|“||The next Pearl Harbor we confront could very well be a cyber attack.||”|
- -- Secretary of Defense Leon Panetta
A cyberattack (also called a computer network attack and CNA) is
|“||malicious computer code or other deliberate act designed to alter, disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.||”|
Cyberattack (CyA) refers to
|“||actions combine computer network attack (CNA) with other enabling capabilities (such as, electronic attack (EA), physical attack, and others) to deny or manipulate information and/or infrastructure.||”|
|“||the use of deliberate actions — perhaps over an extended period of time — to alter, disrupt, deceive, degrade, or destroy adversary computer systems or networks or the information and/or programs resident in or transiting these systems or networks. Such effects on adversary systems and networks may also have indirect effects on entities coupled to or reliant on them."||”|
|“||[a]n attack, via cyberspace, targeting an enterprise's use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure, or for destroying the integrity of the data or stealing controlled information.||”|
The malicious code can be directed against computer processing code, instruction logic, or data. The code can generate a stream of malicious network packets that can disrupt data or logic through exploiting a vulnerability in computer software, or a weakness in the computer security practices of an organization. This type of cyberattack can disrupt the reliability of equipment, the integrity of data, and the confidentiality of communications.
Cyberattacks are increasingly designed to silently steal information without leaving behind any damage that would be noticed by a user. These types of attacks attempt to escape detection in order to remain on host systems for longer periods of time.
Self-sustaining cyberattacks increasingly depend on "botnets," or groups of malware-infected computers (also called "zombies") that can be used to remotely carry out attacks against other computer systems. It is also expected that as mobile communication devices are incorporated more into everyday life, they will be increasingly targeted in the future for attack by cybercriminals.
Cyberattacks on U.S. information networks can have serious consequences, such as disrupting critical operations, causing loss of revenue and intellectual property, or loss of life. Distinctions between crime, terrorism, and war tend to blur when attempting to describe a computer network attack (CNA) in ways that parallel the physical world.
For example, if a nation state were to secretly sponsor non-state actors who initiate a CNA to support terrorist activities or to create economic disruption, the distinction between cybercrime and cyberwar becomes less clear. Because it is difficult to tell from where a cyberattack originates, an attacker may direct suspicion toward an innocent third party. Likewise, the interactions between terrorists and criminals who use computer technology may sometimes blur the distinction between cybercrime and cyberterrorism. It also may be the case that individuals providing computer expertise to a criminal or terrorist may not be aware of the intentions of the individual that requested the support. So far, it remains difficult to determine the sources responsible for most of the annoying, yet increasingly sophisticated attacks that plague the Internet. Given the difficulty in determining the originator of the cyber intrusions or attacks, some argue that unlike responding to traditional criminal acts, the focus should be on the act rather than the perpetrator and the threshold for launching defensive and offensive actions should be lowered.
Forms of cyberattacks Edit
The types and techniques of cyberattacks commonly used include:
Objectives of cyberattacks Edit
The objectives of a cyberattack include the following four areas:
- Loss of integrity, such that information could be modified improperly.
- Loss of availability, where mission critical information systems are rendered unavailable to authorized users;
- Loss of confidentiality, where critical information is disclosed to unauthorized users; and,
- Physical destruction, where information systems create actual physical harm through commands that cause deliberate malfunctions.
Publicity would be also one of the primary objectives for a terrorist attack. Extensive coverage has been given to the vulnerability of the U.S. information infrastructure and to the potential harm that could be caused by a cyberattack. This might lead terrorists to feel that even a marginally successful cyberattack directed at the United States may garner considerable publicity. Some suggest that were such a cyberattack by a terrorist organization to occur and become known to the general public, regardless of the level of success of the attack, concern by many citizens may lead to widespread withdrawal of funds and selling of equities.
Benefits of cyberattacks Edit
Cyberattacks have characteristics that can vastly enhance the reach and impact of their actions, such as the following:
- Attackers do not need to be physically close to their targets to perpetrate a cyberattack.
- Technology allows actions to easily cross multiple state and national borders.
- Attacks can be carried out automatically, at high speed, and by attacking a vast number of victims at the same time.
