LSC 524. Final Assignment
Cyber Warfare
Angela J.A. KENT
December 13, 2012

Introduction[1]

Cyber warfare has yet to be fully realized at the international level. While cyber attacks and cyber security strategies remain prevalent and robust, a persistent cyber warfare campaign between nation-states has not yet occurred, but may be on the horizon. To this end, most nation-states[2] recognize the importance of planning for the possibility of cyber warfare. However, national cyber strategies tend to focus on cyber security measures, rather than pursuing or preparing to defend against a cyber warfare campaign.

As a form of warfare, cyber warfare is not a new phenomenon. When viewed through a Westphalian[3] lens, international laws and treaties of war become models for analyzing cyber warfare threats against and attacks on nation-states. Predictions of whether nation-states will move towards cyber warfare campaigns will be dependent on technological advancements and international law on cyberspace.

[1] This report attempts to address the role of cyber warfare. Is cyber warfare here? How seriously should nation-states be taking cyber warfare?
[2] “Nation-state” and “state” will be used interchangeably, where the former is the principal term used in international relations writings.
[3] This geopolitical theory places nation-states as the primary actors within the international global system. States, and only states, have primacy over non-state actors because they hold power that no other entity can provide to citizens, such as military security. The Peace of Westphalia is seen as the beginnings of the modern nation-state system. See: The New Oxford Companion to Law online (2012).

Scope note

For the purposes of this paper, cyber attacks can be considered an act of war.[4] That is, cyber warfare is a legitimate concern because cyber attacks can reach the levels of armed aggression and lethality. Cyber attacks can fall along a broad scale: from nuisance and inconvenience on one end, to lethal on the other.[5] Consider the scenario in which a critical infrastructure system,[6] like that of an air space control system, is hacked into and causes an airplane crash. The results of such an attack have the same lethal consequences as would other types of warfare. In accepting this premise, we can then apply both historic warfare campaigns and laws of war frameworks to determine the effect of cyber warfare on nation-states.

First, this report focuses on “cyber”[7] as it relates to computers, information systems, and networks. Second, it focuses on “warfare” as an engagement of activities (i.e. tactics, strategies, and operations) against an adversarial nation-state. Examples of warfare include nuclear, chemical, and guerilla warfare, among many others. Third, this report focuses on the effect of cyber warfare on nation-states. While individuals and subnational groups are directly affected by cyber threats, attacks, crimes, and even inconveniences, it is the national consequences that are of primary concern.

[4] For other views on cyber warfare realities, Government Technology (2012) asked conference attendees whether cyber warfare was a real or imagined threat.
[5] A related matrix that can be developed and applied to other countries is the “Effectiveness Against US Difficulty for Adversary” graph. The Joint Warfighting Center (US) established this matrix to incorporate “information warfare” capabilities. See: appendix and Joint Warfighting Center (1997), p. 16.
[6] In fact, cyber security national strategies continue to focus on defending critical infrastructure systems. See for example: Alexander and Swetnam (1999) and Cordesman and Cordesman (2002). The former is a collection of U.S. statutes entitled cyber and information warfare, but focuses on critical infrastructure protection. The latter deals primarily with cyber warfare and infrastructure protection.
[7] The terms “cyber” and “information” will be used interchangeably, with the former being the principal term that encompasses both future and traditional information warfare, which includes Psychological Operations (PSYOPS) and focuses on controlling messages, not just the medium.

Cyberspace

Cyberspace has multiple definitions and is often applied in numerous and inconsistent ways (GAO, 2012). Much like older technological developments and new frontiers, an agreement among states is not an inevitability. Thus, cyber warfare remains far from reaching international consensus. Nonetheless, surveying other forms of warfare, as well as historic and current international laws, is one way of surmising how nation-states may handle cyberspace in the near future.

Warfare

As a military strategy, warfare is the application of a particular weapon to attack or conduct war against another state (The New Oxford Companion to Law, 2012). To this end, state-led cyber warfare activities include: hacking into another country’s media networks;[8] attacking online financial assets;[9] launching denial-of-service campaigns; and disrupting critical infrastructure networks.[10] While such cyber attacks occur on a micro level (i.e. sub-state level), these examples have all been attributed to a state government.

[8] Israeli-Palestine, Operation Cast Lead (2008) and Russian-Chechen War (1997-2001). See: Carr (2010).
[9] Kosovo War. See: Silver (2002). For information on the Indian-Pakistan cyber activities see Unnithan (2011).
[10] “...China is by far the most active transgressor. It employs thousands of gifted software engineers who systematically target technically advanced Fortune 100 companies. The other biggest offenders are Russia and, recently, Iran (the suspected source of the Shamoon virus that crippled thousands of computers at Saudi Arabia's Aramco and Qatar's RasGas in August). America and its allies are by no means passive victims. Either America, Israel or the two working together almost certainly hatched the Stuxnet worm, found in 2010, that was designed to paralyse centrifuges at Iran's Natanz uranium-enrichment plant. The Flame virus, identified by Russian and Hungarian experts this year, apparently came from the same source. It was designed to strike at Iran by infecting computers in its oil ministry and at targets in the West Bank, Syria and Sudan” (Economist, 2012).

