Blog

Cyber-Warfare:The conundrum behind missives and missiles

Copyright Notice [1]

Cyber-space, a term spawned from one’s imagination, presently denotes a very real yet intangible realm, in which exercise of power can have consequences that may very well escape one’s imagination.

It would seem fair to say that cyber-warfare, amongst other cyber related subjects, has impregnated itself with stellar speed into most of our socio-political and legal daily topics. During the last couple of years, and in a relatively condensed timeframe, the majority of online news websites have integrated the term cyber into their permanent rubrics. Indeed, the “hottest” political subjects tend to by cyber related.

The purpose of this article, however, is to address certain considerations that pertain to the ever increasing peril of international cyber combat, be it defined as war in the conventional sense, or otherwise. The reason for my reluctance to nitpick on the exact categorization of combat at this stage is simple. Primarily, IT law is proving to be a unique legal discipline in its own right, as will be discussed at greater length below, and thus the absence of an international legal framework pertaining thereto precludes one to competently superimpose upon it non-IT legal definitions, that enjoy international legal recognition. Secondly, as will be seen, the particular (artificial) nature of cyber-space prevents one to look upon the relationship between two or more entities in it, in the exact manner as if it were the case in natural space.

Therefore, the only known legal terms relevant to this article that can be applied in both natural space and cyber-space are assault and defence.

1. The Assaulter

Once upon a time, someone posed a question relative to the comparison of actual (i.e. natural) space and cyber-space that at first glance seemed naively simple, but proved to be quite to the contrary in retrospect. The question was:

“What are the fundamental differences between space and cyber-space save the obvious biological existence in the former?”

For the sake of both clarity and brevity, let us hereinafter refer to the question as “the difference between existence and e-xistence.” The reason why these terms are used is to differentiate between the notions of space and occupying space, i.e. existing in it. Although we may satisfy ourselves with distinguishing between natural space and cyberspace, the way in which we manifest ourselves in either deserves special consideration. It is due to this reason that I believe that one exists in natural space, while one e-xists in cyberspace. I am further of the opinion that this demarcation, however it may seem to some as unnecessary at this point, will prove itself to be of importance in the not so distant future. This will be the subject of a subsequent article.

Although it is true that the foregoing question can be looked upon from a myriad of perspectives, contingent upon the type of social science applied, for the purpose of the subject of this article, four key differences seem to “pop up”. We shall call them The Ghost Factor, The One Man Army Factor, The Universal Calibre Factor, and The Clay Pigeon Factor. Let us thus address each one in turn and then assess the sum of the problem raised by this article.

The Ghost Factor simply pertains to, as one may infer from its name, the invisibility of the assaulter. One is bound to raise an eyebrow at this point, considering the well known achievements in remote-control technology, stealth technology (including active camouflage), in modern warfare. The Ghost Factor actually refers to a paradox.

Namely, when contemplating assault in the legal sense, the traditional questions asked are:

  1. Who (executed the assault)?
  2. When (was the assault executed)?
  3. Wherefrom (was the assault executed)?
  4. Where (did the damage occur)?
  5. Why (was the assault executed, i.e. what was the motive behind the assault)?
  6. With what (was the assault executed/ damage inflicted)?

The answer to the foregoing gives us the possibility to ascertain the existence of the ingredients of (criminal) liability, i.e. the actus reus (act) and the mens rea (intent).

It can be said with a healthy degree of certainty that any criminally relevant feasance and/or nonfeasance must be inspected through the foregoing considerations.

Having said that, it can hardly be contested that no matter how stealthy the assaulter may be in existence, his physical presence, or the physical presence of his weapon, is an unavoidable fact of the hitherto known laws of physics. This in turn guarantees tangible evidence of the assault.

On the other hand, the physical presence of both the assaulter and/or his weapon is clearly omitted in an assault that takes place in e-xistence, and thus no physical evidence is available. Granted, there may certainly be scores of e-clues left behind, but in the event of a mere electricity blackout, you can kiss them goodbye for the most part. This in turn means that of the previous six questions, only one can be answered with adequate and immediate certainty (where did the damage occur), while the answer to the rest of them can be rather elusive (at least most of the times).

