LSC 524.Final Assignment Cyber Warfare.Angela

LSC 524.Final Assignment
Cyber Warfare.Angela J.A. KENT
December 13, 2012
Introduction1
Cyber warfare has yet to be fully realized at the international level. While cyber attacks
and cyber security strategies remain prevalent and robust, a persistent cyber warfare
campaign between nation-states has not yet occurred, but may be on the horizon. To
this end, most nation-states2 recognize the importance of planning for the possibility of
cyber warfare. However, national cyber strategies tend to focus on cyber security
measures, rather than pursuing or preparing to defend against a cyber warfare
campaign.
As a form of warfare, cyber warfare is not a new phenomenon. When viewed through a
Westphalian3 lens, international laws and treaties of war become models for analyzing
cyber warfare threats against and attacks on nation-states. Predictions of whether
nation-states will move towards cyber warfare campaigns, will be dependant on
technological advancements and international law on cyberspace.
Scope note
For the purposes of this paper, cyber attacks can be considered an act of war.4 That is,
cyber warfare is a legitimate concern because cyber attacks can reach the levels of
1
This report attempts to address the role of cyber warfare. Is cyber warfare here? How serious should
nation-states be taking cyber warfare?
2
“Nation-state” and “state” will be used interchangeably, where the the former is the principal term used in
international relations writings.
3
This geopolitical theory places nation-states as the primary actors within the international global system.
States, and only states, have primacy over non-state actors because they hold power that no other entity
can provide to citizens, such as military security. The Peace of Westphalia is seen as the beginnings of
the modern nation-state system. See: The New Oxford Companion to Law online. (2012)
4
For other views on cyber warfare realities, Government Technology (2012) asked conference attendees
whether cyber warfare was a real or imagined threat.
1
armed aggression and lethality. Cyber attacks can fall along a broad scale: from
nuisance and inconvenience on one end, to lethal on the other. 5 Consider the scenario
in which critical infrastructure system,6 like that of an air space control system, is hacked
into and causes an airplane crash. The results of such an attack have the same lethal
consequences as would other types of warfare. In accepting this premise, we can then
apply both historic warfare campaigns and laws of war frameworks to determine the
effect of cyber warfare on nation-states.
This report focuses on “cyber”7 as it relates to computers, information systems, and
networks. Second, it focuses on “warfare” as an engagement of activities (i.e. tactics,
strategies, and operations) against an adversarial nation-state. Examples of warfare
include nuclear, chemical, and guerilla warfare, among many others. Third, this report
focuses on the effect of cyber warfare on nation-states. While individuals and subnational groups are directly affected by cyber threats, attacks, crimes, and even
inconveniences, it is the national consequences that is of primary concern.
Cyberspace
Cyberspace has multiple definitions and is often applied in a numerous and inconsistent
ways (GAO, 2012). Much like older technological developments and new frontiers, an
agreement among states is not an inevitability. Thus, cyber warfare remains far from
5
A related matrix that can be developed and applied to other countries is the “Effectiveness Against US Difficulty for Adversary” graph. The Joint Warfighting Center (US) established this matrix to incorporate
“information warfare” capabilities. See: appendix and Joint Warfare Center (1997), p.16
6
In fact, cyber security national strategies continue to focus on defending critical infrastructure systems.
See for example: Alexander and Swetnam (1999) and Cordesman and Cordesman (2002). The former is
a collection of U.S. statutes entitled cyber and information warfare, but focuses on critical infrastructure
protection. The latter deals primarily with cyber warfare and infrastructure protection.
7
The terms “cyber” and “information” will be used interchangeably, with the former being the principal
term that encompasses both future and traditional information warfare, which include Psychological
Operations (PSYOPS) and focuses on controlling messages, not just the medium.
2
reaching international consensus. Nonetheless, surveying other forms of warfare, as
well as historic and current international laws is one way of surmising how nation-states
may handle cyberspace in the near future.
