The Evolution of a Hostile Cyberspace and Why You Should Care

  1. Crime and War to Replace Smileys and Hearts?

Cyberspace provides a basic infrastructure for work, reading news and sending hearts and smileys on social media. If you hear the words “cyberspace” and “cyber attacks” it might bring to mind a science fiction-like scene of aliens battling with code somewhere in the matrix. ‘Cyberwar’ may not be a concern to you at the moment. The reality is that cyberspace could soon be concerned with more weapons than smileys.

The statistics speak for themselves: in 2017 an estimated 611,141 web attacks were blocked every day[1] and the cost of global cybercrime in 2017 is estimated at $600 billion.[2] The persons behind these attacks and crimes are mostly criminals and vigilantes. These are scary private actors, but enhancing the capability of cyber law enforcement may arguably control them. State actors targeting each other through hostile cybermeans is to many a much more unnerving trend.[3] This hostile state practice and its implications could be one of the greatest challenges facing our generation of leaders. And yet, it seems to be a task that neither our leaders nor civil society is prepared to discuss or handle in a conscientious way.[4]

The knowledge gap between what the average person knows about cybersecurity and cyberwarfare, and what is actually happening, should be a concern to everyone. In this blog post, I will first explain what cyberspace is and what law applies. Next, I will turn to some examples of infamous cyberattacks involving state actors and then comment on current cyber strategies adopted by states to meet these threats. Finally, I will present some thoughts about the problem of the cyber-knowledge gap and the way forward for law in cyberspace.

  2. What is Cyberspace and What Law Applies?

There is no universally agreed upon definition of what constitutes “cyberspace.”[5] The Pentagon has tried to define it and has so far come up with cyberspace as “the global domain within the information environment consisting of the interdependent network and information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.”[6] This definition is so broad and incomprehensible that most of us might as well continue to use the term as the novelist Gibson did when he coined it in Neuromancer: “a consensual hallucination experienced daily by billions of legitimate operators…”[7]

Defining the space where it all happens is hard enough. Defining what international legal norms should apply has not only proven to be hard, but many nations do not even want to. For differing reasons, China, Cuba and Russia do not acknowledge that international law and the right to self-defense necessarily apply to cyberspace.[8] This was made clear during the now dead-in-the-water UN negotiations concerning what legal norms apply in cyberspace.[9] Other nations, like the US and UK, acknowledge the application of international law in cyberspace, but refrain from taking a stance that most of the stuff happening in cyberspace rises to the level of unlawful breach of sovereignty.[10] This school of thought has been termed the school of “sovereignty as a principle,”[11] whilst others, perhaps especially those rooting for the application of the soft law principles of the Tallinn Manual[12], belong to the school of what we may call “sovereignty as a rule.”[13]

The “sovereignty as a principle” school is likely the most pragmatic approach as state practice within cyberspace is still in its infancy. It allows flexibility for what are considered “legal responses” to the most frequent cyber incidents, as long as they are defined in the “grey zone” not rising to the level of illegal interference or intervention.[14] At the same time, it may be argued that this approach first and foremost favours the state actors on the scene of international cyberwarfare that have the capability of deterring these incidents in a meaningful way. For the nations that do not have the capability of responding in cyberspace it may be better to be able to point to a breach of sovereignty and respond with non-cyber countermeasures. On the other hand, allowing non-cyber countermeasures to cyberattacks rising to the level of intervention or interference could lead to unwanted escalation of hostilities.

The downside of keeping it pragmatic is that without clear rules on what is and is not accepted state action in cyberspace, we might end up with a fearful virtual society favouring the strongest states. Cyberweapons become more powerful and sophisticated by the minute. As we shall see in some examples below, the attackers are hard to identify and for many nations it is impossible to respond by cybermeans.

3. Stuxnet and Estonia: Cyber Weapons With Real-World Consequences

Examples of cyberhacks and cybercrime are myriad. Cyberwars and weapons are not. This may be due both to the covert nature of cyber military operations and to the fact that these hostilities and capabilities are still developing. However, there are a few notable exceptions.

