Law of Armed Conflict To Apply To Cyberwar

charter6 writes "Gen. Kevin Chilton, the head of STRATCOM, just declared that the Law of Armed Conflict will apply to cyberwar, and that the US won't rule out conventional (read: kinetic) responses to cyber-attacks. This means that we consider state-supported 'hackers' to be subject to the Geneva Conventions and Customary International Law, including the rules of proportionality and distinction (i.e. if we catch them, we can try them for war crimes). Incidentally, it also means we consider non-state cyber-attackers to be illegal enemy combatants, which means we can do all kinds of nasty stuff to them."

Awesome

This seems like a great idea, until you realize that any american geek who prods too deeply will be branded an enemy combatant.

Who knows what happens to enemy combatants.

Re:Awesome

[Jurily]

Who knows what happens to enemy combatants.

Cyber Guantanamo. Maybe they could swipe a small beach from Cyber Yugoslavia

Re:Awesome

[chris098]

The whole "illegal enemy combatant" thing is immoral regardless of whether the "attacks" are physical attacks or just attempts made to disrupt digital communications.

They do have a point though - communications infrastructure is very important both for the economic wellbeing of the country, and to allow other branches of the military to coordinate and defend the country.

There really shouldn't be any reason to not consider traditional armed responses to digital attacks. People can cause damage. A teenage hacker may not have the same violent intent as a suicide bomber or a rogue nation plotting a traditional war, but that doesn't stop them from doing something malicious with serious repercussions.

It sounds good in theory, but like the parent, I also look at our country's history of using good judgment in situations like this, and worry.

Re:Awesome

[netruner]

Cyber Guantanamo - wouldn't that be like making them use AOL over a 9600 baud modem? Or would that be considered torture by the Geneva Convention?

Re:Awesome

[Jurily]

Cyber Guantanamo - wouldn't that be like making them use AOL over a 9600 baud modem? Or would that be considered torture by the Geneva Convention?

Sir, you're replying to a comment submitted via GPRS on the Worcester-London train. I now officially hate you.

Re:Awesome

[RiotingPacifist]

I thought the whole point of "enemy combatants" was to get around the whole human rights for POW and prisoners. Hence why when the japs waterboarded POWs it was a terrible thing to do (even if they were trying to prevent an attack on civilians involving a WMD), but when the US waterboraded "enemy combatants" it was just enhanced interrogation.

Re:Awesome

[causality]

The whole "illegal enemy combatant" thing is immoral

Like many state-sponsored practices which are immoral, it's designed to intimidate.

There really shouldn't be any reason to not consider traditional armed responses to digital attacks. People can cause damage. A teenage hacker may not have the same violent intent as a suicide bomber or a rogue nation plotting a traditional war, but that doesn't stop them from doing something malicious with serious repercussions.

Assuming that your top priority is punishing those who perpetrate such attacks, this makes a great deal of sense. Now, if your top priority is to prevent computer and network intrusions, I think our efforts and resources would be better spent towards hardening machines and networks, identifying insecure practices, and holding personally responsible the people who are supposed to keep those systems secure.

What I mean by "priority" is that we can do this and still try to locate and arrest the perpetrators, it would just have a lower priority than securing our systems to prevent such intrusions in the first place. In other words, they're not mutually exclusive even though I believe one of those options makes a lot more sense. I just think it's silly to believe that stiff penalties alone are going to prevent the intrusion attempts that anyone running any sort of server already accepts as inevitable.

It sounds good in theory, but like the parent, I also look at our country's history of using good judgment in situations like this, and worry.

I think that if you cut through all the peripheral issues and locate the core principle, this goes back to the idea that "freedom isn't free." What people seem to want is the perfect ability to secure us against all sorts of threats while retaining all civil liberties and preventing the abuse of power. That just isn't realistic and history, particularly that of the 20th century, has been the story of why that doesn't work and isn't going to work. Personally, I'd rather retain my civil liberties and have a government that doesn't have so many easily-abused powers, even if that means that some criminals who do real damage might get away with it (though more likely than not, they'd just be dealt with using the criminal justice system instead of the Gitmo system).

It seems evident that people who value freedom more than a need to "get those bastards", more than their party platform, more than their desire to feel safe from a threat be it real or imagined, more than even life itself, are becoming rare. I am forced to regard that as cowardice. When it comes to the motivation behind poor decision-making, few things are quite so effective as cowardice.

