Cyberwarfare in International Law

belmolis writes "If the CIA is right to attribute recent blackouts to cyberwarfare, cyberwarfare is no longer science fiction but reality. In a recent op-ed piece and a detailed scholarly paper, legal scholar Duncan Hollis raises the question of whether existing international law is adequate for regulating cyberwarfare. He concludes that it is not: 'Translating existing rules into the IO context produces extensive uncertainty, risking unintentional escalations of conflict where forces have differing interpretations of what is permissible. Alternatively, such uncertainty may discourage the use of IO even if it might produce less harm than traditional means of warfare. Beyond uncertainty, the existing legal framework is insufficient and overly complex. Existing rules have little to say about the non-state actors that will be at the center of future conflicts. And where the laws of war do not apply, even by analogy, an overwhelmingly complex set of other international and foreign law rules purport to govern IO.'"

Re:What is IO?

[Nibbler999]

IO = information operations in this context.

Enemy combatants?

[KublaiKhan]

I dare say that any "cyberwarrior" would not have a recognizable uniform, and as such, would probably be classed as an 'enemy combatant' by the gov't...which gives me the screaming blue creevles, given the gov't's current attitude towards anyone they suspect to be such an 'enemy combatant'--Guantanamo Bay doesn't have broadband, does it? Will they torture this new class of enemy combatant by making them dial into AOL with a 300 baud modem on a keyboard with a broken shift/caps key?

Re:Enemy combatants?

[The+Queen]

You are correct in having "screaming blue creevles" as you put it since yes, cyber-warriors are likely to be a mix of military and civilians, and what with all the lawsuits and spying already going on it wouldn't be much of a leap for some hax0r to be tagged by the feds and shipped off for questioning. The real sticky part though is how the law will cross borders. Cyber warfare knows no borders, so what would our government do if someone from Iran came calling to arrest one of our own on such charges?

This is the inevitable and ingenious evolution of war, IMO. Not, as ST:TOS "A Taste of Armageddon" would have it, but without any bloodshed or casualties in the physical sense. By hitting people in their infrastructure, their way of life, and their economy. (Sortof what the 9-11 guys thought they were doing...and heck, what all us 'rich' countries do all the time through sanctions, trade agreements, 'wars' on drugs, and such...)

cluelessness

[Quadraginta]

Gosh, only a lawyer could have the utter cluelessness about the real world and real people necessary to imagine that war has ever been, or ever will be, regulated by law.

Re:cluelessness

[Chirs]

But it has. There is a whole regulatory framework around things like "just war", definition of a combatant, treatment of spies/prisoners, etc.

Now if you'd said that someone would have to be clueless to imagine that combatants always *abide* by the laws regarding war, that's a whole different issue.

Re:cluelessness

[Beardo+the+Bearded]

War has rules. Check out the Geneva Convention.

They aren't always followed, and they certainly aren't being followed by some countries I could mention, but war is supposed to have rules.

The problem with electronic warfare (Cyberwar? e-war? wartronics?) is that you're attacking civilians. There are horrible weaknesses in a great many systems (including the trunked radios used by first responders) that can easily be exploited. Remember, a lot of our coding is done overseas and/or done by exchange students on co-op terms. It doesn't really effect the army if every mortgage in North America gets the "foreclose" tag set. The Air Force doesn't stay home if the SCADA system controlling the reservoir gets false readings about chloroform counts and turns off the taps. If the phone companies are hit with DDoS attacks and you can't get a dial tone, that doesn't stop aircraft carriers.

What those acts do is target civilians. Suddenly, the water's off, the police are trying to kick me out of my home, and nobody can call a lawyer. War is supposed to target just those in uniform, fighting at the time.

Re:cluelessness

[Quadraginta]

Ah? Why don't you check out the history of, say, the war in the Pacific 1941-1945 and tell me if you think the Geneva Conventions have any serious force. Better yet, ask a vet. Then duck. The Geneva Conventions are one of history's endless series of pious wishes that seek to outlaw inhumanity, like the Kellogg-Briand pact, the founding charter of the League of Nations, the UN, et cetera and so forth ad infinitum.

All of these quaint efforts overlook the fact that war is, by definition, the breakdown of any shred of mutual trust and willingness to compromise. War is about killing people, and when you get to that stage of mutual rage and madness, no piece of paper full of high-minded sentiment is going to stop you from doing what you think you must to win (or not lose). I can't think of any historical exceptions. Can you?