From the examples noted above, the key characteristics to take note of are (1) a state’s ability to weaponize technology; (2) the presence of specific political intent; and (3) the ability to couple cyber components with traditional warfare measures. To be sure, states have followed this path to warfare for past weapons and technologies as well.

To gain a sense of this evolution, consider that the weaponization of technology can be dated back to the late 18th century. With the development of explosives, the use of “Explosive Projectiles under 400 Grammes Weight” was one of the first international agreements to limit actions leading up to or being used during war (Hughes, 2009).[11] To note, international agreements that define and limit warfare were established through debate and compromise among states. When cyber warfare is eventually debated, it will be no less controversial than its predecessors. The continuing challenge of monitoring and controlling the presence of nuclear weapons is an exemplar of this point. Because nuclear materials have dual (i.e. peaceful) purposes, it is difficult to determine whether states are amassing nuclear capabilities for peace or war. The same is true for cyber capabilities.

The ability to wage a cyber war is technologically possible. The challenge, however, is the ability to sustain a campaign; possess a high level of coordination across multiple resources; and amass financial and human resources. These capabilities belong solely to states, as they are the only entities that can amass armies and create money (i.e.
state instruments). Lastly, it is worth emphasizing that attacks are only one component of warfare. That is, while cyber attacks can be launched by non-state entities, cyber warfare remains only within the reach of states’ capabilities.

[11] For an outline of international laws and treaties throughout the centuries, please review the full chapter in Carr (2010).

Cyber attacks vs. cyber warfare

For most nation-states, protecting against cyber attacks remains their immediate, and sometimes only, national cyber security goal. Developing cyber warfare strategy, on the other hand, remains a longer-term policy interest. This dichotomy is best seen in the national cyber strategies of the United States (US) (United States National Security Council nd), and other countries, both small and large (Ventre 2012).

Thus, while nation-states continue to thoroughly address cyber security, little has been done in the way of monitoring state-run cyber warfare programs. While the US does track China’s cyber capabilities (US-China Economic and Security Review Commission, 2009), little is found on any sort of broad government strategy; that is, how the US would actually protect against or respond to a Chinese cyber warfare campaign. This is likely the case because nation-states have an interest in keeping both offensive and defensive capabilities hidden or limited, so that adversaries have limited knowledge of one’s strengths and weaknesses. It remains the role of intelligence services to find evidence of the cyber equivalent to nuclear warheads.

A second challenge to developing a cyber warfare strategy is that cyber warfare may occur as a de facto method of warfighting. As was the case with guerilla warfare, the type of war was determined by the nature of the battlefield. Cyber warfare could certainly emerge on the cyberspace battlefield in a very similar way.
The makings of such a battle can be found in the current use of drone strikes (Hyacinthe, 2012) for one, and the preparations for cyberspace operations, for another: “...prepare to, and when directed, conduct full spectrum military cyberspace operations” (US Army Cyber Command, nd).

International laws

While states are focused on protecting and defending against cyber attacks, moving into a cyber warfare domain is still on the horizon. Although the evolution of information and communications technology is unpredictable, when new weapons emerge international law has been created to hedge against possible areas of conflict. As with previous technological advancements, nation-states will seek ways to control and gain advantage over other nation-states through the acquisition and control of new weapons and warfare methods.[12]

The historical development of international laws on other borderless domains like air, sea, and space (Shawhan, 2001)[13] provides one model for determining whether cyberspace is a codifiable domain. One reason why nation-states may be interested in codifying cyberspace is the ability to control the information that flows into one’s borders. As Hare (2009) succinctly states: “[b]orders can be equally important in cyberspace because borders define boundaries of sovereignty...regardless the domain and the ability to locate them physically. As long as threats are directed at nation-states, and legitimate response actions are retained by the state, they will remain important actors and their borders will continue to be relevant.” “Cyber borders” control and monitor the flow of information, while protecting against cyber attacks. Yet, the closest comparisons to date on cyber border laws are those being used by dictators in North Korea, Iran, and Syria, and are being applied to control their populations.

Another model worth considering is that of international space law. In this scenario nation-states explicitly decide how cyberspace is divided and controlled.
Rather than responding out of a sense of cyber insecurity, nation-states are motivated to promote and protect technological advancements because they control how those technologies can be used and best serve their advantage.