The first example of a large-scale cyberweapon with real-world consequences is the infamous “Stuxnet” malware targeting the Iranian nuclear facilities.[15] The malicious code (malware) infected the computers controlling a part of the nuclear program, causing them to self-destruct by making the centrifuges speed up or slow down.[16] It successfully took down almost a thousand centrifuges (P-1 machines) by simply manipulating software.[17] European security consultants detected Stuxnet in 2010 when the malware infected thousands of computers running the same operating system as the one it was meant to target. It was so sophisticated that it did not cause actual harm anywhere but at the nuclear facility in Iran.[18] The cyberweapon was allegedly created by the NSA and the Israeli intelligence agency as part of operation “Olympic Games.”[19] A security analyst who was part of the team that exposed Stuxnet stated that the malware was all about “destroying its targets with utmost determination in military style.”[20] What Stuxnet shows us is that a cyberweapon may in itself consist of mere code, but can cause significant real-world damage to essential infrastructure and business. Former CIA Director Michael Hayden stated that Stuxnet was a “game changer” and went so far as to compare its implications to those of Hiroshima in 1945.[21] Whether or not people agree with the latter statement, they probably do agree that the capabilities of weapons like Stuxnet can only improve and that we are already part of a cyber arms race.[22]

Another example of cyberweapons that had notable real-world consequences is the attack on Estonia in 2007. The “hacktivist”[23], or as some say “cyber terrorist,”[24] attack on Estonian governmental functions remains one of the most notorious cyberattacks in Europe so far. The attack came as a response to the decision to relocate a statue in tribute to the Soviet liberation of Estonia from the Nazis.[25] The Russian minority in Estonia reacted with an uproar that included cyberattacks on key governmental and economic institutions.[26] Estonian society was, at the time, one of the most digitally advanced societies in the world, as it relied heavily on cyberspace when developing its own public and private institutions after the fall of the Soviet Union.[27] This vulnerability enabled the cyberattackers[28] to paralyze vital governmental and economic institutions for weeks on end by targeting the media, intergovernmental communications, and online banks.[29] Ten years after the Estonian attack, an Estonian cyber defense expert stated that a major difference between cyberattacks and kinetic force is that a cyberattack “allow you to create confusion, while staying well below the level of an armed attack. Such attacks are not specific to tensions between the West and Russia. All modern societies are vulnerable.”[30]

These are just some examples of how cyberweapons are becoming a part of state practice and warfare. Below we shall see how different state actors have responded to this threat in different ways.

4. Cyber Strategies: is ‘Offense by Defense’ the Best Way Forward?

Governments all over the world experience cyber hostilities on a daily basis. The “cyber threat” is at the top of most governmental agendas, though few leaders can truly say they understand its ramifications. It took the US government 15 years to finally present a brand new National Cyber Security Strategy this September.[31] To get some perspective on how “long” 15 years is in cyberspace, it is worth reminding ourselves that this means the last strategy was launched a whole four years before the first iPhone came out.[32] For those of you who feel like that was just yesterday, it certainly does not feel like that to the “digital” generation.

This new US cyber strategy carries one major message to other state actors: the gloves are off – we will “defend forward” to deter malicious actors.[33] In other words, offense is the new defense. Some critics have pointed out that this aggressive strategy may remove critical resources from defending essential infrastructure from attack and lead to unnecessary escalation of hostilities.[34] Others, like the former Director of the National Security Agency, Admiral Michael Rogers, firmly hold that the aggressors in cyberspace will not be deterred by anything less than a firm and rapid response.[35] With the memories of meddling in the 2016 US presidential elections by Russian actors still fresh in mind, you may sympathize with this combative approach.

At the same time, it is important to keep in mind that a national cyber strategy need not be first and foremost aggressive. The European Union approach is an example of this.[36] Although the EU is not a military power with a common defense for Europe, the Union is still an important actor in cyberspace, particularly regarding the importance of a common trade market.[37] Its cyber strategy, first published in 2013 and renewed in 2017, emphasizes the importance of building a safe, prosperous, and open cyberspace relying on fundamental rights and freedoms.[38]

The EU and US are longstanding allies. Despite their different approaches in cyberspace they will likely remain cyberfriends. China is another story altogether. China is one of four states explicitly coined as long-term strategic threats to the US and its allies in the new US strategy.[39] A Chinese cybersecurity analyst recently commented upon the cyber strategy and expressed concerns about how “defending forward” may look a lot like early attack for the ones experiencing the “defense”.[40] She compared the situation of power balance in cyberspace to the one of the Cold War, warning that we are at a crossroads in cyberspace where “one route may point toward achieving general stability, while the other may lead to chaos and conflict”.[41]

The question one might ask in light of this discussion is what legal order de lege ferenda we should or should not work towards in cyberspace. Although the UN effort to reach consensus on cyberspace regulation did not succeed, there are other attempts to facilitate state cooperation on cyber legal norms in the making.[42] Should it be a lawless space for the survival of the fittest or should we adopt the existing framework of international law applicable for the use of force and in armed conflict? Or should we instead aim for completely new norms and principles adopted through a treaty? And perhaps more importantly, are the stakeholders capable of discussing the technical nature of cyberspace and cyberwarfare in a meaningful way?