- Attackers can more easily remain anonymous.
A number of factors in the current security environment provide would-be attackers with significant advantages over those trying to protect the large-scale networks and interconnected IT systems on which society increasingly depends. An attacker needs to find only one vulnerability; the defender must try to eliminate all vulnerabilities. Powerful attack tools, including automated tools for malicious actions, are now freely available for downloading over the Internet to anyone who wants them, and little skill is required to use them. The resources – including training and equipment – needed to launch potentially harmful attacks are not only readily available but relatively inexpensive compared to the costs of securing systems, networks, and information and responding to attacks.
As a result, some classes of attacks can be initiated with little sophistication. Although these attacks are not generally significant threats to systems that are kept patched and well secured, they are effective against the many unpatched and poorly secured systems connected to the Internet, and contribute to a background level of ongoing malicious network activity. The automated tools that can be used by people with relatively little skill or knowledge continue to multiply, and are gradually increasing in capability in step with improvements in cyber security and information assurance technologies. Attackers also have the ability to exploit vulnerable third-party machines to launch their attacks.
Negative consequences of cyberattacks Edit
Those that fall victim to successful cyberattacks may incur substantial costs and suffer other negative consequences, which may include, but are not limited to:
- Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused. Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack;
- Increased cybersecurity protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants;
- Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
- Litigation; and
- Reputational damage adversely affecting customer or investor confidence.
Weapons for cyberattacks Edit
Weapons for cyberattacks have a number of characteristics, including:
- They are easy to use with high degrees of anonymity and with plausible deniability, making them well suited for covert operations and for instigating conflict between other parties;
- They are more uncertain in the outcomes they produce, making it difficult to make estimates of deliberate and collateral damage; and
- They involve a much larger range of options and possible outcomes, and may operate on time scales ranging from tenths of a second to years, and at spatial scales anywhere from “concentrated in a facility next door” to globally dispersed.
U.S. Space Command Edit
On October 1, 2000, U.S. Space Command at Peterson Air Force Base, Colorado, assumed operational responsibility for the CNA (Computer Network Attack) mission for the Department of Defense. U.S. Space Command now takes the military lead in defending DoD networks, as well as offensive information operations as an element of defending U.S. systems. CNA operations may also include counterterrorism and support of U.S. military forces deployed in crisis or conflict.
Application of international law Edit
Application to computer network attacks Edit
There is no way to be certain how the principles of international law will be applied by the international community to computer network attacks. As with other developments in international law, much will depend on how the nations and international institutions react to the particular circumstances in which these issues are raised for the first time.
If we were to limit ourselves to the language of Article 51 of the UN Charter, the obvious question would be, “Is a computer network attack an ‘armed attack’ that justifies the use of force in self-defense?”
If one focuses on the means used, we might conclude that electronic signals imperceptible to human senses do not closely resemble bombs, bullets, or troops. On the other hand, it seems likely that the international community will be more interested in the consequences of a computer network attack than in its mechanism. It might be hard to sell the notion that an unauthorized intrusion into an unclassified information system, without more, constitutes an armed attack. On the other hand, if a coordinated computer network attack shuts down a nation’s air traffic control system along with its banking and financial systems and public utilities, and opens the floodgates of several dams resulting in general flooding that causes widespread civilian deaths and property damage, it may well be that no one would challenge the victim nation if it concluded that it was a victim of an armed attack, or of an act equivalent to an armed attack.
Even if the systems attacked were unclassified military logistics systems, an attack on such systems might seriously threaten a nation’s security. For example, corrupting the data in a nation’s computerized systems for managing its military fuel, spare parts, transportation, troop mobilization, or medical supplies may seriously interfere with its ability to conduct military operations. In short, the consequences are likely to be more important than the means used.
If the international community were persuaded that a particular computer network attack or a pattern of such attacks should be considered to be an “armed attack,” or equivalent to an armed attack, it would seem to follow that the victim nation would be entitled to respond in self-defense either by computer network attack or by traditional military means in order to disable the equipment and personnel that were used to mount the offending attack.
