Segmenting Cyberwarfare to Aid in the Formation of Ethical Policy and Law

By Scott Van Hoy*

Introduction

Breaching computer infrastructure has become a relatively easy task for skilled hackers, making cybersecurity an increasingly hot topic. The importance of the information stored on computer systems and society’s overall reliance on computer systems is substantial, leading to concerns regarding how to manage the security of technology. If a hacker gains access to government networks, the resulting damage may cause greater disruption than physical damage to property or people. A skilled hacker can also alter computer systems in ways that result in physical damage to humans or machines. A cyberattack and the subsequent cyberdefense when used as part of a military strategy is referred to as cyberwarfare.

Cyberwarfare has become the all-encompassing term for cyberattacks. Cyberwar and conventional war are often discussed under the same ethical and legal frameworks, masking the type of cyberattack beneath the term. Addressing cyberwarfare as a general term for a high-tech war could result in ethical dilemma considering the legal frameworks of war would not adapt to the technology’s capabilities. In order to aid in ethical decision making during cyberconflict, cyberwarfare should be addressed as three different types of war: conventional cyberwarfare, infrastructural cyberwarfare, and information cyberwarfare. Only after policy and lawmakers acknowledge this segmentation can cyberwarfare be addressed ethically among the international community.

Background

Cyberwarfare has posed a unique set of challenges to military and government leaders over the last few decades, and continues to be an ongoing discussion worldwide. From cars to our electrical power grid, computers control the world around us. The capabilities to hack and recode technology create a new domain of warfare that has already been tested and proven in the international community.[1]

In 1982, a Soviet Trans-Siberian oil pipeline explosion was observed by a United States infrared satellite.[2]  This explosion was the most violent non-nuclear explosion ever observed by satellite, and was the equivalent of three kilotons of TNT.[3]  It is accepted that the explosion was caused by the United States’ Central Intelligence Agency (CIA).[4]  The CIA supposedly hacked into the pipeline’s control system and altered the pressure specifications for the pumps, values, and turbines.[5] The resulting high pressure caused the explosion.[6]  There were no human casualties recorded.[7]

In 2005 and 2007, Brazil experienced power outages in two of its largest cities.[8]  Over three million residents lost power for two days, and the cause was proven to be a result of hackers breaching Brazil’s energy infrastructure.[9]  Cyberweapons can be used without the victim ever knowing who committed the attack, and entire cities can be plunged into darkness without leaving a trace of who committed the attack, or why the attack was committed.[10]

When Iran’s uranium enrichment capability increased in the early 2000s, the United States developed a digital weapon to slow Iran’s production.[11] In 2009, the United States deployed Stuxnet, a program designed to increase the revolutions per minute of the centrifuges that enriched the uranium. Centrifuges began to fail, and in the first five months Iran’s centrifuge count was reduced from 4,592 to 3,936 due to Stuxnet.[12])

Then in 2015, the United States’ Office of Personnel Management (OPM) was hacked.[13]  The OPM attack compromised the personal information of 22.1 million government employees, including their social security numbers, performance evaluations, and names of friends and family.[14]  The Washington Post reported that U.S. officials believe this breach is potentially the most damaging “cyber heist” in U.S. government history.[15]  China has not been officially named as the OPM attacker; however, the common narrative among government officials is that China is conducting “traditional espionage” via cyber means against the United States.[16]

International Interpretations

There is a human element to cyberwarfare that is not as clear as the 1s and 0s of the cyber world. Some ethical and legal frameworks of conventional warfare that have been established and accepted may no longer be valid in the digital age. For example, the rightful application of just war theory is debatable when trying to determine if a cyberattack is considered an armed attack.[17]  One argument is that a cyberattack with no human casualties will never justify war because an armed attack results in, and could be defined by, physical harm or loss of life.[18]  Another argument is that a malicious attack, whether it physically harms a person or not, is considered an armed attack due to the unknown second and third order effects, thus justifying war.[19]

Debates such as the just war theory discussion could continue for decades only to result in uncertain ethical responses to cyberwarfare. So long as governments treat cyberwarfare and conventional warfare within the same legal and ethical frameworks, government officials will struggle to agree on an ethical way to manage new cybertechnologies. For example, the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE), which includes the United States, focuses on connecting humanitarian and international law to identify what actions are just in a cyberwar.[20] The CCDCOE defines a cyberattack as “a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects,”[21] and recognizes cyberwarfare as a cyberattack authorized by state actors.[22]  Combining the definitions, cyberwarfare is considered to be an extension of conventional war with loss of human life and infrastructure, placing cyberwar within the current just war theory and the law of armed conflict. However, the CCDCOE’s Tallinn Manual, the leading manual on the “international law applicable to cyber warfare,” states that the application of the law of armed conflict can be problematic due to the difficulty in identifying the originator, the intent, and the outcome of the attack.[23]

The Shanghai Cooperation Organisation (SCO) consists of six member states including Russia and China.[24] The SCO defines cyberwarfare as “the dissemination of information ‘harmful to the spiritual, moral, and cultural spheres of other states.’”[25] The SCO’s member states have concerns over the concept of uncontrolled information exchange,[26] an idea that when combined with their definition of cyberwar, may lead to unethical responses to cyberattacks. If a country were to hack into an SCO country’s television stations and modify service, this disruption would fall within the SCO’s definition of cyberwar. Since the SCO does not define the barriers between cyberwar and conventional war, a cybertelevision attack may justify war the same as if it were a kinetic attack.

