Behind the Government's Rules of Cyber War
wiredmikey writes "Deciding when malware becomes a weapon of war that warrants a response in the physical world – for example, a missile – has become a necessary part of the discussion of military doctrine. The Pentagon recently outlined (PDF) its working definition of what constitutes cyber-war and when subsequent military strikes against physical targets may be justified as a result. The main issue is attribution of cyber attacks. The Department of Defense is working to develop new ways to trace the physical source of an attack and the capability to identify an attacker using behavior-based algorithms. 'If a country is going to fire a missile at someone, it better be sure it has the right target,' said one expert. A widely held misconception in the U.S. government is our offensive capabilities provide defensive advantage by identifying attacker toolkits and methods in foreign networks prior to them hitting our networks. So when do malware and cyber attacks become a weapon or act of war that warrant a real-world military response?"
Constitutionally, an "act of war" is whatever Congress agrees it to be.
Such decisions are not the Executive's to make.
'If a country is going to fire a missile at someone, it better be sure it has the right target,' said one expert.
Not true, unfortunately. How many wars have started based on false information? Off the top of my head:
* The Spanish-American War: Remember that the Maine sank by accident
* The Vietnam War: The Gulf of Tonkin
* The Iraq War: No WMDs and no connection to Al Qaeda.
Constitutionally, an "act of war" is whatever Congress agrees it to be. Such decisions are not the Executive's to make.
Actually they are. An "act of war" is something different from a "declaration of war". Congress has the ability to control declaring a war and the spending on a war, however the president commands the military. In response to an act of war the president may order the US military to attack the perpetrators, this would be a lawful order. For example as soon as the president learned of Pearl Harbor he could immediately order US forces to attack enemy forces, he did not have to wait for the following day when Congress got the paperwork in order and formally declared war.
Just to be clear here, many "hawks" claim to follow "Christian Values".
Let's consider the Old Testament values:
Leviticus 24:19-24:21
19 Anyone who maims another shall suffer the same injury in return:
20 fracture for fracture, eye for eye, tooth for tooth; the injury inflicted is the injury to be suffered.
21 One who kills an animal shall make restitution for it; but one who kills a human being shall be put to death.
Now the idea here is when you are wronged, you *can't* inflict more suffering than you suffered. There is a limit.
Then Jesus came along, and said this was an *upper limit* not a lower limit. You should instead return good for evil. In other words, these Christian Hawks should consider the fact that their ideas of bombing someone because of malware doesn't even pass Old Testament standards, much less those of Christianity. How does a crashed computer equate to blowing up a house or office and killing who knows how many innocents in the process?
I am getting very tired of wars and conflicts to line the pockets of various corporate interests. How about we start demanding ethical principles of our leaders rather than buying into their excuses to abuse people abroad, and increasingly, Citizens at home. What is it going to take for people to realize that our government is getting out of hand, and is not behaving in line with our moral and ethical traditions? Seriously, we hear more concern out of our Religious leaders about allowing same sex marriage than we do the killing of 10's and sometimes 100's of women and children!
There *is* something seriously wrong with the morals of this country. When are we going to realize that we are supposed to come to people's aid when they are in need, to hear them when they cry out for relief? That we are not supposed to react by blowing them up?
What happens when the missiles get hacked and detonate without launching?
Identify the source and stone the attacker to death.
Questions raise, answers kill. Raise questions to stay alive.
Yes. You attack the people who attacked you, until they don't want to attack you anymore.
-- Let us endeavor so to live that when we pass even the undertaker shall be sorry. -- M. Twain
Some ethical and moral principles apply regardless. I think as an upper limit only inflicting harm proportional to the harm done to you is a pretty reasonable ethical and moral standard regardless of your ethical/moral/religious views.
Some multiple of the harm to you might be okay as a deterrent, in the mind of some.
Almost anyone would consider someone who can forgive and forgo retribution to be someone following a high moral and ethical standard.
See? I think the post *can* apply, even if you are in no way Christian. That is because I am talking about moral and ethical standards here, not about Christianity. But it remains interesting that Christianity demands more from us, and the fact that we don't meet that standard is more of an argument that we are not a Christian Nation than any historical argument (of which there are plenty).
For instance, in the case of bin Laden, we knew for a fact that he was in Afghanistan at the time. We asked them to extradite him, all in accordance with the treaty that both the USA and Afghanistan had signed. The Taliban government refused to honor that treaty. So diplomacy had already broken down, and war was basically the only option.
In your other example, we have good relations with all of those countries, and we hope that their governments are not (very) belligerent towards us, at least not to where they would deny us our rights under extradition treaties. So we go through diplomatic channels, we get them to bust the guy and ship him to us for trial. All nice and peaceful diplomacy. Would we go to war with Canada over one criminal whom they refused to extradite? Probably not.
Now if, let's say, there was some large organized gang operating out of, say, Mexico, which routinely attacked and killed Americans, even up to American police officers, then the Mexican government better damn well be cooperating with our military and law enforcement. And if American government officials got involved in smuggling weapons to that big Mexican criminal gang, maybe for some misguided political reason, and our Justice Department knew about that smuggling and tried to stonewall and refused to deal with that problem and punish the officials who were responsible, well, that would definitely be an act of war against Mexico, as well as a violation of their oath of office by those government officials. And if high officials in our Executive branch not only let it happen, but continued to cover up for the crimes, they would deserve to be extradited to Mexico, and I hope the Mexicans would punish them to the fullest extent of the law.
I don't accept that standard.
