Law of Armed Conflict To Apply To Cyberwar

charter6 writes "Gen. Kevin Chilton, the head of STRATCOM, just declared that the Law of Armed Conflict will apply to cyberwar, and that the US won't rule out conventional (read: kinetic) responses to cyber-attacks. This means that we consider state-supported 'hackers' to be subject to the Geneva Conventions and Customary International Law, including the rules of proportionality and distinction (i.e. if we catch them, we can try them for war crimes). Incidentally, it also means we consider non-state cyber-attackers to be illegal enemy combatants, which means we can do all kinds of nasty stuff to them."

Awesome

This seems like a great idea, until you realize that any american geek who prods too deeply will be branded an enemy combatant.

Who knows what happens to enemy combatants.

Re:Awesome

[Jurily]

Who knows what happens to enemy combatants.

Cyber Guantanamo. Maybe they could swipe a small beach from Cyber Yugoslavia

Re:Awesome

[chris098]

The whole "illegal enemy combatant" thing is immoral regardless of whether the "attacks" are physical attacks or just attempts made to disrupt digital communications.

They do have a point though - communications infrastructure is very important both for the economic wellbeing of the country, and to allow other branches of the military to coordinate and defend the country.

There really shouldn't be any reason to not consider traditional armed responses to digital attacks. People can cause damage. A teenage hacker may not have the same violent intent as a suicide bomber or a rogue nation plotting a traditional war, but that doesn't stop them from doing something malicious with serious repercussions.

It sounds good in theory, but like the parent, I also look at our country's history of using good judgment in situations like this, and worry.

Re:Awesome

[religious+freak]

No, those rules are just for THE OTHER guys, not us 'mericans!

(We have domestic law enforcement spying on us)

Re:Awesome

[netruner]

Cyber Guantanamo - wouldn't that be like making them use AOL over a 9600 baud modem? Or would that be considered torture by the Geneva Convention?

Re:Awesome

[Jurily]

Cyber Guantanamo - wouldn't that be like making them use AOL over a 9600 baud modem? Or would that be considered torture by the Geneva Convention?

Sir, you're replying to a comment submitted via GPRS on the Worcester-London train. I now officially hate you.

Re:Awesome

[RiotingPacifist]

I thought the whole point of "enemy combatants" was to get around the whole human rights for POW and prisoners. Hence why when the japs waterboarded POWs it was a terrible thing to do (even if they were trying to prevent an attack on civilians involving a WMD), but when the US waterboraded "enemy combatants" it was just enhanced interrogation.

Re:Awesome

[causality]

The whole "illegal enemy combatant" thing is immoral

Like many state-sponsored practices which are immoral, it's designed to intimidate.

There really shouldn't be any reason to not consider traditional armed responses to digital attacks. People can cause damage. A teenage hacker may not have the same violent intent as a suicide bomber or a rogue nation plotting a traditional war, but that doesn't stop them from doing something malicious with serious repercussions.

Assuming that your top priority is punishing those who perpetrate such attacks, this makes a great deal of sense. Now, if your top priority is to prevent computer and network intrusions, I think our efforts and resources would be better spent towards hardening machines and networks, identifying insecure practices, and holding personally responsible the people who are supposed to keep those systems secure.

What I mean by "priority" is that we can do this and still try to locate and arrest the perpetrators, it would just have a lower priority than securing our systems to prevent such intrusions in the first place. In other words, they're not mutually exclusive even though I believe one of those options makes a lot more sense. I just think it's silly to believe that stiff penalties alone are going to prevent the intrusion attempts that anyone running any sort of server already accepts as inevitable.

It sounds good in theory, but like the parent, I also look at our country's history of using good judgment in situations like this, and worry.

I think that if you cut through all the peripheral issues and locate the core principle, this goes back to the idea that "freedom isn't free." What people seem to want is the perfect ability to secure us against all sorts of threats while retaining all civil liberties and preventing the abuse of power. That just isn't realistic and history, particularly that of the 20th century, has been the story of why that doesn't work and isn't going to work. Personally, I'd rather retain my civil liberties and have a government that doesn't have so many easily-abused powers, even if that means that some criminals who do real damage might get away with it (though more likely than not, they'd just be dealt with using the criminal justice system instead of the Gitmo system).

It seems evident that people who value freedom more than a need to "get those bastards", more than their party platform, more than their desire to feel safe from a threat be it real or imagined, more than even life itself, are becoming rare. I am forced to regard that as cowardice. When it comes to the motivation behind poor decision-making, few things are quite so effective as cowardice.

Re:Awesome

[Weedhopper]

The whole "illegal enemy combatant" thing is immoral regardless of whether the "attacks" are physical attacks or just attempts made to disrupt digital communications.

No, it's very much moral and necessity. The application of it by the previous administration, however, is outright criminal.

The Laws of Armed Conflict and the Geneva Conventions that provides the clause for "illegal enemy combatants" as a classification to exist, exist for a reason. It's to prevent war from descending to absolute fucking barbarism. War is ugly and brutal enough as it is when everyone follows the rules.

You have no idea how inhuman the actors who play outside of those rules can be unless you've seen it for yourself. The terrible things that criminal things soldiers have done pale in comparison to the gutwrenchingly and heartbreakingly deplorable acts that armed people will do in the absence of good order and discipline.

That we're using illegal combatant status as a loophole legal justification for torture IS immoral, but the rules were there to try to force everyone to behave with some semblance of human civility, no matter how small.

Re:Awesome

[servognome]

I thought the whole point of having separate legal rules for war situations was that it was a battlefield with thousands of guys running around shooting people. You can't really apply the normal American legal process on that scale. There aren't enough judges, prosecutors, jurors, and, thankfully, lawyers in the world to do it. It just doesn't seem like this rationale applies to hacking. Still, play it safe, guys. If you must hack military sites, for God's sake, wear a uniform!

The Pentagon does in fact have lawyers in the field and planning rooms to review the legality of missions before they are performed.
I always thought that the reason for having rules for war was mutually assured security. There are some horrible prospects in war that countries don't want to face, so they agree to rules which prohibits such activities. Don't torture our soldiers and target our civilians and we respond in kind.
Since they come from agreement and not unilateral moral declarations, participants can ignore the rules when dealing with parties not adhering to the accords.

Re:Awesome

[mysidia]

Here, let me fix that for you:

Its original design criteria included the capability to survive WW3.

In principal the technology can, but politically it can't. That is, the internet technology can withstand such an event, but the communications networks in reality don't provide that level of resiliency, at least not globally.

On the commercial internet, a lot of "redundancy" and "massive failover" options are gone, routing policy simply won't allow it.

Nowadays, the internet is highly centralized and commercialized, everyone connects to the big TIER1 providers, and they demand hefty compensation for the privilege to use a relatively small number of high-capacity links.

And if two of them fail critically, it's not like TIER1 provider C will step forward and provide everyone transit to isolated segments of provider 1. All the major providers require massive compensation for such services.

Nowadays on the commercial internet, there are a few major backbones everyone really needs, and any 1 or 2 un-repairable link failures in the right place can cause major communication disruptions, with enormous congestion of smaller oversubscribed links, with possibly 3 or 4 simultaneous un-repairable failures, large "pieces of internet" can be completely isolated.

And with 5 well-placed failures, the internet as we know it is gone for everyone, for however long it takes to fix damage or lay new wires...

Re:Awesome

[Zordak]

any american geek who prods too deeply will be branded an enemy combatant.

If he's an American geek (as in citizen of the U.S.), there's no "branding" him an enemy combatant. He is a citizen entitled to due process. He would be tried in a federal district court. Unless he's also caught in the hills of Afghanistan carrying a weapon with a Taliban squad, in which case there are those who would treat him as an enemy combatant. But I don't think that's your average geek.