To quote O. Sami Saydjari, of the cyber-security consultancy Cyber Defense Agency and a former program manager of information assurance at the Defense Advanced Projects Agency (DARPA):

“The source field can be changed [spoofed] by an attacker to make it seem like it’s coming from someplace it’s not,”[2]

This should not come as a surprise, as anyone with the requisite equipment and know how can stage a cyber-attack from anywhere on the globe, for whatever reason, against whomever, and the effect and repercussions of said attack can be delayed. Moreover, the “weapon” i.e. computer code with which the assault was executed, may very well be innovative and difficult to immediately understand.

Where then lays the aforementioned paradox of The Ghost Factor? It lays in the unequivocal proof of the assaulter’s presence in e-xistence. Namely, although it may be next to impossible to determine who the assaulter is, the fact that someone was present is inerasable. To put it another way, while in existence an assaulter can simply physically leave a space (regardless of whether he has executed the assault), in e-xistence the fact of his presence was recorded by a sequence of a flowing binary code that is, like time, immune to arrest and is therefore meticulously recorded, archived and stored in some server, somewhere.

The One Man Army Factor pertains to the fact that in e-xistence one man (or a few men) may effectively execute a cyber assault against a significantly disproportionate larger target, in terms of manpower, equipment and information databases. By contrast, in existence, such a prospect is possible only in fiction. The technology of the internet renders this possible. Moreover, this factor, in concert with The Ghost Factor, means that one or few can effectively perpetrate their assault through a vast array of channels using Botnets.[3] Take for instance the cyber attack that took place in January of 2009. A group of hackers assaulted Israel’s internet infrastructure during the military offensive in the Gaza Strip. Focusing government websites, the attack was executed by “at least 5.000.000 computers.”[4] Surely the attack was not planned nor performed by so many individuals, as the laws of probability render such a possibility impossible. Thus using available technology, one person, or a relatively small number of persons, can easily abuse many badly protected third party computers to commit a highly effective and damaging cyber assault.

The One Man Army Factor can be further be considered through the fact that the “currency of power” changes through time. Namely, humanity has witnessed that power was wielded throughout history by those who acquired wealth through the conquest of the physical world. The new age seems to belong to those who achieve wealth through the conquest of the metaphysical world. It follows that technological outweighs physical prowess nowadays. Consequently, a relatively small entity, be it a state or non-government organisation, can exercise influence that is quite disproportional to its size.

The Universal Calibre Factor relates to the fact that every cyber attack, no matter how complex or simple, is carried out by an electric signal. There are no grandiose and puny electric signals, nor can such a signal be discerned or categorised in any comprehensive way. It is the message that it carries that makes all the difference. However, the nature of that message, or rather, the nature of its contents, can be, in most cases, ascertained only tardily, upon strike. If for instance a target were to be engaged by an intercontinental ballistic projectile, chances are that the perpetrator is not an individual or a band of rogues. One can only infer that the assaulter is a complex organisation with considerate logistical and financial resources. In comparison, the electrical impulse that may hit one’s private computer and the one that may hit a governmental internet infrastructure is, to put it in pedestrian terms, made of the identical stuff. Therefore, the “calibre of the projectile” is little (if any) evidence of the possible identity of the attacker.

How can then one competently identify the “man” and the “means” of any given cyber attack. Even if one could, how could one accomplish the task in a timely fashion, so as to achieve an effective deterrent or mount an appropriate defence? How does one ascertain what is a reasonable response, especially in the context of the use of force for the purpose of defence?

Unlike the previous factors that pertain to the assaulter, The Clay Pigeon Factor refers to the victim, i.e. the assaulted. In conventional warfare, almost any threat is discernable and its avoidance is a matter of natural instinct. We dodge bullets and knives, run from explosions, fires and projectiles, cover our faces from gasses etc. In contrast, literacy is a precondition of timely recognising a threat in cyber-warfare (and cyberspace in general). Pure instinct is insufficient. If any hope of peace is to be expected, both present and future generations must be computer literate and have a basic understanding of the cyber fibre of which cyberspace is made of. Otherwise, not only will the victim be clueless of when he was hit and by what, he will be further clueless of the long term repercussions of the assault.

