A Community Position paper on Law of CyberWar

Paul Shaw

12 October 2013

Author note

This law and cyberwar paper / quasi-treatise was originally written for a course in a CISO certification curriculum, covering cyber law, but was slightly adapted for a more public distribution. The references and bibliography should be a good discovery vector for those wanting to pursue this topic in more detail. The paper can be freely used / quoted or otherwise incorporated into other cyber security efforts as cited, with the original references / sources cited when appropriate. If you would like to collaborate on this topic, or provide updated sources, or challenge any aspect, etc - Please send me an

LAW OF CYBERWAR

Executive Summary

Understanding the law of cyberwar has the potential to support the development of a cyber response strategy. Using a simple scenario of cyberwar between nation states, the complexities of cyberspace are examined in the context of existing legal and regulatory environments. This evaluation allows for development of a cyber response strategy that considers the full range of military options. The range of military actions includes: defensive cyber response; offensive cyber response; and kinetic attacks. Cyberspace complexities are considerations in the design of a cyber response strategy. By understanding the opportunities and challenges of the legal and regulatory environment, a successful course for a cyber response is possible. A cyber response strategy is not a silver bullet that relieves senior leadership of developing the proper legal and regulatory environments. The benefits of developing a cyber response strategy are an improved ability to defend, respond, and avoid escalation. Considering advancing cyber threat capabilities and our dependence upon cyberspace, planning for our cyber response strategy needs to occur now. If a cyber Pearl Harbor happens, it is too late.

Law of Cyberwar

Cyberspace is critical to the functioning of the United States (U.S.) economy and infrastructure. Attacks in cyberspace are common. The cyber threat to our nation is one of the most serious economic and national security challenges we face (Obama, 2013, p. 1). Vulnerabilities to cyber attacks include a high probability of occurrence for loss and potentially grave consequences, to include disrupting the use of cyberspace and causing physical effects. To counter these attacks and protect the availability, integrity, and confidentiality of our networks and data, there is a critical need for a cyber response strategy. Our response strategy needs to include the range of military action but be within the options of our legal and regulatory environment. Considering the extensive military capabilities of the U.S., we need a cyber response strategy within our range of options to include the use of military force. The legal and regulatory environments are shaped by international law, national law, government policy, technology, and the complexity of cyberspace.

In this paper, an example of cyberwar between nation states is used to test our cyber response strategy and understand the legal environment. While the law of cyberwar is in development, there are still norms of traditional warfare and humanitarian law that assist with guidance on the development of our cyber response strategy. A critical issue of any cyber response is to prevent a cyber attack from escalating into a cyberwar and/or a full-blown war between nation states. Understanding is developed through examining complexities of cyberspace and cyber attack in the context of the existing legal and regulatory environment. We use a simplified scenario of cyberwar between nation states to assist in understanding helpful and contrary aspects of the legal and regulatory environment. The hope is that the U.S.
does not require a cyber Pearl Harbor to address issues in the legal and regulatory environment. Further development of the law of cyberwar is essential and critical.

Background

Threats to the DoD information environment and networks are growing in complexity and capability. Cyber attacks are a frequent occurrence with a range of activities to include malware insertion, monitoring, and hacking. As an example, adversaries are not only attempting more than 250,000 intrusions daily, but have demonstrated proficiency at infiltrating DoD information systems and exploiting sensitive information (Secretary of Defense, 2012, p. 2). These intrusions are not 250,000 daily attempts at starting a cyberwar. Cyber attacks have a
range of effects from a probe, an infiltration, a compromise, or a disruption. The vast majority of these attacks are stopped by defensive measures by the victim implementing cybersecurity through a cyber response strategy. Cybersecurity is described as the efforts and capabilities necessary to ensuring that the department can execute its missions in the face of cyber warfare by the most capable adversary (Department of Defense Chief Information Officer, 2013, p. 3).

A cyber response strategy includes a range of options. The issues for a cyber response strategy include the nature of the cyber threat, geometry of cyberspace, attack duration, attack effects, overlapping jurisdictions across U.S. agencies and nation states, and victim responsibilities. While many of these attributes exist in the physical realm for the use of force between states, the complexity, speed, and nature of the cyber realm add complexities and complications. Even with these complexities and complications, our legal and regulatory environments allow for the creation of a cyber response strategy with a range of options.

Primary cyber response options are defensive and offensive cyber responses. In the offensive cyber option, there is the possibility for the U.S. government to conduct a cyber attack on another nation or group. While there is no affirmed official policy that the United States would use cyberattacks, there has not been much refutation of the proposition that the United States was responsible for the Stuxnet attacks (Libicki, 2013, p. 16) on Iranian nuclear capabilities. Other military options extend from the use of force for self defense to war. Concerning a cyber attack, the ambiguities are fewest when cyber attacks cause physical damage to property and loss of life in ways that are comparable to kinetic attacks and traditional war (Lin, 2010, p. 73).

