English Pages 429 Year 2015
Cyber-Attacks and the Exploitable Imperfections of International Law
By Yaroslav Radziwill
LEIDEN | BOSTON
Library of Congress Cataloging-in-Publication Data Radziwill, Yaroslav, author. Cyber-attacks and the exploitable imperfection of international law / by Yaroslav Radziwill. pages cm Based on author’s thesis (doctoral — University of Warwick, 2014) issued under title: Cyber-attacks and international law : imperfections of a stagnant legal regime. Includes bibliographical references and index. ISBN 978-90-04-29833-0 (hardback : alk. paper) — ISBN 978-90-04-29830-9 (e-book) 1. Information warfare (International law) 2. Cyberspace operations (Military science) I. Title. KZ6718.R33 2015 341.6’3—dc23 2015023019
This publication has been typeset in the multilingual “Brill” typeface. With over 5,100 characters covering Latin, IPA, Greek, and Cyrillic, this typeface is especially suitable for use in the humanities. For more information, please see brill.com/brill-typeface.
ISBN 978-90-04-29833-0 (hardback)
ISBN 978-90-04-29830-9 (e-book)
Copyright 2015 by Koninklijke Brill NV, Leiden, The Netherlands. Koninklijke Brill NV incorporates the imprints Brill, Brill Hes & De Graaf, Brill Nijhoff, Brill Rodopi and Hotei Publishing. All rights reserved. No part of this publication may be reproduced, translated, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission from the publisher. Authorization to photocopy items for internal or personal use is granted by Koninklijke Brill NV provided that the appropriate fees are paid directly to The Copyright Clearance Center, 222 Rosewood Drive, Suite 910, Danvers, MA 01923, USA. Fees are subject to change. This book is printed on acid-free paper.
This book is dedicated to my wonderful, lovely wife Maarja.
Contents
Preface
Abbreviations
Glossary
1 Introduction
  1.1 Introduction
  1.2 Objectives and Research Questions
  1.3 Structure of the Book
  1.4 Choice of Terminology
  1.5 Conclusion
2 Theoretical Framework
  2.1 Introduction
  2.2 Legal Framework
  2.3 Political Component
  2.4 Conclusion
3 Cyber-Threat
  3.1 Introduction
  3.2 The Hypothetical Threat
  3.3 Reported Cyber-Incidents
  3.4 Conclusion
4 Cyber-Space
  4.1 Introduction
  4.2 Territoriality of Cyber-Space
  4.3 Sovereignty over the Virtual Realm
  4.4 Jurisdiction in Cyber-Space
  4.5 Conclusion
5 Cyber-Strikes and Jus ad Bellum
  5.1 Introduction
  5.2 Cyber-Attacks and the Use of Force
  5.3 Cyber-Attacks and Self-Defense
  5.4 Cyber-Attacks and Aggression
  5.5 Conclusion
6 Humanitarian Law Perspective
  6.1 Introduction
  6.2 General Applicability of International Humanitarian Law
  6.3 Principle of Humanity
  6.4 Necessity and Proportionality in Jus in Bello
  6.5 Principle of Distinction
  6.6 Deception
  6.7 Principle of Neutrality
  6.8 Conclusion
7 Cyber-Terrorism
  7.1 Introduction
  7.2 Terrorism and Cyber-Terrorism as Legal Concepts
  7.3 Conventional Cyber-Terrorism
  7.4 Escalated Conventional Cyber-Terrorism: Jus ad Bellum
  7.5 Archaic Cyber-Terrorism: Jus in Bello
  7.6 Conclusion
8 Role of International Organizations
  8.1 Introduction
  8.2 United Nations as Part of the Problem
  8.3 United Nations as Part of the Solution
  8.4 Role of Other International Organizations
  8.5 Conclusion
9 Conclusion
  9.1 Introduction
  9.2 Validity of the Idea
  9.3 A Way Forward
Appendix 1—Toolkit of a Modern-Day Cracker
Appendix 2—Normative Model for Command Authorities (Jus ad Bellum)
Appendix 3—Direct Participation in Hostilities: A List of Academic Examples
Bibliography
Index
Preface
In April 2007, Estonia’s attention was focused, for the most part, on the violent riot resulting from the relocation of the Bronze Soldier and on the police brutality pertaining to the suppression of that riot. During this period, Estonia became a target for a number of cyber-attacks. As an Estonian national from Tallinn and an undergraduate student at the University of Tartu at the time, I witnessed these cyber-strikes and had the experience of seeing their consequences firsthand. Moreover, as an Estonian Russian, I understood the broader context of the issue and could follow the reactions to the cyber-offensive in both major ethnic communities. In my experience, the 2007 cyber-attacks were barely noticeable. I could access the Internet as usual and no extraordinary interference was encountered. While the inability to enter my bank (Hansapank) online at one point may or may not have been due to the ongoing cyber-offensive, such problems were not uncommon anyway. Neither ethnic group generally (Estonians nor Estonian Russians) seemed to care particularly about the few cyber-attacks that were visible. Website defacements were viewed as ordinary hooliganism, no more damaging than the physical defacement of Anton H. Tammsaare’s statue with a concise, untranslatable Russian insult to Estonia’s prime minister. Considering my personal experience, it is still surprising to see scholarly descriptions of the 2007 cyber-attacks as severe, devastating and crippling, causing fear and mental anguish among the population. The exaggerated danger of something so minor seems to undermine the seriousness of the threat that severe cyber-attacks could have. In fact, the discrepancy between how the 2007 cyber-strikes felt and how they were perceived abroad is one of the factors that inspired me to write a book on this topic.
As work progressed, I came to realize that academic views ranged from those skeptically denying the possibility of cyber-attacks causing any damage whatsoever to those that promise “cyber-apocalypse”. The same range of attitudes vis-à-vis cyber-security were encountered in the practical realm, be it the Council of Europe’s Committee of Experts on Terrorism, the NATO Cooperative Cyber-Defense Center of Excellence or the United Nations Counter-Terrorism Implementation Task Force. Thus, while the present book focuses on how international law applies to cyber-warfare, it aims to ensure that cyber-threats are presented in a realistic light, without overemphasizing the danger, but also without giving them too little weight.
Abbreviations
3D: Three-Dimensional
9/11: 11 September 2001
ACHR: African Court on Human and Peoples’ Rights
AmJIL: American Journal of International Law
ANZUS: Security Treaty between the United States, Australia, and New Zealand
AP: Additional Protocol to the Geneva Conventions
AU: African Union
CCDCOE: NATO Cooperative Cyber Defense Center of Excellence
CERT: Computer Emergency Response Team
CETS: CoE Treaty Series
CIA: US Central Intelligence Agency
CIS: Commonwealth of Independent States
CODEXTER: CoE Committee of Experts on Terrorism
CoE: Council of Europe
CTITF: UN Counter-Terrorism Implementation Task Force
CTS: Consolidated Treaty Series
CUP: Cambridge University Press
DDoS: Distributed Denial of Service
DISEC: Disarmament and International Security Committee
DoD: US Department of Defense
DoS: Denial of Service
DNS: Domain Name System
DPKO: UN Department for Peacekeeping Operations
DPRK: Democratic People’s Republic of Korea
DRC: Democratic Republic of Congo
ECHR: European Convention on Human Rights
ECOWAS: Economic Community of West African States
ECtHR: European Court of Human Rights
EICAR: European Institute for Computer Antivirus Research
EJIL: European Journal of International Law
ENDC: Estonian National Defense College
ENISA: European Network and Information Security Agency
ESIL: European Society of International Law
ETA: Basque Homeland and Freedom (Euskadi Ta Askatasuna)
EU: European Union
EUR: Euro
FARC: Revolutionary Armed Forces of Colombia—People’s Army (Fuerzas Armadas Revolucionarias de Colombia—Ejército del Pueblo)
FBI: US Federal Bureau of Investigation
G20: Group of Twenty
GBP: British Pound Sterling
GC: Geneva Convention (1–4) [1]
GPS: Global Positioning System
HC: Hague Convention (1–4; 1–14) [2]
HCA: Annex to a Hague Convention
IACHR: Inter-American Commission on Human Rights
IAEA: International Atomic Energy Agency
ICAO: International Civil Aviation Organization
ICC: International Criminal Court
ICISS: International Commission on Intervention and State Sovereignty
ICJ: International Court of Justice
ICLQ: International & Comparative Law Quarterly
ICRC: International Committee of the Red Cross
ICTR: International Criminal Tribunal for Rwanda
ICTY: International Criminal Tribunal for the former Yugoslavia
IDF: Israel Defense Forces
IEEE: Institute of Electrical and Electronics Engineers
ILC: International Law Commission
ILJ: International Law Journal
ILM: International Legal Materials
IMO: International Maritime Organization
IMEI: International Mobile Equipment Identifier
IMSI: International Mobile Subscriber Identity
Interpol: International Criminal Police
IP: Internet Protocol
IRA: Irish Republican Army
ISP: Internet Service Provider
ISPAC: International Scientific and Professional Advisory Council
IT: Information Technology
ITU: International Telecommunication Union
KGB: USSR Committee for State Security (Komitet Gosudarstvennoy Bezopasnosti)
LAN: Local Area Network
LED: Light-Emitting Diode
LNOJ: League of Nations Official Journal
LNTS: League of Nations Treaty Series
MAC: Media Access Control
MI6: British Secret Intelligence Service (Military Intelligence, Section 6)
MIN: Mobile Identification Numbers
MMS: Multimedia Messaging Service
MP3: MPEG Music File Layer 3
MPEG: Moving Picture Experts Group
NASA: US National Aeronautics and Space Administration
NATO: North Atlantic Treaty Organization
NORAD: North American Aerospace Defense Command
NY: New York
NYU: New York University
OAU: Organization of African Unity
OIC: Organization of Islamic Cooperation
OSCE: Organization for Security and Cooperation in Europe
OUP: Oxford University Press
P5: Five Permanent Members of the UNSC
PC: Personal Computer
PCIJ: Permanent Court of International Justice
PRC: People’s Republic of China
R2P: Responsibility to Protect
RAND: Research and Development Corporation
RAT: Remote Administration Tool
SAARC: South Asian Association for Regional Cooperation
SCO: Shanghai Cooperation Organization
SD: Secure Digital
SIM: Subscriber Identity Module
SMS: Short Messaging Service
TCP: Transmission Control Protocol
TMC: Tobias Michael (Carel) Asser
U4P: Uniting For Peace
UAV: Unmanned Aerial Vehicle
UBS: Union Bank of Switzerland
UC: University of California
UK: United Kingdom of Great Britain and Northern Ireland
UN: United Nations
UNCLOS: UN Convention on the Law of the Sea
UNGA / GA: UN General Assembly
UNHCR: UN High Commissioner for Refugees
UNICRI: UN International Criminal Research Institute
UNIDIR: UN Institute for Disarmament Research
UNITA: National Union for the Total Independence of Angola (União Nacional para a Independência Total de Angola)
UNODC: UN Office on Drugs and Crime
UNSC / SC: UN Security Council
UNSG / SG: UN Secretary-General
UNTS: UN Treaty Series
UN ICT: UN Information and Communication Technologies
US / USA: United States of America
USB: Universal Serial Bus
USD: US Dollar
USSR: Union of Soviet Socialist Republics
WGIG: UN Working Group on Internet Governance
WMD: Weapon of Mass Destruction
WSIS: World Summit on the Information Security
WTC: World Trade Center
WW2: Second World War
WWW: World Wide Web
1 Convention (I) for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field (adopted 12 August 1949, entered into force 21 October 1950) 75 UNTS 31; Convention (II) for the Amelioration of the Condition of Wounded, Sick and Shipwrecked Members of Armed Forces at Sea (adopted 12 August 1949, entered into force 21 October 1950) 75 UNTS 85; Convention (III) Relative to the Treatment of Prisoners of War (adopted 12 August 1949, entered into force 21 October 1950) 75 UNTS 135; Convention (IV) Relative to the Protection of Civilian Persons in Time of War (adopted 12 August 1949, entered into force 21 October 1950) 75 UNTS 287.
2 Hague Conventions (I–IV) (adopted 29 July 1899, entered into force 4 September 1900) 26 Martens Nouveau Recueil 2nd Ser; Hague Conventions (I–XIV) (adopted 18 October 1907, entered into force 26 January 1910) 3 Martens Nouveau Recueil 3rd Ser.
Glossary
Anonymous (group): A group term for multi-national, unaffiliated, unnamed hacktivists and protesters, united by various causes.
Anti-Virus: Software that detects and removes malware.
Backdoor: A pre-installed vulnerability in software, firmware or hardware that allows undocumented and direct access at the attacker’s discretion.
Botnet: A network of computerized devices, which are secretly (see zombies) or openly (see script-kiddies) controlled by skilled cyber-attackers (most often, over the Internet).
Brute Force: A tactic that presupposes trying all possible letter and number combinations to guess logins and passwords.
Chip: A set of integrated electronic circuits.
Computerized Device / System: A computer that processes data or a device capable of performing similar functions (e.g., a smartphone).
Counter-Hacking: Accessing and launching counter-attacks against an aggressive system in cyber-space.
Cracker: A computer-expert who participates in cyber-attacks with malicious intent. Also sometimes called a black hat hacker.
Critical Infrastructure: Facilities and networks that are vital for the normal functioning of a society.
Cyber-Attack: An act of unauthorized altering, deleting, disrupting, damaging or suppressing data within targeted computerized systems or networks.
Cyber-Espionage: An act of accessing or storing classified data located in cyber-space.
Cyber-Infrastructure / Information Infrastructure: Hardware (e.g., network cables) that makes virtual existence of cyber-space possible.
Cyber-Space / Cyber-Realm: Virtual realm created as a result of the use of information technology.
Cyber-Strike: See Cyber-Attack.
Cyber-Terrorism: A cyber-attack that results in an act of terror prohibited by the existing legal instruments.
Cyber-Warfare: Exchange of cyber-strikes and conventional attacks between parties to a conflict.
Cyber-Zone / Virtual Zone: A delimited section of cyber-space.
Data: Information that is held or processed by a computerized system.
DDoS (Distributed DoS) Attack: DoS attack that originates from multiple sources and is channeled to a single destination (e.g., via zombie botnets).
Defacement: Visual corruption of webpages.
Digital Media Frame: A small monitor (in the form of a picture frame) that displays various images.
Domain Name: Character transcription of an IP address of a computer connected to a network.
DNS (Domain Name System): A software system that translates domain names into IP addresses.
DoS (Denial of Service) Attack: A method of externally overwhelming and shutting down servers by simultaneously sending a large number of requests for information.
Facebook: The most famous and popular social network (in 2014).
File: Transferrable group of data found under one name, accessible to users and their devices.
Firewall: A virtual defense mechanism that filters incoming and outgoing network traffic. It can include hardware and software components.
Firmware: Software permanently embedded in hardware.
Flash Memory Card: A removable data storage device, smaller and flatter than a USB.
Forum: Website meant for online discussions.
GPS (Global Positioning System): A satellite-based system that provides location coordinates on Earth.
Hacker: A computer-expert that participates in cyber-attacks for ethical reasons (e.g., to protect a network). Also known as a white hat hacker.
Hacktivism: Politically-motivated cyber-attacks.
Hard Disk: A rarely removed internal data storage device in a computer.
Hardware: Physical devices and parts of a computerized system.
Honeypot: A fake network created to attract and expose crackers.
Information Space: A distributed area of related electronic data and general information available to individuals.
Information Warfare: Method of warfare involving filtering available data meant to influence the consciousness of the enemy or a population.
Instant Messaging Program: Software that allows real-time discussions in cyber-space.
Internet: A network of interconnected computerized devices and networks that forms the main part of cyber-space.
IP (Internet Protocol): A set of pre-agreed virtual addresses that make sending information between computerized systems over the Internet possible.
ISP (Internet Service Provider): An organization or company that offers direct Internet access to users.
IT (Information Technology): Technology that processes electronic data.
Keyboard Layout: Keyboard’s key arrangements.
Keylogger: A sniffer software that records and transmits data that a user types on a keyboard.
Laptop: A small, portable computer.
Log: A report on hardware or software activity.
Logic Bomb: A malicious piece of software that activates at a pre-arranged time or upon invocation of a specific command.
Login: A combination of username and password that allows access to a program.
Malware: Malicious software used to facilitate or carry out cyber-attacks.
Malicious Program / Software: See Malware.
Media Access Control: A virtual address assigned by manufacturer that identifies a computerized device on a network.
Network: A virtual link between multiple computerized systems and their components.
Network Protocol: Pre-agreed network addresses of data transmissions.
Notebook: See Laptop.
NSA: US National Security Agency.
Offline: Not connected to or taking place outside of the Internet.
Online: Connected to or taking place on the Internet.
OS (Operating System): A complex underlying software that enables the use of hardware and other software by a user.
Packet: Batch of data sent as part of network communication.
Password: A secret phrase used for cyber-device authentication.
Peer-to-Peer: A method of online data exchange that simultaneously shares files and resources between participating computerized systems without the use of a server.
Plug and Play: Technology that allows computers to automatically discover and configure a device attached thereto.
Port: Endpoint of cyber-communications (as interpreted by a server).
PRISM: An ongoing surveillance program of the NSA that, inter alia, involves direct access to data, accumulated by major US corporations.
Root Name Servers: Thirteen virtual super-servers that are responsible for the functioning of the Internet generally and DNS specifically.
Router: Technology consisting of hardware and software that facilitates data transmission between networks and computerized devices by forwarding packets.
SCADA (Supervisory Control and Data Acquisition): A computerized control system that monitors and regulates physical industrial processes.
Screenshot: An image depicting elements on screen, as they are visible to a user at a particular moment.
Script: A part of source code that initiates particular processes.
Script-Kiddie: A person who uses downloaded malware to participate in cyber-attacks without understanding how it works.
Server: A computer running software that provides online services to users and their devices upon request.
Sniffer: A program that intercepts data in cyber-space (e.g., logins and passwords).
Smartphone: A computerized mobile phone.
Software: Programs intended for computerized systems.
Social Media: Unofficial online media, making use of social networks.
Social Network: A website or service that facilitates social relations online.
Source Code: Contents of a program or a website.
Spam: Unsolicited virtual correspondence.
Spoof: A fake imitation of an object online or a network address (e.g., IP).
Stuxnet: A computer worm that is, inter alia, responsible for destruction of centrifuges at the Iranian nuclear enrichment facility Natanz in 2009.
TCP (Transmission Control Protocol): A sub-class of shared network protocols that enables two computerized devices to communicate.
Trojan: A malicious program that appears to perform a legitimate function.
Twitter: A social network that allows posting short messages (up to 140 characters each).
Update: A renewal of installed software, inter alia, to fix discovered flaws.
USB (Universal Serial Bus) Device / Stick: A small, removable data storage device.
User: A person who operates a computerized device.
Username: Name used for cyber-device authentication.
Virus: A malicious self-replicating code that inserts itself into existing files.
Web-Camera: A camera that can directly transmit video online.
Website / Webpage: Virtual page(s) accessible over the Internet.
WWW (World Wide Web): A network of linked webpages on the Internet.
Worm: A self-replicating standalone malicious program.
Zero-Day: Exploitable vulnerability known only to a small number of people, including the attackers.
Zombies: Infected computerized devices stealthily used for malicious purposes, primarily as part of botnets.
Chapter 1
Introduction
1.1 Introduction
International law sometimes struggles to respond to the introduction of new weapons and tactics. In some cases, a major catastrophe has to occur before the legal community tackles the issues that caused it. Even then, it takes years to finalize and agree upon a common approach to a particular problem. Until this happens, state governments (that is, people who rule and exercise executive control over a state) and international lawyers are forced to operate with the existing legal instruments, even if these instruments are not perfectly suitable.
