ETHICS IN CYBER WARFARE

ETHICS IN CYBER WARFARE

By

Lt Gen S R R Aiyengar, PVSM,AVSM ,VSM (Retd)

 Introduction

            The idea of ‘ethics’ as pertaining to conflict in the newly identified cyber domain is becoming increasingly recognized as an important sub-set of military ethics. The range of significant topics include  background policy considerations regarding the conditions under which  a cyber attack might be morally justified and increasingly questions about the appropriate professional conduct of ‘cyber warriors’.

Current times have witnessed yet another dramatic shift in the denomination of global power with the rise of cyber power. And such power can be wielded by both state and non-state actors with minimal resources. The advent of widespread and increasingly troublesome cyber attacks, in combination with the intentional proliferation of misinformation, has equally affected private and public sector entities. Militarily, cyber power has been the most influential instrument of the past two decades. Both cyber power and cyber space have been at the heart of new concepts and doctrines of war. Across the levels of conflict, from insurgency to main-force conventional warfare, cyber power has become an indispensable element of modern technology-based military capability.

The digital world has brought about a new type of clear and present danger: cyber war. Since information technology and the internet have developed to such an extent, that they have become a major element of national power. Cyber war has become the drumbeat of the day as nation-states are arming themselves for the cyber battle space. Many states are not only conducting cyber espionage, cyber reconnaissance and probing missions; they are creating offensive cyber war capabilities, developing national strategies, and engaging in cyber attacks with alarming frequency. Increasingly, there are reports of cyber attacks and network infiltrations that can be linked to nation-states and political goals. What is blatantly apparent is that more financial and intellectual capital is being spent figuring out how to conduct cyber warfare than for endeavors aiming at how to prevent it. In fact, there is a lack of international dialogue and activity with respect to the containment of cyber war. This is unfortunate, because the cyber domain is an area in which technological innovation and operational art have far outstripped policy and strategy, and because in principle, cyber warfare is a phenomenon which in the end must be politically constrained.¹

Understanding the Threats in Cyberspace

Recent actions in cyberspace make it appear as if we are experiencing a dangerous trend towards more sophisticated and dangerous actions in cyberspace that could lead to escalation and eventual international cyber war. Russian interference in U.S. elections, the Sony hack, the Office of Personnel Management (OPM) espionage campaign, the wave of ransom ware hacks, and the 2015 Ukrainian power outage affecting 225,000 customers are but a few examples of this phenomenon. Many analysts have framed these violations as representing an era of ever more sophisticated and dangerous cyber conflict.² It is becoming accepted that we have entered an era where cyber conflict is tolerated because governments are not responding and cannot respond properly to malicious actions in cyberspace. ³ So far the reality is more benign. We are seeing the rise of nation-state and commercial cyber espionage and crime, but not yet cyber war.  

There is no universally accepted definition of cyber warfare. According to one general definition “cyber warfare refers to a massively coordinated digital assault on a government by another, or by large groups of citizens. It is the action by a nation-state to penetrate another nation’s computers and networks for the purposes of causing damage or disruption.” But it adds that “the term cyber warfare may also be used to describe attacks between corporations, from terrorist organizations, or simply attacks by individuals called hackers, who are perceived as being warlike in their intent.”⁴. Another definition is: “Cyber warfare is symmetric or asymmetric offensive and defensive digital network activity by states or state-like actors, encompassing danger to critical national infrastructure and military systems. It requires a high degree of interdependence between digital networks and infrastructure on the part of the defender, and technological advances on the part of the attacker. It can be understood as a future threat and fits neatly into the paradigm of Information Warfare.”⁵

Cyberspace, the novel 5th space of warfare after land, sea, air, and space, is all of the computer networks in the world and everything they connect and control via cable, fiber-optics or wireless. It is not just the Internet – the open network of networks.⁶  From any network on the Internet, one should be able to communicate with any computer connected to any of the Internet’s networks. Thus, cyberspace includes the Internet plus lots of other networks of computers, including those that are not supposed to be accessible from the Internet.⁷

Actions in cyberspace, the fifth and newest domain of war, can differ greatly from the four physical domains: air, sea, land, and space. Unlike in the physical realm where an action constituting an act of war is violent, instrumental, and political, cyber attacks—which are directed at information—do not have to be. In fact, no cyber attack to date has met all three of these criteria.⁸ Rather, the vast majority of cyber attacks are better characterized as subversion, espionage, or sabotage, all of which are well-accounted for in international law.⁹

Although there has not yet been a “cyber Pearl Harbor,” there is a great deal of research regarding possible moral and legal responses to such an event. Probably the most comprehensive articulation of these responses is found in the Tallinn Manual written by a group of experts hosted by the North Atlantic Treaty Organization’s (NATO’s) Cooperative Cyber Defense Center of Excellence. Written in the after­math of widespread directed denial of service operations against Estonia in 2007, the manual essentially argues unless a cyber attack entails some physical harm, it cannot constitute an act of war.¹⁰This conclusion ignores the potentially devastating disruption cyber operations could cause even without physically harming anyone or anything.

Notably, the use of military force that is violent, instrumental, and political is always attributable in the other four domains, at least eventu­ally; when they are not, they are not proper acts of war.¹¹ If war is a contest of wills, then in the physical world it matters whose wills are in conflict—a point complicated when an attack cannot be attributed to any particular state. There is, in fact, a great deal of evidence that the attacks on Estonia were not directed by the Russian government as some claim, but rather the attacks were conducted by angry Russian hackers who used the Internet to coordinate a largely automated response to the Estonian government’s removal of a World War II monument from a public square. Whether the Russian government would not or could not intervene may be in question in this case. Given such uncertainty, however, these kinds of cyber operations raise questions regarding how states can hold one another responsible for malicious cyber activity when none has the capability of exercising sovereignty over cyber actors oper­ating in the state’s territory. The situation is further complicated when malicious cyber activities seem to originate in territories of states that are not a party to a particular conflict and who may be on friendly terms with the affected state. Such a dynamic could challenge how the inter­national community views and respects state sovereignty in the future.

Cyber-resources also raise questions that military means in the physical realm typically do not. Namely, because cyber-resources can avoid physical harm while attaining a great deal of disruption, some argue they are morally preferable.¹² This point further suggests their relatively nonlethal nature should permit rethinking preventive war doctrine as well as preemptive operations against an adversary even in the absence of imminent physical attack. If the Israeli attack on a presumed Syrian nuclear facility in 2013 that used cyber attacks to preemptively shut down Syria’s air defense systems avoided a larger and more destructive military operation, perhaps the criteria for permissible preventive and preemptive actions should be revised.¹³

Cyber weapons also complicate the application of the traditional just war principles of discrimination and proportionality because military and civilian networks are often indistinguishable and targeting one could have similar effects on the other.

Criteria for ethical attacks

Ethics starts with laws.  International laws of war (“jus in bello”) try to regulate how wars can be legally fought.  The Hague Conventions (1899 and 1907) and Geneva Conventions (1949 and 1977) are the most important.  While most cyber war attacks do not appear to fall into the category of “grave breaches” or “war crimes” as per the 1949 Geneva Conventions, they may still be illegal or unethical.  Article 51 of the 1977 Additional Protocols of the Geneva Conventions prohibits attacks that employ methods and means of combat whose effects cannot be controlled or whose damage to civilians is disproportionate, and Article 57 says “Constant care shall be taken to spare the civilian population, civilians, and civilian objects”; cyber weapons are difficult to target and difficult to assess in their effects.  The Hague Conventions prohibit weapons that cause unnecessary suffering; cyber-attack weapons can cause mass destruction to civilian computers that are difficult to repair.¹⁴  (Arquilla, 1999) generalizes on the laws to suggest three main criteria for an ethical military attack: noncombatant immunity during the attack, proportionality of the size and scope of the attack to the provocation (i.e. non-overreaction), and that the attack does more good than harm.  All are difficult to guarantee in cyberspace.  Nearly all authorities agree that international law does apply to cyber warfare (Schmitt, 2002).

We examine here the application of these concepts to cyber war attacks (or “cyber-attacks”), attacks on the computer systems and computer networks of an adversary using “cyber weapons” built of software and data (Bayles, 2001; Lewis, 2002).  A first problem is determining whether one is under cyber-attack (or is a defender in “information warfare”) since it may not be obvious (Molander & Siang, 1998).  (Manion & Goodrum, 2000) notes that legitimate acts of civil disobedience, such as spamming oppressive governments or modifying their Web sites, can look like cyber-attacks and need to be distinguished by their lack of violence.  (Michael, Wingfield, & Wijesekera, 2003) proposed criteria for assessing whether one is under “armed attack” in cyberspace by implementing the approach of (Schmitt, 1998) with a weighted average of seven factors: severity, immediacy, directness, invasiveness, measurability, presumptive legitimacy, and responsibility.  Effective cyber-attacks are strong on immediacy and invasiveness (most subvert an adversary’s own systems).  But they can vary greatly on severity, directness, and measurability depending on their methods; there is no presumption of legitimacy for cyber-attacks; and responsibility is notoriously difficult to assign in cyberspace.  These make it hard to justify counterattacks to cyber-attacks.

Damage assessment for cyber-attacks

Damage assessment is difficult in cyberspace.  When a computer system does not work, it could be due to problems in any number of features; for instance, code destruction caused by a virus can be scattered throughout the software.  Unlike with conventional weapons, determining how many places are damaged is difficult since often damage is not apparent except under special tests.  This encourages more massive attacks than necessary to be sure they cause sufficient damage.  The difficulty of damage assessment also makes repair difficult.  Damage may persist for a long time and its cumulative effect may be great even when it is subtle, so noncombatant victims of a cyber-attack could continue to suffer long afterwards from attacks on military computers that accidentally spread to them, as with attacks by chemical weapons.  Repair can be accomplished by just reinstalling software after an attack, but this is often unacceptable since it loses data.¹⁵  With "polymorphic" or shape-changing viruses, for instance, it may be hard to tell which software is infected; if the infection spreads to backup copies, then reinstalling just reinfects.  Computer forensics (Mandia & Prosise, 2003) provides tools to analyze computer systems after cyber-attacks, but their focus is determining the attack mechanism and constructing a legal case against the perpetrator not repair of the system. 

Determining the Perpetrators and Victims

Even if an attack minimizes collateral damage, it can be unethical if it cannot be attributed.  It can be difficult to determine the perpetrator of a cyber-attack because most attacks must be launched through a long chain of jurisdictions enroute to the victim.  Route-tracing information is not available on all sites, and even when it is available, stolen or guessed passwords may mean that users have been impersonated.  So a clever attacker can make it appear that someone else has launched the attack, although this violates the prohibition in international law against ruses like combatants wearing the wrong uniforms.  In addition, a cyberspace attacker may not be a nation but a small group of individuals or even a single individual acting alone.  So just because you have traced an attack to a country does not mean that country is responsible.  This makes counterattack difficult to justify in cyberspace, as well as risking escalation even if it correctly guesses the attacker. ¹⁶ Legally and ethically, people should be responsible for software agents acting on their behalf (Orwant, 1994) so unjustified indirect attacks and counterattacks are as unethical as direct attacks.

Intended victims of attacks may also be unclear, which also makes it difficult to legitimize counterattacks.   Suppose an attack targets a flaw in a Microsoft operating system on a computer used by an international terrorist organization based in Pakistan.  Is this an attack on Pakistan, the terrorist organization, or Microsoft?  Nations often think that attacks within their borders are attacks on the nation, but if the nation does not support the terrorist group, it would be unfair to interpret it as the target.  Multinational corporations like Microsoft have attained the powers of nation-states in their degree of control of societies, so they can certainly be targets too.  But chaos can ensue if entities other than nation-states think they can wage war.

Tallinn Manual

Between 2009 and 2013 a group of 20 international law experts labored to produce the Tallinn Manual on the International Law Applicable to Cyber Warfare.  The manual was a response to claims that cyberspace was a legal void during armed conflict. The experts, consisting of both practitioners and distinguished international law scholars, unanimously concluded that the existing norms of international law applied fully in cyberspace, although in certain circumstances the nature of cyberspace might require a degree of interpretation to fit the cyber context.  Although States were initially hesitant to embrace the project, the Tallinn Manual has been widely accepted as a generally accurate restatement of the international law governing cyber operations during an armed conflict or a hostile exchange between States.

