The world we live in now is globalizing at a rapid pace, ushering in a new era of technology that is revolutionizing almost every aspect of life. Technology has reached a pinnacle level in the global landscape. It is a part of nearly every aspect of everyday life, and even more now a part of the governments and militaries of the world over. Computers have become a necessary part of our world, assisting in almost all transactions, data transmissions, information storage, normal and strategic operations of major infrastructures, military operations and productivity, and have established themselves in a host of other critical arenas of our lives.
While computers have made life easier for millions of people worldwide, they do not come without their pitfalls. The advent of integrated computer systems and networks has given rise to the Internet, one of the tools for which society has connected itself with and through. With the benefits we receive from this new technology, societies have at the same time accepted its risks. Society and governments have built a reliance on these technologies and that has made them vulnerable to foreign and domestic attack.
The Internet has opened a gateway for one’s enemies to attack and disrupt in a new and potentially devastating way. In a recent publication on Cyber-warfare, The Center for the Study of Technology and Society explains, “…however, once the Internet became an international phenomenon, its main asset (decentralized communication) became a potential Achilles’ Heel”. It is clear that some form of the internet is here to stay, and it must be understood that if it stays unregulated in its current form then its vulnerabilities are here to stay as well.
As an open portal for access to major sectors of our society and the world over, the internet has become a focus for governments, militaries, terrorists, organized crime, domestic and foreign businesses, NGO’s, IGO’s and individuals. As a result of the interest in this decentralized form of communication, the internet should be a topic of major concern for the International community. The internet, which has potentially billions of users and has connected the world in a way never seen before, has at the same time become a focus of attention for use in attacking and harming others (states, individuals, and businesses) by implementing devices and tactics as a means of disrupting enemies, whatever the actor and cause they represent may be.
Cyber-warfare, the focus of this report, is a new form of war that has been birthed by the advent of the Internet. This emerging threat has created a new battlefield where wars are already being fought. It has its origins in the revolutionary technologies of the 20th century and is a host to various motivations and actors alike. Utilizing such methods as Web vandalism, disinformation campaigns, the gathering of secret data, disruption of military operations in the field, and by attacking critical infrastructure, entities and individuals can destabilize and damage their targets as effectively as employing bombs or weapons of mass destruction, at less than half the costs. Governments and businesses can engage in espionage now without ever leaving the confines of their offices and countries of origin. Individuals can now wreak havoc to any target by the simple act of a keystroke while sitting in their living rooms. Cyber-warfare even threatens the very sacred notion of state sovereignty as international bodies are forced to grapple with concepts such as aggressive acts of war versus espionage.
Cyber-warfare is a reality, and it is creating an emerging legal conundrum for domestic and international governing bodies. Thus far, the international community has yet to create a coherent body of laws that cover specifically information operations. As of today there are no real or clear legal pathways to deal with or even address the intricacies of cyber-warfare. This is where I will make my suggestions to International Law for the benefit of peace and security within the International Community. Throughout this essay I will make many suggestions to help the International Community establish a coherent body of documents to refer to when looking at cyber-warfare as well as a way to eventually develop a legal framework for states and actors to follow. It is clear that International Law is in need of a clear path to dealing with cyber-warfare and a way to categorize the information operations that are conducted by actors in the international community.
This new battlefield has future implications that society is only beginning to realize. Cyber-warfare’s effects will change the global landscape and shape the future of business, law and warfare itself. It is this new threat to international peace and security that looms on the forefront of our future in this technologically dependent world. Cyber-warfare is poised to become a menace to society if not taken seriously by those responsible for our protection.
The world is in dire need of a solution to this new threat, and as this is a global matter, it is clear that the time for a convention on cybercrime is at hand. As of 2000, only negotiations for a convention on cybercrime were in progress under the guidance of the Council of Europe, with U.S. participation. It is now up to the International community to develop a body of coherent distinctions and laws that can govern information and internet operations to ensure that if a belligerent uses information technologies to cause harm, these acts can be sufficiently evaluated under the laws of war and relevant humanitarian laws.