For most cyber attacks, there is an assumption that an attacker can be stopped with a strong defense.
This assumption even goes further to assert that the victim has the responsibility to provide and maintain a strong defense. The problem is the increasing capability of advanced, persistent, and adaptable threats to overcome cybersecurity defenses. Concerning cyberspace, complex threats compel development of a range of military responses to prevent a cyber attack from becoming something more. Existing U.S. and international law do not have the same restrictions on defensive cyber response as on offensive cyber response.

While there are many possible definitions of cyberwar, the North Atlantic Treaty Organization (NATO) definition of cyberwar is probably a best case to examine the legal and regulatory environment. The NATO definition: cyber warfare is a serious form of disruptive cyber attack by a nation on another nation's cyber space, crossing the line into being considered
a use of force (Hunker, 2010, p. 4). This definition deals with the most severe effects of cyber warfare, limits the context to opposing nation states, and triggers issues allowing use of force in self defense. This definition allows a comparison of cyberwar and traditional warfare. Traditional warfare has constructs for the conduct of a war (law of armed conflict) and humanitarian law, such as the constructs of proportionality and distinction. Even in this best case scenario, there is a lack of legal clarity on cyberwar in international law and the cyber regulatory environment. Cyberwar triggers a complex and multidimensional interaction of politics, strategy, and law. In examining the legal and regulatory environments, our simple scenario in the NATO definition of cyberwar illustrates complexities and lack of clarity.

In the legal environment, the U.S. domestic legal and regulatory environment has applicability to the development of a cyber response strategy. The Computer Fraud and Abuse Act (CFAA) is law and guides the Department of Justice (DoJ) for prosecuting computer crimes. The CFAA creates limitations on the range of response on the part of the defender. The CFAA limits offensive measures and requires a burden on the victim to prevent similar attacks. In particular, a victim of a cyber attack should not take any offensive measures on its own, such as hacking back into the attacker's computer even if such measures could in theory be characterized as defensive (Jarrett et al., 2010, p. 180). Authorization of use of the network and information is a key construct in determining whether a crime has been committed. Even though an attacker did not have authorization for his use, we are not allowed to commit their sin in our defense.
In accordance with this construct of creating a better defense, the DoD is trying to operate a defensible information infrastructure, harden the information infrastructure, acquire systems that are cyber secure, and execute mission-useful courses of action in response to attack (Department of Defense Chief Information Officer, 2013, p. 3).

In our NATO scenario, another nation state would not be subject to U.S. criminal law under the CFAA. However, we need to be able to recognize that the cyber attacker is a hostile nation state and not a U.S. citizen or an international criminal group. Initially, it can be difficult to distinguish between a cyber attack for financial gain, information acquisition, or cyberspace disruption. Our NATO definition does not address the issue of attribution. It allows an assumption that the attacker is a nation state. Attribution is one of the many complexities in cyberspace.

There is the possibility that opening salvos of the next war will likely occur in cyberspace (Card and Rogers, 2012, p. 1). It is possible that a cyber attack will be part of or precede a physical attack. In the context of a cyber response strategy, the U.S. needs to be able to use its extensive military force to deter and respond to cyber attacks. The U.S. has extensive kinetic military capabilities for inclusion in a cyber response strategy. U.S. leadership expressed a willingness to respond with military force to cyber attacks that cause deaths or significant economic harm, such as causing a nuclear plant meltdown, flooding populated areas, or interrupting air traffic control to cause crashes (Waxman, 2013, p. 114). Even with these potential red cyber attack lines, a strategy of using military force needs to be approached with the intent to avoid escalation. Using military force can create a complex interaction of strategy, politics, and law, but is still a viable response option.

The existing construct for national self defense from an attack uses the concept of jus ad bellum or right to war. The United Nations (U.N.) Charter under Article 2(4) prohibits the threat or use of force except in self-defense or when authorized by the UN Security Council (Waxman, 2012, p. 44). This construct of attack is better defined in the kinetic realm than the cyber realm. As discussed above, the U.S. uses an effects-based approach for a cyber attack to trigger the right of self-defense. Constructs of military conduct in such a use of force in self-defense are guided by the humanitarian law concepts of proportionality and distinction. Proportionality requires a minimization of harm to civilians and civilian property when attacking a military objective. Distinction requires targeting of combatants and not civilians. It took extensive periods of time to develop these two constructs in the physical realm.
Understanding these concepts in the cyber realm is a newer concept, with minimal precedent and few examples.

