Slashdot Mirror


Cyber War Manual Proposes Online Geneva Convention

judgecorp writes "A new manual for cyber war has been compiled by international legal experts and published by NATO. The manual proposes that hospitals and dams should be off-limits for online warfare, and says that a conventional response is justified if an attack causes death or serious damage to property. The manual might get its first practical application today — South Korea's TV stations and banks have come under an attack which may well originate from North Korea."

22 of 90 comments

  1. Frightening by Hentes · · Score: 3, Insightful

    So when the Chinese hack America from an infected Swiss machine the US will bomb Switzerland? From outside it looks like the military class has a disproportionately large influence in American politics.

    1. Re:Frightening by geekoid · · Score: 4, Insightful

      False flag operations are extremely risky, and don't happen as often as you would think.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:Frightening by daveschroeder · · Score: 4, Interesting

      Don't worry, China is on track to outpace the US in military expenditures by 2023. I'm sure that's all for "peaceful regional defense" and will have no impact on the US.

      China's military rise
      http://www.economist.com/node/21552212

      The dragon's new teeth: A rare look inside the world's biggest military expansion
      http://www.economist.com/node/21552193

      Essential reading on China cyber:

      The Online Threat: Should we be worried about a cyber war? (The first page of this is a must read wrt China.)
      http://www.newyorker.com/reporting/2010/11/01/101101fa_fact_hersh

      Great snippet: ""The N.S.A. would ask, 'Can the Chinese be that good?' " the former official told me. "My response was that they only invented gunpowder in the tenth century and built the bomb in 1965. I'd say, 'Can you read Chinese?' We don't even know the Chinese pictograph for 'Happy hour.'"

      To say nothing of the more recent news.

      But yes, yes...this is all about "false flag" attacks, because naturally the US is always the evil aggressor, and there has never been any oppression or tyranny in the world, save for what the US has foisted upon it. The principles of freedom for which the US stands are just an illusion force fed to a compliant public by the lapdog mainstream press. In fact, we probably have secret time machines so we could extend this evil beyond our nation's short existence in this world. That explains all the bad things that happened before we were around.

    3. Re:Frightening by Kell Bengal · · Score: 2

      Fortunately, the Geneva Convention specifically excludes non-state combatants from its protection. Mercenaries, terrorists and insurgents/freedom-fighters are all excluded. The moment you take up arms without being in the military, you are not covered by it.

      --
      Scientists point out problems, engineers fix them
      altslashdot.org: The future of slashdot.
    4. Re:Frightening by Anonymous Coward · · Score: 2, Interesting

      China's military might be able to buy things for a fraction of what it costs the Pentagon to buy something comparable, but they also have to deal with the flip side of the equation -- it's hard enough to verify that high-quality components were used to build hardware when you have the kind of supply-chain culture the US defense industry does, and it's technically possible to read the laser-etched code off of a bolt and trace it all the way back to the miners who were working the day the ore was excavated from the mine & the date itself... then follow it through to the lab reports, quality analysis, chain of custody, and everything else all the way to the finished product. This anal retentive obsession is a big part of the reason *why* the Pentagon will end up paying $17 for that bolt & the mile-long paperwork audit trail behind it. However, it also means that the Pentagon's purchasing department can sleep soundly at night knowing that 99.999% of everything that passes through their custody is precisely what it's supposed to be.

      That's an advantage the PLA doesn't have today, and it's going to take decades for them to attain because it goes beyond law, punishment, and technology -- you need an entire set of cultural norms to back it up and keep it enforced even when somebody ISN'T necessarily watching like a hawk. China's electronics industry in particular has a grand tradition of finding incredibly creative ways to cut corners and reduce costs in ways that aren't necessarily obvious or readily apparent... at least, not until long after the goods have been sold & delivered.

      If an American soldier runs the self-diagnostics on a robot or tank's computer system & it tells him the system is functioning at 100% capacity with no problems, he can pretty much believe it as an article of blind faith. Pity the poor Chinese soldier who takes HIS gear's word for it, and doesn't realize that they were programmed to lie up until a fraction of a second before something fails catastrophically. Oh, if it happens enough, China's government will find someone to blame & execute them in a very public way to make an example out of them, but that's not much consolation to the fighter pilot who's flying near ground level in zero visibility by instruments to avoid detection, and ends up flying into the side of a mountain that's supposed to be 90 feet below him.

      That said, if China ever decided to nuke America with ICBMs, we're *all* totally fucked, even more than we would have been in a Soviet nuclear strike, because the same failures that will probably send at least 5-10% of the missiles crashing into the Pacific, northern Canada, and Gulf of Mexico will ALSO probably have at least 10-20% of them raining down on small towns in Alabama, upstate New York, cow pastures in Minnesota, and trailer parks on the edge of the Arizona desert. At least the Soviet missiles would have been reasonably likely to detonate within 5-10 miles of their intended targets, and were mostly aimed at military targets and a few big cities. China would be more likely to take the "middle" route -- shitloads and shitloads of smaller missiles, indiscriminately thrown just about everywhere in the approximate general direction, purchased for 10% of what American missiles cost to build, on the statistical assumption that at least a few will end up detonating somewhat near their intended targets. Residents of Manhattan might head outside the next morning to a city that's largely intact, and eventually see photos of the smoldering cratered wastelands that used to be the Jersey Shore and Appalachia.

