by Bobby Akart
Lastly, based upon the new guidelines, and the historical use of cyber attacks by the United States, was the Stuxnet attack on Iranian nuclear facilities legal?
The guidelines revive questions about the legality of the U.S. and Israel's pre-emptive strike on Iran's nuclear capabilities with Stuxnet. If the Pentagon's rules, and now NATO's rules, call cyber attacks an act of war, the question is whether the past two administrations were within the law in ordering the Stuxnet operation.
Article 1, Section 8 of the U.S. Constitution, the foundation of the U.S. government, clearly grants Congress the power:
The Congress shall have Power To lay and collect Taxes, Duties, Imposts and Excises, to pay the Debts and provide for the common Defence and general Welfare of the United States; but all Duties, Imposts and Excises shall be uniform throughout the United States;
To raise and support armies, but no appropriation of money to that use shall be for a longer term than two years.
Article 1 typically required the President to receive Congressional permission to go to war. This section of the Constitution has been abandoned somewhat as the Executive Branch uses semantics to circumvent its requirements.
In summary, the new manual adopted by NATO is simply a suggested guideline for NATO members but is not considered an accepted rule of law. NATO has no power to enforce its provisions, although member states are encouraged to do so. It should be noted that the document is rather ambiguous in its language at times, and at others makes it clear that the participating member states did not agree on a number of issues. If the Tallinn Manual does not have the force and effect of law and is just considered a guideline, then:
How does a victim state respond to a state-sponsored cyber attack?
As cyber terrorism and cyber vandalism become more prevalent, policymakers will be challenged to develop appropriate responses to destructive cyber intrusions. As the quantity and intensity of cyber intrusions have increased, governments have been placed under significant pressure to retaliate. Raising public awareness in light of the allegedly state-sponsored attacks on Sony Pictures and the Sands Casino has helped bring the issue to the forefront. But finding an opportune, proportionate, legal, and acceptable response is complicated by the difficulty in assessing the damage to national interests and the frequent use of state-sponsored hacktivists. Most nation-states have plausible deniability, frustrating efforts to declare attribution. Experience suggests that most policy responses have been ad hoc.
In determining the measured response to a state-sponsored cyber intrusion, policymakers will need to consider three important factors—the intelligence community’s confidence in its determination of responsibility, the economic or physical impact of the cyber attack, and the options available to the victim.
While these factors will help create an appropriate response to a disruptive or destructive cyber attack, policymakers will also need to consider additional steps before responding. First, policymakers will need to work with the private sector to determine the effect of an incident on their operations. Second, governments should publicly announce a series of preplanned response options to act as a deterrent while being cognizant of the potential impact of any response on political, economic, intelligence, and military interests.
As the number of highly disruptive and destructive cyber attacks grows, governments remain uncertain as to an appropriate response. In non-digital national security matters, policy responses to the state-sponsored activity are well defined. The government can expel diplomats in response to a spying scandal and use force in response to an armed attack. Clear and established policy responses such as these do not yet exist for cyber attacks for two reasons.
First, assessing the damage caused by a cyber incident is a time-consuming, complicated process. It can take weeks, if not months, for computer forensic experts to accurately and conclusively ascertain the extent of the damage done to an organization’s computer networks. For example, it took roughly two weeks for Saudi authorities, with the assistance of the FBI, to understand the extent of the damage of the ARAMCO incident, which erased data on thirty thousand of Saudi Aramco’s computers. Although this may be quick by computer forensics standards, by comparison, the military can conduct a damage assessment from a non-cyber incident in as little as a few hours.
Second, attributing cyber intrusions to their state sponsor will always be a significant challenge. Masking the true origins of a cyber attack is relatively easy. States often use proxies or compromised computers in other jurisdictions to divert attention from the real attacker. For example, when the group calling itself the Cyber Caliphate claimed responsibility for taking French television station TV5 Monde off the air with a cyber attack in April 2015, it used the television station’s own social media accounts to post content in support of the self-proclaimed Islamic State. French media reported two weeks later that Russian state-sponsored actors, not pro–Islamic State groups as originally alleged, were likely behind the incident. Even when attribution is determined, it is not guaranteed that domestic or foreign audiences will believe the claim unless officials reveal potentially classified methods used to ascertain the identity of the perpetrator. Disclosure of the attacker could potentially damage intelligence assets. Under the increased public awareness and pressure associated with cyber attacks, responses are likely to be made quickly with incomplete evidence and will attract a high degree of public skepticism. This creates substantial exposure for policymakers who rush to judgment. Quick damage assessments could lead to an overestimation of the impact of an incident, causing a state to respond disproportionately. Misattributing an incident could cause a response to be directed at the wrong target, creating a diplomatic crisis.
Applying traditional analysis in the military world to the new digital one, governments should consider three aspects of the cyber attack before developing an appropriate response.
