The US Cyber Command announced its first task; combating ISIS. It is perhaps likely that the military had been conducting intelligence operations to collect as much information as possible about the group, helping to develop a sound battlefield picture. Except, unlike traditional warfare, this operation will be carried out within a relatively new domain, that is the internet. Hence, the dawn of cyber warfare has arrived.
The emergence of this relatively new kind of combat comes with a clumsy entrance. Currently, there does not exist a set of universally excepted rules or laws around cyber warfare. Added to this, conducting cyber attacks is fairly straightforward. Anybody with a PC and access to the internet, along with a certain level of knowledge and skills in computer coding, can be involved in the many cyber battles which take place every day. Also, there are many distinct differences between cyber warfare and traditional warfare that further complicate the matter. But this may very well be the future that the world will have to cope with, and so dealing with the unparalleled complexities will be critical
Attack, Attack, Attack!
There has always been certain principles and customs of which armed conflict has been subject to. International Humanitarian Law (IHL) is a legal framework which provides just that. It helps to ensure that non-participants in armed conflict are protected from the effects or war, as well as restricting certain methods and means of warfare. There are other agreements or treaties which aim to lay out similar rules, such as the 1993 Chemical Weapons Convention. Overall, however, there are certain limitations and rules that must be followed if countries are bound by such legalities.
Applying these laws to cyberspace is not all that simple. To begin with, IHL aims to regulate acts of armed conflict between two or more States. But in the context of cyber, exactly what constitutes an armed attack remains unclear. Heather Harrison Dinniss, a Senior Lecturer at the International Law Centre of the Swedish Defence University, says that there is, to an extent, broad agreement on the definition of an attack in the digital world. Many countries agree that where death, physical injury or damage to property takes place, this sufficiently constitutes an attack. Equally, IHL focuses on the idea of ‘physical consequences’ when determining what can be classed as an attack. Under these classifications, non-physical means of psychological or economic warfare escape the definition of an attack under IHL. Thus, some cyber operations may not necessarily be classed as a type of attack.
Cyber attacks penetrating the computer systems of critical infrastructure may, however, constitute as an attack. The potential for physical injury or property damage to take place as a result of such an act would label such cyber operations as an attack under IHL. This could be applied to a cyber attack suffered by Ukrainian power stations in December when around 80,000 people temporarily lost access to electricity. This attack may therefore be classed as an attack in the context of IHL. But even so, such attacks rarely take place since there are such high stakes for the attacker.
It is the more low-level attacks which are more tricky. For example, for attacks that involve the wiping of a machine’s memory, but where no physical harm occurs, IHL’s interpretation of an attack may not necessarily apply. In 2012, the world’s biggest oil company, Saudi Aramco, suffered a cyber attack which resulted in the memory of 30,000 workstations being wiped. However, no machines were actually damaged nor were any other property, but the computers operating in the facility were not functional for around a week. With IHL’s definition of an attack, this would not be classed as such, even though it did cause some kind of damage. With other international bodies too, such as the UN or NATO, cyber attacks often fall below the threshold of international armed conflict.
Cyber attacks on computer systems controlling critical infrastructure, like the one suffered by Ukraine, is possible, but may be rarer. Such attacks require a great degree of skill and intelligence of which most people do not have. However, some countries have invested lots of resources and money into bolstering their cyber capabilities to conduct a range of these lower-level attacks. In June 2015, the US Office of Personal Management was subject to data breach resulting in the data of millions of US government employees being leaked. The Justice Department blamed China, based on the knowledge of security experts who studied the nature of the attack and concluded that it most likely did come from China. According to numerous reports at the time, as a result of the data leak, the CIA swiftly pulled spies out of China fearing that their identities may be known to Chinese authorities. Later that year, US President Barack Obama met with Chinese President Xi Jing Ping to ease tensions between the two countries. The US, too, has been known to conduct numerous cyber attacks on China and other nations; Stuxnet provides as an example.
Even though no computers were physically damaged as a result of the attack, there was certainly other kinds of damage which came about. However, under IHL or other laws regulating armed conflict and, this still fell below the threshold. Yet, even if lawyers and politicians apply cyber attacks to such frameworks, there remains other complexities to also consider.
Drawing the Line
When a country has been attacked, its military will then devise and then execute an appropriate response to that attack while keeping within the limits of international law. Proportionality is, therefore, a key concept of warfare. The idea here is that any retaliation from a country to an attack should be proportional, and not excessive, to the military advantage obtained by the initial attacker. The advent of cyber warfare, however, highlights another legal problem; proportionality and rules of engagement in cyberspace.
Defending against attacks involves developing a good deterrence strategy. This is when nation states devise ways to ensure that discourages other states from attacking or acting aggressively towards them. There are two types of deterrence. The first type aims to focus on deterring specific countries. For instance, the US claims that the devastating attacks on Sony Pictures Entertainment came from North Korea. As a result, the US, based on this claim, may devise strategies or policies which discourage North Korea from attacking the US again in the future. The second type of deterrence is much broader. The US could also choose to devise strategies or policies which aim to discourage any country from attacking or acting aggressively towards the US.
In cyber, there currently does not exist a threat that can deter online actors from attacking others parties in cyberspace. Consequently, numerous cyber attacks take place on the internet every second. Implementing any sort of control or standards, therefore, is extremely difficult. Furthermore, computers and internet connection continue to become more accessible for more people every year. Microsoft reckons that 4.7 billion people will be online by 2025. Many of these users can be potential adversaries which nation states will have to cope with. Attacks may come from all angles, in different forms and with different impacts. All of these probable factors makes it quite difficult to deter adversaries from attacking networks and computer systems, compromising data and causing digital destruction.
Another problem is that countries are generally very unwilling to reveal their cyber capabilities publicly. To say that transparency in cyber warfare is rare is an understatement; in reality, it’s essentially non-existent. Whether it be Stuxnet, the attack on Sony or “Red October” virus discovered in 2012, no countries own up to their actions. It is also difficult to trace back to where an attack originated from; more sophisticated attackers will often cover their tracks by leaving a trail leading to other computers as opposed to their own.
Amending On the Go
There has been some progress made in recent times. In 2013 and 2015, a UN GGE (Group of Governmental Experts) published reports revealing that some consensus had been reached on how international law could be applied to cyberspace. Additionally, the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in 2009 came up with the Tallinn Manual, a document produced by international law scholars and practitioners, also lays out possible frameworks to regulate cyber warfare and how current international legal frameworks could be applied. But nothing yet is binding, meaning that cyber warfare is still a step into the unknown.