Cyber Warfare (11 page)

If future attacks resulted in death as a consequence of an attack on the power grid, the responsible civilians could face physical attacks. This could potentially include the kind of drone death strikes the Obama administration has used liberally throughout the world.

Might the U.S. be allowed to initiate counter cyber attacks against China?

The U.S. government has increasingly accused China of sweeping government-endorsed hacking and intellectual property theft. President Obama recently threatened economic
consequences
if the cyber intrusions continue. The Tallinn Manual would address the Chinese use of cyber attacks in rule seven. Rule seven states when there is insufficient evidence of a suspected attack originating from a government network, a victim state may attribute the operation to that state where there is an indication that the state in question is associated with the operation.

This could be significant, as some attacks have reportedly been traced back to Chinese military networks. The new guidelines make it clear that the U.S. Department of Defense's USCYBERCOM could also respond in kind with counterattacks, as the guidelines state that cyber attacks on hostile foreign governments are valid if carried out in self-defense.

Lastly, based upon the new guidelines, and the historical use of cyber attacks by the United States, was the Stuxnet attack on Iranian nuclear facilities legal?

The guidelines revive questions about the legality of the U.S. and Israel's
pre-emptive
strike on Iran's nuclear capabilities with Stuxnet. If the Pentagon's rules, and now NATO's rules, call cyber attacks an act of war, the question is whether the past two administrations were within the law in ordering the Stuxnet operation.

Article 1, Section 8 of the U.S. Constitution, the foundation of the U.S. government, clearly grants Congress the power:

The Congress shall have Power To lay and collect Taxes, Duties, Imposts and Excises, to pay the Debts and provide for the common Defence and general Welfare of the United States; but all Duties, Imposts and Excises shall be uniform throughout the United States;

To raise and support armies, but no appropriation of money to that use shall be for a longer term than two years
.

Article 1 typically required the President to receive Congressional permission to go to war. This section of the constitution has been abandoned somewhat as the Executive Branch uses semantics to circumvent its requirements.

In summary, the new manual adopted by NATO is simply a suggested guideline for NATO members but is not considered an accepted rule of law. NATO has no power to enforce its provisions, although member states are encouraged to do so. It should be noted that the document is rather ambiguous in its language at times, and at others makes it clear that the participating member states did not agree on a number of issues. If the Tallinn Manual does not have the force and effect of law and is just considered a guideline, then:

How does a victim state respond to a state-sponsored cyber attack?

As cyber terrorism and cyber vandalism become more prevalent, policymakers will be challenged to develop appropriate responses to destructive cyber intrusions. As the quantity and intensity of cyber intrusions have increased, governments have been placed under significant pressure to retaliate. Raising public awareness in light of the allegedly state-sponsored attacks on Sony Pictures and the Sands Casino has helped bring the issue to the forefront. But finding an opportune, proportionate, legal, and acceptable response is complicated by the difficulty in assessing the damage to national interests and the frequent use of state sponsored hacktivists. Most nation-states have plausible deniability, frustrating efforts to declare attribution. Experience suggests that most policy responses have been ad hoc.

In determining the measured response to a state-sponsored cyber intrusion, policymakers will need to consider three important factors—the intelligence community’s confidence in its determination of responsibility, the economic or physical impact of the cyber attack, and the options available to the victim.

While these factors will help create an appropriate response to a disruptive or destructive cyber attack, policymakers will also need to consider additional steps before responding. First, policymakers will need to work with the private sector to determine the effect of an incident on their operations. Second, governments should publicly announce a series of preplanned response options to act as a deterrent while being cognizant of the potential impact of any response on political, economic, intelligence, and military interests.

As the number of highly disruptive and destructive cyber attacks grows, governments remain uncertain as to an appropriate response. In non-digital national security matters, policy responses to the state-sponsored activity are well defined. The government can expel diplomats in response to a spying scandal and use force in response to an armed attack. Clear and established policy responses such as these do not yet exist for cyber attacks for two reasons.

First, assessing the damage caused by a cyber incident is a time-consuming, complicated process. It can take weeks, if not months, for computer forensic experts to accurately and conclusively ascertain the extent of the damage done to an organization’s computer networks. For example, it took roughly two weeks for Saudi authorities, with the assistance of the FBI, to understand the extent of the damage of the ARAMCO incident, which erased data on thirty thousand of Saudi Aramco’s computers. Although this may be quick by computer forensics standards, by comparison, the military can conduct a damage assessment from a non-cyber incident in as little as a few hours.

