Behind the Government's Rules of Cyber War
wiredmikey writes "Deciding when malware becomes a weapon of war that warrants a response in the physical world – for example, a missile – has become a necessary part of the discussion of military doctrine. The Pentagon recently outlined (PDF) its working definition of what constitutes cyber-war and when subsequent military strikes against physical targets may be justified as a result. The main issue is attribution of cyber attacks. The Department of Defense is working to develop new ways to trace the physical source of an attack and the capability to identify an attacker using behavior-based algorithms. 'If a country is going to fire a missile at someone, it better be sure it has the right target,' said one expert. A widely held misconception in the U.S. government is our offensive capabilities provide defensive advantage by identifying attacker toolkits and methods in foreign networks prior to them hitting our networks. So when do malware and cyber attacks become a weapon or act of war that warrant a real-world military response?"
Damn Chinese hackers. Now the Congress can't have their LAN party, and the lack of recreation will greatly reduce their efficiency.
To offset political mods, replace Flamebait with Insightful.
Constitutionally, an "act of war" is whatever Congress agrees it to be.
Such decisions are not the Executive's to make.
Just name a nuke as a nuke power plant that, when hacked, fires at the hacker.
'If a country is going to fire a missile at someone, it better be sure it has the right target,' said one expert.
Not true, unfortunately. How many wars have started based on false information? Off the top of my head:
* The Spanish-American War: Remember that the Maine sank by accident
* The Vietnam War: The Gulf of Tonkin
* The Iraq War: No WMDs and no connection to Al Qaeda.
... Nigerian spammers!
What happens when the missiles get hacked and detonate without launching?
No fair! You changed the outcome by measuring it!
Isn't it easy for some attacker to pretend they are somewhere else on the network? Also, chances are the behavior-based algorithms would need ten to twenty years of tuning before they are reliable (also with respect to real attacker pretending).
Looks like a project that is easy to spend a lot of money on, but with little accountability.
S
http://stephan.sugarmotor.org
Constitutionally, an "act of war" is whatever Congress agrees it to be. Such decisions are not the Executive's to make.
Actually they are. An "act of war" is something different from a "declaration of war". Congress has the ability to control declaring a war and the spending on a war, however the president commands the military. In response to an act of war the president may order the US military to attack the perpetrators, this would be a lawful order. For example as soon as the president learned of Pearl Harbor he could immediately order US forces to attack enemy forces, he did not have to wait for the following day when Congress got the paperwork in order and formally declared war.
Just to be clear here, many "hawks" claim to follow "Christian Values".
Let's consider the Old Testament values:
Leviticus 24:19-24:21
19 Anyone who maims another shall suffer the same injury in return:
20 fracture for fracture, eye for eye, tooth for tooth; the injury inflicted is the injury to be suffered.
21 One who kills an animal shall make restitution for it; but one who kills a human being shall be put to death.
Now the idea here is when you are wronged, you *can't* inflict more suffering than you suffered. There is a limit.
Then Jesus came along, and said this was an *upper limit* not a lower limit. You should instead return good for evil. In other words, these Christian Hawks should consider the fact that their ideas of bombing someone because of malware don't even pass Old Testament standards, much less those of Christianity. How does a crashed computer equate to blowing up a house or office and killing who knows how many innocents in the process?
I am getting very tired of wars and conflicts to line the pockets of various corporate interests. How about we start demanding ethical principles of our leaders rather than buying into their excuses to abuse people abroad, and increasingly, Citizens at home. What is it going to take for people to realize that our government is getting out of hand, and is not behaving in line with our moral and ethical traditions? Seriously, we hear more concern out of our Religious leaders about allowing same sex marriage than we do the killing of 10's and sometimes 100's of women and children!
There *is* something seriously wrong with the morals of this country. When are we going to realize that we are supposed to come to people's aid when they are in need, to hear them when they cry out for relief? That we are not supposed to react by blowing them up?
This is just more bullshit from a belligerent, warmongering nation. 'Nuff said.
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
Is it fair to start a war with an entire country because of the act of one or a small group of individuals? And when it is a small group of internationally scattered individuals, which country(s) do you attack, all of them? What if one of the people were Americans? Or a close ally? Is it worth risking all-out World Wide war because of a handful of hackers living in their parents' basements? The question really is difficult to ascertain. This is not unlike the problem of the war on bin Laden, do you attack Saudi? His homeland? Iraq, a country which condemned him, and deported him years earlier? Afghanistan, where he might be hiding out? Pakistan, where he was hiding out? It becomes trickier when you're dealing with more allies... one guy in Britain, one in Canada, one in the Netherlands, one in Italy, and one in Australia, while the attack was launched from a compromised computer within the United States. Who do you invade? Where does the missile target? Pick one and hope the rest of the world doesn't side with them on the relatively unprovoked attack on another nation's sovereignty due to the actions of one of their civilians?
Or LBJ.
"Identify the source and stone the attacker to death"
Bob Dylan would be proud.
It used to be worst case your arch nemesis would social engineer themselves a scary but somewhat amusing swat raid at 3am..
Death from above raining on my parade with live ordnance is no joke.
There is no algorithm possible that can say for sure where an attack came from. Such technology simply does not exist, especially in the face of thinking adversaries who would undoubtedly seek to use US munitions as a force multiplier against their adversaries. Not all conspiracies are false.
Why would that be a hindrance to all of us hawks who have never claimed to follow Christian values? ;)
So when do malware and cyber attacks become a weapon or act of war that warrant a real-world military response?
Same as every other war. Whenever the arms industry, the mass media, and whatever industries want the raw resources of the purported attacker manage to get the public frothed up enough that opportunists in the executive and legislative branches feel secure about being reelected if they start a war. There's not a lot of point in coming up with cover stories ahead of time.[1] There's always plenty of time between the campaign contributions and the actual deployment of the fleets to test ad campaigns and slogans with the focus groups.
[1] Unless you're a think tank or a private military contractor that's scored a nice, fat, no-bid contract to come up with lurid scenarios that can be used to drive news coverage to shore up public support for even more military spending.
Proud member of the Weirdo-American community.
Yes. You attack the people who attacked you, until they don't want to attack you anymore.
-- Let us endeavor so to live that when we pass even the undertaker shall be sorry. -- M. Twain
There's too many damn "hawks" claiming to follow the "Taoist Values" of "harmony" and "respect"
I am getting very tired of infiltrating networks and sowing paranoia in the Western world to line the pockets of corporate interests.
For instance, in the case of bin Laden, we knew for a fact that he was in Afghanistan at the time. We asked them to extradite him, all in accordance with the treaty that both the USA and Afghanistan had signed. The Taliban government refused to honor that treaty. So diplomacy had already broken down, and war was basically the only option.
In your other example, we have good relations with all of those countries, and we hope that their governments are not (very) belligerent towards us, at least not to where they would deny us our rights under extradition treaties. So we go through diplomatic channels, we get them to bust the guy and ship him to us for trial. All nice and peaceful diplomacy. Would we go to war with Canada over one criminal whom they refused to extradite? Probably not.
Now if, let's say, there was some large organized gang operating out of, say, Mexico, which routinely attacked and killed Americans, even up to American police officers, then the Mexican government better damn well be cooperating with our military and law enforcement. And if American government officials got involved in smuggling weapons to that big Mexican criminal gang, maybe for some misguided political reason, and our Justice Department knew about that smuggling and tried to stonewall and refused to deal with that problem and punish the officials who were responsible, well, that would definitely be an act of war against Mexico, as well as a violation of their oath of office by those government officials. And if high officials in our Executive branch not only let it happen, but continued to cover up for the crimes, they would deserve to be extradited to Mexico, and I hope the Mexicans would punish them to the fullest extent of the law.
from TFA: ....
> The problem with mandating types of responses - a cyber-attack in response to a cyber-attack, for example -
> is that it limits the nation's ability to respond to threats as needed, John Burnham, vice
Something we do "in a pinch" should never be enough to cause us to declare war on someone who does it to us. But good luck getting agreement on that.
The Tao of the well placed cluster bomb?
