Are International Laws and Treaties Enforceable in Cyberspace?
There have been several efforts to draw international treaties to address cyber crime and regulate cyber conflict, yet reaching consensus has been difficult. Each state has its own legal system with diverse laws based on societal values, political establishment, and social norms developed through centuries. International law has been painstakingly developed, with laws typically enacted following horrific incidents that brought global consciousness to the fore. We have not seen anything of similar proportion in cyberspace, and therein lies one reason for the inertia.
Political leaders are reluctant to face the new realities of globalization by changing policies and laws to address the problems that come with it. In part, the reluctance is because effectively addressing these problems entails harmonizing laws across all countries at the potential expense of the domestic audience. Instead of striving for genuine compromise, some countries continue to reiterate intransigent positions while pressing their own views on other countries. This can be seen as using subterfuge to continue building an arsenal while working to slow others down in the same pursuit.
Physical vs Cyber
Several scholars have argued that the cyber domain is not distinct from the physical, and that current international laws should apply to both. On this view, there are many analogies between cyber conflict and other forms of warfare, the principles of conflict can apply to both, and consequently the rules of conventional warfare also apply to cyberspace.
However, there are enough differences and singularities in the cyber domain to make the enforcement of conventional rules of warfare untenable in several cases. I believe we need to learn from existing international laws — to take them as a guide — but seriously think through the unique issues of the cyber domain as we build new international cyber jurisprudence.
There are several laws that are applicable to cyber conflict, including:
1. Right to Armed Conflict
2. The Law of Neutrality
3. Humanitarian Law
We examine each of these laws dealing with international conflicts and raise key issues regarding their adaptation to the cyber domain given issues of attribution.
Right to Armed Conflict
The right to armed conflict has evolved through a series of agreements, and has several clauses:
1) War should be waged by a legitimate authority rooted in the notion of state sovereignty.
In cyber conflict, what is a legitimate authority? Cyber warfare is covert warfare, typically conducted by proxies of countries. Are the proxies of nation states legitimate? Would nation states ever agree to the notion that the entities committing the attacks are their proxies? What if the proxies are operating outside of the country?
2) The aim of war must not be to pursue narrowly defined national interests, but rather to re-establish a just peace.
What is a just peace in cyberspace? Can a pre-emptive strike for national interests be justified?
3) The need to weigh the costs and benefits involved in waging war (including human life and economic resources).
There is a need for immediacy in cyber warfare when launching a counterattack. It is often difficult to make an accurate assessment of the pros and cons of such an attack in such scenarios.
4) The need to ensure that a counterattack be proportional to the violence being encountered.
The concept of proportionality is based on an assessment of damage, which often takes a long time to analyze in the cyber world. The need for immediacy of reaction makes it difficult to ensure proportionality.
5) We must exhaust diplomatic options prior to violence.
Ambiguity in attribution and the resultant diplomatic wrangling can be long processes, while the need for response to repulse the attack (and cause collateral damage) has great urgency.
The Law of Neutrality (Hague Convention V of 1907)
The Law of Neutrality regulates the coexistence of states at war and states at peace. This law asserts that neutral countries should not allow their resources to be used by one country to attack another. It places the following responsibilities on neutral countries:
• Refrain from participating in the conflict
• Maintain impartial treatment of combatants
• Prevent belligerents from committing violations of neutrality on their territory, including use of force if necessary
• Intern combatants found on territory until end of hostilities
What does participation mean in the cyber domain? Does a bot server located on neutral territory violate the tenets of the Law of Neutrality?
The fundamental problem with the applicability of these laws is the weakness of national cyber infrastructure. Computers of a neutral country can be infiltrated without its knowledge in order to launch an attack. Can we hold these countries responsible for the attacks launched by other countries, especially if the neutral country does not have the technical ability or resources to adequately secure its networks?
These laws also prevent combating parties from using neutral territories to move weapons, troops, etc., or recruiting combatants from neutral states. Can the citizen of a neutral country working voluntarily with a combating country put the neutral country in legal jeopardy? In the case of the attack on SONY, for example, multiple countries were responsible and the attribution was never clear.