Warfare
As a military strategy, warfare is the application of a particular weapon to attack or
conduct war against another state (The New Oxford Companion to Law, 2012). To this
end, state-led cyber warfare activities include: hacking into another country’s media
networks;8 attacking online financial assets;9 launching denial of services campaigns;
and disrupting critical infrastructure networks.10 While such cyber attacks occur on a
micro level (i.e. sub-state level), these examples have all been attributed to a state
government.
From the examples noted above, the key characteristics to take note of are (1) a state’s
ability to weaponize technology; (2) the presence of specific political intent; and (3) the
ability to couple cyber components with traditional warfare measures. To be sure, states
have followed this path to warfare for past weapons and technologies as well. To gain a
sense of this evolution, consider that the weaponization of technology can be dated
back to the late 18th century. With the development of explosives, the use of “Explosive
8
Israeli-Palestine, Operation Cast Lead (2008) and Russian-Chechen War (1997-2001). See: Carr
(2010).
9
Kosovo War. See: Silver (2002). For information on the Indian-Pakistan cyber activities see Unnithan
(2011)
10
“...China is by far the most active transgressor. It employs thousands of gifted software engineers who
systematically target technically advanced Fortune 100 companies. The other biggest offenders are
Russia and, recently, Iran (the suspected source of the Shamoon virus that crippled thousands of
computers at Saudi Arabia's Aramco and Qatar's RasGas in August). America and its allies are by no
means passive victims. Either America, Israel or the two working together almost certainly hatched the
Stuxnet worm, found in 2010, that was designed to paralyse centrifuges at Iran's Natanz uraniumenrichment plant. The Flame virus, identified by Russian and Hungarian experts this year, apparently
came from the same source. It was designed to strike at Iran by infecting computers in its oil ministry and
at targets in the West Bank, Syria and Sudan” (Economist, 2012)
3
Projectiles under 400 Grammes Weight” was one of the first international agreements to
limit actions leading up to or being used during war (Hughes, 2009).11
To note, international agreements that define and limit warfare were established through
debate and compromise among states. When cyber warfare is eventually debated, it will
be no less controversial than its predecessors. The continuing challenges of monitoring
and controlling the presence of nuclear weapons is an exemplar to this point. Because
nuclear materials have dual (i.e. peaceful) purposes, it is difficult to determine whether
states are amassing nuclear capabilities for peace or war. The same is true for cyber
capabilities.
The ability to wage a cyber war is technologically possible. The challenge however, is
the ability to sustain a campaign; possess a high-level of coordination across multiple
resources; and amass financial and human resources. These capabilities belong solely
to states, as they are the only entities that can amass armies and create money (i.e.
state instruments). Lastly, it is worth emphasizing that attacks are only one component
of warfare. That is, while cyber attacks can be launched by non-state entities, cyber
warfare remains only within the reach of states’ capabilities.
Cyber attacks vs. cyber warfare
For most nation-states, protecting against cyber attacks remains their immediate, and
sometimes only, national cyber security goal. Developing cyber warfare strategy, on the
other hand, remains a longer-term policy interest. This dichotomy is best seen in the
11
For an outline of international laws and treaties throughout the centuries, please review full chapter Carr
(2010).
4
national cyber strategies of the United States’ (US) (United States National Security
Council nd), and other countries, both small and large (Ventre 2012).
Thus, while nation-states continue to thoroughly address cyber security, little has been
done in the way of monitoring state-run cyber warfare programs. While the US does
track China’s cyber capabilities (US-China Economic and Security Review Commission,
2009), little is found on any sort of broad government strategy; that is, (i.e. how the US
would actually protect against or respond to a Chinese cyber warfare campaign). This is
likely the case because nation-states have an interest in keeping both offensive and
defensive capabilities hidden or limited, so that adversaries have limited knowledge of
one’s strengths and weaknesses. It remains the role of intelligence services to find
evidence of the cyber equivalent to nuclear warheads.