Re:Awesome

The Laws of Armed Conflict and the Geneva Conventions that provides the clause for "illegal enemy combatants"

[citation needed]

As far as I know, the Geneva Conventions do not say anything at all about "illegal enemy combatants". That is a term made up by the Bush administration in their claim that the Geneva Conventions do not apply.

The slightest thought about the phrase shows it to be meaningless.

enemy

1. a person who feels hatred for, fosters harmful designs against, or engages in antagonistic activities against another; an adversary or opponent.

2. an armed foe

combatant

1. a nation engaged in active fighting with enemy forces.

2. a person or group that fights

illegal

1. forbidden by law or statute.

2. contrary to or forbidden by official rules

How can a person or nation actively fighting against you in war be acting illegally simply by the act of fighting against you? Fighting against you is what war is all about. Is the war itself illegal? If so, why did you start it? If not, how is someone fighting against you in that war acting illegally?

The phrase "illegal enemy combatant" has no meaning, legally or morally.

Re:Awesome

[causality]

I love your post and I agree with all of it. But until you've raised your gun to prove yourself otherwise, you've called yourself a coward.

I appreciate the false dichotomy you're presenting here. To be specific, you're saying that my only choices are to either brandish a weapon or consider myself a coward. You leave no room for an understanding of how anything ever gets to the point where (hypothetically speaking) armed conflict would even be considered.

Here I am again speaking hypothetically. If it ever actually came to violence, it would only be because a long series of failures occurred that prevented good people from standing up peacefully while standing up peacefully was still possible. There is much truth in that saying about evil thriving because good men do nothing; that is, they aren't good enough. It's a seldom-recognized fact that all of these huge problems like modern totalitarian states were once small problems that could have been dealt with relatively easily. It's not unlike an infection; it starts small and then, if left untreated, it festers and grows until it takes over the host. Identifying it before it gets too far along requires foresight.

I don't mean this in a religious way at all, but what you're really dealing with is what religious people sometimes refer to as "powers and principalities." They are ideas that act through people because those people are compromised. They're not really themselves. They have an identity that is based on a nation, or a group, or an image, or a culture, and have forgotten that real strength is found within. The principle here is that compromised people demand compromised leaders. The condition is therefore systemic. No sane person with any awareness of the available options would ever want to live under a dictatorship. That idea has to be inflicted on them. For that reason, deception, trauma, and a form of seduction are the main methods by which it is realized.

Deception is fairly easy to identify in politics. In fact, it's so common that most people just assume that politicians are liars and no one really cares anymore. Just think about this for a moment. If politicians never make their own decisions as individuals, but rather, cater to the interests of their financial supporters, then are those politicians really acting as human beings or has their humanity taken a backstage so that they can be a mouthpiece for various external interests? A real human being is no one's puppet. The ultimate expression of this mechanism is when you're made to feel like there is something wrong with you for pointing out how phony most people really are. The hardest part about this is that when most people adhere to a group identity, follow trends, or repeat carefully crafted soundbites intended for public consumption, they really believe that doing so is their own original idea. Did you know that a hypnotist can tell a subject up front that he is going to make that subject take off his left shoe, he can then implant the suggestion, and when the subject removes his left shoe he will make up an excuse for why he did so? It's a mindless and suggestible state that is anything other than your real identity.

Trauma, on the other hand, is not so widely understood. The easiest example of that would be the rise of fear-based politics ever since the September 11th attacks. Heightened security and intrusive governmental powers were not sold on the basis of being good ideas; they were sold on the basis of a national enemy who is trying to get us. That's a far cry from open, rational debate and that's no accident. No excuse for the surrender of civil liberties would ever survive rational debate, particularly not for Americans who are actually familiar with the writings of the Founding Fathers. But if a trauma has been inflicted and fear is rampant, that sort of rationality is rendered mute. The ultimate expression of this mechanism was explained by Hegel and is known either as "thesi

Re:Awesome

[Paua+Fritter]

Very true. But you, when all you have is a hammer, everyone else looks like a nail.

The US is so hypermilitarised that militarism is a natural first response to anything. This is how we get such absurdities as "humanitarian bombing campaigns" and "destroying the village in order to save it".

Re:Awesome

[RiotingPacifist]

In some of the other Japanese cases, the "water torture" included strapping people to ladders and dunking them face down into swimming pools until they passed out. This is not the same as waterboarding.

To any normal person typing somebody to a board and making them feel like their drowning is the same thing. Being very specific and defining whats bad as exactly what the Japanese did, and whats ok as exactly what the CIA do, is IMO rather pathetic.

Re:Awesome

[ultranova]

the modern treatment of "illegal enemy combatant" by the US has been immoral. But, it allows for the summary execution of saboteurs, spies, etc. during times of war.

Is there any added value in summary execution as opposed to imprisonment, or even execution after a proper trial? If a bomber pilot who destroys a bridge but is shot down is not executed but merely imprisoned, why should a saboteur who dynamites that same bridge be treated any differently? Sure, he is being sneaky about it rather than painting a huge bullseye on himself, but it could be argued that saboteurs are actually a more humane way to fight a war than bombers, because they are more accurate and usually only strike at military targets rather than carpet bombing a whole city.

There really doesn't seem to be much point in summary executions, besides petty vengeance.

Oil Barons

[lymond01]

This completely explains what happened to my Commodore 64 cluster...

I'd be okay it with if only...

[erroneus]

...if only I get to personally witness the death by execution of the people who write malware, run botnets and spam the hell out of the planet.

Those those trade freedom for security deserve neither. But I would gladly trade some freedom for some revenge against the bastards that really bring hell to the masses.

Re:I'd be okay it with if only...

[Whatsisname]

Right, because goverments of the 20th century killing 200 million people isn't what really brings hell to the masses! My email inbox being flooded with V1AGR4 is so much greater a crime against society!

and the hacker thinks....

[eatvegetables]

"Incidentally, it also means we consider non-state cyber-attackers to be illegal enemy combatants, which means we can do all kinds of nasty stuff to them."

the hacker thinks to himself ...hmmmm, if I hack the military, they might

1. stick me in a cold, dark, room.

2. feed me old, stale food.

3. keep me away from friends, family, and girls.

4. keep me awake all night.

...(pause), ALRIGHT! Woohooo!. I wonder if I get to play WoW too!/p?

Re:and the hacker thinks....

[catmistake]

if the hacker has any sense, he'll hack the U.S. Constitution and restore the backups of Habeas corpus

With apologies to Martin Niemoller...

[Tackhead]

the US won't rule out conventional (read: kinetic) responses to cyber-attacks.

So, with geolocation services, we could finally make all the jokes about ICBM addresses come true?

Incidentally, it also means we consider non-state cyber-attackers to be illegal enemy combatants, which means we can do all kinds of nasty stuff to them."

First they tortured the terrorists,
And I felt kinda iffy about that,
Even though it worked on TV.

They they tortured Iraqi civilians,
And I felt pretty embarassed,
Even though I was safe at home in America.

Then they tortured people they thought were suspicious,
And I started to get scared,
Even though I didn't hang out with anybody like that.

Then they started torturing the spammers, the botnet herders, and the malware authors,
And I'm sorry, Professor Niemoller,
But that makes up for everything!

Hey!

[Alex+Belits]

Isn't "illegal enemy combatant" a new term invented by Bush administration to describe people they sent to Guantanamo prison in violation of Geneva Convention and pretty much all other laws or treaties relevant to those people?

Re:Hey!

[bkpark]

Isn't "illegal enemy combatant" a new term invented by Bush administration to describe people they sent to Guantanamo prison in violation of Geneva Convention and pretty much all other laws or treaties relevant to those people?