Re:Awesome

[Weedhopper]

The whole "illegal enemy combatant" thing is immoral regardless of whether the "attacks" are physical attacks or just attempts made to disrupt digital communications.

No, it's very much moral and necessity. The application of it by the previous administration, however, is outright criminal.

The Laws of Armed Conflict and the Geneva Conventions that provides the clause for "illegal enemy combatants" as a classification to exist, exist for a reason. It's to prevent war from descending to absolute fucking barbarism. War is ugly and brutal enough as it is when everyone follows the rules.

You have no idea how inhuman the actors who play outside of those rules can be unless you've seen it for yourself. The terrible things that criminal things soldiers have done pale in comparison to the gutwrenchingly and heartbreakingly deplorable acts that armed people will do in the absence of good order and discipline.

That we're using illegal combatant status as a loophole legal justification for torture IS immoral, but the rules were there to try to force everyone to behave with some semblance of human civility, no matter how small.

Re:Awesome

[mysidia]

Here, let me fix that for you:

Its original design criteria included the capability to survive WW3.

In principal the technology can, but politically it can't. That is, the internet technology can withstand such an event, but the communications networks in reality don't provide that level of resiliency, at least not globally.

On the commercial internet, a lot of "redundancy" and "massive failover" options are gone, routing policy simply won't allow it.

Nowadays, the internet is highly centralized and commercialized, everyone connects to the big TIER1 providers, and they demand hefty compensation for the privilege to use a relatively small number of high-capacity links.

And if two of them fail critically, it's not like TIER1 provider C will step forward and provide everyone transit to isolated segments of provider 1. All the major providers require massive compensation for such services.

Nowadays on the commercial internet, there are a few major backbones everyone really needs, and any 1 or 2 un-repairable link failures in the right place can cause major communication disruptions, with enormous congestion of smaller oversubscribed links, with possibly 3 or 4 simultaneous un-repairable failures, large "pieces of internet" can be completely isolated.

And with 5 well-placed failures, the internet as we know it is gone for everyone, for however long it takes to fix damage or lay new wires...

Re:Awesome

The Laws of Armed Conflict and the Geneva Conventions that provides the clause for "illegal enemy combatants"

[citation needed]

As far as I know, the Geneva Conventions do not say anything at all about "illegal enemy combatants". That is a term made up by the Bush administration in their claim that the Geneva Conventions do not apply.

The slightest thought about the phrase shows it to be meaningless.

enemy

1. a person who feels hatred for, fosters harmful designs against, or engages in antagonistic activities against another; an adversary or opponent.

2. an armed foe

combatant

1. a nation engaged in active fighting with enemy forces.

2. a person or group that fights

illegal

1. forbidden by law or statute.

2. contrary to or forbidden by official rules

How can a person or nation actively fighting against you in war be acting illegally simply by the act of fighting against you? Fighting against you is what war is all about. Is the war itself illegal? If so, why did you start it? If not, how is someone fighting against you in that war acting illegally?

The phrase "illegal enemy combatant" has no meaning, legally or morally.

Re:Awesome

[causality]

I love your post and I agree with all of it. But until you've raised your gun to prove yourself otherwise, you've called yourself a coward.

I appreciate the false dichotomy you're presenting here. To be specific, you're saying that my only choices are to either brandish a weapon or consider myself a coward. You leave no room for an understanding of how anything ever gets to the point where (hypothetically speaking) armed conflict would even be considered.

Here I am again speaking hypothetically. If it ever actually came to violence, it would only be because a long series of failures occurred that prevented good people from standing up peacefully while standing up peacefully was still possible. There is much truth in that saying about evil thriving because good men do nothing; that is, they aren't good enough. It's a seldom-recognized fact that all of these huge problems like modern totalitarian states were once small problems that could have been dealt with relatively easily. It's not unlike an infection; it starts small and then, if left untreated, it festers and grows until it takes over the host. Identifying it before it gets too far along requires foresight.

I don't mean this in a religious way at all, but what you're really dealing with is what religious people sometimes refer to as "powers and principalities." They are ideas that act through people because those people are compromised. They're not really themselves. They have an identity that is based on a nation, or a group, or an image, or a culture, and have forgotten that real strength is found within. The principle here is that compromised people demand compromised leaders. The condition is therefore systemic. No sane person with any awareness of the available options would ever want to live under a dictatorship. That idea has to be inflicted on them. For that reason, deception, trauma, and a form of seduction are the main methods by which it is realized.

