In June 2010, software programmer Sergey Ulasen was working for a small Belarusian anti-virus company when he discovered a computer worm, soon to be known as Stuxnet. Although a common hazard for the casual PC user, this particular worm revived a definitional debate on the meaning of war and conflict, and prompted discussion on the deployment of operational strategies by states in cyberspace.
Stuxnet differed from other worms on two aspects.First, it inflicted damage on critical infrastructure by targeting a particular configuration of a specific type of industrial-control system, as opposed to simply causing disruption by breaching information security components. Second, the actor who engineered the worm may not be an individual or even a group of individuals, but sovereign states.
As the United Nations is about to vote on a new binding treaty on telecommunication, can a normative solution to state-sponsored cyber attacks bring peace to cyberspace?
Three months after Ulassen discovered the Stuxnet worm, multiple security firms independently came to the conclusion that the target of the worm was an industrial control facility; it aimed at destroying Iranian nuclear centrifuges. Although Iranian officials initially denied that the worm had affected its nuclear plant, a report from the International Atomic Energy Agency noted that 984 centrifuges had been taken offline at Iran’s Natanz plant between June 2009 and June 2010. Additionally, Iran’s President Mahmoud Ahmadinejad announced at a press conference in November 2010 that “they [enemies of Iran] succeeded in creating problems for a limited number of our centrifuges with the software they had installed”.1 For some security experts, this was sufficient proof that the worm had caused physical damage to the centrifuges.
Not only was the worm destructive, it was elaborate; it had tricked the monitoring system by feeding it with previously recorded values from the sensors while the attack was taking place. The technical knowledge required to programme such a worm is not widespread; the attacker needed a high level of intelligence and funding to develop this sophisticated weapon.
In June 2012, a reporter from the New York Times claimed to have had access to unnamed official sources alleging that Stuxnet was the result of a joint US-Israeli manoeuvre to delay the Iranian nuclear enrichment programme. Suspicion of US-Israeli involvement in Stuxnet grew as computer security experts began to unpick another worm, Flame, capable of a wide variety of spying activities including taking screenshots and recording audio conversations. Flame, as well as another intelligence-gathering worm named Duqu, specifically targeted computers operating in Arab countries deemed hostile to Israel and appeared to embed spying modules that may have informed the Stuxnet project.2
In June 2012, a reporter from the New York Times claimed to have had access to unnamed official sources alleging that Stuxnet was the result of a joint US-Israeli manoeuvre
The Stuxnet worm was not the first incident where a computer worm caused physical damage. In 2000, a rejected potential employee of an Australian local council who had installed part of the sewage systems used his credentials to open up the sewage valves, flooding the downstream city of Maroochy. Yet what was different about the Stuxnet incident is that it spurred many political and strategic questions:
If a given state has the capacity to attack, is it also correctly equipped to defend such threats?
What is the legal status of such acts of cyber sabotage?
Defence Against a Future Stuxnet
Stuxnet was a wake-up call to the risks faced by the weak security of industrial control systems. Many critical national infrastructures (e.g. pipelines, electrical grids, traffic management systems) implement industrial control systems. As an indicator of their criticality, control systems may operate processes that cannot be stopped for more than five minutes a year. The criticality of the processes also implies that patching (correcting security holes) or probing (testing for known vulnerabilities) needs to be planned long in advance.
Even a port scanning (looking for open points of access) or a ping (to test the reachability of a system) can result in unintended consequences. For example, the US National Institute of Standards and Technology reported a ping inducing a three-meter long factory arm to pivot at 180 degrees, potentially causing physical damage to workers.3 Yet despite their criticality, many of these industrial systems are connected online: anyone with an internet connection can look for them simply using a web browser. Additionally, many of them still run the default usernames and passwords.
Fuelled by fear and lacking real unbiased data, it has been difficult to assess the extent of the threat to industrial systems. In December 2011, the US Congress started working on a legal act, the Cybersecurity Act of 2012 (S.2105), to force private operators of control systems to submit reports of attacks to a mandated authority. Collecting such data would help assess the extent of the threat in order to devise the best policy to counter it. The Bill, not yet enacted, is in line with the US commitment to ‘enhance states’ ability to fight cyber crime’, as outlined in the ‘International Strategy for Cyberspace’. Launching a worm such as Stuxnet onto an information system is already a domestic crime in the US; such legislation would not change the criminal responsibility of the perpetrators.
Yet if the perpetrator is a state, it begs the question if it is a crime under international law to launch a cyber attack. Does the current international legal framework suffice to cover cyber attacks emanating from states?
Despite their criticality, many industrial systems are connected online and anyone with an internet connection can look for them
Much of the current international legal framework, for instance the Council of Europe Convention on Cybercrime, focuses on domestic implementation of cyber crime, defined as breaches of information security, or on the use of computer to further support a criminal act. It also enables legal cooperation between states on cyber crime, but does not rule on the state as a perpetrator. The other set of norms that could ban ‘cyber attacks’ is if one considers them as an act of war; it is only in this case that the law of arms conflict then becomes relevant. Before delving into the issues surrounding cyber attacks as an act of war, we need to consider what it means for a state to be responsible for cyber attacks.
The International Court of Justice set the threshold for state responsibility in attacks in the 1984 case US v. Nicaragua by requiring ‘effective state control’ and not only logistical support from the state.4 If officials in the US government were involved in Stuxnet, as the New York Times claimed, it seems a priori that the court could hold the state liable for damages caused by Stuxnet. Yet there are many uncertainties surrounding attribution of cyber-incidents that can prevent a court from convicting a state, or that can thwart the execution of punitive deterrent strategies for the victim state.
Computer mediated communication has enhanced the difficulty of identifying agents. This is largely due to the means used to carry out the attribution process based on the unravelling of a number (the IP address in the case of the Internet) which is easily masked, and identifying a machine or network of machines, some of whom are quite possibly owned by innocent and unaware participants, rather than a more visible individual or group.
If the agent is an individual, states have historically enacted legal procedures to counter-balance the rise of technology supporting the enhancement of anonymity. Similarly, legal acts have recognised the IP address as part of personal data so magistrates could use digital evidence in courts, and fostered the use of transactional data to identify the agent in the first place, raising at the same time concerns over privacy. But if the agent is a state, attribution is a fraught scientific, political and diplomatic process with few certainties.
International law makes the distinction between jus ad bellum, that regulates the right to engage in armed conflict, and jus ad bello, that regulates the conduct of armed conflicts. Only the former is of interest to assess if cyber attacks constitute legally an act of war. The main texts regulating jus ad bellum are Article 2.4 of the United Nations Charter that bans the ‘threat or use of force against the territorial integrity or political independence of any state’, and Article 51 that allows for retaliation following an act of force.
It appears that the US considers a cyber attack with physical indirect consequences as an act of war. The US therefore interprets the term ‘force’ as including coercion, which a cyber attack can provide the means to do. Yet considering a ‘cyber attack’ as an act of war is far from being deprived of issues.
Thomas Rid, a researcher at the War Studies Department at King’s College London, notes that all cyber attacks to date constitute merely a form of sabotage (‘attempt to destroy or weaken a system’), espionage, or subversion (‘to undermine the authority, the integrity, and the constitution of an established authority or order’).6 An act of war on the other hand, according to military strategist Clausewitz, needs to be lethal, instrumental, and political.
The Stuxnet example is an illustration of an overt act of sabotage involving espionage, but being neither instrumental nor lethal. Espionage is ‘neither legal nor illegal’ under international law as few countries have ratified treaties banning it.7 In short, following customary law, the widespread practice of espionage by all the states indicates to some extent its legality in the international legal system, although many states ban espionage domestically. Therefore, Duqu and Flame do not count as ‘use of force’, nor as weapons, as they were merely intended to spy.
Other authors, such as the information warfare expert John Arquilla and the legal scholar Jonathan A. Ophardt, argue that cyber attacks cross the threshold of ‘use of force’ considered by the United Nations.8 Furthermore, it has been suggested that the use of the term ‘cyber warfare’ has tended to add hype to the debate, and lead to a difficult assessment of the situation with proponents considering worst-case scenarios that may be misrepresentative.
Far from resolving this academic dispute over the traditional restrictive or modern definition of ‘war’, the legal status of cyber attacks may soon be settled following a United Nations treaty to come at the end of 2012.
A Treaty Banning Cyber Attacks?
In 2002, member states of the International Telecommunication Union, a United Nations specialised agency, reached a consensus to update the main binding treaty regulating telecommunications, the International Telecommunication Regulations dating from 1988. The update will ensure the treaty encompasses new modes of communication, such as the internet, as well as new threats. Member states are due to vote on the final treaty during the World Conference on International Telecommunications in Dubai in December 2012.
Despite the important impact on internet governance of the regulations, much information concerning the treaty has remained confidential, sparking criticisms from non-governmental organisations involved in ensuring sound internet policy (e.g. the Electronic Frontier Foundation and the Internet Society). However, some information has leaked out about how states seized this opportunity to regulate ‘cyber attacks’.
The legal status of cyber attacks may soon be settled following a United Nations treaty to come at the end of 2012
China was the first state to mention cyber-security into the debate. In September 2011, it submitted to the United Nations General Assembly an ‘International Code of Conduct for Information Security’ along with Russia, Tajikistan and Uzbekistan. As the security expert Jeff Carr noted, the suggested code of conduct did not include provisions for cooperation in criminal cases, and left ample room not to ban the use of espionage technologies.
China reiterated this call and promoted the use of attacks as a defence strategy. It also wishes that states retain an important role in protecting ‘user information security’.9 However, by not defining security, censorship and any other content, blocking mechanisms could fall under such a call. In response, other states – including Algeria, Egypt and Portugal – shared their intent to draft their own texts on cyber security, but have yet to do so.
Australia, Canada and the US refused to touch upon cyber security, noting that it goes beyond the scope of the regulations and of the mandate of the International Telecommunication Union. Answering queries about counter spamming measures, they argued that this field was too fast-changing to be included in a treaty. However, Côte d’Ivoire sought to insert the concept of harm and malicious code transmitted ‘by any telecommunication facility or technology, including Internet.’10
Harm relates to ‘attack’ and may be more suited to describe breaches of information security. Harmful relates to the decrease of a person’s welfare, be it in economic, physical or psychological terms. Computer-related incidents are more likely to fit within the category of harmful than attack. A worm slowing down a system for instance, is expressed as a loss of time, or as an increase in stress and anger, posing an annoyance to the user, and hence is ‘harmful’.
Meanwhile, calling annoyances ‘attacks’ presupposes the action was harmful, aggressive and potentially violent, which may not be the case. Such a wording would ban cyber attacks, but has not been retained in the current final draft. Instead, the final draft encompasses an article talking of ‘strengthening security’ and ensuring stability’ of the internet. While Stuxnet, Duqu and Flame breach these articles, sanctions for the instigators remain very limited.
The current draft articles do not include banning state sponsored cyber attacks, despite calls to do so. Industrialised states such as Australia, Canada and the US that rely intensively on information systems appear to have prevented such moves, instead preferring to rely on internal counter measures.
It remains to be seen if a normative approach to deter cyber attacks would be effective. It appears that, in the short-term at least, strategies to develop defence, deterrent and counter-attack capabilities are likely to precede legal and regulatory attempts to combat cyber attacks