The process of determining appropriate definitions and laws governing cyber-warfare and establishing permanent bodies to have jurisdiction over this arena will take time and until a conclusion to these matters can be reached, we as an international community will still need a way to address this topic. In my opinion, the current Geneva Convention with special attention to article 51 in conjunction with international common law, the humanitarian principles under the laws of war, and the past rulings by international bodies on proportionality and necessity should be the governing entities of cyber-warfare until conclusive and permanent institutions of oversight and governance can be established.
Cyber-Warfare: Intro to Topic
Our information technologies and technology dependent infrastructures demand attention from those who provide security and create and appropriate policy for the protection of the United States as well as the International Community. Cyber-warfare is a new reality, and a new threat to our way of life that must be addressed, on a level that rivals the threat posed from weapons of mass destruction. Yet because this threat is little understood by most, the threat is not yet taken as seriously as it should be by those in power, especially on the international level.
Most people can tell you what weapons of mass destruction are, and they can easily see the threat that they pose as a device designed for harm and subsequently most people can also explain what cyber-warfare is on a general level, but almost none of them grasp the extent to which cyber-warfare can cause damage. When discussing cyber-warfare it is necessary to understand what exactly “cyber-war” is. Most would agree that cyber-warfare is the use of computers and the Internet in conducting warfare in cyberspace by application of destructive force on various systems and institutions. The general term as described here is at its most basic level, the foundation for defining cyber-warfare and cyber-attacks. The Center for the Study of Technology and Society explains more clearly that the conventional definitions of war (an armed conflict between nations) and terrorism (potentially motivated violence aimed to influence an audience) do not strictly apply, so “cyber-warfare” and “cyber-terrorism” are often used as an umbrella term for electronic attacks that are not merely criminal in nature. Many nations and non-governmental actors have and will continue to use computer networks to stage attacks against their oppositional targets, and not just within sectors that one might expect.
For years, information and its transmission has been a central component of government and military activity as well as an asset to all parts of the business and political arenas. It is understood by experts that critical information must move from place to place even if an entire region and its computers are destroyed. This concept is what led to the development of the Internet. Originally designed and used as a military tool, the Internet has grown and spread into the private and business sectors of everyday life. Now it is in almost every home and business in the United States (including the government) and essentially the world for that matter which is the major reason the international community needs to face this new threat to peace and security head on as soon as possible.
The Internet is now accessible to anyone with a computer and modem and it provides a direct link to the United States, or any country for that matter, at multiple levels. Nations and NGO’s or NGA’s can and have used cyber-warfare to inflict damage to the major nations of the world and the threat is just now beginning to be realized. Cyber-warfare is extremely complex and is difficult to identify, calculate damage caused by attacks, determine intent, and assess when a calculated attack is underway. It is for this reason that important questions need to be answered concerning codified definitions of acts and operations, states’ rights to/for defense, remedies to damage, techniques for mitigating destruction, prevention, international legal classifications, jurisdiction of entities to govern cyber-war in order to ensure compliance with international laws and treaties, and finally the legal ramifications when violations of international laws occur.
Cyber-warfare Defined
Although the first task that the international community should do is create a legal body that could began the process of accepting definitions for the internet domain and cyber-war, as well as determining where each case would be reviewed and where jurisdiction will reside, this matter is a presumption that will be discussed later in the essay. First, it is beneficial to establish basic understandings and definitions for various aspects of cyber-warfare and attacks.
As defined earlier in the introduction, cyber-warfare or sometimes termed information warfare or information operations has been used in respect to military techniques that target opponents various electronic infrastructures. Information operations, or specifically the physical attacks on information systems, psychological operations, jamming of radar and radio signals and even some forms of “hacking”, have been employed on numerous occasions by multiple actors for some time now. This has led some, including myself, to consider these types of actions as “traditional”, subject to the international laws of war, to include the principle of distinguishing between combatants and non-combatants. It is important for us to understand the various ways that actors conduct cyber-warfare. There are many ways that one’s enemies can conduct cyber-warfare including but not limited to:
1. Web Vandalism: Foreign opponents can deactivate or deface government or military Web pages. As well as attack public sites and businesses.
