Posted by: Ahmed Elashry
During an onstage interview at the Cloudflare Internet Summit in San Francisco, Avril Haines, a former deputy national security adviser during the Obama administration, said that while there are established norms around what counts as a physical act of war, those same metrics do not exist for digital attacks.
“In the conventional world, we have a long history of rules that tell us when another country has used force, when what they do constitutes an armed attack, and therefore when we have a legal basis to respond to it in a kinetic way or in other ways,” she said.
Experts mentioned that cyber-attacks do not have the same set of laws and norms of conventional war. The question here is: would a cyber-attack lead to a conventional war?
At the invitation of NATO cooperative cyber defense center of excellence, the international group of expert prepared the Tallinn on the international law applicable to cyber warfare. Throughout the manual several issues related to cyber security and cyber laws were discussed. They defined cyber-attacks as “a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects”
Several countries and big tech companies have been trying to develop norms to cyberspace, especially after the recent well known WannaCry ransomware attacks which spread in around 150 countries and affected the UK’s National Health Service (NHS). The Lazarus group which have ties with North Korea was suspected of this attack. Cyber security is growing concern for governments and private sectors.
According to the National Conference of State legislators (NCSL) in 2017 at least 42 states introduced more than 240 bill or resolutions related to cybersecurity.
Tech companies are also getting into the mix around cyberwar regulations. Microsoft chairman Brad Smith has been advocating aggressively on behalf of his company for a “digital Geneva Convention” establishing norms and protecting civilians.
State Backed Attacks and Laws
Last June China and Canada signed an agreement vowing not to conduct state sponsored cyber-attacks against each other aimed at stealing trade secrets or other confidential business information. Meanwhile, according to Reuters “The new agreement between Canada and China covers only economic cyber espionage, which includes hacking corporate secrets and proprietary technology. It does not encompass state-sponsored cyber spying for intelligence gathering.”
In January 2017, NATO chief Jens Stoltenberg, said that according to their latest evaluations “there was a monthly average of 500 threatening cyber-attacks last year against NATO infrastructure that required intensive intervention from our experts,” he told Die Welt daily.
That’s an increase of 60 percent compared to 2015. Most of these attacks did not stem from private individuals but were sponsored by national institutions of other countries,” he added.
“All military activities are now based today on data transmission. If that fails to work, it can cause serious damage,” he said.
In the last decade state backed attacks were very active. The top players were China and Russia as they have been developing cyber weapons. In the last few years state cyber-attacks have come out from the shadows. Lots of companies found themselves facing intelligence agencies and military without any protection from the government.
Motivations behind Cyber Attacks
Looking at the top two players we find out that there are several motivations behind these attacks. Cyber security professionals mentioned that the Russians motivations are mainly hacking businesses information that will assist their competitive standing the economic world. Experts mentioned, that one of their priorities is collecting military and diplomatic information involves gaining a stronger standing in their strategic negotiation with the USA.
In contrast, Chinese motivations have been purely economic, cybersecurity professionals have noted an increasing number of network intrusions that result in exfiltration of business information, including IP and executive communications. That’s a hallmark of Chinese hacking groups, particularly Group 61398, who are known for stealing trade secrets from companies such as Westinghouse and US Steel.
Legal Framework in the United States:
Currently, cyber security regulation comprises of directives from the Executive Branch and legislation from Congress that safeguards information technology and computer systems. The main purposes of the cyber security regulations is forcing companies and organizations to protect their information from attacks such as viruses and unauthorized access (stealing intellectual property or confidential information) and control system attacks.
The federal government has been working to strengthen its cyber security laws, they enacted some laws and amended some of the older laws. This blog post gave few examples of them (https://blog.appknox.com/a-glance-at-the-united-states-cyber-security-laws/)
Would a Cyber-Attack Lead to Conventional Warfare?
There is a huge distinction in definitions between conventional war and cyberattacks. Although, there is a huge connection between one another. Global Zero Commission on Nuclear Risk Education published a report in 2015 which pointed out that “At the brink of conflict, nuclear command and warning networks around the world may be besieged by electronic intruders whose onslaught degrades the coherence and rationality of nuclear decision-making,”
First, sophisticated attackers from cyberspace could spoof U.S. or Russian early warning networks into reporting that nuclear missiles have been launched, which would demand immediate retaliatory strikes according to both nations’ nuclear warfare doctrines. Second, online hackers could manipulate communication systems into issuing unauthorized launch orders to missile crews. Third and last, attackers could directly hack into missile command and control systems launching the weapon or dismantling it on site (a highly unlikely scenario).”
Since several countries and hacker have been working on developing their electronic weapons, I believe that governments should start preparing for that sort of an attack at any point.