Wednesday, September 22, 2010

NPR CyberWar Part One: I Beg to Differ

This morning on National Public Radio, we heard a story about "CyberWar" and some of the problems that the growing reality of CyberWar is going to present.

I'll have to review the transcript more carefully, but from the first-pass listen as I drove to work this morning, I believe I disagreed with every single point in the entire story. I'll try to break that down a bit here, using the story from the NPR website, "Extending the Law of War to Cyberspace," as my guide.

(All of the "Declarations" that I am responding to are quoted from that guiding article.)

Most Important Development in Decades?

Declaration: "The emergence of electronic and cyberwar-fighting capabilities is the most important military development in decades"

Response: Actually, if we're counting "decades", my top nominations would be the Unmanned Aerial Vehicle and the GPS-guided munitions such as the JDAM: Joint Direct Attack Munition.

CNN's headline last year was one I agree with, "How robot drones revolutionized the face of warfare," as was more fully explained in P.W. Singer's Wired for War: The Robotics Revolution and Conflict in the 21st Century.

The biggest benefit of the UAVs is, of course, that they protect our soldiers from harm, while allowing missions that would never have been completed before or that could only have been completed with extreme risk to life and limb.

Likewise, Strategy Page's article How Precision Weapons Revolutionized Warfare gives a good outline on the revolution of extremely precise weapons, packed with the right size explosive to blow up exactly what you are shooting at.

When is CyberWar Equal to Armed Attack?

Declaration: "If nations don't know what the rules are, all sorts of accidental problems might arise," says Harvard law professor Jack Goldsmith. "One nation might do something that another nation takes to be an act of war, even when the first nation did not intend it to be an act of war."

Response: There is no agreed-upon definition of "Use of Force" between nations even for non-cyber incidents. This came out in the answer to a question that was put to General Keith Alexander, now the commander of the US Cyber Command from his NSA post at Fort Meade, Maryland, during his confirmation hearings. The question he was asked was:

Does DOD have a definition for what constitutes use of force in cyberspace, and will that definition be the same for U.S. activities in cyberspace and those of other nations?

His answer:

Article 2(4) of the UN Charter provides that states shall refrain from the threat or use of force against the territorial integrity or political independence of any state. DOD operations are conducted consistent with international law principles in regard to what is a threat or use of force in terms of hostile intent and hostile act, as reflected in the Standing Rules of Engagement/Standing Rules for the Use of Force (SROE/SRUF).

There is no international consensus on a precise definition of a use of force, in or out of cyberspace. Consequently, individual nations may assert different definitions, and may apply different thresholds for what constitutes a use of force. Thus, whether in the cyber or any other domain, there is always a potential disagreement among nations considering what may amount to a threat or use of force.

My point is not so much to disagree with the NPR statement here, as to point out that it is EXACTLY the same problem we have in every other kind of warfare. Cyber isn't special in this regard. Was the downing of a Chinese plane in a collision with a US spy plane an act of war in 2001? Was the North Korean torpedo attack back in May an act of war? Was the Israeli bombing of buildings in Gaza an act of war? It has always been true that each attacked country gets to decide.

More answers along this line of reasoning from General Alexander are in his published Q&A, available from the Washington Post.

Rogue Actions vs. State-Sponsored

Declaration: "One important consideration is whether the attack is the work of a lone hacker, a criminal group or a government. The law of war applies primarily to conflict between states, so truly rogue actions would not normally be covered."

Response: What defines "state" action? There have been Congressional hearings on this very subject, as I discussed in my July 2010 blog post, The Future of Cyber Attack Attribution. There have also already been multiple occasions where the victim accused a state of attacking and the state denied the accusation. In the case of Russian cyber-attacks against Georgia prior to the August 2008 invasion of South Ossetia, it was clear that there were some populist activities, as I wrote in the article Evidence that Georgia DDOS Attacks Are Populist in Nature, but the coupling of the Russian tanks driving through town would seem to support the theory that at least some of the cyber attacks were designed to take out C2 ability and especially the ability of the state to communicate with the governed. In the Estonian DDOS (pdf) of May 2007, it was clear that the attack was not "by" the government, but rather by the Russian "Nashi" youth movement, possibly incited to action by the government, and possibly even using some government computers as part of the attacking DDOS.

The concept that individuals could wage cyberwar was nicely stated in the January 1999 report by mi2g: "Cyber Warfare: The Threat to Government, Business, and Financial Markets"

Historically war has been classified as physical attacks with bombs & bullets between nation states. It was beyond the means of an individual to wage war.

Today, in the Information Age, the launch pad for war is no longer a runway but a computer. The attacker is no longer a pilot or soldier but a civilian Hacker. An individual with relatively simple computer capability can do things via the internet that can impact economic infrastructures, social utilities and national security. This is the problem we face in moving from the industrial world to the Information Age, which is the essence of Cyber War.

I suppose I mostly agree with this point, except to say that there are many ways, such as the Estonia example, where a country may be so clearly involved in inciting their citizenry to "cyber attack" that a nation-level response may be warranted.

Civilian Infrastructure Attacks

Declaration: "A direct attack on a civilian infrastructure that caused damage, even loss of life of civilians, would, I think, be a war crime." - Professor Daniel Ryan, National Defense University

Response: Didn't the United States blow up electrical plants, television and radio stations, bridges, roads, runways, and water treatment plants during the two Iraq Wars? Were those war crimes, too? Professor Ryan? We have to use a consistent definition. If it's not a war crime to attack civilian infrastructure kinetically, why is it a war crime to do so electronically?