Today, we see the emergence of a new threat, unimaginable until the late 20th century: cyber-attacks. These are used increasingly as an individual and composite tool in warfare. More and more states tend to view malicious software (and cyber-attacks generally) as a weapon, which is evidenced by their military doctrines and calls for action.1 Although electronic signals (and, to a lesser extent, high-technology light beams or radio-waves) are the main ways to deliver malware to their destination, experts such as Davis Brown or William Boothby go as far as to compare cyber-attacks with the use of a gun.2
Even the biggest cyber-attacks to date have not caused direct fatalities. However, as the global infrastructure becomes more and more computerized and interconnected, there is a growing possibility that cyber-attackers or cyber-terrorists will find a weakness in one of the systems, exploit it and cause loss of life, serious damage or even jeopardize the existence of a state. Should such an event happen, depending on the amount of damage, governments’ resolve and various other factors, cyber-strikes could provoke reactions similar to the ones of 9/11.
Nevertheless, the response to Al-Qaeda’s terrorist attacks of 2001 was based, largely, on the existing legal instruments, already developed by the time of the attack. Correspondingly, it is not unreasonable to expect international law to keep up with the impending threat of cyber-warfare. Logic dictates that increasing cyber-attacks should provoke meaningful evolution of international law.3
Over the last 20 years, the Russian Federation, supported by other Shanghai Cooperation Organization (SCO) members, has made a number of suggestions to develop a separate international treaty that would govern cyber-warfare and ensure information security of sovereign nations.4 Such proposals continue to meet persistent opposition from the United States and some of its allies, who actively assert that the existing international law is sufficient to tackle cyber-warfare. Various American scholars imply that accepting Russia’s proposals should be resisted, as they might undermine online freedoms or pose a threat to national security of the United States of America.5 Moreover, some Western experts view Russian suggestions (alongside its other “multilateral arms control initiatives”) as a “propaganda tool”.6
The US unquestionably plays a dominant role in international affairs and exercises unparalleled levels of control over the Internet, inter alia, due to the location of major global corporations and root name servers on its soil. It is, therefore, very unlikely that an effective treaty will emerge without its participation. Lack of special agreements signifies that the already-existing legal regime remains the default system for governing cyber-warfare.7 Even if a special treaty regulating cyber-attacks in war were to emerge in the future, it would not easily supersede current jus ad bellum and jus in bello obligations, but would rather clarify and build upon them.
For these reasons, the importance of the existing legal framework for cyber-warfare cannot be overstated and, as such, it must be subjected to rigorous study. The present book contributes to this goal by examining imperfections of international law that can be exploited and which, in theory, could be the reason why certain governments prevent law’s development in the field of cyber-warfare.
It should be mentioned that, although the question of jurisdiction over actors who launch serious cyber-strikes is raised in one of the chapters,8 the work itself does not concentrate on small-scale cyber-crime, and instead focuses on cyber-attacks within the jus ad bellum and jus in bello contexts.9 For this reason, little attention is paid to the 2001 Council of Europe (CoE) Convention on Cybercrime (or to the laws of cyber-peace in general). Although undoubtedly an important instrument, it is not capable of adequately regulating use of force or cyber-attacks in war; what is considered a criminal act in peacetime may become legal in armed conflicts when an entirely different set of norms applies.
The purpose of this particular chapter is to introduce the book. It is divided into three parts. The first part outlines questions that the book seeks to answer and objectives that drive it. It identifies its place within the existing scholarly literature, highlighting its original view on the problem of regulating cyber-warfare.
© Koninklijke Brill NV, Leiden, 2015 | DOI 10.1163/9789004298309_002
1 For instance, see US Department of Defense, “Strategy for Operating in Cyberspace” (US Department of Defense 2011) 3 accessed 1 August 2015; International Code of Conduct for Information Security, Annex to UNGA 66/359 (14 September 2011) UN Doc A/66/359, op para. 2.
2 Davis Brown, “A Proposal for an International Convention To Regulate the Use of Information Systems in Armed Conflict” (2006) 47(1) Harvard ILJ 184–185; William H. Boothby, “Methods and Means of Cyber Warfare” (2013) 89 International Law Studies 389.
3 See generally ILC Study Group, “Fragmentation of International Law: Difficulties Arising from the Diversification and Expansion of International Law”, 58th Session, Report of the Study Group of the ILC Finalized by Martti Koskenniemi (1 May–9 June, 3 July–11 August 2006) UN Doc A/CN.4/L.702, para. 15; ILC Study Group, “Fragmentation of International Law: Difficulties Arising from the Diversification and Expansion of International Law”, 58th Session, Report of the Study Group of the ILC (1 May–9 June, 3 July–11 August 2006) UN Doc A/CN.4/L.702, para. 10: “New types of specialized law do not emerge accidentally but seek to respond to new technical and functional requirements”.
4 The idea of a separate treaty on information warfare was introduced by the Russian Federation as early as 1995—see Franz-Stefan Gady, Greg Austin, “Russia, The United States, And Cyber Diplomacy: Opening the Doors” (Report, EastWest Institute 2010) 15 accessed 1 August 2015. See generally Dorothy E. Denning, “Obstacles and Options for Cyber Arms Controls” (Arms Control in Cyberspace, Berlin, June 2001) 6 accessed 1 August 2015.
5 See John F. Murphy, “Cyber War and International Law: Does the International Legal Process Constitute a Threat to U.S. Vital Interests?” (2013) 89 International Law Studies 339; Oona A. Hathaway and others, “The Law of Cyber-Attack” (2012) 100(4) California Law Review 832.
6 See Richard A. Clarke, Robert Knake, Cyber War: The Next Threat to National Security and What to Do About It (HarperCollins 2010) 220.
7 For similar opinions, see Wolf H. von Heinegg, “The Tallinn Manual and International Cyber Security Law” (2012) 15 Yearbook of International Humanitarian Law 9–10; David Turns, “Cyber War and the Concept of Attack in International Humanitarian Law” in Dan Saxon (ed.), International Humanitarian Law and the Changing Technology of War (Martinus Nijhoff 2013) 218; William A. Owens and others, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities (National Academies Press 2009) 3; Deborah Schneider, “Cyber Security Keynote Address” (FSC-PC.DEL/30/10, United States Mission to the OSCE 2010) iv accessed 1 August 2015.
8 See Chapter 4.
9 Some scholars like Dieter Fleck believe that cyber-crime must not be ignored, although tackling all criminal activity online seems unnecessary in the present book, particularly in light of an ongoing cyber-arms race on state military level—see Dieter Fleck, “Searching for International Rules Applicable to Cyber Warfare—A Critical First Assessment of the New Tallinn Manual” (2013) 18(2) Journal of Conflict & Security Law 335.
The second part describes the structure of the book and explains the importance of different chapters, which are categorized in order to best address problems under consideration. Notably, a more detailed description will precede each chapter. The third part sheds light on the most important terms employed throughout the book. While the Glossary briefly defines more specific terminology, the third part clarifies at length why preference is given to the term “cyber-attack” rather than to the possible alternatives. Furthermore, the concepts of “cyber-attack” and “cyber-space” are explained, as they are used here.
1.2 Objectives and Research Questions
Although this book is primarily an academic examination of the law governing cyber-warfare, it can also have practical use for policy-makers and experts in position to influence decisions in the field of international security. It sets out to examine how current international law reacts to the introduction of a new concept of cyber-attack and to determine whether it is prepared, in its current state, to deal adequately with the dangers that actors bring into the international arena. In response to the reluctance of certain governments to develop new written norms on cyber-attacks, this book argues that international law features a substantial amount of significant imperfections that can be exploited in cyber-warfare. Two main propositions underpin this idea. Firstly, although cyber-attacks do not have solid customary norms regulating them, the current jus ad bellum and jus in bello (within their larger framework of international law) are generally capable of accommodating the new threat with the help of available instruments and institutions. Secondly, despite this general fitness for purpose, the existing norms leave uncertainties, deficiencies and gaps that can be exploited to the detriment of international law’s cogent development. Exploitation, in this context, stands for making use of the existing imperfections in order to justify a desired, often politically motivated action. It can occur before the act (as part of a preparatory or public relations campaign), during the act (as part of a practical justification) or after the act (to present the latter in a favorable light). While legal uncertainties, deficiencies and gaps can be exploited by nonstate actors and individuals (for example, military personnel engaged in cyber-warfare), the role of the main exploiters in this book is played by
governments. After all, it is their previous negligence or manipulations that could have resulted in international law having imperfections in the first place. Considering the stagnation in the field of cyber-warfare regulation, one should keep in mind that only powerful governments have the means to artificially preserve these imperfections in order to enable their continued exploitation. At the same time, it is prudent to remember that international law generally provides the basis for making a decision on whether particular state conduct is legal or illegal. For obvious reasons, greater clarity in law can help judges (both international and domestic) assign responsibility and issue fair court rulings should such a need arise where cyber-attacks are concerned. In addition, as state behavior can be constrained not only by legal means, but also through shared morals of its population (especially, in democratic societies), lack of clarity should be seen as an obstacle to building such moral constraint that could, in turn, reduce law’s exploitation. The main question that must be raised, therefore, is how fit for the purpose of addressing the threat and reality of militarized cyber-attacks is current international law? Answering this question will help understand the adaptability of existing instruments and reveal any legal uncertainties, deficiencies and gaps that governments may seek to exploit in the context of cyber-warfare. Furthermore, the answer should demonstrate that, although cyber-attacks are a new threat, they are not a danger to international law itself: cyber-attacks by their nature do not threaten the existing legal environment nor the basic premises of international law. The main question entails asking a number of subsidiary questions, which facilitate the analysis by dividing the former and outline the scope of the primary enquiry:
1) What threats do cyber-attacks pose in reality? Can they claim human lives and damage states?
2) To what extent do the current legal understandings of territoriality, sovereignty and jurisdiction cover cyber-space?
3) Under which conditions can cyber-strikes be characterized as use of force, armed attacks, acts of aggression or terrorism? How will this influence their place in the existing legal framework?
4) How well do humanitarian norms adapt to cyber-warfare?
5) What has been the role of the United Nations (UN) and other international organizations so far in preventing threats to peace and security in cyber-space? What should be their role in determining suitable responses to this new danger?
As this book reveals exploitable imperfections of international law, the analysis would not be complete without addressing these imperfections themselves. Therefore, a subsidiary question addressed is: how should international law be transformed to minimize the possibility of exploitation? Cyber-attacks are the focus of this book for three reasons:
1) According to available reports, they are becoming more frequent and serious, and have the potential of causing similar effects and damage that a conventional armed attack would cause;10
2) Currently, elements of cyber-warfare and its treatment under international law are not fully explored in academic literature, and there is insufficient comprehensive critique on this subject generally;
3) The emerging interpretive legal framework covering cyber-attacks and acts of cyber-terrorism itself is in its infancy and necessitates examination and critique.
The last two points are fundamental to the focus of the present book. The existing academic literature that is mostly available in the form of articles and conference papers, represents “pieces of a puzzle” that hardly make up a complete picture. As active legal experts learn more about the technical aspects of cyber-warfare, their positions continuously evolve, sometimes leading to contradictions. Various conclusions are rarely viewed together in one context. David Wall noted that in the modern world, “where new technologies shape the social and the social shapes new technologies the lines between science fiction and science fact become more and more blurred”.11 It is no secret that the media is prone to exaggerating different threats in order to maintain the attention of the general population.12 Likewise, cyber-security companies
10 Unlike acts of terrorism, ordinary cyber-strikes are rarely visible to the public. Today, information about cyber-attacks themselves is mostly available from journalistic sources. Very often the latter are used in academic publications and official reports with or without due accreditation. As they constitute the initial sources of information, as such, they are used in the present book (especially in Chapter 3), although due caution is always shown in approaching them.
11 David S. Wall, “Cybercrime and the Culture of Fear” (2008) 11(6) Information, Communication & Society 878.
12 See Bruce Schneier, “Threat of ‘Cyberwar’ has been Hugely Hyped” (CNN, 7 July 2010) accessed 1 August 2015. See generally Jerry Brito, Tate Watkins, “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy” (2011) 3(1) Harvard National Security Journal 44.
might be interested in preserving the feeling of danger over cyber-attacks, inter alia, for financial gain. However, academics also fall into the trap of being carried away with their risk-assessment, revealing a lack of full understanding of the technological issues that they analyze. To name a few questionable examples, Katharina Ziolkowski talks about future “micro-mechanical organisms [spreading] via the Internet”.13 Heather Dinniss mentions malware that could explode and melt monitors.14 Michael Schmitt confessed at a number of conferences that, until recently, he thought that a “cloud” (an online program-running service)15 had physical electromagnetic substance. Estonia, apparently, had cut the Internet to the rest of the world during the 2007 attacks,16 and was saved by the “heroic efforts” of its specialists.17 David Turns describes potential effects of cyber-strikes as “stuff of nightmares”.18 Maura Conway calls Stuxnet a botnet, while it obviously is not.19 Considering these examples, the present work views not only legal observations, but also technological descriptions critically, aiming to provide an objective and realistic picture of cyber-warfare capabilities. A significant number of important books and studies have tackled cyber-warfare.20 However, like those before them, they give little attention to certain important legal matters (for instance, socio-economic use of force, cyber-terrorism and peacekeeping in the virtual realm). This allows the present book
13 Katharina Ziolkowski, “Computer Network Operations and the Law of Armed Conflict” (2010) 49(1–2) Military Law and the Law of War Review 79.
14 Heather H. Dinniss, Cyber Warfare and the Laws of War (CUP 2012) 259. One can also contest the idea that a computerized system and malware can represent a “booby trap”—a device clearly meant to be physical in nature—see ibid., 258; Michael N. Schmitt and others, Tallinn Manual on the International Law Applicable to Cyber Warfare (CUP 2013) R44.
15 See Mark Johnson, Cyber Crime, Security and Digital Intelligence (Gower 2013) 99–102.
16 Mario Golling, Björn Stelte, “Requirements for a Future EWS—Cyber Defence in Internet of the Future” in Christian Czosseck, Enn Tyugu, Thomas Wingfield (eds.), 2011 3rd International Conference on Cyber Conflict (NATO CCDCOE 2011) 138. See also Preface to the present book.
17 Sheng Li, “When Does Internet Denial Trigger the Right of Armed Self-Defense?” (2013) 38(1) Yale JIL 201.
18 Turns (n. 7) 213.
19 See Maura Conway, “Against Cyberterrorism: Why Cyber-Based Terrorist Attacks are Unlikely to Occur” (2011) 54(2) Communications of the Association for Computing Machinery 26. Stuxnet is further discussed in sub-chapter 3.3.1.
20 Recent examples include the Tallinn Manual (n. 14); Dinniss (n. 14); Marco Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014); Jeffrey Carr, Inside Cyber Warfare: Mapping the Underworld (2nd edn, O’Reilly Media 2011).
to fill existing gaps in literature and contribute to the academic knowledge in the field of international law. In 2013, an important publication was released, which is currently the primary source and point of reference for contemporary experts specializing in the topic of cyber-warfare. This publication, formally known as the Tallinn Manual on the International Law Applicable to Cyber Warfare (hereinafter referred to in this book as the Tallinn Manual) represents a product of a joint three-year work by 46 credited scholars (42 of whom have legal background), led by Michael Schmitt. Despite its name, this product features substantive academic commentaries, which to date represent the most comprehensive interpretative framework on international law pertaining to cyber-warfare. Notably, opinions of the manual’s authors were sometimes split on important issues, highlighting and “radicalizing” existing legal uncertainties.21 As such, the manual cannot be ignored and is addressed in the present book.22 The Tallinn Manual is formally divorced from the North Atlantic Treaty Organization (NATO) and nation states’ doctrines.23 However, can it become an effective legal source of international law in the future? At least three factors indicate that it examines legal issues from a predominantly pro-Western position and, as such, it may be flawed, should be approached with caution and, when relevant, critiqued.
21 Oliver Kesser, Wouter Werner, “Expertise, Uncertainty, and International Law: A Study of the Tallinn Manual on Cyberwarfare” (2013) 26(4) Leiden JIL 795, 806, 810. Note that the opinions in the Tallinn Manual are often divided into a clear “majority” and a “minority”. When no vast majority was present during the creation of the manual, the expression “some authors” was used instead.
22 The present book uses a special system of referencing the Tallinn Manual. ChXCY refers to Comment Y in Chapter X of the publication. SX stands for Section X. RXCY refers to Comment Y in Rule X. RX indicates that Rule X should be seen generally.
23 Tallinn Manual (n. 14) 31. Note that this is also the case for Tallinn 2.0—a follow-up project, which concentrates on “peacetime international law”—see comment-reply of Liis Vihul in Liis Vihul, “The Tallinn Manual on the International Law Applicable to Cyber Warfare” (EJIL: Talk!, 15 April 2013) accessed 1 August 2015. Fleck (n. 9) 334–335, 348, 350–351 seems to ignore the connection between the upcoming Tallinn 2.0 and the Tallinn Manual in his criticism of the latter, although he does mention a “book” on peacetime issues being written by Michael Schmitt.