The problem with electronic warfare (Cyberwar? e-war? wartronics?) is that you're attacking civilians

What's new about that? What do you suppose the Eighth Army Air Force was doing over Berlin in 1945? Who got snuffed in Hiroshima?

Re:cluelessness

[Quadraginta]

I think you are confusing "has been regulated" with "has been imagined to be regulated by lawyers and naive fools." To be "regulated" requires a bit more than the mere existence of regulations on paper. It requires that these things have actual force, that they actually do something, they restrain people in some way.

The only thing that has ever restrained the behaviour of nations in combat is plain fear of the direct consequences, e.g. retaliation by the enemy. Can you give me a counter-example? Some case where a nation committed to a war, with substantial interests at stake, eschewed methods of war because some lawyer somewhere said they were "illegal?" If not, then those "regulations" are as insubstantial as moonbeams.

Re:cluelessness

[cptdondo]

I agree with you. What regulates military actions is the real or imagined consequences if the tables are reversed. Atrocities on a systematic basis occur if and when the conflict is one-sided either due to military might or sheer force of numbers.

My biggest concern with the currect US treatment of supposed terrorists, is that we are implicitly agreeing to the same treatment of our GIs in enemy hands. There is no doctrinal difference between the Hanoi Hilton and Guantanamo Bay.

There are dozens of examples of fighting men (and women, but mostly men) treating each other with respect and courtesy even while being determined to kill each other.

Re:cluelessness

[rtechie]

All of these quaint efforts overlook the fact that war is, by definition, the breakdown of any shred of mutual trust and willingness to compromise. War is about killing people, and when you get to that stage of mutual rage and madness, no piece of paper full of high-minded sentiment is going to stop you from doing what you think you must to win (or not lose). I can't think of any historical exceptions. Can you? The short answer is: yes. There have been rules of war that have been closely followed, for centuries, by various groups. There were strict laws of war governed by the Church in the Middle Ages. Imperial Japan followed rules of war, right into WWII (you might not agree with those rules, but they existed). The Roman Army followed strict rules. The idea of soldiers acting in a discipled and humane fashion is nothing new. The big problem is that these rules only tend to be followed in cultural sandboxes: European vs. European, Japanese vs Japanese, etc. When conflicts are cross-cultural the tendency to dehumanize opponents increases and you get much bloodier conflicts: Crusades, Native American wars, Vietnam, etc.

I don't think it's useless to have laws of war. There is no reason to believe they make conflicts worse and every reason to believe that they help reduce civilian casualties, torture, etc. During WW1 gas weapons saw wide deployment, and they were banned not because they were ineffective, but because of the danger they reprsented to all soldiers and civilians. Gas weapons have been used since (notably in the Iran-Iraq war), but widespread use is a thing of the past. Ditto for flamethrowers and flame weapons in general (Phosphor weapons are making a comeback though. Bush apparently thinks burning people alive is fun).

Re:What is IO?

[smittyoneeach]

Aye, vast and inscrutable as the Indian Ocean they are.

Cyber-

[Rukki]

I must not be the only one worried that the international regulations are being levied by people so out of step that they think "Cyber" still means "Internet" not "Text-Sex"?

Re:Cyber-

[El+Yanqui]

What do you expect when you get rid of congressmen like Mark Foley who clearly understand what "Cyber" means?

A big IF

[mangu]

"If the CIA is right to attribute recent blackouts to cyberwarfare, ...

Hey, look, "Die Hard 4" is fiction, and not very good fiction at that.

The US=The World

[STrinity]

"If the CIA is right to attribute recent blackouts to cyberwarfare, cyberwarfare is no longer science fiction but reality.

So Estonia only exists in sci-fi novels?

Re:The US=The World

[nweaver]

Well, execpt that The Estonian "Cyber War" was really internal-to-Estonia script kiddiez.

Adequate laws?

[El+Yanqui]

Duncan Hollis raises the question of whether existing international law is adequate for regulating cyberwarfare

Because existing international law has done such a bang up job regulating real warfare.

True stateless war

[G4from128k]

What stops a Saudi IslamoFascist living in Canada from buying malware from the Russian mafia and redirecting attacks through servers in China? Who do we attack when the attacker is a botnet consisting of a bunch of infected PCs on some UK cablemodem network?

The extreme malleability of data, software, and networks means that anyone can make anyone look like they are a participant in an attack. It won't surprise me if a large percentage of counterattacks, reprisals, or sanctions target the wrong party because they were just the last identifiable node in a long chain of proxies and dark-net hops. If one can make one enemy look like it attacked another enemy, then one can kill two enemy for the price of on DDoSing.