      If we're lucky, we might get one tiny consolation prize... reports that Tianjin and Chongqing were nuked 27 minutes before the American missiles even arrived, courtesy of two Chinese missile launches that went horribly, horribly wrong, hurled their payloads ~50 miles over the horizon, then crashed into the ground at sufficiently high speed to trigger criticality.

      That said, I don't believe China would do anything as stupid as launch

    5. Re:Frightening by fluffy99 · · Score: 2

      My thoughts exactly. Plus, use of a proxy could create the equivalent of digital Al Qaeda cells, and if the Geneva Convention analogy is extended then there's no nation state to target. (GC is only for 2 or more nations in hostilities, not independent terror groups or internal conflicts) The entire concept sounds like a knee jerk reaction by people who don't understand how Big Al's innerweb works.

      Our adversaries are already using proxies and launching attacks from inside the US from compromised US companies and civilians. I think you underestimate the DOD's ability or desire to attribute attacks to the appropriate party before responding. We know damn well who, how, and where from the majority of the intrusions and attacks are coming from.

      If there is a significant cyber attack that causes extensive physical damage or casualties, then by all rights it's an act of war and an appropriate response is warranted.

    6. Re:Frightening by fluffy99 · · Score: 2

      If some jackass in BFE Wherever, USA gets bored and decides to DDOS a hospital up in Canada, does that put the USA as a whole in violation of this treaty?

      We've conducted cyber attacks against Iran, so by this convention we've declared war on the nation state of Iran right?

    7. Re:Frightening by Internetuser1248 · · Score: 2

      The US doesn't follow the existing Geneva conventions of war, what makes you think an internet version would apply?

    8. Re:Frightening by wonkey_monkey · · Score: 2

      How is the last one a false flag operation?

      --
      systemd is Roko's Basilisk.
  2. This just in: Still clueless by girlintraining · · Score: 4, Insightful

    These people still do not understand the basics of networked systems. Adherence to this proposed list requires several things which are absent on the global telecommunications networks. First, determining who's attacking. In conventional warfare, attribution is easy: They're wearing distinctive uniforms. Computer viruses and malware don't have an embedded flag in it to tell you which government sent it, and even if it did, it couldn't be trusted. Second, attacks that are meant to go after one thing can inadvertently hit something else (collateral damage). This is usually geographically-based in the real world... if a hospital happens to be next to a military munitions depot, umm, oops? But online, the hospital could be in another country and yet still be hit by the attack, because its digital signature is similar to the actual target. Either it's on the same network, or has a similar network address, or even a simple one character typo, is all it takes to send a "cyber bomb" (gags) veering off target. And last, but not least... you can have all the countries on Earth sign this and it still leaves out the guns for hire, the mercenaries. The A-Teams of the digital world: Freelancers. They don't have to go by your rules, and if a hospital happens to have a juicy source of personal information that could be turned into cash through extortion, blackmail, or reselling, they may just decide to go for it.

    This document underscores just how little our military and political leaders understand about this new theatre of war. They're drafting up treaties without even knowing where the borders are yet.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:This just in: Still clueless by malacandrian · · Score: 3, Funny

      In conventional warfare, attribution is easy: They're wearing distinctive uniforms. Computer viruses and malware don't have an embedded flag in it to tell you which government sent it, and even if it did, it couldn't be trusted.

      Just require all state-sponsored malware to be signed and verified by a third party. I can see no reason why such a system would fail.

    2. Re:This just in: Still clueless by girlintraining · · Score: 4, Funny

      Just require all state-sponsored malware to be signed and verified by a third party. I can see no reason why such a system would fail.

      "Unable to launch nuclear missiles; The application was unable to contact the licensing server. If the problem persists, please contact your network administrator. The launch bay doors will now close."

      --
      #fuckbeta #iamslashdot #dicemustdie
  3. And oil rigs by plover · · Score: 2

    They might leak and make a mess. And electric grids, boy, that would be inconvenient. And not water treatment plants, or traffic signals. And not banks or shops, either.

    The Geneva Convention worked (mostly) because there were mutual prisoners of war who could be mistreated, and horrific effects all around from mustard gas. If Anonymous could post flashing GIFs on an epileptic support group web site for teh lulz, what makes anyone think an attacker will stop at a hospital's firewall?

    --
    John
  4. Get off our lawn by mars-nl · · Score: 2

    Can't all these generals just get on World of Warcraft or whatever online game and fight each other there, instead of wasting everyone's money on using our internet as their newest play yard?