Deception is fairly easy to identify in politics. In fact, it's so common that most people just assume that politicians are liars and no one really cares anymore. Just think about this for a moment. If politicians never make their own decisions as individuals, but rather, cater to the interests of their financial supporters, then are those politicians really acting as human beings or has their humanity taken a backstage so that they can be a mouthpiece for various external interests? A real human being is no one's puppet. The ultimate expression of this mechanism is when you're made to feel like there is something wrong with you for pointing out how phony most people really are. The hardest part about this is that when most people adhere to a group identity, follow trends, or repeat carefully crafted soundbites intended for public consumption, they really believe that doing so is their own original idea. Did you know that a hypnotist can tell a subject up front that he is going to make that subject take off his left shoe, he can then implant the suggestion, and when the subject removes his left shoe he will make up an excuse for why he did so? It's a mindless and suggestible state that is anything other than your real identity.

Trauma, on the other hand, is not so widely understood. The easiest example of that would be the rise of fear-based politics ever since the September 11th attacks. Heightened security and intrusive governmental powers were not sold on the basis of being good ideas; they were sold on the basis of a national enemy who is trying to get us. That's a far cry from open, rational debate and that's no accident. No excuse for the surrender of civil liberties would ever survive rational debate, particularly not for Americans who are actually familiar with the writings of the Founding Fathers. But if a trauma has been inflicted and fear is rampant, that sort of rationality is rendered mute. The ultimate expression of this mechanism was explained by Hegel and is known either as "thesi

Re:Awesome

[Paua+Fritter]

Very true. But you, when all you have is a hammer, everyone else looks like a nail.

The US is so hypermilitarised that militarism is a natural first response to anything. This is how we get such absurdities as "humanitarian bombing campaigns" and "destroying the village in order to save it".

Re:Awesome

[RiotingPacifist]

In some of the other Japanese cases, the "water torture" included strapping people to ladders and dunking them face down into swimming pools until they passed out. This is not the same as waterboarding.

To any normal person typing somebody to a board and making them feel like their drowning is the same thing. Being very specific and defining whats bad as exactly what the Japanese did, and whats ok as exactly what the CIA do, is IMO rather pathetic.

I'd be okay it with if only...

[erroneus]

...if only I get to personally witness the death by execution of the people who write malware, run botnets and spam the hell out of the planet.

Those those trade freedom for security deserve neither. But I would gladly trade some freedom for some revenge against the bastards that really bring hell to the masses.

Re:I'd be okay it with if only...

[Whatsisname]

Right, because goverments of the 20th century killing 200 million people isn't what really brings hell to the masses! My email inbox being flooded with V1AGR4 is so much greater a crime against society!

and the hacker thinks....

[eatvegetables]

"Incidentally, it also means we consider non-state cyber-attackers to be illegal enemy combatants, which means we can do all kinds of nasty stuff to them."

the hacker thinks to himself ...hmmmm, if I hack the military, they might

1. stick me in a cold, dark, room.

2. feed me old, stale food.

3. keep me away from friends, family, and girls.

4. keep me awake all night.

...(pause), ALRIGHT! Woohooo!. I wonder if I get to play WoW too!/p?

Re:and the hacker thinks....

[catmistake]

if the hacker has any sense, he'll hack the U.S. Constitution and restore the backups of Habeas corpus

With apologies to Martin Niemoller...

[Tackhead]

the US won't rule out conventional (read: kinetic) responses to cyber-attacks.

So, with geolocation services, we could finally make all the jokes about ICBM addresses come true?

Incidentally, it also means we consider non-state cyber-attackers to be illegal enemy combatants, which means we can do all kinds of nasty stuff to them."

First they tortured the terrorists,
And I felt kinda iffy about that,
Even though it worked on TV.

They they tortured Iraqi civilians,
And I felt pretty embarassed,
Even though I was safe at home in America.

Then they tortured people they thought were suspicious,
And I started to get scared,
Even though I didn't hang out with anybody like that.

Then they started torturing the spammers, the botnet herders, and the malware authors,
And I'm sorry, Professor Niemoller,
But that makes up for everything!

Beware...

[warlock]

Launching an ICMP attack might get an ICBM response...

Time to update the RFCs.

Rules of Engagement would still apply

[NimbleSquirrel]

Those in charge of US CyberCommand have stated for a long time now they want the ability to a physical attack in response to a cyber attack.

They state that they want the Law of Armed Conflict to apply. This would also mean that the Rules of Engagement would apply as well. Generally, the Rules of Engagement state that they are only allowed to use deadly force if there is an imminent threat of death or injury. That means they won't be dropping bombs on hackers' houses anytime soon. But then the US military does have a record or "shoot first, ask questions later".

