Thursday, January 28, 2010

Jeffrey Carr Inside Cyber Warfare

Jeffrey Carr's new book, Inside Cyber Warfare, came out late last year and is an interesting resource for the cyber researcher. If you are familiar with the Grey Goose Reports I and II and have been reading Jeff's blog at IntelFusion, then a lot of the material will look familiar.

The book covers a lot of ground (pretty much all of it), but this is also its weakness. The principle of universality vs effectiveness states that there can't be both at the same time. Therefore, the book feels at times like a train ride - interesting scenery is rushing by, but you do not catch the full richness of it, just glimpses.

I found the Grey Goose Reports an interesting read, although somewhat rough around the edges. Granted, they were done under serious time constraints and included input from many people, so it was to be expected. I'm glad to see that Jeff has polished away a lot of that.

Jeff goes through a host of examples of recent cyber conflicts, specifically looking at potential state-sponsored events like the Russia-Georgia (cyber) conflict of 2008. He includes a lot of small facts and stories that may not have caught your attention before, so it pays to read the book instead of just scanning over it quickly.

On the other hand, however, I find that the biggest problem with Grey Goose and this book is that in the end, they are just stories with a plausible explanation. To me, there is still no concrete PROOF of state involvement in Georgia 2008, even though there are a thousand circumstantial evidence arrows pointing at it. So we are stuck with the attribution question, again.

This brings me back to my own research - understanding "independent" online cyber militia and looking for ways to deal with the phenomenon. I'll have a post on some potential tactics soon.

As I said above, the book definitely contains a lot of interesting information and may provide you with the interesting fact or angle that was missing, if you are researching cyber conflicts. So, if you get the chance, read it.

Monday, January 25, 2010

CFP: ICGS3 - Braga, Portugal

There is a CFP for the 6th International Conference on Global Security, Safety, and Sustainability (ICGS3). The conference will take place 1-3 September in Braga, Portugal. Papers will be published by Springer.

I have not been to this conference before, but I am considering giving it a try. From the website:
"This Annual International Conference is an established platform in which security, safety and sustainability issues can be examined from several global perspectives through dialogue between academics, students, government representatives, chief executives, security professionals, and research scientists from the United Kingdom and from around the globe."
What are your thoughts on this? Have you been there in the past?

Thursday, January 21, 2010

The Schmitt analysis, Part II

This is my second post that looks at the legal aspects of cyber conflicts. As Sean pointed out, Schmitt also wrote a piece in 1999 that gives a framework for evaluating whether or not jus ad bellum applies to cyber conflict. The text is available here [pdf]. Note that the last post was about jus in bello and this one is on jus ad bellum, which the author defines as:
"... that body of international law governing the resort to force as an instrument of national policy ..."
... or in other words, when is it ok to go to war. The article limits the scope to CNA between state actors, which is good, because applying the laws of war to non-state actors is always tricky. In the end, however, it needs to be done, because many of the actors in the cyber conflicts of today are definitely not state actors. Schmitt poses two generic scenarios of interest:
"In the first, State A conducts CNA operations against State B with no intention of ever escalating the conflict to the level of armed engagement. The advantages gained through the CNA are ends in themselves. In the second scenario, State A conducts CNA operations in order to prepare the battle space for a conventional attack. The goal is to disorient, disrupt, blind, or mislead State B so as to enhance the likelihood that conventional military operations will prove successful."
He again stumbles on the issue of whether or not CNA constitutes "use of force" if the legal text is interpreted the traditional way. He then brings counterexamples of "lawful" use of force, which require a different analysis approach. Schmitt analyzes the text, looks at the history behind it, and shows how the application of law has evolved over time with court cases. He arrives at the conclusion that, in the end, what matters are the consequences.