5. Hope for a Peaceful Cyberspace and the Need for Cyber Knowledge

The rules that govern the use of force and the conduct of war in the ‘real world’ originate from hundreds of years of custom and treaties. Meanwhile, much of the emerging hostilities may utilize cyberweapons with both cyber and real-world consequences. As noted above, without clear rules of state action in cyberspace, one could ask whether we are moving in the wrong direction, towards a state practice of “the survival of the fittest” approach. Cyberweapon capabilities are not, as far as we know, anywhere close to the danger that nuclear weapons present. Yet, Stuxnet showed us that hatching cyberweapons with the capability of disruption of essential infrastructure was already a reality in 2005.[43] Without the will to regulate the attacks happening in cyberspace, one may end up with a fearful international community reminiscent of the Cold War. Or perhaps even more fearful, as the problem of attribution in cyberspace keeps the attacker in the dark and the victim in the unknown.[44]

Internationalists remain hopeful that we will reach a consensus on cyber legal norms that aim for a peaceful coexistence in this space by prohibiting the use of force. In the event it is not possible for states to coexist peacefully, then the law of armed conflict must make it clear that virtual civilian life and infrastructure is as well worth protecting as they are in the ‘real’ world.

Cynical minds might argue that there is no point in trying to establish international law in cyberspace when many states do not even comply with existing custom and conventions in the ‘real’ world. That the idea of international rule of law is just as much a hallucination as Gibson deemed cyberspace to be in 1984. Of course, they do have a point. All sides of the conflict in Yemen and Syria prove this point every day. The western and eastern nations fighting and funding the wars demonstrate disregard and disdain for the law of armed conflict and the value of human life as civilians are slaughtered[45] and children starve in the thousands[46].

It is true that many states do not comply with the rules, but the point still stands. It is worth aspiring for an international legal order in cyberspace. In spite of our daily news feed, international law is more often respected than not.[47] History has also shown us that adversaries can go from hostile competition to peaceful cooperation, just as the US and Russia did with the outer space program.[48] It is better to strive for a cyber rule of law where some states comply, than none at all. Real-world consequences emerge from actions in cyberspace. If we create rules we may legitimately expose breaches of them, and hope that this leads to more civil conduct and the de-escalation of emerging conflicts.

Whatever the major players in the field of cyber-international relations decide, we should all, as citizens of the virtual world, be able to understand cyberspace in order to hold our governments accountable – and at the moment we do not.[49] The term “cyber threats in cyberspace” probably still produces a little sci-fi feeling for us all. Both public and private institutions need to take steps to close the cybersecurity knowledge gap. If not, we will end up with a world where only the techy people speak the language of power and influence.

[1] Statista. Global number of web attacks blocked per day from 2015 to 2017 (in 1,000s). (2018), https://www.statista.com/statistics/494961/web-attacks-blocked-per-day-worldwide/. [Cited 12/01/2018]

[2] Lewis, James. ”Report: Economic Impact of Cybercrime—No Slowing Down”, McAfee and the Center for Strategic and International Studies (CSIS), (2018), p. 4. [https://www.mcafee.com/enterprise/en-us/forms/gated-form.html?docID=5fee1c652573999d75e4388122bf72f5&tag=ec&eid=18TL_ECGLQ1_CT_WW&elqCampaignId=23163] [Cited: 11/13/2018]

[3] Wheeler, Tara. ”In Cyberwar There are no Rules,” ForeignPolicy.com, 09/12/2018. [https://foreignpolicy.com/2018/09/12/in-cyberwar-there-are-no-rules-cybersecurity-war-defense/] [Cited 11/13/2018]

[4] Singer, P.W and Allan Friedman. Cybersecurity and Cyberwar – What Everyone Needs to Know, New York, Oxford University Press, 2004, p. 4.

[5] As far as I have been able to understand through my research.

[6] Singer, P.W and Allan Friedman. Cybersecurity and Cyberwar – What Everyone Needs to Know, New York, Oxford University Press, 2004, p. 13.

[7] Gibson, William. Neuromancer. New York, ACE Books, 1984, p. 51.  See also Shachtman, Noah. ”26 years after Gibson, Pentagon Defines ’Cyberspace,’” Wired, 05/23/08. [https://www.wired.com/2008/05/pentagon-define/] [Cited: 12/14/2018]

[8] Bowcott, Owen. ”Dispute along cold war lines led to collapse of UN cyberwarfare talks”, The Guardian, 08/23/2017. [https://www.theguardian.com/world/2017/aug/23/un-cyberwarfare-negotiations-collapsed-in-june-it-emerges] [Cited 12/01/2018].