A second challenge to developing a cyber warfare strategy is that cyber warfare may
occur as a de facto method of warfighting. As was the case with guerilla warfare, the
type of war was determined by the nature of the battlefield. Cyber warfare could
certainly emerge on the cyberspace battlefield in a very similar way. The makings of
such a battle can be found in the current use of drone strikes (Hyacinthe, 2012) for one,
and the preparations for cyberspace operations, for another: “...prepare to, and when
directed, conduct full spectrum military cyberspace operations.” (US Army Cyber
Command, nd).
International laws
While states are focused on protecting and defending against cyber attacks, moving into
a cyber warfare domain is still on the horizon. Although the evolution of information and
5
communications technology is unpredictable, when new weapons emerge international
law has been created to hedge against possible areas of conflict. As with previous
technological advancements, nation-states will seek ways to control and gain advantage
over other nation-states through the acquisition and control of new weapons and
warfare methods.12
The historical development of international laws on other borderless domains like air,
sea, and space (Shawhan, 2001)13 provides one model for determining whether
cyberspace is a codifiable domain. One reason why nation-states may be interested in
codifying cyberspace is the ability to control the information that flows into one’s
borders. As Hare (2009) succinctly states:
“[b]orders can be equally important in cyberspace because borders define boundaries of
sovereignty...regardless the domain and the ability to locate them physically. As long as threats
are directed at nation-states, and legitimate response actions are retained by the state, they will
remain important actors and their borders will continue to be relevant.”
“Cyber borders” control and monitor the flow of information, while protecting against
cyber attacks. Yet, the closest comparison to date on cyber border laws are being used
by dictators in North Korea, Iran, and Syria, and are being applied control their
populations.
Another model worth considering is that of international space law. In this scenario
nation-states explicitly decide how cyberspace is divided and controlled. Rather than
responding out of a sense of cyber insecurity, nation-states are motivated to promote
12
One observer estimated “in 10 to 20 years experts believe we could see countries jostling for cyber
supremacy” Arie (2009).
13
Further information: DePaul University College of Law. (nd) (international aviation law); United Nations
(UN) Committee on the Peaceful Uses of Outer Space (international space law); and the “Freedom of the
Seas” principle (codified in the UN Conventions of the Law of the Sea).
6
and protect technological advancements because they control how those technologies
can be used and best serve their advantage.
These models present two different scenarios of how cyber warfare may emerge. They
are based on differing views and approaches to cyberspace. One views cyberspace as
unclaimed territory and the other views cyberspace as a pre-set battlefield. The
battlefield model aligns best with cyber security methods, while “cyberspace as a new
frontier” best aligns with developing cyber warfare strategies. Ultimately, until there is a
better understanding14 and agreement on the instruments of cyberspace, tangible
interpretations of cyber warfare remain limited.
Principal cyber warfare challenges for nation-states
If nation-states begin to focus more on cyber warfare strategies, attribution becomes a
central policy goal. The challenge of attribution may be another reason why states
choose to focus on cyber attacks and cyber security, rather than cyber warfare (Erik,
2012). Cyber attacks only require states to protect and not necessarily to identify the
source of the attack. Cyber warfare, on the other hand, requires attribution. Not only is
cyberspace one of the most anonymous battlefields to date, but the general ability to
track any kind of weapons programs remains a challenge.
Not only is cyber warfare a fairly anonymous activity, but it is also susceptible to
asymmetrical warfare. State-on-state warfare is the chosen type of war for many nations
states. For this reason, states are motivated to try an make cyber warfare a symmetrical
war. One only needs to cite the US’ residual challenges of asymmetrical and non-state
14
A telling example of the current decentralization of thought on cyber security strategies can be found in
a current GAO (2012) report: “DOD’s organization to address cyber security threats is decentralized and
spread across various offices, commands, military services, and military agencies.”
7
wars on terrorism, drugs, and “Al-Qaeda”15 to understand the challenges of asymmetric
wars. States may begin doing this by implementing some or all of the international laws
and norms discussed above. Because international law is a state-based instrument,
nation-states may choose to control cyberspace and/or cyber weapons through
international laws and agreements.