In some circumstances it may be impossible or inappropriate to attack the specific means used in an attack (e.g. because the specific equipment and personnel used cannot be reliably identified or located, or an attack on the specific means used would not be effective, or an effective attack on the specific means used might result in disproportionate collateral damage). Where the specific means cannot be effectively attacked, any legitimate military target could be attacked, including intelligence and military leadership targets, as long as the purpose of the attack is to dissuade the enemy from further attacks or to degrade the enemy’s ability to undertake them.
There has been some support for the proposition that a nation has an inherent right to use force in self-defense against acts that do not constitute a classic armed attack. This view is supported by the inclusion in the UN General Assembly’s definition of aggression of acts that do not entail armed attacks by a nation’s armed forces, such as the unlawful extension of the presence of visiting forces, or allowing a nation’s territory to be used by another state “for perpetrating an act of aggression against a third State.”
U.S. practice also support this position, as demonstrated in the 1986 bombing of Libyan command and leadership targets to persuade Libya to stop sponsoring terrorist attacks against U.S. interests, and in the 1998 attack on the Iraqi military intelligence headquarters to persuade Iraq to desist from assassination plots against former President Bush.
A contrary view was expressed in the International Court of Justice’s 1986 ruling in Nicaragua v. United States that the provision of arms by Nicaragua to the leftist rebels in El Salvador did not constitute an armed attack on El Salvador, so it could not form the basis of a collective self-defense argument that would justify armed attacks in response, such as laying of mines in Nicaraguan waters or certain attacks on Nicaraguan ports, oil installations and a naval base — acts that were “imputable” to the United States. The Court also said it had insufficient evidence to determine whether certain cross-border incursions by Nicaraguan military forces into the territory of Honduras and Costa Rico constituted armed attacks. The extent to which Nicaragua’s conduct would justify El Salvador and its ally the United States in responding in ways that did not themselves constitute an armed attack was not before the Court. The opinion of the court nevertheless provides some support for the proposition that the provocation must constitute an armed attack before it will justify an armed attack in self-defense.
It seems safe to say that the issue of whether traditional armed force may be used in self-defense in response to provocations that are not technically regarded as armed attacks is far from settled, and that the positions taken by states may be sharply influenced by the nature of the events concerned, together with all attendant policy and political considerations.
By logical implication, to the extent that a nation chooses to respond to a computer network attack by mounting a similar computer network attack of its own, the issue of whether the initial provocation constituted an armed attack may become a tautology. If the provocation is considered to be an armed attack, the victim may be justified in launching its own armed attack in self-defense. If the provocation is not considered to be an armed attack, a similar response will also presumably not be considered to be an armed attack.
Accordingly, the question of the availability of the inherent right of self-defense in response to computer network attacks comes into sharpest focus when the victim of a computer network attack considers acting in self-defense using traditional military means. The issue may also arise if the response causes disproportionately serious effects (e.g., if a state responded to a computer network attack that caused only minor inconvenience with its own computer network attack that caused multiple deaths and injuries).
As in all cases when a nation considers acting in self-defense, the nation considering such action will have to make its best judgment on how world opinion, or perhaps a body such as the International Court of Justice (ICJ) or the UN Security Council, is likely to apply the doctrine of self-defense to electronic attacks. As with many novel legal issues, we are likely to discover the answer only from experience.
It seems beyond doubt that any unauthorized intrusion into a nation’s computer systems would justify that nation at least in taking self-help actions to expel the intruder and to secure the system against reentry. An unauthorized electronic intrusion into another nation’s computer systems may very well end up being regarded as a violation of the victim’s sovereignty. It may even be regarded as equivalent to a physical trespass into a nation’s territory, but such issues have yet to be addressed in the international community.
Furthermore, the act of obtaining unauthorized access to a nation’s computer system creates a vulnerability, since the intruder will have had access to the information in the system and he may have been able to corrupt data or degrade the operating system. Accordingly, the discovery that an intrusion has occurred may call into question the reliability of the data and the operating system and thus reduce its utility.
If an unauthorized computer intrusion can be reliably characterized as intentional and it can be attributed to the agents of another nation, the victim nation will at least have the right to protest, probably with some confidence of obtaining a sympathetic hearing in the world community.
