This article is the second in a series exploring the uneasy relationship between cyberwar and international law. To get up to speed on the issue, check out the first article here.
Murky Terms, Murky Ideas
It’s clear that, at a foundational level, there are serious problems for anyone hoping to create a consistent legal framework to govern cyberwarfare. We just don’t have clarity with our most basic definitions. This may seem inconsequential, but it isn’t, as law thrives off clarity. Previously we looked at how terms directly within the cyber realm are ill-defined. The problem replicates itself with higher order concepts outside cyber, concepts that we’ve largely taken for granted from both a legal and philosophical standpoint, but which cyber is now forcing us to reexamine. It’s incredible, really, that we have to seriously reconsider an idea as simple as: “What is an act of war?”
Here’s an important thing to know: every country has a legal right to self-defence. It’s a right that’s enshrined within Article 51 of the U.N. Charter. The exact language used is “Nothing in the present charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs.” This right is essential to the adoption of the U.N. charter as a pillar of international law, since states don’t buy into legal systems that undercut the defence of their peoples. The key clause within Article 51 is “if an armed attack occurs.” Misread that and a state might find itself sanctioned by the international community for launching an unjustified attack.
Discerning whether you’re the victim of an armed attack is neither a new problem nor one that’s limited to cyber. There are a number of complicating factors, many of which will be alluded to throughout this article series. One of the most basic ones is the problem of attribution. Namely, declaring oneself as being under armed attack requires attributing that attack to *someone*. That’s not always easy, which is something states regularly exploit. The 20th century alone gifts us with a litany of cases in which states mask their actions through indirect or covert warfare, often conducted through non-state actors, terrorists and guerillas for example. Russia’s recent, and messy, invasion of eastern Ukraine is a phenomenal example of this. However, while in traditional warfare these cases are outliers, in cyber the problem is endemic.
Puppets and Mirages
It’s difficult to truly hide responsibility for an attack in traditional warfare. With respect to the invasion of Ukraine, Russia packaged their soldiers as “volunteers”, hoping to obscure their military deployment as a grassroots uprising against the Ukrainian state. It was bold but ultimately unpersuasive. Though it muddled the narrative enough to slow Western retaliation, in the long term there were no shortages of mishaps and accidents that gave away the ruse. Cyber attacks are much harder to attribute, not least of all because they can be launched by proxy computers. Take DDoS (Distributed Denial of Service) attacks as an example. They’re attacks in which massive, global botnets (networks of infected “zombie” computers) flood websites with junk traffic, incapacitating them. By their very nature of being international, remotely controlled, and dispersed, the botnets that underpin DDoS attacks escape simple territorial attribution. If a hostile botnet is located across more than 30 countries, who do you hold accountable? Even locating the computer(s) that direct a botnet might not be a solution. Is the attack being directed by a computer in China, or is that computer itself being controlled by another actor elsewhere? There’s no analogy in traditional warfare. No Chinese soldier can clandestinely hypnotise a legion of Floridan housewives to sabotage American critical infrastructure.
Building on this problem, there’s a fogginess about what kinds of groups count as state actors. The world is rife with “rogue” cyber groups that, while supposedly independent, are often supported, if not sponsored, by their home state. In traditional warfare, a state’s ability to act through non-state actors is limited by the fact that these actors, in virtue of conducting physical warfare, must reside within the physical boundaries of the ”enemy” state. That makes them vulnerable to the enemy’s power. When it comes to cyberwarfare, states leverage groups operating within their own territory. As these groups operate in a jurisdiction in which they’re unlikely to be brought to justice, they act with de facto impunity. This makes them more effective than their traditional counterparts, and also immensely frustrating to deal with. The Internet Research Agency (IRA) is an example of this. It was a key player in the infowar campaign launched to undermine the 2016 American Presidential Elections. It also technically was, and remains, a non-state actor, as its funding came from a Putin-aligned oligarch. Yet its actions are in tandem with Russian foreign policy, and oligarchs often open their wallets at Putin’s directive, so the IRA’s independence is questionable. It’s unlikely that the IRA will ever be brought to justice for its actions. Neither will the Russian state, since it can defer responsibility to a group it has no intention of persecuting. These two players work symbiotically, launching attacks that befuddle the law. In a way, it’s symptomatic of the larger military-civilian nexus regarding cyber.
Sophisticated vs. Basic
Luckily for us, there are caveats to the attribution problem. Some kinds of cyber attacks are much easier to trace than others. It’s partly a question of sophistication. Simpler attacks, such as DDoS attacks, are unattributable because they’re designed to be used in a wide variety of scenarios. This makes them useful, and therefore popular, among a large number of actors, whether that means states, criminal groups, or even just mischievous individuals. This popularity disperses suspicion for any particular attack across a bewildering number of suspects. The flip side of this genericism is that it usually limits the kind of damage these low-sophistication tools can do.
More sophisticated attacks are ones which target unique elements of a system. They are, by their nature, more damaging and tend to be more easily attributed. The most famous case for this is Stuxnet. Stuxnet was a type of malware known as a worm, uncovered in 2010, which infected countless computers across the world. What was notable about it was that it seemed to do nothing. Indeed, it did do nothing, until it found itself within the systems controlling Iran’s nuclear centrifuges. Once within these systems, it caused the centrifuges to spin wildly out of control, leading to their self-destruction, while presenting Iranian technicians with false data showing that nothing was out of the ordinary. Attacks like Stuxnet can be devastating. They are also prohibitively expensive, typically requiring hundreds of thousands, if not millions, of dollars to engineer. While prices are dropping as tools filter into the dark web, these weapons are nonetheless typically limited to state actors and their deep pockets. Beyond the issue of price, sophisticated weapons are attributable due to their specificity. Obviously whoever designed Stuxnet had a vendetta against Iran’s nuclear facilities. You don’t have to be Nancy Drew to figure out why suspicion fell on the United States and Israel, though both deny any involvement. Nonetheless, custom-tailored weapons create room for strong inferences.
Admittedly, however useful, this binary of low-high sophistication weapons is an oversimplification. It should be noted that there are a number of other factors that come into play that can make attacks more or less attributable. Attacks are often abetted by, and associated with, espionage operations. These operations, technically referred to as Advanced Persistent Threats (APTs), are ones in which actors use a complex milieu of tools to achieve a specific objective. That may mean stealing certain information, like personnel files or weapons schemata, or simply maintaining backdoors in enemy systems, through which malicious code can later be inserted. APTs allow lower sophistication tools to be used to greater effect, and are a natural precursor to higher-order tools, since their reconnaissance is used in the design of complex weapons.
Why This Matters
So long as the attribution problem remains unsolved, states will have a difficult time saying, with real conclusivity, who is attacking them. Yes, there are caveats. Yes, we can make inferences. Yes, truly significant attacks are, by their very nature, easier to attribute, such that the problem seems to solve itself. Yet whatever attribution we can achieve is still insufficient. When the stakes are high it’s not enough to prop your actions on inference and insinuation. It may be that attribution will never become easy. If that’s the case, then our international legal systems may have to make some uncomfortable adaptations. Do we, for example, allow countries to justify retaliatory attacks against a country that only likely attacked them? How likely is likely enough? Reevaluating what constitutes acceptable certainty will be an uncomfortable conversation, but probably a necessary one.
Of course, attribution isn’t the sole factor that determines whether something counts as an act of war. War is war because it destroys. What does cyberwar destroy? We’ll be covering that in the next article.
Photo: Greyscale Masks. Via Pexels. Public Domain. CC0 Creative Common License.
Disclaimer: Any views or opinions expressed in articles are solely those of the authors
and do not necessarily represent the views of the NATO Association of Canada.