Cyberattack is an attractive option for warfare. Nation states may find it advantageous to influence or coerce other countries while taking advantage of anonymity and deniability through military campaigns that operate in cyberspace. It has been demonstrated several times in the recent past that the use of malicious cyber code can cause physical disruption of critical infrastructures through manipulation of industrial control systems (ICS).
Cyberattacks also minimize the need to risk military personnel or costly equipment. Malicious code is also reusable, offering a practically bottomless magazine for future attacks. However, such advantages for “clean” warfare also have a darker side. With all the conveniences, swiftness, and reduced loss of personnel, there is also the temptation to use cyberattacks frequently, and perhaps to favor using them instead of engaging in prolonged or frustrating negotiations. In addition, extremist groups may be able to acquire copies of malicious cyber code to use anonymously against targets that are non-military.
The UN Charter provides guidelines for justifying a response to a cyberattack that represents a use of force. These are found in Article 2(4) — disruption through meeting the definition for “use of force”, and in Article 51 — disruption through meeting the definition for an “armed attack” that threatens to disrupt national sovereignty. However, most recent cyberattacks have fallen short of disrupting the ability of a nation state to exercise its sovereignty. Also, in some countries, there are legal authorities that provide guidelines for launching offensive cyberattacks. In the United States, the authorities for offensive cyberattacks are found in:
• Title 10 USC — where military operations do not require written findings in advance of taking action. However, operations under this authority may not offer easy deniability of cyberattack action.
• Title 50 USC — where the US engages in covert actions. Under this authority, the President must make a written finding that the action supports an identifiable foreign policy and national security objective.
When it is uncertain whether a cyberattack might amount to a use of force under the UN Charter, then Title 50 enables secrecy and deniability of action.
Recent news reports show that cyberattacks are becoming more sophisticated and more stealthy. When damage to physical equipment also occurs, there is a tendency to start comparing malicious cyber code to weaponry. But, what is a weapon, and when are cyberattacks legitimately called Cyber Weapons?
In the US, every military service has a written definition for what comprises a weapon. However, a weapon must also meet international legal standards. The Hague Article 22 and Geneva Article 36 describe how a “capability” that is called a weapon cannot be used by the military until after a legal review. The Hague and Geneva Conventions are intended to protect the civilian population from unnecessary suffering during a war. However, it can be shown that many cyberattacks have also had unpredictable collateral effects on the civilian population.
The “Tallinn Manual on International Law Applicable to Cyber Warfare” was developed after highly-disruptive cyberattacks were directed against Estonia in 2007. This Manual defines a cyber weapon as a “cyber means of warfare” that is capable, by design or intent, of causing injury to persons or objects. This definition of a weapon excludes the destruction of data, unless there is a direct connection to injury or to the functionality of a computer system. So, if there is intentional injury, or if computer functionality is intentionally disrupted through a cyberattack, then we are experiencing a cyber weapon. However, reverse-engineering and analysis of recent sophisticated cyberattacks has shown that several additional characteristics must also be present to develop a more accurate definition for a cyber weapon.
Recent news reports have labeled several examples of highly-sophisticated malicious code as cyber weapons. These reports have included results of extensive studies of malicious code with names such as Flame, Duqu, and Stuxnet.
These three examples of malicious cyber programs were reportedly used as part of a combined multi-year cyberattack campaign intended to disrupt the operations of specific nuclear processing facilities in Iran. This malicious cyber campaign may have been secretly ongoing inside the Iranian facilities from at least 2006 through 2010 before being discovered by security personnel working outside Iran. So, in addition to the definitions in the Tallinn Manual, the current generation of cyber weapons may also require the following characteristics:
• stealth that enables malicious programs to operate secretly over extended time periods
• multiple malicious programs that combine different missions such as espionage, data theft, or sabotage
• a special technology to enable the malicious code to bypass or fool protective cybersecurity control technology.
The special technology to bypass or fool cybersecurity controls, including those that are supposed to protect top-secret industrial facilities such as the nuclear plant in Iran, is called a Zero-Day Exploit. A Zero-Day Exploit (ZDE) is a specific piece of malicious code prefixed onto a larger malicious program payload, and is designed to take advantage of a vulnerability that is new and unknown in the targeted system. A ZDE is able to defeat or temporarily suspend the operation of cybersecurity controls, and thus open a targeted computer system so that a malicious payload can enter and begin its mission. Many highly-skilled hackers work diligently to discover new system vulnerabilities that allow the creation of newer ZDEs. These hackers are motivated because ZDEs can be sold for large amounts to bidders such as nation states or extremists. The ZDEs that are discovered and designed by highly-skilled hackers are a major ingredient of the current generation of cyber weapons.
A final characteristic that enables malicious code to be successful as a cyber weapon is what has been described as an “intimate knowledge” of the targeted industrial control systems of civilian and/or military equipment. The hackers who created the ZDEs that were used in the cyber weapons campaign to attack Iran apparently had a very good understanding of the specific industrial equipment that was targeted. This highly-specialized knowledge held by a designer, and then used to create the various malicious code payloads for espionage and sabotage, is what makes a current generation cyber weapon campaign so effective.
However, there can also be problems with the current generation of cyber weapon campaigns. Cyber weapons can possibly go out of control. For example, Stuxnet was reportedly updated several times to add functionality, and eventually the malicious code escaped the confines of the Iranian uranium enrichment facility. Instances of Stuxnet have been detected in many countries outside of Iran. However, other facilities have escaped damage because the malicious payload in Stuxnet was designed to attack only the specific equipment inside the nuclear facility in Iran. Future cyber weapons that might not be as carefully designed as Stuxnet could also spread unexpectedly, and might possibly cause collateral damage to other facilities.
In the future, the environment and opportunities for cyberattacks will expand. Past targets have been industrial control systems for critical infrastructures such as oil and gas pipelines, and civilian electrical power stations. As more detailed information for intimate knowledge becomes reachable over the internet, future targets will likely include complex military facilities and weapon systems, including more examples of nuclear facilities, or communication, command and control (C3)/C3 plus computer (C4) systems, and missile defense architectures (such as surface-to-air missiles). For example, the Soviet-era BUK surface-to-air missile (SAM) system that reportedly brought down Malaysia Airlines Flight 17, killing 298 people over Ukraine in July 2014, is sophisticated, but may have vulnerabilities, and does not possess the ability to discern civilian from military targets on its own. Unfortunately, detailed knowledge of the BUK Missile System is available over the Internet. Technical instructions for this system, plus several Russian-made missile launchers, in the form of an accurate software simulator, can be downloaded from the Internet, enabling anyone to learn and practice the basic operation of multiple Soviet-era anti-aircraft missile launchers.
As another example of growing vulnerabilities in sophisticated military equipment, the Defense Science Board reportedly has given the Pentagon a classified list of military weapons systems whose designs were stolen by cyber espionage. The list includes designs for the advanced Patriot missile system, known as PAC-3 (see Washington Post, Ellen Nakashima, May 27, 2013). A separate report also available on the Internet shows research on vulnerability analysis of national missile defense software, including the PAC-3 Patriot Missile System (“Using Genetic Algorithms to Aid in a Vulnerability Analysis of National Missile Defense Simulation Software”, JDMS, Volume 1, Issue 4, October 2004, pages 215–223, http://www.scs.org/pubs/jdms/vol1num4/imsand.pdf).
In conclusion, cyberattacks are becoming more sophisticated, and when the following characteristics are present — (a) use of ZDEs to bypass cybersecurity technology, (b) use of campaigns involving coordination of several different malicious programs, and (c) use of stealth to prolong malicious operations for espionage or sabotage — we may be experiencing the effects of a cyber weapon. Correct attribution is very difficult, and the technologies used for cybersecurity defenses are becoming less adequate for the expanding job of protection against cyber weapons. Therefore, classical deterrence theory developed for nuclear weapons cannot work for cyber weapons. In addition, cyber weapons can possibly go out of control. Future cyber weapons that are not built as carefully as Stuxnet could also spread unexpectedly and cause unpredictable damage. Finally, research into examples of current generation cyber weapons has also shown that detailed and intimate knowledge of a targeted system contributes to the success of a cyber sabotage campaign. As more information becomes available on the internet describing intimate details and the possible vulnerabilities of sophisticated equipment and facilities, including military equipment, perhaps through cyber espionage, these may also become new targets for future generations of cyber weapons.
There are many policy topics related to cybersecurity and cyber warfare that are worthy of future research:
• Which strategies may help reduce/regulate global proliferation of ZDEs/malware/payloads designed for cyber warfare?
• Future attack campaigns are likely already in place and operating now. How can these be detected and restrained?
• What legality, if any, does the use or threatened use of nuclear weapons as retaliation against cyber weapons have within the framework of international (and humanitarian) law?
• Is a cyber arms control mechanism feasible? If it is, bearing in mind that a nuclear arms control system took decades, how long will this take?
• Is the UNSC still the right institution to deal with global cyber arms control?
• If yes, to avoid a Cybergeddon, should the P5 reveal all cyber weapons openly?
Prof. Maurizio Martellini
Insubria Center on International Security (Italy)
Dr. Clay Wilson
American Public University System
This speech was delivered at the 11th Scientific conference of the International Research Consortium on Information Security, as part of the International Forum on «Partnership of state authorities, civil society and business community in ensuring international information security», held on 20-23 April 2015 in Garmisch-Partenkirchen, Germany. It is published on Digital.Report with an explicit permission from the conference organizers.