Bush administration may have invented the term, but you can't really blame them. After all, you have to call them something. They are not uniformed soldiers. They don't even have any affiliation with any sovereign nations as far as their actions go, and if the allegations about what any of these detainees did or planned to do turned out to be true, they sure weren't "innocent civilians".

So, Bush administration can call them either "illegal enemy combatant", or "terrorists", or if they really wanted to, even "freedom fighters". It's just words. It doesn't change the essence of what (a good majority of) these people are.

Re:Hey!

[Alex+Belits]

1. They are definitely members of "organized resistance movement" -- otherwise how can they be declared to be "combatants" in the first place?

2. When the war is claimed to be waged against "terrorists", it would require some very special kind of logic to claim that "terrorists" (again, by attackers' own definition) fighting it are not a party to the conflict.

3. The intent of Geneva Convention is not to exclude any category if people that may be captured during a war that is not already protected by other laws. It is assumed that whoever is not protected by Convention, would be protected under local laws related to civilian population. Treating Geneva Convention as an invitation for loophole hunt is nothing but word games on part of Bush administration.

Re:Hey!

[bkpark]

To clarify what I mean, Bush administration invented term because they had to.

They had to call these guys something, and they had to do something about these guys. Perhaps some of the things Bush administration did weren't the best they could have done in the hindsight, but then, no one claimed they were perfect.

To set the record straight, no American started "the craze". Some 19 terrorists did. What we did was by no means unprovoked—and, for some time, the world agreed with us.

Re:Hey!

[Tubal-Cain]

The idea that they don't meet any of those definitions is tenuous at best, and a downright lie at worst.

I see the list as an AND filter, not an OR filter.

Beware...

[warlock]

Launching an ICMP attack might get an ICBM response...

Time to update the RFCs.

Rules of Engagement would still apply

[NimbleSquirrel]

Those in charge of US CyberCommand have stated for a long time now they want the ability to a physical attack in response to a cyber attack.

They state that they want the Law of Armed Conflict to apply. This would also mean that the Rules of Engagement would apply as well. Generally, the Rules of Engagement state that they are only allowed to use deadly force if there is an imminent threat of death or injury. That means they won't be dropping bombs on hackers' houses anytime soon. But then the US military does have a record or "shoot first, ask questions later".

What they want is for a cyber attack ot be deemed an act of War. This is hardly going to stop attacks from China (where a large proportion of the attacks currently originate). Needless to say that sending a cruise missile into mainland China to take out a hacker's house would be a very bad move for the US in the current climate.

Re:Rules of Engagement would still apply

[Chmcginn]

Needless to say that sending a cruise missile into mainland China to take out a hacker's house would be a very bad move for the US in the current climate.

Well, unless you thought the Fallout games were a training simulator.

Re:"State-Supported" Hackers

[Phroggy]

From the the summary:

This means that we consider state-supported 'hackers' to be subject to the Geneva Conventions and Customary International Law,...

I really don't know what any of this means. First, what's with the "state-supported" bit? Why would that matter? Second, what does it mean to be subject to the Geneva Conventions - that we can't torture them if we catch them?

It means a foreign government is attacking the United States, either directly or by outsourcing the task to private contractors. This decision says that just because they're doing the attack over the Internet instead of physically doesn't mean we should treat it any differently.

On the other hand, if it's just some Chinese script kiddie in his basement, acting alone (without the support of the Chinese government), we're not going to retaliate by bombing Beijing, because that would be stupid.

Reasonable response!

[fluffy99]

I think it's a perfectly good answer. You don't want to tell China that a physical response is off the table, otherwise they'll get the idea that they can contine their cyber attacks without any danger of real consequences. So long as the response is in proportion to the offense, then there is no issue.

Remember if we can't consider it an act of war, then a physical response means we just started the war.

What happens if for example, they escalate from simple intrusions and information theft to destructive acts like dropping power grids or destroying systems. If it involves significant loss of life or property? Do we simply ignore it and pretend they haven't just committed an act of war? Do we cyber-hack them back? We'd probably target the building full of PLA that are actively hacking us with something stronger than an internet feed (and yes, we already know who they are and where they are operating out of).

