Cybersecurity and Cyberwar (21 page)

Authors: Peter W. Singer, Allan Friedman

But discrimination also matters when judging the ethics of these attacks. At face value, Stuxnet would seem to have been incredibly indiscriminate. While limited in its promiscuity compared to prior malware, this was a worm that still got around. It infected not just targets in Iran but thousands of computers across the world that had nothing to do with Iran or nuclear research. Many lawyers see this facet of cyber weapons as proof of their inherent violation of “prevailing codes of international laws of conflict, as they go beyond just the original target and deliberately target civilian personnel and infrastructure.”

While Stuxnet lacked discretion under the old way of thinking, its very design prevented harm to anyone and anything beyond the intended target. This kind of discrimination was something never previously possible in a weapon. As George Lucas, a philosopher at the US Naval Academy, wrote in an assessment of Stuxnet's ethics, “Unless you happen to be running a large array of exactly 984 Siemens centrifuges simultaneously, you have nothing to fear from this worm.”

In effect, judging the ethics of Stuxnet and cyber weapons more generally turns on which part of the story you care about most. Do you focus on the fact that this new kind of weapon permitted a preemptive attack and in so doing touched thousands of people and computers who had nothing to do with Iran or nuclear research? Or do you focus on the fact that the cyber strike caused far less damage than any previous comparable attack and that the weapon was so discriminating it essentially gave new meaning to the term? Are you a cyber weapon half full or half empty kind of guy?

History may render the ultimate judgment of Stuxnet, however. As Ralph Langner put it, the fascinating new weapon he discovered “could be considered a textbook example of a ‘just war' approach. It didn't kill anyone. That's a good thing. But I am afraid this is only a short-term view. In the long run it has opened Pandora's box.”

“Cyberwar, Ugh, What Are Zeros and Ones Good For?”: Defining Cyberwar

“Be it resolved by the Senate and House of Representatives of the United States of America in Congress assembled, that the state of war between the United States and the Government of Bulgaria, which has thus been thrust upon the United States, is hereby formally declared.”

This June 5, 1942, text describes the last time the United States actually declared war. The declaration covered the minor Axis powers, who were feeling left out after the first post–Pearl Harbor vote to go to war against Nazi Germany, Japan, and Italy. In the years since, America has sent troops to Korea and Iraq and launched airstrikes into places like Yugoslavia, Cambodia, and Pakistan, but the United States has not formally declared war on another state. Wars have been declared on various other things, however: President Johnson's 1964 “Nationwide War on the Sources of Poverty”; Nixon's 1969 “War on Drugs”; and what some conservative leaders more recently claim is a secret “War on Christmas.”

The disconnect between an actual state of war and the far more frequent uses and misuses of the concept of “war” is important to keep in mind when discussing a term like “cyberwar.” War is used to describe an enormously diverse set of conditions and behaviors, from a state of armed conflict between nations (World War II) to symbolic contestations (New York City's “war on sugar”). As for “cyberwar,” the term has been used to describe everything from a campaign of cyber vandalism and disruption (the “Russian Estonian cyberwar,” as it is too often called) to an actual state of warfare utilizing cyber means. Indeed, in 2010 The Economist ran a cover story on cyberwar that portrayed it as everything from military conflict to credit card fraud.

Defining cyberwar need not be so complicated. The key elements of war in cyberspace all have their parallels and connections to warfare in other domains (the real kind, not the symbolic “war between the sexes” kind). Whether it be war on land, at sea, or in the air, or now in cyberspace, war always has a political goal and mode (which distinguishes it from crime) and always has an element of violence. Currently, the US government's position is that to meet this definition of the use of force, a cyberattack would have to “proximately result in death, injury or significant destruction.” That is, even if conducted through cyber means, the effect must be physical damage or destruction. To provide a parallel, a plane dropping bombs is engaged in air warfare; a plane dropping leaflets, not so much.

Knowing when cyberwar begins or ends, however, might be more challenging than defining it. Most wars don't actually have the clear start and negotiated ends that World War II had. Instead, their starts and ends blur. For instance, the United States may not have formally declared war on North Korea in 1950, but it's hard to argue that a conflict in which 5.3 million perished was just a “police action,” as President Truman called it at the time. In turn, while the Korean War, as the history books record it, has never formally ended with a peace treaty, the actual fighting ceased in 1953.

Cyberwar's lines can be just as fuzzy. “We in the US tend to think of war and peace as an on-off toggle switch—either at full-scale war or enjoying peace,” says Joel Brenner, former head of counterintelligence under the US Director of National Intelligence. “The reality is different. We are now in a constant state of conflict among nations that rarely gets to open warfare.… What we have to get used to is that even countries like China, with which we are certainly not at war, are in intensive cyberconflict with us.”

This may be where cyberwar has more in common with more informal concepts of conflict like the Cold War, during which constant conflict didn't actually result in direct, open violence. Indeed, the editor of Foreign Policy magazine, David Rothkopf, has argued we may be entering the era of the “cool war,” not only because of the remote nature of the attacks but because “it can be conducted indefinitely—permanently, even—without triggering a shooting war. At least, that is the theory.”

A War by Any Other Name? The Legal Side of Cyber Conflict

“The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all.”

This sentence opens Article 5 of the Washington Treaty, which in 1949 established the North Atlantic Treaty Organization, or NATO. It is one of the most important passages ever written in international politics. These simple words outlined the concept of “collective defense,” which created the most successful alliance in history. This “All for one, one for all” approach to sharing risk and response allowed the United States and its allies to stand together, taking them from the start of the Cold War to the fall of the Berlin Wall and beyond, including their collective response to the 9/11 attacks on the United States and subsequent deployment half a world away to Afghanistan.