There has been a particular emphasis on the application of International Humanitarian Law (IHL) to cyber conflict. IHL defines a set of rules that limit the effects of armed conflict (LOAC) by protecting individuals who are not, or are no longer, participating in the hostilities, and it restricts the means and methods of warfare. While one between the cyber and physical domains must be considered. In several instances the citizens of a country are involved in launching attacks themselves; are they legitimate targets of a counterattack?
It is important to note that laws are subject to interpretation based on circumstances and point of view. They can be applied erroneously, inconsistently, misused for parochial reasons, or flouted for reciprocity, based on flimsy grounds. The laws need to be defined so that they are unambiguous and enforceable, which is difficult in the cyber domain. Attackers can use the Internet’s cloak of anonymity to camouflage their true identities. There are several explicit factors that make enforceability and ambiguity issues particularly difficult for cyber crimes.
As intelligence agencies and militaries of states are increasingly engaging in espionage and subversive activities against other nations in cyberspace, distinctions between cyber crime and cyber warfare are blurring. It is difficult for the leadership of one state to distinguish whether attacks on a website or online theft of data are actions of individuals in another state who are motivated by financial gain or by political or religious ideology, or actions taken by that state’s intelligence agency or military. Since motive is unclear, it becomes very difficult to differentiate potential acts of cyber war from cyber crime.
Attribution is one of the largest challenges in the enforcement of cyber warfare rules. Must we be able to unambiguously identify the perpetrators of a crime to apply an international law? There are three categories of attribution problems. First, attacks through the Internet are notoriously difficult to attribute. Attackers can camouflage their actions by exploiting a lack of security on many hosts, allowing them to use machines in a third country for launching attacks. Without proper cooperation or surveillance across borders, it is hard to have high confidence in attribution. The second problem deals with delivering attacks on secure systems through other media, such as thumb drives, CDs and DVDs. An example of this was the Stuxnet worm introduced into Iranian nuclear facilities. For these secure systems, forensics and intelligence should identify the source of the weapon. The third attribution issue is malware that is preloaded in hardware and software.
Technical attribution requires network forensics: data is collected from various sources, and then a chain of evidence is built to identify the perpetrators. If we are able to collect evidence in time, we have techniques to provide reliable attribution. However, the key challenge in data collection is the dispersion of the data across the network. Several pieces of information are available, but information can be spoofed, making attribution harder.
IP address attribution is less useful if the IP address of the host that initiated the attack is spoofed, or belongs to an intermediate host. One may also be able to discover the machine assigned the IP address at the time of the attributed action.
For attacks conducted via e-mail, knowing the e-mail address potentially serves as a useful way to identify the source computer, e-mail address holder, and ultimately the perpetrator. Unfortunately, since e-mail addresses are also easy to create or spoof, an e-mail address is often a dead end for attribution.
Determining the physical location of the source of the attack is important so that jurisdiction can be established, and search warrants or other actions can be taken, as appropriate in the case of crime, terrorism, or war-like activities.
Identifying the actual individual who was at the attacking computer is the final step of attribution. However, beyond identifying the individual, sufficient attribution may also require determining whether the individual was acting on behalf of a foreign government, terrorist organization, or criminal group.
Consider the SONY hack:
• Analysis of the malware used in the attack shows similarity to previous malware linked to North Korea. The similarities were in lines of code, encryption algorithms, data deletion methods, and compromised networks.
• It was also noticed that several Internet Protocol (IP) addresses associated with a group of North Korean businesses located in Shenyang in northeastern China were hardcoded into the data deletion malware used in this attack.
• The tools used in this attack also had similarity to a cyber attack against South Korean banks carried out purportedly by North Korea in March 2015.
As you can see here, a lot of the attribution is conjecture, based on circumstantial evidence. It also largely rests on IP addresses that we all know can be spoofed, sometimes deliberately, to misdirect attacks. Also, the evidence is based on private-vendor data and the sources of the data are still secret. Unless we change the standards of attribution, this seems like weak attribution that would not stand in any court of law. Therein lies the difficulty in responding to cyber attacks.