[12] One observer estimated “in 10 to 20 years experts believe we could see countries jostling for cyber supremacy” (Arie, 2009).
[13] Further information: DePaul University College of Law (nd) (international aviation law); United Nations (UN) Committee on the Peaceful Uses of Outer Space (international space law); and the “Freedom of the Seas” principle (codified in the UN Conventions of the Law of the Sea).

These models present two different scenarios of how cyber warfare may emerge. They are based on differing views and approaches to cyberspace. One views cyberspace as unclaimed territory and the other views cyberspace as a pre-set battlefield. The battlefield model aligns best with cyber security methods, while “cyberspace as a new frontier” best aligns with developing cyber warfare strategies. Ultimately, until there is a better understanding[14] and agreement on the instruments of cyberspace, tangible interpretations of cyber warfare remain limited.

Principal cyber warfare challenges for nation-states

If nation-states begin to focus more on cyber warfare strategies, attribution becomes a central policy goal. The challenge of attribution may be another reason why states choose to focus on cyber attacks and cyber security, rather than cyber warfare (Erik, 2012). Cyber attacks only require states to protect and not necessarily to identify the source of the attack. Cyber warfare, on the other hand, requires attribution. Not only is cyberspace one of the most anonymous battlefields to date, but the general ability to track any kind of weapons programs remains a challenge.

Not only is cyber warfare a fairly anonymous activity, but it is also susceptible to asymmetrical warfare.
State-on-state warfare is the chosen type of war for many nation-states. For this reason, states are motivated to try to make cyber warfare a symmetrical war. One only needs to cite the US’ residual challenges of asymmetrical and non-state wars on terrorism, drugs, and “Al-Qaeda”[15] to understand the challenges of asymmetric wars. States may begin doing this by implementing some or all of the international laws and norms discussed above. Because international law is a state-based instrument, nation-states may choose to control cyberspace and/or cyber weapons through international laws and agreements.

[14] A telling example of the current decentralization of thought on cyber security strategies can be found in a current GAO (2012) report: “DOD’s organization to address cyber security threats is decentralized and spread across various offices, commands, military services, and military agencies.”

Nation-states are likely to act on the idea of making cyber warfare a more symmetrical war. This is because the combination of anonymity and sub-state empowerment (via the Internet and communications technology in general) threatens the legitimacy of the state and disrupts the current world order. There is evidence that cyberspace has transcended ideas of citizenship and identity away from the nation-state.[16] Nonetheless, even if this is the case, there are numerous actions that would need to occur before cyber warfare could unravel a centuries-old system. The more likely scenario is a country, like China, amassing cyber warfare capabilities and launching a sustained campaign against the United States or another nation-state.

Conclusion

Protecting against cyber attacks remains the primary interest and focus for most federal governments. Though cyber attacks will continue to be waged by state and non-state entities alike, cyber warfare will more likely be conducted and successfully executed by a nation-state.
While states may also sponsor cyber attacks, like state-sponsored terrorism, cyber warfare will require a greater degree of state involvement and visibility.

[15] Recent statements by the Pentagon’s General Counsel have brought this tension to the surface: “US official points to end of 'war on terror'” (2012, December 1). Al Jazeera. Retrieved from http://www.aljazeera.com/news/americas/2012/12/20121210645962539.html
[16] Globalization and nationalism literature cover the various theories and debates on this possible paradigm shift. For writings that incorporate cyber warfare, see for example Hare (2009).

The ability of nation-states to defend against a cyber war is dependent on technological evolution and the speed at which international laws and treaties can be created and modified. Federal governments should take cyber warfare seriously because whether a concerted attack comes from another state or non-state entity, the result is the same: an insecure populace. Citizen insecurity weakens a nation-state’s monopoly over power, as citizens look to other non-state entities to align and ally with. In fact, greater international cooperation and coordination to avoid cyber warfare among states may assist with combating cyber attacks from non-state entities.

Predicting how cyber warfare will evolve should include these two considerations: the nation-states’ abilities to (1) organize and retain primacy over non-state entities and (2) defeat or co-opt technologically-empowered transnational and sub-national entities. Regardless of whether nation-states continue along the path of cyber security or branch out into the international law of cyberspace, states should be preparing for cyber warfare. Finally, by following the war-worn road of international law, nation-states may find an easier pathway to cyber domain dominance over their non-state counterparts.

APPENDIX 1

Source: Joint Warfighting Center (1997).

Warfare is a sustained campaign of resources and support.
In addition to having the technological capabilities and weapons (“Difficulty for Adversary”) to sustain a cyber warfare campaign, adversaries must consider the level of effectiveness their campaign will have on their target. Thus, while cyber attacks may be easier to launch, their impact may be limited, particularly if their target has strong cyber security defenses. Cyber warfare, on the other hand, may be both difficult for adversaries to achieve and have a low effect on their target. This graph is a useful analytical model that could easily be updated to take into account technological advancements in cyber offensive measures and defensive capabilities. Additionally, it could be adapted and applied to other countries.