Firstly, the pro-Western position can be deduced from the specific approach that the publication takes, as highlighted later in this book (for instance, the Tallinn Manual fails to deliver an analysis of the potential sovereignty over cyber-space). Secondly, significant reliance is placed on military manuals of NATO states to, inter alia, prove the existence of customary norms. Thirdly, little creativity is shown when it comes to lex ferenda. Instead, the manual seems to fortify the position of those Western governments that wish to preserve the existing international law (and, by extension, its exploitable imperfections). Although it extensively examines the same jus ad bellum and jus in bello fields as this book, the late arrival of the Tallinn Manual resulted in the present work having an independent approach that runs parallel to and challenges, rather than just builds upon, the publication. Effectively, this turns the present book into a critique of the manual: the author strives to evaluate the conclusions of the Tallinn Manual and, where their validity is challenged, to provide meaningful intellectual alternatives. Finally, a few scholars have so far only scratched the surface of the main problem discussed in this work.24 Its value, therefore, lies in the fact that it provides a legal study that considers in depth the existing exploitable imperfections of jus ad bellum and jus in bello in regulating cyber-attacks. Having outlined the objectives and research priorities, the chapter structure of this work is set out below.
1.3 Structure of the Book
The current book is composed of nine chapters, structured in a way to facilitate examination of international law and its applicability, as well as to identify imperfections, which governments may be interested in exploiting. Arguments advanced in each chapter build upon the conclusions reached previously.
24 See generally Michael J. Glennon, “The Road Ahead: Gaps, Leaks and Drips” (2013) 89 International Law Studies; Matthew C. Waxman, “Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4)” (2011) 36(2) Yale JIL; Michael N. Schmitt, “The Law of Cyber Warfare: Quo Vadis?” (2014) 25 Stanford Law and Policy Review 4 accessed 1 August 2015.
The first chapter is the present Introduction. Chapter 2 provides insights into a theoretical perspective adopted in this book, addressing the nature of international law and the notion of its imperfections. While this chapter highlights general legal theories that could be applicable, it argues in favor of a distinctive theoretical framework. Chapter 3 provides a realistic evaluation of the technical capabilities of cyber-attacks in order to demonstrate that the topic is serious enough to warrant a meaningful response in international law. As a secondary goal, the technical analysis is meant to set a base for arguing that the cyber-threat does not represent an insurmountable challenge to jus ad bellum and jus in bello, does not require a legal revolution and can be met with ordinary proactive reforms, which, at the moment, are not forthcoming. Chapter 4 provides a conceptual framework on cyber-space itself, as a primary realm that makes cyber-warfare possible. Using the lens of the principles of territoriality, sovereignty and jurisdiction, it begins to explore relevant international norms for imperfections that may exist. Chapter 5 continues this quest specifically in the sub-discipline of jus ad bellum. While acknowledging that the jus ad bellum framework is sufficient to address cyber-attacks generally rising to the level of the use of force and beyond, it highlights a number of exploitable deficiencies, gaps and uncertainties. Chapter 6 performs a similar task in relation to jus in bello. It identifies those imperfections of international humanitarian law that governments may be interested in. Chapter 7 deals with cyber-terrorism as a special case of cyber-attack both in jus ad bellum and jus in bello contexts. Building upon the previous two chapters, it concentrates on the terrorism-related inadequacies of international law that can be exploited. 
Chapter 8 provides a broader picture by focusing the attention on deficiencies, uncertainties and gaps pertaining to tackling the cyber-threat through the existing methods and instruments of collective security: primarily, by the UN and, secondarily, NATO. While critical of their input to the overall problem of exploitability of international law’s imperfections (due to flawed design, passiveness, non-use of resources, lack of coordination, impartiality and political exploitation), this chapter also views these organizations as important tools in the potential solution to this issue. Chapter 9 concludes the book and assesses the arguments made throughout the chapters jointly. It further outlines the necessary standards and sets out the principles upon which a plan of action may be constructed to most efficiently and effectively reduce exploitation of international law’s imperfections, promote an abuse-free, peaceful and stable environment in cyber-space and, if necessary, set an example for action in respect of other future weapons.
1.4 Choice of Terminology
What is the meaning of “cyber-attack” and “cyber-space” and why are they preferred in the current work? Although these and other terms are briefly explained in the Glossary, for the sake of consistency and clarity throughout this book, these questions are answered at length below.
1.4.1 Cyber-Attack
Different sources use miscellaneous terms to describe the threat central to this book. These terms are formed by combining words such as “information”, “Internet”, “hacking”, “computer”, “network”, or “cyber”, with “attack”, “strike”, “operation”, “war”, “warfare”, or “terrorism” and so on. Despite the fact that the resulting expressions are often used to designate the same acts, some terms are not fit to accurately define the menace. For example, “information warfare”, preferred by the SCO, is a much wider concept entailing psychological operations, mind control, propaganda, as well as voice and video manipulation. Concentrating on the “Internet” is unjustified due to the ongoing misuse of other, non-Internet-based networks. At the same time, tying the malicious threat to “hacking” is unethical among information technology (IT) experts (the word “cracking” should be, and is used instead throughout this book).25 “Computer network attack” is better. However, since nowadays strikes can target or be carried out from mobile phones and other “smart” devices, emphasis on the word “computer” seems inaccurate. One might argue that “computer” is actually a device that processes data and, as such, it already includes smartphones and similar portable systems.26 However, “computer” is still largely associated with laptops, notebooks and personal computers (PCs), and the use of that word may be confusing. “Network attack” alone, on the other hand, lacks specificity.
25 “Hacking” in the true meaning of the term does not involve breaking into computerized systems to perform malicious action, but rather refers to an extraordinary style of programming.
26 See Convention on Cybercrime (adopted 8 November 2001, entered into force 1 July 2004) 185 CETS (Cybercrime Convention) Art 1(a): “‘computer system’ means any device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data”. See also Tallinn Manual (n. 14) 258: “Computer: A device that processes data”.
Ziolkowski believes that, in light of the terms employed in the UN Charter, the word “attack” is frequently used without necessary diligence.27 Is this argument valid and powerful enough to overrule its use? At least three factors indicate that it should not be. Firstly, one cannot automatically associate the word “attack” with terms employed in jus ad bellum and jus in bello, as it has a rich history of describing attempts at violence, regardless of their scale.28 Secondly, academics already use this word to designate “methodology for action [. . .] rather than [. . .] the scale of the action’s effect”.29 Thirdly, it is actively used by IT experts to refer to minor operations in cyber-space (for example, “brute force attack” or “distributed denial of service (DDoS) attack”).30 The most appropriate term, therefore, is “cyber-attack”, which will be given preference in this book. In contrast to the possible alternatives used by academics, it is short, clear, reasonably comprehensive and well-established.31 For instance, according to the NATO glossary, it incorporates the computer network attack as one of its types.32 Consequently, to avoid confusion, “cyber-attacks” (as a working definition) will refer, throughout this book, to unauthorized acts that are meant to alter, delete, disrupt, damage or suppress data within targeted cyber-systems or networks.33 Where required to avoid repetition, “cyber-attack” will be used interchangeably with “cyber-strike”. The expressions such as “cyber-warfare” and “cyber-terrorism” are employed within their more specialized contexts. At this point, it is also imperative to explain the meaning of the term “cyber-space”.
27 Katharina Ziolkowski, “Ius Ad Bellum in Cyberspace—Some Thoughts on the ‘Schmitt-Criteria’ for Use of Force” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 296.
28 Notably, international lawyers do not object to the use of the word “piracy” in the cyber-context, nor should it be the case with “attack”.
29 Owens and others (n. 7) 11.
30 “DDoS attack” is a term of art, which will be fully explored in Chapter 3.
31 Consider, for instance, the relatively recent term “cyber operation”, increasingly popularized by the Tallinn Manual (n. 14) 7, or the early, yet somewhat inaccurate term “cyberwar”—see John Arquilla, David Ronfeldt, “Cyberwar is Coming!” (1993) 12(2) Comparative Strategy 141.
32 NATO Standardization Agency, “NATO Glossary of Terms and Definitions” (AAP-6, NATO 2010) 2-C-12.
33 I.e. acts that the CoE Convention on Cybercrime defines as “data interference” and “system interference”—see Cybercrime Convention (n. 26) Arts 4–5.
1.4.2 Cyber-Space
Nowadays, “cyber-space” is characterized as the “fifth domain of war” by some academics, states, as well as the NATO alliance.34 Building upon this foundation, the term is defined here as the virtual realm created by the use of information technology.35 Currently, the Internet occupies the biggest part of cyber-space. Evolving from an idea of a “Galactic Network” that was meant to connect computers and allow users to exchange data and ideas, it became a “network of networks” (or a “network of people”)36 that delivers information in dividable packets travelling through different nodes “that result in the fastest communication”.37 TCP (Transmission Control Protocol) and IP (Internet Protocol) “allow the networks and the computers attached to them to [. . .] find other computers attached to the Internet”.38 That makes information exist in a practically constant state of availability, even when network resources are limited.39 Aside from the Internet, “cyber-space” (as a working definition in this book) is also deemed to include a virtual universe created by isolated, non-Internet-based networks and interconnected hardware components of all computerized systems.40 This has relevance in light of the fact that some malware is deliberately programmed to avoid the Internet and relies on other ways of distribution (for example, USB devices).
34 For instance, see Christy Marx, Battlefield Command Systems of the Future (Rosen Publishing 2006) 14; Jeffrey L. Caton, “Beyond Domains, Beyond Commons: Context and Theory of Conflict in Cyberspace” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 158.
35 For similar definitions, see Clarke, Knake (n. 6) 70; Daniel T. Kuehl, “From Cyberspace to Cyberpower: Defining the Problem” in Franklin D. Kramer, Stuart Starr, Larry K. Wentz (eds.), Cyberpower and National Security (Potomac Books 2009) 28; Stephen K. Gourley, “Cyber Sovereignty” in Panayotis A. Yannakogeorgos, Adam B. Lowther (eds.), Conflict and Cooperation in Cyberspace: The Challenge to National Security (Taylor & Francis 2014) 278.
36 Robert Koch, Björn Stelte, Mario Golling, “Attack Trends in Present Computer Networks” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 278.
37 Kai Burmeister, “Jurisdiction, Choice of Law, Copyright, and the Internet: Protection Against Framing in an International Setting” (1999) 9(2) Fordham Intellectual Property, Media & Entertainment Law Journal 629; Matthew Burnstein, “A Global Network in a Compartmentalised Legal Environment” in Katharina Boele-Woelki, Catherine Kessedjian (eds.), Internet. Which Court Decides? Which Law Applies? (Kluwer Law International 1998) 23; Jonathan A. Ophardt, “Cyber Warfare and the Crime of Aggression: the Need for Individual Accountability on Tomorrow’s Battlefield” (2010) 9(1) Duke Law & Technology Review 11; Uta Kohl, “Eggs, Jurisdiction, and the Internet” (2002) 51(3) ICLQ 569.
38 Graham J. Smith, Internet Law and Regulation (Sweet & Maxwell 2007) 1. Notably, by 2014, more than 90% of the Internet traffic still used the IP version 4 (IPv4) as opposed to the more secure IPv6.
39 Jack L. Goldsmith, Tim Wu, Who Controls the Internet?: Illusions of a Borderless World (OUP 2006) 3.
40 In fact, cyber-space, in the broader sense, existed as early as 1970 (when the first Pulsar LED electronic watch was created) or even 1961 (within the first electronic desktop calculator ANITA).
1.5 Conclusion
This introductory chapter has established the basic groundwork for the present book, identifying its structure, terminology and objectives. It is clearly indicated that the book questions how fit existing international law is for the purpose of addressing cyber-attacks and argues that it features a substantial amount of significant deficiencies, gaps and uncertainties that can be exploited. Here, for the sake of clarity and coherence of the debate, a deeper look into conceptual approach is required. For this reason, the next chapter will introduce, explain and justify the theoretical approaches adopted in this book.
Chapter 2
Theoretical Framework
2.1 Introduction
Having introduced the book in the previous chapter, it is imperative to outline the theoretical framework that is employed here. The present chapter identifies the applied conceptual approaches and clearly indicates the theoretical vantage point assumed in this book in relation to international law and its imperfections that can be exploited in the context of cyber-attacks. It consists of two parts. The first part examines the essence of international law (with particular emphasis on jus ad bellum and jus in bello). Furthermore, it highlights sources relevant to the analysis and justifies concentration on government-run states as the primary actors in the international arena. The second part addresses the political component of international law, exploring theories influenced by the discipline of international relations. This is done as part of the search for the most suitable mode of intellectual interpretation required for tackling the main problem identified in the Introduction.
2.2 Legal Framework
What is the nature of international law and its imperfections? Which sources should be consulted? Who are the main actors? The scope of inquiry and the stated arguments necessitate answering these questions before proceeding to examination of the technical aspects of cyber-attacks and more substantive matters related to international law in the subsequent chapters of this book.
2.2.1 Nature of International Law
Generally, international law is a set of common norms regulating state relations, their mutual conduct and treatment of individuals under their control.1
1 Anthony Aust, Handbook of International Law (2nd edn., CUP 2010) 4. For discussion of norms’ universality, see Emmanuelle Jouannet, “Universalism and Imperialism: The True-False Paradox of International Law?” (2007) 18(3) EJIL 381; Hans Kelsen, Principles of International Law (The Lawbook Exchange 1952) 3.
These legal norms are traditionally developed by states themselves, who are guided in this process by the political interests of their governments and by their desire to facilitate relations with other international actors or, in some cases, to establish control over them.2 That being said, international law has evolved from a product meant to simply promote the cooperation between nations into a mechanism that also regulates the behavior of states and international organizations themselves (including those that create the norms).3 This development is reflected in the early history of the debate regarding the nature of international law. Two classic theories dominated international legal thinking before the 20th century: natural law and positivism. Both are, to a limited extent, addressed in the present book, although neither plays a dominant conceptual role. They are rather balanced against each other as reflections of factors, which influence the reality of what is international law today. Natural law is an early European idea of universal, divine norms, shared by humans on a subconscious level, provided by God or nature. This theory is grounded in morality, which stems or at least ought to stem from human nature, and its focus lies on moral obligations in adopting legal norms and in complying with them.4 The positivist model rejects natural law. For instance, Hans Kelsen criticized natural law for its (unreasonable) belief “that it is possible to obtain from our insight in nature, that is, from our knowledge of facts, a knowledge of what is right and wrong”.5 As an alternative, positivists argue that binding norms are, in effect, nothing more than expression of states’ will. 
Positivism motivates the present book to use a normative set of primary international law sources (addressed in the following sub-chapter).6 On the other hand, only relying upon classical positivism is not prudent, especially in light of the wars of the last century, which took the axiom of “dura lex sed lex” to unacceptable heights, and proved its unsustainability. A partial return to natural law from positivism in the 20th century resulted in the emergence of concepts (sometimes driven by individuals or non-governmental organizations)7 that influence the behavior of sovereign states. Cumulatively, these concepts are called obligations erga omnes (owed to all states) and non-derogable jus cogens.8 Among them, one can list: 1) the principle of legality, which prohibits punishments for previous non-criminalized behavior, 2) the Martens Clause, which subjects all new weapons and methods of warfare to “laws of humanity” and “public conscience”, as well as 3) the idea of “just war”, which is reflected in the UN Charter. Using jus cogens as a base, today, one can distinguish between international law’s subjective and objective elements. Subjective ones are those created and influenced by states together, those that reflect a balance of power between nations. Objective elements represent universal obligations (erga omnes) that states impose upon themselves as a sign of moral maturity, civility of a nation. Although some overlap between them exists, one should admit that subjective and objective elements evolve separately, as the former belongs to the sphere of influence of positivism and the latter—natural law.
2 Martin Dixon, Textbook on International Law (7th edn., OUP 2013) 13.
3 Ibid.
4 Brian Bix, “On the Dividing Line Between Natural Law Theory and Legal Positivism” (2000) 75(5) Notre Dame Law Review 1615.
5 Kelsen (n. 1) 310.
6 See generally Samantha Besson, “Theorizing the Sources of International Law” in Samantha Besson, John Tasioulas (eds.), The Philosophy of International Law (OUP 2010) 185.
2.2.2 Sources of International Law
Discussion of the nature of international law inevitably leads to the inquiry regarding its sources, particularly in the context of the purposes set in the present book. A good starting point for determining the sources of international law is the widely accepted list in Article 38(1) of the International Court of Justice (ICJ) Statute, which mentions international conventions, international custom, general principles of law, “judicial decisions and the teachings of the most highly qualified publicists”.9 The first three categories are considered primary (equal in their importance), whereas case-law and academic teachings are regarded as auxiliary sources of international law.
7 See generally ILC Study Group, “Fragmentation of International Law: Difficulties Arising from the Diversification and Expansion of International Law”, 58th Session, Report of the Study Group of the ILC Finalized by Martti Koskenniemi (1 May–9 June, 3 July–11 August 2006) UN Doc A/CN.4/L.702, para. 158.
8 See Vienna Convention on the Law of Treaties (adopted 23 May 1969, entered into force 27 January 1980) 1155 UNTS 331, Art. 53: “[jus cogens] is a norm accepted and recognized by the international community of States as a whole as a norm from which no derogation is permitted and which can be modified only by a subsequent norm of general international law having the same character”. See also Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep, para. 83.
9 Statute of the International Court of Justice (adopted 26 June 1945, entered into force 24 October 1945) Art. 38(1).
Chapter 2
All five categories are relied upon in this book, which adopts the logic of the ICJ in matters relating to international law’s sources and their importance. Thus, these categories deserve more attention here.