Fixed

[philam3nt]

I fixed this for you:

Existing [international] laws can't be made to fit the crimes of cyberwarfare without extensive revision.

The world is growing into the tech age at different rates. The issue is that international laws differ greatly on what constitutes a cyber-crime (see: China) -- what one country considers harmless in another country may result in a lifetime sentence in prison. This discourages not only crime, but international espionage, because the consequences could be disastrous. Laws also differ in times of war, or if the citzen is a government agent, making things currently very complicated. Not to mention a [cr|h]acker routing their way through an unknowing 3rd party country. Where does the responsibility lie?

Examples, FTA:

...serious "translation" problems make [the laws] ill-suited to the task. For example, the U.N. Charter clearly prohibits states from using force except in self-defense or with U.N. authorization. So does that ban Russia from computer attacks on Estonia? It might. Or is it a "use of force" only if the target is physically harmed? Or only if it leads to death and destruction? Or simply whenever the target is critical to a nation's security? Similar uncertainties surround rules on neutrality and civilian distinction...states may shy away from cyberattacks entirely if they don't know what's allowed -- even in cases in which those attacks might cause less harm than the bombs they'll use instead.

When the laws of war don't apply -- even by analogy -- an overwhelmingly complex set of other international and foreign laws kicks in. For example, assume the hackers in the Estonia case were indeed operating from Russia but had no ties to the government or military. Under existing rules, Estonia should respond by asking Russia to police its own territory. To counter-attack would violate Russia's sovereignty. With new rules, however, nations could agree to waive sovereignty concerns and permit a direct response in certain cases, such as cyberattacks by terrorists that all nations might want thwarted.

Hope that helps! The article is much more clearly written as a whole than what's just in the summary.

Re:Fixed

[KublaiKhan]

I stand corrected. The difference in tech levels (and further, the governments' understanding of said tech) amongst countries is extremely pertinent to the issue at hand.

I personally think that the understanding is more important than the tech level insert series of tubes comment here.

CIA: not exactly a trustworthy source

[foqn1bo]

Given their track record, and given who they work for, why on earth should any American in their right mind believe anything the CIA has to say? If this threat were real, they'd just keep it - and the methods used to combat it - a secret for as long as possible, which is what they usually do. What possible reason would they have to reveal it to the press unless the primary objective is propaganda?

Re:CIA: not exactly a trustworthy source

[TubeSteak]

If this threat were real, they'd just keep it - and the methods used to combat it - a secret for as long as possible, which is what they usually do. What possible reason would they have to reveal it to the press unless the primary objective is propaganda? Obviously, the need for a secure U.S.A. infrastructure outweighs the CIA's desire for secrecy. If you keep it a secret, you can't really fix it now can you?

Unless you think that somehow the Gov't will be able to get the private sector to fix the problem without any information leaks. That'd be impressive as hell.

no evidence

[Presto+Vivace]

Neither the Information Week article I saw, nor any other story has provided any details. It is alleged that blackouts occurred due to cyber attacks, but no specific locations are provided. What black outs? When and where? No details are given. And what is the evidence that cyber attacks were involved? We should with hold judgment until we are provided with the specifics.

This crap might end...

[rickb928]

...when the packet you deliver to the datattackers is measured in kilotons, not kilobytes.

And that's not gonna happen any time soon.

It takes a lot to unravel an attack. More work than tracking down the source of a dirty bomb, or Avian Flu dose, or hallucinogens in the water supply.

More good reasons to not go hell-bent on integrating our utilities over the Internet. It cannot be secured. Only a matter of time before someone breaks into a SCADA access point and causes trouble here.

In the meantime, maybe Estonia's example is what we face. Temporary paralysis, expensive resolutions, and the awareness that this can and will happen again.

And in all this, ICANN wants to be independent of the U.S. Harrr... It would appear that the U.S. is not the source of the real trouble on the Internet. It's all the litle wannabees desperate to hurt someone/something else.

May they get a visit from a B-2 when they get caught.

Re:Any Babelfish in the house?

[Anonymous+Custard]

Another translation:

I had a small house of brokerage on Wall Street... many days no business come to my hut... my hut... but Jimmy has fear? A thousand times no. I never doubted myself for a minute for I knew that my monkey strong bowels were girded with strength like the loins of a dragon ribboned with fat and the opulence of buffalo... dung. ...Glorious sunset of my heart was fading. Soon the super karate monkey death car would park in my space. But Jimmy has fancy plans... and pants to match. The monkey clown horrible karate round and yummy like cute small baby chick would beat the donkey.