Analysis

The lack of legal clarity and international consensus for a cyberwar does not mean a cyber attack could not escalate into a traditional war between nation states. Our NATO definition of cyberwar is a valid starting point. To prevent a cyberwar, potential red lines exist in cyberspace. Even if those red lines are ill-defined, nation states understand the potential for backlash from a cyber attack to escalate into a cyberwar or lead to an armed conflict. The lack of clarity creates unease on an accepted threshold of response between an effect from a cyber attack and an appropriate military response. Instead of clarity, there is a complex and multidimensional
interaction of politics, strategy, and law for such a response. Political considerations of a military response include national and world opinion. The public and international community may not understand the connection between a cyber attack and its physical effect. Even for a cyber attack with physical effects, there might need to be a high degree of harm to allow a military action. Our NATO example has an interaction of strategy, politics, and law, especially for advanced and capable military capabilities. Complexity does not invalidate using military force in response to a cyber attack; instead it forces senior leadership to operate in a highly contested and uncertain international legal environment (Waxman, 2013, p. 121).

The expectation is that a victim will adequately protect themselves from a cyber attack. This protection is mostly through defensive actions and not a kinetic military response or offensive cyber operations. This expectation exists in public and international opinion even with legitimate military responses. This construct of adequate defense has a comparable concept in the Department of Justice (DoJ) guidance for the CFAA. DoJ advice to victims, after an intrusion and its associated investigation are complete, is to take steps to prevent similar attacks from happening again (Jarrett et al., 2010, p. 184). Even after the 2007 cyber attacks on Estonia, NATO developed more formal guidance for supporting Allied nations if they need to counter cyber attacks (Hunker, 2010, p. 9). This assistance was mostly in the form of technical assistance to overcome and mitigate the attack.

We explore the legal and regulatory environment as either helpful or contrary aspects. Underlying and recurring concerns for our cyber response strategy are avoiding escalation of a military response into a war and a possible inability to contain an offensive cyber attack to the intended military target.

Helpful Aspects of the Legal and Regulatory Environment

Cyber defense is the preferred option in our current legal and regulatory environment. A defender has many abilities to isolate and block cyber attacks. These defensive capabilities are increasing with the development of many commercial applications for monitoring technology. New applications and technologies are emerging to provide enhanced situational awareness, threat detection, and behavior monitoring. Many of these applications can operate in an automated mode, with the owner selecting from levels of automation. The emergence of these
commercial cybersecurity capabilities is less a function of government investment and instead comes from commercial demand.

The regulatory environment for cybersecurity has numerous mandates for a government-wide comprehensive cybersecurity strategy and improved cybersecurity capabilities. An example is the Comprehensive National Cybersecurity Initiative (CNCI). Under CNCI, cybersecurity is not an additional activity or a military response but instead a capability implemented as part of a cyber response strategy. The DoD is improving cybersecurity with a reduction of our attack surface and improved cyber situational awareness in the Joint Information Environment (JIE). JIE is developing a sensor grid that extends from individual workstations and applications to the DoD infrastructure. JIE will provide DoD cyber forces with the decision support capabilities to observe, diagnose, act, maneuver, and dependable mission execution in the face of cyber warfare by a capable cyber adversary (Takai, 2013, p. 3). Along with JIE efforts, individual Services are implementing additional cybersecurity efforts. The U.S. Navy is developing a cyber situational awareness (SA) capability for insight into the health of cyberspace, the capabilities at their disposal, and adversary actions (Card and Rogers, 2012, p. 7). These are helpful regulatory actions and contribute to improved cybersecurity.

These efforts for a stronger cyber defense extend beyond the government. Presidential Policy Directive 21 (PPD 21) requires implementation of improved cybersecurity for U.S. critical national infrastructure. Most of our critical infrastructure is commercial, for which the government should not expect the private sector to protect and defend itself, at least not against foreign government intelligence services like those of Russia, China, Iran or North Korea (Cilluffo, 2012, p. 44).
A critical legal and regulatory issue will be extension of DoD cyber defense capabilities to non-DoD entities. Unfortunately, the rules for sharing of technology and information between government and commercial service providers are still in development. Participation tends to be voluntary. Using our NATO cyberwar example, restrictions on sharing of DoD technology and information should be relaxed after a major incident. The hope is that a proactive stance on changing the legal and regulatory environment occurs before a major cyber Pearl Harbor event.

Various elements for CNCI implementation are making progress. The CNCI Information Sharing Architecture on threat and incident data includes commercial entities on a voluntary basis. There are efforts for greater inclusion of commercial critical infrastructure
providers in other technology and information sharing efforts with the government, which may include tax breaks and other financial incentives for their participation.