But in April 2007, NATO and its collective defense ideals faced a twenty-first-century test. A new alliance member, Estonia, was one of Europe's most wired states. The majority of its citizens conducted everything from their banking to their voting online. Suddenly, Estonian banks, media web pages, and government websites were hit with a large-scale denial of service attack. While the attack resulted from a series of botnets that had captured over a million computers in seventy-five countries, as we read about earlier, Estonia quickly pointed the finger at its neighbor Russia, with whom it was embroiled in a political dispute over the move of a statue honoring Russian soldiers from World War II. Estonia's foreign minister called for help, believing that the massive cyberattack threatened its security and hence the alliance's as a whole. It argued that under the Washington Treaty NATO was obliged to defend against this start of a new “cyberwar.”

While they were concerned about the attacks, however, the other members of NATO didn't think Article 5 applied. Estonia was being bullied in cyberspace, but no one was dead or hurt and no property was actually destroyed or damaged. It didn't look like the start of a war, at least as NATO understood it, and certainly wasn't worth the alliance risking an actual war with Russia. Instead, the defense ministers of NATO waited a few weeks to issue a joint statement deploring the cyberattacks and sent technical experts to aid Estonia in unblocking its networks. Amusingly, while NATO's political leaders judged that the cyberattacks were not an act of war, NATO's Department of Public Diplomacy later created a short film about the episode entitled War in Cyberspace.

The Estonia case is instructive because it shows the back and forth that takes place between old laws and new technologies, especially when it comes to the question of what constitutes an act of war in the cyber realm. Much of today's thinking on the laws and statecraft of war dates to the post–World War II 1945 UN Charter and 1949 Geneva Conventions. The challenge is that concepts developed back when computers used punch cards don't necessarily apply as clearly to the cyber realm.

In international law, for instance, an “aggression” that would justify going to war is described by the UN Charter as a “use of force against the territorial integrity … of a state.” The problem is that this assumes only a physical world of clearly demarcated borders. This was perfectly acceptable back in 1945 but not in the contemporary world; cyberattacks don't use physical force, take place in a geographic realm, nor necessarily involve only states.

That old laws are growing more challenging to apply doesn't mean, however, that the cyber world is the Wild West. There are nascent efforts to either update the old codes or create new ones. For example, after the confusion over the Estonia incident, the NATO Cooperative Cyber Defence Centre of Excellence commissioned twenty law professors to formally examine how the known laws of war apply to cyberspace, in a document entitled the “Tallinn Manual on the International Law Applicable to Cyber Warfare.” The manual laid out their ideas on everything from what self-defense might mean in the cyber world to a controversial (but logical) argument that any civilian fighting in a cyberwar loses legal protections as a civilian. While an important effort, it has no legal standing, and obviously a number of nations outside of NATO, such as Russia, were less than enthusiastic about the manual's findings. Even more, certain NATO members like the United States were not quick to embrace the manual they had sponsored.

The reality is that the “process of formalizing rules for cyberspace will likely take decades given the differing priorities among various governments,” reports Foreign Policy magazine. This seems to leave a massive vacuum in the interim. So until the old treaties are updated or new ones are accepted for the cyber world, there is a third option: apply existing laws' basic principles and values to cyberspace. Charles Dunlap, a military lawyer who retired as a US Air Force major general and now teaches at Duke University Law School, notes, “A cyber attack is governed by basically the same rules as any other kind of attack.”

The primary way to determine when a cyberattack constitutes the kind of “use of force” that legally justifies war is to weigh its effects. What did the act do to the real world, regardless of the fact that it happened via cyber means? Look to the amount of damage, caused or intended, and establish parallels.

Focusing on impact is important because it recognizes that not all attacks have to involve traditional armed violence. Indeed, in international law an enemy that uses unarmed means to intentionally divert a river to flood a neighboring state or set fires to burn wildly across the border would still be committing an armed act of aggression equivalent to the use of guns for the same effect.

The same logic applies in reverse. You wouldn't go to war if someone defaced your posters in the street, so neither should a government if an enemy defaces its websites. By comparison, when the action causes death and destruction, the discussion moves into the realm of war. If your power plant explodes in a fiery blast that kills thousands, whether the cause was an actual bomb or logic bomb is not a major distinguishing factor.

The real challenge is the gray area in the middle, incidents between destruction and disruption, such as a denial-of-service attack. When it was under attack, Estonia wanted NATO to declare that its sovereignty had been violated, which would have triggered the collective self-defense article of the NATO treaty. In the virtual world perhaps it had been, but not in the physical world. Here again, even these seemingly new forms of attack have parallels to guide us. While they may not have imagined cyberspace, the 1940s-era statesmen who wrote the UN Charter did imagine things like the interruption of “postal, telegraphic, radio, and other means of communications.” Such interruptions were certainly frowned upon, but they did not constitute war. Professor James Hendler, former chief scientist at the Pentagon's Defense Advanced Research Projects Agency (DARPA), says that in the case of Estonia, the attacks were “more like a cyber riot than a military attack.” It was disruptive, but it wasn't war.

Another example in Estonia's neighborhood serves as illustration. In 2008, the nation of Georgia also got in a dispute with its larger neighbor. Just as in Estonia, Georgian websites suffered denial-of-service attacks, as we saw earlier, thought to have been coordinated by Russian sources. The attacks crippled the websites' operations for several days and limited the Georgian government's ability to communicate with its people and the outside world. At the same time, several brigades of Russian tanks crossed into Georgia, and Russian bombers and missiles pummeled the country, causing over 1,300 casualties. The difference in impact was stark. The cyberattacks alone were not war, but a war was clearly taking place.
