1 IS THERE SUCH A THING AS A VIOLENT ACT IN CYBERSPACE? By Michael Turner International Security and Intelligence Summer School 2013 Pembroke College University of Cambridge
2 INTRODUCTION Thomas Rid, in his paper Cyber War Will Not Take Place (1), claims that of all the cyberattacks that have taken place, none so far have been violent. Rid claims that Cyber war has never happened in the past. Cyber war does not take place in the present. And it is highly unlikely that cyber war will occur in the future. And part of that claim is the belief that cyberattacks are not violent: the causal chain that links somebody pushing a button to somebody else being hurt is mediated, delayed, and permeated by chance and friction. I however think Rid focuses too much on the method of the cyberattack when analysing the level of violence and he does not consider all of the consequences of a cyberattack. I get the feeling Rid thinks the link between the initial attack across the network and the indirect damage done to individuals and structures in the physical world is too loose and therefore it s inappropriate to claim cyberattacks are violent. J. Lewis does a better job at expressing the opposite view to Rid in the paper for the Center for Strategic and International Studies (2): the weapon is, for all practical purposes, intangible, tiny electrical pulses whose lethality comes not from their own innate destructive capacity but from the ability to instruct other tangible systems to malfunction. I will stress however that the purpose of the this paper is not to go up against Rid s main conclusion that cyberwar will not take place others have already responded to Rid, for example Cyber War is Inevitable (Unless We Build Security In) by Gary McGraw (3). Instead I will just focus on assessing the violence of a cyberattack, if at all violent, whether that s a hypothetical or a historical cyberattack. In this paper I will explain how I d like to define cyberspace and I will explain that the important aspects when assessing the level of violence of a cyberattack are the consequences and not the methods or mechanisms of the attack. I will look at what violence is in the physical world and then apply that knowledge to assess the violence of several hypothetical and historical cyberattacks, with a more in-depth look at the Stuxnet attack. However, I am not going to talk about cybercrime or cyberespionage, these topics fall outside the scope of this paper. WHAT IS CYBERSPACE? Having looked at several explanations of cyberspace I personally think the clearest and simplest to understand explanation is by Lior Tabansky (4). Tabansky doesn t try to concise the explanation to a sentence; Tabansky instead takes time to explain cyberspace in terms of 3 separate layers. Tabansky describes the first layer as being the physical layer, which contains physical objects such as processors, storage devices and communications infrastructure etc. that are capable of providing the physical infrastructure for the other 2 layers. Sitting on top of the physical layer are the software layer and the data layer; the software layer being the programs and the set of instructions that a computing device follows and the data layer is the information that a computer stores and uses within the computer s programs. As there is only one aspect of cyberspace that is rooted in the physical world, cyberspace is a very different space to the physical world we live in. The behaviour within cyberspace can differ greatly to
3 the physical world. Hence, what can be described as cyberwarfare, cyberattacks, cyberespionage or cybercrime can look very different to the actions without the prefix cyber, despite the cyber version being the cyberspace analogy of the physical world action. VIOLENCE IN THE PHYSICAL WORLD Violence is not an easy word to define, and what levels of violence are acceptable change over time and vary across the world, as the World Health Organization states in the World Report on Violence and Health (5): A generation ago, for instance, the cane was a regular part of discipline in British schools, used to beat pupils on the buttocks, legs or hands. Today a teacher in Great Britain can be prosecuted for using physical restraint of any kind on a child. Despite acknowledging the ever changing tolerance of violence, the World Health Organization then go on to define violence in their report as: "the intentional use of physical force or power, threatened or actual, against oneself, another person, or against a group or community, that either results in or has a high likelihood of resulting in injury, death, psychological harm, maldevelopment, or deprivation." However the Oxford English Dictionary (6) regards violence to not just be restricted to the harm of someone, but also something. Thus it encompasses more than the WHO s definition. The definition given by the WHO is a good definition of violence, although I will also consider the damage to physical objects as violent. However I don t think we can split actions into violent actions and non-violent actions. I think violence is a continuous scale of intensity. Within the British legal system we have acknowledgement of the different levels of intensity as can be