Nation-states are likely to act on the idea of making cyber warfare a more symmetrical
war. This is because the combination of anonymity and sub-state empowerment (via the
Internet and communications technology in general) threatens the legitimacy of the
state and disrupts the current world order. There is evidence that cyberspace has
transcended ideas of citizenship and identify away from the nation-state.16 Nonetheless,
even if this is the case, there are numerous actions that would need to occur before
cyber warfare could unravel a centuries old system. The more likely scenario is a
country, like China, amassing cyber warfare capabilities and launching a sustained
campaign against the United States or another nation-state.
Conclusion
Protecting against cyber attacks remains the primary interest and focus for most federal
governments. Though cyber attacks will continue to be waged by state and non-state
entities alike, cyber warfare will more likely be conducted and successfully executed by
a nation-state. While states may also sponsor cyber attacks, like state-sponsored
terrorism, cyber warfare will require a greater degree of state involvement and visibility.
15
Recent statements by the Pentagon’s General Counsel have brought to the surface this tension: “US
official points to end of 'war on terror'. (2012, December 1). Al Jazeera. Retrieved from
http://www.aljazeera.com/news/americas/2012/12/20121210645962539.html
16
Globalization and nationalism literature cover the various theories and debates on this possible
paradigm shift. For writings that incorporate cyber warfare, see for example Hare (2009).
8
The ability of nation-states to defend against a cyber war is dependent on technological
evolution and the speed at which international laws and treaties can be created and
modified. Federal governments should take cyber warfare seriously because whether a
concerted attack comes from another state or non-state entity, the result is the same: an
insecure populace. Citizen insecurity weakens a nation-state’s monopoly over power, as
citizens look to other non-state entities to align and ally with. In fact, greater
international cooperation and coordination to avoid cyber warfare among states, may
assist with combating cyber attacks from non-state entities.
Predicting how cyber warfare will evolve should include these two considerations: the
nation-states’ abilities to (1) organize and retain primacy over non-state entities and (2)
defeat or co-opt technologically-empowered transnational and sub-national entities.
Regardless of whether nation-states continue along the path of cyber security or branch
out into the international law of cyberspace, states should be preparing for cyber
warfare. Finally, by following the war-worn road of international law, nation-states may
find an easier pathway to cyber domain dominance over their non-state counterparts.
9
APPENDIX 1
Source: Joint Warfighting Center (1997).
Warfare is a sustained campaign of resources and support. In addition to having the
technological capabilities and weapons (“Difficulty for Adversary”) to sustain a cyber
warfare campaign, adversaires must consider the level of effectiveness their campaign
will have on their target. Thus, while cyber attacks may be easier to launch, their impact
may be limited, particularly if their target has strong cyber security defenses. Cyber
warfare, on the other hand, may be both difficult for adversaries to achieve and have a
low effect on their target.
This graph is a useful analytical model that could easily be updated to take into account
technological advancements in cyber offensive measures and defensive capabilities.
Additionally, it could be adapted and applied to other countries.
10
References
Alexander, Y., & Swetnam, M. S. (1999). Cyber terrorism and information warfare.
Dobbs
Ferry, N.Y: Oceana Publications.
Arie, J. S. (2009). Cyber warfare operations: Development and use under international
law. The Air Force Law Review, 64, 121-173. Retrieved from
http://search.proquest.com/docview/195184823?accountid=11091
Carr, J. (2010). Inside cyber warfare. Beijing: O'Reilly.
Cordesman, A. H., Cordesman, J. G., & Center for Strategic and International Studies
(Washington, D.C.). (2002). Cyber-threats, information warfare, and critical
infrastructure protection: Defending the U.S. homeland. Westport, Conn: Praeger.