He provides a list of criteria to be analyzed in order to check whether a cyber attack could be considered "use of force" in terms of international law. Here they are:
"1) Severity: Armed attacks threaten physical injury or destruction of property to a much greater degree than other forms of coercion. Physical well-being usually occupies the apex of the human hierarchy of need.
2) Immediacy: The negative consequences of armed coercion, or threat thereof, usually occur with great immediacy, while those of other forms of coercion develop more slowly. Thus, the opportunity for the target state or the international community to seek peaceful accommodation is hampered in the former case.
3) Directness: The consequences of armed coercion are more directly tied to the actus reus than in other forms of coercion, which often depend on numerous contributory factors to operate. Thus, the prohibition on force precludes negative consequences with greater certainty.
4) Invasiveness: In armed coercion, the act causing the harm usually crosses into the target state, whereas in economic warfare the acts generally occur beyond the target’s borders. As a result, even though armed and economic acts may have roughly similar consequences, the former represents a greater intrusion on the rights of the target state and, therefore, is more likely to disrupt international stability.
5) Measurability: While the consequences of armed coercion are usually easy to ascertain (e.g., a certain level of destruction), the actual negative consequences of other forms of coercion are harder to measure. This fact renders the appropriateness of community condemnation, and the degree of vehemence contained therein, less suspect in the case of armed force.
6) Presumptive Legitimacy: In most cases, whether under domestic or international law, the application of violence is deemed illegitimate absent some specific exception such as self-defense. The cognitive approach is prohibitory. By contrast, most other forms of coercion—again in the domestic and international sphere--are presumptively lawful, absent a prohibition to the contrary. The cognitive approach is permissive. Thus, the consequences of armed coercion are presumptively impermissible, whereas those of other coercive acts are not (as a very generalized rule)."
An example of the use of the Schmitt analysis in a more quantitative form is available here [pdf].

He spends a fair amount of time analyzing what actions could be taken in response to CNA. He comes up with a relatively simple decision procedure:
"1) Is the technique employed in the CNA a use of armed force? It is if the attack is intended to directly cause physical damage to tangible objects or injury to human beings.
2) If it is not armed force, is the CNA nevertheless a use of force as contemplated in the U.N. Charter? It is if the nature of its consequences track those consequence commonalities which characterize armed force.
3) If the CNA is a use of force (armed or otherwise), is that force applied consistent with Chapter VII, the principle of self-defense, or operational code norms permitting its use in the attendant circumstances?
a) If so, the operation is likely to be judged legitimate.
b) If not and the operation constitutes a use of armed force, the CNA will violate Article 2(4), as well as the customary international law prohibition on the use of force.
c) If not and the operation constitutes a use of force, but not armed force, the CNA will violate Article 2(4).
4) If the CNA does not rise to the level of the use of force, is there another prohibition in international law that would preclude its use? The most likely candidate, albeit not the only one, would be the prohibition on intervening in the affairs of other States."
A second decision procedure is available for determining whether or not a response with armed force is applicable:
"1) If the computer network attack amounts to a use of armed force, then the Security Council may characterize it as an act of aggression or breach of peace and authorize a forceful response under Article 42 of the Charter. To constitute an armed attack, the CNA must be intended to directly cause physical damage to tangible objects or injury to human beings.
2) If the CNA does not constitute an armed attack, the Security Council may nevertheless find it to threaten the peace (the absence of inter-state violence) and authorize a use of force to prevent a subsequent breach of peace. The CNA need not amount to a use of force before the Council may determine that it threatens peace.
3) States, acting individually or collectively, may respond to a CNA amounting to armed attack with the use of force pursuant to Article 51 and the inherent right of self-defense.
4) States, acting individually or collectively, may respond to a CNA not amounting to armed attack, but which is an integral part of an operation intended to culminate in armed attack when:
a) The acts in self-defense occur during the last possible window of opportunity available to effectively counter the attack; and
b) The CNA is an irrevocable step in an imminent (near-term) and probably unavoidable attack."
The paper contains a lot of insight (at least to an outsider like me) into how international law works and what questions may be asked after the first real cyber war. I highly recommend reading this paper in full to get the picture. I know the author is currently working on updating the analysis, but until then, we must wait.

Thursday, January 14, 2010

The Schmitt analysis

Here is a bit of reading from 2002 that is still relevant today. Michael N. Schmitt wrote an article called "Wired warfare: Computer network attack and jus in bello" [pdf], where he explored what international humanitarian law has to say about CNA. It should be required reading for all of us cyber conflict researchers, as sooner or later we will have to tackle showing how our theories work (or not) in the framework of existing laws. And the article shows that lawyers' concerns are often a bit different from what we might expect.
As an anecdote, I found it very funny when Richard Nixon's head (President of Earth in Futurama), faced with a legal obstacle, says something along the lines of: "Well, I know a place where the Constitution doesn't mean squat!" and the camera zooms to the Supreme Court. [from memory, so it may be a little inaccurate]
For those who are unsure what jus in bello means, he provides a definition:
"... that body of law concerned with what is permissible, or not, during hostilities, irrespective of the legality of the initial resort to force by the belligerents."
With that clear, let's move on. He quickly analyzes whether the international humanitarian law applies to CNA at all and finds that yes it does, if it can be classified as 'armed conflict'. That, in turn, requires that 'armed forces' are engaged in the conflict. However, the link between CNA and armed forces is not very strong, so he analyzes the contradictions in the text of the law and its application to conclude that:
"... humanitarian law principles apply whenever computer network attacks can be ascribed to a State are more than merely sporadic and isolated incidents and are either intended to cause injury, death, damage or destruction (and analogous effects), or such consequences are foreseeable."
Obviously, the biggest problem here is the attribution. Cyber is very much a silent service when it comes to taking credit for the really complicated and high profile attacks. Government A could very well pull off a 'cyber war' and remain anonymous. Better yet, make it look like it came from Govt. B.

Since direct injury and death is presumably difficult to reach with cyber, let's discuss the other two. Would financial loss be enough to evoke the damage criteria? If so, how much loss are we talking about? Does destruction only apply to physical objects or is information also on the menu? What if an attacker drops all tables in the national registry of [CLASSIFIED] and manages to mess up the backups as well? The truth is out there...

Schmitt follows a trail of deductions for the concepts of 'targeting' and 'attack' in the law, similar to the one he followed for 'armed conflict'. He also touches on the classification of targets into combatants and military objectives, civilians and civilian objects, as well as dual use objects. He discusses targeting economic systems (stock market, banks etc.) as military targets and once again returns to the threshold of 'injury, death, damage or destruction'.

The civilian section includes an interesting bit about contractors or civilians who perform cyber attacks. He points out that those civilians (and contractors) with an official tie to the military could still be targeted and could be considered prisoners of war (because they are 'accompanying the armed forces'), if captured. On the other hand, if civilians launch the attack and they do not have an official connection, they would be 'illegal combatants' (who may still be attacked). This applies only in cases where the cyber attacks are severe enough to pass the threshold mentioned above.

Unfortunately, his section on dual use objects is relatively short. I think the dual use category is extremely important in the cyber context, as one could argue that most systems could potentially be dual use (the Internet, for example, can serve as a backup communication system for the military and it is most likely going to be the main battlefield of cyber conflict). This is definitely one aspect that merits further study.

He shows that the legal framework actually supports cyber attacks over kinetic in some cases, such as shutting down dams and nuclear power stations (which you should not do with kinetics).

He analyzes several aspects of CNA targeting, including discrimination, distinction, proportionality, collateral damage, incidental injury and perfidy. I think the difference between perfidy and a ruse is what would often get IT guys in trouble.

Overall, he covers a lot of ground and to my knowledge, there is still no better, definite answer on what is and is not allowed in cyber space. As always, read the paper for full info.

Monday, January 11, 2010

First post

...of 2010. This year has actually started with a flurry of activity and I seem to be quite busy for at least the next five weeks or so. I guess this is good, as most of the activity is centered around my research.

This year will be important for my PhD studies. I plan to research and publish some core pieces of my thesis in preparation for the write-up and defense in 2011. Specifically, I want to address the structure, capabilities and weaknesses of volunteer cyber militia. Tackling those issues will not be easy, requiring me to revisit some concepts that I haven't looked at in years.