11 Jul 2016

The Legal Implications of Cyberwar

James Connelly, Professor of Political Theory at University of Hull and Director of the Institute of Applied Ethics, has just presented a paper at the 2016 Euro-ISME conference and is the principal investigator of the ESRC funded project, ‘The Common Good: Ethics, Rights and Cyber Security’. He discusses some of the questions surrounding the ethics of cyber counter-terrorism and the implications for legal systems with the Robotics Law Journal.

By Tom Dent-Spargo

http://www.123rf.com/profile_stevanovicigor

What is cyberterrorism and is it distinct from cyberwar?

They are distinct but their definitions overlap, and can sometimes be used interchangeably. The old-fashioned view of a war is that you have two opponents who openly declare war, and if it is to be a just war, there are also certain conditions that are upheld regarding how the war will be fought – not harming innocents, treatment of prisoners and so on. In the case
of cyberwar it’s not clear if it’s ever declared. A lot of cyberwar consists of a series of cyber attacks, but when do they constitute a war? Is one attack a war? Cyberwar, in a sense, has a parallel with Pearl Harbour in this regard. Pearl Harbour itself wasn’t a war, it was an attack with no declaration, though it led to the US declaring war. Cyberwar seems often to take that form. Cyberwars are usually not of the type or duration of war that we’re used to. In that way it is remarkably like cyberterrorism.

The difference between the two often depends on who the perpetrators are and you have to consider what distinguishes conventional war from terrorism in the first place. One way of looking at it is to say that terrorism is something that non-state actors do (even though state actors can use terror, you don’t normally call them terrorists). Terrorism tends to have political goals, as does war. However, terrorism does not typically abide by, or seek to abide by, the rules and conditions of war. In principle, cyberterrorism and cyberwar are overlapping but different.

In cyberwar, the effects that we are concerned with are principally measurable physical effects. In that way, it is clear that cyberwar and cyberterrorism are almost the same as war and terrorism respectively but simply by other means. It’s a delicate question because they are closer to each other than traditional war and terrorism are to each other. Though it has to be noted that conventional warfare has changed a lot in recent years. It has now moved to small asymmetrical guerrilla-type conflicts, instead of a traditional conflict between two opponents. Examples include fighting in the Vietnam jungle or Iraq desert as opposed to the British and the Germans taking it in turns to bomb each other.

In the future, it’s likely that we will stop talking of cyberwar or cyberterrorism as being separate entities, instead being just a component of war and terrorism. Cyber attacks will still be recognised as distinct, but the other lines will have blurred.

Which systems are most likely to be targeted?

Ultimately, the only attacks that will be seen as worth doing are the ones which have physical effects, and most cyber attacks do. The most ‘innocent’ looking attack will have some effect you can feel, even if it is just slowing down a system. For example, if you were to hack into the stock exchange and just slow down its processes, people will gain or lose money, and therefore gain or lose power, property and so on. Slowing down that system at a specific moment might be enough to gain a crucial advantage.

Certain types of weaponry are obvious targets, either their development or their operation. On the state level, if you suspect another state of secretly developing a nuclear bomb, you target a nuclear power station’s systems, in order to hinder or disable the development. Most types of weaponry now are part of the internet of big things, with ships being designed and arranged electronically; gaining access to such a ship’s operation would grant you great power in the physical world.

Terrorism is unlikely to ever draw the distinction between military and civilian targets, and in the cyber world, civilian systems are being targeted more often. Anything that’s operated electronically will offer some route of remote access. Cyberterrorism is likely to want to cause as much havoc as possible in order to cause the terror to gain its political goals. Cyberterrorism is likely to target civilian systems; as collateral damage, or where you want to simply slow down a system to gain an advantage.

Cyberwar, being considered the cyber arm of normal war, might target all sorts of systems but remain restricted to military targets. Obviously sometimes in war there is collateral, some civilian loss of life or civilian harm caused indirectly by targeting
a military target, but there is usually an attempt to keep such damage to a minimum. A cyberwar is likely to maintain this restraint against targeting civilian systems, or to at least keep this collateral at a low level.

However, the opening up of civilian systems makes the possibility of ‘Total War’ that much closer. If a war becomes a ‘Total War’ both parties might start targeting civilian structures, directly or indirectly.

What are the responses to cyber terrorism?

There are two major responses: one is just making sure that you are building good cyber walls against any potential attack; the other is to attack the potential attackers, either pre-emptively, or if you have failed to build a good cyber wall, retroactively. Primarily, the response is to focus on enhancement of cyber security.

The reason for this is because of the proliferation of cyber attacks; it has to be assumed they are happening all the time. As a very primitive example, phishing emails are rife in the internet, and are sent to everyone. Most of the time these are safely ignored, but the numbers are impossible to quantify. It then goes all the way up to more sophisticated and invisible attacks, equally hard to quantify. So we don’t know how much of this is going on.

On a personal level, you know when you have had a computer virus, but not necessarily when you receive an unsuccessful attack, just as with physical colds and viruses. I have been in contact with people who have had them and not known about it. But on those occasions when I have caught a cold, one of the first thoughts is, ‘who gave me this?’.

