Wednesday, March 31, 2010

Georgia 2008 and Cyber Neutrality

I happened across an article [pdf] about neutrality in cyberspace by Korns and Kastenberg. In the article, the authors analyze an aspect of the 2008 Georgia cyber conflict that usually receives little attention: the fact that the Georgian government moved some of its online services to other countries during the war. Specifically, the authors worry about what this means to the neutrality of the host countries.

While they raise an interesting question, I do have some issues.

First, there is the question of whether the US lost neutral status in the Russia-Georgia war by hosting some services:
"The fact that American IT companies provided assistance to Georgia, a cyber belligerent, apparently without the knowledge or approval of the US government, illustrates what is likely to become a significant policy issue."
Were Georgian websites under attack? Yes, no doubt. Was this a part of the Russian war campaign? Maybe, but at least officially the Russians deny their involvement. Well, if neither belligerent takes responsibility for the attacks, then we can't really refer to Georgia as a "cyber belligerent" (what does this mean, anyway?). We are left with attacks that do not amount to war, but crime or political hacktivism, and I am unaware of any international prohibition on cooperating against criminals or hacktivists - even on the business level. Besides, blaming Georgia for this decision is similar to arresting the victim of a street mugger, as the only known party in the criminal act.

Then there is the question of the type of aid that was provided to Georgia (citing a Supreme Court decision):
"If the US government establishes a strict position of neutrality, American industry may provide nonmilitary and humanitarian support to a belligerent, but firms are required to halt all commerce that militarily aids a combatant."
I believe this is undiscovered country. Presumably, the drafters of this document kept in mind the physical goods industry, whereas in cyberspace we are mostly concerned with services. Is hosting a government public relations website "commerce that militarily aids a combatant"? I would argue against that, because otherwise the US would have to pull the plug on EVERYTHING every time there is a conflict where the US remains neutral (although there is a question whether the US was truly neutral in this case, as illustrated in the paper).
"Under a traditional international law rubric, to remain neutral in a cyber conflict a nation cannot originate a cyber attack, and it also has to take action to prevent a cyber attack from transiting its Internet nodes."
Since the US is one of the leading nations harboring ISPs with questionable practices, and is also home to a large number of malware-infected computers (bots in a botnet), then any time you have a large DDoS attack, the US is likely to be on the "attack source" list [to be fair, the authors have also covered this aspect]. I consider it quite likely that at least some US-based computers were used against the Georgian sites during the war. If the Russian Federation was behind the attacks, does this mean that the US lost its neutrality and became a belligerent? Again, I would say no. It would be great if the US could clean up its part of the Internet, though.

The rest of the paper does a quick analysis of several potentially applicable laws and treaties. Again, while I do not agree with all of their conclusions, they have done a very good job of pulling together thought-provoking concepts. I highly recommend reading it.

These are just some first reactions, but I can see that I need to do some deep thinking on the subject.

Korns, S.W., Kastenberg, J.E. (2008) "Georgia’s Cyber Left Hook." Parameters: 38.4 : 60-76. U.S. Army War College. Available at:

Friday, March 26, 2010

C6 preliminary agenda published

The CCD COE Conference on Cyber Conflict preliminary agenda is now published. Please take a look and see if something interesting catches your eye. If so, the registration is also open and I look forward to seeing you in June.

Friday, March 19, 2010

Eureka! I've discovered ... science blogging?

Every once in a while you accidentally stumble on something interesting and beneficial, and you can't help but wonder why you had not seen it before. Because these things rarely hide, you just don't look for them.

This is what happened to me when I followed a random series of interesting links and ended up in the ScienceBlogs. Wait, what? Well, obviously, if you come to think about it, such a thing must exist. In multiple forms, even: Wiki, ResearchBlogging, InsideHigherEd, etc. Boy, do I have things to read ...

I think I'll start with science blogging. [here, here, here, here, for starters]

Unfortunately, as is often the case with walking down these narrow and twisted paths, I no longer remember which article or post started me down this particular road. However, I hope that the links in this story will help out someone else and I can call it even, in the grand scheme of things.

Tuesday, March 16, 2010

Cyber Warfare a WMD?