seen by the progression: common assault, ABH, GBH, manslaughter and murder. If there was just a violent act or a non-violent act would they not all bring the same penalty if they were all classed as violent? To try and find a definition of violence when there is this intensity scale of violence would amount to finding the fine line that then separates a violent act from non-violent act. I think this is the wrong approach, as the perception of where that line is will depend on person to person, country to country and will inevitably change over time. Within this paper I will not worry too much about whether an act is violent or not, but instead concentrate more on comparing different cyberattacks and finding their relative intensity of violence. Looking at violence in cyberspace is not easy however, as humans can not directly be harmed by cyberattacks we are not elements of cyberspace. This is also true of every other animal, plant, rock etc. on this planet. Hence in cyberspace, we are not looking at the direct attack to see how violent the act is but instead the indirect consequences of the attack. Events are often undetected until after the damage is done, the attack itself may take only a fraction of a second to complete its task, and its direct impacts may be unclear (7). For example in a hypothetical scenario, forcing components in a hospital s electrical power system to malfunction causes direct harm to those components, but the indirect harm could be that individuals within that hospital that are on a life
4 support system may die and patients in need of urgent medical care that would be expected to survive could die as a result of the inability of the hospital staff to provide the care that they would be able to provide under normal circumstances. In this case I would say the cyberattack had caused the loss of life and so is can be considered an especially violent act. This is I think a problem with assessing the intensity of the violence of a cyberattack, before the attack happens we are merely speculating on how much harm it will incur but even after an attack has happened we will be trying to judge which parts of the damage that have occurred can be explained by the attack. If it was just direct consequences then it would be easier, but the harm it causes to individuals and structures will always be secondary and indirect. To highlight this, think of the effects of a nuclear weapon; it has the immediate effect, the effect of the initial explosion which directly destroys individuals and structures, but there is also the lasting nuclear fallout which continues to cause harm indirectly long after the event has taken place. In this example we can see both the direct and indirect consequences. DISTRIBUTED DENIAL OF SERVICE AND PORT BLOCKADES There are many different types of cyberattacks, but in this section I m going to argue that the cyberattack is not what s important in deciding just how violent the attack is, but rather the important aspects to consider are intended targets and the potential consequences of the cyberattack. The method of the cyberattack is not important in assessing the level of violence. In this section I m going to focus on distributed denial of service (DDoS) attacks. I will show that different levels of violence can be inflicted by just one method, highlighting that the method does not itself decribe the level of violence. DDoS attacks are types of attacks that do not force the physical elements in cyberspace to malfunction but instead shut down a software or network service. The direct consequences of DDoS attacks only affect the virtual software and data layers of cyberspace and not the physical layer, so we could think of DDoS attacks as being the least violent type of cyberattack. I will show that this is irrelevant however as it is the overall consequences, direct and indirect, that matter. As part of Rid s (1) claims that cyberattacks aren t violent, Rid quotes Andrus Ansip to reason that DDoS cyberattacks are non-violent. Andrus Ansip, then Estonia s prime minister, asked, What s the difference between a blockade of harbours or airports of sovereign states and the blockade of government institutions and newspaper websites? It was of course a rhetorical question. Yet the answer is simple: unlike a naval blockade, the mere blockade of websites is not violent, not even potentially; unlike a naval blockade, the DDoS attack was not instrumentally tied to a tactical objective, but an act of undirected protest; and unlike ships blocking the way, the pings remained anonymous, without political backing. Here Rid focuses on the method of the blockade, pings against ships. DDoS attacks and traditional blockades both stop a service from running for a certain amount of time and so are comparable in