First, they should understand the level of confidence that their intelligence agencies have in attributing the incident. Digital forensics is not perfect, although there have been great strides in intelligence agencies’ ability to attribute malicious activity. The degree of certainty must have a direct impact on the action taken. For example, if the level of attribution is low, policymakers will be limited in their choice of response even if the severity of the attack is high. They may choose a less valuable retaliatory target to limit the odds of escalation and international criticism. There may also be instances where there is so little evidence for the source of the attack that the victim may choose not to respond.
Second, policymakers should assess the cyber incident’s effects on physical infrastructure, society, the economy, and national interests. The answers to these questions will significantly impact the level of response. Several inquiries come to mind. What was the physical damage caused by the cyber intrusion? Was there any impact on critical infrastructure? What type of essential services is affected? Has the incident caused significant economic loss or loss of confidence in the markets? What was the incident’s impact on national security and the country’s reputation?
Third, policymakers should consider the range of diplomatic, economic, and military responses at their disposal, from a quiet diplomatic rebuke to a military strike. As the guidelines outlined in the Tallinn Manual submitted to NATO indicate, responses need not be limited to cyberspace. Depending upon the answers to the questions above, nothing bars a state from using other options, although each carries its risks, as is always the case when responding to an attack—military or digital.
Cyber responses can be taken in addition to diplomatic, economic, and military activity. However, they would most often be delivered covertly and could be difficult to develop quickly. The responses would likely involve cyber espionage, after an assessment of a target’s vulnerabilities, and a custom exploit attack designed to implement the measured response. As an example, Stuxnet reportedly took years to develop and deploy. Although states may outsource their retaliation to a proxy, doing so could limit their control over the response and lead to an escalation of activity. Therefore, policymakers are likely to concentrate on other levers of power, outside the cyber realm, in addition to what they may do covertly via cyber tools.
Given the likely pressure governments will feel to respond to significant cyber attacks, policymakers need to develop a response framework before a disruptive or destructive cyber incident occurs. Although each response will be case specific, a structure will enable policymakers to consider their options quickly.
As with other areas of international relations, proportionality emerges through state practice. When one country levies economic sanctions, the sanctioned country often responds in kind. For example, Russia responded to U.S. sanctions over its annexation of Crimea with sanctions of its own. This same logic applies to cyberspace. While there may be pressure to respond aggressively to deter future attacks, accepted international standards require that states only take forcible measures necessary and proportionate to repel or defeat a destructive cyber attack successfully. International law limits the scale, scope, duration and intensity of any actions a victim state may take. Furthermore, a proportional response may pave the way for international coalition building, encouraging the isolation and punishment of the attacker while avoiding the likelihood of escalation.
If a country is the victim of state-sponsored website defacement, a public denouncement is likely the most appropriate response. Moving up the scale, any activity that begins to manipulate or destroy data would potentially require diplomatic action, such as the traditional expulsion of diplomats if the incident affects the victim’s economy. Once the economy is adversely affected, a range of economic responses can be used in coordination with diplomatic pressure, from freezing financial transactions by the sponsoring nation-state to levying international sanctions. Should an incident cause physical damage, a policymaker could consider a military option as an appropriate and proportional response, from military posturing to attack, depending on the incident’s severity. All of these options can be complemented with cyber or covert action, which should also be proportionate to the damage caused by the incident to gain international acceptance.
The United States should begin developing its policy response framework by first working with the private sector, particularly in critical infrastructure. Our nation’s power grid is a priority for attackers, making it important for infrastructure operators to be involved in the development of a framework. The nation’s utilities should advise the government on incidents that affect their operations and report the severity of any incident before a response is formulated.
The growing threat of cyber warfare provides nation-states with a complex set of decisions to make—from understanding the severity of the incident to assessing appropriate responses to take, while continually evaluating the risks involved in formulating a response. As the threats to our nation grow, our government needs to address these issues in depth.
PART FIVE
Cyber Attacks as Acts Of War
Chapter Eleven
Does Cyber Vandalism fall short of An Act of War?
Military and national security operations in cyberspace have made headlines with increasing frequency.
Security companies for several years have documented massive cyber-espionage by the Chinese military against the United States—both private and public sectors. As discussed, the Department of Justice responded by indicting five Chinese military officers for computer hacking, economic espionage, and other offenses directed at American nuclear power, metals, and solar products companies.
Snowden’s allegations of massive cyber spying by the National Security Agency and close American allies have raised worldwide fears about the security and privacy of the Internet.
Russia and Iran have been accused of launching covert cyber espionage against political and economic targets in the U.S. According to reports, it appears Russian hackers attempted to place a digital bomb inside the NASDAQ stock exchange networks.
Fears are growing that, similar to the outbreak of World War I a century ago, a cyber event—the equivalent of the Serbian gunman’s assassination of the Austro-Hungarian Duke in Sarajevo—could escalate into an outright cyber war with dire consequences around the world.
Cyber warfare is one of the most misused terms in the cyber dictionary. The U.S. Strategic Command defines cyber warfare as: The Creation of effects in and through cyberspace in support of a combatant commander's military objectives, to ensure friendly forces freedom of action in cyberspace while denying adversaries these same freedoms.
There are traditional definitions as to what constitutes an act of war, and the cyber version is only slightly different. Cyber warfare has been defined as an action, or series of actions, by a military commander or government-sponsored cyber warriors that further his or her objectives, while disallowing an enemy to achieve theirs. Military leaders typically belong to a nation-state or a well-funded, overt and organized insurgency group (as opposed to loosely organized rebels, crime syndicates, etc.). Acting overtly in cyberspace means you are not trying to hide who you are, although it’s relatively easy to mask your tracks. The warriors of today are the cyber version of regular, uniformed forces versus irregular forces.
In 2014, Sony executives, gearing up for the release of Seth Rogen's North Korea-bashing film, The Interview, received an ominous holiday greeting—“We’ve obtained all your internal data including your secrets and top secrets. If you don’t obey us, we’ll release data shown below to the world.” The hackers delivered on their promise, unloading onto the internet an incredible number of emails, employee information, and all sorts of other data. Most of the actual damage involved disclosed personnel records and damaged celebrity reputations. Among other things, producer Mark Rudin called Angelina Jolie a minimally talented spoiled brat for delaying his film projects, and producer Amy Pascal called Leonardo DiCaprio absolutely despicable after he passed on a Steve Jobs biopic.
A few politicians focused on the Sony cyber attack’s political and economic implications. “It’s a new form of warfare that we’re involved in,” Senator John McCain told CNN’s State of the Union, “and we need to react and we need to react vigorously.” Senator McCain’s condemnation was in large part a response to President Obama’s earlier acknowledgment that, while indeed an act of cyber vandalism, the Sony cyber attack doesn’t quite qualify as an act of war. Congressman Mike Rogers, the Republican chair of the House Intelligence Committee, was more reserved in his assessment. “You can’t necessarily say an act of war,” he expressed in an interview with Fox News. Rogers identified the underlying legal problem when he admitted, “We don’t have good, clear policy guidance on what that means when it comes to cyber attacks.”
Was the cyber attack on Sony cyber vandalism, warfare, or something else? If the Sony cyber attack didn’t cross the line into cyber warfare, what would?
After President Obama stated that the Sony hack was an act of cyber vandalism perpetrated by North Korea, and thus not an act of war, the statement was criticized by politicians, security experts and other members of the public. Before a rush to judgment is made, one must look at what constitutes an act of war. Let’s assume for the sake of this analysis that North Korea did perpetrate the attack. Was the act part of a military maneuver, directed by a commander, with the purpose of denying the enemy freedom of action while providing a tactical advantage on its end? No. The objective was to embarrass a private-sector firm and degrade or deny computing services. Under this analysis, the President is right – it’s clearly not part of a military operation. It’s on the extreme end of vandalism, but that’s all it is.
Few public examples exist of true, overt cyber warfare. Allegations have been made that the U.S., Israel, Russia, China, and Iran have engaged in cyber war at some point, but the accounts either use a looser definition of cyber war.
One of the early candidates for a textbook example of cyber war occurred during the 2008 Russo-Georgian War. Russia and Georgia engaged in armed conflict with two breakaway republics, South Ossetia and Abkhazia – both located in Georgia. Russia backed the separatists and eventually launched a military campaign. In the days and weeks leading up to Russia’s direct military intervention, hackers originating from within Russia attacked key Georgian information assets. Internet connectivity was down for extended periods of time and official government websites were hacked or completely under the attacker’s control. In addition, internal communications and news outlets were severely disrupted. All of the above would hamper the ability of Georgian military commanders to coordinate defenses during the initial Russian land attack.
Consider the Sony attack as a typical example, or perhaps a cyber attack that causes a financial market crash but, because it does not directly harm people or the infrastructure necessary for preserving life and health, doesn’t meet the criteria for a conventional act of war. By accepted definitions of warfare, this may not constitute an act of war against the United States, and thus be only cyber vandalism, but the affected companies might disagree.
Chapter Twelve
When is it an act of war? What is an appropriate response?
In 2012, former Defense Secretary Leon Panetta stood inside the Intrepid Sea, Air and Space Museum moored in New York and addressed an audience of business executives. He informed them of one of the most important conversations being held inside the corridors of the United States government.
Pearl Harbor was one of the most tragic moments in American history. Japanese bombers unleashed a devastating surprise attack on a U.S. naval base in Hawaii on that seventh day of December in 1941, killing twenty-four hundred Americans and wounding another thirteen hundred. President Franklin D. Roosevelt called it a date that will live in infamy during his speech asking Congress for a declaration of war.