Does the world need a Geneva Convention for cyber warfare?
The joint USA-Israel-developed Stuxnet worm, which destroyed the centrifuges crucial to Iran's nuclear programme in 2007, signalled a shift in the way cyber attacks were deployed and perceived.
Stuxnet was a success. It demonstrated that cyber attacks could be used to profound material impact where traditional acts of aggression did not succeed. The covert use of cyber weapons worked where sanctions and the threat of violence did not.
Stuxnet was discovered three years later in 2010. Since then, the capabilities of nation states, criminal gangs, and state-sponsored groups have only increased. But the rules of play could not be murkier.
The Tallinn Manual
In 2009, a group of cyber security experts began work on the first Tallinn Manual, a non-binding study on how international law might apply to cyber warfare. The first edition was published in 2013, and the second, the Tallinn Manual 2.0, was published in February this year.
The issue has also been discussed at the UN, where a resolution was raised by Russia in 2008.
Meanwhile, a working group called the Shanghai Cooperation Organisation – established in 2001 and including China, Kazakhstan, Kyrgyzstan, Russia, Tajikistan and Uzbekistan – goes as far as to treat the dissemination of information online by rival states as a kind of 'information warfare'. India and Pakistan became full members in July 2015.
And a UN resolution adopted on 23 December 2015 promotes multilateral agreements for "the consideration of existing and potential threats in the field of information security, as well as possible strategies to address the threats emerging in this field."
In 2010, the UK started classing cyber attacks from other states, organised crime and terrorists as a "Tier One" threat to national security, alongside international terrorism, military crisis between nations and natural disasters. And in 2011, the White House published the Strategy for Operating in Cyberspace, which as the Tallinn Manual points out, "designates cyberspace as an operational domain".
With all these different resolutions, agreements, unions and lack thereof – where does the law lie? And how useful is a document such as the Tallinn Manual?
"If the world was composed of nothing but the USA and Europe I would say the Tallinn Manual would be a very defining manual," says Martin Libicki, professor, researcher and author with the Rand Corporation.
"But I don't think the United States has much to worry about from Europe – and we have a great deal to worry about from Russia, China, North Korea, Iran, etc."
Studying US behaviour, establishing 'norms'
Naturally, these countries have as much to worry about from the USA. Libicki says to understand what the USA would and wouldn't use in cyber warfare, it's more helpful to examine US behaviour than international law.
"As a general rule if you do something in cyberspace that looks like the sort of thing you could do with kinetic weapons, it will be treated as though you have done it with kinetic weapons," he says.
"If I used a cyberattack to do a wholesale takedown of your power infrastructure, you're going to treat it as if I've dropped bombs on your power infrastructure. So people know not to do that unless they really want to take a large number of chances."
"The United States' decision-making process does take international law into account," Libicki explains. "But the US flexibility on interpreting this international law is quite serious. For instance, in the first version of the Tallinn Manual, it wasn't even clear that Stuxnet was a violation of international law.
"That was probably the clearest example of one country using a cyber attack to destroy things in another country. And it's such a clear-cut example that was nevertheless carried out by countries that believe in international law – that leaves a lot of room."
There has been considerable discussion about the establishing of "norms" on cyber warfare from nation-states. These could loosely be defined as expectations for states to abide by.
According to the UN Group of Governmental Experts: "Norms do not seek to limit or prohibit action that is otherwise consistent with international law. Norms reflect the expectations of the international community, set standards for responsible state behaviour and allow the international community to assess the activities and intentions of states. Norms can help to prevent conflict in the ICT environment and contribute to its peaceful use to enable the full realisation of ICTs to increase global social and economic development."
One area where there has been successful cooperation is the 2015 agreement between China and the USA, which effectively established an undertaking not to carry out cyber espionage against commercial companies for competitive purposes.
Libicki believes this to be the best example of an international norm at work – but it was achieved largely through other pressures applied by the USA.
"We indicted several members of the People's Liberation Army and were mounting a credible threat of sanctions against China," says Libicki. "So it wasn't a bunch of guys getting around the table negotiating norms, so much as 'we have a strong national interest in this and we're going to twist your arm until you sign on the dotted line'."
Nevertheless, Libicki believes this was the first meaningful international norm on cyber that included a signatory of a rival power.
He argues that the first established 'norm' in general could be considered the Budapest Convention, which attempted to harmonise the policing of cybercrime across friendly nations. But even here, things don't always run smoothly: the USA sought to have Gary McKinnon extradited, for instance, and more recently legal battles have raged about the information stored on Microsoft's servers in Ireland, with the USA so far unable to gain access.
How serious is the cyber threat?
A distinction worth making is between attacks committed outright by nation states and the use of state-sponsored groups.
Russia has faced accusations lately of allowing hackers to commit cyber crime within its borders, with officers in the intelligence agency the FSB combing the data for useful information. This again muddies the waters because by allowing hacking groups to operate, intelligence agencies themselves have a degree of deniability when it comes to attribution.
