Definition of the month #07: Cyberattacks

DEFINITION OF THE MONTH #07 - “This is really a war — with offense on one side, and institutions, organizations and schools on the other, defending against an unknown adversary” (1) said Mr. Ben-Oni, the Chief Security Officer at IDT Corp, a telecom company severely hit by the ransomware attack last May. As cyberattacks are increasing at an unprecedented rate, the threat they embody is put at the forefront of security concerns. This article will attempt to untangle the complexity of cyberattacks and their legal ambiguity, and discuss the implications of considering them genuine unconventional acts of warfare. The article’s aim is to invite the reader to ponder the need to create an international legal framework for cyberspace. Finally, this article considers potential routes forward, such as a transnational convention on cybersecurity that does not threaten one’s personal liberties online.

The underlying assumption of this article is the belief that cyberspace is indeed the new battlefield and ought to be considered as such by states and non-political actors in order to face the realities of the world we live in. Indeed, according to the Pentagon, which formally recognizes it as a new domain of warfare (2), cyberspace is now akin to land, space and sea.

 


credits: amazingmantra

 Definitions

There is no unique and internationally recognized definition of cyberattacks per se. However, in our latest article related to cyberattacks, we defined them in consequentialist terms, by looking at the cyber act in terms of its aim. As Ann Hathaway, a scholar on this topic, opines, when “any aggressive action taken by a state actor in the cyber domain” has aspirations that are political or relate to a national security purpose, the cyber act can be called a “cyberattack” (3). As M. Gervais, a Berkeley professor, explains, a cyberattack is defined by a “deliberate disruption or corruption by one state of a system of interest to another state”: the “target state” (4). For instance, Russia’s interference in the last presidential election in the United States serves as an epitome of such a threat and reveals the salience of this issue. Given the lack of a clear definition, it is hard to draw a line between cyberattacks and other cyber acts such as espionage or sabotage, which can be associated with cybercrimes perpetrated by non-state private actors (5). It is important to note that the media tends to use the term “cyberattack” freely even when the political aspirations of the act have not been verified.

 

The rise of cyberattacks

It is undeniable that the internet and cyberspace (which refers to the virtual world of computers and describes their associated global network (6)) offer in themselves new avenues for malicious acts. Yet what is the appeal of such attacks?

First of all, they are cost-effective insofar as they can be undertaken remotely and with very little risk of repercussion since they operate anonymously. This entails that cyber-attacks are by nature asymmetric. Indeed, the low cost of computing devices compared to expensive traditional weapons means that cyber attackers or hackers do not have to build expensive weapons to pose a genuine threat to state actors (7). A few computers suffice to jeopardize the operations of an economy, steal confidential information and threaten a country’s global logistics network.

Moreover, they offer a myriad of possible targets and thus increase the range of attacks (8). The latest Petya (or non-Petya) cyberattack of June 27th (9) showcases the range of attacks possible. From stopping the metros in Kiev to impeding the smooth operations of factories and hacking the Ukrainian government’s computer systems, attacks can spread internationally without any repercussion and cause havoc on a global scale (10).

In addition, cyberattacks are increasingly used due to their “own developmental weaknesses” (11). In other words, unlike traditional provocations, they do not come hand in hand with retaliatory acts. It is this low associated cost that attracts hackers. In fact, evidence is mounting that the responsible agents behind the recent Wannacry cyberattack in May that affected more than 150 countries and 300 000 individuals’ computers are a group of extremely well trained North Korean hackers (12). There is no need for a sophisticated conventional military arsenal if a country masters the art of cyberattacks.

 

What consequences for civilians?

 

While cyberattacks are steadily on the rise, their political aspirations are still to be explored and understood. In my latest article, I exposed the threats that cyberattacks embody; the most mind-boggling being their influence on democratic processes and a country’s vital institutions such as the NHS, which was paralyzed by the last Wannacry cyberattack (13). Such attacks do not cause mass casualties and deaths, yet they have the capacity to jeopardize an entire society. In fact, their direct or indirect impact on innocent civilians is undeniable. Several questions arise. With such destructive power, can cyberattacks be compared to weapons of war that disrupt peaceful relations between states? Given the danger they embody, should they be grounded in a legal framework? Should states be obliged to follow legally binding rules and be allowed to act in self-defense if an imminent cyber threat were to arise?

