Stop Cyberweapons Now, Tomorrow may be too Late

 

Prabir Purkayastha

Rishab Bailey

 

 This paper presents the need for a treaty to ban cyberweapons and cyberwar, and also to ensure that networks, and in particular the public telecommunications and the Internet networks are not used for offensive military purposes.

 

Why is such a treaty necessary?

Cyberspace is increasingly being militarised and used for offensive military operations. Considering that the Internet is becoming a necessary part of the global information, and communications network this represents a big threat to the future of the world.Damaging a country’s infrastructure systems and networks can result in physical damage to property and people and even loss of life. Such attacks can take down a country’s electrical grid, water and sewage systems, cause flooding by opening dam gates and even set in motion a Bhopal or Fukushima like disaster. Even more worrying, is if one country can control nuclear and other weapons systems of other countries around the world – all of which are operated through computerized control systems.As more and more critical infrastructure resources around the world are maintained and operated through computer control systems, ensuring the security of these installations from targeted attacks is critical. The damage caused by the US and Israel to Iranian centrifuges in Bushehr (using the Stuxnet virus) is only one example of cyber offensive operations. Such attacks on nuclear reactors, dams, hazardous chemical facilities, etc., can cause enormous damage to a country. Edward Snowden has shown how the US and its closest allies (constituting the Five Eyes + Israel) have compromised the entire global network and turned it essentially into a war machine – we now know for instance that the NSA carried out over 230 offensive cyber operations in just one year (2011).[1] Thanks to Snowden we know that the NSA has subverted nearly all the devices that run our and by extension our country’s vital infrastructure. Perhaps the most dangerous part of the surveillance that Snowden has revealed are the Computer Network Exploitations[2]—CNE. These are software implants in other countries’ networks that have the ability not only to tap into the data streams of these networks but also to disable these networks—they are cyber weapons that have been armed and can be activated with just a single command. Fifty thousand such CNE’s have been reported to have been implanted in global telecom networks. The implants persist through software and equipment upgrades and can therefore lie dormant for long periods of time till triggered.Obama’s Presidential Policy Directive 20[3] (which authorizes targets for cyberattacks) clearly shows that foreign networks[4] have been penetrated and their security systems are already compromised. Vital infrastructure of other countries have been pre-targeted and waits only a command to trigger a cyber attack.[5]

The fact that the most powerful and richest nations are devoting increasing resources to defensive and offensive cyberwar capabilities creates a clear imbalance of power and can encourage those powerful states to engage in offensive cyber attacks on others. The attack by the US and Israel on Iran’s Natanz facilities is one example of this.

 

Though it is generally recognized that long standing rules of Customary International Law governing conflict do apply to the area of cyberwarfare[6] as well, there are no treaty provisions that ban or limit cyber warfare.

 

The US use of cyber weapons against Iran[7] is the first instance of the use of a cyberweapon. Various experts have held[8] that it was a huge mistake. The scary figure is the estimation that Stuxnet virus that took down the centrifuges in Natanz would have taken about 100 million dollars to develop — a big sum for an individual or an organization but pocket change for a country. And today, all vital infrastructure in all countries are run by control systems that have “computers” embedded in them and therefore fair targets for such attacks — just as the centrifuges in Natanz are.

 

Bruce Schneier, one of the world’s leading security experts has written[9] on the need for a treaty banning cyberwar, “We’re in the early years of a cyberwar arms race. It’s expensive, it’s destabilizing, and it threatens the very fabric of the Internet we use every day. Cyberwar treaties, as imperfect as they might be, are the only way to contain the threat.”

 

It is not enough that cyberwar be banned, but the ability to wage such forms of war by also banning the development, deployment of cyberweapons must also take place.Due to the nature of the online medium and cyberweapons and cyber attacks, there is a need to update and clarify the norms and laws governing the issues in a binding international treaty.

 

Such a treaty is necessary to inter alia to clarify, the scope of cyberwar, what constitutes cyberweapons, and the actions that may follow in International law to prohibit the development and deployment of cyber weapons. For instance, at what point in time does the right to self-defence start and what are appropriate responses to such an attacks? It will also need to deal with the scope of the application of international humanitarian law / the laws of armed conflict to this domain (and therefore the applicability of important concepts such as the protection of civilians and so on).

 

Demilitarization of the Internet is essential to ensure that the Internet is used for productive purposes rather than an instrument of warfare – it is necessary that this be recognized by states in a binding and enforceable instrument. We already have precedents for such regulation in the form of treaties governing disarmament in outerspace, Antarctica, as well as treaties regulating the use of chemical and biological weapons.

 

What is cyber warfare?

 

There has been much debate about what exactly the term ‘cyberwarfare’ means and the absence of an established definition is one of the first issues that ought to be addressed in any international efforts to demilitarise the Internet. The definition of a cyberwar, much like any traditional war, must rely on the effects of the attack (in any determination of whether a ‘cyberwar’ exists). The only real difference to a traditional use of force (constituting a war) is that such a war is conducted using computers or computer networks – either by damaging networks themselves or by using computers and computer networks to cause damage to objects / people by damaging vital infrastructure and installations.The term ‘cyberattack’ is defined as either “a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects”[10] or as “deliberate actions to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information and/or programs resident in or transiting these systems or networks.[11]We believe that a cyberwar is the launch of a cyberattack by one state against another, using software or code that is intended to: prevent the use of an essential computer network and thereby damage critical infrastructure or substantially impair the ability of essential services to function orcause physical damage to property or people including loss of life, or both.The key issue is the effect that such a weapon – physical damage either by disabling systems, or by making systems behave in a way that causes physical damage. Cyberwar as referred to above refers exclusively to actions carried out against a computer system or network that result in situations that would, if carried out through traditional means, be construed an act of war, with physical harm to people and/or property. In order to constitute cyberwar, the actions must be of such a scale as to constitute a use of force (or threat of a use of force) as required under Article 2(4) of the UN Charter.Accordingly, States must agree to prohibit the creation of software or code that can reasonably lead to cyberwar. Creation of such software or code would constitute weaponisation of software and therefore a cyberweapon. Any international treaty on the subject must prohibit both the development and deployment of such weapons, as well as cyberwar.   Private individuals and organisations cannot be the protagonists in cyberwar though they may commit cyber attacks / cyber crimes. Cyberwar is an issue between sovereign states (even if indirectly acting through intermediaries). However, this will necessitate clarifying, in the context of the Internet, rules regarding the establishment of state responsibilities of which international law already has various precedents.The primary disagreement on the definition of cyber warfare seems to be about whether actions constituting “information terrorism”, disinformation, and so on would constitute cyber warfare.[12] We believe that the primary issue is physical harm and damage being caused to people and property by cyber attacks and any global proscription must be restricted to such issues rather than any attempts to stop the spread of disinformation etc. which could also be construed as ‘divergent’ views and hamper free speech. Cyberwar must also be outlined as different from various other concepts that are often confused such as cybercrime / online crime and cybersecurity, automated weapons and the use of robots, Internet fraud and ID theft, spamming / phishing, spyware / trojans / bots, surveillance, electronic warfare, cyber exploitation etc. While these are all genuine problems concerning the (mis)use of the Internet, they do not constitute cyberwar and must be treated separately.Cyber exploitation and surveillance by and large look to collect data from either the public or government sources by actions which are generally probing in nature, nondestructive, and attempt to remain as low profile as possible. They do not generally cause any physical damage or loss of life and will not usually prevent usage of a computer resource (as this would negate the point of conducting the surveillance in the first place). However, computer network exploitations or “logic bombs” that are capable of taking down telecommunications networks and other vital infrastructure controls would fall under the category of cyberweapons and need to banned under any global agreement.Electronic warfare is broadly understood to mean “military action involving the use of electromagnetic and directed energy to control the electromagnetic spectrum or to attack the enemy”[13] and is clearly different in scope and nature from cyberwar.Broadly speaking, automated weapons defer from cyber weapons as they generally utilise computer technology to enhance the ability of traditional weapons systems. They do not specifically target computer networks or systems. Intelligent weapons (or ones that can learn from their environment and do not necessarily need a human handler) do not generally attempt to destroy computer systems and networks ‘from within’ but use computer systems to enhance their own abilities. Therefore a drone may be automated to fire missiles when certain prearranged conditions are met, but this would not constitute a cyberattack or cyberwar. While such weapons do constitute new threats to global peace and disarmament, they must be dealt with separately as still constituting conventional weapons systems (even if advanced).