Some comments on the BBC story on USCybercom, which I picked up from USCybercom Watch:
"Not everyone is convinced of USCybercom's military value. One US official at the London conference said that if cyber warfare was a WMD it was only a weapon of "mass disruption, not destruction"."
Only, indeed. While I agree that the effect of cyber warfare is more disruptive than destructive, I cannot agree with the implication this quote seems to make. Just because you cannot blow things up with something does not mean that it is not important. ENIGMA, anyone? Actually, the example by Professor Kuehl in the beginning (bomb v cyber op) illustrates the benefit of cyber very well.

Secondly, military value does not equal WMD. Infantry is not considered a WMD, so surely it cannot have military value? Clearly, this is nonsense. However, I am afraid I am doing injustice to the unnamed speaker at the conference, who may have had something entirely different in mind.

Thirdly, let's forget about the whole WMD thing. It overly complicates issues by raising emotions from nothing. Cyber operations can and do happen every day and we do not see "mass destruction" in the headlines. Yes, in theory, a cyber attack could have global and devastating effects (for example, by creating a cascading failure in the power grid), but this is a fringe case. Most cyber operations would be far more limited in scope, aiming for operational/strategic effects through tactical level cyber operations. And as for battlefield damage, cyber operations are perhaps best viewed as a way to maximise the effects of kinetic/thermic/EM weapons.

Wednesday, March 10, 2010

Cyber Conferences

Here are some cyber conferences that might be of interest, in chronological order (disclaimer: I will take part in all of them):

The International Conference on Information Warfare and Security (ICIW), April 8-9 in Dayton, Ohio, US. This is an academic conference with peer reviewed proceedings and covers a wide range of topics from PSYOPS to cyber operations. I will be presenting a paper titled "Cyberspace: Definition and Implications".

The SMi Conference on Cyber Defence, May 17-18 in Tallinn, Estonia. This is a professional conference that is leaning a bit towards military approaches. I am invited to give a talk there.

The CCD COE Conference on Cyber Conflict (C6), June 16-18 in Tallinn, Estonia. The Conference is a mix of academic and professional presentations and will also publish peer reviewed proceedings of the academic content. There are three tracks: Legal, Strategy and Technical Solutions. I will be managing the Strategy track. I have written about this event before in here and here. Registration is now open.

The European Conference on Information Warfare and Security (ECIW), July 1-2 in Thessaloniki, Greece. This is an academic conference with peer reviewed proceedings and covers a wide range of topics from PSYOPS to cyber operations. I will be chairing the Cyber Conflict mini-track and presenting a paper titled "Proactive Defence Tactics Against On-Line Cyber Militia".

Oh yeah, did I mention that the registration is open for the C6?

Monday, March 8, 2010

On offensive operations in cyberspace

This year started out in full gear for me and it seems that this is the first week where I can take a breath and write down some of my thoughts.

Last week I was invited to give a talk at one of many cyber defence/IA related conferences in Europe. As is often the case, the question of offensive cyber operations came up. It seems that whenever this happens, the automatic (and politically correct) answer is: well, the military can't plan an offensive cyber campaign, because most likely they will not be able to identify the actor behind the incoming cyber attacks (the attribution problem). They are right, counterattacks in cyberspace can be tricky.

However, this misses the point completely. Who says that cyber operations have to be symmetric (targeting only cyber aggressors with cyber ops)? There is every reason for the military to plan and prepare offensive cyber operations for various military situations. When a military is deployed to fight someone, then the target should already be identified and is not necessarily limited to cyber operatives.

It makes sense to consider different ways to achieve a military objective: aerial bombardment, naval blockade, precision drone strikes, landing a division of Marines, cutting off C2 with cyber attacks, jamming radio communication with EW, threatening with nukes, etc. In fact, according to the principle of least harm, it is conceivable that the commander should FAVOR cyber attacks over more lethal options, if the end result is the same.

There is no good reason to limit the options of the commanders in the doctrine-writing phase between conflicts. Sure, there are legal issues, attribution issues, collateral damage issues and so on - as is the case with drone strikes, for example. And yet the drones are in the sky today. It just shows that where there is a will, there is also a way.

The only real counterargument for offensive cyber is that we don't want to see it on the battlefield (like nukes, bio and chem). However, clearly this is a Genie that we cannot force back into a bottle. Potential adversaries, both state and non-state, are already using cyber attacks on a daily basis. Therefore, it makes sense to include this option in the playbook of the commanders of the future.

It should be noted that I am not advocating military use of cyber attacks on a daily basis, but only in conflict situations and against "legal" targets. I am also aware that the whole "legal" issue is far from solved and most likely will not be solved in any reasonable timeframe.