By LTjg Christopher Bertke
How do we translate the Law of Armed Conflict into a digital world?
As warfare has changed throughout the ages, the weapons, means and ethics have also changed. It is widely agreed that wars are not, and should not be, waged as they were at the advent of steel or gunpowder. With sophisticated weaponry and software, the battlefield is slowly shifting from a physical one to a digital one. Why waste a missile to shoot down an enemy missile when you can simply tap into its software remotely and turn it off? This example is an extreme one, but it is not completely irrelevant. As reported by USA Today, “records obtained by USA TODAY through the Freedom of Information Act, show DOE components reported a total of 1,131 cyberattacks over a 48-month period ending in October 2014. Of those attempted cyber intrusions, 159 were successful” (Reilly, 2015).
Going back to how warfare is changing, it seems to be morphing into a war on information. Bank account numbers, security access, private citizens’ patents, defense contract information, and even nuclear launch codes are all stored digitally somewhere. Just as the Laws of War for active conflict have changed, the laws governing cyberwarfare must also change. Existing, overarching guidelines should be rewritten as laws that merit a physical response if necessary.
RELATION TO US
How we justify war matters. Currently, the only way to justify active conflict is if it is in defense of the nation’s assets or territory from similar active, physical threats. There are not many doctrines that clearly determine the rules for physical engagement following a cyber-attack.
During Bush’s time as president, the presidency proposed a doctrine called “Bush’s Doctrine.” It justified the use of force if the “defending” nation knows it will be attacked. This could become hypocritical very quickly. If one nation puts on a display of power off the coast of Korea, for instance, this could be seen as a threat and allow the nation to respond. This could create an accidental war (or even purposely cause one).
With an increasingly wired world and defense network, many governments and private citizens of multiple countries have the capability to launch sophisticated cyberattacks. The Laws of War and Laws of International Conflict were not written with cyberspace in mind. Such things did not even exist yet. Patrick Lin states that there is a gap in policy, but also that there is a larger gap between developing the ethics behind the policies (Patrick Lin, Rowe, & Allhoff, 2012).
Do laws exist for cyber-attacks? Well, not really. Returning to the attacks on the US Energy Department, let us say that a Denial of Service (DoS) attack was successful and shut down power to the grid section supplying the Pentagon. How would the government respond? If we pinpointed the attack, are we allowed to react physically? The U.S. National Research Council has tried to answer these questions in the past, but other countries are less than willing to look at law regarding the “free” internet.
It is written and well understood that the only just cause for entering war with another body is defense against an aggressor’s attack. This is a good definition, but aggression is understood to imply human lives are in danger or threatened. This makes it hard to justify an armed response to a cyber-attack that may not cause direct harm to anyone the way a conventional weapon would. Furthermore, how could the United States prove that the IP address that initiated the attack belonged to a foreign state’s military or government? IPv4 (the current addressing protocol used on the web) has its limits, and the same IP address could be found in multiple locations. It could easily have been a private citizen just trying to ruffle feathers. The Atlantic published an article that states “it may be difficult to distinguish an attack from espionage or vandalism, neither of which historically is enough to trigger a military response” (Patrick Lin, Rowe, & Allhoff, 2012). This is true. In no sense has the US gone to war over simple vandalism. Even during the Cold War, when espionage was popular, it still remained a “cold” war after spies were captured. Some acts could easily be seen as aggression, however. Is merely installing malicious software on a network an act of aggression? Or is it simply judged by the intent to do harm? This could be compared to installing a landmine. It’s not currently hurting anyone… but could easily be triggered to do so.
A DoS attack on a military network could interfere with an ongoing scenario. A power grid shutting down could be construed as targeting civilians and infrastructure. A lesser but still serious case was the denial-of-service cyberattacks on media-infrastructure websites in the country of Georgia in 2008, which prevented the government from communicating with its citizens (Reilly, 2015).
Discrimination must exist in armed conflict for it to be considered just. We must minimize collateral damage whenever possible. It’s clear that hacking a certain computer and aiming a DoS attack at civilian versus military power grids could be discriminatory. “If victims use fixed Internet addresses for their key infrastructure systems, and these could be found by an adversary, then they could be targeted precisely.” (Lin, 2012). Computer viruses are just that… viruses. They cannot be controlled just as a biological weapon cannot be controlled.
America isn’t just a victim either. For example, it is believed that the Stuxnet Worm of 2010 was created by the US government to target programmable logic controllers in Iran. Using a USB drive, the worm found its way into the nuclear facilities in Iran and shut them down. This eventually trickled into the civilian industry and started affecting industries in Germany, India, Malaysia, and Denmark (Schneier, 2010). It didn’t act criminal, but certainly acted on a specific target, and worked. The “Doctrine of Double Effect” could be used here. The collateral, civilian market damage was indeed unintended, but again, a DoS attack on a power grid could leave millions without means to store food, which could lead to starvation. Is this an attack on a nation’s infrastructure, or the civilians themselves?
