Cyber War - Fact from Fiction in the shadow of the Tallinn Manual

Earlier this week at InfoSec Nashville, Howard Schmidt gave a fireside-chat style keynote in which he answered pre-vetted questions from a moderator. Most of it was what we've heard for a while now from Mr. Schmidt, a long-time veteran of the school of hard knocks in real-world and government security, until he recounted a conversation with a colleague (I don't recall who, but it doesn't really matter) in which he disagreed with two claims: (a) that we are engaged in (paraphrasing) an "open cyber war" and (b) that we (I assume he meant the 'good guys') are winning. Mr. Schmidt said he did not believe we were engaged in a cyber war, and that we definitely weren't losing.


Hold the phone. Has he read the news lately? Maybe browsed the data breach archives?


A colleague of mine who is knowledgeable in these matters made some interesting comments on this. First, that by the only reasonable definition of such a thing [the Tallinn Manual] we are not engaged in any cyber war. Therefore, if we're not engaged in a cyber war, we cannot win or lose it. Fair point... Moreover, he took exception to citing data breaches as evidence of cyber war.


I completely understand the point... so much so that I started digging through this 215-page behemoth of a document to try to understand what a cyber war, as defined by international law and the UN, actually is. Starting on page 18, in the Scope section, we see references to physical or kinetic force, and starting on page 25 there are clear implications that the normal rules on violation of sovereignty (attacking another nation's sovereignty) to cause damage certainly seem to apply, although, as you can see in point 6, the International Group of Experts could not agree whether the placement of malware that causes no physical damage constitutes a violation of sovereignty. Reading on, it becomes abundantly clear that two things are needed to call something a cyber war: a violation of sovereignty that causes physical damage, and/or the use of force. The rest of the manual is a page-turner that basically reads like a rule-book for understanding when and how the rules of cyberspace law apply.


It is abundantly clear to me that very few people who talk about "cyber war" (including yours truly) really understand what they're saying. This document certainly educated me plenty, although I'm still far from an expert in the matter.

I know Mr. Schmidt is a very intelligent man, so I kept listening for his rationale. What he cited was that in spite of all the incidents that have transpired in recent times, businesses were still able to continue, the country was still operational in the cyber realm, and there weren't any catastrophic events, which I assume means heavy loss of human life. Before I read through the Tallinn Manual I would have disagreed; now I can see he's dead right. The reason is that there hasn't been 'catastrophic damage' done, or a loss of life, in any violation of United States sovereignty.

Hacks and breaches have clearly been carried out on behalf of nation-states, and by unaffiliated hacker assets as well, but they haven't significantly impacted the sovereignty of the United States. That is what separates espionage, fraud and hacking from cyber war.


Whatever you believe breaches cost the US economy, when you add in the preparation, investigation, clean-up and residual losses, the money that simply vaporizes is staggering. I've heard people quote figures as high as several billion US dollars in losses. That figure doesn't count the money we spend as businesses and taxpayers (through government spending) hoping to stave off attack and breach. In an economic climate that teeters on recession again at the drop of any more bad indicators, even if the loss is $1Bn... is that insignificant? Of course not, but again, fraud and even international espionage do not cyber war make... we're still missing physical damage and loss of life.

What is interesting is all the "poking and prodding", as Scot says, in which "un-named sources" are cited to attribute attacks such as Stuxnet to the US, fanning international tensions. The case you've read about, the Middle East oil company Aramco which had nearly 30,000 computers wiped by a cyber-based attack, is interesting, but it speaks mainly to financial loss and, as Scot points out, had questionable impact and even more questionable sources... and little is known due to the information blackout on the case. This is clearly a very complicated geo-political issue, and maybe the prelude to something bigger, but alas, again not cyber war.

The extremely complicated Advanced Persistent Threat (APT) attack that took the inner-most secrets from security company RSA, and the subsequent use of those secrets to go after the networks of our defense contractors, was clearly espionage and theft of intellectual property. Whether it was perpetrated by a foreign nation or some rogue group of hackers, and even if it's a prelude to something bigger, we're still lacking the primary event: physical damage in the violation of sovereignty.

As I've learned - Cyber War has a necessary kinetic component resulting from the violation of Sovereignty and the eventual loss of life.

What we have so far is best described as guerrilla war, not open warfare. Guerrilla warfare, or more specifically guerrilla incursions, clearly fits the current model: small incursions, strategically placed to cause specific damage, performed by non-official military assets on the (suspected) payroll of a nation-state for the purpose of espionage. By damage I mean intellectual property (IP) theft, financial damage, or other non-kinetic effects. The rest reads like a good spy novel from the Cold War.

Are we involved in open (cyber) warfare? Definitely not. I would say we are involved in a played-down, Cold War style set of guerrilla incursions aimed at strategic assets and targets, all to the end of espionage or financial damage. This hasn't yet moved to loss of life or direct confrontation, but that may simply be a matter of time.

As far as whether we're winning or losing... the point is moot. If there's no war, we're not winning or losing. The problem is that it's easy to get drawn into talking about cyber war, and I know I've fallen victim myself, mainly because there are few decent definitions of such an event. But if you dig deep and look hard, you'll find experts who have defined two key components of a cyber war: kinetic action, and the violation of sovereignty leading to a potential loss of life. We've seen the beginnings of this, and have certainly seen violations of sovereignty, but we've not seen both conditions met. Is it just a matter of time? My Magic 8 Ball is broken, so I don't know.


Special thanks to Scot Terban, aka @Krypt3ia, for contributing to this piece and pointing out the Tallinn Manual.

Labels: cyber war
Comments
Bob Sipes(anon) | ‎09-14-2012 05:37 PM

While I agree with your overall theme, I would postulate that Stuxnet fits the cyber war definition.  It violated Iranian sovereignty and it caused physical damage to the centrifuges.  Should the centrifuges be considered critical infrastructure?  Were lives lost or damaged?  No and no, but there was a physical impact.


Other incidents such as Google, RSA, Flame, etc., should be classified as cyber espionage rather than cyber war.  Espionage, both corporate and nation-state sponsored, has occurred for decades even centuries and has not been considered war.  Cyber espionage is part of the normal technological evolution.


The question that arises in today's enflamed geo-political environment is how easily cyber espionage could instigate a retaliatory attack that escalates espionage to war.  Based on the Tallinn Manual definition, a single death caused by a power outage during peak-heat season that can be attributed to a cyber attack would be defined as war.


I doubt it will be that long before we are long past debating the definition of cyber war and dealing its effects.

Krypt3ia(anon) | ‎09-14-2012 06:32 PM

Bob,

I would agree that the Stuxnet malware and the effects thereof could be considered "warfare" "IF" the determination were made under the Tallinn document. Thus, Iran could then declare war I guess upon us if they had hard evidence that we did do it. Instead though, they will continue to leverage the proxy of Hezbollah and sow terror until such time as their IRGC gets it together to attempt to place a worm somewhere in our systems.


It's really a matter of the definition of cyberwar, the responses allowed, and the ability to carry them out. Attribution though is the real tricky bit.

K.

Richard Steven Hack(anon) | ‎09-15-2012 12:14 AM
I'd say Stuxnet qualified as "sabotage", and it's not clear if deliberate sabotage qualifies as "war". The US has MANY times engaged in attempts to deliberately sabotage the critical infrastructure and military facilities of other countries such as Russia during the Cold War. Clearly we were not "at war" in those circumstances. So I think "sabotage" is the best description of what Stuxnet was. I agree that Flame would be considered "espionage". Iran has shown incredible patience given the degree of completely illegal acts under international law that the US and Israel have imposed on them, including the assassination of scientists. Iran's nuclear energy program is completely legal, and there is ZERO evidence of any "nuclear weapons program" despite what the mainstream media would have one believe. ALL of the war threats against them are illegal under the UN Charter. Further, Iran has never been proven to sponsor "terrorism" anywhere outside its borders, despite allegations in Argentina (mostly from an Iranian defector whom even the CIA considered a "serial fabricator"). Hezbollah is not considered a "terrorist" group by most countries, but a national resistance organization, as is Hamas. It's important to understand the motivations behind the upcoming wars on Syria, Lebanon and Iran. It's a matter of regional hegemony and war profiteering.
CV | ‎09-17-2012 11:38 AM

Raf, you really did your homework here. Is Stuxnet cyber war or cyber sabotage? Frankly, does it really matter? I understand that, from a legal perspective, we may want to know what countries are getting into. But the result is the same. Iranian centrifuges have been halted. I leave it up to the reader to decide whether this is a good or a bad thing, as there is a subjective aspect related to whether we trust or don't trust Iran. Your blog is not the right place to debate this, I believe. Where I'm getting concerned is that advanced technology such as Stuxnet and Flame may get out of control. What will happen if it turns against us, if it ends up on our systems? Are our defences capable of identifying such technology, and can they stop it? That's probably an important question from a security perspective, and frankly I don't have the answer.

I believe we will unfortunately see more such actions as the world gets more and more integrated. And such attacks may grind the internet to a halt. Can we still operate without our internet connexions? As we increasingly put our information in the cloud, we assume a ubiquitous internet. Can we count on that? Should we do to the internet what we did to Antarctica, have the world governments decide this is uncharted territory and cannot be harmed? Just a thought.

mikk0j(anon) | ‎09-18-2012 10:20 AM

"As I've learned - Cyber War has a necessary kinetic component resulting from the violation of Sovereignty and the eventual loss of life."


WRONG! That is what the Tallinn Manual wants to explain; however, #cyberspace is not built to follow the principles of the kinetic world.

Tari Schreider(anon) | ‎09-28-2012 10:32 AM

We all love to use military words and jargon in our industry - I am guilty as charged.  However, when it comes to the use of the word "war" I feel it is more precise to phrase it as an "act of war."  The difference may seem subtle, but nonetheless is critical in describing cyber attacks. Casus belli is a Latin expression meaning the justification for acts of war. Casus means "incident," "rupture" or indeed "case," while belli means bellic ("of war").  Basically an act is the justification for going to war; there having been no declared war based on these acts, we must refer to these attacks as "Cyber Acts of War." Nice post!

The opinions expressed above are the personal opinions of the authors, not of HP.