17 January 2017

How Should We Think About Cyber War, Where Rules Remain to be Written?


by Aaron Lang

The recent hack of the Democratic National Committee (DNC) and the United States’ subsequent decision to impose retaliatory sanctions against Russia poses an important question: what does international law have to say about state-sponsored cyberattacks? Unfortunately, and perhaps unsurprisingly, the answer is, very little. While technological innovation races ahead at warp speed, international law has lagged behind.

There are no international treaties on cyber warfare. The Budapest Convention on Cybercrime, is concerned with bad non-state actors in cyberspace—cybercriminals—not with state or state-sponsored actors. Russia and China have proposed an International Code of Conduct for Information Security, which would require a pledge by states not to “use information and communications technologies, including networks, to carry out hostile activities or acts of aggression.” But the proposal has failed to make much headway.

Others have looked to the traditional laws of war; specifically, the jus ad bellum (the law governing a state’s resort to force) and the jus in bello (the law governing a state’s conduct during war). The Tallinn Manual, drafted by a group of experts under the auspices of NATO, distills from the laws of war ninety-five rules that, the drafters say, ought to govern cyber warfare. Those rules would, for instance, allow a state victim of a cyberattack to take “proportionate countermeasures, including cyber countermeasures.” The manual is not a treaty, of course, and thus it is not binding on states.

But some have noted serious problems with grafting the laws of war onto cyber warfare. For instance, the laws of war traditionally apply only when an attack causes physical damage or bodily injury. A cyberattack like that involved in Stuxnet—the malware that caused the malfunction of hundreds of centrifuges in an Iranian uranium enrichment facility—might qualify under this traditional rubric.[1] But the DNC hack, harmful though it may have been to the integrity of the U.S. electoral process, might not. Nor might other devastating cyberattacks that cause neither physical nor property harm, like the 2007 Distributed Denial of Service (DDoS) attacks in Estonia.[2]

There is also a serious problem plaguing defense against cyberattacks in general: the problem of attribution, or tying a cyberattack to a specific actor (in the case of a cyberattack amounting to an act of war, the attribution must be to some state actor).[3] For the most part, the laws of war assume an attacker is known or knowable.[4] Perpetrators of cyberattacks, however, typically disguise themselves behind multiple false identities. Consider the DNC hack: The Department of Homeland Security and the FBI released a report identifying two perpetrators, Advanced Persistent Threats (APTs) 28 and 29. The report provides no less than 46 pseudonyms for the APTs—including the “Dukes” and the “Cozy” and “Fancy Bear,” identities that have been reported in the media. The means by which some of the DNC documents were leaked add to the attribution problem: they were leaked through the fake “hacker persona,” Guccifer 2.0.

Further complicating an already murky area, a report from the Congressional Research Service divides bad cyber actors into five categories—cyberterrorists, cyberspies, cyberthieves, cyberwarriors, and cyberactivists. The authors admit that the lines between these categories are not so clear; after all, “a hacker targeting the intellectual property of a corporation may be . . . both a cyberthief and a cyberspy.” And an actor in any of the five categories might or might not be connected to a state actor.

Sorting out these various practical and conceptual problems means that it will likely be a while before international law catches up with technology. The upshot is that recent events serve as an important reminder to continue to be proactive about cyber security. The DHS/FBI report, which offers a litany of “mitigation strategies,” has helped at least one entity—a Vermont utility company—rid a computer of the DNC malware. Taking into consideration these and other security strategies will be crucial given the legal uncertainty surrounding state-sponsored cyberattacks.

[1] For more information on Stuxnet, see Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (2014).

[2] See Heather Harrison Dinniss, Cyber Warfare and the Laws of War 54 (2012).

[3] See Duncan B. Hollis, An e-SOS for Cyberspace, 52 Harv. Intl. L.J. 374, 397-404 (2011).

[4] See id. at 393-96.

No comments: