Wednesday, December 15, 2010

DDoS - a legitimate form of protest?

The cyber attacks against supporters and opponents of Wikileaks have generated a fair bit of debate about whether or not DDoS can be a legitimate form of protest. I tend to side with the "nays" on this one.

Sure, DDoS could be compared to a sit-in, but with an infinitely lower entry threshold. One does not need to travel anywhere or actually waste time "sitting", and very often does not risk dealing with law enforcement - the computer can protest on their behalf all night long. It's more like throwing nails on a freeway and going home.

But my main argument against protest DDoS is that it can then be used for any cause. Attacks against Radio Free Europe? It's cool, they're just protestin'! As can be seen from the Wikileaks affair, both sides there are using cyber attacks to get their message across. Is this truly what we want? I don't like you, so I have the right to DDoS you? I have the right to free speech and the right to make stupid people shut up?

Friday, November 19, 2010

Cyber Security Conference in Georgia

I was in Tbilisi last week and spoke at the Georgian Cyber Security and IT Innovation conference. The first day focused solely on cyber security topics. Agenda and materials are available here. As expected, the 2008 Russia-Georgia war and its cyber component came up in several presentations.

My talk on Volunteers in Cyber Conflict was based on a number of papers I have written on the subject. While I have focused on the offensive (and illegal) hacktivism/patriotic hacking so far, I am in the process of switching gears and focusing on the defensive (and official) use of volunteers. For example, the reserve cyber units in the US military, the WARP system in the UK and the Cyber Defence League in Estonia. I believe there is great merit in harnessing the skills and resources of security specialists and enthusiasts for a constructive purpose.

Monday, October 25, 2010

What does CCD COE do?

I get this question a lot.

Well, while there are a lot of things that will not make it into the limelight, our people do publish some of their work in public academic conferences and journals.

CFP: International Conference on Cyber Conflict

Finally, the CFP for our own conference is out. The International Conference on Cyber Conflict is the third conference in the series organized by CCD COE. This year, we also have IEEE as a co-sponsor. The conference will take place 07-10 June 2011 in Tallinn, Estonia.

As for the CFP [pdf]:

In 2011 the conference will focus on the combination of defensive and offensive aspects of Cyber Forces and will combine different views on cyber defense and operations in the current and envisaged threat environments. All this shall not be limited to military perspective.

Legal, strategic and technical submissions are welcome on equal grounds.

Researchers and practicians are encouraged to submit papers covering novel and scientifically significant practical works related to 2011's topics via our web portal. Accepted papers - after passing the peer review - will be published in the conference proceedings, provided in hard cover and digitally through IEEE Xplore.

Paper submission deadline is 20 JAN 2011.

Wednesday, October 20, 2010

Article in FutureGov Magazine

I recently wrote an article for FutureGov Magazine about the events in Estonia in 2007. Although my intent was to tone down the hype surrounding the incident, the final "independent" editing process managed to come up with an intro paragraph about "cyber war", even though I had specifically avoided this term in the article itself. I guess that is the risk one takes with media.

The article is available in the August-September issue [large pdf!], on pages 70-72.

Friday, October 15, 2010

Hacker Halted in Miami

I have been in Miami this week, attending the Hacker Halted Conference. Among the workshops that closed the conference today was the Cyber Security Forum Initiative (CSFI) event, where I got to speak about my research (Volunteers in Cyber Conflicts) next to some other interesting characters, like Roger Kuhn and Jeff Bardin. The talk went well, which is a good thing as it is based on an early prototype of my upcoming PhD thesis.

Update: Paul de Souza's post on the CSFI workshop

Monday, September 6, 2010

Interview explosion

I gave an interview to Baltic News Service (BNS) on Friday. Instead of writing it up as one article, they chose to create a bunch of short pieces that are currently flooding some news portals in Estonia. For a casual observer, it looks like I have personally launched a massive frontal assault on cyber awareness issues. Interesting development, although unintentional.

Thursday, August 26, 2010

CFP: ECIW 2011

I am back from my summer hiatus and ready to kick-start another year of cyber conflict studies. Let's start with the CFP for the 10th European Conference on Information Warfare and Security (ECIW). This time it is held in Tallinn, Estonia. It is hosted by the Institute of Cybernetics at Tallinn University of Technology, in collaboration with the CCD COE. I will be serving as the local Program Chair, so I hope to see some of you there.

Please feel free to circulate this CFP:
This is a call for papers for the 10th European Conference on Information Warfare and Security, being held at the Institute of Cybernetics at the Tallinn University of Technology, Tallinn, Estonia on 7-8 July 2011.

The 10th European Conference on Information Warfare and Security (ECIW) is an opportunity for academics, practitioners and consultants from Europe and elsewhere who are involved in the study, management, development and implementation of systems and concepts to combat information warfare or to improve information systems security to come together and exchange ideas. There are several strong strands of research and interest that are developing in the area including the understanding of threats and risks to information systems, the development of a strong security culture, as well as incident detection and post incident investigation. This conference is continuing to establish itself as a key event for individuals working in the field from around the world.

Please consider submitting to this conference. We are interested in the entire range of concepts from theory to practice, including case studies, works-in-progress, and conceptual explorations. The conference committee welcomes contributions on a wide range of topics using a range of scholarly approaches including theoretical and empirical papers employing qualitative, quantitative and critical methods.

Case studies and work-in-progress/posters are welcomed approaches. PhD Research, proposals for roundtable discussions, non-academic contributions and product demonstrations based on the main themes are also invited.

You can find calls for papers for these tracks at:

http://academic-conferences.org/eciw/eciw2011/eciw11-call-papers.htm

The ECIW conference proceedings are:

  • listed in the Thomson Reuters ISI Index to Scientific and Technical Proceedings (ISTP/ISI Proceedings)
  • listed in the Thomson Reuters ISI Index to Social Sciences & Humanities Proceedings (ISSHP/ISI Proceedings)
  • indexed by the Institution of Engineering and Technology in the UK.

Conference publications are submitted for accreditation on publication. Please note that depending on the accreditation body, this process can take several months.

Please feel free to circulate this message to any colleagues or contacts you think may be interested.

Monday, July 5, 2010

Another paper published at ECIW

Last week I was at the 9th European Conference on Information Warfare and Security (ECIW 2010) in Thessaloniki, Greece. This is an academic conference, so most of the attendees were also speakers. The information about the proceedings is available here. I hosted the Cyber Conflict mini-track, which consisted of five papers, including mine:

Ottis, R. (2010) Proactive Defence Tactics Against On-Line Cyber Militia. In Proceedings of the 9th European Conference on Information Warfare and Security, Thessaloniki, Greece, 01-02 July. Reading: Academic Publishing Limited, p 233-237. [link]

The main idea of my paper was that in order to defeat a loose network of cyber vigilantes (on-line cyber militia), one can potentially adopt a more proactive stance and use various (offensive) information operations. It should be noted that this is only a theoretical exercise, as some of the options considered may be against the laws and regulations of the host country.

If you have any feedback or suggestions for reading material in a similar vein, please let me know.

Monday, June 14, 2010

Two papers published at C6

I have updated the publications tab with two papers that were published in the proceedings of the upcoming Conference on Cyber Conflict. As is always the case, by the time they went to print I already had some ideas for changing them. Nevertheless, here they are:
  • Lorents, P. and Ottis, R. (2010) Knowledge Based Framework for Cyber Weapons and Conflict. In Czosseck, C. and Podins, K. (Eds.) Conference on Cyber Conflict. Proceedings 2010. Tallinn: CCD COE Publications, p 129-142. [link]
  • Ottis, R. (2010) From Pitch Forks to Laptops: Volunteers in Cyber Conflicts. In Czosseck, C. and Podins, K. (Eds.) Conference on Cyber Conflict. Proceedings 2010. Tallinn: CCD COE Publications, p 97-109. [link]
Any comments and feedback welcome.

Wednesday, June 2, 2010

There are those who know...

Only two weeks until the Conference on Cyber Conflict! While this and some other projects keep me busy, I wanted to point you to a great story over at ubiwar. This discussion has developed over a few days in various other blogs as well.

The issue is about people with access to classified material making authoritative statements, because they "know how things really are". However, since what they know and how they know it is classified, they will not follow through with argumentation. A person who has no access to the classified material has no way of verifying the correctness of the claim, so he has to take it on faith.

My short stance on this is - if it is classified, shut up about it. One, it is not helpful for the open debate. Two, classified is not equivalent to correct. Three, "classified" may refer to something that does not exist.

Friday, May 21, 2010

CFP: IEEE S&P - Cyber Conflict

IEEE SECURITY & PRIVACY CALL FOR PAPERS

Special Issue on Cyber Conflict
(Sept./Oct. 2011 issue)

Deadline for abstract submissions: 15 June 2010
Full papers due: 1 October 2010

Guest editors:
Thomas A. Berson (Anagram Laboratories)
Dorothy E. Denning (Naval Postgraduate School)

In 2007, Estonia was the target of massive denial-of-service attacks over the controversial relocation of a Soviet-era war memorial. Although the attacks leveraged botnets scattered all over the world, they were believed to originate in Russia or with persons of Russian descent. The following year, Georgia was the victim of similar attacks in conjunction with a ground confrontation with Russia. Meanwhile, large-scale cyber espionage operations into US military networks, computers belonging to the Dalai Lama and the government of India, critical infrastructures, major companies including Google, and various other targets have been traced back to China.

These incidents offer a glimpse into a future where cyberspace plays a key role in conflicts involving either or both nation-states and non-state actors. Over a hundred countries are reportedly developing capabilities for cyber espionage and cyber attack – capabilities that many individual hackers, criminals, and spies already possess and freely use.

These developments have raised numerous questions, including: What constitutes an act of war in cyberspace? How does the law of armed conflict apply to cyber attacks? Do we need international treaties governing cyber conflict? Can cyber attacks be deterred or pre-empted? Can we detect and analyze cyber attacks with sufficient speed and certainty as to limit their damages and determine attribution? Should states be responsible for attacks conducted by their citizens or using computers in their territory? What are the security implications of cyber conflict? What are the privacy implications?

IEEE Security & Privacy magazine seeks papers on all aspects of cyber conflict, including technology, policy, legal, ethical, operational, and strategic issues, especially as they relate to security and privacy. Papers can provide a broad overview or more in-depth coverage of a specific topic, country, or case study.

Authors should submit abstracts of 100-500 words as plain text or a .pdf file to dedennin@nps.edu by June 15. Authors whose abstracts fall within the scope of the issue will then be invited to submit full papers to the journal for peer-review. Papers will be due October 1 and should not exceed 6,000 words. The writing should be down-to-earth, practical, and original. Articles that are accepted for publication will be professionally copyedited according to the IEEE Computer Society style guide.

Visit www.computer.org/portal/pages/security/author.xml for information about the magazine, including article guidelines.

Friday, May 14, 2010

Hostage Deterrence

Today I happened to hear yet another discussion about the impossibility of deterrence in cyberspace, when I realized that it may not be entirely true.

While I agree that in the conventional sense cyberspace does not support the concept of deterrence very well (lack of attribution), I think there is a special case where it might work. Consider a situation where Nation A develops a credible offensive cyber capability and announces a policy that, regardless of attribution, if a critical cyber attack were launched against it, it would automatically launch a critical cyber attack against Nation(s) B(,C,D, ...). In that highly controversial case, Nation A would actually have a deterrent against the other Nation(s) in question.

In other words, Nation B is effectively deterred from launching a critical cyber attack against Nation A.

Obviously, the weak point here is that any Nation X may carry out a false flag or anonymous attack in order to make Nation A attack Nation B without cause. That is why it is not normal deterrence, but something you might call "hostage deterrence". Has anyone come across such a thing before, either in theory or in practice?

Baltic Cyber Shield 2010

I spent the first two days of this week engaged in a multinational distributed cyber defence exercise - Baltic Cyber Shield. It was a tech-centric exercise organized by CCD COE and various Swedish defence organizations, particularly the Swedish National Defence College and the Swedish Defence Research Agency. The Estonian Cyber Defence League, a volunteer cyber defence organization, also provided invaluable support. All in all, about 100 people from about 10 countries took part in the exercise.

According to the scenario, six blue teams (3 Swedish, a Latvian, a Lithuanian and a NATO team) of up to ten experts were deployed to take over compromised and poorly set up networks targeted by an extremist environmental group's "cyber warfare division" (multi-national red team). The exercise was distributed, so the participants performed the defence and attack missions remotely.

I must say it was a lot of fun. As expected, there were all kinds of issues, but in the end, everything went quite well. The attackers were able to maintain a steady push, compromising well over a hundred systems over the two days, while the defenders tried different strategies to maintain their services while locking the attackers out of their networks.

As a member of the referee team, I got another good experience, and learned some things that can contribute to my PhD research (the attackers were, after all, supposedly a non-government volunteer group who engaged in politically motivated cyber attacks). Congratulations are in order to the members of Blue 5, a Swedish expert team, who won the exercise.

Next week I will be at SMi's Cyber Defence Conference in Tallinn.

Friday, May 7, 2010

Cyber Attacks and NATO Article 5

I gave a lecture about malicious uses of cyberspace to an international group in Germany yesterday, and one of the attendees asked me if a cyber attack could ever be a trigger for the collective self-defense clause of NATO, a.k.a. Article 5.

A very good question.

Allow me to answer via analogy:
1. A cyber attack is either malicious use of commonly available technology (computers, software, network infrastructure, ...) or the use of a cyber weapon (something specifically crafted for causing damage/disruption in cyberspace - such as a DoS tool) in order to create a cyber incident.
2. The ONLY time when Article 5 was actually invoked was in response to the malicious use of commonly available technology (passenger aircraft during 9/11).
3. Therefore, it follows that if the cyber attack causes serious enough harm, it can trigger Article 5 action.

The question that remains, then, is what level and type of harm will cross this threshold. In reality, this will never be set in stone. Likely there will be some cases that will automatically trigger it, however, in the end it will be case by case, as it is with "conventional" attacks.

Monday, May 3, 2010

The Law of Armed Conflict in Cyberspace

Last week I spent three days with a group of law experts, who are trying to figure out how to interpret the current laws of armed conflict (LOAC) for cyberspace. The group is headed by Mike Schmitt, and includes many other heavyweights like Derek Jinks, Ken Watkins, Tom Wingfield and Bill Boothby, just to name a few.

This work is very important, as there are no laws specifically drafted for conflicts in cyberspace or suitable court cases to analyze (to my knowledge). To bridge the gap between the laws written in the (arguably) pre-cyber era and the events that we witness and theorize about today, one needs to make good use of one's imagination. This was my role, I guess - I was one of the "cyber experts" who was tasked to come up with examples and analogies on the spot, while explaining some basic concepts from computer science, informatics, physics, etc. to a crowd who normally deal with the legal issues in the realm of things that kill people and blow stuff up.

I must say it was a wonderful learning experience and I look forward to the next meeting. It also clearly identified some issues that I have not seen discussed (recognized?) by us theoretical/conceptual researchers, who approach cyber conflict from the de-facto viewpoint (what the technology allows one to do and what is actually being done in cyberspace). While we may say that the de-jure viewpoint is outdated and not realistic, we cannot dispute that it is, in fact, the law.

Some issues that I personally found interesting (contrasted with the cyber-centric viewpoint) were:
  • the legal concepts of armed attack, use of (armed) force and armed conflict in cyberspace, and
  • the legal status of non-military personnel, who perform cyber attacks during wartime.
While this work is still in its infancy, I hope the resulting manual will settle some of the speculative cyber warfare discussions of today.

Wednesday, April 21, 2010

Corrupted Science

I recently finished a book by John Grant - Corrupted Science. In it, Grant describes an endless parade of examples where scientific principles have been violated (sometimes resulting in tragic loss of human life), starting from the faking of observation data by Ptolemy and Galilei and ending with the illnesses hampering modern science in the US.

I think it should be required reading for aspiring scientists. On the one hand, it demystifies the image of science, which is often seen as something absolute, certain (100%) and infallible, while in reality this is often not the case. On the other hand, it urges you to avoid the various pitfalls and mistakes that have happened before, and hopefully makes you a better and more moral scientist.

It is especially instructive to see the vast array of examples from recent years. Otherwise, we could just look at the chapter on Hitler's Germany and Stalin's Russia and dismiss it as "ancient" history. However, it is followed by an account of politically corrupted science from the US during the Bush (II) reign.

Monday, April 19, 2010

Volcano Week

I was supposed to go to a workshop in Hungary this week to discuss where the European cybersecurity research is heading and where it actually should go. It seems that the Norse gods had their own agenda, so the workshop was postponed.

So, for now, I will just point you to the workshop's literature [pdf] page, which includes some interesting references.

Wednesday, April 14, 2010

Paper on Cyberspace

I presented a paper [link] at the 5th International Conference on Information Warfare and Security (ICIW) last week. This year the event was hosted by the US Air Force Institute of Technology, at Wright-Patterson AFB, Dayton, Ohio. If you ever get the chance, I recommend spending a day or two at the Air Force museum there (yeah, any less will not do).

Our paper (co-authored by Peeter Lorents) presented some of our work on the cyber terminology. Specifically, in the paper we defined cyberspace as "a time-dependent set of interconnected information systems and the human users that interact with these systems".

It was not our intent to come up with a universal definition (which could be useless), but something that provides a background for our future work. So, basically, it is more like a brick destined to become part of a wall, instead of the wall itself.

While we were at it, we came up with a couple of simple implications from our definition, which are explained in more detail in the paper:
  • both offensive and defensive deployments can take place very rapidly in cyberspace
  • it is not feasible to map cyberspace accurately
  • both attackers and defenders must constantly reconnoiter or patrol the potential area of conflict in cyberspace.
The conference itself had some interesting papers from various angles and I look forward to reviewing a few of those here.

P.S. I moved the publications section to a tab at the top. Under that tab is now the full list, with some papers available via Google Docs.

Wednesday, March 31, 2010

Georgia 2008 and Cyber Neutrality

I happened across an article [pdf] about neutrality in cyberspace by Korns and Kastenberg. In the article, the authors analyze an aspect of the 2008 Georgia cyber conflict that usually receives little attention: the fact that the Georgian government moved some of its online services to other countries during the war. Specifically, the authors worry about what this means to the neutrality of the host countries.

While they raise an interesting question, I do have some issues.

First, there is the question of whether the US lost its neutral status in the Russia-Georgia war by hosting some services:
"The fact that American IT companies provided assistance to Georgia, a cyber belligerent, apparently without the knowledge or approval of the US government, illustrates what is likely to become a significant policy issue."
Were Georgian websites under attack? Yes, no doubt. Was this a part of the Russian war campaign? Maybe, but at least officially the Russians deny their involvement. Well, if neither belligerent takes responsibility for the attacks, then we can't really refer to Georgia as a "cyber belligerent" (what does this mean, anyway?). We are left with attacks that do not amount to war, but to crime or political hacktivism, and I am unaware of any international prohibition on cooperating against criminals or hacktivists - even on the business level. Besides, blaming Georgia for this decision is similar to arresting the victim of a street mugger, as the only known party in the criminal act.

Then there is the question of the type of aid that was provided to Georgia (citing a Supreme Court decision):
"If the US government establishes a strict position of neutrality, American industry may provide nonmilitary and humanitarian support to a belligerent, but firms are required to halt all commerce that militarily aids a combatant."
I believe this is undiscovered country. Presumably, the drafters of this document had the physical goods industry in mind, whereas in cyberspace we are mostly concerned with services. Is hosting a government public relations website "commerce that militarily aids a combatant"? I would argue against that, because otherwise the US would have to pull the plug on EVERYTHING every time there is a conflict where the US remains neutral (although there is a question whether the US was truly neutral in this case, as illustrated in the paper).
"Under a traditional international law rubric, to remain neutral in a cyber conflict a nation cannot originate a cyber attack, and it also has to take action to prevent a cyber attack from transiting its Internet nodes."
Since the US is one of the leading nations harboring ISPs with questionable practices, and is also home to a large number of malware-infected computers (bots in a botnet), any time you have a large DDoS attack the US is likely to be on the "attack source" list [to be fair, the authors have also covered this aspect]. I consider it quite likely that at least some US-based computers were used against the Georgian sites during the war. If the Russian Federation was behind the attacks, does this mean that the US lost its neutrality and became a belligerent? Again, I would say no. It would be great if the US could clean up its part of the Internet, though.

The rest of the paper does a quick analysis of several potentially applicable laws and treaties. Again, while I do not agree with all of their conclusions, they have done a very good job of pulling together thought-provoking concepts. I highly recommend reading it.

These are just some first reactions, but I can see that I need to do some deep thinking on the subject.

Reference:
Korns, S.W. and Kastenberg, J.E. (2008) "Georgia's Cyber Left Hook." Parameters 38(4): 60-76. U.S. Army War College. Available at: http://www.carlisle.army.mil/usawc/Parameters/08winter/korns.pdf

Friday, March 26, 2010

C6 preliminary agenda published

The CCD COE Conference on Cyber Conflict preliminary agenda is now published. Please take a look and see if something interesting catches your eye. If so, the registration is also open and I look forward to seeing you in June.

Friday, March 19, 2010

Eureka! I've discovered ... science blogging?

Every once in a while you accidentally stumble on something interesting and beneficial, and you can't help but wonder why you had not seen it before. These things rarely hide; you just don't look for them.

This is what happened to me when I followed a random series of interesting links and ended up at ScienceBlogs. Wait, what? Well, obviously, if you come to think about it, such a thing must exist. In multiple forms, even: Wiki, ResearchBlogging, InsideHigherEd, etc. Boy, do I have things to read ...

I think I'll start with science blogging. [here, here, here, here, for starters]

Unfortunately, as is often the case with walking down these narrow and twisted paths, I no longer remember which article or post started me down this particular road. However, I hope that the links in this story will help out someone else and I can call it even, in the grand scheme of things.

Tuesday, March 16, 2010

Cyber Warfare a WMD?

Some comments on the BBC story on USCybercom, which I picked up from USCybercom Watch:
"Not everyone is convinced of USCybercom's military value. One US official at the London conference said that if cyber warfare was a WMD it was only a weapon of "mass disruption, not destruction"."
Only, indeed. While I agree that the effect of cyber warfare is more disruptive than destructive, I cannot agree with the implication this quote seems to make. Just because you cannot blow things up with something does not mean that it is not important. ENIGMA, anyone? Actually, the example by Professor Kuehl in the beginning (bomb v cyber op) illustrates the benefit of cyber very well.

Secondly, military value does not equal WMD. Infantry is not considered a WMD, so surely it cannot have military value? Clearly, this is nonsense. However, I am afraid I am doing injustice to the unnamed speaker at the conference, who may have had something entirely different in mind.

Thirdly, let's forget about the whole WMD thing. It overly complicates issues by raising emotions from nothing. Cyber operations can and do happen every day and we do not see "mass destruction" in the headlines. Yes, in theory, a cyber attack could have global and devastating effects (for example, by creating a cascading failure in the power grid), but this is a fringe case. Most cyber operations would be far more limited in scope, aiming for operational/strategic effects through tactical level cyber operations. And as for battlefield damage, cyber operations are perhaps best viewed as a way to maximise the effects of kinetic/thermic/EM weapons.

Wednesday, March 10, 2010

Cyber Conferences

Here are some cyber conferences that might be of interest, in chronological order (disclaimer: I will take part in all of them):

The International Conference on Information Warfare and Security (ICIW), April 8-9 in Dayton, Ohio, US. This is an academic conference with peer reviewed proceedings and covers a wide range of topics from PSYOPS to cyber operations. I will be presenting a paper titled "Cyberspace: Definition and Implications".

The SMi Conference on Cyber Defence, May 17-18 in Tallinn, Estonia. This is a professional conference that is leaning a bit towards military approaches. I am invited to give a talk there.

The CCD COE Conference on Cyber Conflict (C6), June 16-18 in Tallinn, Estonia. The Conference is a mix of academic and professional presentations and will also publish peer reviewed proceedings of the academic content. There are three tracks: Legal, Strategy and Technical Solutions. I will be managing the Strategy track. I have written about this event before in here and here. Registration is now open.

The European Conference on Information Warfare and Security (ECIW), July 1-2 in Thessaloniki, Greece. This is an academic conference with peer reviewed proceedings and covers a wide range of topics from PSYOPS to cyber operations. I will be chairing the Cyber Conflict mini-track and presenting a paper titled "Proactive Defence Tactics Against On-Line Cyber Militia".

Oh yeah, did I mention that the registration is open for the C6?

Monday, March 8, 2010

On offensive operations in cyberspace

This year started out in full gear for me and it seems that this is the first week where I can take a breath and write down some of my thoughts.

Last week I was invited to give a talk at one of many cyber defence/IA related conferences in Europe. As is often the case, the question of offensive cyber operations came up. It seems that whenever this happens, the automatic (and politically correct) answer is: well, the military can't plan an offensive cyber campaign, because most likely they will not be able to identify the actor behind the incoming cyber attacks (the attribution problem). They are right, counterattacks in cyberspace can be tricky.

However, this misses the point completely. Who says that cyber operations have to be symmetric (targeting only cyber aggressors with cyber ops)? There is every reason for the military to plan and prepare offensive cyber operations for various military situations. When a military is deployed to fight someone, then the target should already be identified and is not necessarily limited to cyber operatives.

It makes sense to consider different ways to achieve a military objective: aerial bombardment, naval blockade, precision drone strikes, landing a division of Marines, cutting off C2 with cyber attacks, jamming radio communication with EW, threatening with nukes, etc. In fact, according to the principle of least harm, it is conceivable that the commander should FAVOR cyber attacks over more lethal options, if the end result is the same.

There is no good reason to limit the options of the commanders in the doctrine-writing phase between conflicts. Sure, there are legal issues, attribution issues, collateral damage issues and so on - as is the case with drone strikes, for example. And yet the drones are in the sky today. It just shows that where there is a will, there is also a way.

The only real counterargument for offensive cyber is that we don't want to see it on the battlefield (like nukes, bio and chem). However, clearly this is a genie that we cannot force back into the bottle. Potential adversaries, both state and non-state, are already using cyber attacks on a daily basis. Therefore, it makes sense to include this option in the play book of the commanders of the future.

It should be noted that I am not advocating military use of cyber attacks on a daily basis, but only in conflict situations and against "legal" targets. I am also aware that the whole "legal" issue is far from solved and most likely will not be solved in any reasonable timeframe.

Thursday, February 18, 2010

Who is writing your e-mail?

It seems that 2010 is going to be an interesting year. First, the Google-China controversy, and now this from NetWitness (also covered here and here, among other places).

The numbers: 75000 computers compromised in 2500 companies located in 196 countries.

Wednesday, February 3, 2010

Why Science? Because it works! Kind of ...

Every once in a while I get into a discussion on whether or not it is difficult to enter the scientific community. My theory is that it rests mostly on motivation and self-confidence, as is excellently demonstrated by the example of professors Zola and Charlie Chrobak.

I am not really familiar with their current work [pdf], but I have a feeling that it is related to some previous research on Artificial Intelligence.

Thanks to Dr Risto Vaarandi for pointing me to this wonderful story of the underdogs in science.

Thursday, January 28, 2010

Jeffrey Carr Inside Cyber Warfare

Jeffrey Carr's new book, Inside Cyber Warfare came out late last year and is an interesting resource for the cyber researcher. If you are familiar with the Grey Goose Reports I and II and have been reading Jeff's blog at IntelFusion, then a lot of the material will look familiar.

The book covers a lot of ground (pretty much all of it), but this is also its weakness. The principle of universality vs effectiveness states that there can't be both at the same time. Therefore, the book feels at times like a train ride - interesting scenery is rushing by, but you do not catch the full richness of it, just glimpses.

I found the Grey Goose Reports an interesting read, although somewhat rough around the edges. Granted, they were done under serious time constraints and included input from many people, so it was to be expected. I'm glad to see that Jeff has polished away a lot of that.

Jeff goes through a host of examples of recent cyber conflicts, specifically looking at potential state-sponsored events like the Russia-Georgia (cyber) conflict of 2008. He includes a lot of small facts and stories that may not have caught your attention before, so it pays to read the book instead of just scanning over it quickly.

On the other hand, however, I find that the biggest problem with Grey Goose and this book is that in the end, they are just stories with a plausible explanation. To me, there is still no concrete PROOF of state involvement in Georgia 2008, even though there are a thousand circumstantial evidence arrows pointing at it. So we are stuck with the attribution question, again.

This brings me back to my own research - understanding "independent" online cyber militia and looking for ways to deal with the phenomenon. I'll have a post on some potential tactics soon.

As I said above, the book definitely contains a lot of interesting information and may provide you with the interesting fact or angle that was missing, if you are researching cyber conflicts. So, if you get the chance, read it.

Monday, January 25, 2010

CFP: ICGS3 - Braga, Portugal

There is a CFP for the 6th International Conference on Global Security, Safety, and Sustainability (ICGS3). The conference will take place 1-3 September in Braga, Portugal. Papers will be published by Springer.

I have not been to this conference before, but I am considering giving it a try. From the website:
"This Annual International Conference is an established platform in which security, safety and sustainability issues can be examined from several global perspectives through dialogue between academics, students, government representatives, chief executives, security professionals, and research scientists from the United Kingdom and from around the globe."
What are your thoughts on this? Have you been there in the past?

Thursday, January 21, 2010

The Schmitt analysis, Part II

This is my second post that looks at the legal aspects of cyber conflicts. As Sean pointed out, Schmitt also wrote a piece in 1999 that gives a framework for evaluating whether or not jus ad bellum applies to cyber conflict. The text is available here [pdf]. Note that the last post was about jus in bello and this one is on jus ad bellum, which the author defines as:
"... that body of international law governing the resort to force as an instrument of national policy ..."
... or in other words, when is it ok to go to war. The article limits the scope to CNA between state actors, which is good, because applying the laws of war to non-state actors is always tricky. In the end, however, it needs to be done, because many of the actors in the cyber conflicts of today are definitely not state actors. Schmitt poses two generic scenarios of interest:
"In the first, State A conducts CNA operations against State B with no intention of ever escalating the conflict to the level of armed engagement. The advantages gained through the CNA are ends in themselves. In the second scenario, State A conducts CNA operations in order to prepare the battle space for a conventional attack. The goal is to disorient, disrupt, blind, or mislead State B so as to enhance the likelihood that conventional military operations will prove successful."
He again stumbles on the issue of whether or not CNA constitutes "use of force" if the legal text is interpreted the traditional way. He then offers counterexamples of "lawful" use of force, which require a different analysis approach. Schmitt analyzes the text, looks at the history behind it, and shows how the application of the law has evolved over time with court cases. He arrives at the conclusion that, in the end, what matters is the consequences.

He provides a list of criteria to be analyzed in order to check whether a cyber attack could be considered "use of force" in terms of international law. Here they are:
"1) Severity: Armed attacks threaten physical injury or destruction of property to a much greater degree than other forms of coercion. Physical well-being usually occupies the apex of the human hierarchy of need.
2) Immediacy: The negative consequences of armed coercion, or threat thereof, usually occur with great immediacy, while those of other forms of coercion develop more slowly. Thus, the opportunity for the target state or the international community to seek peaceful accommodation is hampered in the former case.
3) Directness: The consequences of armed coercion are more directly tied to the actus reus than in other forms of coercion, which often depend on numerous contributory factors to operate. Thus, the prohibition on force precludes negative consequences with greater certainty.
4) Invasiveness: In armed coercion, the act causing the harm usually crosses into the target state, whereas in economic warfare the acts generally occur beyond the target’s borders. As a result, even though armed and economic acts may have roughly similar consequences, the former represents a greater intrusion on the rights of the target state and, therefore, is more likely to disrupt international stability.
5) Measurability: While the consequences of armed coercion are usually easy to ascertain (e.g., a certain level of destruction), the actual negative consequences of other forms of coercion are harder to measure. This fact renders the appropriateness of community condemnation, and the degree of vehemence contained therein, less suspect in the case of armed force.
6) Presumptive Legitimacy: In most cases, whether under domestic or international law, the application of violence is deemed illegitimate absent some specific exception such as self-defense. The cognitive approach is prohibitory. By contrast, most other forms of coercion—again in the domestic and international sphere—are presumptively lawful, absent a prohibition to the contrary. The cognitive approach is permissive. Thus, the consequences of armed coercion are presumptively impermissible, whereas those of other coercive acts are not (as a very generalized rule)."
An example of the use of the Schmitt analysis in a more quantitative form is available here [pdf].

He spends a fair amount of time analyzing what actions could be taken in response to CNA. He comes up with a relatively simple decision procedure:
"1) Is the technique employed in the CNA a use of armed force? It is if the attack is intended to directly cause physical damage to tangible objects or injury to human beings.
2) If it is not armed force, is the CNA nevertheless a use of force as contemplated in the U.N. Charter? It is if the nature of its consequences track those consequence commonalities which characterize armed force.
3) If the CNA is a use of force (armed or otherwise), is that force applied consistent with Chapter VII, the principle of self-defense, or operational code norms permitting its use in the attendant circumstances?
a) If so, the operation is likely to be judged legitimate.
b) If not and the operation constitutes a use of armed force, the CNA will violate Article 2(4), as well as the customary international law prohibition on the use of force.
c) If not and the operation constitutes a use of force, but not armed force, the CNA will violate Article 2(4).
4) If the CNA does not rise to the level of the use of force, is there another prohibition in international law that would preclude its use? The most likely candidate, albeit not the only one, would be the prohibition on intervening in the affairs of other States."
A second decision procedure is available for determining whether or not a response with armed force is applicable:
"1) If the computer network attack amounts to a use of armed force, then the Security Council may characterize it as an act of aggression or breach of peace and authorize a forceful response under Article 42 of the Charter. To constitute an armed attack, the CNA must be intended to directly cause physical damage to tangible objects or injury to human beings.
2) If the CNA does not constitute an armed attack, the Security Council may nevertheless find it to threaten the peace (the absence of inter-state violence) and authorize a use of force to prevent a subsequent breach of peace. The CNA need not amount to a use of force before the Council may determine that it threatens peace.
3) States, acting individually or collectively, may respond to a CNA amounting to armed attack with the use of force pursuant to Article 51 and the inherent right of self-defense.
4) States, acting individually or collectively, may respond to a CNA not amounting to armed attack, but which is an integral part of an operation intended to culminate in armed attack when:
a) The acts in self-defense occur during the last possible window of opportunity available to effectively counter the attack; and
b) The CNA is an irrevocable step in an imminent (near-term) and probably unavoidable attack."
The paper contains a lot of insight (at least to an outsider like me) into how international law works and what questions may be asked after the first real cyber war. I highly recommend reading this paper in full to get the picture. I know the author is currently working on updating the analysis, but until then, we must wait.

Thursday, January 14, 2010

The Schmitt analysis

Here is a bit of reading from 2002 that is still relevant today. Michael N. Schmitt wrote an article called "Wired warfare: Computer network attack and jus in bello" [pdf], where he explored what international humanitarian law has to say about CNA. It should be required reading for all of us cyber conflict researchers, as sooner or later we will have to tackle showing how our theories work (or not) in the framework of existing laws. And the article shows that lawyers' concerns are often a bit different from what we might expect.
As an anecdote, I found it very funny when Richard Nixon's head (President of Earth in Futurama), faced with a legal obstacle, says something along the lines of: "Well, I know a place where the Constitution doesn't mean squat!" and the camera zooms to the Supreme Court. [from memory, so it may be a little inaccurate]
For those who are unsure what jus in bello means, he provides a definition:
"... that body of law concerned with what is permissible, or not, during hostilities, irrespective of the legality of the initial resort to force by the belligerents."
With that clear, let's move on. He quickly analyzes whether the international humanitarian law applies to CNA at all and finds that yes it does, if it can be classified as 'armed conflict'. That, in turn, requires that 'armed forces' are engaged in the conflict. However, the link between CNA and armed forces is not very strong, so he analyzes the contradictions in the text of the law and its application to conclude that:
"... humanitarian law principles apply whenever computer network attacks can be ascribed to a State are more than merely sporadic and isolated incidents and are either intended to cause injury, death, damage or destruction (and analogous effects), or such consequences are foreseeable."
Obviously, the biggest problem here is the attribution. Cyber is very much a silent service when it comes to taking credit for the really complicated and high profile attacks. Government A could very well pull off a 'cyber war' and remain anonymous. Better yet, make it look like it came from Govt. B.

Since direct injury and death are presumably difficult to reach with cyber, let's discuss the other two. Would financial loss be enough to invoke the damage criterion? If so, how much loss are we talking about? Does destruction only apply to physical objects or is information also on the menu? What if an attacker drops all tables in the national registry of [CLASSIFIED] and manages to mess up the backups as well? The truth is out there...

Schmitt follows a trail of deductions similar to the one for 'armed conflict' with the concepts of 'targeting' and 'attack' in the law. He also touches on the classification of targets into combatants and military objectives, civilians and civilian objects, as well as dual use objects. He discusses targeting economic systems (stock market, banks etc) as military targets and once again returns to the threshold of 'injury, death, damage or destruction'.

The civilian section includes an interesting bit about contractors or civilians who perform cyber attacks. He points out that those civilians (and contractors) with an official tie to the military could still be targeted and could be considered prisoners of war (because they are 'accompanying the armed forces'), if captured. On the other hand, if civilians launch the attack and they do not have an official connection, they would be 'illegal combatants' (who may still be attacked). This is only the case where the cyber attacks are severe enough to pass the threshold mentioned above.

Unfortunately his section on dual use objects is relatively short. I think the dual use category is extremely important in cyber context, as one could argue that most systems could potentially be dual use (Internet, for example, can serve as a backup communication system for the military and it is most likely going to be the main battlefield of cyber conflict). This is definitely one aspect that merits further study.

He shows that the legal framework actually supports cyber attacks over kinetic in some cases, such as shutting down dams and nuclear power stations (which you should not do with kinetics).

He analyzes several aspects of CNA targeting, including discrimination, distinction, proportionality, collateral damage, incidental injury and perfidy. I think the difference between perfidy and a ruse is what would often get IT guys in trouble.

Overall, he covers a lot of ground and to my knowledge, there is still no better, definite answer on what is and is not allowed in cyber space. As always, read the paper for full info.

Monday, January 11, 2010

First post

...of 2010. This year has actually started with a flurry of activity and I seem to be quite busy for at least the next five weeks or so. I guess this is good, as most of the activity is centered around my research.

This year will be important for my PhD studies. I plan to research and publish some core pieces of my thesis in preparation for the write-up and defense in 2011. Specifically, I want to address the structure, capabilities and weaknesses of volunteer cyber militia. Tackling those issues will not be easy, requiring me to revisit some concepts that I haven't looked at in years.