In mid-2015, the US Office of Personnel Management disclosed an enormous data breach that could have affected as many as 21.5 million people. The breach saw attackers steal extremely sensitive information including Social Security numbers, dates of birth, names, and full addresses, from what was the largest database of US government personnel.
None of that information has yet appeared anywhere online, leading officials to suspect the involvement of a foreign government – some fingers were pointed at China – and speculation that the motive could be for blackmail purposes at a later date.
Earlier this year, Ciaran Martin, head of the National Cyber Security Centre (NCSC), said that the threat from cyber attacks had increased, including those that threatened "national security". Chancellor Philip Hammond said at the time that the NCSC had been blocking as many as 200 potential attacks every day.
Of course, just as Britain is subject to these attacks, it is also shoring up its own offensive capabilities. In an unprecedented speech late last year Hammond boasted that Britain would invest in its own cyber offensive capabilities.
A recent tranche of documents released by Wikileaks called Vault 7 detailed the extent of the CIA's cyber operations and the agency's ability to crack into the most-used operating systems in the world. This followed the earlier NSA and GCHQ leaks from Edward Snowden which exposed the creation of a worldwide surveillance dragnet led by the USA and Britain. And documents released by Wikileaks alleged that the USA was also engaging in cyber espionage against friendly nations, with claims that it had tapped the German chancellery for decades.
A serious problem with navigating cyber attacks is attribution.
"Unlike with bullets or missiles where you can see where they've been fired from, the same doesn't apply to cyber weapons," says Jarno Niemela, senior security researcher at F-Secure. "The problem with cyber weapons is the difficulty of attribution."
"There are many cases where we know it's Russia but we don't have concrete proof – we still don't have concrete proof and even if we did have concrete proof, Russia says it didn't do it."
To illustrate the difficulties of attribution, Niemela says that F-Secure once discovered a command line used by an attacker that was completely new – a Google search of the code turned up nothing, which is unusual because hackers are prone to copy-pasting instructions.
F-Secure then checked Chinese search engine Baidu and there were a lot of hits.
"This kind of indicates the attacker had been from China, but then again, this guy might have been smart enough to use Baidu to assemble the attack, in the hope of leading us to think it was from China," he says.
One case in point is the Sony hack, allegedly perpetrated by North Korea – as Rand's Martin Libicki notes, the US made an enormous song and dance out of this attack "but in fact North Korea has done far more damaging hacks to a treaty ally of the United States and we've done nothing – that treaty ally is of course South Korea."
"On the one hand you could say these attacks are violations of international law but on the other hand how serious it is depends on your estimate of what a big deal the next guy's going to make."
Speaking with Techworld late last year, the ex-CTO of the CIA, Bob Flores, said that it's "always reasonable to cast doubt on assertions".
"Assertions are one thing, and proof is something else entirely," he said at the time. "Just as it's very easy to exploit things that are out there today, it's also very easy to spoof – it's very easy for me to launch an attack that makes it look like I'm from North Korea."
"And so you can look at a bunch of things and say, well, the preponderance of evidence says 'this is coming from North Korea' – OK, but that's not proof. Whether it's North Korea or the Russian Business Network or China or whoever, it doesn't really matter."
"Modern warfare has changed"
We are watching the evolution of cyber war policy unfold in real time. So far, much of the international diplomacy seems to be occurring on a case-by-case basis.
Rick McElroy, security adviser for Carbon Black, believes that getting countries around a negotiating table to hash out the rules of play would be a "hard slog" globally. But, he says, an international body like the UN would be a good place to start building some clarity around cyber warfare.
"We're really at a point from a nation-state actor perspective where we need to have a discussion," McElroy says. "What is a cyber weapon? When does a cyber attack become a physical attack that involves life, and infrastructure, and money? What is the definition of that?
"I was a United States Marine and we love the Geneva Convention – it protects us as soldiers in someone else's country from being tortured, and that's a great thing. There's no cyber equivalent to that. Even the precursor of what cyber war is depends on the country you're talking to."
"Given the recent set of events, I think you'll see a lot more nations get together on this. I don't think the US is going to be leading that charge – in fact I think we'll be a little detrimental to the process right now."
What would it take to get countries working towards laying the foundations for some kind of agreement? McElroy doesn't paint a rosy picture of the future: "I don't think the people that could propose the legislation understand the actual issues, so they're probably a little misinformed about what would actually work in action," he says.
"I think we could follow a model like we did with the Geneva Convention – the problem with that is that was a result of horrific actions that had occurred.
"We decided as a species we were going to stop being in that business because it's awful. I don't know that there's been the cyber equivalent of that yet.
"Modern warfare has changed. The precursor to any modern warfare is cyber war. Look at anybody's playbook – and the US wrote it, everybody else has just adopted it – how much of this is intelligence gathering to do physical attacks? How much of it is intelligence gathering to get the upper hand on the other nation?
"My gut tells me this isn't getting done in five years, I don't know if it's getting done in 10. And it's going to take a massive event to do it."