5 that sense. However a blockade is aimed at shutting off trade, whereas a DDoS attack is a general attack that is not confined to stopping just trade. We could launch a DDoS on a TV service and therefore stop people that use that TV service from watching TV, this would not cause harm to anyone and I think could be classed as not showing any violence. Alternatively we could shut down an internet banking service, denying individuals and companies with access to their money. Depending on the amount of time that the service was down for this could be considered violent if people struggle get their money out to buy the necessities of life (food etc.). Or a DDoS attack could be more serious if we shut down a telephony service such as the emergency services, then people who could ordinarily be rescued and saved from fire, illness or injury would not get the help they required and preventable harm would not be prevented. But these examples of violence have only a loose connection to the attack and claiming some level of violence is sketchy. If however an air traffic control system was attacked, the result could be catastrophic for the aircraft involved and the passengers and crew. In an article in New Scientist (8) they talk about the vulnerabilities of air traffic control systems in a different way, but it also claims that ADS-B uses GPS signals to continuously broadcast a plane's identity, ground position, altitude and velocity to networks of ground stations and other nearby aircraft. And so the ADS-B service is a service listening to signals, therefore it can be targeted by DDoS attacks. A target such as an air traffic control system has the potential to cause a significant amount of destruction and loss of life. I would argue that this is a very violent act. The target of the DDoS attack and the effects of that service being prevented from running are the important aspects to consider when assessing the intensity of the violence of the attack. If a DDoS attack causes damage, destruction, harm or loss of life, I argue that it should be considered violent. The intensity of which should be evaluated by the scale of the harm caused. The method may seem non-violent, even the direct effects don t damage physical components, but I argue that it is the overall effects that should concern us. As hopefully you can see from the hypothetical examples above, the level of violence varies dramatically because of the varying target of the attack and therefore consequences of the attack For a historical example consider the attacks on Estonia in 2007, for the story of what happened see Joshua Davis article in Wired Magazine (9). Within this and from the news articles at the time, including this one from the guardian (10), there is no sign of any damage being done or harm coming to any individual. As the level of destruction would have hit the headlines at the time I m inclined to say that there was no harm done, however this is obvious inconclusive. The attacks (DDoS attacks on government and media websites) were quickly contained. This sort of attack caused alarm but did not cause harm and so I would judge this to not be a violent attack. The intent also seems to be a protest at the government for the removal of a statue, not to cause harm to anyone in Estonia. And the intent is something that should come into consideration too when assessing the violence of a cyberattack.
6 INTENT AND VIOLENCE The definition of violence used by the WHO (stated above) states that violence is an intentional act. This then gives several cases where the intended outcome is different to the actual outcome in one way or another. I will talk about these cases in the cyberattack setting. Consider a cyberattack where the intention is to harm, but the outcome is less than expected. The intention was there to begin with, and the will was there to harm, but for some reason the attack did not achieve what it set out to achieve. This could be because of better than expected cyberdefences by the target or because the aggressors did not have the skills to achieve the outcome, or maybe just because of unexpected variations and unpredictability in performance of components and/or software. I liken this situation to attempted-murder. The intent was there but the outcome didn t happen the way it was planned. In my opinion this doesn t make it any less violent, if the attackers were more skilled or maybe luckier, then the desired damage would take place and we would consider it a violent act. The aggressor s lack of skills to carry out the task does not make it any less violent. Similarly consider a cyberattack where the outcome causes greater harm than the intended level of harm. Perhaps there were unforeseen consequences that the aggressor failed to take into account, or the methods were more effective than anticipated. In this case I think of it as an inability to control intended destruction and I liken this to manslaughter, the intent was less than the outcome. It then comes down to your background and country of origin as to whether we view this as a less violent act because the intentions were not to cause so much harm. I would argue that it isn t less violent, especially in cyberattacks where the consequences could be quite severe if a vital infrastructure is taken down. In an article written at the time by CNN on the USA s Aurora project (11), Meserve says that if one third of the US electricity grid goes down, that is equivalent to hurricanes. This is obviously a news article playing on fear and the accuracy should not be taken as truth, but it highlights that there could be serious consequences to come out of cyberattacks and those that