Why Cyberwar Confounds International Law — Part 3: Digital Shrapnel
Adam Zivo | NATO Association of Canada | 2018 | 1600 words
Imagine a scenario in which your country has been victimized by a cyber attack. The attack is significant enough to constitute an act of war. Perhaps it disrupts your electrical grid, leading to major blackouts. Riots break out. Some hospital patients die. By some stroke of luck, the attack is clearly attributable to a specific adversary. Though you have confidence that you have the legal right to some kind of retaliation, not all responses are permissible. Victimhood doesn’t entail the freedom to commit wonton violence. Assume, also, that at this time the favoured response is to match cyber with cyber. What are you allowed to do?
From the outset, there’s the question of minimizing civilian harm. Our existing international legal conventions require this, and rightfully so. War is inevitable and cruel, but we all benefit from realizable limits on this cruelty, especially when it concerns those who are least involved and least deserving of harm. Is it feasible to limit civilian harm in the cyber realm? It seems not, as civilian and military infrastructure are inextricable. Military systems piggyback on civilian systems to the extent that, within the United States, over 90% of military communication occurs on civilian infrastructure. This is a symptom of the astronomic costs of building and maintaining our technologic networks. Our systems are too elaborate, and too useful to society, to be solely financed and utilized by the state. Symbiosis is necessary and mostly desirable. However, the byproduct of this is that it’s almost impossible to quarantine attacks to military targets. Destruction of an adversary’s communication capabilities means disrupting communications for their entire population.
For example, an effective way to cripple a country would be to attack its DNS servers. These high-level servers are the roadmaps to the internet, and help users find and connect with other servers that actually host content. When you type in something like “CNN.com“, you are requesting data hosted on a server elsewhere. A DNS server routes that request to the appropriate place, allowing you to access the content you need. Within cyberwar theory, it’s understood that disabling an adversary’s DNS servers would render large swathes of their internet effectively useless. Without these essential roadmaps, user requests would get lost in the digital ether. This would cripple, though not necessarily completely disable, military communications and command systems. It would also cripple civilian systems, preventing citizens from accessing their banks, news, e-mails, and so on. Such an attack happened in 2016, when an unknown attacker used multiple DDoS attacks to disrupt Dyn, an American DNS provider. The attack impacted access to dozens of major services, such as BBC, Shopify, Visa, and Netflix. While the attack’s damage was ultimately limited, it served as a proof of concept for the potential power of DNS attacks.
A DNS attack is a relatively mild case of cyber assault, even if executed to far greater effect than the Dyn case. Disabling the Internet is disruptive, even traumatic, but, taken by itself, not sufficient for large-scale societal breakdown. There are other, worse forms of attack. What is worrisome is that, at least at this point in time, the most coercive kinds of cyberattacks not only fail to avoid civilians but actively target them. These attacks are by and large attacks on critical infrastructure, a uniquely juicy target. Unlike most other kinds of systems, sabotaging them has the potential to cause widespread physical harm. An electrical grid’s failure can wreak havoc on social order. Water filtration systems can be manipulated into poisoning hundreds of thousands of people. Dams can be made to malfunction and burst. Trains can derail. Within this class of attacks, the harms are visceral. Blood and injury is more persuasive than error screens. Unlike other kinds of cyberattacks, the primary goal isn’t to directly disrupt military capacity, though that happens too, but to weaken a country by attacking the will of its constituents.
Limited Solutions. Uncontrolled Use.
