investment required to create an operational force of network attack specialists that can quickly uncover and exploit vulnerabilities may be too great. It can be argued, then, that recruiting and growing network defense specialists is indeed a smarter strategy for cyber warfare.

There are commercial organizations that teach network defense and attack skills under the banner of “ethical” hacking, but this is an entirely different subset of hacking that isn’t necessarily suited to actual warfare. The military may indeed be the only place that can appropriately train this skillset. Certainly, many penetration testers were curious system or network administrators who were quick learners and had a knack for hacking. For them, the challenge of accessing a system through unconventional means was a bit of a rush. Many hackers have taught themselves how to attack systems. But this type of education doesn’t seem to support the type of warfare that a mature government and civilization would prefer to wage. For instance, self-taught hackers may specialize in a particular area. A cyber defense force would require personnel with a firm grounding in multiple attack vectors and disciplines.

Dr. Mark Maybury, Chief Scientist of the United States Air Force, said “without the right talent we are not going to be able to do anything” (Brownlow, 2012) in terms of defending and exploiting the cyber domain. This lack of talent is a challenge that the Air Force is heavily focused on resolving for the future. Creating a pipeline of cyber warriors seems somewhat futuristic, but the decision to do so is becoming more urgent. Many colleges are beginning to offer programs in cybersecurity (or a similarly named area of study). However, many of these programs prescribe a healthy dose of defense- or incident-response-centric courses (criminal investigation or computer forensics), yet minimal instruction in attack methodologies or hands-on vulnerability assessment. For example, Utica College’s Cybersecurity program focuses heavily on cybercrime investigations. It does offer a system vulnerability assessment course, but it is an elective. The United States Air Force teaches an undergraduate network warfare training course that is starkly different from civilian collegiate offerings. A major difference is its use of mission simulators and network emulators that create an environment where targets are identified and exploited based upon strategic scenarios. This is the type of training that can adequately cultivate a force of network defenders.

In order to position ourselves as a formidable presence in the cyber domain, and to protect our national assets, we must smartly invest in the creation of a reliable cyber defense force. Fundamental cyber defense or security offerings at the collegiate level are one method, while military specific training is another. These methods rely on an appropriate evaluation of the cyber domain and the best way to defend it. An offensively focused strategy may not be the most efficient way to deter cyber attacks, and so new doctrine may be necessary to appropriately define our strategy.

_______________

Brownlow, C. (2012, Jul 19). Top AF scientist: ‘Airmen key to cyberspace success’. Retrieved July 22, 2012, from The Official Website of the U.S. Air Force: http://www.af.mil/news/story.asp?id=123310613

Libicki, M. C. (2009). Cyberdeterrence and Cyberwar. Arlington: Rand Corporation.





The Art of Cyber War

9 12 2011

In my blog post of Sep 23, I discussed applying the strategic principle from the ancient Chinese military treatise “The Art of War” that knowing your enemy is the key to winning a battle; here we will finish the discussion by analyzing the last 1/3 of the probability of winning a Cyber War (CBW).

It is critical that we master the advanced technologies and acquire insight into our own capacity as well as our enemy’s, but without a strategic methodology for applying our knowledge and techniques, we won’t have the full confidence to win the war as SunZi would have.

We need to secure not only the nation-wide critical infrastructure but also individual networks, as the impact of an attack can spread from any corner of cyberspace to the massive major network backbone structure. Therefore, we need to implement different strategies according to a hierarchical structure. At the top of this hierarchy is building centralized secure control over national critical cyber networks such as dams, drinking water systems, banks, hospitals, energy, transportation, government networks, and commercial nuclear reactors. For private institutions, we need a security control designed to fit the particular needs of an individual institution; for example, the network security needs of General Motors, Google, and Papa John’s Pizza would differ greatly. For individual users like students, there should be several security control services offered by the institution the users work for or are affiliated to. The security systems from the top of the hierarchy to the bottom should be connected or associated in a large database that can trace or track the connections between incidents, in order to better prevent the spread of an attack to major infrastructure.