are unleashing cyberattacks should take into account the total damage and harm that can be caused by a cyberattack. HOW VIOLENT WAS THE STUXNET ATTACK? Stuxnet was arguably the most sophisticated cyberattack from history. Ralph Langer (12), Sharon Weinberger (13) and the report by the Institute for Science and International Security (14) all give good overviews of the Stuxnet attack. But how violent was the Stuxnet attack? As I ve stated before, I m not going to concern myself with the methods used in cyberattacks, no matter how sophisticated and interesting they are, as is the case with Stuxnet. The important aspects to consider when assessing the intensity of violence of a cyberattack are the intent of the aggressor and the outcome of the attack. The target of the Stuxnet attack was very specific; it was after very specific Siemens industrial control systems and in particular the programmable logic controllers to alter the speed of the delicate centrifuges of nuclear facilities, causing the centrifuges to malfunction. The target is claimed
7 to be the Iranian uranium enrichment facility in Natanz, 60% of the infected devices were in Iran (13). It caused physical damage to the centrifuges, which then needed replacing. It was the first cyberattack in history that caused physical damage all by itself. The outcome then was a low intensity of violence, no individual got hurt but there was a small amount of physical damage caused to complex components of Iran s nuclear facilities. Judging the intent is more difficult though. Nobody has come out and claimed responsibility for the cyberattack and nobody has stated the real purpose of the attack, there is only speculation. The report by the Institute for Science and International Security (14) says: in the event of a malfunction, the safety systems are designed to quickly empty the centrifuges of uranium hexafluoride. Symantec stated in a comment to ISIS that its researchers found no code in Stuxnet that would block the dumping of uranium hexafluoride from the centrifuges. The report then goes on to say: If its goal was to quickly destroy all the centrifuges in the FEP, Stuxnet failed. But if the goal was to destroy a more limited number of centrifuges and set back Iran s progress in operating the FEP, while making detection difficult, it may have succeeded, at least temporarily. These quotes seem to hint that Stuxnet was not trying to cause an explosion or cause serious damage, but merely to slow down Iran s research and development. This is backed up by an article in Breaking Defence (15) that defends the Stuxnet attack by claiming that it actively aimed to limit collateral damage. This may be further backed up an article by Robertson (16) which summarises the Symantec technical report Stuxnet 0.5: The missing Link (17), Robertson s article claims that Stuxnet originally was going to target the gas valves in the nuclear facility potentially causing an explosion. These arguments point to the intent of the attack to be contained to only Iran s nuclear facilities and to not cause massive damage but to slow the research and development of nuclear enrichment, a potential precursor to the development of nuclear weapons. However Stuxnet did spread outside of Iran (let us assume that Iran was the intended target), potentially causing damage outside of Iran. An article in Ars Technica (18) claims that the creators of Stuxnet lost control of the worm and it spread much further than intended (this is possibly exaggerated). This is however backed up by the quote Stuxnet appears to have spread unintentionally and well beyond its targets from the report by the Institute for Science and International Security (14). What is worrying is the impact that Stuxnet might have on the world if some actor wants to use Stuxnet as a basis to create their own malware to bring down power grids, water systems or other vital infrastructures. As said in Sharon Weinberger s article (13), Stuxnet essentially laid out a blueprint for future attackers to learn from and perhaps improve. Stuxnet appears to be an extremely targeted cyberattack; Stuxnet did not affect other nuclear facilities outside of Iran. It appears that the attack was not intended to cause massive destruction or harm individuals (we could claim that it should be classed as cybersabotage). Hence I would class the violence of Stuxnet as low intensity.
8 CONCLUSION I think that when assessing the intensity of the violence of a cyberattack, we should base this assessment on the outcomes and effects of the attack, including indirect consequences, and not on the actual method. This way we can assess the violence of a cyberattack in the same manner that we would assess the intensity of the violence of an act taken outside of cyberspace. We base the assessment on how many individuals and other objects are harmed or damaged and to what degree they are affected. Mirroring the assessment of violence outside of cyberspace, the assessment should take into account the intent of the aggressor, although this may be more difficult in cyberspace as sometimes the aggressor is unknown as their identity has been concealed. I see cyberspace as just another space to do battle in. Just like how the invention