[9] Schmitt, Michael and Liis Vihul. “International Cyber Law Politicized:  The UN GGE’s Failure to Advance Cyber Norms”, Justsecurity.com, 06/30/2017. [https://www.justsecurity.org/42768/international-cyber-law-politicized-gges-failure-advance-cyber-norms/] [Cited: 12/01/2018]

[10] Waxman, Matthew. ”U.K. Outlines Position on Cyberattacks and International Law,” Lawfareblog, 05/23/2018. [https://www.lawfareblog.com/uk-outlines-position-cyberattacks-and-international-law] [Cited 12/01/2018]

[11] Schmitt, Michael. ”In Defense of Sovereignty in Cyberspace,” Justsecurity, 05/08/2018. [https://www.justsecurity.org/55876/defense-sovereignty-cyberspace/] [Cited: 12/12/2018]

[12] Schmitt, Michael N. Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, Rhode Island, Cambridge University  Press, 2017.

[13] Watts, Sean and Theodore T. Richard. ”Baseline Territorial Sovereignty and Cyberspace,” Lewis & Clark Law Review, 03/16/2018. Available at SSRN: https://ssrn.com/abstract=3142272, p. 856-858.

[14] See e.g. Schmitt, Michael. ”In Defense of Sovereignty in Cyberspace,” Justsecurity, 05/08/2018. [https://www.justsecurity.org/55876/defense-sovereignty-cyberspace/] [Cited: 12/12/2018]

[15] Singer, P.W and Allan Friedman. Cybersecurity and Cyberwar – What Everyone Needs to Know, New York, Oxford University Press, 2004, p. 115.

[16] Ibid, p. 116.

[17] Broad, William J, John Markoff and David E. Sanger. ”Israeli Test on Worm Called Crucial in Iran Nuclear Delay,” The New York Times, 01/15/2011. [https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html] [Cited: 12/05/2018]

[18] Singer, P.W and Allan Friedman. Cybersecurity and Cyberwar – What Everyone Needs to Know, New York, Oxford University Press, 2004, p. 116.

[19] Ibid, p. 118.

[20] Broad, William J, John Markoff and David E. Sanger. ”Israeli Test on Worm Called Crucial in Iran Nuclear Delay,” The New York Times, 01/15/2011. [https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html] [Cited: 12/05/2018]

[21] Shinkman, Paul D. ”Former CIA Director: Cyber Attack Game-Changers Comparable to Hiroshima,” US News, 02/20/2013. [https://www.usnews.com/news/articles/2013/02/20/former-cia-director-cyber-attack-game-changers-comparable-to-hiroshima] [Cited: 02/12/2018].

[22] Singer, P.W and Allan Friedman. Cybersecurity and Cyberwar – What Everyone Needs to Know, New York, Oxford University Press, 2004, p. 118.

[23] Herzog, Stephen. ”Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses,” Journal of Strategic Security, Vol. 4, No. 2: 49-60, 2011. p. 49. [Available at SSRN: https://ssrn.com/abstract=2807582]

[24] Richards, Jason. ”Denial-of-Service: The Estonian Cyberwar and Its Implications for U.S. National Security,” International Affairs Review at Elliot School of International Affairs George Washington University, Volume XVIII, No. 1: 2009. [http://www.iar-gwu.org/node/66]

[25] Herzog, Stephen. ”Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses,” Journal of Strategic Security, Vol. 4, No. 2: 49-60, 2011. p. 50. [Available at SSRN: https://ssrn.com/abstract=2807582]

[26] Ibid.

[27] Dycus, Stephen et al. National Security Law, 6th Edition, Aspen Publishers, 2016, p. 447.

[28] The attacks were for the most part Distributed Denial of Service (DDoS) attacks, which entail flooding the targeted websites with fake access requests, effectively blocking real requests from getting through.

[29] Dycus, Stephen et al. National Security Law, 6th Edition, Aspen Publishers, 2016, p. 447.