Contrary Aspects of the Legal and Regulatory Environment

Within the cyber battlefield, many complexities exist to include the nature of the attacker, complex battlefield geometry, and conflicting regulatory responsibilities. Cyber attackers are individuals, criminals, social groups, and nation states. Attack attribution can be difficult with attackers intentionally masking their origin, location, and identity. Attack geometry includes the ability for an attack to be initiated in 300 milliseconds (or less) from anywhere in the world and use multiple hops to mask the point of origin. Cyber attack durations vary from milliseconds to multiple years. Advanced threats can lie dormant and undetected for extended periods of time. Effects of a cyber attack can include information compromise, financial loss, equipment damage, service disruption, or death.

There is a difference of authority and interest between the Department of Defense, Department of State, Department of Justice, and National Intelligence for a cyber attack (Breuer, 2013, pp. 3-9). Attackers can exploit cyber geometry for attacks to cross jurisdictions and authorities. Depending on the geometry of the attack, these different authorities may be required for a cyber response. Cyber attacks require classification, description, and behavioral analysis, which can consume time and personnel. The nature of the cyber battlefield allows the attacker to have an advantage.

Our NATO scenario of cyberwar between nation states allows for simplification of attacker complexities, battlefield geometry, and conflicting regulatory responsibilities, but not elimination. In the NATO definition, the attacker and points of origin should be known.
If a system is compromised, an operational commander should know whether the system is still usable in full or degraded mode, identify alternatives to aid the commander in completing the mission, and finally, provide the ability to restore the system to a known, trusted state (Department of Defense, 2013, p. 34). The default mode of operation is to isolate a compromised asset, but intelligence needs may override this isolation. Overlapping authorities still exist in the NATO scenario, as intelligence can use a known compromised system to provide false or misleading information to an opponent. The existence of competing interests between operations and intelligence is an example of the lingering complications for even a known compromised system with an identified enemy.

There are numerous legal and regulatory restrictions on offensive cyber operations. Offensive cyber weapons can operate across the phases of military operations, from probing an enemy before conflict to disabling specific enemy capabilities in time of war. Legal regulations start with the construct of authorization (as with the CFAA) to be in another's system or network. Regulatory restrictions include the authority of operational and tactical commanders to conduct offensive cyber operations. Even using the NATO definition of cyberwar, current doctrine has offensive cyber attacks approved at the Combatant Commander (COCOM) level. Authority for offensive actions is highly centralized within the U.S. government and that decisions involve the president himself (Leed, 2013, p. 4).

Another issue for offensive cyber operations is that the nature of the enemy system impacts the ability to conduct cyber operations. The ability to carry out offensive cyber operations is a direct function of the weakness of the target system (Libicki, 2012, p. 323). A dilemma of offensive cyber capabilities is that acknowledging a capability can result in its loss. Making what is vulnerable clear may be unnecessary, perhaps unwise. Every hack leads to fixes that make the next exploitation much harder (Libicki, 2013, p. viii).

Additionally, there are concerns of limiting the effect of a cyber weapon to the intended target and not affecting a wider public network, which follow the humanitarian law constructs of proportionality and distinction. Even in a cyberwar with a known nation state, there is a concern that cyber weapons will network beyond their intended target. Our NATO definition of cyberwar does not ensure that the humanitarian constructs of proportionality and distinction are maintained by an offensive cyber response. It is possible for unintended effects with the use of an offensive cyber weapon.

The existing DoD cyber environment and policy contain problems for response to cyber attacks, especially automated offensive cyber responses. There is a need to automate analysis across almost all aspects of evaluating a cyber attack. Cyber attacks have a range of response times, with some attacks requiring a near-real time response, but not all responses to cyber attacks should be automated. Most DoD legacy infrastructure and applications are not secure or resilient to advanced cyber threats. As our infrastructure and applications are redesigned and upgraded with advanced cybersecurity technologies, our ability to automate cyber responses increases. Our policies need to consider adjusting limitations on the use of a technology due to concerns of unintended consequences. Just because a technology can perform a task does not mean that the technology should be used for that task. Similar restrictions exist in the kinetic
world for automation of response to physical attacks. The existence of complex threats and the need for rapid response compel development of a strategy with a range of automated cyber responses. Even using the NATO definition of cyberwar between nation states, desires to maintain control and have a man in the loop impose severe restrictions on automated offensive cyber response.