2. Using Disinformation Campaigns: The Internet is a popular tool for finding news, and can be used to spread mis- and disinformation to affect a population’s beliefs or psychology. The net can also be used as a platform for rhetoric to incite and or mobilize sympathizers.
3. Gathering of Secret Data: Classified information that is not handled securely can be intercepted and tampered with. Foreign espionage has always been a threat, but now there is a less a need for operatives to be at risk in order to infiltrate a location.
4. Disruption in the field: Military activities that are carefully coordinated and dependent upon electronic communications transmitted over computers and satellites can be disrupted. Opponents can block, intercept and re-direct these vital communications, or pollute them with false orders or responses severely endangering the soldiers and missions.
5. Attacking critical infrastructure: Many components of a national critical infrastructure- electricity, water, fuel, communications, and transportation- are surprisingly vulnerable to concerted electronic attack. Serious domestic disasters, including financial meltdown, are very possible.
These are only some of the new developing threats that cyber-warfare presents to the global landscape and the technologically dependent future. It is clear how vulnerable the world is to this new threat, as well as the potential that cyber-warfare has to inflict catastrophic damage to our country and any country connected to a decentralized communication web.
Now that the methods of attack have been discussed we can look at some of the structures that may be targeted and the means by which they may target them. The earlier definition of cyber-attack also includes a list of possible targets and describes an introduction to computer network attacks popularly known as “hacking”. The previous definition which includes offensive information warfare is that it refers to the application of digital force against military or civilian information assets and systems, against computers and networks which support the air traffic control systems, stock transactions, financial records, currency exchanges, Internet communications, telephone switching, credit record, credit card transactions, the space program, the railroad system, the hospital systems that monitor patients and dispense drugs, manufacturing process control systems, newspaper and publishing, the insurance industry, power distribution and utilities, all of which rely heavily on computers. This list above involves civilian and government systems, and involves systems that may span across traditional border boundries of other countries. For these reasons, it is important that the international community look to the Geneva Convention, the traditional laws of war and the humanitarian laws and treaties for any aspect of cyber-war and cyber-attacks. This matter is not simply segregated to the militaries or governments of the world.
As for the issue surrounding “hacking”, this too should fall under the auspices of the Geneva Convention and the laws of war. The act of “hacking” seems to be a tricky subject and one that is hard to pinpoint when looking for actors involved and their motivations. Thus, “hacking should be treated as a criminal matter that can have international legal implications if evidence suggests state sponsored involvement in the “hacking”. Since “hacking” can be perpetrated by private and governmental actors, it must be accountable in both domestic and international courts. Countries, under Article 51 of the Geneva Convention can employ defensive means when “hacking” is underway, but should refrain from offensive operations until the incident can be reviewed by an appropriate body. Since the effects of “hacking” can be great, this is even more reason for an expeditious formation of laws and conventions for dealing with this threat.
As countries realize the implications of international attention to state sponsored acts of cyber-attack, the possibility for war by proxy will increase dramatically. For this reason, cyber-warfare and cyber-attacks should be classified as a form of “asymmetrical warfare”. Cyber-warfare is a direct threat to state sovereignty and thus should be considered under current laws of war as an aggressive, planned attack against another country that is on the same level as nuclear warfare. This distinction could reduce the willingness of states to sponsor or participate in cyber-warfare, then limiting the occurrences to simple cases of criminal “hacking”. As the damage from this warfare can be extensive, it is also necessary that the matter be evaluated within the context and jurisdiction of the laws of war until such time that a convention can determine the appropriate arena for jurisdiction. The fact that there exists a distinction between combatants and non-combatants that is internationally recognized, leads to the understanding that any cyber-attack that effects or involves either designation would be subject to the laws governing war as expressed in the international laws of war. No state or individual actor can then legally claim any other laws as governing these types of activities.