of aircraft brought about another space to do battle in, cyberspace is again providing states with a space to form attacks within. I think states will seek to control cyberspace just as they sought to control the skies decades ago. The difference is that the direct effects of the attacks don t result in explosions and loud noises, instead they subtly affect devices connected to cyberspace, and so it s easy to be fooled into thinking that cyberattacks are not violent. The violent aspects of a cyberattack will be very similar to violent acts outside of cyberspace but the mechanisms and methods will be different. Randretsa articulates it well in the article Violence and Cyberspace (19) by saying Just as chemical or biological weapons and neutron bombs, a computer network weapon is likely to cause violence despite the absence of kinetic energy. Although Randretsa then goes on to conclude in the article that ultimately, it seems that the advent of cyberwar constitutes a break with the way that war has been waged so far, a war based on physical violence. Such a virtual fight avoiding death and destruction should be welcomed. This I think is naïve and contradictory, Randretsa claims that cyberweapons can cause violence and then welcomes cyberwar with the thinking that no violence will come of it. I would go the opposite way and say that in the future we are more at risk. We are more at risk because of the spreading of advanced cyberweapons that can be picked up and modified by people who aren t interested in keeping the harm contained and the collateral damage minimized. This then endangers citizens who could become the target. We are also connecting more and more devices to the internet and therefore to cyberspace. I agree with Langø, who says in the paper Defining War and Warfare in Cyberspace (20) Because of the seemingly unstoppable drift towards more and more connectivity, we as a society are becoming increasingly dependent on cyberspace. Due to the inherently weak defensive aspect of cyberspace, it is said that increased vulnerability is the inevitable result of increased dependency. Smart cities, smart grids, smart homes etc. all require dumb devices to be connected to the internet, placing the previously isolated systems at risk. Moreover, the inexpensive nature of cyberweapons mean that it s going to be more than the just the state acting in a violent way in cyberspace, non-state actors will play a part in this story. Unfortunately I think with the expansion of cyberspace and development of exciting new technologies, the opportunities for cyberattacks by the aggressors in the world are much greater, and so there will be more potential for violent acts in the future.
9 BIBLIOGRAPHY 1. Cyber War Will Not Take Place. Rid, Thomas. 1, 2012, Journal of Strategic Studies, Vol. 35, pp Lewis, James Andrew. Thresholds for Cyberwar. Center for Strategic and International Studies. September Cyber War is Inevitable (Unless We Build Security In). McGraw, Gary. 1, 2013, Journal of Strategic Studies, Vol. 36, pp Basic Concepts in Cyber Warfare. Tabansky, Lior. 1, May 2011, Military and Strategic Affairs, Vol. 3, pp World Health Organization. World Report on Violence and Health. Geneva : World Health Organization, Oxford Dictionaries. [Online] Oxford University Press, Richardson, John C. Stuxnet as Cyberwarfare: Applying the Law of War to the Virtual Battlefield. [Online] Social Science Research Network, July or 8. Marks, Paul. Air traffic system vulnerable to cyber attack. [Online] New Scientist, September Davis, Joshua. Hackers Take Down the Most Wired Country in Europe. [Online] Wired Magazine, August Traynor, Ian. Russia accused of unleashing cyberwar to disable Estonia. [Online] The Guardian, May Meserve, Jeanne. Sources: Staged cyber attack reveals vulnerability in power grid. [Online] CNN, September Stuxnet: Dissecting a Cyberwarfare Weapon. Langner, Ralph. 3, May-June 2011, Security & Privacy, IEEE, Vol. 9, pp Is this the start of cyberwarfare? Weinberger, Sharon. 2011, Nature, Vol. 474, pp Albright, David, Brannan, Paul and Walron, Christina. Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? [Online] December Freedberg jr., Sydney J. Cyber Command Lawyer Praises Stuxnet, Disses Chinese Cyber Stance. [Online] March
10 16. Robertson, Jordan. Stuxnet Had Earlier, Potentially Explosive Version, Symantec Says. [Online] February McDonald, Geoff, et al., et al. Stuxnet 0.5: The Missing Link. s.l. : Symantec, Anderson, Nate. Confirmed: US and Israel created Stuxnet, lost control of it. [Online] Ars Technica, June Randretsa, Thierry. Violence and Cyberspace. [Online] Revue Defense Nationale, Langø, Hans-Inge. Defining War and Warfare in Cyberspace. [Online] Hegemonic Obsessions, November Parks, Raymond C and Duggan, David P. Principles of Cyberwarfare. IEEE Security and Privacy. September 2011, pp The Ethics of Cyberwarfare. Dipert, Randall R. 4, 2010, Journal of Military Ethics, Vol. 9, pp Lab, Kaspersky. Kaspersky Lab Identifies Operation Red October, an Advanced Cyber- Espionage Campaign Targeting Diplomatic and Government Institutions Worldwide. [Online] January ber_an_advanced_cyber_espionage_campaign_targeting_diplomatic_and_government_institution s_worldwide.