    1. Re:Get off our lawn by Nyder · · Score: 3, Insightful

      Can't all these generals just get on World of Warcraft or whatever online game and fight each other there, instead of wasting everyone's money on using our internet as their newest play yard?

      Because of all the Chinese gold farmers, the Chinese will have the advantage.

      --
      Be seeing you...
  5. Hijinks ensue in definition? by girlinatrainingbra · · Score: 2

    What, should the main page return a "Red Cross" or a "Red Crescent" or an appropriate meta-tag on a web-site's front page in order for it to qualify as an "off-limits" target? Will it be like saying "hey they're not really soldiers 'cause they're not wearing a uniform with patches 'n' shit!" forgetting that the USA's minute-men and civilian militia were definitely a rag-tag bunch of townies who also wore no uniform, while King George's men had their beautiful red-coats!
    .
    Has the USA turned ourselves into the British colonial empire building with our own red-coats? Why would anyone think the USA would follow a NATO directive or another Geneva convention about "cyber-warfare" when the USA is currently unwilling to follow the already agreed-to Geneva Convention against torture and extra-ordinary rendition and recognition of the sovereignty of other states?

  6. I really don't see the point. by TsuruchiBrian · · Score: 3, Insightful

    Everyone just breaks these sorts of rules whenever they feel like. It just provides an excuse to attack other countries shrouded in contrived legitimacy. If we want to attack a country for hacking into a dam we'll do it. If other countries want to be mad at us or even retaliate, they will do that. Pretending that we are just following some coherent rules is a joke, and this should be transparent to everyone.

    Here is how this works:

    1. We do what we want. This is the most important part. Example countries like Axistan are there for our benefit.

    2. We invent rules giving us justification for attacking other countries and removing justification from other countries to attack us. Example A: Axistan is bad because they cyber attacked our hospitals and dams. We need to destroy them. Example B: Axistan attacked us for cyber attacking them, but since we attacked just about everything except their hospitals and dams, their retaliation was unjust and therefore they are the initial aggressors and now we must destroy them.

    3. We pretend these rules are fair and implicitly agreed to by all other countries. Any country that would not agree to these terms is surely an evil country that gets what's coming to them anyway. So even though Axistan never agreed to this rule, we can still punish them for violating it.

    4. When it doesn't work out the way we expected, and we need to break our own rules, that's ok because we still have all the guns, and the American people have a short memory. Oops it turns out we needed to cyber attack one of Axistan's dams. That's fine we'll just invent some reason why it was justified. You mean Axistan somehow managed to cyber attack us without hitting any hospitals or dams? Well let's just invent some reason why it actually broke our rules and let's attack them anyway.

    All of this political bullshit is designed to trick a gullible American public that those in charge are righteous in our actions. I think this is giving far too much credit to the average American's ability to think critically. We can skip most of this show and dance. It would be less insulting to the intelligence of all involved if we just said "We're taking your stuff because we want to and we are bigger."

    In a lot of ways we never really evolved past the politics of the playground. We just wear suits and use expendable high school kids with m-16s and m-1 tanks to pick on the other kids. We are a bully. But that's the way the world is. There are no adults to make us play nice or punish us. We're all bullies or victims or both. It's lord of the flies on a macro scale.

  7. Dams? by viperidaenz · · Score: 3, Informative

    Since when were they off the table for war? They blew up German dams in WW2.

    1. Re:Dams? by mjwalshe · · Score: 2

      That was prior to the current UN laws of war - the USA did not attack dams in Korea as there was debate about its legality.

  8. Re:too many reasons for war by viperidaenz · · Score: 2

    Money is quite dirty and should never be fed to a child. It also has no nutritional benefits.

  9. Off-topic by FatLittleMonkey · · Score: 2

    The Hermit Kingdom's obsession with propaganda and rewriting history, and common language and history with South Korea, seems to make it ideal for a "backdoor" cultural attack.

    The modern equivalent of a propaganda leaflet drop. Smuggle, or even airdrop, OLPC-style satellite receivers into North Korea, able to receive dedicated Korean language info dumps from suitable satellites, as well as rebroadcasted live radio and (power willing) TV channels. News, music, live weather, etc. (And dedicated counter-propaganda channels.) And encyclopedias, text books, banned poetry/history/music, stored on the devices. Modular, repairable, with solar panels and crank-generators repurposeable to reduce the number of units turned in or destroyed.

    Designed in South Korea, manufactured in China, a few hundred thousand units per year. Bargain.

    [Designed well, they could be more generally suited to the poorest parts of the world. Charities might buy them, increasing the production size, reducing the per-unit costs.]

    --
    Science is all about firing a drunk pig out of a cannon just to see what happens.
  10. Re:I say dams are legitimate targets. by jewens · · Score: 2

    Sure, but Joe and Winston would have been the ones on trial.

    --
    That group of bovine standing over there appears quite portentous. That's right it's an ominous cow herd.