Cyber-war Evidence
The U.S. government and other governments as well as their militaries have been studying the existence of cyber-warfare for years. The U.S. Joint Vision 2020 report was quoted as noting that operations within the information domain will become as important as those conducted in the domain of sea, land, air, and space. The threat of cyber-warfare is now a reality, as the war is on the verge of entering the stage of “full-swing”. John Hamre was quoted as stating to Congress that we are at war right now and that we are effectively in a cyber-war.
Last year alone, the Defense Department was targeted by hackers nearly 75,000 times, which led the military in a response to form the Joint Functional Component Command for Networks Warfare. Along with these attacks, China is reportedly developing a fourth branch of the People’s Liberation Army that is devoted solely to cyber-warfare and it has been rumored to be engaged in “sniping” with Taiwan and attacks against the U.S. have been traced back to China. In 1999, according to expert testimony before the Senate, a band of Russian hackers were responsible for stealing an enormous amount of research and development secrets from U.S. corporate and government entities in an operation that was nicknamed by American Intelligence as codename Moonlight Maze. Even recently, the Associated Press reported a Romanian national was indicted on charges of hacking into more than 150 U.S. government computers causing disruptions that cost NASA, the Energy Department and the Navy nearly $1.5 million. Evidence for the start of this new type of warfare is clear and present, signaling the beginning of a new era of combat and clearly marking the need for an international consensus on rules governing cyber-warfare and cyber-attacks.
Case Studies
As of today there are multiple cases involving cyber-attacks that have made their way to various courts:
Air Force Rome Lab (1994):
In March of 1994, system administrators at Rome Lab in New York found their network under attack. The Air Force dispatched teams to investigate and traced the attacks to an ISP in New York, then Seattle, Washington. Two hacker handles were identified as Kuji and Datastream Boy. Informants recognized the hackers from the United Kingdom and the U.S. military contacted Scotland Yard. Scotland Yard discovered that the hacker was “phreaking” (using a computer to trick phone lines) through Columbia and Chile to New York, defrauding telephone companies and the New York ISP as a jumping off point to attack Rome Lab. The hacker was under surveillance by Scotland Yard and was observed targeting NATO Headquarters, Goddard Space Flight Center, and Wright-Patterson Air Force Base. Over eight countries were used as conduits for these systematic attacks. An arrest warrant was finally issued after the hackers stole data from the South Korean Atomic Research Institution. After evidence was presented, over 150 intrusions were monitored by Rome Lab from 100 different points of origin. Datastream Cowboy, a 16 year old British student pled guilty in British courts and was issued a fine. His mentor, Kuji, who turned out to be a 22 year old Israeli technician was found not guilty as no laws in Israel applied to this incident.
Eligible Receiver (1997):
This was the first Information Warfare exercise in the United States which demonstrated the ease and vulnerability of civilian and governmental systems to cyber-attacks. It could be viewed as a wake-up call to the international community that is concerned with international terrorism and proxy warfare.
Over a period of 90 days, thirty-five people calling themselves “The Red Team”, using off-the-shelf technology and software, posed as a rogue state that, while rejecting direct military confrontation with the United States, attacked vulnerable U.S. information systems. Goals of the Red Team included concealing their identity and to delay or deny any U.S. ability to respond militarily. A number of attacks were made against power and communications networks in Oahu, Los Angeles, Colorado Springs, and St. Louis, Chicago, Detroit, Washington, DC, Fayetteville, and Tampa.
Although many of the results of the simulation are still classified, Gen. Campbell, head of the Pentagon’s Joint Task Force-Computer Network Defense wrote that Eligible Receiver demonstrated our lack of preparation for coordinated cyber-attacks and attacks on civilian infrastructure. Many other experts have since commented on Eligible Receiver as a revealing exercise, demonstrating that we must be better prepared to deal with potential attacks against governments and civilians alike.
The examples above clearly demonstrate the need for involvement by the international community as this is a global issue. As technology allows attacks to touch multiple countries and can affect civilian infrastructure, the issue now involves state sovereignty and the laws of war and the Geneva Convention.