A number of issues that were addressed in the Manual continue to be characterized as unsettled in non-legal communities.  This tendency is skewing the debate over cyber operations.  Prominent among these is confusion regarding law surrounding governing responses to cyber attacks.  All of the experts involved in the project agreed that it was legally permissible to respond to cyber attacks by kinetic means, and vice versa. The question is not so much the nature of an attack, but its intensity. Forceful responses, whether kinetic or cyber in nature, are only lawful in response to a cyber attack rising to the level of an “armed attack”, as that term appears in Article 51 of the UN Charter. Forceful cyber or kinetic responses to cyber attacks falling below that threshold are only permissible with UN Security Council authorization. Absent that authorization, States may only respond consistent with the law of “countermeasures”, which does not permit the use of cyber or kinetic actions.

The Tallinn Manual only addresses hostile cyber operations that implicate the UN Charter’s provisions on the use of force or that occur during an ongoing armed conflict.  The NATO Cooperative Cyber Defence Centre of Excellence, sponsor of the Tallinn Manual project, had launched a follow-on three-year project (Tallinn 2.0) to examine malicious cyber operations at lower levels of intensity.¹⁷

The Tallinn Manual 2.0, published by Cambridge University Press, is the most comprehensive analysis of how  existing international law applies to cyber operations. Authored by nineteen international law experts, the  Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations , is the updated and considerably expanded  second edition of the 2013 .

Tallinn Manual on the International Law Applicable to Cyber Warfare , an influential  resource for legal advisers around the world. The drafting of the Tallinn Manual 2.0 was facilitated and led by the  NATO Cooperative Cyber Defence Centre of Excellence.The Tallinn Manual 2.0 analysis rests on the understanding that the pre-cyber era international law applies to cyber operations, both conducted by and directed against states. This means that cyber events do not occur in a legal vacuum and thus states have both rights and bear obligations under international law.

The focus of the original Tallinn Manual was on the most severe cyber operations, those that violate the prohibition of the use of force in international relations, entitle states to exercise the right of self-defence, and/or occur during armed conflict. Tallinn Manual 2.0 adds a legal analysis of the more common cyber incidents that states encounter on a day-to-day basis, and that fall below the thresholds of the use of force or armed conflict.

As such, the 2017 edition covers a full spectrum of international law as applicable to cyber operations, ranging from peacetime legal regimes to the law of armed conflict. The analysis of a wide array of international law principles and regimes that regulate events in cyber space includes principles of general international law, such as the sovereignty and the various bases for the exercise of jurisdiction. The law of state responsibility, which includes the legal standards for attribution, is examined at length. Additionally, numerous specialised regimes of international law, including human rights law, air and space law, the law of the sea, and diplomatic and consular law are examined within the context of cyber operations.¹⁸

Ethical Hacking¹⁹

The term "ethical hacker" has received criticism at times from people who say that there is no such thing as an "ethical" hacker. Hacking is hacking, no matter how you look at it and those who do the hacking are commonly referred to as computer criminals or cyber criminals. However, the work that ethical hackers do for organizations has helped improve system security and can be said to be quite effective and successful.¹⁹

Ethical hacking and ethical hacker are terms used to describe hacking performed by a company or individual to help identify potential threats on a computer or network. An ethical hacker attempts to bypass system security and search for any weak points that could be exploited by malicious hackers. This information is then used by the organization to improve the system security, in an effort to minimize or eliminate any potential attacks.

For hacking to be deemed ethical, the hacker must obey the following rules:

4 Expressed (often written) permission to probe the network and attempt to identify potential security risks.

4 You respect the individual's or company's privacy.

4 You close out your work, not leaving anything open for you or someone else to exploit at a later time.

4 You let the software developer or hardware manufacturer know of any security vulnerabilities you locate in their software or hardware, if not already known by the company.