It’s possible to launch attacks that are both effectively coercive and highly targeted, but those types of attacks require a degree of planning that render them impractical for fast-paced, retaliatory warfare. The Stuxnet worm is an example of this. The worm was ingenious in that it was programmed to be inert unless, through the fulfillment of very specific conditions, it could confirm that it was within Iran’s nuclear program. At this point it sabotaged Iran’s nuclear centrifuges, causing them to fail at abnormal rates. The worm was carefully designed to exclusively attack a military target. In its earlier version, there were even systems in place that allowed its commanders to manually control how it spread. The worm was, and remains, an incredible feat of programming, but its brilliance was predicated on years of research and reconnaissance. Extensive espionage was required to identify the exact configurations of Iran’s centrifuge control systems, which in turn allowed the worm to be constrained to act if, and only if, it came across those systems. Even with this degree of caution, Stuxnet spread out of control and infected hundreds of thousands of computers, though damaging only a few incidentally. Its growth demonstrates how, even with years of planning and astoundingly careful programming, our weapons have a penchant for getting out of hand.
That being said, the question here is what can we, as attackers, do. Just because certain types of attacks are available to us, it doesn’t necessarily follow that we have to use them. We could theoretically avoid human rights issues pertaining to civilian harm by choosing to only use weapons that can guarantee a certain degree of precision, or refrain from using cyber weapons that do real harm. Such an approach would misunderstand the realities of war and is as impractical as suggesting that we should forgo bombs because they blow up the wrong people. War is competitive and vicious, and leaves little room for non-strategic self-restraint. So long as war is war, there will be some impetus to use our most effective weapons, barring some preexisting agreement not to. If states have the option available to them, high-level cyber attacks are a siren song. They’re cheap and don’t risk soldiers’ lives. Their attraction is, in a way, analogous to that of arial bombing, in which a state secures greater safety for its personnel in exchange for less precise destruction and therefore more collateral damage. Cyberattacks have the advantage of dealing most of their harms indirectly. As such, their violation of civilian rights is murkier and less likely to provoke backlash, which is particularly concerning given the very tenuous respect these rights command in the first place.
If it can be argued that the destructive nature of war pushes actors to use the most devastating attacks, which naturally harm civilians, is it not also arguable that these types of attacks can be preemptively banned? Nuclear weapons were limited, as were chemical weapons. Is that not the purpose of international law, to govern and constrain our worst impulses? This is one of the issues that cyberwar theorists and international policymakers are currently struggling with. The issue is that control of chemical and nuclear weapons is made feasible because their production and ownership can be tightly controlled. Few states own these weapons, meaning that laws limiting their use have fewer opportunities to be challenged. As a system of arms control, there is a fair degree of predictability. Cyber weapons are a different story. Their proliferation is a given. They are cheap, easy to acquire, and easy to hide. By their very nature, they appeal to smaller states who need to asymmetric advantages, such as North Korea. Not only do many states own them, but so do non-governmental actors. It may not be feasible to ban a class of weapons that are attractive and already ubiquitous.
The regulation and control of civilian-oriented cyberattacks is not only unpromising in theory, it also goes against today’s realities. American electrical grids are already littered with malicious implants that, while currently dormant, could cause devastating damage if ever activated. Malicious code also hides in the software of other critical infrastructure systems, such as water treatment plants. Cybersecurity auditors are justifiably concerned, but the private sector has shown little enthusiasm to solve this problem. Hardening defences is costly. There is little public appreciation for the risks of leaving this problem unaddressed, and governments are reluctant to force security via regulation, so companies feel scant pressure from above or below. Within cyber circles, there seems to almost be a sense of futility. Some commentators are pushing to outlaw critical infrastructure attacks at an international level, and governments give lip service to the problem these days. However, given the gap between rhetoric and action, it seems that these kinds of attacks, and, by extension, the expectation that civilians are appropriate targets, will continue to be normalized in the cyber realm. This could change if there were a paradigmatic shift in how people perceive the problem. A wide scale cyberattack on critical infrastructure could induce this, but this is only speculation.
As of now, if you wanted to launch a retaliatory attack against an adversary, you would be partially constrained by the question of collateral damage. On one hand, our international systems have a theoretical commitment to their well-being. On the other hand, there is compelling pressure on actors to disregard that principle, which is abetted by our current practices, by our fatalistic acceptance of certain kind of cyber attacks, and by the very nature of cyberwar itself.