In the most vulnerable spaces, such as the database center of a cloud computing facility, there should be continuously upgrading and transforming security management to stay ahead of hackers, who are similar to viruses in that they too are constantly transforming and upgrading. To keep a virus under control, we have to keep creating new vaccines.





Cyberspace – the next battlefield

5 11 2011

America intervened in Libya on March 19, 2011 as part of the NATO-led coalition to save the lives of thousands of people. The first line of attack in the intervention could have been a computer worm as opposed to the cruise missiles that were actually fired. After intense deliberations, the US government dropped the plans to use cyberwarfare to disrupt the Libyan government’s air defense system[1]. One of the main reasons was that the US government was worried that this would set a wrong precedent for other countries like Russia and China. But the fact that this was discussed at length for such a high-profile intervention shows that cyberwarfare is here to stay.

Cyberwarfare is defined as the “actions taken by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption”[2]. It has grown in prominence in the last few years, though no government publicly admits to adopting it. It has been reported that the Pentagon and other military contractors frequently repel attacks on their systems emanating from the Chinese and Russian governments. The American government has also been alleged to have carried out a cyberattack on Iran’s nuclear systems using the Stuxnet computer worm, which has apparently delayed Iran’s ability to produce nuclear fuel.

Cyberwarfare can be carried out through many different modes. A very common mode of attack has been to send phishing emails tainted with malicious software to specific people in vital organizations like the military. Once these people click on the infected link, the intruder gains control of that particular machine and infiltrates the organization’s other computers. Cyberwarfare targets include government infrastructure, databases, networks and any other communication systems.

Cyberwarfare can be launched without executing a physical attack. Thus the material loss to the attacking country is minimal. For example, if a country’s ‘command and control’ system is attacked and disabled without riskier tactics like bombing, the country could be defeated, or at least crippled, through cyber attacks alone.

Cyberwarfare also has some limitations. Unlike a traditional war, it cannot be launched immediately, and this was another reason the US government didn’t adopt this tactic during the Libyan intervention. It requires significant digital snooping to identify potential entry points. According to James Andrew Lewis[3], “It’s the cyberequivalent of fumbling around in the dark until you find the doorknob” [4].

In sum, cyberspace has the potential to be the battlefield where the next big war is fought.


[2] Clarke, Richard A. Cyber War, HarperCollins (2010)

[3] James Andrew Lewis is a senior fellow at the Center for Strategic and International Studies where he specializes in technology and national security.





Cyber Warfare and the Increased Need for Protection

21 09 2011

The stereotype that only small groups or individuals with limited resources can be threats to information security is no longer a valid norm. Now such threats have gone mainstream, and even governments have become more actively involved as defenders and attackers. We may not realize it, but we are currently observing the dawn of what can arguably be called the next generation of combat: cyber warfare. This form of assault has become a serious threat that only recently caused our own government to invest seriously in the technology to defend itself.[1] Recent reports indicate that instances of system security exploitation have been on the rise, without any sign that they will decrease in the near future.[2]

Threats to information security are originating more frequently from larger entities that have more resources at their disposal. One such example is the recent allegation from Google back in June that hackers from China infiltrated the email accounts of senior U.S. officials and hundreds of other individuals in and outside of the United States. A similar attack occurred back in 2010, and Google believes that in both instances the Chinese government was responsible.[3] The Chinese have denied all accusations despite evidence to the contrary. Though this particular instance was not malicious in nature, it demonstrates that governments are participating in cyber attacks in order to advance their own agenda.

A great example of an effective cyber war attack in action occurred back in July of 2010, when a computer worm called Stuxnet was discovered by the public. It was the first exposed malware that infiltrates and destabilizes industrial schematics, among other advanced capabilities. The worm program is most famous for having targeted and impaired Iranian uranium enrichment facilities, basically setting Iran’s nuclear research back by about ten years. No one has claimed responsibility, but many have speculated that because the software was extremely sophisticated it could only have been designed “with nation-state support.”[4] Evidence has indicated that the attack was a joint effort accomplished by Israel and the United States. This is one instance of cyber warfare; many more attacks of this magnitude probably occur but are kept secret for one reason or another.