Zen and the art of carpet bombing?
As if the U.S. ever needed an excuse to enter into war....
The US should stop putting such stupid people in top military positions, this is extremely dangerous. Is my country going to be nuked the next time a Chinese hacker decides to use a proxy from here?
Cyberwarfare is a fearmongering buzzword so the military types can get all the permissions they need. Just because an exploit is often called an 'attack', it has nothing to do with a physical attack. Most attacks have a much better real-life analogy:
Cyber espionage
99% of the attacks are actually analogous to some form of espionage. Most attacks aim to get information, which could hardly be classified as warfare. And even the ones that cause informational or physical damage are actually acts of sabotage, a part of espionage.
Cyber espionage has three main properties: it is anonymous, it can be done by a single person or very few people and it can be defended against perfectly.
Thus, a counterattack in case of cyber espionage is impossible as you can't ever be sure who the attacker is, and they might be just a few independent hackers messing around. The optimal course of action is to prepare the defences to resist such an attack, by securing the networks, not placing critical infrastructure on the net, forcing employees to obey security protocols and finally hiring whitehats to test the defences.
Now on the other hand, there IS such thing that can be called:
Cyber warfare
Cyber warfare is also called a denial of service attack, and is fundamentally different from cyber espionage. Its purpose is always the same simple thing: prevent a machine from being accessed from the Internet. Its dangers are that it can disrupt and cause huge losses to companies providing services through the Internet, it can block access to infrastructures that can only be controlled online, and it can prevent the public from accessing certain pieces of information.
Cyber warfare is not anonymous, done by a large number of IP addresses, and can't be defended against. While it can be done by a national "cyber army", even in this case physical retaliation is not advised. It's much easier to just not accept incoming connections from said country until the problem is resolved in a diplomatic way. Also, a DoS attack can be done by a group of insurgents/activists or a single botnet controller. In the first case, they should be reported to their country, asking them for action in a form of "cyber ultimatum": if they don't disconnect and investigate those users, connections from the whole country will be blocked. In the case of hacked computers, the owner of the Internet connection should be held responsible for securing it. Thus, even a cyber warfare scenario could be handled without resorting to violence.
Sadly, the Pentagon is full of these aggressive lunatics, and it's even more sad that the American government does little against this nonsense.
So the US wants to physically attack the internet? The same one that they designed to sustain a nuclear attack?
Don't you think that these type of systems should NOT be hooked up to the internet and that putting them on the internet is just asking for sh*t to go wrong?
If they really need to be networked with other computers maybe they should invest in their own fiber cables, I mean aren't there plenty of dark fiber for them to buy?
And what about locking down the computers themselves, I believe Stuxnet and the Wikileaks deals were because you can just plug a flash drive in and hit copy, who thought that was a good idea to allow???
Sounds like another left hand not talking to the right hand to me
And more to the question posted, don't you think a strike against a cyber-attacker is a little overboard? I mean isn't it like trying to shoot a mosquito with a shotgun, a little overkill and unwarranted don't you think?
For that matter what is a justifiable punishment for that type of crime? A counter cyber-attack, extradition(if we can, depending on where the attack originated from) for prosecution?
Then you have to think about whether it was a country or an individual that has committed the crime, does a town need to get attacked or 1 house? And for that matter he didn't have a gun so using a gun seems like a little much.
Whoever comes up with the answer must make sure that it is a justifiable one and that we aren't just being the world police like always.
Kudos to wiredmikey (and the ed?) for capturing that attribution of an attack is the key sticking point for military response.
Attributing attacks in a packet switched network like the Internet is just a fantasy. Sure, you can trace an attack back to, say, China, but how do you know the attack originated there? You don't, unless China cooperates and gives your forensics experts access to their networks. Which probably will not happen.
So the hawks want to shore up some credibility for attribution. Here is the plan, from the linked DoD PDF:
Nice try Pentagon, but statistically-powered voodoo does not overcome the problem here: that the attacking machines could be controlled from anywhere, possibly even through teh 7 proxies. Lulz.