Second, attributing cyber intrusions to their state-sponsor will always be a significant challenge. Masking the true origins of a cyber attack is relatively easy. States often use proxies or compromised computers in other jurisdictions to divert attention from the real attacker. For example, when the group calling itself the Cyber Caliphate claimed responsibility for taking French television station TV5 Monde off the air with a cyber attack in April 2015, it used the television station’s own social media accounts to post content in support of the self-proclaimed Islamic State. French media reported two weeks later that Russian state-sponsored actors, not pro–Islamic State groups as originally alleged, were likely behind the incident. Even when attribution is determined, it is not guaranteed that domestic or foreign audiences will believe the claim unless officials reveal potentially classified methods used to ascertain the identity of the perpetrator. Disclosure of the attacker could potentially damage intelligence assets. Under the increased public awareness and pressure associated with cyber attacks, responses are likely to be made quickly with incomplete evidence and will attract a high degree of public skepticism. This creates substantial exposure for policymakers who rush to judgment. Quick damage assessments could lead to an overestimation of the impact of an incident, causing a state to respond disproportionately. Misattributing an incident could cause a response to be directed at the wrong target, creating a diplomatic crisis.

Applying traditional analysis in the military world to the new digital one, governments should consider three aspects of the cyber attack before developing an appropriate response.

First, they should understand the level of confidence that their intelligence agencies have in attributing the incident. Digital forensics is not perfect, although there have been great strides in intelligence agencies’ ability to attribute malicious activity. The degree of certainty must have a direct impact on the action taken. For example, if the level of attribution is low, policymakers will be limited in their choice of response even if the severity of the attack is high. They may choose a less valuable retaliatory target to limit the odds of escalation and international criticism. There may also be instances where there is so little evidence for the source of the attack that the victim may choose not to respond.

Second, policymakers should assess the cyber incident’s effects on physical infrastructure, society, the economy, and national interests. The answers to these questions will significantly impact the level of response. Several inquiries come to mind.
What was the physical damage caused by the cyber intrusion
?
Was there any impact on critical infrastructure
?
What type of essential services is affected
?
Has the incident caused significant economic loss or loss of confidence in the markets
?
What was the incident’s impact on national security and the country’s reputation
?

Third, policymakers should consider the range of diplomatic, economic, and military responses at their disposal, from a quiet diplomatic rebuke to a military strike. As the guidelines outlined in the Tallinn Manual submitted to NATO, responses need not be limited to cyberspace. Depending upon the answers to the questions above, nothing bars a state from using other options, although each carries its risks, as is always the case when responding to an attack—military or digital.

Cyber responses can be taken in addition to diplomatic, economic, and military activity. However, they would most often be delivered covertly and could be difficult to develop quickly. The responses would likely involve cyber espionage, after an assessment of a target’s vulnerabilities, and a custom exploit attack designed to implement the measured response. As an example, Stuxnet reportedly took years to develop and deploy. Although states may outsource their retaliation to a proxy, doing so could limit their control over the response and lead to an escalation of activity. Therefore, policymakers are likely to concentrate on other levers of power, outside the cyber realm, in addition to what they may do covertly via cyber tools.

Given the likely pressure governments will feel to respond to significant cyber attacks, policymakers need to develop a response framework before a disruptive or destructive cyber incident occurs. Although each response will be case specific, a structure will enable policymakers to consider their options quickly.

As with other areas of international relations, proportionality emerges through state practice. When one country levies economic sanctions, the sanctioned country often responds in kind. For example, Russia responded to U.S. sanctions over its annexation of Crimea with sanctions of its own. This same logic applies to cyberspace. While there may be pressure to respond aggresively to deter future attacks, accepted international standards require that states only take forcible measures necessary and proportionate to repel or defeat a destructive cyber attack successfully. International law limits the scale, scope, duration and intensity of any actions a victim state may take. Furthermore, a proportional response may pave the way for international coalition building, encouraging the isolation and punishment of the attacker while avoiding the likelihood of escalation.

If a country is the victim of state-sponsored website defacement, a public denouncement is likely the most appropriate response. Moving up the scale, any activity that begins to manipulate or destroy data would potentially require diplomatic action, such as the traditional expulsion of diplomats if the incident affects the victim’s economy. Once the economy is adversely affected, a range of economic responses can be used in coordination with diplomatic pressure, from freezing financial transactions by the sponsoring nation-state to levying international sanctions. Should an incident cause physical damage, a policymaker could consider a military option as an appropriate and proportional response, from military posturing to attack, depending on the incident’s severity. All of these options can be complemented with cyber or covert action, which should also be proportionate to the damage caused by the incident to gain international acceptance.

The United States should begin developing its policy response framework by first working with the private sector, particularly in critical infrastructure. Our nation’s power grid is a priority for attackers, making it important for infrastructure operators to be involved in the development of a framework. The nation’s utilities should advise the government on incidents that affect their operations and report the severity of any incident before a response is formulated.

The growing threat of cyber warfare provides nation-states with a complex set of decisions to make—from understanding the severity of the incident to assessing appropriate responses to take, while continually evaluating the risks involved in formulating a response. As the threats to our nation grow, our government needs to address these issues in depth.

PART FIVE
Cyber Attacks as Acts Of War

Chapter Eleven
Does Cyber Vandalism fall short of An Act of War?

Military and national security operations in cyberspace have made headlines with increasing frequency.

Security companies for several years have documented massive cyber-espionage by the Chinese military against the United States—both private and public sectors. As discussed, the Department of Justice responded by indicting five Chinese military officers for computer hacking, economic espionage, and other offenses directed at American nuclear power, metals, and solar products companies.