The reason is that sometimes the amount of harm done is reduced through no desire of the attacker. Your argument says that the better your bomb shelters are, the less you are justified in attacking an enemy (since by using the bomb shelters, you reduced the casualty count on your side, and if there are fewer casualties on your side, proportional force means you are not allowed to kill as many of the enemy).
This isn't just theoretical. Israel is often the victim of this unbalanced standard. Palestinians lob missiles at Israel. The bomb shelters are too good, so Israel gets told they are using "disproportionate force" when fighting back and killing more Palestinians than are killed by the missiles.
I'd suggest a different standard: you're allowed to use whatever force on the people causing the harm to stop them from doing you harm.
The US should stop putting such stupid people in top military positions, this is extremely dangerous. Is my country going to be nuked the next time a Chinese hacker decides to use a proxy from here?
Cyberwarfare is a fearmongering buzzword so the military types can get all the permissions they need. Just because an exploit is often called an 'attack', it has nothing to do with a physical attack. Most attacks have a much better real-life analogy:
Cyber espionage
99% of the attacks are actually analogous to some form of espionage. Most attacks aim to get information, which could hardly be classified as warfare. And even the ones that cause informational or physical damage are actually acts of sabotage, a part of espionage.
Cyber espionage has three main properties: it is anonymous, it can be done by a single person or very few people and it can be defended against perfectly.
Thus, a counterattack in case of cyber espionage is impossible as you can't ever be sure who the attacker is, and they might be just a few independent hackers messing around. The optimal course of action is to prepare the defences to resist such an attack, by securing the networks, not placing critical infrastructure on the net, forcing employees to obey security protocols and finally hiring whitehats to test the defences.
Now on the other hand, there IS such thing that can be called:
Cyber warfare
Cyber warfare is also called a denial of service attack, and is fundamentally different from cyber espionage. Its purpose is always the same simple thing: prevent a machine from being accessed from the Internet. Its dangers are that it can disrupt and cause huge losses to companies providing services through the Internet, it can block access to infrastructures that can only be controlled online, and it can prevent the public from accessing certain pieces of information.
Cyber warfare is not anonymous, done by a large number of IP addresses, and can't be defended against. While it can be done by a national "cyber army", even in this case physical retaliation is not advised. It's much easier to just not accept incoming connections from said country until the problem is resolved in a diplomatic way. Also, a DoS attack can be done by a group of insurgents/activists or a single botnet controller. In the first case, they should be reported to their country, asking them for action in a form of "cyber ultimatum": if they don't disconnect and investigate those users, connections from the whole country will be blocked. In the case of hacked computers, the owner of the Internet connection should be held responsible for securing it. Thus, even a cyber warfare scenario could be handled without resorting to violence.
Sadly, the Pentagon is full of these aggressive lunatics, and it's even more sad that the American government does little against this nonsense.
As others have pointed out, technical attribution is unattainable right now. You'd think this would be a deterrent, but there are some legal theorists out there that suggest imputing responsibility to the country that is hosting the attackers. Think back to the U.S. invading Afghanistan because they were harboring Al Qaeda. Currently, international law permits a state to be held responsible if they have “indirect responsibility” for the actions of third parties within their borders, which means that the state had neglected its duty to prevent persons within its borders from perpetrating crimes against other states. However, if the victim state strikes back, their targets must be limited to the non-state actor attacker unless their lawful cross-border operations are opposed with force by the host state. So, there's still an attribution problem, it's just closer to the legal grey area.
Going back to the original question of when a cyberattack might warrant a kinetic counterstrike, I'm going to delve into the really boring legal terminology here. There are several different areas of law to look at. First, you have the jus ad bellum (or jus in bello, depending on what stage of the conflict you're in) requirements of military necessity, proportionality, and distinction under the law of war. Distinction just means you can, for the most part, avoid targeting noncombatants. Whether the necessity requirement is met involves determining whether a more peaceful resolution would be possible, evaluating the nature of the aggression and each party’s objectives, and estimating the likelihood that intervention would be effective. Proportionality requires the response to be limited to the amount of force that is reasonably necessary to interrupt an ongoing attack or to deter future attacks, but does not require the response to be limited to the amount or type of force initially used by the attacker. So the main things that they would be evaluating, if they're following the laws of war, would be necessity and proportionality.
Then, you have Articles 2(4), 39, and 51 of the United Nations Charter to give additional guidance (insofar as they can). Under 2(4), uses of force are prohibited. Under 39, responses to uses of force have to be approved by the UN Security Council, or they can be justified as self defense under Article 51. But Article 51 also requires the initial attack to have been an "armed attack," which probably means something more than a "use of force," which is ever so helpful since the UN Charter was written only with kinetic attacks in mind anyway. When people are talking about applying these provisions to cyberattacks, a bunch of legal scholars have come up with several different names for the same thing - look at the attack, then figure out if it's the kind of attack that would be prohibited under 2(4) (maybe considering the action itself or its effects), and then decide from there whether self defense is justified under Article 51. So basically, no, I don't have much of an answer, I just have a lot of tests to look at for case-by-case situations. Lawyers suck like that.
One of my sources for some of this information: David E. Graham, Cyber Threats and the Law of War, 4 J. NAT'L SECURITY L. & POL'Y 87
TL;DR - This question (when can cyberattacks justify kinetic attacks in response) is hard. But if a cyberattack went after a country's SCADA system, causing a failure in the electrical grid or dumping sewage into the water supply, I'd say that's probably the easiest situation where a kinetic response would be permitted under the law. Asked another way, if Stuxnet had caused a nuclear meltdown that destroyed more property and injured a lot of people, instead