Conclusion

Understanding the law of cyberwar is critical for the development of a cyber response strategy. Cyberspace is a complex domain with many complexities and complications. Cyber attacks are a real threat with severe potential consequences. The range of response actions requires an understanding of our current and evolving legal and regulatory environment. In any cyber response there is an interaction of politics, strategy, and law. Cyber defense is the preferred option for most cyber threats, but may not be adequate for all threats. There is a need for a range of military options to include offensive cyber capabilities and kinetic military response. A military response might be allowed under the construct of self defense, if a cyber attack produces effects in the real world. A kinetic effect from a cyber attack does not mean that a nation will necessarily reply with a kinetic response. Leaders must consider that the public and international community may not understand the connection between a cyber attack and an acknowledged effect, due to technical complexity, attribution, and/or secrecy. These considerations are just part of the complexity in the design of a cyber response strategy.

By understanding the opportunities and challenges of the legal and regulatory environment, a successful course for cyber response is possible. A cyber response strategy is not a silver bullet that relieves senior leadership of developing the proper legal and regulatory environments.
Developing a cyber response strategy, along with developing our legal and regulatory environments, improves our ability to defend, respond, and avoid escalation in cyberspace. Considering advancing cyber threat capabilities and our dependence upon cyberspace, there is an urgent need for developing our cyber response. If a cyber Pearl Harbor happens, it could be too late to develop the law of cyberwar to prevent undue pain and suffering.

References

Breuer, P. (2013, September 13). How to split the hair: Challenges to DoD Computer Incident Response. Cyberlaw Class Presentation. National Defense University. Washington, D.C.

Card, K. and Rogers, M. (2012, November). Navy Cyberpower United States Navy. Washington, DC. Retrieved on 5 September at

Cilluffo, F. (2012, August). The U.S. Response to Cybersecurity Threats. Defense Dossier. Issue 4. American Foreign Policy Council. Retrieved on 20 September 2013 at

Department of Defense. (2013, January). Resilient Military Systems and the Advanced Cyber Threat. Defense Science Board Task Force Report. Washington, D.C. Retrieved on 1 September 2013 at

Department of Defense Chief Information Officer. (2013, May 25). DoD CIO Capability Planning Guidance for Fiscal Years 15 to 19. Washington, D.C.

Executive Office of the President of the United States. (2010, March). The Comprehensive National Cybersecurity Initiative. The White House. Retrieved on 20 September 2013 at

Hunker, J. (2010, November). Cyber war and cyber power Issues for NATO Doctrine. Research Paper No. 62. Research Division - NATO Defense College, Rome. Retrieved on 24 September 2013 at

Jarrett, H., Bailie, M., Hagen, E., and Etringham, E. (2010, October). Prosecuting Computer Crimes. OLE Litigation Series. Computer Crime and Intellectual Property Section Criminal Division. Department of Justice. Retrieved on 24 September 2013 at

Leed, M., Lewis, J., and McCreary, J. (2013, September). Offensive Cyber Capabilities at the Operational Level. Center for International and Strategic Studies. Retrieved on 25 September 2013 at

Libicki, M. (2013). Brandishing Cyberattack Capabilities. Rand Corporation. Retrieved on 5 September 2013 at

Libicki, M. (2012, Fall). Cyberspace Is Not a Warfighting Domain. I/S: A Journal of Law and Policy for the Information Society. Retrieved on 5 September 2013 at

Lin, H. (2010, August 13). Offensive Cyber Operations and the Use of Force. Journal of National Security Law and Policy. Retrieved on 24 September 2013 at

Obama, B. (2013, July 19). Taking the Cyberattack Threat Seriously. Wall Street Journal Online. Retrieved on 4 September 2013 at

Obama, B. (2013, February 12). Critical Infrastructure Security and Resilience. Presidential Policy Directive (PPD) 21. Office of the Press Secretary. The White House. Retrieved on 1 September 2013 at

Secretary of Defense. (2012, May 1). Transitional Framework for Cyberspace Operations Command and Control. Memorandum for Commanders of the Combatant Commands. Washington, D.C.

Takai, T. (2013, September 26). Joint Information Environment Implementation Guidance. Department of Defense Chief Information Officer. Washington, D.C.

Waxman, M. (2013, June). Self-defensive Force against Cyber Attacks: Legal, Strategic and Political Dimensions. International Law Studies. Volume 89. U.S. Naval War College. Retrieved on 1 September 2013 at

Waxman, M. (2011). Cyber Attacks as Force Under UN Charter 2(4). International Law Studies. Volume 87. Retrieved on 19 September 2013 at https://www.usnwc.edu/getattachment/23bd0c48-96bf-4ffd-a64c /cyber- Attacks-as--Force%E2%80%9D-under-UN-Charter-Article-.aspx