 

The legal conundrum of cyberwar

 

If we were to answer positively to all the former questions, then cyberattacks ought to be recognized as tantamount to acts of warfare. Yet, in the evolving context of new technologies, cyberattacks raise difficult line-drawing problems. Indeed, for them to be considered as non-conventional weapons of war they need to be theoretically grounded in a war framework. Yet, many challenges arise in the process of defining cyberwarfare.

 

A complex task

 

First and foremost, problems of attribution and establishing responsibility arise. Indeed, in traditional warfare, legal combatants (14) are identifiable in a straightforward manner. In contrast, with cyberattacks, “it is not always possible to discern quickly or accurately who launched or directed an attack” (15). In fact, the only certainty regarding the latest cyberattacks is that the origin of the malware comes from leaked NSA hacking tools, but the malicious actors behind it are unknown (16). Thus, a question will often be left unanswered: who is to be blamed and thus legally responsible for the wrongful act?

In addition to this technical problem, legal complications arise. Indeed, if cyberattacks are to be considered as acts of war then should they be considered as genuine “use of force”? If so, then cyberattacks could be integrated into international law and prohibited under the UN Charter Article 2(4): “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state”(17). However, this entails even greater legal implications. Indeed, the factual bases for asserting or contesting a violation of Article 2(4) and claiming the right of armed self-defense under Article 51 “will be subject to great uncertainty, debate, opacity, and lack of verifiability” (18). How can states claim self-defense if the originators are unknown or uncertain?

Moreover, the "movements" and "terrain" of cyber-warfare can be dispersed across global information networks and will often be carried out on private infrastructure. Hence, cyberattacks involve private entities which cannot have recourse to the legal procedure of self-defense as stipulated by the UN Charter. Indeed, cyberattacks entail the “move from state-actors to private actors”, which departs from the parties of conventional warfare (19). Thus, to conceptualize cyberattacks as genuine acts of war presupposes a redefinition of the traditional legal concept of war. Some believe that the international legal framework should overcome these complications and adapt to the modern world we live in.

 

Towards an evolution of the legal framework of war?

 

Indeed, the other school of thought claims that the difficulties are not a barrier; rather, cyberattacks have to be defined and recognized as non-traditional acts of war. Acts of war are traditionally confined to means associated with “force, violence and lethality” (20), which lies in stark contrast with the unpalatable nature of cyberattacks. Hence, as John Stone, a Senior Lecturer in War Studies at King’s College London, posits: “we encounter a definitional problem because the means of war and warfare tools” have not evolved and adapted to the modern world we live in and are “under-specified”. For cyberattacks to be considered as warfare we need to depart from the traditional characterization of war as implying “physical force” and acknowledge their “bloodless nature” (21). Violence does not have to be synonymous with human casualties but rather with coercion, destruction and obstruction of peace. In fact, this approach is adopted by the ICRC, which has claimed since 2011 that the “employment of cyber capabilities in armed conflict must comply with all the principles and rules of IHL, as is the case with any other weapon, means or method of warfare”. Such an approach argues that the cyber battlefield can no longer remain lawless.


Beyond the traditional legal framework

 

Putting aside the question of whether cyberattacks are tantamount to acts of war, they ought to be regulated and taken seriously given their innumerable occurrences and unquestionable damage. Indeed, the technical barriers should not prevent legal scholars and the international community from regulating the cyber battlefield and imposing constraints. The inclusion of cyberattacks into the traditional international law of war regime (jus in bello) is not a prerequisite for their regulation and associated penalties. In fact, most cyberattacks do not unfold in a context of war. Yet, given the recurrence of cyberattacks and their harmful consequences for the political order and for citizens, many people call for legislation on such new “weapons”. A transposition ought to be found for non-conventional warfare.

 

A wake-up call for regulation

 

Many institutions and individuals have called for a transposition of a legal framework to cyberspace. For instance, Microsoft is strongly advocating for the creation of a Digital Geneva Convention (22). The latter would regulate and allow the monitoring of the use of new devices that are used as weapons by imposing new legally binding laws. It would also aim to reduce the number of victims and ensure that states engaging in cyber-attacks would be punished adequately and dissuaded from undertaking malware hacking. Moreover, this modern convention implies the increasing need to involve third parties as mediators, such as technology companies, that ensure the convention’s implementation, “just as the Fourth Geneva Convention recognized that the protection of civilians required the active involvement of the Red Cross” (23). Thus, a preventive and dissuading paradigm needs to be adopted. This can be reached in a myriad of ways that have hitherto been overlooked.

 

Finding a balance between regulation and liberty

 

Regulating cyberspace for the sake of security “does not mean it should be wrapped in red tape” (24) and impede personal freedoms. Indeed, openness online is as invaluable as the innovation stemming from it. A holistic approach needs to be adopted “combining technology, policy, education and human oversight”, which requires collaborative action. The international community ought to recognize the importance of an international regime of laws regulating cyberspace. As of right now, only the Tallinn Manual exists: a non-binding report on how international law applies to cyberwarfare (25), written by a group of experts mandated by NATO. They claim that although the techniques and technology employed in times of war have evolved in our modern world, international humanitarian law still applies and ought to be respected by states.

As we know, the two latest cyberattacks (Wannacry and non-Petya) have caused havoc due to a leak of hacking tools from the NSA. Although leaks can sometimes shed light on unknown practices, they can also jeopardize the security of a nation. In fact, Golan Ben-Oni, the global chief information officer at IDT, which was hit by the attack in April that used the NSA’s hacking tools (26), is pleading for the NSA to “take a leadership role in working closely with security and operating system platform vendors such as Apple and Microsoft to address the plague that they’ve unleashed”. Regulation is necessary to avoid a cyber “arms race”. Indeed, according to Julian Assange, the WikiLeaks founder, a parallel can be drawn between the proliferation of conventional weapons and the non-conventional weapons of cyberspace as “there is an extreme proliferation risk in the development of cyber ‘weapons’ which results from the inability to contain them combined with their high market value” (26).

 

This article has aimed to spark a debate regarding cyberattacks despite the lack of a universal definition. Given the context of rising cyberattacks, it is now urgent that the international community adapts to the new battlefield we are confronted with. Cyberspace ought to be embedded in a legal framework. Regulations will serve many purposes. Indeed, an internationally binding convention could not only make offenders legally accountable but could also protect potential victims and safeguard their private liberties. Putting aside the complex question of considering cyberattacks as synonymous with international wrongful acts of illegal use of force, they ought to be prevented. This task presupposes that the international community and legal scholars redefine the traditional conceptualization of warfare and adapt to the new technological era. If not lawfully regulated, cyberattacks will continue to spread globally. This view is embraced by Brad Smith, the President of Microsoft, who urges the international community to “take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world” (27).

 

By Gabrielle Dorey, research assistant at CIPADH

Works cited: 

1. New York Times, “A Cyberattack the World Isn’t Ready For”, Nicole Perlroth, 22nd June 2017

Available at: https://www.nytimes.com/2017/06/22/technology/ransomware-attack-nsa-cyberweapons.html?partner=rss&emc=rss&_r=0

2. Foreign Affairs, “Defending a New Domain” by William J. Lynn III, 2010

Available: https://www.foreignaffairs.com/articles/united-states/2010-09-01/defendi...

3. Hathaway, Crootof. “The Law of Cyber-Attack”, Yale Law School, 2012.

Available on: http://digitalcommons.law.yale.edu/cgi/viewcontent.cgi?article=4844&cont...