 

What is already in place and what is missing?

There are essentially no existing international agreements that would restrain cyber warfare. The Russian government has been pushing for UN treaty to address conflict in cyberspace since 1998, though there has been little movement on this count.

 

The US has so far blocked all attempts to initiate a cyberwar treaty arguing that such a treaty is not enforceable/required (and that it is better to focus on issues of cybercrime), while at the same time steaming ahead with its cyberwar preparations. Some noises have been made from time to time about the willingness to sign a treaty, for instance with Russia around 2010, but no progress has been made.[14]

 

An attempt to examine the applicability of traditional international law mechanisms to the cyber realm was made in 2009. The NATO Cooperative Cyber Defence Centre of Excellence convened an international group of legal scholars and practitioners to examine the issue of how to interpret international law in the context of cyber warfare. The meeting produced a document, known as the Tallinn Manual on the International Law Applicable to Cyber Warfare which is an academic and non-binding study. The document importantly leaves no doubt that the applicability of traditional rules of warfare to the cyber arena.
Some simple measures that would have protected the network of one country from another were proposed to be included in the International Telecommunications Union’s (ITU’s) 2012 International Telecommunication Regulations (ITR’s), which include an article calling for cooperation to improve network security. However, this treaty has not been signed by most developed countries (most notably the USA). Such cooperation could conceivably act as a restraint on some types of cyber attacks, but the scope of the ITU is limited to peaceful use of telecommunications, so it is not clear whether any ITU instrument could in fact constrain cyberwar.

 

Proposals for a treaty or other agreements

International legal frameworks such as the United Nations[15], Council of Europe, NATO[16], Organization of American States[17] and the Shanghai Cooperation Organization have all provided different and often ambiguous legal structures. Despite the importance of the issue, all these bodies have failed to agree to an effective legal framework that can govern all cyberattacks, mainly due to opposition of the USA and its allies.[18]Various proposals to deal with cyberwar have been discussed in the UN on the insistence of Russia, which has moved several resolutions to draw attention to the potential use of cyber technologies for purposes “inconsistent with the objectives of maintaining international stability and security” – notably at the First Committee of the UN General Assembly[19].

So far these efforts have only resulted in the creation of various Expert Groups (which have submitted reports in 2010[20] and 2013[21]). These reports have generated several recommendations, including that States sustain a dialogue regarding “norms of responsible state behaviour” and consider adopting confidence building measures “to help increase transparency, predictability and cooperation”. The 2013 report also included the significant affirmation that “international law, and in particular the Charter of the UN, is applicable [in cyberspace].”, and that “State sovereignty and international norms and principles that flow from sovereignty apply to State conduct of ICT-related activities, and to their jurisdiction over ICT infrastructure within their territory” and that “States must meet their international obligations regarding internationally wrongful acts attributable to them.”

On 27 December 2013, the UN General Assembly unanimously adopted resolution 68/243, in which it took note of the outcome of the 2012/2013 Experts Report and requested the Secretary-General to establish a new Group of Experts that would report to the General Assembly in 2015. The new Group of Government Experts (GGE), with 20 experts, held its first meeting in New York in July 2014, and elected Brazil as the Chair. The Group will have three more meetings in 2015.The First Committee Resolution dated October 18, 2013, directs the establishment of a further Expert Committee with an expanded mandate that would include, in addition to the study of threats and cooperative measures, the issues of the use of information and communication technologies in conflicts and how exactly international law applies to state use of these technologies. This GGE is to begin its work in 2014 and to report its findings to the 70^th session of the General Assembly in 2015.

 

Conclusions

It is clear that the US, which believes it leads the world in cyberwar and cyberweapons capabilities regards all attempts to restrict cyberwar or cyberweapons as unilateral disarmament. In some sense, it is the same issue that came up when nuclear disarmament was discussed in the post-war period. The US, which was the only nuclear power at that time, believed that it would be able to maintain its nuclear monopoly for at least a decade. Though the Truman administration had proposed the Baruch Plan in 1946[22], it had conditions that the US knew the Soviet Union would not accept, and turned down the alternate Soviet proposals for a total ban on nuclear weapons. Not only are the beliefs in such a monopoly dangerous, the dangers of such weapons to the Internet – and its ubiquitous role in almost all spheres of our activities today – are an enormous threat. There has been a talk of balkanisation of the Internet. What is not realised is that the biggest threat to balkanisation comes – not from independent domain names and IP addresses outside the ICANN as argued– but from the threat that such weapons pose to the domestic network of countries. The balkanisation of the Internet would then be seen as a protective measure to the threat of cyberweapons from other networks and countries.We must try and build a broad unity and movement, among not only Internet activists but also the peace and disarmament activists around the world, to ban cyberweapons and cyberwar right now. We have a small window of opportunity to stop cyberweapons. Tomorrow may be too late.Note: This paper has used, as a basis, Sally Burch’s, “Notes on the Need for a Cyber Peace Treaty”, Just Net Coalition, June 2014, available at http://justnetcoalition.org/notes-need-cyberpeace-treaty-english

 

Authors: The authors, Prabir Purkayastha and Rishab Bailey are with Society of Knowledge Commons, India and also a part of the Just Net Coalition.

 

References:·

Tikk-Ringas, Eneken, 2012. Developments in the Field of Information and Telecommunication in the Context of International Security: Work of the UN First Committee, ICT4Peace, http://www.ict4peace.org/wp-content/uploads/2012/08/Eneken-GGE-2012-Brief.pdf··      AM Rutkowski, WA Foster, SE Goodman, Multilateral Cyber Security Solutions: Contemporary Realities, Public Interest Report, Spring 2012, http://www.cistp.gatech.edu/publications/multilateral-cyber-solutions-contemporary-realities··      Scott J. Shackelford, From Nuclear War to Net War: Analogizing Cyber Attacks in International Law, Berkeley Journal of International Law, Vol 27:1, http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CBsQFjAA&url=http%3A%2F%2Fscholarship.law.berkeley.edu%2Fcgi%2Fviewcontent.cgi%3Farticle%3D1368%26context%3Dbjil&ei=BDnXU_ewNsO6uATV9oDoAQ&usg=AFQjCNEgGmPrXRLwDNOfQnsKTaMKqsTvpA&bvm=bv.71954034,d.c2E··      Rex Hughes, A Treaty for Cyberspace, International Affairs 86: 2 (2010) 523–541, http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CB0QFjAA&url=http%3A%2F%2F21stcenturywiener.org%2Fwp-content%2Fuploads%2F2013%2F11%2FA-Treaty-for-Cyberspace-by-Hughes.pdf&ei=5DjXU_2iF4yjugTopYDIAg&usg=AFQjCNFc_iiaG_rVd8NQsuFt-NGzybcewQ&bvm=bv.71954034,d.c2E··      William A. Owens, Kenneth W. Dam, and Herbert S. Lin, editors, Committee on Offensive Information Warfare, National Research Council, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities, http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CBsQFjAA&url=http%3A%2F%2Fwww3.nd.edu%2F~cpence%2Feewt%2FOwens2009.pdf&ei=MDjXU7yRD8O2uATni4DIBw&usg=AFQjCNFOSG-r4Ut6SJ0FmyFL26qLF3NPQA&bvm=bv.71954034,d.c2E··      Shahrooz Shekaraubi, The Wild West of Cyberwarfare, International Policy Digest, February 26, 2014, http://www.internationalpolicydigest.org/2014/02/26/the-wild-west-of-cyberwarfare/··      Colin Crawford, Stuxnet, Cyber Security Conflict, Article 2(4) and the continuum of culpability, http://works.bepress.com/colin_crawford/1/·

• Siobhan Gorman, US Backs Talks on Cyber Warfare, The Wall Street Journal, June 4, 2010,

http://online.wsj.com/news/articles/SB10001424052748703340904575284964215965730?KEYWORDS=cybersecurity&mg=reno64-wsj&url=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB10001424052748703340904575284964215965730.html%3FKEYWORDS%3Dcybersecurity

 

Reading Material:

 

• Resolution of the UN General Assembly at its 58^th Session, A/RES/58/199 dated January 30, 2004
• Prepared by an International Group of Experts
at the Invitation of
The NATO Cooperative Cyber Defence Centre of Excellence, ed. Michael Schmitt, Tallinn Manual on the International Law Applicable to Cyber Warfare, Campbridge University Press, 2013.
• Dr. Hamadoun Toure and the Permanent Monitoring Panel on Information Security World Federation of Scientists, The Quest for Cyber Peace, International Telecommunications Union, January 2011.
• World Federation of Scientists, Erice Declaration on Principles for Cyber Stability and Cyber Peace, August 2009.

 

[1]           http://www.washingtonpost.com/world/national-security/us-spy-agencies-mounted-231-offensive-cyber-operations-in-2011-documents-show/2013/08/30/d090a6ae-119e-11e3-b4cb-fd7ce041d814_story.html

[2]           Report: NSA-planted malware spans five continents, 50,000 computer networks, http://arstechnica.com/tech-policy/2013/11/report-nsa-planted-malware-spans-five-continents-50000-computer-networks/

[3]           http://www.theguardian.com/world/interactive/2013/jun/07/obama-cyber-directive-full-text

[4]           https://www.schneier.com/blog/archives/2013/06/us_offensive_cy.html

[5]                http://www.washingtonpost.com/world/national-security/us-spy-agencies-mounted-231-offensive-cyber-operations-in-2011-documents-show/2013/08/30/d090a6ae-119e-11e3-b4cb-fd7ce041d814_story_1.html Perhaps the most dangerous part of the surveillance that Snowden has revealed, are the Computer Network Exploitations—CNE’s.

[6]           United States set forth its position on the matter in the International Strategy for Cyberspace: “[t]he development of norms for State conduct in cyberspace does not require a reinvention of customary international law, nor does it render existing international norms obsolete. Long-standing international norms guiding State behaviour—in times of peace and conflict—also apply in cyberspace”. White House Cyber Strategy at 9. Also refer to the Tallinn Manual on the International Law Applicable to Cyber Warfare, Prepared by the International Group of Experts
at the Invitation of
The NATO Cooperative Cyber Defence Centre of Excellence, ed. Michael Schmitt, Cambridge University Press, 2013.

[7]
Prabir Purkayastha, Stuxnet and now Flame: The US and Israel Continuing Cyber War against Iran

http://newsclick.in/international/stuxnet-and-now-flame-us-and-israel-continuing-cyber-war-against-iran

[8]    http://www.networkworld.com/article/2189472/security/stuxnet-cyberattack-by-us-a–destabilizing-and-dangerous–course-of-action–security-expert.html

[9]    Bruce Schneier, Cyberwar Treaties, https://www.schneier.com/crypto-gram-1206.html#2

[10]         Rule 30 of the Tallinn Manual on the International Law Applicable to Cyber Warfare, Prepared by the International Group of Experts
at the Invitation of The NATO Cooperative Cyber Defence Centre of Excellence, ed. Michael Schmitt, Cambridge University Press, 2013.