An “active defense” against computer network attacks Edit
A persistent foreign intruder who gains repeated unauthorized entry into a nation’s computer systems by defeating a variety of security measures or who gains entry into a number of computer systems may demand a different response. Such behavior may indicate both that there is a continuing danger and that coercive measures are necessary to stop the intruder’s pattern of conduct. Similarly, there may be a right to use force in self-defense against a single foreign electronic attack in circumstances where significant damage is being done to the attacked system or the data stored in it, when the system is critical to national security or to essential national infrastructures, or when the intruder’s conduct or the context of the activity clearly manifests a malicious intent.
If it is capable of doing so, in such circumstances the victim nation may be justified in launching a computer attack in response, intended to disable the equipment being used by the intruder. Disabling one computer may or may not defeat a state-sponsored operation. It may, however, serve as a “shot across the bow” warning of more serious consequences if the offending behavior continues. It is also an action unlikely to come to public attention unless one of the two governments announces it, making it a potentially useful measure for conflict avoidance.
Conducting a responsive computer network attack as a measure of self-defense against foreign computer network attacks would have the major advantage that it would minimize issues of proportionality, which would be more likely to arise if traditional military force were used, such as firing a cruise missile at the building from which a computer network attack is being conducted. Either response would likely be analyzed on the basis of the traditional criteria of necessity and proportionality.
If it is impractical to focus an attack on the equipment used in the provocation, any legitimate military target may be attacked. The primary value of being able to demonstrate a nexus between the provocation and the response is to be able to argue the likely therapeutic effect of the force used in self-defense. As a practical matter, the next most attractive target after the equipment used in the provocation may be the offending nation’s communications systems, or its military or intelligence chain of command.
The consequences of a large-scale campaign of computer network attacks might well justify a large-scale traditional military response. A Russian academic took this argument to its extreme in a published statement to the effect that Russia reserves the right to respond to an information warfare attack with nuclear weapons.
As stated above, the discussion up to this point has assumed we know who an intruder is, and that we are confident in characterizing his intent. In practice, this is seldom the case, at least in the early stages of responding to computer intrusions. The above legal analysis may change if the identity and location of an intruder is uncertain, or if his intent is unclear.
Identification of the originator of an attack has often been a difficult problem, especially when the intruder has used a number of intermediate relay points, when he has used an “anonymous bulletin board” whose function is to strip away all information about the origin of messages it relays, or when he has used a device that generates false origin information. Progress has been made, however, in solving the technical problem of identifying the originator of computer messages, and reliable identification of the computer that originated a message may soon be routinely available. Attribution may also be provided by intelligence from other sources, or it might be reliably inferred from the relationship of the attack to other events.
Locating the computer used by the intruder does not entirely solve the attribution problem, however, since it may have been used by an unauthorized person, or by an authorized user for an unauthorized purpose. A parent may not know that the family computer is being used for unlawful attacks on government computer systems. Universities, businesses, and other government agencies may be similarly unaware that their computer systems are being misused. The owner of a computer system may have some responsibility to make sure it is not being used for malicious purposes, but the extent of such responsibility, and the consequences of failing to meet it, have apparently not been addressed in any U.S. or foreign statute or court decision.
These considerations should make us cautious in implementing any “active defense” system for government computer systems. Nevertheless, circumstances may arise in which the urgency of protecting critical information systems from serious damage may warrant adoption of a properly designed “active defense.”
Similarly, characterization of an intruder’s intentions may be difficult. Nevertheless, such factors as persistence, sophistication of methods used, targeting of especially sensitive systems, and actual damage done may persuasively indicate both the intruder’s intentions and the dangers to the system in a manner that would justify use of an “active defense.” As with attribution, there may be useful intelligence on this issue from other sources, or it may be possible to reliably infer the intent of the intruder from the relationship of the attack to other events.
A determination that an intrusion comes from a foreign country is only a partial solution to the attribution problem, since the attack may or may not be state-sponsored. State-sponsored attacks may well generate the right of self-defense. State sponsorship might be persuasively established by such factors as signals or human intelligence, the location of the offending computer within a state-controlled facility, or public statements by officials. In other circumstances, state sponsorship may be convincingly inferred from such factors as the state of relationships between the two countries, the prior involvement of the suspect state in computer network attacks, the nature of the systems attacked, the nature and sophistication of the methods and equipment used, the effects of past attacks, and the damage which seems likely from future attacks.
Attacks that cannot be shown to be state-sponsored generally do not justify acts of self-defense in another nation’s territory. States jealously guard their sovereign prerogatives, and they are intolerant of the exercise of military, law-enforcement, and other “core sovereign powers” by other states within their territory without their consent.
When individuals carry out malicious acts for private purposes against the interests of one state from within the territory of a second state, the aggrieved state does not generally have the right to use force in self-defense against either the second state itself or the offending individual. Even if it were possible to conduct a precise computer network attack on the equipment used by such individual actors, the state in which the effects of such an attack were felt, if it became aware of it, could well take the position that its sovereignty and territorial integrity had been violated.
The general expectation is that a nation whose interests are damaged by the private conduct of an individual who acts within the territory of another nation will notify the government of that nation and request its cooperation in putting a stop to such conduct. Only if the requested nation is unwilling or unable to prevent recurrence does the doctrine of self-defense permit the injured nation to act in self-defense inside the territory of another nation.
The U.S. cruise missile strikes against terrorists camps in Afghanistan on August 20, 1998, provides a close analogy in which the United States attacked camps belonging to a terrorist group located in the territory of a state which had clearly stated its intention to continue to provide a refuge for the terrorists. At some point, providing safe refuge for those who conduct attacks against another nation becomes complicity in those attacks. At a minimum, the offended nation is authorized to attack its tormenters, the terrorists. As complicity shades into the kinds of active support and direction that are commonly called “state sponsorship,” military and leadership targets of the host state may themselves become lawful targets for acts of self-defense.
Attacks on insurgents or on terrorists and other criminals using a neutral nation’s territory as a refuge may also be justified when the neutral state is unable to satisfy its obligations. During the Vietnam war, the United States attacked North Vietnamese military supply lines and base camps in Cambodia after the Cambodian government took the position that it was unable to prevent North Vietnam from making such use of its territory. This principle might justify using active defense measures against a computer intruder located in a neutral nation if the government of the neutral nation declared it had no way to locate the intruder and make him stop, or if its behavior made it clear that it could not or would not act, or even if the circumstances did not allow time for diplomatic representations to be effective. As an analogy, it seems unlikely that a nation would complain very loudly if its neighbor nation returned fire against a terrorist sniper firing from its territory.
In summary, the international law of self-defense would not generally justify acts of “active defense” across international boundaries unless the provocation could be attributed to an agent of the nation concerned, or until the sanctuary nation has been put on notice and given the opportunity to put a stop to such private conduct in its territory and has failed to do so, or the circumstances demonstrate that such a request would be futile.
Nevertheless, in some circumstances the National Command Authority (NCA) might decide to defend U.S. information systems by attacking a computer system overseas, and take the risk of having to make an apology or pay compensation to the offended government. Among the factors the NCA would probably consider would be the danger presented to U.S. national security from continuing attacks, whether immediate action is necessary, how much the sanctuary nation would be likely to object, and how the rest of the world community would be likely to respond.
There need be less concern for the reaction of nations through whose territory or communications systems a destructive message may be routed. If only the nation’s public communications systems are involved, the transited nation will normally not be aware of the routing such a message has taken. Even if it becomes aware of the transit of such a message and attributes it to the United States, there would be no established principle of international law that it could point to as being violated.
Even during an international armed conflict, international law does not require a neutral nation to restrict the use of its public communications networks by belligerents. Nations generally consent to the free use of their communications networks on a commercial or reciprocal basis. Accordingly, use of a nation’s communications networks as a conduit for an electronic attack would not be a violation of its sovereignty in the same way that would be a flight through its airspace by a military aircraft.
A transited state would have somewhat more right to complain if the attacking state obtained unauthorized entry into its computer systems as part of the communications path to the target computer. It would be even more offended if malicious logic directed against a target computer had some harmful effect against the transited state’s own equipment, operating systems, or data. The possibility of such collateral damage would have to be carefully considered by the state launching any such attack. If there were a high potential for such collateral damage to transited systems, the weapon might even be considered to be an “indiscriminate” weapon incapable of being reliably directed against a legitimate target.
There are at least two ways in which the availability of improved technology may affect the active-defense equation. First, it might be argued that as a government acquires the ability to build better firewalls and other security systems it will be harder to argue that an active defense is “necessary.” This argument might be raised even if the target government has failed to install all possible technological security measures on the system that is under attack. This demanding approach to “necessity” finds little support in the practice of nations.
The focus of self-defense analysis is on events as they unfold, and not as they might have been if different budgeting and acquisition decisions had been made sometime in the past. If such systems are in place, however, their apparent effectiveness should be taken into account in deciding whether active defense measures are necessary. This does not mean that a nation has no right of self-defense where a first attempted intrusion fails, or even when a series of intrusions fail.
If an attacker is permitted to continue mounting a campaign of such attacks it may learn by trial and error, it may employ other capabilities, or it may stumble onto a point of vulnerability. Just as an infantry unit exercising the right of self-defense may pursue a force that breaks off an attack and attempts to retreat until the attacker ceases to be a threat, decisions on taking measures of self-defense against computer network attacks must take into account the extent to which an attacker continues to present a threat of continuing attacks.
Another possible implication of a defender’s technological prowess may arise when a nation has the capacity for graduated self-defense measures. Some may argue that a nation having such capabilities must select a response that will do minimal damage. This is a variant of the argument that a nation possessing precision-guided munitions must always use them whenever there is a potential for collateral damage. That position has garnered little support among nations and has been strongly rejected by the United States. There is broad recognition that the risk of collateral damage is only one of many military considerations that must be balanced by military authorities planning an attack.
One obvious consideration is that a military force that goes into a protracted conflict with a policy of always using precision-guided munitions whenever there is any potential for collateral damage will soon exhaust its supply of such munitions. Similarly, military authorities must be able to weigh all relevant military considerations in choosing a response in self-defense against computer network attacks. These considerations will include the probable effectiveness of the means at their disposal, the ability to assess their effects, and the “fragility” of electronic means of attack (i.e., once they are used, an adversary may be able to devise defenses that will render them ineffective in the future).
In the process of reasoning by analogy to the law applicable to traditional weapons, it must always be kept in mind that computer network attacks are likely to present implications that are quite different from the implications presented by attacks with traditional weapons. These different implications may well yield different conclusions.
It may be possible to specify certain information systems that are vital to national security — both government systems and key civilian infrastructure systems. This process should serve both to give such systems high priority for security measures and also to identify a class of systems any attack on which would immediately raise the issue of whether an active defense should be employed. This should not, of course, eliminate consideration of using an active defense against attacks on systems not on such a “vital systems” list where the circumstances justify such action.
For example, a vigorous attack that threatens to overwhelm an information system not on the “vital systems” list but that performs an important national security function could be a more valid occasion to use active defense measures than would be a trivial and easily defeated attack on a designated “vital system.” A list of “vital systems” would serve primarily as a alert mechanism that would bring about a prompt high-level evaluation of all the circumstances.
In addition, it would be useful to create a process for determining when the response to a computer intrusion should shift from the customary law enforcement and counter-intelligence modes to a national defense mode. Such a process should include (1) a statement of general criteria to be applied; (2) identification of officials or agencies that will be involved in making the decision; and (3) procedures to be followed.
There are of course a variety of treaty obligations that will have to be considered before adopting an “active defense” against foreign computer network attacks. There are also a variety of domestic legal concerns that will have to be addressed.
- ↑ The U.S. Army Concept Capability Plan for Cyberspace Operations 2016-2028, at 21.
- ↑ Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities, at 10-11.
- ↑ Electricity Subsector Cybersecurity Risk Management Process, at 61.
- ↑ U.S. Army Training and Doctrine Command, Cyber Operations and Cyber Terrorism, Handbook No. 1.02, Aug. 15, 2005, p.II-1 and II-3.
- ↑ CF Disclosure Guidance: Topic No. 2: Cybersecurity.
- ↑ News Release, Sep. 29, 2000.
- ↑ Article 51 provides that: “Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security.”