Cyberwarfare: Hype or New Threat?

Recent years have witnessed phenomenal hype surrounding the idea of cyberwarfare, fueled by high-profile cyberattacks on large companies, banks and governments, and the media’s frequent use of the term. Countries, too, are increasingly encountering cyberattacks. Spectacular attacks on Estonia, Georgia, Iran and Saudi Arabia have been politically motivated. Consequently, the topic has become the subject of international debate and government planning. After all, states and their governments are themselves increasingly employing cyber techniques, whether for surveillance or espionage, communication or optimizing the deployment of armed forces. Today’s weapon systems are networked and rely on digital technologies, engendering the debate surrounding the development, procurement and use of semi-automated armed drones. Such unmanned systems are only controllable if they have data connections, computer systems and ground stations. They are just as much a part of cyberspace as many other civilian and military systems. The Pentagon now refers to cyberspace as a “new domain of warfare”. For governments, armed forces, and society at large, this raises the question of how to promote peaceful use of the cybersphere, defend against future threats, and establish effective democratic control.

Western societies have long advocated an “open, secure and peaceful Internet”, at the same time as Western militaries prepare for electronic combat in cyberspace. Given constant technological advancement, new military applications and uses of military force will always produce ethical, international law, and security challenges for individual soldiers and for the community of states. Under what conditions are cyberattacks permissible? What is an appropriate response to a cyberattack? How can we protect ourselves against these attacks? What principles of International Humanitarian Law are applicable, and where are provisions lacking? It first needs to be established whether such a thing as cyberwarfare will actually happen in the future, and what the possible implications are for militaries and societies. Then we need to examine whether current international agreements are sufficient for limiting a cyberwar, and what specific responsibilities this entails for societies, governments, militaries and individual users.

Several mutually overlapping debates are concerned, in part, with the future of the “global, free and open” Internet, also in view of efforts by individual states to gain control over national and global infrastructure (“Internet governance”). There is also a fear that the Internet could increasingly be used for militarily motivated cyberattacks. In the event of war, attacks could be directed not only against traditional military targets, but also against private and public infrastructure, bringing modern life to a standstill. If communication infrastructure such as the Internet or electricity supply is out of action for any length of time, key social functions are interrupted, putting a sustained burden on any modern society. Thirdly, militaries might not only conduct hostilities in the Internet, for example, but also respond to cyberattacks with conventional tools of war, and attack vital elements of cyberspace by “kinetic means”.

What is cyberwarfare? Can war be fought in the Internet?

Cyberwarfare is understood to mean a coordinated cyber offensive by one country on the government or civilian information networks of an enemy country, with intent to disrupt, disable or destroy their computer systems or information networks. The prefix “cyber” (derived from the Greek term steering), however, is today used rather imprecisely in a wide variety of domains encompassing messaging, the Internet and telephone networks. Cyberattacks, i.e. gaining illegal access to third-party computer systems for the purpose of data surveillance, manipulation or data theft, are now an everyday occurrence in the Internet. Targets are often large companies, but also include military networks and governments. Since every user has access to the Internet, it is often unclear who is behind the attacks and what their motives are. Damage is often limited and purely economic. Malicious software, used to block Internet sites or steal data, is generally accessible. Attack routines are becoming more complex, for instance deploying botnets to launch coordinated remote-controlled attacks via compromised computers in different countries. In 2007, non-intrusive denial-of-service (DOS) attacks shut down bank and government online services in Estonia. Cyberattacks today are also byproducts of real conflicts, such as in the Ukraine or Syria, where websites of parties involved in the conflict are attacked. Meanwhile more complex, intrusive attacks by viruses or trojans can cause substantially greater damage, especially if they affect critical infrastructure such as the electricity supply or financial system.

Indications of cyber offensive tools

The discovery of Stuxnet in 2010 marked the first known time that malicious software had been successfully used to conduct cyber sabotage, when a combination of spyware and controller malware was used to infiltrate the controversial uranium enrichment plant in Natanz, Iran, and directly destroy several hundred centrifuges. It would be fair to call the Stuxnet worm the first digital, targeted “cyber weapon”. Cyber offensive tools consist of program codes that gain access to a logical or physical environment and have the capability to disable or destroy real objects. It is not known whether usable cyber weapons in fact already exist, but there are indications that cyber offensive weapons are being developed in a few countries, notably the United States. In 2012, the Pentagon research agency DARPA invited tenders for the “Foundational Cyberwarfare (Plan X)” project, which sets out to research “innovative approaches” to cyberwarfare. The Pentagon’s Defense Science Board in 2013 advocated forming a legion of “cyber warriors” and developing “world class cyber offensive capabilities”. The Snowden revelations also brought to light a secret NSA department that had been conducting “tailored attacks” against Chinese IT systems for 15 years. Presidential Policy Directive 20 (PPD-20), signed by U.S. President Obama on October 20, 2012, is extremely telling. It calls upon the relevant agencies to develop “offensive cyber effect operations” (OCEO) and draw up a list of potential targets. Other countries will not wait idly as such developments take place. The likelihood of a cyber tools arms race is mounting along with the number of cases of cyberespionage attempting to spy out possible attack options, such as the U.S. has long accused China of perpetrating. 

Ambivalent security measures

A study by the United Nations Institute for Disarmament Research (UNIDIR) in Geneva shows that many countries are setting up and including cyber commands in their regular armed forces and national defense; 114 nations had established cyber protection programs in 2012.  The number almost doubled compared with 2011. Purely civilian programs exist in 67 countries, while 47 states give their militaries an additional role and include forms of cyberwarfare in their military planning and organization. So far only six nations have published military cyber strategies. According to media reports, 17 countries state that they are developing “offensive capabilities”. For the most part, however, it remains unclear what this means in detail. Overall, there is a lack of transparency regarding the respective fields of application and capabilities. Shedding more light on the various activities is an urgent task for international diplomacy.

Cyberwarfare certainly differs from conventional warfare in important respects. Computer software codes used as a cyber weapon generally exploit vulnerabilities in enemy computer systems or networks. Deep technological insights are therefore an essential requirement here. It takes a certain amount of time to launch a defensive response to a bits and bytes offensive. Moreover, the impact of cyber weapons is non-lethal in the first instance. In view of the complexity of the technology, it is difficult to predict what the potential damage might be. A cascade of collateral effects could occur, as could unintended consequences. Anonymity in the worldwide web makes attribution for an attack harder or impossible. The infrastructure of the Internet is mostly operated by businesses, including multinational Internet providers, meaning that governments do not have any direct access. Furthermore, disruptive cyber tools are “one-shot weapons”, whose effects are easily limited by suitable countermeasures once they become known. At the same time, however, attacks on critical infrastructure can cause particularly serious harm. In terms of a strategic cyberwar, there are two conceivable scenarios. One is that in a crisis situation, a country under attack could itself launch a cyber offensive and so escalate the crisis. Alternatively, following a heavy, protracted cyber offensive, a country might retaliate with “kinetic weapons” and so start a conventional war. It is conceivable that in the future, real combat action will be accompanied with cyberattacks on media and also against the enemy military, and furthermore that states are already preparing for such scenarios.

International efforts to regulate cyberwarfare

Western countries such as the United States and the EU regard the most important part of the global cybersphere – the Internet – as a global res communis omnium (like the high seas and space) and an economic resource that should remain “free, secure and open” for users. Against this political background and in view of the pace of technological change in both the civilian and the military cyber sector, international and regional organizations and groups of nations have initiated conferences, dialogs and studies on how to improve global cybersecurity. NATO too has picked up on the cyber theme and begun to develop a cyber defense capability, which it is coordinating among its member countries. Its Strategic Concept 2010 talks about cyberattacks potentially reaching “a threshold that threatens national and Euro-Atlantic prosperity, security and stability”. It does not set out a clear position on the question of how the alliance would respond to a cyberattack. At the invitation of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia, an international group of lawyers was asked to examine whether and how international legal norms and practices are applicable to cyberwarfare. The results were published in March 2013 as the Tallinn Manual.  Containing 95 rules, each with a commentary, it reaches the conclusion that cyberspace is not a legal vacuum, that the UN Charter applies to cyber-to-cyberattacks, and that states are responsible for cyber infrastructure and activities originating from it on their territory. With regard to the prohibition of the use of force laid down in Article 2 (4) of the UN Charter, Rule 10 states: “A cyber operation that constitutes a threat or use of force against the territorial integrity or political independence of any State, or that is in any other manner inconsistent with the purposes of the United Nations, is unlawful”. It follows from this that a state under attack can exercise its right of self-defense under Art. 51. Accordingly, an extensive cyberattack could very well lead to a conventional war. The exact criteria for when a cyber operation reaches the threshold of an “armed attack” depend on the individual case. Espionage or data theft that result in an interruption to non-existential cyber services can be ruled out. Since there are no exact criteria for determining when the “armed attack” threshold is exceeded in cyberspace, there is a danger of preventive military action being legitimized by the side under attack, and of kinetic attacks against cyber targets becoming “wageable”. Nevertheless, the Tallinn Manual provides an interesting basis for further discussion of the applicability of international law to activities in cyberspace. At UN level, in June 2013 a fifteen-strong Group of Governmental Experts (GGE) presented a report to the UN Secretary-General which calls for actions in four categories to promote a “peaceful, secure, open and cooperative ICT environment.”  The experts suggest that greater consideration should be given to norms, rules and principles governing the responsible behavior of states, based on existing international law, and that “confidence-building measures” (CBMs) should continue to be developed, which can help to prevent further escalation in a crisis. The report contains a list of possible CBMs that could serve as a basis for international agreements. These range from exchanging information about national cyber strategies to establishing regional consultation mechanisms and mutual reporting of cyber incidents. A new UN expert group is currently continuing this work, as are regional organizations such as the Organization for Security and Cooperation in Europe (OSCE). In December 2013, the OSCE Ministerial Council adopted an initial list of CBMs which the OSCE participating states voluntarily commit to implementing. These range from exchanging national views on ICT security, to increased cooperation and consultation, to developing a joint terminology. Individual states have now also initiated bilateral consultations and “cyber dialogs,” for example between the United States, Germany, Japan and Russia, while the U.S. and Russia have now set up a kind of “red telephone” to warn each other about cyber incidents.

Despite these useful efforts, so far there is still no generally accepted definition in international law of terms such as “cyber offensive weapon” or “strategic cyberwar”, or any agreed system of damage classification or effective protection concepts for the cyber realm. Strict limits should be imposed on the eavesdropping activities by intelligence services for which the technical capabilities now exist. Beyond bilateral agreements, there would appear to be an urgent need to strengthen international law with provisions for data protection and the protection of privacy. Criteria and new instruments are necessary to prevent blanket mass surveillance. Industrial espionage should be prohibited, as should mass storage of data for long periods of time regardless of any suspicion of wrongdoing. Parliaments and international organizations, not intelligence services, are responsible for establishing such principles. A single set of rules should be established within the European Union to give EU citizens the right to view data and facilitate its deletion. The computer industry should be required to enhance cyber security and create greater transparency about the data it uses. Users need more information about cyber security and better training in how to use technology safely. For a timely early warning and more effective crisis management, the relevant authorities, key Internet service providers and research institutes should jointly develop technologies and procedures for better analysis and detection of attack patterns and better defense. Joint exercises and sharing data from forensic analyses are just as important here as mutual technical assistance, regularly sharing experience, and joint table-top or expert exercises by concerned states. It should also be examined whether confidence-building control mechanisms for verification, such as have been tried and tested in the military field, are transferrable. Above all else, the task for international cybersecurity policy is to prevent a digital arms race. During the Cold War era, “confidence and security building measures” (CSBMs) and arms control were important instruments that served at least to prevent an “accidental war” or excessive rivalry in armaments. The establishment of a “red telephone” between the United States and Russia is encouraging. It should set an example for similar efforts between these states and the EU. The agenda at UN level should include the development of principles and instruments of responsible conduct as well as the first CBMs. The OSCE has already adopted an initial list of CBMs to promote transparency, stability and predictability among participating states with regard to the use of information and communication technologies. A first step is the voluntary exchange of national perspectives on national and transnational threats, and on the respective roles of government organizations, strategies and programs. Within the framework of the OSCE, such a process can be fleshed out and become more firmly established through regular meetings of national experts. It would be useful if a database was available for OSCE participating states to record national cyber policies and their respective actors. In subsequent confidence-building steps, the OSCE states could provide each other with details of their respective military cyber components, visit each other’s cyber defense centers and conduct joint exercises in this area. In the longer term, agreement on conventions to contain military cyberattacks is advisable.