Maybe we should listen to the National Research Council when they write "deterrence of cyberattacks by the threat of in-kind response has limited applicability." (NRC Report, p.5)
I'll close with a suggestion: why not, instead of focusing on how and when we get to launch attacks, focus on bettering our defenses?
That's a genius idea, you finally found a reason to bomb/invade every country in the world, or at least the ones that have internet access.
Would we go to war with Mexico over one criminal whom they refused to extradite? Probably.
FTFY
As others have pointed out, technical attribution is unattainable right now. You'd think this would be a deterrent, but there are some legal theorists out there that suggest imputing responsibility to the country that is hosting the attackers. Think back to the U.S. invading Afghanistan because they were harboring Al Qaeda. Currently, international law permits a state to be held responsible if they have “indirect responsibility” for the actions of third parties within their borders, which means that the state had neglected its duty to prevent persons within its borders from perpetrating crimes against other states. However, if the victim state strikes back, their targets must be limited to the non-state actor attacker unless their lawful cross-border operations are opposed with force by the host state. So, there's still an attribution problem, it's just closer to the legal grey area.
Going back to the original question of when a cyberattack might warrant a kinetic counterstrike, I'm going to delve into the really boring legal terminology here. There are several different areas of law to look at. First, you have the jus ad bellum (or jus in bello, depending on what stage of the conflict you're in) requirements of military necessity, proportionality, and distinction under the law of war. Distinction just means you can, for the most part, avoid targeting noncombatants. Whether the necessity requirement is met involves determining whether a more peaceful resolution would be possible, evaluating the nature of the aggression and each party’s objectives, and estimating the likelihood that intervention would be effective. Proportionality requires the response to be limited to the amount of force that is reasonably necessary to interrupt an ongoing attack or to deter future attacks, but does not require the response to be limited to the amount or type of force initially used by the attacker. So the main things that they would be evaluating, if they're following the laws of war, would be necessity and proportionality.
Then, you have Articles 2(4), 39, and 51 of the United Nations Charter to give additional guidance (insofar as they can). Under 2(4), uses of force are prohibited. Under 39, responses to uses of force have to be approved by the UN Security Council, or they can be justified as self defense under Article 51. But Article 51 also requires the initial attack to have been an "armed attack," which probably means something more than a "use of force," which is ever so helpful since the UN Charter was written only with kinetic attacks in mind anyway. When people are talking about applying these provisions to cyberattacks, a bunch of legal scholars have come up with several different names for the same thing - look at the attack, then figure out if it's the kind of attack that would be prohibited under 2(4) (maybe considering the action itself or its effects), and then decide from there whether self defense is justified under Article 51. So basically, no, I don't have much of an answer, I just have a lot of tests to look at for case-by-case situations. Lawyers suck like that.
One of my sources for some of this information: David E. Graham, Cyber Threats and the Law of War, 4 J. NAT'L SECURITY L. & POL'Y 87
TL;DR - This question (when can cyberattacks justify kinetic attacks in response) is hard. But if a cyberattack went after a country's SCADA system, causing a failure in the electrical grid or dumping sewage into the water supply, I'd say that's probably the easiest situation where a kinetic response would be permitted under the law. Asked another way, if Stuxnet had caused a nuclear meltdown that destroyed more property and injured a lot of people, instead
They might have included in their doctrine when starving the economy and blocking international trade becomes enough of a reason to send missiles.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Hey, pentagon dudes? I have a suggestion for a target for your nukes!
"So when do malware and cyber attacks become a weapon or act of war that warrant a real-world military response?"
The real-world answer is easy: Whenever it is convenient.
Q: "So when do malware and cyber attacks become a weapon or act of war that warrant a real-world military response?"
A: After the malware or cyber attacks kill someone.
Q: "So when do malware and cyber attacks become a weapon or act of war that warrant a real-world military response?"
A: Once the Terminators take to the field.
So that line in the constitution about the power to declare war belonging to congress - what exactly do you think that means?
Just make sure you weren't a seller of watered wine in this life.
IIRC some monk cataloging the Buddhist hells wrote that one of the worst hells is reserved for them. Granted, it's not eternal, but it's still pretty yucky.