4. Michael Gervais, Berkeley Journal of International Law, Cyber Attacks and the Laws of War, 2012

http://www.rand.org/content/dam/rand/pubs/monographs/2009/RAND_MG877.pdf

5. Hathaway, Crootof. “The Law of Cyber-Attack”, Yale Law School, 2012.

Available on: http://digitalcommons.law.yale.edu/cgi/viewcontent.cgi?article=4844&cont...

6. Christensson, Per. "Cyberspace Definition." TechTerms. 2006

available at: https://techterms.com/definition/cyberspace.

7. Foreign Affairs, “Defending a New Domain”

8. Clarke, Richard A., & Knake, R.K. 2012, Cyber war: the next threat to national security and what to do about it, 1st. Ecco pbk. edn, Ecco, Enfield; New York.

9. Le Figaro, “Une cyberattaque mondiale frappe des entreprises et des administrations”, 28 June 2017

Available at:

http://www.lefigaro.fr/secteur/high-tech/2017/06/27/32001-20170627ARTFIG00256-de-grandes-entreprises-dont-saint-gobain-en-france-victimes-d-une-importante-cyberattaque.php

10. New York Times, “Cyberattack Hits Ukraine Then Spreads Internationally”, 27/06/2017

Available at: https://www.nytimes.com/2017/06/27/technology/ransomware-hackers.html?ribbon-ad-idx=3&src=trending&module=Ribbon&version=context&region=Header&action=click&contentCollection=Trending&pgtype=article

11. Foreign Affairs,  Jarno Limnéll, Thomas Rid “Is Cyberwar Real?”, 04/2014

Available at: https://www.foreignaffairs.com/articles/global-commons/2014-02-12/cyberwar-real

12. Foreign Policy, B. Moore, J. R. Corrado, “North Korea Proves You Barely Need Computers to Win a Cyberwar”,  06/06/2017

http://foreignpolicy.com/2017/06/05/north-korea-proves-you-barely-need-computers-to-win-a-cyberwar/

13. The Guardian, “NHS cyber-attack causing disruption one week after breach”, 19/05/2017

14. Geneva Conventions and their first 1977 Additional Protocols

More information on the ICRC’s “The Practical Guide to Humanitarian Law” available at: http://guide-humanitarian-law.org/content/article/3/combatants/

15. Yale Journal of International Law, Matthew C. Waxman, “Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4)”, 2011

Available at:

http://digitalcommons.law.yale.edu/cgi/viewcontent.cgi?article=1403&context=yjil

16. New York Times, “Cyberattack Hits Ukraine Then Spreads Internationally”

17. UN Charter

Available at: http://www.un.org/en/sections/un-charter/chapter-i/

18. Yale Journal of International Law, Matthew C. Waxman, “Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4)”, 2011

19. How to integrate individuals into international law? Thomas Rid, Ben Buchanan “Attributing Cyber Attacks”, Journal of Strategic Studies, volume 38, 2015.

20. Thomas Rid, “Cyber War Will Not Take Place”, Journal of Strategic Studies, 05/2011

21. John Stone, “Cyberwar will take place!”, Journal of Strategic Studies, 11/2011

22. Ibid.

23. Microsoft, “The need for a Digital Geneva Convention”, February 2017. Available on: https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/#Mm2KdBzHjZAsHutd.99

24. Ibid.

25. The Economist, “Terror and the internet”, 10/06/2017

26. Tallinn Manual. More information available at: https://www.icrc.org/eng/resources/documents/faq/130628-cyber-warfare-q-and-a-eng.htm

27. New York Times, “A Cyberattack ‘the World Isn’t Ready For’”

28. Wikileaks, “Cyber Weapons, the new arms race”.

Available on: https://wikileaks.org/hackingteam/emails/emailid/604766

29. Microsoft, Brad Smith, The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack. 14th of May 2017

Available on https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collect…

 

Bibliography:

 

Newspaper articles:

Forbes, Lisa Brownlee, “Why cyberwar is so hard to define”, 07/2015

Available at: https://www.forbes.com/sites/lisabrownlee/2015/07/16/why-cyberwar-is-so-hard-to-define/#3cecb59031f1

 

Foreign Affairs,  Jarno Limnéll, Thomas Rid “Is Cyberwar Real?”, 04/2014

Available at: https://www.foreignaffairs.com/articles/global-commons/2014-02-12/cyberwar-real

 

Foreign Policy, B. Moore, J. R. Corrado, “North Korea Proves You Barely Need Computers to Win a Cyberwar”,  06/06/2017

Available at: http://foreignpolicy.com/2017/06/05/north-korea-proves-you-barely-need-computers-to-win-a-cyberwar/

 

Le Figaro, “Une cyberattaque mondiale frappe des entreprises et des administrations”, 28 June 2017

Available at:

http://www.lefigaro.fr/secteur/high-tech/2017/06/27/32001-20170627ARTFIG00256-de-grandes-entreprises-dont-saint-gobain-en-france-victimes-d-une-importante-cyberattaque.php

 

New York Times, “A Cyberattack the World Isn’t Ready For”, Nicole Perlroth, 22/06/2017

Available at: https://www.nytimes.com/2017/06/22/technology/ransomware-attack-nsa-cyberweapons.html?partner=rss&emc=rss&_r=0

 

New York Times, “The Hackers Who Made the Global Cyberattack Possible”, 05/2017 Available at: https://www.nytimes.com/video/world/100000005098901/cyberattack-shadow-brokers-north-korea.html

New York Times, “Cyberattack Hits Ukraine Then Spreads Internationally”, 27/06/2017

Available at: https://www.nytimes.com/2017/06/27/technology/ransomware-hackers.html?ribbon-ad-idx=3&src=trending&module=Ribbon&version=context&region=Header&action=click&contentCollection=Trending&pgtype=article

 

The Economist, “Terror and the internet”, 10/06/2017

Available at: http://www.economist.com/news/leaders/21723110-legal-restrictions-must-be-proportionate-and-thought-through-tech-firms-could-do-more-help

 

The Guardian, “NHS cyber-attack causing disruption one week after breach”, 19/05/2017

 

Academic journals:

GERVAIS, Michael. Berkeley Journal of International Law, Cyber Attacks and the Laws of War, 2012

http://www.rand.org/content/dam/rand/pubs/monographs/2009/RAND_MG877.pdf

 

HATHAWAY, Crootof. “The Law of Cyber-Attack”, Yale Law School, 2012.

Available on: http://digitalcommons.law.yale.edu/cgi/viewcontent.cgi?article=4844&cont...

WAXMAN, Matthew C. Yale Journal of International Law, “Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4)”, 2011

 

RID, BUCHANAN, How to integrate individuals into international law? “Attributing Cyber Attacks”, Journal of Strategic Studies, volume 38, 2015.

 

RID, T.  “Cyber War Will Not Take Place”, Journal of Strategic Studies, 05/2011

                             

STONE, J. “Cyberwar will take place!”, Journal of Strategic Studies, 11/2011

RODRIGUEZ, Sonia. “LA DÉFINITION DU MOIS #02 - LA GUERRE”

Available at: http://www.cipadh.org/fr/la-d%C3%A9finition-du-mois-02-la-guerre

 

Others:

 

ICRC, “International humanitarian law and the challenges of contemporary armed conflicts”

Available at: https://www.icrc.org/en/document/international-humanitarian-law-and-challenges-contemporary-armed-conflicts

 

Microsoft, Brad Smith, The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack. 14th of May 2017

Available on https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collect…

 

Tallinn Manual. More information available at: https://www.icrc.org/eng/resources/documents/faq/130628-cyber-warfare-q-and-a-eng.htm

 

Wikileaks, “Cyber Weapons, the new arms race”.

Available on: https://wikileaks.org/hackingteam/emails/emailid/604766

 

 