Tracking a successful attacker is desirable, but if you have a good enough security system, you’re unlikely to be able to find out who it was as the attack will have likely just ‘bounced off’. So it’s almost a paradox that it’s possible to have a great security system but it denies you the ability to find out who are these agents and so you can’t improve it further. Due to the severe quantity of attacks and the difficulty in ascertaining the identity of the attackers, the main response is to increase the security.
Even more important than who is how. Whether or not the full extent of the attack was successful, how they got through the security system is vital information for increasing the level of security.

How is this coded in law?

Essentially it is a case of modifying the existing law to cover cyberwar or cyberterrorism, or simply stating how it will be applied in these situations.

The Tallinn agreement is the most high profile international agreement, though non-binding, about how international law applies to cyberwar (due for a second edition later this year). There is an enormous amount of international law and agreements of the conduct of cyberwar out there, ranging from international and regional agencies, to action plans released by the G8. So there is a lot of legislation there, aimed mainly at ensuring that states have the right tools to combat the cyber threat.

Proportional response is a much trickier issue with cyber attacks, which often take the form of small and seemingly insignificant attacks over a period of time, each one almost unnoticeable, but that have a huge cumulative effect. In response to an individual attack, a direct attack in response would seem to be out of proportion. The questions of at what point are you justified in fighting back becomes difficult to answer, and depends on the nature of the cyber attack. Sometimes they have immediate and obvious effects, but often they are less tangible.

How do you think the law needs to change in the future?

Both with the law – domestic or international – and ethics, the prevalent view is that we don’t need to change
the principles we have, it’s more useful instead to just modify their application. We need to keep them up to date
for new circumstances, instead of panicking and thinking that we have to change everything, which leads to regarding cyber actions as a completely and utterly new issue, different from everything else. A cyber attack is still the basic idea of ‘I’m going to attack you for a purpose,’ whether it’s cyberwar, -crime, or -terrorism. It’s the threshold questions that are different.

If you start with cybercrime the question is what is it in law you need to focus on? Is it the intended outcome of the crime or is it the means that they employ? Normally it’s the intended outcomes, and that’s no different to the laws we have now. It doesn’t matter if you sneak your way into the Bank of England, explode your way into it, or electronically transfer funds out of it, the point is, you’re trying to run off with the money. That is what you are targeting in law, not specifically the means of the theft.

Attacking the means is not usually a viable option. In the example above, it would be similar to banning all cars just because the robber used a car to get to the bank. The method is not relevant compared to the intended outcome; and if cars are banned, the burglar will just walk to the bank the next time.

It should be an extension of law, rather than something you have to rebuild from the foundations. The Tallinn agreement is essentially doing that, codifying the way that the law needs to be applied to cyberspace as oppose to redefining the law.

What are the main challenges for the law?

There are new and more cunning methods of attack being developed all the time, leading to unanticipated possibilities using cyber means. Because of this, in the cyber world, the law can fall behind very quickly.

The speed of new technologies and methods of attack can take advantage of loopholes in law, similar to tax havens. Tax evasion is illegal, but there are ways to get around that that are exploited. There are new ways of laundering money using the internet and other technologies, making it easier than it is do that physically. Because the range of the means keeps expanding, the law must be updated regularly to keep pace.

Identity theft using Facebook meta data is something no one thought could be a possibility ten years or so ago. This example is still tied in to the idea that there are limits on how much you are allowed to find out about people. The prevalence of information afforded by the internet has given us this new problem (or new aspect to an issue) which needs to be coded in law.

Something that can be directly criminalised is deliberate attempts to gain information, knowledge or property that isn’t yours, which is why intellectual property rights are so important. If I am trying to hack into a system to gain knowledge which isn’t mine, that’s no different from any other form of robbery or theft.

We want a free internet; if we’re not paying for it, then we’re the product. We are the ones the companies are buying and selling, that’s why people want our data, we are the products for the companies. What are the limits of that data gathering? That is one of the truly new things that we need to account for in law.

Who needs to be involved in the discussion of the ethics of counter-cyber terrorism?

It’s a question of stakeholders. One can argue that there are differences and distinctions between cyberwar, terrorism, crime. The principal stakeholders are the main agents of the state. The armed force, police force, the security force, the intelligence
force, all these are going to be involved in cyberterrorism, as is the case with normal terrorism. All the organs are going to be called in to counter cyberterrorism. The difference is that there are going to be specialist divisions in those agencies to specifically deal with the new type of threats.

The other people that need to be involved are normal citizens. People are being asked to report others if they see examples of cyber bullying or mysterious behaviour. If someone is suspected of recruiting others to go to IS through a laptop, citizens are being encouraged by the state to turn in those people. There is obviously a danger of this going overboard – people reporting anyone because of personal biases and so on. Vigilantism has to be avoided, but citizens keeping an eye out for potential problems should not discouraged. Engaging the public properly is going to be important if they are going to be involved in this discussion. The public is an important stakeholder.
This work was supported by the Economic and Social Research Council.

 


related topics