2.2.2.1 International Conventions

The Permanent Court of International Justice held in the Lotus case that “[t]he rules of law binding upon States [. . .] emanate from their own free will as expressed in conventions or by usages generally accepted as expressing principles of law”.10 Lex scripta, which comprises international conventions, treaties and codified rules, indisputably represents the most obvious source of legal norms. After all, it is the possibility to enter into contracts and to subject themselves to the pacta sunt servanda principle that makes states the primary subjects of international law.11 For this reason, international conventions are the legal source most favored by positivists, although interpretations of the written norms can still be pursued with natural law in mind. Today, very few conventions directly deal with what goes on in cyber-space and none of them deal with cyber-warfare. As implied in the Introduction, this may result from the fact that certain governments deliberately prevent legal developments in this field. Nevertheless, lack of conventions on cyber-warfare does not necessarily mean that other treaties or written norms are not relevant. In fact, they are; as will be shown in the subsequent chapters, documents such as the UN Charter, the Geneva and Hague Conventions preserve their utmost importance.

2.2.2.2 Customary Law

Nowadays, customs are recognized as an important source of international law since states voluntarily acknowledge obligations binding upon them (to the satisfaction of legal positivists), inter alia, by their conduct.12 When such acknowledgement, called opinio juris, accompanies uniform state practice itself, it becomes part of the existing law (lex lata).
Opinio juris can stem from silent acceptance of others’ behavior, whereas state practice can be deduced from “governmental actions, [. . .] legislation,
10 SS “Lotus” (France v Turkey) [1927] PCIJ Rep Series A No 10, 18.
11 Samantha Besson, “Sovereignty, International Law and Democracy” (2011) 22(2) EJIL 378–379. See also John O’Brien, International Law (Routledge-Cavendish 2001) 47.
12 See Roozbeh B. Baker, “Customary International Law in the 21st Century: Old Challenges and New Debates” (2010) 21(1) EJIL 176.
Theoretical Framework
diplomatic notes, [. . .] official statements, government manuals”, as well as other displays of adherence to unwritten legal norms.13 Here, it should be mentioned that due attention in this work is dedicated to the United Nations resolutions and other so-called soft law documents (including declarations, recommendations, guidelines, codes of conduct and so on), as undeniable factors influencing and reflecting the formation of customary law.14 Customary norms can be codified in the form of conventions, while conventions can give rise to customary obligations.15 Nevertheless, unlike specific norms arising out of treaties that states adopt, identifying binding customs is problematic per se due to, inter alia, persistent objections (freeing states from being bound by those norms to which the state objects), the difficulty of abandoning the accepted and outdated customs, as well as frequent violations.16 The present book acknowledges that the existing customary law applies indirectly in the context of cyber-warfare: customs developed for another purpose have not yet been purposefully tested in the new environment of cyber-space. Identifying applicable norms is complicated in light of cyber-attacks, which are still yet to see consistent state practice or opinio juris (or even conscious expression of opinio necessitatis, for that matter)17 and which are sometimes concealed by the involved governments themselves or by the relevant corporations, which do not desire disclosure of their software or hardware vulnerabilities.18

2.2.2.3 General Principles of Law

One may argue that general principles of law are positivist in nature, as they were largely borrowed from domestic legal systems: as such, they have undergone a process of “objectivization”, either through previous court practice or

13 Aust (n. 1) 6.
14 See generally O’Brien (n. 11) 98–99; Military and Paramilitary Activities in and Against Nicaragua (Nicaragua v USA) (Merits) [1986] ICJ Rep, para. 188.
15 Aust (n. 1) 7.
16 See Joel P. Trachtman, “Persistent Objectors, Cooperation, and the Utility of Customary International Law” (2010) 21(1) Duke Journal of Comparative & International Law 232; Rosalyn Higgins, Problems & Process: International Law and How We Use It (OUP 1994) 20. See generally David J. Bederman, “Acquiescence, Objection and the Death of Customary International Law” (2010) 21(1) Duke Journal of Comparative & International Law 44–45.
17 See generally Tarcisio Gazzini, “The Rules on the Use of Force at the Beginning of the XXI Century” (2006) 11(3) Journal of Conflict & Security Law 320–321.
18 See generally Michael J. Glennon, “The Road Ahead: Gaps, Leaks and Drips” (2013) 89 International Law Studies 380.
codification.19 Nevertheless, Article 38 of the ICJ Statute specifically refers to this source as “the general principles of law recognized by civilized nations”, a phrase emerging as a result of political compromise between positivists and natural law supporters.20 General principles were not always seen by all as a distinctive source of international law. Particularly, Soviet academics viewed them rather as a “specific legal phenomena”.21 Nevertheless, today, they are widely recognized and there is nothing to indicate why this book should not pay attention to principles relevant in warfare generally (for instance, the principle of self-preservation).22

2.2.2.4 Judicial Decisions and Scholarly Opinions

As in the case of conventions, international judicial decisions do not yet tackle cyber-warfare, although domestic courts increasingly concern themselves with cyber-attacks and what could, arguably, be defined as cyber-terrorism. The present book pays significant attention to jurisprudence of international courts, tribunals, and, where applicable, domestic decisions of international importance, because case-law (including advisory opinions) plays an important role in interpreting conventions, identifying the existence of customary norms and relevant legal principles. When it comes to the existing academic literature, the latter also makes noteworthy proposals as to the regulation of cyber-attacks. Yet, in a technologically and politically diverse world, these proposals have to be taken critically. Thus, assessment of potential candidates for the status of “most highly qualified publicists” must remain realistic, and the reality today is that no author has been officially recognized as a publicist of such level. Ian Scobbie suggests that the most probable candidate for this role is Michael Schmitt, whose “views on computer network attacks and information warfare [. . .]
inform, if not structure, the current legal appreciation of these issues”.23 Indeed, it is hard to dispute that. Today, Schmitt is quoted more often than other academics in this field. Moreover, he has made a notable
19 Vladimir D. Degan, Sources of International Law (Martinus Nijhoff 1997) 137.
20 Gennadii M. Danilenko, Law-Making in the International Community (Martinus Nijhoff 1993) 173–174.
21 Godefridus J. Hoof, Rethinking the Sources of International Law (Kluwer Law 1983) 132.
22 See Bin Cheng, General Principles of Law as Applied by International Courts and Tribunals (CUP 2006) 29.
23 Ian Scobbie, “Some Common Heresies About International Law” in Malcolm D. Evans (ed.), International Law (OUP 2003) 64.
contribution to scholarship that concerns interpretation of international law in light of cyber-attacks. That being said, Schmitt’s ideas fall very neatly into one of the preexisting academic groups (pro-Western), defined by the political interests of different international organizations and their members. In this book, it will be shown that the Shanghai Cooperation Organization’s (SCO) position (Eastern) on information security is challenging that of the North Atlantic Treaty Organization (Western) in questions regarding the essence of cyber-space, potential claims of sovereignty therein and even the extent to which cyber-warfare should be regulated. Another relevant “clash” involves the Western position coming into conflict with that of the Organization of Islamic Cooperation (Islamic) in matters of terrorism regulation, particularly when it comes to immunity of state forces and armed resistance to occupation. These two questions are the cornerstone of the lengthy and somewhat fruitless negotiations of the Comprehensive Convention on International Terrorism in the United Nations General Assembly. Like Schmitt, most contemporary authors who openly write about cyber-warfare (and who are mentioned in this book) belong to the Western group, not by nationality, but by virtue of their writings. This is also the case with the so-called independent International Group of Experts that authored the Tallinn Manual (introduced in the previous chapter) under NATO patronage. This obvious division of scholarship into the Western, Eastern, and Islamic, for whatever reason it may be, makes it hard to identify the authors who satisfy the neutrality criteria necessary for their works to become a legal source (if only subsidiary).
On the other hand, it should be added here that case-law and opinions of distinguished academics are considered subsidiary to the main sources of international law for an obvious reason: states do not directly participate in their creation (although they can influence their adoption by suggesting various interpretations of the primary sources). This fact not only reflects the positivist position, but also the (partially) surviving tradition of law-making being a prerogative of states. Indeed, it is important to highlight that only the main sources of international law can provide a guaranteed common denominator for state action in cyber-space. Auxiliary sources, while certainly helpful (from an academic point of view) in suggesting what the right interpretation might be, should not be exclusively relied upon. Even the Tallinn Manual is only a set of private opinions on how some of the legal issues pertaining to cyber-warfare could be resolved. This does not mean that the international community will accept these interpretations. In fact, due to its pro-Western nature (as mentioned above), some elements of the Manual will almost certainly be rejected by
members of the SCO and, possibly, other states. This is openly admitted by one of the Tallinn Manual’s main authors and editors, Wolf von Heinegg, who also adds that the publication “does not meet the requirements of Article 38 (1) (d)” of the International Court of Justice Statute.24 Similarly, the case-law of the ICJ, an organ meant to clarify and develop international law, is not always respected.25 While it would be helpful if the Court gave an advisory opinion on applicability of jus ad bellum and jus in bello to cyber-attacks, such non-binding opinions can be generally disregarded by states or international organizations.26 Notably, the ICJ’s competence and decisions even in contentious cases (with pre-recognized jurisdiction) are sometimes rejected.27

2.2.3 Fragmentation of International Law

Absent a clear set of legal sources that would apply to cyber-attacks, some reductionism of international law (that is, splitting it into lesser constituents for the purpose of analysis) is not only healthy, but also remains crucial in identifying its uncertainties, gaps and deficiencies, which is the purpose of this book. In doing this, should one consider international law’s sub-regimes (particularly, jus ad bellum and jus in bello) as fragmented? A Study Group of the International Law Commission (ILC Study Group), led by Martti Koskenniemi and others, addressed the issue of “splitting up of the law into highly specialized ‘boxes’ that claim relative autonomy from each other and from the general law”.28 Acknowledging the “differing pursuits and preferences of actors in a pluralistic (global) society” and the fact that primary international law sources (sometimes spontaneously) result from compromises reflecting “conflicting motives and objectives”, the ILC Study Group argued that normative hierarchies should be determined on an ad hoc basis
24 Wolf H. von Heinegg, “The Tallinn Manual and International Cyber Security Law” (2012) 15 Yearbook of International Humanitarian Law 11–12.
25 See generally James A. Green, The International Court of Justice and Self-Defence in International Law (Hart Publishing 2009) 172.
26 See generally Mahasen M. Aljaghoub, The Advisory Function of the International Court of Justice (1946–2005) (Springer 2005) 225.
27 See Constanze Schulte, Compliance with Decisions of the International Court of Justice (OUP 2004) 404.
28 ILC Study Group, Koskenniemi, “Fragmentation” (n. 7) paras. 13, 482–483; ILC Study Group, “Fragmentation of International Law: Difficulties Arising from the Diversification and Expansion of International Law”, 58th Session, Report of the Study Group of the ILC (1 May–9 June, 3 July–11 August 2006) UN Doc A/CN.4/L.702, para. 8.
with a particular problem in mind.29 Furthermore, while noting the inherently different priorities in varying sub-regimes, the ILC Study Group rejected the notion of self-contained branches of international law per se.30 Some international judges previously argued that the legality of the use of force has little meaning for the application of humanitarian law.31 However, one cannot easily deny a close link between jus ad bellum and jus in bello, particularly when an “armed attack” could serve as the beginning of an international armed conflict. Furthermore, the two regimes mentioned above are not isolated from other legal branches. For example, terrorism is increasingly seen as an act of war. International criminal law prohibits the crime of aggression that requires a use of force, as well as war crimes committable only in the context of an armed conflict. Thus, at least when discussing warfare, one has to agree with the ILC Study Group’s approach. Separate analysis of international law’s branches in this book should not be seen as accepting the position that sub-regimes of international law are self-contained.32

2.2.4 Legal Imperfections

One scholar correctly observed that, while international law is not a perfect system, neither are any domestic law systems.33 Thus, to criticize the existing legal regime simply due to the fact that it has imperfections would be unreasonable. On the other hand, international law can be criticized for generally failing to live up to its purpose. This determines the theoretical bearing of the present work, which seeks to prove not simply that international law is imperfect, but that there are a substantial number of significant imperfections.
The major bulk of legal norms related to jus ad bellum and jus in bello (that lie in the focus of the present book) were developed in the 20th century with a particular mission in mind: as a regulatory regime, international law was meant to represent a sufficiently clear framework that ensures a stable, safe

29 ILC Study Group, “Fragmentation” (n. 28) para. 10; ILC Study Group, Koskenniemi, “Fragmentation” (n. 7) paras. 16, 34, 484–486.
30 ILC Study Group, Koskenniemi, “Fragmentation” (n. 7) paras. 192–193, 488, 492.
31 Wilhelm List and Others (The Hostages Trial) (Judgment) [1949] Nuremberg US Military Tribunal 59; Separate Opinion of Judge Kooijmans in Armed Activities on the Territory of the Congo (DRC v Uganda) (Judgment) [2005] ICJ Rep, para. 58.
32 See generally Von Heinegg (n. 24) 13, who argues that “‘international cyber security law’ [. . .] encompasses rules and principles derived from multiple branches of international law”.
33 Dixon (n. 2) 2.
and just environment in the international arena, which, for that purpose, minimizes room for exploitation and misinterpretation. Where international law fails to meet this objective due to inadequate regulation, it is imperfect. Therefore, in the present book, the word “imperfections” is used as a collective term to denote uncertainties, deficiencies and gaps of the legal regimes under consideration (primarily, jus ad bellum and jus in bello). “Uncertainty” signifies existence of a vague norm, which lacks clarity and which, for that reason, can be understood differently by different actors. “Deficiency” refers to a norm which can be reasonably believed to have become inadequate for the purpose for which it was created. In case a norm does not exist, but there is a reasonable expectation for it to be present (to regulate a particular situation or scenario), a “gap” in law exists. One may argue that the vagueness of international law allows it to better acclimatize to the ever-changing backgrounds in which it is used. Yet, it would be an incorrect assumption. Vagueness and imperfections interfere with the very purpose of international law described above. In reality, it is the general, natural-law-inspired, all-encompassing approaches that were deliberately used in creating some norms, and which allow for a successful adaptation to social, economic and technological changes (unless this process is manually suspended for political reasons). The Martens Clause is the most obvious example here, as it ensures that international humanitarian law applies to all technology and tactics not yet subjected to lex specialis. So, why do legal imperfections emerge? As implied in the preceding chapter, they are a result of previous manipulation and negligence.34 Since solid international law can only be developed by states that are driven by the politics of their governments, the latter can choose which norms to make or leave imperfect. 
On the other hand, as long as the general system of law works to the satisfaction of states and governments concerned, there is little incentive for them to improve it, especially if reforms threaten to cause “diminution of state power”.35 Finally, an assumption can be made that preexisting uncertainties, deficiencies and gaps can be deliberately and continuously maintained by state governments, which contribute to the stagnation of international law in the field of cyber-warfare. Nevertheless, the research focus here clearly lies on the legal imperfections themselves and, although the present book considers the prospect of “egoistic” governments exploiting these imperfections, political, psychological and social motivations for such behavior are not explored deeply.

34 See sub-chapter 1.2.
35 Dixon (n. 2) 14.
2.2.5 Main Actors

In the context of legal theory, one is inevitably faced with a question of whether the pre-existing state-centric system remains intact. It is addressed here next, followed by the discussion of the role of international organizations, as well as non-state actors and corporations (as a special category of non-state actors).

2.2.5.1 States

This study employs a classic form of legal research, based on the examination of the normative framework and practice of state and non-state actors who have the capability to carry out cyber-attacks and participate in cyber-warfare. Both positivist and naturalist schools have an equally strong claim to sub-regimes of international law, which the present book examines. However, if one takes into account the historical and political perspectives, the importance of which cyber-attacks reanimate, it becomes apparent that the most effective analysis necessitates a theoretical perspective that realistically recognizes the central role of states in warfare, both as the main decision-makers and actors in the international arena. History does provide examples where influence of internal or external populations played a decisive role in the replacement of state leadership. However, the vacuum created as a result of a coup is quickly filled with people that replace this leadership, leaving the external state structure intact.
For this reason, although this work clearly indicates that only governments at a given moment (and not the states themselves) can have the human desire to exploit legal imperfections, Philip Allott’s argument that international law is humanity’s self-constituency, meant to serve common goals of all peoples, should be rejected in favor of that of state centrality, advanced by Emer de Vattel.36 The latter author, in his attempt to combine naturalism with positivism, correctly argues that natural law is followed by nations to the extent demanded by their conscience, unless states willingly bind themselves by “positive law of nations”.37 While, in this case, concentrating on a state (as run by governments) is justified by the scope of the present book, it does not go as far as to claim that arguments about human centrality may not hold power outside discussions of warfare. On the contrary, it should be obvious that international law features

36 See generally Philip Allott, The Health of Nations: Society and Law Beyond the State (CUP 2002) 297.
37 Emer de Vattel, The Law of Nations, or, Principles of the Law of Nature, Applied to the Conduct and Affairs of Nations and Sovereigns: A Work Tending to Display the True Interest of Powers (Thomas M. Pomroy 1805) 53–54; 56–57.
regimes that are entirely focused on the person as the main addressee. After all, is that not the mission of “human rights”? The same can be said, for instance, about Thomas Franck’s criteria of “legitimacy”38 and “fairness”,39 which predict whether states will follow a particular legal norm or not. In the context of cyber-warfare, “fair” is what governments subjectively determine to be “fair” for themselves, for their state and for the world community as a whole, although these concepts may be more objective when applied in other legal regimes.

2.2.5.2 International Organizations

As of the 20th century, states belong to and operate in global bodies like the UN and organizations of a more limited scope, such as NATO, SCO or the European Union. What are their roles from a theoretical perspective? First of all, since states (as run by governments) are the main decision-makers in the field of international law, they require forums where they can discuss different proposals and compromise. Thus, international organizations (a product of international law themselves)40 provide a positivistic platform for creating new laws and interpreting old ones. For example, a major part of conventions are negotiated and adopted in the United Nations. The role of such organizations in eliminating international law’s imperfections, therefore, is invaluable. Secondly, and particularly when it comes to the smaller regional or military organizations, they can be used for joint action and fortification of the political position of those states that desire to take a certain action. Organizations like NATO and the EU are often vocal about violations of the laws of warfare and ensure that a group of states act as one in imposing sanctions, conducting military operations and so on.
As mentioned in the preceding chapters, this type of behavior often has a spill-over effect in legal scholarship, where one can distinguish the lines between pro-Western, pro-Eastern, and pro-Islamic positions with regards to international law.41 Thirdly, while international organizations represent communities of states, they sometimes include non-state actors, non-governmental organizations

38 See Thomas M. Franck, The Power of Legitimacy Among Nations (OUP 1990) 25.
39 See Thomas M. Franck, Fairness in International Law and Institutions (OUP 1998) 3–4.
40 See generally Christopher C. Joyner, “Conclusion: The United Nations as International Law-Giver” in Christopher C. Joyner (ed.), The United Nations and International Law (CUP 1997) 435–436.
41 See sub-chapter 2.2.2.4.
and even individuals as observers, who are meant to represent the world population. In addition, the staff and working groups of organizations include independent experts without any obvious political affiliations. Through these “representatives”, the world community can hope to exert some influence on the decisions made by individual governments, particularly through the development of soft law. As Michael Glennon notes:

[L]egal order is hardly devoid of coercion. The system does not rest upon pure, unfettered consent by all within it; policymakers within States often do things that they don’t want to do and refrain from doing things that they do want to do. Other States, international organizations, nongovernmental organizations and influential national elites all exercise various forms of power; all narrow States’ ability to choose freely.42

However, the global community and the world’s peoples are often too weak to challenge the most powerful governments in reality, particularly when it comes to the area of national security (to which cyber-attacks are increasingly assigned). Their impact, therefore, remains limited.