[11]         William A. Owens, Kenneth W. Dam, and Herbert S. Lin, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities, http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CBsQFjAA&url=http%3A%2F%2Fwww3.nd.edu%2F~cpence%2Feewt%2FOwens2009.pdf&ei=MDjXU7yRD8O2uATni4DIBw&usg=AFQjCNFOSG-r4Ut6SJ0FmyFL26qLF3NPQA&bvm=bv.71954034,d.c2E

[12]         While the US government mostly takes on an objective-based definition of cyberthreats, the Shanghai Cooperation Organization, on the other hand, adopts a more expansive means based definition of cyberwarfare to include the dissemination of information to undermine political, economic and spiritual stability in a country. Tom Gjelten, Seeing the Internet as an Information Weapon, NPR, September 23, 2010, http://www.npr.org/templates/story/story.php?storyId=130052701. This difference is illustrated for instance when members of the Shanghai Cooperation Organisation in September 2011, proposed to the UN Secretary General a document called “International code of conduct for information security”. This approach was not endorsed by western countries who argued that this approach would lead to political censorship of the Internet. See http://en.wikipedia.org/wiki/Cyberwarfare

 

[13]         See generally US Department of Army, Field Manual 3-36, Electronic Warfare in Operations 1-4 (Feb. 25, 2009), available at http://www.e-publishing.af.mil/shared/media/epubs/afdd3-12.pdf. cf. Colin Crawford, Stuxnet, Cyber Security Conflict, Article 2(4) and the continuum of culpability, http://works.bepress.com/colin_crawford/1/. The Tallinn Manual defines electronic warfare as “The use of electromagnetic (EM) or directed energy to exploit the electromagnetic spectrum. It may include interception or identification of EM emissions, employment of EM energy, prevention of hostile use of the EM spectrum by an adversary, and actions to ensure efficient employment of that spectrum by the user-State.”

[14]         Siobhan Gorman, US Backs Talks on Cyber Warfare, The Wall Street Journal, June 4, 2010,         http://online.wsj.com/news/articles/SB10001424052748703340904575284964215965730?KEYWORDS=cybersecurity&mg=reno64-wsj&url=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB10001424052748703340904575284964215965730.html%3FKEYWORDS%3Dcybersecurity

[15]         http://www.itu.int/ITU-D/cyb/cybersecurity/docs/UN_resolution_58_199.pdf

[16]         http://www.ccdcoe.org/249.html      [16]

[17]         http://www.oas.org/juridico/english/cyb_pry_strategy.pdf

[18]             Shahrooz Shekaraubi, The Wild West of Cyberwarfare, International Policy Digest, February 26, 2014, http://www.internationalpolicydigest.org/2014/02/26/the-wild-west-of-cyberwarfare/

[19]         The issue was taken up at the 68^th Session of the 1^st Committee, and the resolution titled “Developments in the field of information and telecommunications in the context of international security”, A/C.1/68/L.37,is available at http://www.un.org/ga/search/view_doc.asp?symbol=A/C.1/68/L.37.

Also see http://www.un.org/News/Press/docs/2010/gadis3419.doc.htm, http://www.un.org/News/Press/docs/2009/sgsm12108.doc.htm, and more generally http://opencanada.org/features/the-think-tank/comments/cyber-security-takes-the-floor-at-the-un/

[20]         Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, A/65/201, http://www.un.org/disarmament/topics/informationsecurity/

[21]         Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, A/68/98, http://www.un.org/disarmament/topics/informationsecurity/

[22]   Joshua Williams, The Quick and the Dead, http://carnegieendowment.org/2005/06/16/quick-and-dead/eg7