2. The Battlefield

Humans naturally perceive within the context of their surroundings. Thus one may appear large merely because he is in a small room, or a bearer of ill intention may seem less of a threat just because he is physically far away.

Let us attempt to apply the foregoing fact to the internet, or the cyberspace, i.e. the ambient in which one e-xists.

At the risk of stating the obvious, cyberspace cannot be viewed in the conventional physical sense. There is no notion of proximity. This means that any and every threat is as immediate as it gets. It follows that any effective deterrent is contingent upon constant and instantaneous combat readiness. Is this a realistic task? What kind of equipment and training does such a duty actually entail?

The US has made an attempt to prepare itself by establishing its Cyber Command back in 2009.[5] At present, the countries which are believed to have the most developed cyber warfare capabilities are the United States, China, Russia, Israel and the United Kingdom.[6]

Although the know how of each of these countries’ particular cyber defence tactics are understandably guarded as confidential, one thing is clear, all of them are undergoing a process of attuning to a completely novel battlefield. It seems though that one of the main differences between conventional warfare and cyber warfare is the ability to recognise the battlefield. The reason is simple, every battlefield in history had two distinguishing factors; its location and time of combat. Even in the great world wars, no belligerent has ever grasped the entire globe as the battlefield at a particular given time. The architecture of the internet has rendered the location of a potential place of confrontation indiscernible.

The reason behind this is much more than the blatant absence of the ability to view a potentially hostile environment coherently.

Unlike natural space that is regulated by the laws and customs of men, the internet, a man made invention, hitherto paradoxically remains the apex terra nullius, a metaphysical no man’s land in which everyone is “fair game” and everything is “up for grabs”. Let us dedicate some thought to some of the reasons behind this phenomenon.

As previously emphasized, natural space is divided into socio-political entities, each of which is duly furnished with a set of agreed upon rules. Some of these rules are laws, other remain customs. At any rate, the natural and gradual progression of social maturity culminated in the attempt to harmonize said customs into local laws, and subsequently, local laws into international law. It is due to this fact that we consider customs, local laws, bilateral and multilateral agreements, jurisprudence, as the sources of international law. In such a way, each recognised international legal subject has had, at least a technical chance, to contribute to international governance and thereby has secured the important ability of being able to understand the mechanics and origins of a “global law”. In the case of international law, the “pyramid of knowledge” was indeed built as gravity intended, from the foundations upwards.

The case of the internet is quite the opposite. It flooded into human society as soon as it was given the carte blanche for commercial use in 1991 and from then on metastasized into the omnipresent (and increasingly omnipotent) human sidekick we know today. Internet skipped its “first date” with humanity. There were no introductions, nor was there any bashful courting aforehand. In fact, one can safely say that the internet “just happened”. It soon immersed itself in every pore of human existence, from the realm of privacy to the realm of profession, and became the daily tool of both the pauper and peer alike. Only when all the said diverse persons commenced to use it for their equally diverse purposes did it become abundantly clear that the toy was gradually becoming the horse of Troy. The tardy response of the global intelligentsia, accidental or otherwise, left the internet to grow without parental guidance. The internet has grown from a super convenience to the supreme conduit we know today. The vast majority of our thoughts are shared through cyberspace, be it for the purpose of communication or inquiry. Moreover, a considerable portion of us are abandoning existence and are seeking recluse in e-xistence. In other words, the internet’s content has long stopped being benign, and is now comprised of information that can make or break.

In any event, the internet became intertwined with every aspect of the modern civilisation. It transcends classes, borders, oceans and continents. Despite this, it is not regulated by an international code. In fact, it is an inevitable fact that any future international set of regulations pertaining to the internet will precede the adoption of local laws relative to the subject in the case of a vast majority of countries. Although one of the main reasons is an unequal technological development of various states, another equally understandable cause is the fact that the individual legislative bodies of states cannot possibly keep pace with the daily progression of internet content and events which, consequently, means that there is not a chance that states can meet and offer their individual respective contributions to a “global internet law”. In other words, unlike the case of international law, states will have to adopt local laws and even adapt their customs to a certain extent to an imposed global regulation – global internet law. On the brighter side, this fact will find acceptance with those who believe in the unlikely myth that the pyramids were built from top downwards.