The use of the Stuxnet program also demonstrates how cyber attacks can be applied with the intention of maintaining peace rather than imposing damage (Iran was planning to use enriched uranium technology to create nuclear weapons, among other things). However, there have been rumors that parts of the code belonging to the worm design are now in the hands of those who could use it to strike at the US and Europe. Despite the apparent ability to implement stealth assaults on its enemies, it has been speculated that the US, Europe, and other countries lack the infrastructure protection necessary to stop a Stuxnet-type assault. While there are safety measures in place, they are often outdated. Ralph Langner, one of the first analysts of the Stuxnet program, was interviewed this week by the Washington Post and stated that, despite almost a decade of cyber security and warfare knowledge, the US and others have not adopted any significant protocols for protecting against cyber terrorism.[5] Mr. Langner and many like him believe that only a serious attack on infrastructure will cause the public to finally repair weaknesses in the system.

On numerous occasions it has been reported to the public that the United States has been lacking in its efforts to improve its cyber security capabilities. Only a year ago, former NSA director Mike McConnell stated to the Washington Post that, “The United States is fighting a cyber-war today, and we are losing.”[6] The last few years have seen only minor improvements, focused more on military security than on civilian protection. As the country waits for the proper legislation to be passed that will allow for increased initiative to improve information security, reports are beginning to show that future attacks have the potential to be more destructive. The current head of the NSA, General Keith Alexander, warned at a conference this week that the cyber war is diverging from the current tactics of theft and system sabotage to harmful attacks “that (could) cause widespread power outages and even physical destruction of machinery”.[7] There are instances of this type of occurrence in other countries: in Russia during 2009, while an offline dam turbine generator was being repaired, a computer 500 miles away restarted it, sending the turbine into the air before it exploded.

The motive behind using software as an assault weapon is that it is inexpensive to implement and most targets are unable to retaliate against the attackers. As of now, the cyber war will continue indefinitely until progress is made in the field of information security that effectively prevents and defends against such attacks. As we can see from the examples above, it is difficult to defend against cyber warfare, especially since “there is no coherent picture of who is targeting what and which systems and services are potentially vulnerable to cyber attack.”[8] While there are instances that show governments, like Israel and the US, actively participating in the cyber war to accomplish constructive outcomes, there is plenty more that could be done. In the meantime, entities with the right resources continue to wage the cyber war in order to further their agenda, more often for nefarious purposes than for good.

___________________________

[1] Gerry Smith, “Former Government Officials Stand To Profit From Cybersecurity Boom,” (9/15/2011) http://www.huffingtonpost.com/2011/09/15/former-government-officials-cybersecurity-boom_n_958790.html.

[2] Kuala Lumpur, “Cybersecurity Incidents Continue to Increase,” (9/20/2011) http://www.thesundaily.my/news/150756.

[3] Amir Efrati, “Google Discloses China-Based ‘Hijacking’ of Gmail Accounts,” (6/2/2010) http://tinyurl.com/ChinaGoogleWSJ.

[4] Chloe Albanesius, “Report: Stuxnet Worm Attacks Iran, Who Is Behind It?,” (9/27/2010) http://www.pcmag.com/article/print/254978.

[5] Jason Ukman, “After Stuxnet, Waiting on Pandora’s Box,” (9/20/2011) http://www.washingtonpost.com/blogs/checkpoint-washington/post/after-stuxnet-waiting-on-pandoras-box/2011/09/20/gIQAOkw0hK_blog.html.

[6] (Smith, “Former Government Officials Stand To Profit From Cybersecurity Boom”)

[7] Warwick Ashford, “Cyber Attacks Are Becoming Lethal,” (9/20/2011) http://www.computerweekly.com/Articles/2011/09/15/247897/Cyber-attacks-are-becoming-lethal-warns-US-cyber-commander.htm.

[8] (Ashford, “Cyber Attacks Are Becoming Lethal”)