Electrical Grid Targeting?

Declaration: "Former CIA Director Hayden, a retired Air Force general, suggests using common sense. One example of an attack that should be illegal, he says, would be the insertion of damaging software into an electrical grid."

Response: Why would it be illegal to damage the electrical grid with software, when elsewhere THIS YEAR General Hayden said that the electrical grid was a fair target? Hayden talked about hacking power grids at Black Hat back in July. CNET's coverage of that talk "U.S. military cyberwar: What's off-limits?" includes this thinking:

Power grids are another example of where traditional military doctrine may need to shift, Hayden said. "A power grid is, according to traditional military thought, a legitimate target under some circumstances," he said. "Mark 82s are kind of definitive and it's a one-way switch--that thing's kind of gone." (An MK-82 is a general-purpose, 500-pound unguided bomb used by the U.S. military since the 1950s.)

But destroying, or at least thoroughly disabling, a power grid through an offensive cyberattack means penetrating it well in advance. And if there are dozens of different nations stealthily invading a grid's computers and controllers all the time, it's probably not going to be stable. "There are some networks that are so sensitive that maybe we should just hold hands and hum "Kumbaya" and agree they're off limits," he said. "One is power grids...You can't just have 23 different intelligence services hacking their way through the electrical grid."

So, it's OK to use an MK-82 to blow up power plants, but it should be illegal to insert software into them because that might damage them. What kind of messed up logic is that?

Hostile Intent

Declaration: The purpose of the activity is also relevant. Michael Hayden, having directed both the National Security Agency and the CIA, would not include an effort by one country to break into another country's computer system to steal information or plans. "We don't call that an attack," Hayden said at a recent conference on hacking. "We don't call that cyberwar. That's exploitation. That's espionage. States do that all the time."

Response: Hayden's definition would, I suppose, be consistent with Richard Clarke's definition in his new book CyberWar: The Next Threat to National Security and What to Do About It. He says CyberWar is "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption."

Several organizations have attempted to define "CyberWar" and the definition continues to evolve. "CyberWar" was probably first used by Eric Arnett in his paper "Welcome to Hyperwar" in the Bulletin of the Atomic Scientists, where it referred to war by robotic soldiers. The terms "NetWar" and "CyberWar" were both defined by RAND in their report CyberWar is Coming!, part of the larger nineteen-chapter monograph, "In Athena's Camp: Preparing for Conflict in the Information Age", published in 1992, where the term "NetWar" was used to describe PsyOps via the Internet, while "CyberWar" was closer to its current definition.

But should CyberWar NOT include Espionage?

Much more recently, David Wilson's excellent article for ISSA Journal in June 2010, When Does Electronic Espionage or a Cyber Attack become an "Act of War?" lays out an excellent set of definitions and conditions. In his article he quotes FBI Deputy Assistant Director for Cyber, Steve Chabinsky as telling the FOSE government IT Trade Show in March that:

A top FBI official warned today that many cyber-adversaries of the U.S. have the ability to access virtually any computer system, posing a risk that's so great it could "challenge our country's very existence."

Wilson's argument, supported by Chabinsky's quote, is that "electronic espionage" can be far more pervasive than traditional espionage, and that "a nation will have to decide how much pain it is willing to endure, and where it believes the international community’s tolerance lies, assuming they care, before retaliating against electronic attacks or invasions to its networks."

I totally agree with Mr. Wilson. The placement of the line in the sand may be somewhat arbitrary, but it's quite possible for cyber espionage to become so pervasive as to pose a risk to national security worthy of an armed response.

Ninety-Five Percent?

Declaration: "Computers don't always have signs over them that say, 'I'm a military target' [or] 'I'm a civilian target,' " says Harvard's Goldsmith. "Also, the two things are intermixed. Ninety to 95 percent of U.S. military and intelligence communications travel over private networks."

Response: The Department of Defense has more than 7 million computers. I don't know how the Army works, but I know the Navy Marine Corps Internet was at one time the largest private Intranet on the entire planet. The US Army has maintained a stand-alone Intranet since at least 2001, and has repeatedly had headlines about it being the largest stand-alone network in the world. Soldiers don't call down an airstrike and then update their Facebook pages and do a little online banking, as the statement seems to imply.

No One is Going to Get Caught

Declaration: If anything, it would be harder to enforce the law of war in the cyberworld than in other domains of warfighting. The amount of anonymity in cyberspace means that a devastating attack might leave no "signature" or trace of its origin.

"Since we know that that's going to happen all the time," Baker says, "and no one is going to get caught, to say that [a cyberattack] is a violation of the law of war, is simply to make the law of war irrelevant."

Response: The "untraceable" network attack, despite the movie by EJ Hilbert and friends, is a myth that we are working hard to dispel at the UAB Computer Forensics Research Laboratory. What we call "untraceable" today usually means "too much work for too little reward, so nobody bothers to trace it." I think many of my colleagues in security research would love to take on the challenge of some of these "untraceable" events. Let's buy one fewer B2 Bomber this year and put that extra $2.2 Billion towards making a concerted effort to prove this one wrong. Shoot. I'll do it for half that!

For more interesting reading on CyberWar, I strongly recommend:

Congressional Research Service Report: Information Operations and Cyberwar: Capabilities and Related Policy Issues