What is the future of attribution?
The fact that cyber attacks by one state on another can be outsourced to private contractors, conducted through botnets of the zombie computers of unknowing people and organizations, and distributed across the globe makes it incredibly difficult to ascertain many facts about any given attack. These factors greatly complicate the gathering of sufficient evidence to establish who is actually responsible for an attack and the motive behind it. Yet the responsible party(ies) and a motive are critical factors to ascertain if the crime is to be subject to adjudication informed by the Law of Armed Conflict. When military personnel conduct an attack in physical space using conventional weapons, like guns, cannon, aircraft and rockets, the facts of who shot whom first may be complicated and shrouded in self-serving disinformation. Nevertheless, there are reports of independent journalists and eyewitnesses, a rapidly growing body of satellite imagery and aerial reconnaissance, as well as photos and videos taken by civilians and military service personnel that are often quickly uploaded to the Internet. In cyberspace, ascertaining that an attack even occurred, let alone from where and by whom, is fraught with difficulty.
Moreover, given that it is so difficult to attribute responsibility for a cyber attack, it is difficult for the victim of the attack to respond in a manner (i.e., proportionately) justified by the Law of Armed Conflict.
If a state that has been attacked cannot effectively respond with an accurately aimed counterattack, states cannot credibly threaten to punish any state that initiates a cyber attack. Lacking such credible threats, states are unable to effectively deter other states from launching cyber attacks as they may be able to deter attacks conducted in physical space, whether by conventional or nuclear weapons. Without the ability to credibly threaten attacking states with retaliatory punishment, any effective enforcement of collective security arrangements among groups of states or the international community is seriously undermined.
Even if the world’s states were to negotiate, sign and ratify a universal cyber peace treaty, individual states could easily violate the treaty without fear of retribution, given the difficulty of enforcement.
What to do? I take you back to my opening statement, that these issues of international cyber crime and conflict are ‘seemingly’ intractable. I have just spent considerable time detailing current issues, dilemmas and difficulties associated with attribution and retribution in cyber crime, which seem to dramatically limit the applicability of established international law in the cyber domain. However, these laws, and the principles behind them—international cooperation, responsibility for justice, and mutually beneficial security for all—are precisely the beacons that must guide us as we work to establish the technical means to improve attribution and forensics capabilities. Increasingly, the analysis of malware is being used to establish provenance of the code and subsequently to establish attribution. Over time, attribution will become more reliable and we need to be ready with the legal instruments and political consensus to effectively deal with cyber issues as an international community.
Just as the world turned to international law after World War II for regulation and security in the new reality of nuclear weapons, we must be steadfast in our efforts to build a foundational international consensus to regulate cyber crime and cyber warfare. The technical issues of attribution that currently exist are evolving as we speak; the need for cooperation, and effective jurisprudence, however, are timeless, universal, and much more important than the technical hurdles we must overcome.
The Internet is quickly transforming from a community gathering and marketplace to a conflict zone with threats from multiple actors. We stand at a threshold: we can preserve the Internet as a resource for our own and future generations around the world, regardless of country of origin, political or religious affiliation, or allow it to be destroyed through mutual distrust and parochial needs. As an optimist, I trust that we will be able to prevail and maintain its goodness. I strongly believe that the difficulties we’ve detailed here today are surmountable by a steadfast dedication to consensus-building. We need to establish mutual goals in a combination of forensics, intelligence, law and politics that can form the basis of an international cyber forum.
We have a lot of work to do in understanding the problems and finding solutions that are fair to the entire community, including balancing competing interests of nation states.
This speech was delivered at the 11th Scientific Conference of the International Research Consortium on Information Security, as part of the International Forum on «Partnership of state authorities, civil society and business community in ensuring international information security», held on 20-23 April 2015 in Garmisch-Partenkirchen, Germany. It is published on Digital.Report with explicit permission from the conference organizers.