By Adrianna Llongueras Vicente
Cyber Attack Analysis sent to the Atlantic Council.
Moonlight Maze is the code name given to a highly classified incident. Experts in information security and intelligence consider Moonlight Maze an example of the longest-lasting advanced persistent threat in recent history.
Security experts had their first contact with this incident in March 1998, when the U.S. government perceived abnormal activity in restricted network environments. Systems within the Pentagon, the National Aeronautics and Space Administration (NASA), the Department of Energy (DOE), weapons laboratories and universities throughout the United States were affected by targeted attacks on specific objectives that lasted for long periods of time.
The attacks were directed at sensitive but unclassified information systems and stored data. After repeated testing of the affected systems and data, the incident response teams concluded that the cyber-attack had lasted almost two years. The attackers had surfed freely through thousands and thousands of documents, including maps of military installations, troop configurations and military hardware designs. The FBI director of the National Infrastructure Protection Centre said that the cyber-attack instructions had their origin in Russia[1].
What was clear was that the attacks were structured, disciplined and trained, and showed extensive systems knowledge and restraint. Their authors came from an intelligence background and certainly had strong computer and security skills, originating outside Moscow. What was worrying was the extent of the data extraction.
As a result of the discovery and investigation of the cyber-attack, the Pentagon allocated $200 million for new cryptographic equipment and for updating its intrusion detection systems and firewalls. Before the discovery of this cyber-attack, computer centres did not continuously monitor network traffic. Even when the strictest security procedures were introduced, the intruders adapted to them.
Moonlight Maze accentuated the vulnerabilities of systems and networks in the United States. Many of these systems played an important role in critical infrastructure, the DoD, the DOE, the Department of Justice and other federal agencies.
The attackers used profiles similar to those used in the Solar Sunrise attack. The intruders carried out the following actions: enumerate the network address space, scan for vulnerabilities, identify them, exploit them, install a backdoor program enabling them to re-enter the system, destroy files, and gather and remove data.
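The sequence of actions just listed, together with the earlier observation that computer centres did not continuously monitor network traffic, can be illustrated from the defender's side. The following Python script is an added example and is not part of this paper or of any investigation it describes: it reads a constructed, hypothetical log (the event names, hosts and timestamps are invented for illustration and assume an IDS or host log that labels events this way), maps each event onto one of the phases named above, flags a source host only when it progresses through several phases in order, and measures how long that host was active, which is the long-running pattern Moonlight Maze revealed.

```python
from collections import defaultdict
from datetime import datetime

# Intrusion phases listed in the text, in the order the attackers carried them out.
PHASE_ORDER = ["enumerate", "scan", "exploit", "backdoor", "destroy", "exfiltrate"]

# Hypothetical event names (assumed to come from IDS or host logs) mapped to those phases.
EVENT_PHASE = {
    "icmp_sweep": "enumerate",
    "port_scan": "scan",
    "exploit_attempt": "exploit",
    "new_listener": "backdoor",
    "mass_delete": "destroy",
    "bulk_outbound": "exfiltrate",
}

# Constructed sample log (not real Moonlight Maze data): timestamp|source|event|detail
SAMPLE_LOG = """\
1998-03-01T02:10|10.0.5.7|icmp_sweep|echo requests to 200 hosts in 10.0.5.0/24
1998-03-01T02:14|10.0.5.7|port_scan|60 ports probed on 10.0.5.20
1998-03-02T23:40|10.0.5.7|exploit_attempt|malformed request to 10.0.5.20:21
1998-03-02T23:45|10.0.5.7|new_listener|unknown service bound on 10.0.5.20:31337
1998-03-05T03:00|10.0.5.7|bulk_outbound|48 MB sent to an external host
1998-03-01T09:00|10.0.5.8|port_scan|scheduled vulnerability scan run by IT
1998-03-01T09:05|10.0.5.8|icmp_sweep|inventory sweep run by IT
"""


def parse_log(text):
    """Turn the pipe-separated log into (timestamp, source, event, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, source, event, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(stamp), source, event, detail))
    return events


def phases_by_source(events):
    """Map each source host to the phases it reached, in first-seen chronological order."""
    seen = defaultdict(list)
    for stamp, source, event, _ in sorted(events, key=lambda e: e[0]):
        phase = EVENT_PHASE.get(event)
        if phase and phase not in seen[source]:
            seen[source].append(phase)
    return dict(seen)


def flag_sources(events, min_phases=3):
    """Return sources that advanced through at least min_phases phases in kill-chain order.

    Reconnaissance on its own (as from an authorised scanner) is not enough to flag a host;
    the signal is the progression from scanning to exploitation, persistence and data removal.
    """
    flagged = []
    for source, phases in phases_by_source(events).items():
        ranks = [PHASE_ORDER.index(p) for p in phases]
        if len(phases) >= min_phases and ranks == sorted(ranks):
            flagged.append(source)
    return sorted(flagged)


def dwell_time_days(events, source):
    """Whole days between the first and last event from a source: how long it was active."""
    stamps = [stamp for stamp, src, _, _ in events if src == source]
    return (max(stamps) - min(stamps)).days


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for source in flag_sources(log):
        print(f"{source}: phases {phases_by_source(log)[source]}, "
              f"active for {dwell_time_days(log, source)} days")
```

The host that only scans (the constructed IT scanner, 10.0.5.8) is never flagged, because the rule requires a progression across phases rather than any single noisy event; this is what distinguishes continuous monitoring that correlates events over days from the per-event alerting the paper says was missing before the incident.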
Moonlight Maze showed that America was extremely vulnerable not only to disruption but also to exploitation by an adversary who could access information whenever he wanted, and for a long period of time. Moonlight Maze also highlighted the difficulty of attribution and traceability. The experts were able to trace the origin of the attack back to Russia, specifically to Moscow, but could not prove or confirm that Russia was the instigator of the attack, because the attackers might have routed their traffic through Russian networks and computers while the true origin of the attack lay in another country.
A changing world
We are experiencing what many analysts call "the third industrial revolution", based on rapid technological advances. These developments directly affect power: power understood as the capability to make things happen, the capability to influence people's lives and make them do what you want them to do. The rapid development and growth of the virtual world, "cyberspace", is an important context to consider in politics and national security worldwide.
Cyberspace has facilitated the diffusion of power, not from state to state as happened historically, but to other players who previously did not participate in the international arena. In the information era this power is slipping outside the control of states, including the most powerful, which should learn to share their power with actors that did not exist until recently and are much harder to control. Cyberspace gives capacity and power to state actors, cyber-criminals and hackers; in short, it gives the power to act and to influence the political arena to any person, in both hard power and soft power, which were formerly controlled exclusively by states.
The feature that distinguishes the virtual world from our physical world is precisely its "non-existence": non-existence because at a given time a portion of cyberspace exists, and subsequently that portion has been cancelled and has vanished. This is unthinkable in physical geography, where we cannot move mountains or seas at will, but in the virtual world it is possible, and it is there that a cyber-attack happens, and with it emerges the difficulty of tracking and identifying the attacker.
The birth of cyberspace has blurred the traditional concept of great power in relation to the international "status quo". The Internet is cheap and even the poorest country, or anyone, has access at a very low cost; you only need a computer and a hacker to compromise a country's homeland security or cause serious accidents and millions of victims.
Society is increasingly dependent on cyberspace, and this dependence carries an increased exposure to vulnerabilities, cybercrime and cyber-attacks. The best way to understand cyber security is to see it as a complex problem characterized by uncertainty, dynamism and continuous evolution, in which it is very difficult to establish action/reaction and cause/effect. Cyber war, cyber espionage and cyber-attacks are serious challenges confronting us in cyberspace.
Cyber technology can be used to attack states, financial institutions and the critical infrastructure of the state, such as the electric grid, transport and nuclear power plants; it can also attack public morale, a point to which little importance is given but which at a given time can destabilize a government. But not all threats in cyberspace are an act of war; the actions of terrorist groups, cyber espionage or organized cybercrime can cause great damage and do not necessarily constitute an act of cyber war. One of the principal characteristics of cyber-attacks is the great speed at which vulnerabilities and threats evolve, but many states are not flexible: they do not have the ability to adapt and are not fast enough in facing cyber threats; when they draw up strategies to be applied in cyberspace, these are already obsolete even before being implemented.
Cyberspace is a parallel virtual world created by man with the development of information and communication technologies, and without a legal framework. An international treaty regulating the legal and illegal actions and activities that states can conduct in cyberspace is needed. This international treaty must capture the characteristics of this type of conflict, the actions that states can take in response to a cyber-attack (a direct and proportional response), which state and non-state actors can be involved in a cyber-conflict, and the types of military, industrial or civilian target against which a cyber-attack can be directed.
The main characteristics of cyber-attacks are:
- The actors can pursue their strategic and political objectives without the need to initiate a traditional armed conflict.
- Cyberspace gives a disproportionate power to actors that were regarded a few decades ago as minor threats.
- Cyber-attacks can be carried out with IP address falsification; attackers can conduct criminal actions with complete anonymity and impunity (the attribution problem) through the use of foreign servers.
- Traditional state borders do not exist in cyberspace; they have disappeared, like the line separating civilian and military targets.
- Cyberspace has become the fifth military domain of the battlefield, together with land, sea, air and space.
Cooperation is needed from the international community in the fields of intelligence, diplomacy and military affairs, as well as the development of international rules governing cyber warfare and cyber-attacks, in order to develop the capacity to anticipate and deal with the complexity of cyberspace. Since cyberspace is a structure of global communications and information transfer, where incidents and cyber-attacks make no distinction between military and civilian targets and affect everyone in the same way, it is necessary to raise national and social security awareness. As noted in the paragraph above, cyberspace does not differentiate between military and civilian targets. This raises the question: in case of cyber war, how should states cope with such a threat? With negotiations, formal diplomatic protest, economic retaliation, criminal proceedings or through a military attack?
Cyber security presents a threefold challenge: the dual challenge of promoting both public safety and private security through the securitization of networks, and the third challenge of fighting cyber organized crime and other actors which use Internet infrastructure to achieve their illicit goals. Cyberspace provides total immunity to cyber attackers given the absence of an international legal framework and, particularly, the impossibility of identifying the origin of the attack. The development of cyberspace has increased social interactions; millions of users participate in social networks like Facebook and Twitter.
Moonlight Maze happened in 1999, was the first known cyber attack, and consisted of a series of alleged coordinated attacks against U.S. computer systems. It was established that the attacks had come from a computer in Moscow, but it is not known whether they had originated there. It was claimed that the hackers had obtained large amounts of data that might include secret naval codes and information on missile guidance systems, but nobody knew for sure what information had been compromised. The attack was attributed to Russia. This paper focuses on the analysis of Moonlight Maze, especially on the political, legal and military consequences that cyber attacks carry in the international arena. It also argues that cyber attacks represent a threat to international peace and might be treated by states almost on the same level as nuclear war, because cyber war can destroy a modern state without causing casualties.
Several questions arise about cyber attacks:
- When is a cyber attack "an act of war"?
- What is the appropriate response?
- What changes does cyber war bring into the "art of war"?
- Can the laws of armed conflict be applied to cyber war?
- Is a cyber attack considered a "use of force"? Can art. 2.4 of the UN Charter be applied?
- Can a state rely on art. 51 of the NATO treaty when under cyber attack? What is the legal regime of combatants and civilians in cyberspace?
- The obsolescence of physical borders in the virtual world.
- What is the appropriate method for the identification of Internet users (attribution)?
- How can the origins of cyber-attacks be identified (traceability)?
- What actions are required in case of a cyber attack against national defence?
- The need for international cooperation with other states.
The International Community and Cyber security
The challenge facing cyber security is to identify what needs to be protected, how to protect it, against what or whom, and by what means it should be protected. This task cannot be carried out until we abandon the traditional view we currently hold of action/reaction and cause/effect in policy making. In the 21st century we must go far beyond this and accommodate the changing communication and information technologies and their potential and future threats. This evolution is not linear but complex, uncertain, dynamic and by now boundless, and in it the cause, the object and the subject are difficult to establish. International society must be able to adapt to rapid technological change, because cyber technology is one of the many results of the globalization process; hence the need to develop a new international legal framework addressed to the regulation of the virtual world, and particularly of cyber security. We must work to ensure national cyber security and cyber-governance, and to develop an international legal framework under which cyber attackers no longer have impunity in the legal field, and which settles the conditions and actions required to define when a cyber-attack is considered an act of war.
It is of great complexity to exercise Internet governance, since that means investment in technology and resources in endless forums to get some vague results. Internet governance currently presents great difficulty, but the alternative approach must be soft power: the first step is to influence that ruling. The Internet has been described as a world without law, control or organization. International society, through the UN, the EU, NATO and other international forums, needs to come together to improve international cyber security and establish an appropriate international legal framework; there is also an increasing and urgent need for close cooperation between public institutions and the private sector. The Internet challenges national security.
National Defence
The best defence against an attack is to know your own weaknesses, be prepared and know your enemy; the latter is almost impossible in a cyber attack. The identification and correction of major vulnerabilities in the state's critical infrastructure will be possible through the implementation of policies designed for the analysis and investigation of potential vulnerabilities. The analysis of vulnerabilities will proceed through the assessment of the opinions and advice of cyber technology experts and the development of adequate action plans, in order to elaborate an effective deterrence strategy. We must work primarily on identifying the source of the attack and the attacker, on forensics and on monitoring attacks: all technical issues, in order to develop the capacity to identify any user in cyberspace. In order for deterrence to be effective, antagonists, enemies or future attackers must be convinced that they can be identified, prosecuted and punished severely.
The effectiveness of cyber deterrence may be more than uncertain as regards cyber attacks against the information and critical infrastructure of a state. Cyber deterrence must be regarded today as a whole under the military; retaliation for an attack must not be limited only to cyberspace but should extend to the physical realm, at the diplomatic, economic and political level.
Military cyber activities include network-centric operations, computer network attack and information development. These are operations aimed at implementing security and geopolitical influence as a method of deterrence against future and potential cyber attacks.
Cyberspace is an element of power and a support for power (political, informational, military and economic). Cyber power is the capacity to use cyberspace to create advantages and influence events in all operational areas through the instruments of power.
Many states, such as India, China and Russia, are developing ambitious programs to achieve military hegemony in cyber technology. These countries have a level of engineering and technological development much higher than all Western countries, at a more than competitive cost. Such circumstances favour the relocation of many Western technology companies into Asian countries, causing "know-how" to be transferred and resulting in serious damage to the future development of a good technological university education, making Western countries lose their capacity for technological research. That means fewer students and graduates in engineering, mathematics, science and technology, and increases the risk of cyber espionage and cyber attacks, as a result of the fact that 99% of computer products are made in Asian countries.[2]
“Public-Private-Partnership”
However, cyberspace and the dependence of post-industrial states on new technologies have a risk-multiplying effect, constituting an Achilles heel. This dependence increases the vulnerabilities and the exposure of the country's basic infrastructure to cyber attack (coming from abroad or from inside the state). The establishment of a mixed (public/private) institution should aim to investigate in depth the matters referring to cyberspace that fall under homeland security, and to research new ICTs that the government by itself does not have the capacity to develop.
Cyber-attacks Legal Status
Cyber attacks through the Internet are becoming increasingly common, and the proliferation of such criminal activity is a problem for national security; besides, the network brings into question the existence of the physical boundaries of states and the application of their national law. The actors that interact in cyberspace can develop their activities, exerting a positive or hostile effect, from anywhere in the world without being detected and with the virtual inability to follow their trail. But what characterizes these activities conducted in cyberspace? As seen in the Moonlight Maze attack:
- Motivation: cyber-actors usually have one or more reasons to pursue their aims; it can be personal, ideological or political interest, national interest or, unusually, no specific interest at all.
- Intent: by "intent" we mean the actor's purpose with respect to the attainment of the main objective, or what it is trying to get. The intent is evaluated against the ease of reaching the target and the legality or unlawfulness of the action.
- The target: targets vary from protected to unprotected, and from non-critical to highly protected and critical (classified, critical infrastructure or critical systems). The target is critical not just because of the level of intrusiveness the action represents, but because of the potential harm an uncontrolled cyber-attack can cause.
- Impact: the effects of a cyber attack are the first argument and cause to start international cooperation among states. The impact may be measured by the financial damage, physical damage or human harm arising from a cyber-event.
- The actors: the identification of the attacker, as in any attack, is critical to giving an appropriate, prompt and proportionate response, but in cyberspace the determination of the source of the attack and the identification of the attacker is virtually impossible right now.
The origins of the Internet and its conception left the development of network security in second place; the first priority was to ensure real communication between the parties connected to the system. In 1972, in "The Computer Security Technology Planning Study", James P. Anderson wrote that "the systems were not designed to be safe and provide hackers with a wealth of opportunities to undermine the operating system itself."[3] To measure computer security we rely on the protection of three core attributes: confidentiality, integrity and availability. Almost all cyber attacks seek to compromise at least one of these three attributes.
Confidentiality and integrity are associated with data transmission. Cyber attacks usually focus on exploiting a vulnerability of a system or network in a way not contemplated, providing the attacker access to the system and enabling him to take control of it. Another form of system access is through social engineering, the practice of getting confidential information by manipulating legitimate users.
Cyber-attacks do not only come from outside an organization, institution or the state; the employees themselves also represent a risk for businesses and governments: "individuals such as contractors, employees or suppliers that have legitimate access to critical systems through computers generally have detailed information on system operation and security, as well as physical accessibility, that can provide a first attack".
Legal Issues
Under international law there are two sources: formal agreements such as treaties, and international customary law. Customary law derives from the interpretation of treaties, international declarations of institutions, pronouncements and actions by governments, and manifestations of practices accepted under international law. Usually international law is an agreement established by the parties subject to compliance with the provisions of the treaty. States that do not agree with, or differ on, aspects of international customary law may object to the development of such aspects, and these states will not be bound by the provisions with which they have disagreed nor be required to observe them.
State sovereignty
Electronic signals travel around the world through international networks with complete impunity, enabling any individual or group to carry out a cyber attack against a system on the other side of the world, while national regulations and national authority apply only within the boundaries of each state.[4] The state is a set of institutions that possess the authority and power to establish the rules governing a society, having internal and external sovereignty over a given territory. Attribution of a cyber attack to a state is the key element in creating a new legal regime. Transnational cyberspace activities that affect the internal affairs of a state might breach general legal principles upholding respect for sovereignty and non-intervention. [5]
Article 2(4) of the United Nations Charter:
“The Organization and its Members, in pursuit of the Purposes stated in Article 1, shall act in accordance with the following Principles.
4- All Members shall refrain
in their international relations from the threat or use of force against the
territorial integrity or political independence of any state, or in any other
manner inconsistent with the Purposes of the United Nations.[6]”
New technology (ICT) and its constant evolution make the physical boundaries of a state or territory increasingly less relevant. How should we deal with a cyber attack, given that national borders do not exist on the Internet and we cannot apply national law?
We have three options for understanding the role of national sovereignty in cyberspace. The first option: states may try to enforce the traditional notion of borders in cyberspace. The second option is the recognition that cyberspace needs a special, new legal regime, different from the traditional one existing until now. In cyberspace there is no national sovereignty, and this regime must be inspired by "The Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, Including the Moon and Other Celestial Bodies"[7]. Third, in the event of a cyber-attack against a government website, I would suggest extrapolating Diplomatic and Consular Law into the virtual world, obviously making the adjustments required for cyberspace while keeping the same principle of territoriality that applies to a state embassy in a third country.
This is a discussion which, from our current era, may look totally disproportionate, but with the evolution of cyberspace and our increasing dependence on it, international law will come to a point at which it regulates cyberspace through international arrangements that set up a pattern of conduct outlining which actions are lawful and which violate international standards.
Use of force.
Depending on its nature, a cyber-attack can be considered a "use of force" or an "armed attack" under international law, whilst other hostile actions in cyberspace are not regarded as such. There is great ambiguity in this regard, since cyber attacks, regardless of their nature, enjoy a lack of regulation, determination and definition within the legal criteria governing the use of force. This ambiguity makes it possible for states to use cyber-attacks as an instrument of coercion without suffering any legal consequence, nullifying the capacity of victim states to find a legal answer to this particular action. The principal legal remedy of the ius ad bellum is the Charter of the United Nations, Article 2.4[8].
First exception: in the seventh chapter of the UN Charter, "Action with respect to threats to the peace, breaches of the peace, or acts of aggression":
Article 39: “The Security Council shall determine the existence of any threat to the peace, breach of the peace, or act of aggression and shall make recommendations, or decide what measures shall be taken in accordance with Articles 41 and 42, to maintain or restore international peace and security”.[9]
Article 42 “Should the Security Council consider that measures provided for in Article 41 would be inadequate or have proved to be inadequate, it may take such action by air, sea, or land forces as may be necessary to maintain or restore international peace and security. Such action may include demonstrations, blockade, and other operations by air, sea, or land forces of Members of the United Nations”. [10]
Second exception: Article
51 “Nothing in the present Charter shall impair the
inherent right of individual or collective self-defence if an armed attack
occurs against a Member of the United Nations, until the Security Council has
taken measures necessary to maintain international peace and security. Measures
taken by Members in the exercise of this right of self-defence shall be
immediately reported to the Security Council and shall not in any way affect
the authority and responsibility of the Security Council under the present
Charter to take at any time such action as it deems necessary in order to
maintain or restore international peace and security”.
Therefore, unless authorized by the United Nations Security Council, a state can only make use of force if it claims self-defence.
"The treaty of non-intervention" prohibits direct or indirect intervention in the internal and external affairs of a state, and declares that any armed intervention or any other type of interference with or control of a state is doomed". This lack of regulation presents a problem for the scope of cyber war; it is unclear when a cyber attack constitutes an armed attack, a use of force or an armed intervention. [11] It is also legally ambiguous when we refer to the outcome of a cyber attack: even when it causes physical damage, its origin remains virtual and it is perpetrated through electronic means.
Jus in Bello. The law of war
Cyber attacks can be interpreted as a use of force or an armed attack, and the relevant international standard that can be applied to them needs to be determined. Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I), 8 June 1977.[12]
Part III: Methods and means of warfare; Combatant and prisoner-of-war status.
Section I: Methods and means of warfare
“In the study, development, acquisition or adoption of
a new weapon, means or method of warfare, a High Contracting Party is under an
obligation to determine whether its employment would, in some or all
circumstances, be prohibited by this Protocol or by any other rule of
international law applicable to the High Contracting Party”.*
International humanitarian law (IHL) regulates the strength and the type of weapons that can be used in an armed conflict. Even if a state makes use of force legally, it cannot do so indiscriminately, and must comply with the three principles of the laws of armed conflict, including respect towards neutral states.
The principle of necessity: a state can resort to the use of force only when the threat is direct and real.
The principle of proportionality: use proportional means against the cyber-attack that has been suffered.
The principle of distinction: the state must distinguish among civilians, civilian property, the belongings of military personnel and military targets. The use of force must always respect the neutrality of states and their sovereignty.[13]
The nature of cyber war creates a problem for the fulfilment of the three principles of necessity, proportionality and distinction, and for respect for the neutrality and sovereignty of states.
If cyber attacks constitute a use of force or an armed attack, it is unclear how to apply the above principles: it is too difficult to control the collateral damage and the intangibility of the damage, and moreover a cyber attack makes no distinction between civilian and military targets. With regard to neutral states, in theory during a cyber attack the attackers could not, according to international law, use the network or Internet infrastructure in their territory; it should be considered a violation of the state's neutrality, but this principle would only apply to physical violations of the territory. However, cyber-attacks do not involve any physical incursion; hence, following current international law, no violation of neutrality exists.
At the international level, NATO and the Council of Europe are working towards establishing policies on cyber security. Since the attacks against Estonia in 2007, NATO has been creating a legal framework on cyber defence. At the Bucharest summit a statement was made announcing that NATO would adopt a policy regarding cyber defence. This policy stresses the need to protect critical information and critical infrastructure as well as developing and sharing best practices among member states; it also highlights the need for assistance among members of the alliance and for increased cooperation between NATO and national authorities.
The Council of Europe created "The Committee on Crime Problems"* in 1996. The Committee began its agenda on cyber crimes by setting up a committee of experts to study this new challenge. One of the first reasons for establishing this committee was the understanding that criminal law must be adapted to technological evolution and shall regulate the misuse of this technology. In 1997 the Committee of Experts on Crime in Cyberspace was established; after several meetings and drafts, the Convention on Cybercrime was approved on July 1st, 2004. The main problem addressed by this convention is cyber crime within Internet commerce, and it attempts to protect society against illegal activity.* The convention was designed to help the national legislation of the member states as well as to initiate a process of international cooperation concerning cyber crime. The Convention on Cybercrime is an international treaty which has attempted to unify standards concerning cyber crimes, but it does not regulate any aspect of cyber war or cyber conflict.
Traceability and its legal implications.
In the event of cyber attacks, you need the ability to trace the source of the attack through the computers and networks that were instrumental in the attack. This tracing is very difficult and may take some time, a time that in cyberspace makes the fingerprint very weak, making it almost impossible for forensics or computer analysts to trace back the origin of the cyber attack.
National criminal law enables or prevents the international legal assistance a nation can provide for the suppression of cyber attacks caused by people who operate within its borders.
For tracking and subsequent prosecution of cybercrime it is very important that other countries have criminalized such actions or behavior in cyberspace. If criminal reciprocity does not exist, a country cannot seek legal assistance from the State where the cyber-attack originated, and the criminal prosecution of the cyber-attacker will be impossible.[14]
One option would be the development of an extradition system regulated by international agreements covering cyber-attacks and setting a double criminality clause: a person will only be extradited if the action (the cyber attack) is considered a crime in both States.
The second option is the example of international cooperation with regard to the use of force. Article 5 is one of the basic principles of the NATO Treaty and states:
“The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all and consequently they agree that, if such an armed attack occurs, each of them, in exercise of the right of individual or collective self-defence recognised by Article 51 of the Charter of the United Nations, will assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area.
Any such armed attack and all measures taken as a result thereof shall immediately be reported to the Security Council. Such measures shall be terminated when the Security Council has taken the measures necessary to restore and maintain international peace and security.”[15]
Estonia's case provides a precedent with regard to cyber warfare: the principle of Article 5 did not apply, because a cyber attack against one NATO member is not considered an attack on all members.
It is important to amend the treaty to establish which cyber actions constitute an act of aggression, intervention, use of force, direct participation in hostilities, armed attack or act of war.[16]
Attacks on computer systems that destroy or damage information may also cause great harm to the economy, the army and the State.
The international community must accept that cyber attacks on information systems can cause severe damage to the victim State, and it must be ensured that cyber attacks on computer systems and networks in international armed conflicts are restricted to lawful combatants and governed by the law of war.
Moreover, with the coordination and regulation of these practices on cyber actions, States may set up a pattern of State practice that will become, in years to come, customary international law.
Characteristics of a cyber-attack
In 1999 Michael Schmitt, professor of international law, considered that computer network attacks represent an entirely new and different instrument of coercion in the international arena from those existing so far.[17]
Underlying every cyber attack is a motivation, which can be defined as an “internal or external force on a group or a person that creates an enthusiasm to continue and pursue a sort of action.”[18]
This definition makes it possible to recognize that motivation can be influenced by external or internal factors, and it underlines the leading role of the insistence on achieving a goal; it stresses goal orientation and direct action.
The factors that motivate cyber attacks are political, social, cultural, economic, psychological and so on. These motivations are important for understanding the behavior of cyber actors and for establishing a model of action.
Cyber actors can be motivated to act out of personal, ideological, political or national interest; in very exceptional cases cyber-attacks are not motivated by any particular interest.[19]
We could describe the motivation of each cyber actor by the degree of mischief and damage that may result from an early attack.
If there is no particular interest, the intensity of the attack is usually lower, while if there is a political, national or religious interest, cyber-attacks are far more highly developed, show more expertise and have a greater potential to cause serious harm.
The intention refers to the tactical goal of the cyber actor and describes the target of the attack, whether or not the action itself is carried out.
However, this does not mean that an early cyber-attack which has not reached its target is less harmful, or that its scope within the system can be neglected.
The continuum is the presumption of legitimacy an act can have nationally or in the international community; it runs from permitted to prohibited acts.
A cyber-attack can cause four effects: a breach of confidentiality; an availability assault; compromise of system integrity; and the undermining of control.
Breaking confidentiality involves unauthorized access to confidential information, defined as cyber espionage, as in Moonlight Maze, Solar Sunrise, Titan Rain and the Flame malware.
An availability assault is the disabling of Internet resources, usually achieved through denial of service attacks. A clear example is the 2007 Estonia attacks.
Jeopardizing integrity is the alteration of data, causing the targeted enemy to doubt the accuracy of its own data or of the information available.[20] This type of attack is very dangerous because it can reach the point where the victim does not realize that the information used for decision making is compromised.
Moonlight Maze is a clear case of counterintelligence, which involves information gathering and acting on that information. The target of counterintelligence is foreign intelligence.
Counterintelligence tactics can be divided into four categories:
- Passive defense: keeps opponents away from valuable information.
- Active defense: aims to bait opponents' offensive methods (honey pots).
- Passive offense: camouflage techniques and good intelligence collection.
- Active offense: uses techniques to render opponents' attacks useless, and manipulates adversaries so that their attacks are harmless or do not occur at all, by feeding the adversaries false information and manipulating their interpretation.
In 2006 the U.S. Air Force coined the term “Advanced Persistent Threat” (APT). An APT's purpose is to remain hidden, acting in a clandestine manner to gain access and retain continual, persistent intelligence observation of the target. Advanced Persistent Threats use stealth, adaptation and very sophisticated techniques to infiltrate computers and networks for months or even years; these cyber attacks are conducted by experts using all the intrusion tools available, and they prioritize long-term goals. Cyber-attacks like Moonlight Maze are categorized as TIER 1, Subversive Multivector Threat (SMT): highly sophisticated, well-crafted, well-executed attacks designed to use and exploit as many threat vectors as necessary to accomplish the mission's milestones. What makes them different from other threats is the willingness to exploit weaknesses in people, process and technology in order to meet their ends.
These threats are designed to place, in a dynamic fashion, a greater or lesser amount of effort and emphasis in one area versus another over time, as dictated by the mission's goals and the leadership behind them.
SMTs are complex unions of human intelligence, information security, communications intelligence / signals intelligence (COMINT/SIGINT) and open source intelligence (OSINT), and as a result they differ greatly in this sense from other threat classes such as the Advanced Persistent Threat (APT).
Moonlight Maze had some characteristics of both an APT and an SMT.
It was an Advanced Persistent Threat because the adversary operated in the full spectrum of computer intrusion, was not an opportunistic intruder, received directives from its leadership, and was organized, funded and motivated, with military, economic and technical objectives.
Moonlight Maze can also fall into the Subversive Multivector Threat class because it was focused on undermining governments, had multiple paths associated with each aspect of the mission that prevented the mission from being compromised, and was carefully focused on selected targets.
Undermining the control of cyber organizations can take two forms: the first is unauthorized use of a service and the second is taking complete control of a system or server.
Unauthorized use of a service can be hacking a router to send a virus into a computer from which it spreads to other computers.
Taking overall system control is what is called "root access", which gives the cyber attacker full control over the system.
Another key factor of a cyber attack is the goal. Usually the target is a network system, a critical infrastructure or information theft.
Cyber warfare
Cyber warfare is considered by theorists and military analysts an asymmetric war, or what is commonly called guerrilla warfare in cyberspace.
Cyber warfare is the first form of war that allows a State, or an actor without sufficient traditional military capability, to fight a powerful state in cyberspace and cause serious damage to government computer systems or to State critical infrastructure.
A State can conduct a cyber-attack against another country without the attack being perceived by the victim, and the only weapons used are a mere computer and an Internet connection.[21]
The picture of cyber war as a "clean" war, because it causes no fatalities and is less murderous, falls far short of what may one day be the real impact of such a cyber conflict.
It should be noted that no computer system is inviolable to an expert hacker or a group of system engineers; cyber war is a type of war that may be far more destructive than a traditional one, and the worst aspect is the difficulty of responding to a cyber-attack, since the attacker, until now, remains anonymous and operates remotely.[22]
Therefore, in the 21st century information is a strategic resource of great value.
International Humanitarian Law and Cyber-warfare
In the legal field, cyber war should be subject to the principles of the UN Charter in order to define the borders of cyberspace; but it is necessary and urgent to develop international law that defines more specifically which State actions are permitted in the virtual world, since technological change may create inconsistencies among the current legal principles.
First, the type of damage that these attacks can cause is completely different from the damage caused by a traditional conflict; for example, the destruction of a critical infrastructure computer system may cause damage that is not detectable but can entail the destruction of State services.
Second, state sovereignty is rendered obsolete by technology's ability to pass through borders. National sovereignty has been a fundamental principle of international law since the Treaty of Westphalia in 1648, which states that "every nation has exclusive authority over all events occurring within its borders." Technologies make it possible for individuals or groups of hackers (cyber soldiers) to go beyond national borders through the Internet, while law cannot cross State boundaries.
Third, the targets of cyber war are hard to define, since they can be military or civilian; therefore it is difficult to apply the laws governing armed conflict, since there is no distinction between combatants and noncombatants. Hence one could say that international law concerning cyber war is nonexistent.
International law has to adapt rapidly to the evolution of technologies; therefore it should regulate not only the aspects of war but also cyber threats and the problems they pose to the international community.
The weakness of international law is that there is no enforcement system or compulsory jurisdiction; international law is basically a contract in which the parties agree to be bound in some aspects; therefore the parties that ratified a treaty will commit breaches of it as long as they believe it is profitable for the interests of the state.
It is necessary to create a convention that determines the basic rules governing cyber war; it should also discuss the possibility that state sovereignty is violated by an individual or another state accessing government computer systems through a website, social engineering, a virus, etc., and what action can then be taken by the victim of the cyber-attack.
Article 2(4) of the United Nations Charter:
“The Organization and its Members, in pursuit of the Purposes stated in Article 1, shall act in accordance with the following Principles.
4. All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.”
“Action with respect to threats to the peace, breaches of the peace, and acts of aggression”
International law governs two aspects of war: the behavior of the warring parties and the conduct of belligerents in relation to neutral states.
Articles 39, 41 and 42 of the UN Charter describe under what conditions the Security Council authorizes the use of force.[23]
Article 51 describes the conditions in which armed force can be used in self-defense.
If cyber war can be characterized as an act of war, it is essential to determine the constraints that the international community should establish on its use in wartime.
If cyber war is an act of war, then the following principles should govern its use:
The principles of international humanitarian law should limit the methods used, or that might be used, against an enemy during war.
The warring parties should avoid causing collateral damage to the population.
This notion was encoded in the St. Petersburg Declaration of 1868, which stated that “the only legitimate objective which States shall endeavor to accomplish during war is to weaken the military forces of the enemy.”
Civilians in war are not a legitimate objective. The only legitimate target is the military, including "those which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization ... offers a definite military advantage."
International humanitarian law holds that only military objectives can be attacked in a conventional attack; it requires that states use weapons that allow attackers to distinguish between military objectives and civilians. The problem of cyberspace is that both military and civilians use the same information systems, so it is unclear how a legal framework for regulating military targets in Internet attacks could be set.
According to customary international law it is legal for the warring parties to cut off communication lines in order to restrict communication among military systems; so far, there is no violation of international humanitarian law.
A virus like Stuxnet, considered the primary weapon of the cyber war era, or the recently discovered “Flame”: those viruses infected millions of civilian computers before reaching their military objective.
In this case we are no longer within the legality of international humanitarian law, because in cyberspace it is very difficult to determine whether a cyber-weapon has infected civilian systems before reaching its goal.
The law of armed conflict exists because of the willingness of nations to prevent unnecessary suffering and destruction in war.
The basic principles in the law of armed conflict:
- Military Necessity: the need for the army to become involved or take part in the acts necessary for the attainment of a legitimate military objective. Attacks are strictly limited to military targets.
- Distinction: basically the differentiation among combatants. "The parties in conflict must at all times distinguish between civilian property and military objectives.”
- Proportionality: humanitarian law also requires that the offender comply with the principle of proportionality: "Ban on weapons and methods that cause civilians and their property excessive harm in relation to the specific and direct military advantage. It prohibits launching attacks which may be expected to cause incidental loss and injuries among civilians, or damage to civilian property, or both, which would be excessive in relation to the anticipated military advantage."[24]
We should examine whether this principle applies to cyber war. First, it is very difficult for cyber soldiers to determine the specific goal of a cyber-attack; they usually seek to carry out dual attacks (damaging civilian and military systems).
Secondly, cyber war is a hidden war, and it can be difficult to know what the proper response to an attack is, as well as against whom a cyber attack in response should be launched.
The question is: in case of suffering a cyber attack, may a State use conventional weapons as a concrete response to this cyber-attack?
And in case of a conventional attack, can the victim State respond with a cyber-attack?
In the first case Russia has stated that if it suffers a cyber attack from another State its response will be with nuclear weapons.
The United States considers that it can respond to a cyber attack using conventional weapons if the attacker State has been identified.[25]
Proportionality is measured quantitatively: the response has to adapt to the characteristics of the attack, such as the scale of the action, the type of weaponry and the magnitude of the damage.
A proportionate response is one that is necessary and appropriate to repel the attack.
Proportionality in the jus in bello is based on the proportionality assessment prescribed in Article 51.5(b) of the Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I), 8 June 1977, which considers indiscriminate, and therefore prohibited:
Art 51. - Protection of the civilian population:
1. The civilian population and individual civilians shall enjoy general protection against dangers arising from military operations. To give effect to this protection, the following rules, which are additional to other applicable rules of international law, shall be observed in all circumstances.
5. Among others, the following types of attacks are to be considered as indiscriminate:
(b) an attack which may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated.[26]
The elements of this provision lead to the conclusion that it has become a norm of customary law applicable even beyond the "ratione personae" of Protocol I.
The two Additional Protocols to the Geneva Conventions of 1949, improving the protection of victims of international armed conflicts (Protocol I) and non-international armed conflicts (Protocol II), are not currently applicable to an attack in cyberspace.
How can this protocol be applied in cyberspace when a "cyber warrior" may be in a public place without wearing a military uniform, and is therefore considered a civilian?
Or, in the case where a cyber-attacker carries an insignia that distinguishes him as a doctor and therefore places him under the protection of Protocol I, what must be done? It is clear that cyber war does not distinguish between combatants and noncombatants; however, following the previous example, if this person is caught carrying out a cyber attack against military targets he would be considered a combatant.[27]
Humanitarian law also requires that the offender comply with the principle of proportionality: "Ban on weapons and methods that cause civilians and their property harm excessive in relation to the specific and direct military advantage anticipated. This restricts launching attacks which may be expected to cause incidental death and injury to civilians or damage to civilian property, or both, which would be excessive in relation to the military advantage anticipated."
After all, international law changes with events: “The life of the law has not been logic; it has been experience.”[28]
The army and the cyberspace
Each war is a product of its time. The means and tactics used have always evolved together with technology. War in the information age has altered and modified the characteristics of conflicts, the fighting capabilities and the battlefield.
ICTs have been integrated into the military and are treated as a target and as a weapon, like other constituents of the army.
We can identify different degrees of cyber war, but three are the most significant:
1 - Cyber warfare as an integral part of and complement to conventional military operations: its focus is on achieving information superiority or information dominance on the battlefield; this entails disabling the enemy's air defenses, blocking or destroying radars, etc. It seeks to destroy the enemy's capacity to respond. This type of cyber war focuses almost exclusively on military targets.
2 - Restricted cyber war: the information infrastructure is the means, the target and the weapon of the attack. As the target of the attack, this infrastructure is a medium through which the cyber attacker decreases the enemy's organizational effectiveness, uncovering future or potential vulnerabilities of the enemy, to the extent that with the degradation of the transmitted data the enemy comes to question the accuracy of the information available for making decisions.
3 - Cyber war without limits: a form of war that has three main characteristics:
- First, there is no distinction between military and civilian objectives.
- Second, it has consequences in the physical world, resulting in casualties among the population as a result of a deliberate attack intended to inflict great damage and destruction, as would be the case, for example, of a cyber attack on air traffic control, dams and the electric grid.
- Third, the economic and social impact, besides the loss of lives, is one of the main objectives.
Net-war shifts decision-making responsibility that traditionally fell on the higher levels of the hierarchy to the basic soldier.
Current and future troops must be willing to take complex decisions in extreme situations, be dynamic, and have the capacity for anticipation, adaptation and decision making, together with the willingness to take responsibility and learn.
The army of the future should recruit soldiers with a superior level of education, soldiers with initiative, rapid decision-making ability and great adaptability.
Software Intelligent Agents
A software agent enables control and patrol in cyberspace; it uses artificial intelligence (AI) to achieve the goals set by its "creator". These programs are independent entities that have their own behavior and apply a specific response to threats, and they have the ability to communicate with other systems.
Software Intelligent Agents are known as “infocraft”.[29]
RUSSIA
The experts were able to trace the origin of Moonlight Maze back to Russia, specifically to Moscow, but could not prove or confirm that the Russian Government was the instigator of the attack.
Even so, an analysis of the vision and concept of Russia's military strategy on the Internet is required.
In December 1999 Prime Minister Putin published his view of the Russian role on the Internet.
The Russian Prime Minister felt that the development and dominance of information and communications technologies would be a priority for his government.
In 2002 the government presented "Electronic Russia 2002-2010",[30] a strategy and political initiative to modernize the Russian government.
The Strategy identifies as a top priority the development of ICT infrastructure, in order to facilitate licenses for the import/export of high-technology material, facilitate technology transfer from the private to the public sector and promote the use of information and communications technologies in government.
Russia identifies three main threats to its national security that can lead to military conflicts:
First is the risk of conflicts with countries bordering Russia.
Second, the possibility of a direct confrontation with the United States of America and its Western allies.
Third, a potential conflict with China in the event that it wants to enlarge its frontiers.
The development of the Russian concept of Information Warfare or cyber war was forged during the 1980s and 1990s with the so-called revolution in military affairs (RMA); this revolution established a centralized cyber warfare command and control and the aim of information dominance on the battlefield.[31]
Russian theory focuses on controlling the enemy's decision-making and its actions by attacking telecommunications, financial and economic systems and state critical infrastructures, using all necessary means, conventional weapons and cyber weapons, so that victory over the adversary may be attained within a short period of time, at very low cost and with minimal casualties.[32]
Russia has ranked the effects of a cyber war in second place after a nuclear war; the Russian government considers that it has the right to use nuclear weapons in the event that a State attacks it using cyber weapons and thereby starts a cyber war.
Russia believes that cyber weapons, regardless of whether or not they cause casualties, attack critical infrastructure, the economic system, command and control systems and the army's combat potential, and thus considers itself legitimated to use nuclear weapons against the enemy.[33]
Maskirovka (маскировка)
"Disguise": maskirovka tries to control the enemy by creating a false perception of the current situation, altering the apparent available military capacity and making the adversary act in a predictable way, contrary to its interests, while military operations are carried out.[34]
In times of war, information warfare is intended to achieve a specific goal: superiority and information dominance over the enemy, so as to have an information advantage while securing one's own information systems.[35]
Maskirovka operations comprise camouflage, concealment and deception.
The Russian Defense Ministry considers information dominance a critical element of information warfare because it is integrated into the strategic and practical operational levels in times of war and peace.
In short, it is a complement that supports combat operations and group activities.
CONCLUSION:
The most important problems posed by cyberspace today can be identified as the following:
Policy area:
• Promote the development of Computer Emergency Response Teams (CERTs) and the creation of multidisciplinary and multistate CERTs, also at the European Union level, that can respond in the event of a cyber-attack.
• Promote the development and implementation of a Cyber Code of Conduct that creates a culture, education and global awareness of citizenship in cyberspace.
• Create at the regional level a European Union organization, and at the international level an independent institution, whose mandate will focus exclusively on the realm of cyberspace, working at the technical, political and diplomatic levels in order to develop an international legislative body that would regulate all aspects related to cybercrime, cyber-attacks and cyber conflict. This organization must serve as an international debate forum among governments and the private sector within the scope of cyber defense, with joint policy and security strategies, as well as creating international cyberdefense military units.
Legal area:
• Promote cyber security while ensuring privacy and compliance with laws.
• Improve law enforcement, cooperation at the political and diplomatic levels, information sharing and cooperation in cyber investigations among all countries.
• Develop international law to establish a regulation of all aspects of offensive and defensive cyber warfare.
• Promote the ratification by all countries of the Convention on Cybercrime of the Council of Europe and its internal implementation by the signatory States.[36]
Technical area:
• Identify the risks and opportunities provided by virtual systems and cloud computing; establish secured networks for the transfer of applications and information.
• Improve the capacity for monitoring and tracking online communications in order to identify the source of cyber-attacks or other cyber-criminal acts.