Conclusions
The cyber-war is raging on right now, but the sounds of its weapons are not the percussion from the explosion of bombs, but rather the sound of constant tapping from the keys on a computer keyboard. The evidence of this war clearly points to a significant threat to our military and our society as well as the international community as a whole. Cyber-warfare is taking shape and will surely transform the militaries and the policies of world governments as they must adapt to this new technology and tool of war. Governments seem to be taking this threat very seriously and the hope is that politicians and the world will too. Jason Lee Miller, a writer for Security Pro News wrote recently that in a pre-internet world, no country was under constant attack with bombs bursting at the gates 24/7. But this is what that amounts to, and the international governing bodies need to be vigilant about protection.
Cyber warfare is the way of future world wars, involving lightning fast ways of taking down entire infrastructures. Governments must be prepared to defend against this threat, and at the same time, they must be able to inflict the equivalent amount of damage to an enemy by the same means. As governments and militaries vamp up their cyber-warfare abilities and defenses, the international governing bodies must keep up with developing laws and rules to ensure that peace and security is maintained.
America is taking steps towards this direction, although they have yet to fully commit enough resources to handle this new threat appropriately. Still, even as a few governments seem willing to endorse international conventions on cyber-warfare, at the same time they are moving to develop ways at fighting a cyber-war rather than preventing one. Reuters reported that the Defense Department was considering hacking into Serbian computer networks to disrupt operations and basic civilian services…but the Pentagon refrained from doing so because of uncertainties and limitations surrounding the emerging field of cyber-warfare. As computers are revolutionizing all aspects of life, militaries around the world are stepping up the development of cyber weapons and defense systems. Soldiers at computer terminals, safely stationed in the United States, can now defend our country and invade foreign networks to shut down electrical facilities, telephone services, transportation and crash financial systems. CNN News reported this month that the U.S. Air Force is setting up a new four-star command to fight in cyberspace. The news source reported:
“The aim is to develop a major command that stands alongside Air Force Space Command and Air Combat Command as the provider of forces that the President, combatant commanders and the American people can rely on for preserving the freedom of access and commerce, in air, space and now cyberspace” this is according to Air Force Secretary Michael Wynne at an industry conference.
It is clear that the military recognizes the threat and the potential for weaponry that cyber-warfare presents to the future. In December of 2005, the Air Force mission statement was amended to include cyberspace as an operational area, along with air and space. This is exactly the things that the United States military and government need to began to do to prepare to deal with this new type of warfare and this is exactly the reason that we need an international governing body that can deal with cyber-warfare. As this is not yet in existence, it is essential that cyber-warfare be under the auspices of the laws of war and the Geneva Conventions.
Still, even as the military is slowly taking notice and responding to the threat of cyber-warfare, it and the government and businesses of the United States are not moving quickly enough to safeguard against this dangerous threat. The 8th Air Force Commander Lt. Gen. Robert Elder noted that although the focus of U.S. efforts until now has been on defense, we’ve come to realize there are a lot of things that we can do in the cyberspace domain that would be good for national security.
The different branches of our defenses are taking notice and mobilizing forces to deal with this threat, but it needs to be coordinated, funded and enacted faster than it is currently. The focus of the defense department should revolve around a standardization of operations, finding and training personnel, making the case to politicians for more resources, and educating the public as well as private business of this new threat and how to prevent it from damaging private civilian sectors. We need to protect our data, and eliminate the chances that adversaries have at attacks by detecting, denying, disrupting, and destroying their source of transmissions. But at the same time, the United States should be adamant about involving international agencies and governing bodies in the development of this new arena.