2.2.5.3 Non-State Actors

Nowadays, non-state actors launch a significant number of cyber-attacks. In addition to states, non-state actors are becoming more regulated under international law. This is particularly true when it comes to warfare. For instance, following the 9/11 terrorist attacks, groups like Al-Qaeda are seen as actors capable of launching “armed attacks” within the context of Article 51 of the UN Charter. National liberation movements, as well as organized groups participating in non-international armed conflicts are directly regulated by the Geneva Conventions. Non-state actors, therefore, are recognized as important international actors in this book (albeit, secondary to states as the main actors of international law). It is important to acknowledge the rising role of corporations as relevant non-state actors.
These legal entities have long been subjected to cyber-attacks, eventually leading to their heavy investment in IT security.43 This, in turn, has resulted in their having the most advanced cyber-defense (and logically, cyber-offense) capabilities, which exceed those of many states. In other words, the know-how, relative autonomy of operations, significant funding and structured

42 Glennon (n. 18) 374.
43 See Gaurav Jain, “Cyber Terrorism: A Clear and Present Danger to Civilized Society?” (2005) 3(44) Information Systems Education Journal 6.
teams of experts make companies potential perpetrators of cyber-attacks.44 As such, they are already used by some militaries. In theory, in the absence of states’ control, such legal entities can also be guided by the political views of their leadership, or may be interested in destabilizing countries or the world economy for profit. However, corporations often have a legal personality within their host state and many societies pressure them to be more transparent.45 Though this does not preclude prospects of aggressive behavior, this makes them a special category of non-state actors that can be more easily held responsible for various offenses. This means that, aside from the leadership of the corporations and members of the IT teams that may be directly involved in cyber-attacks, companies themselves risk being prosecuted, if the respective legal systems permit it. For these reasons, cyber-attacks launched by companies are likely to be limited and mostly geared towards espionage on competitors. Although future cyber-conflicts may be waged by individual corporations, for the moment they do not merit specialized analysis in this book and shall remain covered by the more general discussions on non-state actors.

2.3 Political Component
Having discussed the essence of international law from a predominantly legal perspective, one should not ignore political factors that exert direct influence on the law’s application. Such factors (especially, the possibility of governments behaving “egoistically”) are crucial considering that legal norms very often emerge as a result of political processes and international law was never meant to be the only thing constraining states’ behavior.46 Definitely, warfare has always been a subject of international relations. Following this logic, political theories on international law become an undividable part of international legal theory itself. The present sub-chapter takes a look at important academic approaches, inspired by international relations, in
44 See Jason Barkham, “Information Warfare and International Law on the Use of Force” (2001) 34(1) NYU Journal of International Law and Politics 105.
45 UN Conference on Trade and Development, “Disclosure of the Impact of Corporations on Society, Current Trends and Issues” (Paper, UN 2004) 4 accessed 1 August 2015.
46 Dixon (n. 2) 3–4.
pursuit of establishing the most realistic theoretical vantage point, necessary for analysis of international law’s imperfections in the context of cyber-attacks.

2.3.1 “Political” Theories on International Law

Grigory Tunkin believed that “[m]ixing international law with policy inevitably leads to a denial of the normative character of international law, that is to say, to a denial of international law, which becomes buried in policy and vanishes as law”.47 The opposite extreme to Tunkin’s, arguably, “utopian” position is descriptive “non-normative apology” of politics.48 Which view should be preferred in this book? An objective legal approach to cyber-warfare has to reject both extremes and carefully balance between the two to seek a middle ground. While legal norms have to preserve their normative character, one cannot ignore the reality where international law is inseparable from state interests and behavior.49 Neither can one disregard that, while law operates as an “autonomous formal technique”, it is also an “instrument for advancing particular claims and agendas in the context of political struggle”.50 In weighing legal theories inspired by international relations, one should be wary of their weaknesses. A careful balance in theoretical approach between positivism and natural law on the one plane and between what Koskenniemi calls “apology” and “utopia” on the other should not one-sidedly devaluate international law in light of certain socio-political factors.
One notable theory developed by Myres McDougal and Harold Lasswell, the New Haven school of policy-oriented jurisprudence, rejects the notion that international law is a set of norms, instead focusing on the (constantly ongoing) process of authoritative decision-making and its consequences.51 It correctly identifies human beings as the social actors that have the capacity, as well as the desire to make decisions and to influence the law.52 Furthermore, the New Haven school recognizes that policy, together with the way it is formed and transmitted, should, inevitably, be taken into consideration when discussing legal norms.53

47 Grigory I. Tunkin, Theory of International Law (Harvard University Press 1974) 297.
48 See Martti Koskenniemi, From Apology to Utopia: The Structure of International Legal Argument (CUP 2006) 17.
49 Ibid., 18.
50 Martti Koskenniemi, “What is International Law For?” in Malcolm D. Evans (ed.), International Law (OUP 2003) 96.
51 Eisuke Suzuki, “The New Haven School of Jurisprudence and Non-State Actors in International Law in Policy Perspective” (2012) 42 Journal of Policy Studies 44–45.
52 Ibid., 43.
53 Ibid., 44–45.
As early as 1943, McDougal and Lasswell pointed out:

None who deal with law, however defined, can escape policy when policy is defined as the making of important decisions which affect the distribution of values. Even those who still insist that policy is no proper concern of a law school tacitly advocate a policy, unconsciously assuming that the ultimate function of law is to maintain existing social institutions in a sort of timeless status quo; what they ask is that their policy be smuggled in, without insight or responsibility.54

The world may be returning to the realist ideology (discussed further) that inspired the creation of the New Haven school in the first place.55 Nevertheless, the application of the latter theory to cyber-warfare would not be easy. For instance, an inquiry into the “policy” of cyber-warfare regulation using the New Haven method would necessitate an analysis of how the framework of potentially applicable norms is communicated to governments, if it is taken into account by them. Causes of cyber-attacks would need to be investigated and the scheme of interactions between states, governments, courts and international organizations explored. Such an inquiry would immediately be hampered by the secrecy that surrounds cyber-attacks and the lack of targeted regulation aimed at cyber-warfare itself, making it inefficient. Furthermore, it should be mentioned that while the New Haven school concentrates on socio-political trends behind authoritative decisions that form international law, it does so with an aggressive American “democratic ideal” in mind.56 While the latter may motivate Western governments to exploit imperfections of international law, one should be careful not to forget that other governments and political systems may be no less interested in such exploitation than the West.
Institutionalism that focuses on international structures (especially in its neoliberal form) does a good job at recognizing that “egoistic states [may] seek to maximise their respective interests within existing environmental
54 Myres S. McDougal, Harold D. Lasswell, “Legal Education and Public Policy: Professional Training in the Public Interest,” (1943) 52(2) Yale Law Journal 207. 55 Janet K. Levit, “Bottom-Up International Lawmaking: Reflections on the New Haven School of International Law” (2007) 32(2) Yale JIL 394. 56 See McDougal, Lasswell (n. 54) 206–207, 212, 214, 222, 288, 291; Scobbie (n. 23) 69–71; O’Brien (n. 11) 50–51.
constraints”.57 It correctly acknowledges that states’ behavior, while egoistic, tends to be rational and, although they, as the primary actors of international law, operate in an anarchic arena, cooperation between states is possible with the help of institutions.58 The idea of “complex interdependence” advanced by institutionalists Robert Keohane and Joseph Nye reasonably accepts participation of non-state actors in politics.59 According to the theory under consideration, institutions are of particular importance, because despite the lack of a centralized governance structure in international relations, they establish a secure scene for negotiations, as well as a platform for supervising and, if necessary, controlling state behavior.60 This is, arguably, done by increasing the importance of reputation within the international community, providing an already-existing scheme for decision-making, publicizing soft law instruments that serve as guides for state behavior, ensuring that countries are invested into institutions financially and otherwise (which prevents them from easily “pulling out”).61 In addition, institutions are seen as contributing to the control over state behavior by making different issues on the international agenda inseparable, increasing access to information, promoting transparency and mediating disputes.62 Conventions are seen by institutionalists as establishing long-term relations that are giving “rise to stable expectations between states” and increasing the “importance of reputation and the use of reciprocity to enforce obligations”.63 Customary law, like conventions, is meant to reduce uncertainty by offering a stable model of behavior, built around reputation and reciprocity.64 Where simple deterioration of reputation is seen as ineffective, institutions can coordinate the mechanism of collective punishment. 
A notable example of this is the work of the UN Security Council, which can impose a spectrum of measures (under Chapters VI and VII of the UN Charter) ranging from sanctions to authorizing the use of force against the violators of international law.
57 Christian Reus-Smit, “The Politics of International Law” in Christian Reus-Smit (ed.), The Politics of International Law (CUP 2004) 15, 18. 58 William J. Aceves, “Institutionalist Theory and International Legal Scholarship” (1997) 12(2) American University International Law Review 236, 240, 260. 59 Robert O. Keohane, Joseph S. Nye, Power and Interdependence (2nd edn., Longman 1989) 24. 60 Aceves (n. 58) 241–242. 61 Ibid., 243, 245–247. 62 Ibid., 248–250, 253. 63 Ibid., 257. 64 Ibid., 258, 260.
There are a number of flaws in institutionalism that should be pointed out here. Firstly, it presupposes constantly existing common goals between states or governments that create institutions to constrain their behavior.65 In reality, these goals come into an obvious conflict when military confrontations occur (also in the form of cyber-warfare). Arguments that governments do not use force regionally lose validity in trans-global environment created by virtual cyber-space.66 Secondly, the already-existing institutions can be ignored or manipulated by certain governments, which have enough power to do so. Possibilities of such manipulations may even sometimes determine the level of investment and, as such, keep the level of state dependency on institutions and other states under government control. Had the situation been different, organizations like the UN or NATO would not be criticized as part of the problem (in addition to being part of the potential solution). Thirdly, manipulations and negligence by governments may be present already in the early stages of creation of international institutions, leading to them having structural imperfections. Finally, reputation of the more powerful states can be preserved by heavily relying on the global media propaganda (this notion is developed further). The next theory that could be useful is the critical legal studies. Emerging in the process of annual “critical legal” conferences, it attempts to unmask the policy elements that are underlying legal systems. 
While the main Conference has now been dissolved, critical legal studies have not entirely lost their relevance today.67 This theory not only rejects the determinate nature of the law, arguing that it is veiled politics, but also views it as one of the instruments for preserving unjust hierarchies in society (in international law’s case, the society of states).68 The language employed in the law itself is viewed as one meant to “create the illusion of fairness while really legitimizing and furthering the position” of those on top of the hierarchy.69
65 Anne-Marie Slaughter, “Liberal International Relations Theory and International Economic Law” (1995) 10(2) American University International Law Review 724–726. See also Markus Burgstaller, Theories of Compliance with International Law (Martinus Nijhoff 2005) 99. Note that a similar problem is present in the constitutionalist theory. 66 See generally Keohane, Nye (n. 59) 25. 67 Guyora Binder, “Critical Legal Studies” in Dennis Patterson (ed.), A Companion to Philosophy of Law and Legal Theory (2nd edn., Wiley-Blackwell 2010) 267. 68 Jerry L. Anderson, “Law School Enters the Matrix: Teaching Critical Legal Studies” (2004) 54(2) Journal of Legal Education 201. 69 Ibid., 202.
Indeed, the illusion on the global
level may be cast in order to keep the weaker states passive and secure, while the more powerful states preserve their dominant positions. This “injustice” is most clear when one considers the unequal state powers in the UNSC, despite the assurances of sovereign equality in the UN Charter. Acknowledgment of historical, political (or, in the case of constructivist thinking, social)70 perspectives should not come at the expense of objectivity of the entire legal system—a sacrifice expected by radical critical legal studies, which reject the possibility of objective norms altogether.71 On the other hand, what one author defines as their moderate form, views only legal interpretations as determined by political (as well as cultural and moral) beliefs.72 For this reason, in the context of the present book, moderate critical legal studies somewhat contribute to identifying an adequate vantage point over the subject of cyber-attacks as regulated by imperfect instruments of law. That being said, critical legal studies cannot be entirely relied upon here due to their focus on societies, which does not take into account the complex relations between states and their governments, as well as the composition of the latter with fluctuating desire and possibilities to exploit the law.73
After dismissing powerful mainstream alternatives, one is left to look at the situation through the prism of realism. An important starting point is the principles formulated by Hans Morgenthau, according to which “politics [. . .] is governed by objective laws that have their roots in human nature”, where “interest [is] defined in terms of power [. . .]—an objective category that is universally valid”, guided by “distinctive [non-universal] intellectual and moral attitude to matters political”.74 In deviating from the classical Morgenthau’s positions, realists continue to preserve a general understanding that states play the main role in the anarchic international arena and that they compete for power.75 International law is believed to reflect this struggle and the balance of power it creates.76
70 Reus-Smit (n. 57) 15, 21–22. 71 O’Brien (n. 11) 52; Andrew Altman, Critical Legal Studies: A Liberal Critique (Princeton University Press 1990) 18. 72 Altman (n. 71) 19. 73 Note that this problem is also shared by liberalism—see generally Slaughter (n. 65) 728. 74 Hans J. Morgenthau, Politics Among Nations: The Struggle for Power and Peace (7th edn., McGraw-Hill 2006) 4–13. 75 Slaughter (n. 65) 722. See also Fernando R. Tesón, A Philosophy of International Law (Westview Press 1998) 41. 76 Reus-Smit (n. 57) 15.
Realism acknowledges that legal rules may be ignored by states, in case it serves their interests.77 This fits well with the reality of contemporary warfare, where existing legal norms are not always complied with. Likewise, lack of lex specialis meant for cyber-warfare, coupled with a frequently expected possibility of remaining anonymous online, make it appealing for states to consider violating laws and to expand dominance by demanding conformity from others.78 The level of threat to national security represented by cyber-attacks ranges and, more importantly, is perceived to range from uncertain to high. Such an atmosphere encourages states and military alliances to strive for security by aggressively seeking advantage (regardless whether that conflicts with interests of other states, or not)—behavior expected by “offensive realism”.79 Furthermore, states may seek to “control and shape their external environment”—conduct predicted by “neoclassical realism”.80 It is acknowledged that realism is sometimes criticized for its indifference to human rights.81 But this is arguably a small concern, in light of the scope of this work. While one may argue that humanitarian law represents an extension of human rights onto the battlefield, the truth is that all but a few basic human rights become formally suspended during armed conflicts. On the other hand, Christian Reus-Smit reasonably notes that realism does not bother to explain how powerful states are constrained in their behavior by international law and how weak actors use it to their advantage.82 Both concerns can be addressed with reference to potential deterioration of reputation upon violation of erga omnes (but not necessarily other) obligations. 
Here, it should be noted that, as long as erga omnes obligations are not violated, overwhelming military and political force allows the most powerful (but not all) “egoistic” governments to prevent potential retaliation and to use the media as a propaganda tool to preserve their reputation (consider the influence of the pro-Western CNN news channel or the pro-Eastern news agency Russia Today), even if the decisions are not considered rational by parts of
77 Ibid., 16. 78 See Burgstaller (n. 65) 96; Tesón (n. 75) 41. 79 Burgstaller (n. 65) 97. 80 Ibid., 98. 81 See Tesón (n. 75) 52–54. 82 Reus-Smit (n. 57) 17.
the local population or internationally and negative political repercussions follow.83 Realism openly admits that individual governments and states may ignore international law. Martin Dixon argues that “[t]here is nothing surprising in this and it is a feature of the behavior of every legal person in every legal system”.84 Yet, as Rosalyn Higgins correctly notes, “[i]t rarely is in the national interest to violate international law, even though there might be short-term advantages in doing so”.85 In the words of Reus-Smit, when deciding on actions in ordinary circumstances “[s]trong states do not invariably ignore [international law], and when they choose to deliberately violate it they do so in the knowledge that as well as incurring political costs their actions will have to be justified as ‘legal’”.86 Consider, for instance, the statement of the legal advisor of the US Department of State Harold H. Koh, who argued:
[. . .] compliance with international law frees us to do more, and do more legitimately, in cyberspace, in a way that more fully promotes our national interests. Compliance with international law in cyberspace is part and parcel of our broader ‘smart power’ approach to international law as part of U.S. foreign policy. [. . .] International law is not purely constraint, it frees us and empowers us to do things we could never do without law’s legitimacy. If we succeed in promoting a culture of compliance, we will reap the benefits.87
In line with this, one scholar does not find it surprising “that the United States would advance an expansive interpretation of its rights under international law while simultaneously maintaining a narrow interpretation of its duties”.88 Governments are not interested in outright violation of legal norms when they can instead interpret international law in a way that would justify desired conduct.
83 See generally Andrew T. Guzman, How International Law Works: A Rational Choice Theory (OUP 2008) 9. 84 Dixon (n. 2) 4. 85 Higgins (n. 16) 16. See also Dixon (n. 2) 4, 12–13. 86 Higgins (n. 16) 16. 87 Harold H. Koh, “International Law in Cyberspace” (USCYBERCOM Inter-Agency Legal Conference, 2012) Final Quest 1 accessed 1 August 2015. 88 John Cerone, “Misplaced Reliance on the ‘Law of War’” (2007) 14(1) New England Journal of International & Comparative Law 57.
Such interpretations (and their desired acceptance by the world
community) become possible in areas where international law is imperfect, where it features gaps, deficiencies and uncertainties. So, what is the theoretical approach adopted in this book?
2.3.2 Adopted Theoretical Framework
Considering the weaknesses of the legal theories mentioned above, in order to achieve objective results, the present book adopts a distinctive theoretical framework. It will serve as a working theory within which an analysis of cyber-attacks is undertaken. Why is it better than other conceptual approaches? Although it leans towards realism, it seeks to avoid its imperfections and assimilates the more successful elements of other models. Some may consider it inspired by rationalism that in the purest form argues that “international law emerges from states acting rationally to maximize their interests, given their perceptions of the interests of other states and the distribution of state power”.89 Nonetheless, this work is not meant to fit perfectly with the game theory (an element often relied upon in rationalism) and, particularly, the idea that all states with various forms of government are simultaneously motivated only by self-interest.90
Thus, the theoretical position assumed in this book can be summarized as follows. International law is composed of subjective elements reflecting a balance of power and objective, universal elements (jus cogens) meant to constrain state behavior. Its main sources are conventions, customs and general principles. Sub-regimes of jus ad bellum and jus in bello are not self-contained and are related to each other and to other legal regimes. Because the regulation of warfare traditionally aimed to ensure more stability, safety and justice in the international arena, the mission of international law remains to facilitate this process by providing a sufficiently clear framework with minimal room for exploitation and misinterpretation.
Where international law fails to meet this objective due to inadequate regulation, it is imperfect. Imperfections emerge as a result of previous manipulations and negligence by the norms’ authors. States are the main actors and decision-makers in the international arena. They can belong to and operate in international organizations. States are represented by their governments. Governments’ goals are not universal and they are in conflict when countries are engaged in hostilities with each other.
89 Jack L. Goldsmith, Eric A. Posner, The Limits of International Law (OUP 2005) 3. 90 See generally D. Jeremy Telman, “Non-State Actors in the Middle East: A Challenge for Rationalist Legal Theory” (2013) 46(1) Cornell ILJ 58.
If the benefit is sufficiently great, governments may ignore legal norms. That being said, international law (especially jus cogens) is normally complied with by them; instead, governments may interpret legal norms in ways that serve their interests. They, normally, want others to accept these interpretations, as it preserves their good international standing without subjecting them to the risk of sanctions. Having outlined the theoretical framework that provides support for the main idea of this work, it is necessary to take a closer look at the issue of exploiting international law’s imperfections in cyber-warfare itself.
2.3.3 Exploitation of Legal Imperfections in Cyber-Warfare
It is hard not to agree with Noam Lubell, when he writes:
If we wish to ensure the relevance of the rules to the twenty-first century, it is vital that they are interpreted in light of modern reality. Proposing new interpretations is not the same as saying the law itself is inadequate to deal with new challenges. [. . .] There should be no doubt that existing law can apply to the cyber sphere, but there must be room for new approaches and interpretations that might differ from the manner in which the same law was read in the past.91 [footnote omitted]
It would be prudent to consider this in the broader context. The prospective cyber-warfare is shifting security of states, which, until recently, has been defined in terms of landscape and distance, towards security that is independent of geography.92 Inter alia, this results in increased feeling of uncertainty and danger, which provokes proliferation of governments’ ways of interpretation and resorting to realistic approaches. What are the opportunities of exploitation, when it comes to legal regulation of cyber-warfare? Mainly, there are possibilities to insist on a favorable interpretation of international norms that are not certain.
This allows governments to prevent their conduct from being definitely qualified as illegal, if it is covered by such an uncertain rule. One can consider an example involving a government that wants to launch cyber-attacks against a foreign state to increase its control over it or to compel it to do (or abstain from doing) a certain act.
91 Noam Lubell, “Lawful Targets in Cyber Operations: Does the Principle of Distinction Apply?” (2013) 89 International Law Studies 270–271. 92 See generally Barry Buzan, Ole Wæver, Jaap de Wilde, Security: A New Framework for Analysis (Lynne Rienner Publishers 1998) 59.
The government will try to match the current factual situation with existing norms that
allow cyber-strikes in self-defense; a proper match makes it easy to explain to their own population and the world in general why these cyber-attacks are launched in the first place and why they are necessary. If the relevant law is not certain or it features a gap, the government will choose the interpretation which helps it argue that international law does permit self-defense under the present conditions. In this case, the opportunity to exploit a norm is used and potential accusations of illegality are sublimated into political and academic discourse about the “right” interpretation of law. If a government views all such possibilities jointly, it may become interested in preserving the legal regime that enables exploiting many imperfect norms, which regulate cyber-warfare. Since states are expected to develop international law in order to fix its imperfections, hindering its development can be considered an inherently malicious plan. Lastly, before concluding this chapter, one should mention an alternative view voiced by Glennon. According to his logic, international law is experiencing stagnation vis-à-vis cyber-warfare because states do not want to “regulate the pursuit of core security interests based upon speculation”93 (emphasis added). Is he right to argue that since “cyber capabilities are concealed, [. . .] relative capability becomes speculative, leaving States without the ability to evaluate beforehand the apparent advantages and disadvantages that new rules might reify”?94 Two things should be pointed out here. First of all, sensing their real intentions, Glennon himself implies that states may not be willing to limit their freedom of waging cyber-warfare.95 Secondly, the main opponent of the SCO proposals to expand the legal framework on cyber-warfare, the United States, launches a significant amount of cyber-attacks itself. 
It was reported that in 2011, three-quarters of these cyber-strikes targeted the most powerful SCO states (China, Russia and SCO observer Iran), revealing a particular political agenda.96 Therefore, Glennon’s alternative view on reasons for international law stagnation, by 2015, seems to be outdated.
93 Glennon (n. 18) 379. 94 Ibid. 95 Ibid. 96 Barton Gellman, Ellen Nakashima, “U.S. Spy Agencies Mounted 231 Offensive Cyber-Operations in 2011, Documents Show” (The Washington Post, 31 August 2013) accessed 1 August 2015.
2.4 Conclusion
The present chapter identified the theoretical perspective that is most adequate for determining how fit current international law is in addressing militarized cyber-attacks. It sets out the starting point of analysis that, when it comes to international law relating to the use of force and warfare, instead of ignoring legal norms, governments may pursue interpretations that suit them best, ensuring that their actions formally stay within the confines of legality. Such interpretations are most easily advanced where international law is imperfect. With the theoretical framework described in this chapter in mind, the present book will identify international law’s deficiencies, gaps and uncertainties. However, before proceeding with examination of substantive international law in Chapters 4–8, it is necessary to provide an accurate overview of the damaging capabilities of cyber-attacks. This is the purpose of the next chapter, which, on the one hand, demonstrates the seriousness of this threat and, on the other, argues that it can be tackled by properly adopting the already-existing instruments of international law.
Chapter 3
Cyber-Threat
3.1 Introduction
The present chapter addresses the nature of the cyber-threat. By looking into hypothetical and real incidents that involve cyber-attacks, it starts to determine whether the consequences suggested by cyber-warfare are so significant as to necessitate a revolution in international law or if the threat and evidence are merely indicative of a need for proactive legal reforms. The chapter is divided into two parts. The first part assesses the damaging capabilities of cyber-attacks, as well as the potential consequences these attacks could have, in order to demonstrate that cyber-strikes represent a serious threat that warrants clarity in international law. This risk-assessment is done with reference to the concept of critical national infrastructure and by providing evidence review of certain objects that may plausibly be targeted by cyber-strikes, if indeed such strikes are not already being effected. The second part provides a review of reported incidents where there is evidence of cyber-attacks having taken place.1 This review begins with life-threatening situations occurring as a result of cyber-strikes, moves on to matters of military importance and concludes with less harmful actions that constitute nuisance for governments, even if they are often perceived as something more serious. Incidents involving designated terrorist organizations are deliberately omitted, as they will be addressed in Chapter 7.
3.2 The Hypothetical Threat
Are cyber-attacks fundamentally extraordinary in the context of military action? What can be seen as the maximum degree of damage that might potentially be achieved in and via cyber-space?
1 Since, nowadays, information about certain cyber-strikes is primarily available in the form of official statements, press releases and news reports, this chapter utilizes these sources. However, mindful of their uncertain journalistic nature, they are treated with a due degree of caution.
As technology is in constant development, understanding the nature and scope of a threat in theory is a necessary first step to assessing the ability of
international law to respond should such a threat become a reality. The concept of critical infrastructure provides a good foundation for beginning this task. Indeed, for some, it may even serve as the basis for equating cyber-strikes with the use of force in jus ad bellum.2 After determining the elements of a state’s essential assets, one can then gauge their vulnerability to cyber-attack.
3.2.1 Special Nature of Cyber-Attacks
The first question that helps determine the level of the threat and that requires attention, considering the focus of the present book, is whether cyber-attacks are fundamentally different from traditional military strikes. In 2009, Graham Todd observed that cyber-strikes, inter alia, can be delivered faster, can have wider effects on a society, require less investment and provide a greater degree of anonymity than conventional forms of attack.3 Although these conclusions may be correct, their importance should not be exaggerated. Indeed, cyber-attacks can be launched over great distances almost with the speed of light,4 yet some of the most serious ones (for instance, Stuxnet) take months to reach their target.5 Production of malware (malicious software)6 can be free or it can be the result of enormous financial investments. Using programs that aim to wreak havoc in any society may simply result in nuisance, and the development of cyber-forensics slowly decreases the chances of remaining anonymous online. Like ordinary military operations, cyber-attacks have the best chances to be effective when they are “based on accurate intelligence” and are “target-specific in their design”.7
2 See further the discussion of target-based approach in sub-chapter 5.2.3. 3 Graham H. Todd, “Armed Attack in Cyberspace: Deterring Asymmetric Warfare with an Asymmetric Definition” (2009) 64 Air Force Law Review 68–69. 4 Richard A. Clarke, Robert Knake, Cyber War: The Next Threat to National Security and What to Do About It (HarperCollins 2010) 30–31; Karlis Podins, Christian Czosseck, “A Vulnerability-Based Model of Cyber Weapons and its Implications for Cyber Conflict” in Eric Filiol, Robert Erra (eds.), Proceedings of the 11th European Conference on Information Warfare and Security (Academic Publishing International 2012) 199–200; Jody M. Prescott, “Direct Participation in Cyber Hostilities: Terms of Reference for Like-Minded States?” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 259. 5 Stuxnet is discussed further in this chapter. 6 A collective term that includes viruses, worms, trojans and logic bombs. A wider spectrum of programs and tactics (“toolkit”) that crackers may use are described in Appendix 1 to this book. 7 Paul A. Walker, “Rethinking Computer Network ‘Attack’: Implications for Law and U.S. Doctrine” (2011) 1(1) American University National Security Law Brief 61.
They cannot result in seizure of land or physical
objects, but they can deny access to virtual cyber-space, as well as infrastructure that sustains it. Cyber-strikes have the potential for surgical precision that allows them to target an opponent’s infrastructure with minimal collateral damage.8 That being said, their effects can also be extremely unpredictable. It can be argued that luck plays a major role in the success of cyber-attacks. For instance, malware often needs to exploit fresh vulnerabilities in the targeted system, and the window of opportunity quickly closes once the flaws become obvious during a cyber-strike or when discovered by the opposing party beforehand.9 Yet, luck is also a critical factor in ordinary military operations or acts of terrorism. Therefore, while cyber-strikes may be a new phenomenon, their capacities vary and they are influenced by classic military factors. At this point, it should be mentioned that scarce evidence of military objects being significantly affected by cyber-attacks (with the exception of few reports related to Conficker and other malware)10 indicates that either these objects are, for the most part, invulnerable or that successful cyber-strikes against their systems are deliberately concealed. In any case, the prospect of total cyber-warfare shifts the attention from pure military-on-military engagement to potential attacks against state infrastructure. Thus, in discussing the hypothetical threat, one should consider state security in a broader context. In other words, it is important to outline which cyber-attacks can be most damaging and which represent the biggest danger to a state as a whole. This can be done with reference to what is called critical infrastructure.
3.2.2 Concept of Critical Infrastructure
The European Union (EU) comprehensively defines critical infrastructure as
[. . .] physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of citizens or the effective functioning of governments.11
8 Duncan B. Hollis, “Why States Need an International Law for Information Operations” (2007) 11(4) Lewis & Clark Law Review 1032. 9 See Podins, Czosseck (n. 4) 200. 10 Discussed further in this chapter. 11 European Commission Communication COM (2004) 702 of 20 October 2004 on Critical Infrastructure Protection in the Fight Against Terrorism 3.
The US12 and the Shanghai Cooperation Organization13 use similar definitions, evaluating the impact of an attack from a national security standpoint. Critical infrastructure should not be confused with conceptually different vulnerable or particularly vulnerable targets mentioned, for instance, in the UN Global Counter-Terrorism Strategy.14 It should also be clearly distinguished from the notion of critical information infrastructure that covers not only computerized systems, but also other, less sophisticated transmitting devices, necessary for the continuous work of critical infrastructure. The exact elements comprising critical infrastructure will no doubt vary from country to country. However, one can outline a common list of industrial and societal sectors that are vital to many technologically advanced states, as reflected in their policy papers.15 These are energy, finance, transport, communications, hazardous materials, emergency services, government, health, water and food. All ten of these sectors are already being targeted by cyber-attackers. When a particular object subjected to cyber-strikes can be realistically grouped under one of these commonly recognized sectors of critical infrastructure, self-defense by the victim-state will be more justifiable in the eyes of the world community (even if there are no casualties).
12 Barack Obama, “Improving Critical Infrastructure Cybersecurity” (Executive Order, The White House 2013) accessed 1 August 2015: “[. . .] systems and assets, [. . .] so vital [. . .] that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters”. See also Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act, Public Law 107–56, 115 Stat 272 (2001) sec 1016(e). 13 Agreement Between the Governments of the Member States of the Shanghai Cooperation Organization on Cooperation in the Field of International Information Security (adopted 2 December 2008, entered into force 16 June 2009) Annex I accessed 1 August 2015: “[P]ublic facilities, systems and institutions attacks on which may cause consequences directly affecting national security” (unofficial translation). 14 UN Global Counter-Terrorism Strategy: Plan of Action, Annex to UNGA Res 60/288 (20 September 2006) UN Doc A/RES/60/288, paras. II-18, III-13. 15 See European Commission (n. 11) 3–4; Assaf Y. Keren, Keren Elazari, “Internet as a Critical Infrastructure—A Framework for the Measurement of Maturity and Awareness in the Cyber Sphere” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 120–122; “The National Infrastructure” (Centre for the Protection of National Infrastructure) accessed 1 August 2015; President’s Commission on Critical Infrastructure Protection, “Protecting America’s Infrastructures” (Report, White House 1997) 3–4.
On the other hand,
unreasonable allocations of objects to these ten sectors and to critical infrastructure in general may result in international disapproval of the belligerent response. Hence, the present sub-chapter focuses on the ten sectors identified above and does not cover more disputable elements, such as national monuments that the US lists as a separate division of its critical infrastructure,16 and which the EU groups under the government sector,17 Norwegian social services and environmental surveillance,18 the US “critical” manufacturing, education or postal services and so on.19
3.2.3 Critical Infrastructure in State Military Exercises
Today, different scenarios are identified by academics as the most dangerous.20 However, the validity of the cyber-threat to state critical infrastructure is also acknowledged through military exercises. This is particularly true in the West, where information about them is publicly available. One example is the famous US training operation Eligible Receiver that, in 1997, emulated a rogue state that avoided open conflict and sought to damage the US information systems instead.21 In addition to causing maximum damage, the team playing the role of the rogue state had to avoid detection and
16 Department of Homeland Security, “Critical Infrastructure Identification, Prioritization, and Protection” (Homeland Security Presidential Directive 7, 17 December 2003) para. 18(6). 17 European Commission (n. 11) 4. 18 Commission for the Protection of Critical Infrastructure, “Protection of Critical Infrastructures and Critical Societal Functions in Norway” (Report to the Ministry of Justice and the Police, Norwegian Government 2006) 5 accessed 1 August 2015. 19 Keren, Elazari (n. 15) 122; US White House, “Fact Sheet: Cybersecurity Legislative Proposal” (Office of the Press Secretary, 12 May 2011) accessed 1 August 2015. 20 See Todd (n. 3) 68 fn. 7; Christopher C. Joyner, Catherine Lotrionte, “Information Warfare as International Coercion: Elements of a Legal Framework” (2001) 12(5) EJIL 836–839; Michael N. Schmitt, Essays on Law and War at the Fault Lines (TMC Asser Press 2012) 9; Dimitrios Delibasis, The Right to National Self-Defence in Information Warfare Operations (Arena Books 2007) 67–70; Daniel M. Creekman, “A Helpless America? An Examination of the Legal Options Available to the United States in Response to Varying Types of Cyber-Attacks from China” (2002) 17(3) American University International Law Review 646. 21 Stephen A. Hildreth, “Cyberwarfare” (Report, Congressional Research Service 2001) CRS-4 accessed 1 August 2015.
prevent the possible US military response.22 It was later stressed that power grids and 911 emergency systems were found to be most vulnerable.23 The 2000 “Black Ice” simulation also reportedly targeted the Supervisory Control and Data Acquisition (SCADA)24 system of the power grid, this time during a theoretical ice-storm.25 It was noted that cyber-attacks managing to shut down electricity for a prolonged period of time would result in degradation of other infrastructure, such as communications or gas industry.26
In the 2000s, other series of cyber-security exercises were reported, undertaken by the US government and some of its allies. These included Cyber Storm (2006) aimed at energy, transportation and communications,27 Cyber Storm II (2008) simulating an attack against “information technology, communications, chemical, and transportation systems”28 and Cyber ShockWave (2010) war games, that, in theory, affected power industry, mobile phone communications and the Wall Street stock exchange.29 Finally, in 2012, reports indicated that official North Atlantic Treaty Organization (NATO) war games encompassed a hostile African country launching cyber-attacks to crash a military aircraft in Hungary and to affect the Alliance’s critical infrastructure.30
Having explored the general concept of critical infrastructure and the growing recognition of its importance in cyber-warfare, one should now consider the prospect of attacks against its individual elements.
22 Ibid. 23 Dorothy E. Denning, “Cyberterrorism” (Testimony Before the Special Oversight Panel on Terrorism Committee on Armed Services, US House of Representatives, 23 May 2000) accessed 1 August 2015. 24 SCADA is a computerized control system that monitors and regulates physical industrial processes. 25 “Utah’s ‘Black Ice’: Cyber-Attack Scenario” (CNN, 21 October 2001) accessed 1 August 2015. 26 Ibid.
27 Patience Wait, “Cyber Storm Exercise Challenged Coordination, Communications” (GCN, 15 September 2006) accessed 1 August 2015. 28 “Cyber Storm 2 Exercise Reveals Security Preparedness” (Computer Weekly, 18 March 2008) accessed 1 August 2015. 29 Ellen Nakashima, “War Game Reveals U.S. Lacks Cyber-Crisis Skills” (The Washington Post, 17 February 2010) accessed 1 August 2015. 30 “Russia Potential Aggressor for NATO” (RIA Novosti, 18 October 2012) accessed 1 August 2015.
3.2.4 Theoretical Attacks and Their Consequences
To facilitate the review of the hypothetical dangers to various sectors of critical infrastructure, this section is divided into three sub-sections.31 The first one tackles elements of critical infrastructure crucial for the well-being of a society, which are most vulnerable to cyber-attacks (energy, finance, transport). The second sub-section deals with threats to societal sectors that appear to be more resistant to cyber-strikes (communication, hazardous materials, emergency services and government). The final sub-section tackles those elements of critical infrastructure that are responsible for sustaining life, but which feature insignificant possibilities of severely harming states themselves by cyber-strikes (health, water, food).
3.2.4.1 Most Vulnerable Sectors
Logic dictates that analysis of hypothetical threats should begin with highly computerized objects that societies rely upon. First among them are those belonging to the energy sector. A number of successful incursions and attacks against the oil and gas industry have already been experienced, making them no longer theoretical. As such, they will be discussed further when assessing reported cyber-strikes. However, electric facilities present a slightly different proposition, which merits examination here. Like other infrastructure, where convenience of remotely managing the facilities is apparent, power stations are connected to each other and to a centralized SCADA system.
The North American Electric Reliability Corporation Network is one such example, which was designed in 1997 to allow “ ‘all’ participants in the electric power industry to communicate”, in order to ensure the safe and reliable flow of commercial activities.32 It has been reported that power plants and electricity grids are frequently targeted by cyber-attacks of various intensity.33 Millions are said to be spent
31 While this section focuses on vulnerabilities, the next sub-chapter will, inter alia, explore methods of malware distribution. 32 Jamal Henry, “Reducing the Threat of State-to-State Cyber Attack against Critical Infrastructure through International Norms and Agreements” (Working Paper, Center for International and Security Studies at Maryland 2010) 5 accessed 1 August 2015. 33 Siobhan Gorman, “Electricity Grid in U.S. Penetrated by Spies” (The Wall Street Journal, 8 April 2009) accessed 1 August 2015.
on cyber-security in an attempt to ensure a high level of protection.34 Notably, according to the US Department of Homeland Security, when malware on a USB device infected an unnamed American power plant in 2013, the plant was shut down for three weeks as a precaution.35
Nonetheless, serious socio-economic consequences could result from malicious control exercised over power stations. The extent of the possible harm upon entry into the power station systems was described in the 2010 Report by the US General Accounting Office. According to this report, the attackers could:
[1)] [D]isrupt the operation of control systems by delaying or blocking the flow of information through control networks, thereby denying availability of the networks to control system operators; [2)] make unauthorized changes to programmed instructions in [. . .] controllers, change alarm thresholds, or issue unauthorized commands to control equipment, which could potentially result in damage to equipment (if tolerances are exceeded), premature shutdown of processes (such as prematurely shutting down transmission lines), or even disabling control equipment; [3)] send false information to control system operators either to disguise unauthorized changes or to initiate inappropriate actions by system operators; [4)] modify the control system software, producing unpredictable results; and [5)] interfere with the operation of safety systems.36
In 2007, researchers reportedly proved that a cyber-attack can cause a power generator to self-destruct,37 and, in 2012, the Obama administration was said to
34 Brian Wingfield, “Power-Grid Cyber Attack Seen Leaving Millions in Dark for Months” (Bloomberg, 1 February 2012) accessed 1 August 2015. 35 See Jim Finkle, “Malicious Virus Shuttered U.S. Power Plant” (Reuters, 16 January 2013) accessed 1 August 2015.
36 “Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems” (Report to Congressional Requesters GAO-04–354, United States General Accounting Office 2004) 15 accessed 1 August 2015. 37 Jeanne Meserve, “Sources: Staged Cyber Attack Reveals Vulnerability in Power Grid” (CNN, 26 September 2007) accessed 1 August 2015.
have held a Senate demonstration of a controlled cyber-attack against the New York City’s power supply.38 Underscoring disastrous effects on other critical infrastructure, some participants allegedly concluded that prolonged lack of electricity in a megalopolis will result in “literally thousands of people dying”.39 Nonetheless, it should be noted that repairing power stations (if they have not been physically damaged) should be a fairly quick process, inter alia, due to the globally existing experience in dealing with recurring blackouts caused by thunderstorms and other disasters. The next vulnerable sector of critical infrastructure that requires attention is transport. Modern cars are equipped with advanced computer systems, which make them susceptible to cyber-strikes. Malware can spread through communication modules, mobile phones, portable MP3 players, navigation systems and other devices meant to automatically connect to vehicle electronics.40 According to reports, it has been proven that such cars can be controlled from outside, without any driver input.41 Among other things, research shows that they can be made to brake and accelerate.42 If successfully executed, such an attack can injure the driver and passengers within the car. Similar problems are likely to arise with the development of the computer-controlled personal rapid transport (podcars). On the macro level, a compromised system responsible for the “smart” ground transport control can result in prolonged traffic jams and, depending on the timing of an attack and weather conditions, vehicle crashes. Not unlike electric power, transport is essential for other types of critical infrastructure. Thus, limitless traffic congestions can lead to food shortages, disruption in its distribution and production, inability to transfer patients between hospitals or to physically reach destinations by the emergency services. Likewise, it can cause problems of hazardous materials transportation. 
Tampering with the subway grid, rail or train controls is capable of causing even more dangerous consequences, as a carefully planned train wreck (for
38 Eric Engleman, Chris Strohm, “Mock Cyber Attack Used to Pitch Senate Legislation” (Pittsburgh Post-Gazette, 9 March 2012) accessed 1 August 2015. 39 Ibid. 40 Hiro Onishi, “Paradigm Change of Vehicle Cyber Security” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 381–382. 41 “Car Hacked on 60 Minutes” (CBS News, 6 February 2015) accessed 1 August 2015. 42 Ibid.
example, when a train is passing over a bridge) can lead to a high number of casualties. Another theoretical scenario includes cyber-attacks causing trains to collide or derail with the purpose of spilling toxic materials in transit.43 Furthermore, a cyber-attack can interfere with the proper work of computerized navigational systems of a ship. The sinking of the Italian cruise ship Costa Concordia in January 2012 demonstrates the disastrous consequences that wrong interpretation of navigational data can bring.
When it comes to transport, the most vulnerable targets are civilian airplanes, followed by helicopters, which attackers might try to crash. Malware infecting computers onboard an aircraft can lead to pilots flying “blind”, which alone increases the overall risk significantly.44 In 2013, it was reported that an application for Android was constructed that allows uploading navigation commands into planes’ “flight management system”.45 Clearly, any malfunction caused by cyber-attacks while in the air almost automatically threatens to result in a large number of injuries and deaths.
Aside from attacking planes directly, cyber-strikes may be launched at the air traffic controls, which play a significant role in ensuring aviation safety. Wrong instructions from these facilities can result in airplanes flying into unsuitable terrain or into each other. Even leaving more direct approaches behind, though
43 See Scott A. Newton, “Can Cyberterrorists Actually Kill People?” (White Paper, SANS Institute 2002) 7–8 accessed 1 August 2015; Jan Kallberg, Rosemary A. Burk, “Cyberdefense as Environmental Protection—The Broader Potential Impact of Failed Defensive Counter Cyber Operations” in Panayotis A. Yannakogeorgos, Adam B. Lowther (eds.), Conflict and Cooperation in Cyberspace: The Challenge to National Security (Taylor & Francis 2014) 271.
Note that, in 2008, a derailment was reported in the Polish city of Lodz, though it turned out to be a result of manipulations with infrared signals and not a cyber-attack—see Graeme Baker, “Schoolboy Hacks into City’s Tram System” (The Telegraph, 11 January 2008) accessed 1 August 2015. 44 Note that more and more systems are being integrated in the contemporary “e-Enabled” airplanes—see Rainer Koelle, Denis Kolev, “Situation Management in Aviation Security—A Graph-Theoretic Approach” in Douglas Hart (ed.), Proceedings of the 8th International Conference on Information Warfare and Security (Academic Publishing International 2013) 126; Stefan A. Kaiser, Oliver Aretz, “Legal Protection of Civil & Military Aviation Against Cyber Infrastructure” in Katharina Ziolkowski (ed.), Peacetime Regime for State Activities in Cyberspace: International Law, International Relations and Diplomacy (NATO CCDCOE 2013) 320. 45 Liat Clark, “Security Consultant Hijacks Plane’s Navigation System with Android App” (Wired, 11 April 2013) accessed 1 August 2015.
air traffic controls may appear to be disconnected from the Internet, according to some commentators, “there are almost always semi-direct connections through routers shared between the control system and business systems that can be exploited”.46
A final (and somewhat unique) type of transport is spacecraft. Wrong programming or injected malware could, in theory, cause the death of an entire crew and the destruction of a craft upon liftoff. Other possible scenarios could include death upon reentry into the atmosphere, or even in outer space. In 2011, it was reported that NASA’s servers still had a lot of vulnerabilities that could be exploited by cyber-attackers.47
Financial structures constitute the last element of critical infrastructure that needs to be mentioned here, due to their potentially high vulnerability to cyber-attacks. Generally, banking, investment and stock exchange remain among the most popular targets for cyber-attackers, because of the possibility of causing financial damage. The actual accumulative losses due to cyber-strikes (including cyber-crime) are already estimated in billions of GBP, EUR or USD.48 However, so far, they have had little effect on the general population and merely limited users from accessing online banking for a few hours. Nevertheless, if attackers can mount a large-scale operation that would cause a widespread economic disruption for a prolonged period of time, it would not only result in massive economic losses for the state, but could also cause unfavorable devaluation of currency. Furthermore, an effective cyber-attack on the data within financial structures, either by denying the population access to their funds or by launching hyperinflation, could result in mass panic and overall deterioration of social order.
46 Adrian Addison, “Airliners Fly in Face of Cyber Attack Scares” (PhysOrg, 3 November 2010) accessed 1 August 2015. 47 Gabriel Perna, “Report: NASA Vulnerable to Crippling Cyber Attacks” (International Business Times, 29 March 2011) accessed 1 August 2015. 48 Center for Strategic and International Studies, “The Economic Impact of Cybercrime and Cyber Espionage” (Report, McAfee 2013) 3 accessed 1 August 2015. See also UK Cabinet Office, “The Cost of Cybercrime” (Report, Detica 2011) 2 accessed 1 August 2015.
3.2.4.2 Moderately Vulnerable Sectors
The next four sectors under review are those that promise more resilience, but which, nonetheless, remain considerably vulnerable to cyber-attacks. These are communications, hazardous materials, emergency services and government.
It makes sense to begin analysis with satellites that have, so far (at least publicly), avoided any damage from cyber-attacks, yet remain vulnerable state assets, used for reconnaissance and communications.49 Unlike industrial computers, which are connected to SCADA for convenience purposes, such connections are the only way to maintain control over satellites in outer space. Their security systems are less frequently updated, and moreover, many of them share software and have identical flaws, making them vulnerable.50 On at least four occasions, in 2007–2008, American satellites were allegedly “interfered” with, which perhaps indicates that crackers are attempting to gain access to artificial space bodies.51 Aside from the more obvious space-espionage, satellites can be “hijacked” in order to collide them against other objects or debris, causing direct financial and social damage to a state.52 In comparison with other cyber-strikes, due to the physical isolation of space objects, such cyber-attacks would leave little in terms of usable forensic evidence.53
A more popular target is communication systems (including email servers) used by the military. In fact, such systems can be expected to be targeted in almost all serious armed conflicts. Therefore, it is important to highlight that cyber-attacks against such infrastructure can also occur during wars.
In the 21st century, the US adopted the concept of “Virtual Battlefield”, which ensures unified command and control of troops, vehicles, surveillance
49 Nasser Abouzakhar, “Critical Infrastructure Cybersecurity: A Review of Recent Threats and Violations” in Rauno Kuusisto, Erkki Kurkinen (eds.), Proceedings of the 12th European Conference on Information Warfare and Security (Academic Publishing International 2013) 6. 50 Jan Kallberg, “Designer Satellite Collisions from Covert Cyber War” (2012) 6(1) Strategic Studies Quarterly 130. 51 See Tony Capaccio, Jeff Bliss, “Chinese Military Suspected in Hacker Attacks on U.S. Satellites” (Bloomberg, 27 October 2011) accessed 1 August 2015. Note also that already in 1997, a Chinese cracker claimed that he “neutralized” a satellite of the PRC—see Kevin Curran, Kevin Concannon, Sean McKeever, “Cyber Terrorism Attacks” in Lech J. Janczewski, Andrew M. Colarik (eds.), Cyber Warfare and Cyber Terrorism (IGI Global 2008) 3. 52 Kallberg (n. 50) 130, 132. 53 Ibid., 131.
equipment, unmanned aerial vehicles (UAVs) and other available weapon systems.54 This is a step forward from the 1997 “American Ring of Fire” concept that allowed the US Naval Force commanders to observe the battlefield in 3D real-time view and to make decisions accordingly.55 As it maximizes effectiveness of overall battle control and facilitates message exchange between different forces, custom virtual battlefields are likely to be adopted by other nations as well (for instance, China or Russia).
The presence of such technology provides an opportunity for opponents to undermine military effort and disrupt military communications through cyber-attacks. As noted by Simon Finch, American and British “battlefield systems are Internet-connected, since that’s the easiest way to mesh them together”, although other channels also remain open to the attackers.56 A successful cyber-strike against a “Virtual Battlefield” not only would increase the risk of military losses, but could also pose a significant risk to civilians, in case the army is tricked into opening fire upon them. Furthermore, it can be argued that attackers could reprogram military robots to target civilian objects.57 Finally, tampering with the early-warning and missile launch systems can result in real world damage, not excluding nuclear war.58
When discussing hazardous materials, it should be noted that some chemical and bacteriological laboratories, as well as other institutions can be equipped with computers meant to monitor safety. As such, these computers may be subject to cyber-attacks, threatening to release toxic agents into the environment. Drawing attention to the 1984 Bhopal disaster, which injured more than 200,000 people with methyl isocyanate and other chemicals, one researcher
54 Delibasis, The Right to National Self-Defence (n. 20) 36.
See generally Håkan Gunneriusson, Rain Ottis, “Cyberspace from the Hybrid Threat Perspective” in Rauno Kuusisto, Erkki Kurkinen (eds.), Proceedings of the 12th European Conference on Information Warfare and Security (Academic Publishing International 2013) 101; Anssi Kärkkäinen, “Improving Cyber Defence of Tactical Networks by Using Cognitive Service Configuration” in Rauno Kuusisto, Erkki Kurkinen (eds.), Proceedings of the 12th European Conference on Information Warfare and Security (Academic Publishing International 2013) 136, 138. 55 Delibasis, The Right to National Self-Defence (n. 20) 42. 56 See Simon Finch, “Cyber-Terrorism Poses a Serious Threat to Global Security” in Louise I. Gerdes (ed.), Cyber Crime (Greenhaven Press 2009) 37. 57 See Phillip W. Brunst, “Use of the Internet by Terrorists—A Threat Analysis” in NATO Centre of Excellence Defence Against Terrorism (ed.), Responses to Cyber Terrorism (IOS Press 2008) 44. 58 See generally ibid.
notes that governmental and environmental agencies freely distribute information on industrial targets that contain poisonous elements, making target choice easy for cyber-attackers.59
Like their traditional analogues, atomic power plants are also connected to their respective SCADA systems, so there is no point in reiterating the way cyber-attacks can materialize and cause damage. Nuclear facilities may prove to be a more appealing target for cyber-attackers, due to the possibility of localized nuclear meltdown, which can have significant economic, social and political effects on the targeted state. Objectively, uncontrolled nuclear energy together with ionizing radiation remain extremely hazardous and capable of causing “unspeakable sickness followed by painful death, affect[ing] the genetic code, damage[ing] the unborn and render[ing] the Earth uninhabitable”.60 A cyber-strike that manages to cause a long-lasting catastrophic failure of a nuclear power plant will inevitably affect “health, agricultural and dairy produce and the demography” of thousands.61
Another sector of critical infrastructure susceptible to cyber-attacks is emergency services; it was reported that emergency service numbers have been made unreachable through cyber-attacks at least once in Estonia.62 However, the disruption was too brief to classify it as a real threat. Generally, emergency numbers are not always reachable on first demand, especially during periods of heightened risk (for example, New Year’s Eve). Nevertheless, the possibility of cyber-attacks directly interfering with the telephone exchanges, meant to make calling emergency numbers difficult, persists. For obvious reasons, prolonged disruption can become dangerous, especially when accompanied by disasters, wars or acts of terrorism. Additionally, police cars, fire engines, and ambulances can be slowed down and diverted from their intended destination by tampering with their navigational (for instance, GPS) systems.
59 Newton (n. 43) 8. 60 Dissenting Opinion of Judge Shahabuddeen in Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep 382. 61 Dissenting Opinion of Judge Weeramantry in Nuclear Weapons Case (n. 60) 464. See also Nuclear Weapons Case (n. 60) para. 35. 62 See “Newly Nasty: Defences Against Cyberwarfare is Still Rudimentary. That’s Scary” (The Economist, 24 May 2007) accessed 1 August 2015. See further the discussion of the 2007 cyber-attacks on Estonia in sub-chapter 3.3.3.5.
Cyber-strikes against the last moderately vulnerable sector of critical infrastructure, government, represent an ambiguous threat, since there is no clear list of assets that belong thereto.63 Out of the more serious theoretical scenarios, one could mention the deletion of prison and immigration databases, tampering with the automatic person identification hardware, the “No Fly” lists or the electronic elections software.64 That being said, compared to other possible cyber-attacks, cyber-strikes targeting the governmental sector will more likely result in harmless and rectifiable consequences.
3.2.4.3 Least Vulnerable Sectors
Nowadays, three sectors of critical infrastructure—health, water and food—represent the lowest level of concern to states, since, at the moment, these sectors minimally rely on computer technology. This does not mean that the cyber-threat level will not rise in case of further computerization. Neither does it mean that, currently, no danger exists at all, especially taking into account the lethal potential that cyber-attacks could have, when targeted against some already-computerized objects.
In the context of medical facilities, academics have noted that altering pharmaceutical formulas, tampering with laboratories (for instance, jeopardizing cures, vaccines and health research in general) or even ordinary medical data (for example, mixing up results of analysis or annulling health insurance) can pose a real risk to populations’ health.65 Similar dangers could arise as a result of interfering with computers of blood supply facilities, leading to incorrect transfusions.66 Aside from direct danger to life, such cyber-attacks can subject civilian population to suffering, from mental distress in case of a false positive to physical anguish of incorrect treatment. A more direct approach, suggested by
63 Note that in this sub-section (unlike the book generally) the word “government” is used to refer to a general system of state administration rather than to those people, who rule the state. 64 See generally Delibasis, The Right to National Self-Defence (n. 20) 68–69. Note that Estonian citizens can take part in regional and national elections using their identity cards at any time, from anywhere in the world. This leads to the possibility of influencing the election results, e.g., by using trojans that masquerade as legitimate voting software. 65 Angela Clem, Sagar Galwankar, George Buck, “Health Implications of Cyber-Terrorism” (2003) 18(3) Prehospital and Disaster Medicine 273–274. See generally Anna W. Mathews, “Anthem: Hacked Database Included 78.8 Million People” (The Wall Street Journal, 24 February 2015) accessed 1 August 2015. 66 See Joyner, Lotrionte (n. 20) 850.
Dimitrios Delibasis, would be attacking a computerized hospital, where life-support systems and medicine administration are controlled by computers.67 Cyber-attacks against medical devices, such as wireless pacemakers, prosthetic limbs and other implants that exchange data with hospitals represent another direct threat, as tampering with their programming could cause loss of life.68 For instance, in 2012, a researcher demonstrated that it is possible to wirelessly “deliver a deadly, 830-volt shock” to a pacemaker, using a laptop.69 This opens up a new possibility of cyber-assassinations, where high-ranking officials, who undergo medical treatment or rely on life-supporting devices, can be targeted.70
When discussing the next sector of critical infrastructure, water, it should be noted that computerized systems in the drinking supply networks are sometimes expected to perform routine tasks such as filtering water and monitoring its quality. For that reason, some utility companies in technologically advanced states use computerized maintenance management and are connected to a SCADA system (inter alia, via wireless devices and the Internet),71 which creates dangerous interconnectedness that allows malware to propagate.
Cyber-strikes that manage to disturb general water distribution can cause some industrial and financial damage. However, computerized drinking water supplies themselves make an obvious target for cyber-attackers, since they can be seen as essential to human survival and disruption of drinking water is capable of causing suffering through dehydration.72 In more extreme cases,
67 Delibasis, The Right to National Self-Defence (n. 20) 68. 68 See generally Abouzakhar (n. 49) 5. 69 Jeremy Kirk, “Pacemaker Hack Can Deliver Deadly 830-Volt Jolt” (Computer World, 17 October 2013) accessed 1 August 2015. 70 On a side note, it should be mentioned that while the probability of this is low, arson can, in theory, also be committed as a result of cyber-attacks.
In a noteworthy experiment of 2011, cyber-security expert Charlie Miller has proven that malware can permanently damage Apple’s laptop battery cells—an act, which hypothetically is capable of starting a fire on its own—see generally John E. Dunn, “Apple Battery Firmware Open to Attack, Researcher Finds” (Techworld, 25 July 2011) accessed 1 August 2015. 71 See Cristina Alcaraz, Gerardo Fernandez, Fernando Carvajal, “Security Aspects of SCADA and DCS Environments” in Javier Lopez, Roberto Setola, Stephen Wolthusen (eds.), Critical Infrastructure Protection: Advances in Critical Infrastructure Protection: Information Infrastructure Models, Analysis, and Defense (Springer 2012) 121. 72 It is known that humans can only survive 2–10 days without drinking water, depending on the outside temperature. Though big cities have a lot of liquid drinks that can replace tap water (from bottled water to Coca-Cola), these will eventually run out.
attackers can try to tamper with the filtering systems in order to pollute a drinking supply or to infect it.73
Dams are other water facilities believed to hold substantial destructive potential if subjected to successful cyber-attacks. So far, only a few insignificant breaches have been reported.74 However, as dams are increasingly connected to SCADA systems and technical details become widely known, the chances of cyber-strikes increase.75 Disconnection from the Internet (for example, reportedly practiced as a precaution at the Hoover Dam),76 does not necessarily save dams from attacks, as malware can also traverse by removable devices, and critical infrastructure generally remains vulnerable to insider threats.
Should one also attribute life-threatening potential to such attacks? Malfunctioning torrent controls caused by cyber-strikes could, in theory, flood the surrounding areas, causing widespread physical destruction. Phillip Brunst recalls the Banqiao and Shimantan flood of 1975 in China that resulted in thousands of casualties and concludes that “a deliberate opening of the floodgates could put hundreds or even thousands of people at risk”.77 Similar concerns were recently raised again by Jan Kallberg and Rosemary Burk.78 In reality, unlike the 1975 disaster that was caused by excessive rain, cyber-attacks can only result in slow and steady flow of water, due to the design of the dam itself. As rightly observed by Scott Newton, “floodwaters would take hours, and in some cases days, to accumulate”, leaving “residents plenty of time to
73 A possibility envisioned in Michael N. Schmitt and others, Tallinn Manual on the International Law Applicable to Cyber Warfare (CUP 2013) R13C10. 74 E.g., in the Salt River Project in 1994—see Michael E. Kabay, “Attacks on Power Systems: Hackers, Malware” (Network World, 13 September 2010) accessed 1 August 2015. 75 World Federation of Scientists Permanent Monitoring Panel on Information Security, “Toward a Universal Order of Cyberspace: Managing Threats from Cybercrime to Cyberwar” (Report & Recommendations, WSIS-03/GENEVA/CONTR/6-E, ITU 19 November 2003) 10. 76 David Kravets, “No, Hackers Can’t Open Hoover Dam Floodgates” (Wired, 3 February 2011) accessed 1 August 2015. 77 Phillip W. Brunst, “Terrorism and the Internet: New Threats Posed by Cyberterrorism and Terrorist Use of the Internet” in Marianne Wade, Almir Maljević (eds.), A War on Terror? The European Stance on a New Threat, Changing Laws and Human Rights Implications (Springer 2010) 66. 78 Kallberg, Burk (n. 43) 270–271.
evacuate to higher ground”.79 On the other hand, if a cyber-strike causes internal damage at a facility, for example, mirroring the 2009 turbine’s mechanical failure and subsequent explosion at the Sayano-Shushenskaya hydroelectric power plant, it could create a real risk for its personnel.
Last, and presently the least computerized critical infrastructure sector is food. It should be said that some experts believe that certain types of food can be poisoned by a cyber-attack. So, in 1997, Barry Collin suggested a scenario, where attackers “remotely access the processing control systems of a cereal manufacturer, change the levels of iron supplement, and sicken and kill the children of a nation as they eat their food”.80 An even more atrocious scenario envisioned by Collin included altering the infant formula.81 In spite of being significantly less probable than attacks against other critical infrastructure, if successful, cyber-strikes jeopardizing safety of food preparation and processing (or storage)82 may take longer time before they are discovered. In addition, according to Delibasis, since food manufacturing plants often take alarmingly little precautions against cyber-strikes, not only do they seem susceptible to them, but it can also make covering tracks easier for the attackers.83
3.3 Reported Cyber-Incidents
Having discussed the theoretical risks that the development of information technology brought into the international arena, one now needs to enquire to what extent they have already materialized. This is the next step in understanding whether international law generally is prepared to meet cyber-threats. The following sections are arranged in order of severity of consequences: life-threatening attacks are identified first, followed by reported security threats and disturbances online.
79 Newton (n. 43) 9. 80 Barry Collin, “The Future of Cyberterrorism” (1997) 13(2) Crime & Justice International accessed 1 August 2015. 81 Ibid. 82 This scenario is suggested in the Tallinn Manual (n. 73) R45C4. 83 Delibasis, The Right to National Self-Defence (n. 20) 69.
3.3.1 Life-Threatening Attacks
The very first reported life-threatening cyber-attack in 1982 is attributed to the CIA that made the KGB steal sabotaged chip schematics and software.84 The chips were said to be deliberately designed to pass “Soviet quality tests and then to fail in operation”, while the software itself apparently represented a trojan programmed “to reset pump speeds and valve settings to produce pressures far beyond those acceptable”, thus causing a three-kiloton explosion.85 Though these claims were later contested by ex-KGB agents,86 the exact explosion time was recorded by the North American Aerospace Defense Command (NORAD).87 There were no reported victims in the Siberian-pipeline incident, although that could have been mainly due to the blast’s remote location.88 A three-kiloton explosion is, in rough comparison, one-fifth of the nuclear blast in Hiroshima, so, if the incident did occur, the destructive potential of cyber-attacks is clear.89 To further support this, one may recall the Nigerian pipeline explosion in 2006 that reportedly killed at least 260 people.90
Another potentially lethal case involved unauthorized access at a US research station in Antarctica. According to the FBI, in the Antarctic winter of 2003, Romanian crackers breached a computer network, inter alia, responsible for the well-being and medical support of 58 scientists and contractors.91 One should mention that although the same station’s radio telescope was compromised just months earlier, it did not pose the same level of danger.92
84 William Safire, “The Farewell Dossier” (The New York Times, 2 February 2004) accessed 1 August 2015. 85 Ibid. 86 Anatoly Medetsky, “KGB Veteran Denies CIA Caused ‘82 Blast” (The Moscow Times, 18 March 2004) accessed 1 August 2015. The incident is also disputed, e.g., in Thomas Rid, Cyber War Will Not Take Place (Hurst & Co. 2013) 5. 87 Safire (n. 84). 88 Ibid. 89 “Little Boy” bomb amounted to 15 kiloton—see Yousaf M. Butt, “The EMP Threat: Fact, Fiction, and Response” (Space Review, 2010) accessed 1 August 2015. 90 “Nigerian Pipeline Blast Spurs UN Call for Fuel Management Review” (International Business Times, 29 December 2006) accessed 1 August 2015. 91 “The Case of the Hacked South Pole” (FBI, 18 July 2003) accessed 1 August 2015. 92 Kevin Poulsen, “South Pole ‘Cyberterrorist’ Hack Wasn’t the First” (The Register, 19 August 2004) accessed 1 August 2015.
Probably the most famous cyber-attack to date employed the Stuxnet worm and aimed at crippling the Iranian nuclear program.93 It involved a small-degree health hazard as well, worth mentioning here. Though it was not the first time security at a nuclear facility was compromised (in 2003, the Slammer worm reportedly infiltrated safety monitoring systems of a nuclear power station in Ohio),94 the scope and complexity of Stuxnet were unprecedented.
Stuxnet was activated in 2009, leading to a series of technical problems at the Bushehr nuclear power plant, followed by reports of an accident at the Natanz nuclear enrichment facility.95 In 2010, President Mahmoud Ahmadinejad admitted that a cyber-attack had damaged the Iranian enrichment centrifuges.96 Using a combination of mostly non-Internet-based methods to propagate, making use of the four zero-day (previously unknown vulnerability) exploits and stolen Siemens credentials, Stuxnet slowly made its way to its primary target, the Natanz facility.97 Sean Watts suggests that it may have also been monitored, updated and controlled throughout the attack—a difficult prospect, due to the lack of the Internet at the facilities, though not impossible.98 Stuxnet “altered the frequency of the electrical current that powers the centrifuges, causing them to switch back and forth between high and low speeds
93 Note that Stuxnet was in development since 2005—see Geoff McDonald and others, “Stuxnet 0.5: The Missing Link” (White Paper, Symantec Security Response 2013) accessed 1 August 2015. 94 Kevin Poulsen, “Slammer Worm Crashed Ohio Nuke Plant Network” (Security Focus, 19 August 2003) accessed 1 August 2015. This incident lasted only a few hours and did not represent a serious danger, since the infected plant was partially offline and the back-up systems were not affected. 95 Kim Zetter, “Blockbuster Worm Aimed for Infrastructure, But No Proof Iran Nukes Were Target” (Wired, 23 September 2010) accessed 1 August 2015; David E. Sanger, “Iran Fights Malware Attacking Computers” (The New York Times, 25 September 2010) accessed 1 August 2015. 96 Christopher Williams, “Iran Admits Cyberattack Hit Nuke Programme” (The Register, 29 November 2010) accessed 1 August 2015. 97 James P. Farwell, Rafal Rohozinski, “Stuxnet and the Future of Cyber War” (2011) 53(1) Survival 24; Nicolas Falliere, Liam O Murchu, Eric Chien, “W32.Stuxnet Dossier” (Paper, Symantec Security Response 2011) accessed 1 August 2015. 98 Sean Watts, “The Notion of Combatancy in Cyber Warfare” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 244.
at intervals for which the machines were not designed”,99 thereby using vibrations and distortions to destroy the devices in the process.100 Centrifuges for nuclear enrichment are extremely fragile, usually work in a vacuum, and in a separate room, therefore, Iranian scientists were not injured. However, since they are handling nuclear materials (in this case, uranium) and gasses, even minor destruction increases the risk of personnel’s contamination. The 2009–2010 incident had serious political ramifications (inter alia, for the future development of international law). On the micro-level, it is estimated that the attack set back the Iranian nuclear program at least one year.101 On the macro-level, according to Dorothy Denning, Stuxnet likely catalyzed the development of new cyber-weapons and was the “forbearer” of upcoming cyber-warfare.102 In 2012, it was revealed that the US and Israel created Stuxnet deliberately to undermine Iran in what is now known as Operation Olympic Games.103 The same year the UK government also reportedly admitted that it had launched cyber-attacks to cause disruption at the Iranian facilities.104
99 Ibid. 100 David Albright, Paul Brannan, Christina Walrond, “Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant?” (Report, Institute for Science and International Security, 22 December 2010) 6 accessed 1 August 2015; Robert Fanelli, Gregory Conti, “A Methodology for Cyber Operations Targeting and Control of Collateral Damage in the Context of Lawful Armed Conflict” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 328. 101 David E. Sanger, “America’s Deadly Dynamics With Iran” (The New York Times, 5 November 2011) accessed 1 August 2015. However, note that generally Stuxnet did not dissuade Iran from pursuing its nuclear program—see Emilio Iasiello, “Cyber Attack: A Dull Tool to Shape Foreign Policy” in Karlis Podins, Jan Stinissen, Markus Maybaum (eds.), 2013 5th International Conference on Cyber Conflict (NATO CCDCOE 2013) 459. 102 Dorothy E. Denning, “Stuxnet: What Has Changed?” (2012) 4(3) Future Internet 684. 103 David E. Sanger, “Obama Order Sped Up Wave of Cyberattacks Against Iran” (The New York Times, 1 June 2012) accessed 1 August 2015. See also “Snowden Confirms NSA Created Stuxnet with Israeli Aid” (RT, 11 July 2013) accessed 1 August 2015. 104 “UK Admits to Cyber Attack on Iran” (PressTV, 19 July 2012) accessed 1 August 2015.
3.3.2 Security Threat
3.3.2.1 Gaining Access as a Potential Threat to Military Operations
Information is power that increases chances of success in war. Cyber-espionage alone does not represent a cyber-attack for the purposes of this book. Nevertheless, it is worth mentioning the most important cases of gaining access to military computer systems and data, as they can constitute preparatory steps for damaging attacks. The following examples give a good overview of targets and show how far attackers can proceed in case they decide to deliberately sabotage military operations.
Like many attacks today, the earliest intrusions into military systems were motivated by financial gain. This was the case when Marcus Hess was accused of obtaining information from hundreds of the US military computers and selling it to the KGB in 1987,105 and when a group of Dutch crackers purportedly stole data relating to the Gulf War and offered it to Iraq in 1991.106 In 1994, two young crackers from the UK and Israel accessed one of the US Rome Air Development Center (a research and development laboratory) networks and installed a sniffer that collected sensitive information.107 The facility, at the time, contained research on “artificial intelligence, radar guidance systems, target detection and tracking systems”.108 Nart Villeneuve points out that the system could be easily infiltrated in 1994, due to the total lack of security precautions at the Rome Labs (for instance, employees used common words for passwords).109 On a side note, it should be said that, while one may think that these are mistakes of the past, in 2012, crackers reportedly broke into an email account of the Syrian President Bashar al-Assad just because his password was “1234”.110
105 Stanley H. Kremen, “Apprehending The Computer Hacker: The Collection and Use of Evidence” (1998) 2(1) Computer Forensics Online accessed 1 August 2015. 106 Maura Conway, “Cyberterrorism: Hype and Reality” in Leigh Armistead, Information Warfare: Separating Hype from Reality (Potomac Books 2007) 83. 107 US Senate Permanent Subcommittee on Investigations, “Security in Cyberspace” (Appendix B, Federation of American Scientists, 5 June 1996) accessed 1 August 2015. 108 Ibid. 109 Nart Villeneuve, “Cyberterrorism: A Critical Perspective” (University of Toronto) accessed 1 August 2015. 110 Betsy Isaacson, “Hackers Reveal How They Accessed Syrian President Bashar Assad’s Email Using World’s Worst Password” (The Huffington Post, 7 September 2012) accessed 1 August 2015. 111 US Department of Justice, “Argentine Computer Hacker Agrees to Waive Extradition and Returns to Plead Guilty to Felony Charges in Boston” (Press Release, 19 May 1998) accessed 1 August 2015. 112 David C. Are, “When Does a ‘Hacker’ Become an ‘Attacker’?” (Monograph, School of Advanced Military Studies 1998) 31. 113 Bradley Graham, “U.S. Studies a New Threat: Cyber Attack” (Washington Post, 24 May 1998) accessed 1 August 2015. 114 Joyner, Lotrionte (n. 20) 839–840. 115 Jason Barkham, “Information Warfare and International Law on the Use of Force” (2001) 34(1) NYU Journal of International Law and Politics 68. 116 Are (n. 112) 32. 117 Joyner, Lotrionte (n. 20) 840. 118 Ibid., 840–841. 119 Bob Drogin, “Yearlong Hacker Attack Nets Sensitive U.S. Data” (Los Angeles Times, 7 October 1999) accessed 1 August 2015.
The last three years saw the discovery of sophisticated automated programs meant for targeted espionage, likely written with the involvement of the military. It was reported that one such program, the Red October (2012), collected information in multiple ways about governmental, diplomatic and research organizations around the world.120 Stars (2011)121 and Mahdi (2012)122 appear to be malware written to specifically collect information about targets in Iran. Duqu (2011), Flame (2012) and Gauss (2012) are other notable malicious programs aimed at the Islamic Republic and other Middle Eastern states. Combining many approaches into one, in 2012, they “intercepted passwords, tracked key presses, recorded sound from an in-built microphone, took screenshots, gathered information on processed files and analyzed network traffic”,123 encrypting information and sending it to an external server afterwards.124 While Duqu, Flame and Gauss are closely related to Stuxnet, only Duqu is believed to be able to unleash similar destructive potential.125
3.3.2.2 Cyber-Interference in Real Military Operations
If computerized systems are interfered with during a time of war, it can represent a direct danger to the success of the military operations.
120 Muthoki Mumo, “Kenya Falls Victim to Cyber Attack” (Daily Nation, 16 January 2013) accessed 1 August 2015; Charlie Osborne, “‘Red October’ Malware Spies on Governments Worldwide” (CNET, 14 January 2013) accessed 1 August 2015. 121 “Iran ‘Uncovers Stars Espionage Virus’ ” (BBC News, 25 April 2011) accessed 1 August 2015. 122 Kim Zetter, “Mahdi, the Messiah, Found Infecting Systems in Iran, Israel” (Wired, 17 July 2012) accessed 1 August 2015. 123 Konstantin Bogdanov, “Cyber Arms Race Could Change the World Around Us” (RIA Novosti, 26 June 2012)