Is this course of events detrimental to the future of the “global village”? Can one soundly argue that a fortress can be built from the facade inwards? Can we truly expect the various nations of the world to simply adopt the imposed internet mores and folkways? To put it differently, can one be credible in an attempt to clean his neighbourhood without previously settling his own backyard?

The great Chinese military strategist and politician Zhuge Liang remarked:

First organize the inner, then organize the outer […]

Having quoted Zhuge Liang, let us turn to a recent event in China that took place in December 2017. The Cyberspace Administration of China (CAC), China’s main internet regulator, has organised the 4th World Internet Conference, Wuzhen Summit, at which the Chinese government promotes its concept of “cyber sovereignty”. It should be emphasized that Apple CEO Tim Cook and Google CEO Sundar Pichai attended the event, amongst others.[7] Although the concept of “cyber sovereignty” may be little news to some, it is proper to mention that it is the principle by which a state exercises control over the internet within its borders, including activities pertaining to policy, economy, culture and overall technology.

Can the prospect of state co-governance over the internet lessen the tension caused by the unfathomable scale of the internet and the notorious lawlessness “governing” it?

Major General Hao Yeli[8] eloquently argues in favour of the foregoing:[9]

“Based on the principles of modern international jurisprudence, cyber sovereignty should reflect national rights and responsibilities. No state or government that is responsible and conscientious will ignore the development and security of this new domain. Nor should it reject or obstruct any other countries’ reasonable demands concerning sovereignty and global co-governance. Respect for cyber sovereignty is a prerequisite for international cooperation in this domain, and the basis for the construction of a beneficial cyberspace order.”

Even though the former seems as the ideal solution, at least in theory, another fact regarding the internet may prove to be a serious impediment to the cyber sovereignty thesis.

To begin with, Lawrence Lessig believes that “[a]rchitecture, law, norms and markets together regulate behaviour. Together, they set the terms on which one is free to act or not; together, they set the constraints that effect what is and is not possible. They are four modalities of regulation; they together determine how individuals and states within their scope are regulated.”[10] This means that apart from written statute and market, or social, trends, the very architecture of the internet, its cyber fibre, is a necessary component of its own regulation. Here is the problem; it is the private companies who most significantly contribute to internet’s architecture, not the states. Moreover, there are only a handful of such companies who effectively so contribute. In other words, can one seek effective sovereignty over the internet if he does not command all the requisite tools?  To put it simply, it seems that the prospective belligerents would not be in full control of the battlefield?

The most recent proof of private control of cyberspace, and therefore control over matters relevant to e-xistence can be seen in the ongoing case of Facebook’s Cambridge Analytica scandal. Namely, Facebook’s CEO, Mark Zuckerberg, recently addressed reports by The Observer and The New York Times that were published alleging that London-based firm Cambridge Analytica improperly gained access to the personal data of more than 50 million users.[11] It goes without saying that intelligence is the foundation of power. If intelligence is obviously harvested by private companies, this means that a third party is a necessary ingredient in any notion of a cyber quarrel. How can accountability be determined, and what effective measures can one hope to have at his disposal to prevent such occurrences? If humanity is to be fair, how can it stand by and allow privately held entities such as Palantir and Recorded Future from attaining and processing unimaginative amounts and varieties of personal and other data? What warranties exist to ensure that such data, collected by private enterprises is not forwarded to governmental organizations of certain states?

It is understood that the emphasized difficulties to achieving international cooperation in the domain of cyberspace should not, and definitely must not, discourage sincere and serious attempts to that effect. Recently the Shanghai Cooperation Organisation (SCO)[12] has reported that its member states’[13] experts considered issues pertaining to the creation of a Protected Information and Telecommunications Security System between competent agencies of the SCO Member States, as well as important issues concerning technical cooperation within the SCO framework.[14]

At any rate, borders give humans clarity and security. The human mind, understandably, fears boundlessness as it represents the unknown. Where there is fear, there is impulsive, unpredictable reaction. When unpredictability is espoused with power, mayhem ensues. How can one hope to regulate the boundless and the unknown?

What can mankind hope for with the present scenario in which states have fully operational cyber military capabilities to wage war in a dimension that is not governed by any international legal framework? Can we afford another case of codifying a heinous crime only after it has caused unprecedented damage, as was the case of recognising the crime of genocide after WWII and all previous historical instances thereof?

3. The Intent

Considering the arguments raised thus far, how can one qualify the requisite intent of the assaulter? Although this question will be dealt in greater detail in a following article, it must be mentioned in the context of the issue at hand.

The said absence of an international regulatory framework pertaining to cyberspace leaves us with no choice but to attempt to apply, to the best of our abilities, existing international law to cyber warfare. In this respect, The Tallinn Manual[15] is an example of a comprehensive and noteworthy attempt to ascertain the problem of cyber warfare though existing international law.

One must define the scope of combat. Can a cyber assault, in terms of cyber-warfare, be distinguished as an internal or international act of aggression? The importance of this question is twofold. On the one hand, as Professor Antonio Cassese pointed out, “[c]riminal offences, to amount to war crimes, must also have a link with the international or internal armed conflict”.[16] On the other hand, the ability to clearly grasp the geographical limitations of the cyber operation is an important factor in assessing the intent (mens rea) of the perpetrator. As emphasized in The Tallinn Manual “it may be difficult to ascertain whether a State is controlling a non-State actor’s cyber activities”.[17]

Let us ponder the question of what is a cyber attack. The Tallinn Manual defines a cyber attack as follows:[18]

“A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage to objects.”

According to The Tallinn Manual, “[n]on-violent operations, such as psychological cyber operations or cyber espionage, do not qualify as attacks.”[19] It follows therefore that presently international law considers a cyber attack to be only such attack that results in the manifestation of physical damage. Can a computer database that holds some vital information be considered an “object” in the sense of the cited definition? Although The Tallinn Manual accepts that attacks that cause damage to data can be construed as attacks, nevertheless it seems that the ultimate damage to the material (life or object) is the condition sine qua non for a cyber operation to be qualified as an attack.[20]

International law may require a special intent (dolus specialis, dol aggravé) for certain categories of crimes:

“There is such special intent when an international rule, in addition to requiring the intent to bring about a certain result by undertaking certain conduct (for example, death by killing), also requires that the agent pursue a specific goal that goes beyond the result of his conduct, with the consequence that attainment of such goal is not necessary for the crime to be consummated.”[21]

Bearing in mind the cited quote, let us revisit the cyber attack definition. Namely, it would seem that proving the existence of a special intent in cyber warfare will be a particularly difficult challenge, as it is sufficient that the act of the assaulter can reasonably be expected to cause injury or death to persons or damage to objects. The eventuality of the outcome of the attack gives way to a perilous gray area when assessing the mens rea of the assaulter via cyberspace.

Finally, there is the increasingly pressing question of the role of artificial intelligence (AI) in cyberspace. Thus in the context of assessing intent, lawmakers will be challenged to establish the threshold where human will ends and intelligent automatism begins.

4. Conclusion

Considering the cited particularities of cyber warfare compared to conventional warfare, is it sufficient to apply existing international law or does cyberspace and e-xistence in general warrants its own specific international legal framework?

The status quo seems to be that we are at a constant race with our own invention, the internet. It should seem logical that we should make new rules, as we have an impending new player; artificial intelligence.

Mirko Mrkić, LLM
Attorney at Law
Lecturer of IT Law and Media Law
at the Faculty of Media and Communications,
Singidunum University Belgrade,
Legal Counsellor of Conflux Center

[1] The article was initially published in Anatomy of Cyberwar, a publication of VUZF University and LEDRA College (Dept. of MA in International Relations, Global Economy and Strategic Analysis) and Singidunum University (Dept. of MA in International Relations and Diplomacy) in cooperation with NORAVANK Foundation; 2018
[2] Scientific American – Seeking Address: Why Cyber Attacks Are So Difficult to Trace Back to Hackers, (Author: Larry Greenemeier), published June 11, 2011
[3] NORTON – https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html – A botnet is […] a string of connected computers coordinated together to perform a task. That can be maintaining a chatroom, or it can be taking control of your computer.
[4] NATO – https://www.nato.int/docu/review/2013/Cyber/timeline/EN/index.htm
[5] US Strategic Command – www.stratcom.mil/Media/Factsheets/Factsheet-View/Article/960492/us-cyber-command-uscybercom/
[6] World Economic Forum – https://www.weforum.org/agenda/2016/05/who-are-the-cyberwar-superpowers/
[7] Quartz – https://qz.com/1145637/2017-world-internet-conference-tim-cook-and-sundar-pichais-surprise-remarks/, “SPECIAL GUEST Tim Cook and Sundar Pichai’s surprise remarks at China’s “open internet” conference” Author: Josh Horwitz, 4 December 2017
[8] Major General Hao Yeli, Chinese People’s Liberation Army (ret.), is a senior advisor at the China International Institute for Strategic Society and a senior advisor at the China Institute for Innovation and Development Strategy.
[9] “A Three-Perspective Theory  of Cyber Sovereignty”, Major General Hao Yeli (ret.)
[10] Lawrence Lessig, Architecting for Control: Version 1.0, Keynote given at the Internet Political Economy Forum Cambridge Review of International Affairs, Cambridge, UK (May 11, 2000), p. 4.
[11] CNBC – Mark Zuckerberg says he’s ‘really sorry’ about the company’s data scandal, author: Jillian D’Onfro, 22 March 2018
[12] SCO – http://eng.sectsco.org/about_sco/ – “The Shanghai Cooperation Organisation (SCO) is a permanent intergovernmental international organisation, the creation of which was announced on 15 June 2001 in Shanghai (China) by the Republic of Kazakhstan, the People’s Republic of China, the Kyrgyz Republic, the Russian Federation, the Republic of Tajikistan, and the Republic of Uzbekistan. It was preceded by the Shanghai Five mechanism.”
[13] Ibid.http://eng.sectsco.org/about_sco/ – the SCO comprises eight member states, namely the Republic of India, the Republic of Kazakhstan, the People’s Republic of China, the Kyrgyz Republic, the Islamic Republic of Pakistan, the Russian Federation, the Republic of Tajikistan, and the Republic of Uzbekistan;  the SCO counts four observer states, namely the Islamic Republic of Afghanistan, the Republic of Belarus, the Islamic Republic of Iran and  the Republic of Mongolia; the SCO has six dialogue partners, namely the Republic of Azerbaijan, the Republic of Armenia, the Kingdom of Cambodia, the Federal Democratic Republic of Nepal, the Republic of Turkey, and the Democratic Socialist Republic of Sri Lanka.
[14] Ibid. – http://eng.sectsco.org/news/20170519/271457.html
[15] Tallin Manual on the International Law Applicable to Cyber Warfare, General editor Michael N. Schmitt, Cambridge University Press 2013
[16] Antonio Cassese, International Criminal Law, Oxford University Press 2003, p. 49
[17] Supra, Tallin Manual on the International Law Applicable to Cyber Warfare, General editor Michael N. Schmitt, Cambridge University Press 2013, p. 79
[18] Ibid., Rule 30 – Definition of cyber attack, p. 106
[19] Ibid., the Tallinn Manual assigns this statement to The Federal Ministry of Defence of the Federal Republic of Germany, Humanitarian Law in Armed Conflicts Manual (ZDv i5/2) (1992).
[20] The Tallinn Manual emphasizes that “[a]lthough the Rule is limited to operations against individuals or physical objects, the limitation should not be understood as excluding cyber operations against data (which are non-physical entities) from the ambit of the term attack. Whenever an attack on data results in the injury or death of individuals or damage or destruction of physical objects, those individuals or objects constitute the “object of attack” and the operation therefore qualifies as an attack. Further […] an operation against data upon which the functionality of physical objects relies can sometimes constitute an attack”
[21] Supra, Antonio Cassese, International Criminal Law, Oxford University Press 2003, p. 167