If China hosts a computer virus that kills an American power grid serving 10 million people and 2 million die from various reasons, is it just to launch a nuclear missile on a town of 2 million people in China? The proportionality of war must be conserved here, too. A small cyberattack shouldn’t be answered with a militarized force, but where is the line drawn? Are human lives, lost capital, or seized assets the equalizer medium in which we assign the proportionality? “A single malfunction in software can cause widely varied symptoms; thus a victim may think they have been harmed more than they actually have, motivating a disproportionate counterattack.” (Allhoff, 2012).
Possibly the most important aspect of cyberwarfare, attribution determines what targets are legitimate. The principle of attribution is to clearly identify attackers, defenders, neutrals, and innocents. Just as terrorism ignores this principle, cyberwarfare potentially does as well. This increases the risk of collateral damage if the attacked party were to react. For example, we can look back to the Stuxnet virus’s lack of attribution. Nothing was really done in reaction to the release of the virus. The attackers remained silent. Doing so made Iran unable to counterattack.
Attribution must be used to let nations place blame and counterattack. There will need to be international agreements similar to (if not appended to) the Geneva Conventions’ list of laws in armed conflict. This would be the best way to hold nations accountable. Using IPv6 is one way to make attribution easier. IPv4 has only 4 billion address combinations, while IPv6 has 4 times the amount (Beal, 2010). It would give each computer, phone, tablet, server, or satellite a specific, unique address over the entire Earth.
The principle of perfidy concerns deception that deliberately breaches the trust under which armed conflict is fought. Examples of this in armed conflict include misusing the Red Cross, pretending to be a civilian, or pretending to surrender and then attacking an enemy once within range. Perfidy does not translate well into the digital world unless we clearly determine which targets are illegitimate. While some methods of deceit are OK (luring to an ambush, misinformation, camouflage), how does one ethically lure an enemy to “click on this banner to win $1000!”? We see these banners on the internet all the time. Why not use them to deploy an infrastructure-crippling virus? If killing with any poison is highly illegal in war (Allison & Goldman, 2011), even ones that are more humane than gunshots to the body, justifying all means of cyberattack becomes difficult. With these existing paradoxes in armed conflict, one could assume that the digital guidelines for perfidy will not be clearly explained any time soon.
If a cyber war were waged, responsibility for the damage caused by the waging parties must be assigned. Even in armed conflict, once a victor has been “chosen”, both sides hold responsibilities to stabilize the region and regain composure. Once there has been a “cessation of hostilities” in a cyber war, who picks up the damage? This war could be fought 10,000 miles away with 10,000 computers and no loss of life recorded. Patrick Lin argues that this is morally superior to armed conflict. When damage done is to data or programs, the originals may be restorable perfectly from backup copies, something that has no analogy with guns and bombs (Patrick Lin, Rowe, & Allhoff, 2012). Then what is the point? If it is simply a battle for information, there arguably isn’t a need for a Law of Digital Conflict.
While most of the scenarios outlined in this paper are hypothetical, some have actually happened. In a growing digital world where everything is being connected, rules need to be internationally agreed upon to prevent (or aid) attacks on data stores and digital systems. The “free” internet is becoming less free and more restricted as we see more confidential data being stored in clouds and servers. This will help protect the privacy of each nation’s citizens and ensure that a more cruel method of warfare is not born without rules.
Allison, E., & Goldman, R. K. (2011). Illegal or Prohibited Acts. Retrieved from Crimes of War.
Beal, V. (2010, January 10). Differences Between IPv6 and IPv4? Retrieved from webopedia: http://www.webopedia.com/DidYouKnow/Internet/ipv6_ipv4_difference.html
Lin, P., Rowe, N., & Allhoff, F. (2012, June 5). Is it Possible to Wage a Just War? Retrieved April 1, 2016, from The Atlantic: http://www.theatlantic.com/technology/archive/2012/06/is-it-possible-to-wage-a-just-cyberwar/258106/
Reilly, S. (2015, September 11). Energy Dept Struck by cyber Attacks. Retrieved from USA Today: http://www.usatoday.com/story/news/2015/09/09/cyber-attacks-doe-energy/71929786/
Rowe, N. C. (2007). Ethics of Cyber Attacks. In A. Colarik, & L. Janczewski, Cyber War and Cyber Terrorism. Hershey, PA: The Idea Group.
Schneier, B. (2010, October 7). The Story Behind the Stuxnet Virus. Retrieved April 1, 2016, from Forbes: http://www.forbes.com/2010/10/06/iran-nuclear-computer-technology-security-stuxnet-worm.html
Christopher Bertke is a Naval Officer attending the Cryptologic Warfare Officer Basic Course at Corry Station, Pensacola.