Cyberwarfare Segmentation

The different interpretations of cyberwarfare in the international community will not likely be resolved in the near future due to the dissimilar opinions of the SCO, CCDCOE, and other supranational organizations. Each of the definitions lead to different outcomes and reactions to cyberwar, none of which will fall perfectly within current international law. In order to attempt to justify what is and is not ethical during a cyberwar, cyberwarfare should be broken down into three different categories of cyberwarfare, which can be referred to as the cyberwarfare segmentation model. The first category is conventional cyberwarfare, the second is infrastructural cyberwarfare, and the third is information cyberwarfare.

Conventional cyberwarfare best represents the CCDCOE’s definition of cyberwar, where cyberwarfare is an extension of conventional warfare.[27] Conventional cyberwarfare assumes that a cyberattack will result in the direct or indirect death or physical harm to humans.[28] When there is no longer physical harm to people, but instead physical infrastructure is damaged and widespread disruption occurs, the result is infrastructural cyberwar.[29] The Brazilian power outage, oil pipeline explosion, and the Stuxnet cases show the effectiveness of infrastructural cyberattacks. These same attacks also had the potential to initiate conventional cyberwar. For example, if the Siberian oil pipeline explosion killed the operator, or the power outage directly led to civilian deaths, then it would be an example of conventional cyberwar.[30]

Information cyberwarfare is the act of cyberespionage or information disruption.[31] When hackers gained access into the OPM database and captured the personal information of 22.1 million U.S. government employees, the hackers conducted an information cyberattack on the United States. No human lives were lost and there was no infrastructural damage or physical disruption; thus, only cyberespionage and information disruption occurred.

The lack of segmentation in international law results in both legal yet unethical responses, and illegal yet ethical responses to cyberwar. The United Nations Charter Article 51 declares that self-defense is the only justification for an armed attack, making preemptive strikes illegal.[32]  In addition, the International Committee of the Red Cross (ICRC) and the law of armed conflict declare that civilians are protected and must never be targeted.[33]  With the changing ethical landscape of just war, it is debated that information cyberwar can be used preemptively and target noncombatants if used responsibly to prevent conventional war, which according to the ICRC and the U.N. Charter is unlawful. In the Stuxnet case, the cyberattack on Iran could be considered an armed attack if the attack is not segmented and realized as an infrastructural cyberattack. Thus, by the U.N. Charter, Iran could have responded legally, but not ethically, with a kinetic attack. Without segmentation, the U.N. Charter also infers Stuxnet was an illegal armed attack against Iran, thus the United States was ethically, but not legally, conducting a preemptive strike.

The Shanghai Cooperation Organisation has a much broader definition of cyberwarfare and uses different ethical and legal frameworks for determining what is and is not legal war.[34]  Although the SCO cooperates with the international laws set forth by the United Nations,[35] its broad definition of cyberwarfare leaves room for a broad interpretation of legality, especially for the definition of “armed attack.”[36]  This open interpretation of the U.N. Charter could lead to a response that is legal yet unethical. If the SCO adopts the cyberwarfare segmentation model, it would lay a foundation for further discussion about how to create ethical policies and laws for how to respond to each type of cyberattack, rather than using one term to justify the legality of war.

Both the Stuxnet and SCO examples are derived from the open interpretation of international law set forth by the United Nations. The changing ethical landscape of war resulting from cyberwarfare is consequently changing the legal landscape of war, and the United Nations has not yet taken significant steps to adapt to this form of 21st century conflict. International law often attempts to relate cyberwarfare to conventional warfare, creating laws that may lead to unethical responses to cyberattacks. To ensure ethical laws are established to regulate cyberwarfare, the U.N.’s CCDCOE and the SCO should adopt the cyberwarfare segmentation model to help reevaluate the morality of current international law.

 


*Scott Van Hoy. University of Illinois, MS Technology Management, 2016.

[1] Chris Domas, The 1s and 0s Behind Cyber Warfare, TED (Oct. 2013), https://www.ted.com/talks/chris_domas_the_1s_and_0s_behind_cyber_warfare.

[2] Johann Rost & Robert L. Glass, The Dark Side of Software Engineering: Evil on Computing Projects 118 (2011).

[3] Id.

[4] Id.

[5] Id. at 119.