Conclusion

Transnational organized criminal groups harness the power of the internet to steal identities and conduct financial crimes; terrorist organizations use cyberspace to recruit fighters and promote their destructive deeds; countries employ cyber tools for espionage while laying the groundwork for military operations in cyberspace; and nations worry about disruptions to  their critical infrastructure. Cyber challenges like these cut across all dimensions and simultaneously cross into political, economic, and social realms. More than ever, citizens, regardless of nationality, are exposed to risks created by cyber insecurity. Reinforced by intelligence assessments, many countries in the world are terming cyber insecurity as a leading national security challenge and a pressing concern for citizens and policymakers alike.²⁰

Because the scale and nature of the challenge are still unclear, it’s critical that we move quickly to create avenues for communication between cyber capable states to identify areas of mutual self-restraint, minimize miscommunication, and manage crises. We also need to develop and test doctrines of cyber deterrence and compellence now — just as we didn’t wait for nuclear Armageddon to develop new doctrines during the Cold War.²¹

Offensive cyber warfare raises serious ethical problems for societies, problems that need to be addressed by policies.  Since cyber weapons are so different from conventional weapons, the public is poorly informed about their capabilities and may endorse extreme ethical positions in either direction on their use.  Cyber weapons are difficult to precisely target given the interdependence of most computer systems, so collateral damage to civilian targets is a major danger, as when a virus aimed at military sites spreads to civilian sites.  Damage assessment is difficult for cyber war attacks, since most damage is hidden inside data; this encourages massive attacks in the hopes of guaranteeing some damage.  Damage repair may be difficult, especially for technologically-primitive victim countries.  For these reasons, some cyber war attacks may be prosecutable as war crimes.  In addition, cyber war weapons are expensive and tend to lose effectiveness quickly after use as they lose their element of surprise, so the weapons are poorly cost-effective.²²

Notes

1 Fred Schreier, ‘On Cyberwarfare’ DCAF HORIZON 2015 WORKING PAPER No. 7.

2. Ian Bremmer. “These 5 Facts Explain the Threat of Cyberwar.” Time 6/19/15, Accessed 8/12/15, http://time.com/3928086/these-5-facts-explain-the-threat-of-cyber-warfare/

3. Dunn-Cavelty, Miriam.“The Normalization of Cyber-International Relations“, in: Olive Thränert, Martin Zapfe (eds) Strategic Trends 2015: Key Developments in Global Affairs (CSS 2015): 83.

4. See: http://definitions.uslegal.com/c/cyber-warfare/

5. Shane M. Coughlan, “Is there a common understanding of what constitutes cyber warfare?,” The University of Birmingham School of Politics and International Studies, 30 September 2003, p. 2.

6. Fred Schreier, ‘On Cyberwarfare’ DCAF HORIZON 2015 WORKING PAPER No. 7

7. ibid.

8. Thomas Rid, Cyber War Will Not Take Place (Oxford: Oxford University Press, 2013), 3.

9. Ibid, xv.

10. Michael Schmitt, ed., Tallinn Manual on the International Law Applicable to Cyber Warfare: Prepared by the International Group of Experts at the Invitation of the NATO Cooperative Cyber Defense Center of Excellence (Cambridge: Cambridge University Press, 2013).

11. Rid, Cyber War, 2–3.

12. Ryan Jenkins, “Cyberwarfare as Ideal Warfare,” in Binary Bullets: The Ethics of Cyberwarfare, ed. Fritz Allhoff, Adam Henschke, Bradley Jay Strawser (Oxford: Oxford University Press, 2016), 89–114.

13. David E. Sanger and Mark Mazetti, “Israel Struck Syrian Nuclear Project, Analysts Say,” New York Times, October 14, 2007.

14. Neil C. Rowe- ‘Ethics of cyber war attacks’-U.S. Naval Postgraduate School.

15. ibid.

16 .ibid.

17. Michael N. Schmitt –‘|International Law and Cyberwar: A Response to The Ethics of Cyberweapons,’ February 10, 2014.

18.https://ccdcoe.org/sites/default/files/documents/CCDCOE_Tallinn_Manual

19.http://www.computerhope.com/jargon/e/ethihack.htm _Onepager_web.pdf.

20. Ryan Maness, Derek S. Reveron, John Savage, and Alan Cytryn –‘Creating a Safe and Prosperous Cyberspace: The Path to Ise-Shima Cybersecurity Norms’, Strategy Bridge- August 2, 2017.

21. William Burns –‘The Rules of the Brave New Cyber world’, Foreign Policy: The Magazine .Feb 16, 2017.

22. Neil C. Rowe-‘Ethics of cyber war attacks’, U.S. Naval Postgraduate School.

 GO TO  --    HOME PAGE  -    LIST OF ARTICLES  -  INDEX TO SIGS PRVR