24 September 2015

Protecting the unprotectable: How do you spare the innocent in an online conflict?

September 22, 2015

Targeting an ambulance on a physical battlefield could be a war crime, so how do you stop the same thing happening in an online conflict? 















In war, ambulances, hospitals, and other non-combatants are protected by recognised emblems like the Red Cross and Red Crescent, and deliberately targeting them in a battle zone can be considered a war crime.

But how can that protection be extended to prevent attacks, deliberate or otherwise, on humanitarian assets if the war is a digital one?

Legal experts generally agree that the protection hospitals or medical convoys are accorded during standard warfare should also be respected on the digital battlefield, but there is no clear way of identifying which IT systems should be safeguarded.

A paper published in the RUSI Journal earlier this month suggests a framework for how such issues could be handled in a future conflict.

Figuring out how to demarcate the IT and communications systems of hospitals or other protected bodies is far harder online than it is offline. Thanks to cloud computing, for example, many different organisations may share the same infrastructure: working out exactly which bits are being used by a medical clinic and which by the army is extremely hard.

"There is a clear case for removing any large data sets from systems that may be regarded as military objectives, and - by storing data on different hardware and in different locations - for separating the systems used to support civilian activity and those underpinning military action," the paper says.

And it's not just a problem about where data should be stored: when it comes to internet infrastructure, it's even harder as data usually routes via the shortest path so separating out civilian and military traffic across the internet would be all but impossible.

Just to add to the complications, the status of an object can change, too: for example, in a conventional war, a dam which may normally be a protected site could later be designated a legitimate target if it were providing resources for military units.

The paper, The Geneva Conventions and Cyber-Warfare, suggests three main technical options for digital 'markings' of non-miliatry assets. Such markings could help protect non-combatant systems prior to an assault, they could allow an attacker's reconnaisance tools to automatically identify any protected systems, or, in the case of autonomous cyberweapons, they could be configured to avoid attacking such systems.

One technical option the authors suggest is to use special top-level domains - like .medical or .museum, or adding protective markers to a particular IP range. Alternatively, organisations could attach a warning banner to indicate the protected status of systems and applications. Another option would be to create a set of special markers in network traffic that would enable civilian traffic to be easily visible in network flows.

While such a mechanism might help protect hospitals, museums, or dams from inadvertent damage, it is unlikely to protect them from attacks by groups that ignore the Geneva Conventions anyway, and could even identify these soft targets to attackers. "Currently, the reality is that the majority of transnational cyber-attacks are carried out by non-state actors and are outside what is considered to be traditional interstate armed conflict," the paper notes.

No comments: