Cyber War: Fact from Fiction in the shadow of the Tallinn Manual

Thursday, October 04, 2012

Rafal Los


Recently at InfoSec Nashville, Howard Schmidt gave a fireside-chat-style keynote in which he answered pre-vetted questions posed by another gentleman.

It was all relatively the same thing we've heard for a while now from Mr. Schmidt, a long-time veteran of the school of hard-knocks security in the real world and in government, until he brought up a conversation between him and one of his colleagues (I don't recall who, but it doesn't really matter) in which he disagreed with two claims: (a) that we were engaged in (paraphrasing) an "open cyber war", and (b) that we (I assume he meant the 'good guys') were winning. Mr. Schmidt said he did not believe we were engaged in a cyber war, and that we definitely weren't losing.

Hold the phone. Has he read the news lately? Maybe browsed the data breach archives?

A colleague of mine who is knowledgeable in these matters made some interesting comments on this. First, that by the only reasonable definition of such a thing [the Tallinn Manual] we are not engaged in any cyber war. Therefore, if we're not engaged in a cyber war, we cannot win or lose it. Fair point... Moreover, he took exception to citing data breaches as evidence of cyber war.

I completely understand the point... so much so that I started digging through this 215-page behemoth of a document to try to understand what a cyber war, as defined by international law and the UN, is. Starting on page 18, in the Scope portion, we see references to physical or kinetic force, and starting on page 25 there are clear implications that the normal rules on violation of sovereignty (attacking another nation's sovereignty) to cause damage certainly seem to qualify - although, as you can see in point 6, the International Group of Experts could not agree whether the placement of malware that causes no physical damage constitutes a violation of sovereignty. Reading on, it becomes abundantly clear that two things are needed to call something a cyber war: a violation of sovereignty that causes physical damage, and/or the use of force. The rest of the manual is a page-turner that basically reads like a rule-book for when and how we can understand what the rules of cyber-space law are.

It is abundantly clear to me that very few people who talk about "cyber war" (including yours truly) really understand what they're saying - this document certainly educated me plenty, although I'm still far from an expert in the matter.

I know Mr. Schmidt is a very intelligent man, so I kept listening for his rationale. What he cited was that, in spite of all of the incidents that have transpired in recent times, businesses were still able to continue, the country was still operational in the cyber realm, and there weren't any catastrophic events, which I assume means heavy loss of human life. Before I read through the Tallinn Manual I would have disagreed - now I can see he's dead right. The reason is that there hasn't been 'catastrophic damage' done, or a loss of life, in the violation of United States sovereignty.

The reasoning is this: even though hacks and breaches have clearly been carried out on behalf of nation-states, and by unaffiliated hacker assets as well, they haven't significantly impacted us (the sovereignty of the United States), and that is what separates espionage, fraud and hacking from cyber war.

Whatever you believe breaches cost the US economy, when you add in the preparation, investigation, clean-up, and residual losses, the money that simply vaporizes is staggering. I've heard people quote figures as high as several billion US dollars in losses. This figure doesn't count the money we spend as businesses and taxpayers (through government spending) in the hope of staving off attack and breach. In an economic climate that teeters on recession again at the drop of any more bad indicators - even if the loss is $1Bn ... is that insignificant? Of course not, but again, fraud and even international espionage do not a cyber war make... we're still missing physical damage and loss of life.

What is interesting is all the "poking and prodding", as Scot says, in which "un-named sources" are cited to attribute attacks such as Stuxnet to the US, fanning international tensions. The case you may have read about, of an oil company in the Middle East called Aramco which had nearly 30,000 computers bricked by a cyber-based attack, is interesting but spoke mainly to financial loss, and as Scot points out had questionable impact and even more questionable sources... and little is known due to the information blackout on the case. This is clearly a very complicated geo-political issue, and maybe the prelude to something bigger, but alas, again not cyber war.

The extremely complicated Advanced Persistent Threat (APT) attack that took the inner-most secrets from security company RSA, and then used those secrets to attack and exfiltrate top-secret military and defense information from our defense contractors, was clearly espionage and theft of Intellectual Property. Whether it was perpetrated by a foreign nation or some rogue group of hackers, and even if it's a prelude to something bigger coming - we're still lacking the primary event of physical damage in the violation of sovereignty.

As I've learned - Cyber War has a necessary kinetic component resulting from the violation of Sovereignty and the eventual loss of life.

What we have so far is best described as guerilla war, not open warfare. Guerilla warfare, or more specifically guerilla incursions, clearly fits the current model, because you see small incursions strategically placed to cause specific damage, performed by non-official military assets on the (suspected) payroll of a nation-state for the purpose of espionage. By damage I refer here to Intellectual Property (IP) theft, financial damage, or other non-kinetic activities. The rest reads like a good spy novel from the Cold War.

Are we involved in open (cyber) warfare? Definitely not. I would say that we are definitely involved in a played-down, Cold War-style set of guerilla incursions aimed at strategic assets and targets ... all to the end of espionage or financial damage. This hasn't yet moved to loss of life or direct confrontation - but that may simply be a matter of time.

As far as whether we're winning or losing... the point is moot. If there's no war, we're not winning or losing. The problem is that it's easy to get drawn into talk of cyber war - I know I've fallen victim myself - mainly because there are few decent definitions of such an event. But if you dig deep and look hard, you'll find experts who have defined two key components of a cyber war: kinetic action, and the violation of sovereignty leading to a potential loss of life. We've seen the beginnings of this, and have certainly seen violations of sovereignty - but we've not seen both conditions met. Is it just a matter of time? My Magic 8 Ball is broken, so I don't know.

Special thanks to Scot Terban, aka @Krypt3ia, for contributing to this piece and pointing out the Tallinn Manual.

Cross-posted from Following the White Rabbit

Doug DePeppe The Tallinn Manual was an initiative of NATO to outline how the Law of Armed Conflict might apply to the cyberspace domain. It is not official NATO policy, nor international law espoused by the UN. It's a good document with strong analysis, provided the premise is valid: that the entire structure of international law prior to the Internet Age applies to the Internet Age. If it does, then it's probably a valid articulation of the legal framework for cyberwar. I'm withholding judgment whether traditional Law of Armed Conflict, in all its aspects, applies to cyberspace.

If you recall, the post 9/11 Bush Administration pronounced the Preemption Doctrine. It was controversial under international law. An explanation was provided by Vice President Cheney: “Should we be able to prevent another, much more devastating attack, we will, no question. This nation will not live at the mercy of terrorists or terror regimes.”

So, when a nation perceives a grave threat to sovereignty and security, the framework of international law may not provide much of a barrier to a nation's self-interests. Moreover, international law only survives through comity, reciprocity, and mutual respect for the rule of law. If nations find that framework unsuitable in cyberspace, it will not play a role.

Finally, the historic underpinnings of our international framework derive from the aftermath of the 30 Years' War and the Treaty of Westphalia. Fundamental to that treaty was a respect for national sovereignty. Yet, that sovereignty was perceived as a nation's physical borders. In other words, nations would respect each other's sovereignty as reflected by their territorial borders, and accepted norms on the high seas, and so on. Still, it was a 'borderful construct'. Today, the Internet has no borders (certainly not territorial borders like the Westphalia model). Accordingly, should the Westphalia-based international framework for war apply in the cyberwar context? I'm less certain that it should.
Don Eijndhoven Excellent article Rafal, I read it with much interest. Of course, Doug's information is correct too, but unfortunately it may not be relevant. The Tallinn Manual is very likely to be touted as the next best thing since sliced bread, even though I have questions about its usefulness - ESPECIALLY because it is what Doug describes: just a summation of existing laws on the subject.

We should consider that the physical element was never in question when the original treaties, legal frameworks and concepts were written. It doesn't mean that they are automatically unusable for Cyber, but it DOES mean that we need to start looking more to the spirit of the thing rather than its literal statements. I find it disconcerting that people such as Howard Schmidt don't seem to take this into account.

Let's be frank here: with the publication of Unrestricted Warfare in '96, the Chinese essentially told us "This is what we'll be doing for the next 30 years". Not only have they kept their word, but other countries are now following suit because the West is limiting itself to self-imposed, senseless rules and regulations. This is worrying and needs to change.

Also, I do not agree with the assertion that cyberspace doesn't equate with national sovereignty. See my earlier article Boundless Nonsense on why that is.

Thanks again for writing this Rafal!
Rafal Los This is going to be one of those unfortunate topics where we're going to be sick of hearing about it long before it starts to make any sense.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.