DePaul University College of Law. (nd). International aviation law institute. Retrieved
from http://www.law.depaul.edu/centers_institutes/aviation_law/
D'Souza, Nikhil, Cyber Warfare and State Responsibility: Developments in International
Law (May 16, 2011). Available at SSRN: http://ssrn.com/abstract=1842984 or
http://dx.doi.org/10.2139/ssrn.1842984
Erik, M. M. (2012). Cyber 3.0: The department of defense strategy for operating in
cyberspace and the attribution problem. The Air Force Law Review, 68, 167-206.
Retrieved from
http://search.proquest.com/docview/1020878866?accountid=11091
Government Technology. (Producer). (2012). Rsa 2012: Is the "cyber warfare" scare
real
or imagined?. [Web Video]. Retrieved from http://www.youtube.com/watch?
v=LO9KBJCMAHs
Hare, F. “Borders in Cyberspace: Can Sovereignty Adapt to the Challenges of Cyber
Security?” In Czosseck, C., & Geers, K. (2009). The virtual battlefield:
Perspectives on cyber warfare. Amsterdam: Ios Press
Hughes, R. “Towards a Global Regime for Cyber Warfare.” In Czosseck, C., & Geers, K.
(2009). The virtual battlefield: Perspectives on cyber warfare. Amsterdam: Ios
Press
Hype and fear; cyber-warfare. (2012, Dec 08). The Economist, 405, 62. Retrieved from
http://search.proquest.com/docview/1223834330?accountid=11091
Hyacinthe, B. (2012). Law of armed conflicts applied to i-warfare and information
11
operations: How and under what legal framework should surgical NATO and U.S.
military drone strikes be conducted? Paper presented at the 313-IX. Retrieved
from http://search.proquest.com/docview/1035293549?accountid=11091
Joint Warfighting Center. Joint Warfighting Center, (1997).Concept for future joint
operations. Available http://www.iwar.org.uk/rma/resources/jv2010/concepts-jv2010.pdf
Shawhan, K. J. (2001). Vital interests, virtual threats. reconciling international law with
information warfare and united states security. (Master's thesis, Air University).
Silver, D. B. (2002). Computer network attacks as a use of force under article 2(4) of the
United Nations charter. In M. Schmitt & B. O'Donnell (Eds.),Computer Network
Attack and International Law(Vol. 76, pp. 73-98). Available
http://permanent.access.gpo.gov/gpo3920/Naval-War-College-vol-76.pdf
United Nations. (2012). United nations treaties and principles on space law. Available at
http://www.oosa.unvienna.org/oosa/en/SpaceLaw/treaties.html
United States. Government Accountability Office, (2011). Defense department cyber
efforts DOD faces challenges in its cyber activities (GAO-11-75). Available
http://www.gao.gov/new.items/d1175.pdf
United States National Security Council. (nd). The Comprehensive National
cyber security Initiative. Available:
http://www.whitehouse.gov/sites/default/files/cyber security.pdf
United States Army. (nd). USCYBERCOM. Retrieved from
http://www.arcyber.army.mil/org-uscc.html
Unnithan, S. (2011, Mar 21). Inside the indo-pak cyber wars. India Today, Retrieved
from
http://search.proquest.com/docview/857795612?accountid=11091
US-China Economic and Security Review Commission. (2009). Capability of the
People’s Republic of China to Conduct Cyber Warfare and Computer Network
Exploitation. Available
http://permanent.access.gpo.gov/lps123422/NorthropGrumman_PRC_Cyber_Pa
per_FINAL_Approved%2520Report_16Oct2009.pdf
US-China Economic and Security Review Commission. (2012). Report to Congress
(Section 2 China’s Cyber Activities, p. 147) Available
http://www.uscc.gov/annual_report/2012/2012_Report-to-Congress-table.pdf
Ventre, D. (2012). Cyber conflict: Competing national perspectives. London: ISTE.
12
Westphalian system. In (2012). The New Oxford Companion to Law online (Ed.),
http://www.oxfordreference.com.proxy.library.georgetown.edu/view/10.1093/acre
f/9780199290543.001.0001/acref-9780199290543-e-2329
13