References

Alexander, Y., & Swetnam, M. S. (1999). Cyber terrorism and information warfare. Dobbs Ferry, N.Y: Oceana Publications.
Arie, J. S. (2009). Cyber warfare operations: Development and use under international law. The Air Force Law Review, 64, 121-173. Retrieved from http://search.proquest.com/docview/195184823?accountid=11091
Carr, J. (2010). Inside cyber warfare. Beijing: O'Reilly.
Cordesman, A. H., Cordesman, J. G., & Center for Strategic and International Studies (Washington, D.C.). (2002). Cyber-threats, information warfare, and critical infrastructure protection: Defending the U.S. homeland. Westport, Conn: Praeger.
DePaul University College of Law. (nd). International aviation law institute. Retrieved from http://www.law.depaul.edu/centers_institutes/aviation_law/
D'Souza, N. (2011, May 16). Cyber warfare and state responsibility: Developments in international law. Available at SSRN: http://ssrn.com/abstract=1842984 or http://dx.doi.org/10.2139/ssrn.1842984
Erik, M. M. (2012). Cyber 3.0: The department of defense strategy for operating in cyberspace and the attribution problem. The Air Force Law Review, 68, 167-206. Retrieved from http://search.proquest.com/docview/1020878866?accountid=11091
Government Technology. (Producer). (2012). RSA 2012: Is the "cyber warfare" scare real or imagined? [Web Video]. Retrieved from http://www.youtube.com/watch?v=LO9KBJCMAHs
Hare, F. “Borders in Cyberspace: Can Sovereignty Adapt to the Challenges of Cyber Security?” In Czosseck, C., & Geers, K. (2009). The virtual battlefield: Perspectives on cyber warfare. Amsterdam: Ios Press.
Hughes, R. “Towards a Global Regime for Cyber Warfare.” In Czosseck, C., & Geers, K. (2009). The virtual battlefield: Perspectives on cyber warfare. Amsterdam: Ios Press.
Hype and fear; cyber-warfare. (2012, Dec 08). The Economist, 405, 62. Retrieved from http://search.proquest.com/docview/1223834330?accountid=11091
Hyacinthe, B. (2012). Law of armed conflicts applied to i-warfare and information operations: How and under what legal framework should surgical NATO and U.S. military drone strikes be conducted? Paper presented at the 313-IX. Retrieved from http://search.proquest.com/docview/1035293549?accountid=11091
Joint Warfighting Center. (1997). Concept for future joint operations. Available http://www.iwar.org.uk/rma/resources/jv2010/concepts-jv2010.pdf
Shawhan, K. J. (2001). Vital interests, virtual threats: Reconciling international law with information warfare and United States security. (Master's thesis, Air University).
Silver, D. B. (2002). Computer network attacks as a use of force under article 2(4) of the United Nations charter. In M. Schmitt & B. O'Donnell (Eds.), Computer Network Attack and International Law (Vol. 76, pp. 73-98). Available http://permanent.access.gpo.gov/gpo3920/Naval-War-College-vol-76.pdf
United Nations. (2012). United Nations treaties and principles on space law. Available at http://www.oosa.unvienna.org/oosa/en/SpaceLaw/treaties.html
United States. Government Accountability Office. (2011). Defense department cyber efforts: DOD faces challenges in its cyber activities (GAO-11-75). Available http://www.gao.gov/new.items/d1175.pdf
United States National Security Council. (nd). The Comprehensive National cyber security Initiative. Available: http://www.whitehouse.gov/sites/default/files/cyber security.pdf
United States Army. (nd). USCYBERCOM. Retrieved from http://www.arcyber.army.mil/org-uscc.html
Unnithan, S. (2011, Mar 21). Inside the indo-pak cyber wars. India Today. Retrieved from http://search.proquest.com/docview/857795612?accountid=11091
US-China Economic and Security Review Commission. (2009). Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation. Available http://permanent.access.gpo.gov/lps123422/NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved%2520Report_16Oct2009.pdf
US-China Economic and Security Review Commission. (2012). Report to Congress (Section 2 China’s Cyber Activities, p. 147). Available http://www.uscc.gov/annual_report/2012/2012_Report-to-Congress-table.pdf
Ventre, D. (2012). Cyber conflict: Competing national perspectives. London: ISTE.
Westphalian system. In (2012). The New Oxford Companion to Law online (Ed.), http://www.oxfordreference.com.proxy.library.georgetown.edu/view/10.1093/acref/9780199290543.001.0001/acref-9780199290543-e-2329