[30] McGuinness, Damien. ”How a cyber attack transformed Estonia,” BBC News, 04/27/2017. [https://www.bbc.com/news/39655415] [Cited 12/05/2018]

[31] US Department of Defense. White House Releases First National Cyber Strategy in 15 Years. https://dod.defense.gov/News/Article/Article/1641969/white-house-releases-first-national-cyber-strategy-in-15-years/ (09/21/2018).  [Cited 11/03/2018]

[32] Ritchie, Rene. ”11 years ago today, Steve Jobs introduced the iPhone,” iMore, 01/09/2018. [https://www.imore.com/history-iphone-original] [Cited: 10/14/2018]

[33] US Department of Defense. Summary of Department of Defense Cyber Strategy. (2018), p. 1. [https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF] [Cited: 11/12/2018]

[34] Wolff, Josephine. ”Opinion: Trumps Reckless Cybersecurity Strategy,” The New York Times, 10/02/2018. [https://www.nytimes.com/2018/10/02/opinion/trumps-reckless-cybersecurity-strategy.html]

[35] Rogers, Michael. Public speaking event hosted by Center for Security Research and Education at Penn State Law. State College, 11/13/2018.

[36] European Commission. Cybersecurity package ‘Resilience, Deterrence and Defence: Building strong cybersecurity for the EU’. (2018), https://ec.europa.eu/digital-single-market/en/news/cybersecurity-package-resilience-deterrence-and-defence-building-strong-cybersecurity-eu [Cited: 10/14/2018]

[37] Bleiberg, Joshua and Darrell M. West. ”The benefits of a Digital Single Market in Europe and the United States,” Brookings Techtank Blog, 06/17/2015. [https://www.brookings.edu/blog/techtank/2015/06/17/the-benefits-of-a-digital-single-market-in-europe-and-the-united-states/] [Cited: 11/12/2018]

[38] European Commission, General Secretary. (2017)  Resilience, Deterrence and Defence: Building strong cybersecurity for the EU, 09/13/2017. [https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1505294563214&uri=JOIN:2017:450:FIN] [Cited 11/17/2018]

[39] US Department of Defense. Summary of Department of Defense Cyber Strategy. (2018), p. 1. [https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF] [Cited: 11/12/2018]

[40] Jinghua, Lyu. ”A Chinese Perspective on the Pentagon’s Cyber Strategy: From ‘Active Cyber Defense’ to ‘Defending Forward,’” Lawfareblog, 10/19/2018. [https://www.lawfareblog.com/chinese-perspective-pentagons-cyber-strategy-active-cyber-defense-defending-forward] [Cited: 12/02/2018]

[41] Ibid.

[42] Schmitt, Michael and Liis Vihul. “International Cyber Law Politicized:  The UN GGE’s Failure to Advance Cyber Norms”, Justsecurity.com, 06/30/2017. [https://www.justsecurity.org/42768/international-cyber-law-politicized-gges-failure-advance-cyber-norms/] [Cited: 12/01/2018]

[43] Zetter, Kim. ”An Unprecedented Look at Stuxnet, the World’s First Digital Weapon,” Wired, 11/03/2014. [https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/] [Cited 12/01/2018]

[44] Singer, P.W and Allan Friedman. Cybersecurity and Cyberwar – What Everyone Needs to Know, New York, Oxford University Press, 2004, p. 150.

[45] Reuters. ”Syrian Observatory says war has killed more than half a million,” Reuters, 03/12/2018.[https://www.reuters.com/article/us-mideast-crisis-syria/syrian-observatory-says-war-has-killed-more-than-half-a-million-idUSKCN1GO13M] [Cited 12/01/2018]

[46] Karasz, Palko. ”85,000 Children in Yemen May Have Died of Starvation,” The New York Times, 11/21/2018. [https://www.nytimes.com/2018/11/21/world/middleeast/yemen-famine-children.html] [Cited: 12/1/2018] See also: Elbagir, Nima et al. ”Made in America Shrapnel found in Yemen ties US bombs to string of civilian deaths over course of bloody civil war,” CNN, 09/2018. [https://www.cnn.com/interactive/2018/09/world/yemen-airstrikes-intl/] [Cited 12/01/2018]

[47] ICRC. Frequently asked questions on the rules of war. (2016), https://www.icrc.org/en/document/ihl-rules-of-war-FAQ-Geneva-Conventions [Cited: 14/12/2018]

[48] Kruger, Hanna. ”In Space, U.S. and Russia Friendship Untethered,” NBC News, 09/30/2017.  [https://www.nbcnews.com/news/us-news/space-u-s-russia-friendship-untethered-n806101] [Accessed 12/12/2018]

[49] Sanger, David E. ”The age of cyberwar is here. We can’t keep citizens out of the debate,” The Guardian, 07/28/2018. [https://www.theguardian.com/commentisfree/2018/jul/28/cyberwar-age-citizens-need-to-have-a-say] [Cited: 12/06/2018]