What they want is for a cyber attack ot be deemed an act of War. This is hardly going to stop attacks from China (where a large proportion of the attacks currently originate). Needless to say that sending a cruise missile into mainland China to take out a hacker's house would be a very bad move for the US in the current climate.

Re:Hey!

[Alex+Belits]

1. They are definitely members of "organized resistance movement" -- otherwise how can they be declared to be "combatants" in the first place?

2. When the war is claimed to be waged against "terrorists", it would require some very special kind of logic to claim that "terrorists" (again, by attackers' own definition) fighting it are not a party to the conflict.

3. The intent of Geneva Convention is not to exclude any category if people that may be captured during a war that is not already protected by other laws. It is assumed that whoever is not protected by Convention, would be protected under local laws related to civilian population. Treating Geneva Convention as an invitation for loophole hunt is nothing but word games on part of Bush administration.

Reasonable response!

[fluffy99]

I think it's a perfectly good answer. You don't want to tell China that a physical response is off the table, otherwise they'll get the idea that they can contine their cyber attacks without any danger of real consequences. So long as the response is in proportion to the offense, then there is no issue.

Remember if we can't consider it an act of war, then a physical response means we just started the war.

What happens if for example, they escalate from simple intrusions and information theft to destructive acts like dropping power grids or destroying systems. If it involves significant loss of life or property? Do we simply ignore it and pretend they haven't just committed an act of war? Do we cyber-hack them back? We'd probably target the building full of PLA that are actively hacking us with something stronger than an internet feed (and yes, we already know who they are and where they are operating out of).

Re:whoa! whoa! whoa! whoa! whoa!

[Ungrounded+Lightning]

From what I understand, these machines only have control of things that can affect money.

Medical records. Operation of automated medical tools. Communications used for bringing police, fire departments, ambulances, and other "first responders" to sites where people are in danger and/or injured. The components of the power grid, which operates life support systems, traffic lights, refrigeration preventing food poisoning, air-conditioning and heating equipment without which the elderly may die of heatstroke or hypothermia, etc. Railroad train signaling (preventing multi-train collisions, derailment - including into nearby structures and people. Water purification equipment. Sewage treatment equipment. Reservoir level control and irrigation water routing (which could lead to massive flooding if fouled). Industrial process control - which manages processes that could cause fires, explosions, and the release of toxic chemicals if fouled.

I could go on.

why is money more important than human life?

Money is crystallized labor. It represents a fraction of lifetime that a person worked to acquire it. Stealing or destroying it is stealing that portion of the person's life - enslaving them. It is well understood that deadly force is an appropriate response to attempts to enslave a person or hold them in slavery.

Just Suppose

[DaveAtFraud]

Just suppose that foreign crackers penetrated the air traffic control system or the power grid and either caused massive casualties due to lack of air traffic control or they turned off the lights to major portions of the country also causing significant casualties and economic losses. Further, let's suppose that we are able to identify the source of the attack. It sounds like the majority of the posters so far think we ought to call up their ISP and ask that their account be terminated.

I think a cruise missile would be more appropriate or maybe a few precision guided weapons applied as needed. The source of such an attack is a legitimate target and sending a message that such targets well be dealt with in a manner proportionate to the damage they inflict makes a lot of sense to me. If the attack is state sponsored, retaliation that is far out of proportion is called for since the attack constitutes an act of war.

Cheers,
Dave

Don't think this was crafted for Blackhats....

[TiggertheMad]

It sounds good in theory, but like the parent, I also look at our country's history of using good judgment in situations like this, and worry.

I suspect that this law is mostly a diplomatic message being sent to China, to let them know we mean business if they use extra-military actors to engage in cyberwarfare. There have been a number of announcements from the pentagon that Chinese hackers have been actively poking at the military systems.

This is the polite heads up to their intelligence service to let them know that we are going to hold their China responsible for the activities of their nationalistic and zealous hackers and if they don't ease up, the counter stroke will be to park a cruse missile in the block of apartments that they are operating out of.

It sounds heavy handed, but States don't fuck around with playing games in courts when they view other states as being hostile. So if it seems like a pretty drastic measure, it is because it was likely a response crafted to deal with another state on the levels that states operate. It's possible that another Kevin Mitnik type could get dragged off to federal prison using this, but that would probably be some local prosecutor trying to show how 'tough' they were on cybercrime.