[6] Id.

[7] Id.

[8] Kevin Poulsen, Report: Cyber Attacks Caused Power Outages in Brazil (Nov. 7, 2009, 12:55 AM), www.wired.com/2009/11/brazil/.

[9] Id.

[10] Guy-Philippe Goldstein, How Cyberattacks Threaten Real-World Peace, TED (Jan. 2010), https://www.ted.com/talks/guy_philippe_goldstein_how_cyberattacks_threaten_real_world_peace.

[11] Kim Zetter, An Unprecedented Look at Stuxnet, the World’s First Digital Weapon, WIRED (Nov. 3, 2014, 6:30 AM), www.wired.com/2014/11/countdown-to-zero-day-stuxnet/.

[12] Id.

[13] Ellen Nakashima, Hacks of OPM Databases Compromised 22.1 Million People, Federal Authorities Say, Wash. Post (July 9, 2015), www.washingtonpost.com/news/federal-eye/wp/2015/07/09/hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say/.

[14] Id.

[15] Id.

[16] Id.

[17] Michael N. Schmitt, “Attack” as a Term of Art in International Law: The Cyber Operations Context, 4th Int’l Conf. on Cyber Conflict 283, 290–93 (2012), https://ccdcoe.org/publications/2012proceedings/5_2_Schmitt_AttackAsATermOfArt.pdf.

[18] Id.

[19] Patrick Lin et al., Is it Possible to Wage a Just Cyberwar?, Atlantic (June 5, 2012), www.theatlantic.com/technology/archive/2012/06/is-it-possible-to-wage-a-just-cyberwar/258106/.

[20] About Us, NATO Cooperative Cyber Defence Centre of Excellence, https://ccdcoe.org/about-us.html (last visited Sept. 27, 2016).

[21] Michael N. Schmitt, Tallinn Manual on the International Law Applicable to Cyber Warfare 106 (2013).

[22] CCDCOE, Cyber Definitions, https://ccdcoe.org/cyber-definitions.html

[23] Schmitt, supra note 21, at 77.

[24] Shanghai Cooperation Organization (SCO), GlobalSecurity.org, http://www.globalsecurity.org/military/world/int/sco.htm (last visited Sept. 27, 2016).

[25] Activities, Shanghai Cooperation Org., http://www.infosco.eu/index.php/aboutsco/activities (last updated Jan. 23, 2013).

[26] Keir Giles, Russia’s Public Stance on Cyberspace Issues, 4th Int’l Conf. on Cyber Conflict 63, 65 (2012), https://ccdcoe.org/publications/2012proceedings/2_1_Giles_RussiasPublicStanceOnCyberInformationWarfare.pdf.

[27] Gal Beckerman, Is cyberwar really war?, The Boston Globe https://www.bostonglobe.com/ideas/2013/09/15/cyberwar-really-war/4lffEBgkf50GjqvmV1HlsO/story.html (last visited Sept. 28, 2016).

 

[28] Nuclear Futures Lab, Cyberwarfare: On Whose Authority?, http://nuclearfutures.princeton.edu/wws353-2015-blog-week09-2/ (last visited Sept. 28, 2016).

[29] Lee Rainie Et al, Cyber Attacks Likely to Increase, Pew Research Center, http://www.pewinternet.org/2014/10/29/cyber-attacks-likely-to-increase/ (last visited Sept. 28, 2016).

[30] Ellyne Phneah, Cyberwarfare Not Theoretical, Can Actually Kill, ZDNet (Nov. 17, 2011, 10:26 AM), www.zdnet.com/article/cyber-warfare-not-theoretical-can-actually-kill.

[31] Fred Schreier, On Cyberwarfare, https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&ved=0ahUKEwjjg-fAprLPAhXMy4MKHXidA2UQFghLMAc&url=http%3A%2F%2Fwww.dcaf.ch%2Fcontent%2Fdownload%2F67316%2F1025687%2Ffile%2FOnCyberwarfare-Schreier.pdf&usg=AFQjCNHSti4VD11zqhHbyC36ASV-0RLJ8g&sig2=ynFsHCTuEw0Ev6SaIDl41w (last visited Sept. 28, 2016).

[32] U.N. Charter ch. VII, art. 51, www.un.org/en/sections/un-charter/chapter-vii/.

[33] Protected Persons: Civilians, Int’l Committee of the Red Cross, https://www.icrc.org/en/war-and-law/protected-persons/civilians.

 

[34] Andrew Jones & Gerald Kovacich, Global Information Warfare: The New Digital Battlefield 33 (2015).

[35] United Nations, Cooperation Between UN, Shanghai Cooperation Organization Dynamically Expanding, in Shared Quest for Peace, Prosperity, Says Secretary-General, in Message, http://www.un.org/press/en/2010/sgsm12953.doc.htm (last visited Sept. 28, 2016).

[36] Schmitt, supra note 21.