About time...

[AnAdventurer]

I am glad there are some better defined rules for engaging the enemy on this field. Once we can ID the "hackers" and whether they are state sponsored or not we can take an action like sending a cruse missile to their little hacker training camp. Don't know if I am joking? Don't worry your not alone.

Re:whoa! whoa! whoa! whoa! whoa!

[Ungrounded+Lightning]

From what I understand, these machines only have control of things that can affect money.

Medical records. Operation of automated medical tools. Communications used for bringing police, fire departments, ambulances, and other "first responders" to sites where people are in danger and/or injured. The components of the power grid, which operates life support systems, traffic lights, refrigeration preventing food poisoning, air-conditioning and heating equipment without which the elderly may die of heatstroke or hypothermia, etc. Railroad train signaling (preventing multi-train collisions, derailment - including into nearby structures and people. Water purification equipment. Sewage treatment equipment. Reservoir level control and irrigation water routing (which could lead to massive flooding if fouled). Industrial process control - which manages processes that could cause fires, explosions, and the release of toxic chemicals if fouled.

I could go on.

why is money more important than human life?

Money is crystallized labor. It represents a fraction of lifetime that a person worked to acquire it. Stealing or destroying it is stealing that portion of the person's life - enslaving them. It is well understood that deadly force is an appropriate response to attempts to enslave a person or hold them in slavery.

Just Suppose

[DaveAtFraud]

Just suppose that foreign crackers penetrated the air traffic control system or the power grid and either caused massive casualties due to lack of air traffic control or they turned off the lights to major portions of the country also causing significant casualties and economic losses. Further, let's suppose that we are able to identify the source of the attack. It sounds like the majority of the posters so far think we ought to call up their ISP and ask that their account be terminated.

I think a cruise missile would be more appropriate or maybe a few precision guided weapons applied as needed. The source of such an attack is a legitimate target and sending a message that such targets well be dealt with in a manner proportionate to the damage they inflict makes a lot of sense to me. If the attack is state sponsored, retaliation that is far out of proportion is called for since the attack constitutes an act of war.

Cheers,
Dave

Don't think this was crafted for Blackhats....

[TiggertheMad]

It sounds good in theory, but like the parent, I also look at our country's history of using good judgment in situations like this, and worry.

I suspect that this law is mostly a diplomatic message being sent to China, to let them know we mean business if they use extra-military actors to engage in cyberwarfare. There have been a number of announcements from the pentagon that Chinese hackers have been actively poking at the military systems.

This is the polite heads up to their intelligence service to let them know that we are going to hold their China responsible for the activities of their nationalistic and zealous hackers and if they don't ease up, the counter stroke will be to park a cruse missile in the block of apartments that they are operating out of.

It sounds heavy handed, but States don't fuck around with playing games in courts when they view other states as being hostile. So if it seems like a pretty drastic measure, it is because it was likely a response crafted to deal with another state on the levels that states operate. It's possible that another Kevin Mitnik type could get dragged off to federal prison using this, but that would probably be some local prosecutor trying to show how 'tough' they were on cybercrime.

Well, hey!

[Jane+Q.+Public]

I would not rule out a "kinetic" response if someone messed with my computer, either! Where's the surprise?

Hacking Judicial Precedents

[mbstone]

This would actually be a cool hack. You'd have to pwn Lexis and Westlaw, and print up some bogus law books (numbered reporters of legal decisions such as Federal Reporter 3d and United States Reports) and plant them in all the law libraries and courthouses (just mail them out in official-looking West Publishing cardboard boxes). Presto, habeas corpus is back. Your legal brief in your next case would read something like this: "We hereby overrule our previous precedent in Jones v. Fatootie denying habeas corpus. Potrzebie v. Holder, 779 U.S 998 (2009)."