Congress seems to be making some progress toward this goal. Currently awaiting passage is a house bill, the Cybersecurity Information Act, which would reduce the liability and antitrust action, while strengthening the responsibility of private business to maintain adequate security of information. It is also the responsibility of Congress to appropriate the necessary funds needed to deal with this new war and emerging threat appropriately before we have a major unexpected catastrophic event like 9-11 or Pearl Harbor. Also, the president passed E.O. PDD-63 which calls for the national government to control and secure infrastructures from both physical and cyber-attacks. The plan which is extensive, details the creation of an agency dedicated to the security and coordination of sectors of infrastructure that are vulnerable to cyber-attacks. It also details the need for coordinated efforts between multiple agencies and potentially international agencies for the protection of civilian infrastructure. This could be a model for a future agency or coordinated efforts within the international community to protect civilian infrastructure worldwide.
Still, with the threat of full scale cyber-war, and the constant bombardment of hacking attacks to U.S. systems, we must venture into this emerging threat with caution and regard for current policies and rules of engagement. Before the United States engages in cyber-warfare, the legalities and potential consequences of such coordinated attacks should be weighed. In 2000, the Defense Departments top legal office issued a series of guidelines warning that misuse of cyber attacks could subject U.S. authorities to war crime charges. The U.S. and the governments of the world must still apply the same “law of war” principles to cyber-warfare as they do to conventional warfare, avoiding collateral damage and indiscriminate attacks. This would mitigate violations of human rights and war crime laws while setting standards to establish appropriate world policy for cyber-warfare that currently does not exist.
The untested state of U.S. and other world powers “cyber arsenals” should motivate policymakers to create laws and institute policy that addresses this new type of warfare. Thus far the U.S. appears to be leading the world in this mission. Near the end of 2000, the Pentagon issued a fifty page document containing guidelines that instructed commanders to be wary of targeting civilian institutions such as banking systems, stock exchanges and universities regardless of the bloodless effect of cyber weapons. Yet not all governments would agree with the U.S. guidelines for rules of conduct for this new type of warfare. The Post noted in an article in 2000 when referring to these codes of warfare for the U.S. that Russia is challenging this view. Other countries such as China, have not openly opposed the rules for conduct, but have declined to comment on the issue, leaving their ambivalence as a sign that they do not intend to honor such rules. On the other hand, some countries have chosen to take another approach by gathering support for a United Nations resolution calling for guidelines on this type of warfare and the banning of dangerous information weapons. All these differing stances outline the marks of a political and military battle that is going to be a major issue for the coming future.
The emerging threat of our future and the future of our children is no longer that of only bombs and bullets, but now includes the virtual world of cyberspace. A new threat has emerged with the integration of technology into all aspects of our lives. The technology that has made our lives so much better has not come without its risks and trade-offs. Opening our military and our critical infrastructures to the Internet has made them vulnerable to attack from our enemies domestically and abroad.
The consequences of coordinated attacks in cyberspace has prompted the militaries of the world to label and design a new type of warfare, aptly named cyber-warfare. The weapons of this war do not explode, or rip or tear at our flesh, but instead maim and rip and tear at our very critical infrastructures that we depend so dearly upon. The militaries and the governments of the world have begun to respond to this new threat with the formation of Internet Warfare units and policies that are starting to take aim at this emerging threat.
In December, the FBI was initiated into this war as it began to issue levels of warnings for the threat of cyber attacks from potential hackers. As has been demonstrated, the internet is here to stay and so is our need for technology to operate our society. What we must do now is recognize the vulnerabilities that this dependence has created and we must act quickly to create policies and safeguards to defend against the new threats posed by cyber-warfare.
Cyber-warfare and cyber-attacks are a new threat to society, but these types of warfare should not be viewed as deviating from “traditional”. This is simply a new way to attack and harm others and is thus subject to all the laws of war and the Geneva Conventions. Until a legitimate and legal international body is formed, conventions attended and ratified, and definitions and laws codified and enacted, cyber-warfare and cyber-attacks must be subject to international law and the laws of war. Individuals must comply with the Geneva Convention and be subject to the punishments of violating humanitarian laws if civilians are harmed by the effects of cyber-warfare. A new ear is upon us and the international community must move quickly to ensure peace and security remains intact, lest we fall victim to a lesser known destructive force, that of cyber-war.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment