|
||
|
|
||
|
Stop cyberweapons now! This article presents the need for a treaty to ban cyberweapons and cyberwar, and also to ensure that public telecommunications and Internet networks are not used for offensive military purposes. Prabir Purkayastha & Rishab Bailey Cyberspace is increasingly being militarised and used for offensive military operations. Considering that the Internet is becoming a necessary part of the global information and communications network, this represents a big threat to the future of the world. Damaging a country's infrastructure systems and networks can result in physical damage to property and people and even loss of life. Such attacks can take down a country's electrical grid and water and sewage systems, cause flooding by opening dam gates and even set in motion a Bhopal- or Fukushima-like disaster. Even more worrying is the prospect of one country controlling nuclear and other weapons systems - all of which are operated through computerised control systems - of other countries around the world. As more and more critical infrastructure resources around the world are maintained and operated through computer control systems, ensuring the security of these installations from targeted attacks is critical. The damage caused by the US and Israel to Iranian nuclear centrifuges in Natanz (using the Stuxnet computer virus) is only one example of offensive cyber-operations. Such attacks on nuclear reactors, dams, hazardous chemical facilities, etc. can cause enormous damage to a country. Edward Snowden has shown how the US and its closest allies (constituting the Five Eyes intelligence alliance and Israel) have compromised the entire global network and turned it essentially into a war machine. We now know, for instance, that the US National Security Agency (NSA) carried out over 230 offensive cyber-operations in just one year (2011).1 Thanks to Snowden we know that the NSA has subverted nearly all the devices that run our and by extension our countries' vital infrastructure. Perhaps the most dangerous part of the surveillance that Snowden has revealed is the computer network exploitations (CNEs).2 These are software implants in other countries' networks that have the ability not only to tap into the data streams of these networks but also to disable these networks - they are cyberweapons that have been armed and can be activated with just a single command. Fifty thousand such CNEs have been reported to have been implanted in global telecom networks. The implants persist through software and equipment upgrades and can therefore lie dormant for long periods of time till triggered. US President Barack Obama's Presidential Policy Directive 203 (which authorises targets for cyberattacks) clearly shows that foreign networks4 have been penetrated and their security systems are already compromised. Vital infrastructure of other countries has been pre-targeted, with a cyberattack able to be triggered on command.5 The fact that the most powerful and richest nations are devoting increasing resources to defensive and offensive cyberwar capabilities creates a clear imbalance of power and can encourage those powerful states to engage in cyberattacks on others. The attack by the US and Israel on Iran's Natanz nuclear facilities is one example of this. Though it is generally recognised that longstanding rules of customary international law governing conflict do apply to the area of cyberwarfare as well,6 there are no treaty provisions that ban or limit cyberwarfare. The attack on the Iranian nuclear plant7 was the first instance of the use of a cyberweapon. Various experts have held8 that it was a huge mistake. The scary figure is the estimation that the Stuxnet virus that took down the centrifuges in Natanz would have taken about $100 million to develop - a big sum for an individual or an organisation but small change for a country. And today, vital infrastructure in all countries is run by control systems that have computers embedded in them and are therefore vulnerable to such attacks. Bruce Schneier, one of the world's leading security experts, has written9 on the need for a treaty banning cyberwar. 'We're in the early years of a cyberwar arms race. It's expensive, it's destabilising, and it threatens the very fabric of the Internet we use every day. Cyberwar treaties, as imperfect as they might be, are the only way to contain the threat.' It is not enough that cyberwar be banned, but the ability to wage such forms of war must also be curbed by banning the development and deployment of cyberweapons. Due to the nature of the online medium and cyberweapons and cyberattacks, there is a need to update and clarify the relevant norms and laws in a binding international treaty. Such a treaty is necessary to inter alia clarify the scope of cyberwar, what constitutes cyberweapons, and the actions that may follow in international law to prohibit the development and deployment of cyberweapons. For instance, at what point in time does the right to self-defence apply and what are appropriate responses to such attacks? The treaty will also need to deal with the scope of the application of international humanitarian law/the laws of armed conflict to this domain (and therefore the applicability of important concepts such as the protection of civilians and so on). Demilitarisation of the Internet is essential to ensure that the Internet is used for productive purposes rather than as an instrument of warfare. It is necessary that this be recognised by states in a binding and enforceable legal instrument. We already have precedents for such regulation in the form of treaties governing disarmament in outer space and Antarctica, as well as treaties regulating the use of chemical and biological weapons. What is cyberwarfare? There has been much debate about what exactly the term 'cyberwarfare' means. The absence of an established definition is one of the first issues that ought to be addressed in any international effort to demilitarise the Internet. The definition of a cyberwar, much like any traditional war, must rely on the effects of the attack (in any determination of whether a 'cyberwar' exists). The only real difference to a traditional use of force (constituting a war) is that such a war is conducted using computers or computer networks - either by damaging networks themselves or by using computers and computer networks to cause damage to objects/people by damaging vital infrastructure and installations. The term 'cyberattack' is defined as 'a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects'10 or as 'deliberate actions to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information and/or programs resident in or transiting these systems or networks'.11 We believe that a cyberwar is the launch of a cyberattack by one state against another, using software or code that is intended to: prevent the use of an essential computer network and thereby damage critical infrastructure or substantially impair the ability of essential services to function, or cause physical damage to property or people including loss of life, or both. The key issue is the effect of such a weapon - physical damage either by disabling systems or by making systems behave in a way that causes physical damage. Cyberwar as defined above refers exclusively to actions carried out against a computer system or network that result in situations that would, if carried out through traditional means, be construed as an act of war, with physical harm to people and/or property. In order to constitute cyberwar, the actions must be of such a scale as to constitute a use of force (or threat of a use of force) as required under Article 2(4) of the UN Charter. Accordingly, states must agree to prohibit the creation of software or code that can reasonably lead to cyberwar. Creation of such software or code would constitute weaponisation of software and therefore a cyberweapon. Any international treaty on the subject must prohibit both the development and deployment of such weapons, as well as cyberwar. Private individuals and organisations cannot be the protagonists in cyberwar though they may commit cyberattacks/cybercrimes. Cyberwar is an issue between sovereign states (even if indirectly acting through intermediaries). However, this will necessitate clarifying, in the context of the Internet, rules regarding the establishment of state responsibilities of which international law already has various precedents. The primary disagreement on the definition of cyberwarfare seems to be about whether actions constituting 'information terrorism', disinformation and so on would constitute cyberwarfare.12 We believe that the primary issue is physical harm and damage caused to people and property by cyberattacks and any global proscription must be restricted to such issues rather than any attempts to stop the spread of disinformation which could also be construed as 'divergent' views, as this could hamper free speech. Cyberwar must also be differentiated from various other concepts such as cybercrime/online crime and cybersecurity, automated weapons and the use of robots, Internet fraud and identity theft, spamming/phishing, spyware/trojans/bots, surveillance, electronic warfare, cyber-exploitation, etc. While these are all genuine problems concerning the (mis)use of the Internet, they do not constitute cyberwar and must be treated separately. Cyber-exploitation and surveillance by and large look to collect data from either the public or government sources through actions which are generally probing in nature, are non-destructive and attempt to remain as low-profile as possible. They do not generally cause any physical damage or loss of life and will not usually prevent usage of a computer resource (as this would defeat the purpose of conducting the surveillance in the first place). However, computer network exploitations or 'logic bombs' that are capable of taking down telecommunications networks and other vital infrastructure controls would fall under the category of cyberweapons and need to be banned under any global agreement. Electronic warfare is broadly understood to mean 'military action involving the use of electromagnetic and directed energy to control the electromagnetic spectrum or to attack the enemy'13 and is clearly different in scope and nature from cyberwar. Broadly speaking, automated weapons differ from cyberweapons as they generally utilise computer technology to enhance the ability of traditional weapons systems. They do not specifically target computer networks or systems. Intelligent weapons (or ones that can learn from their environment and do not necessarily need a human handler) do not generally attempt to destroy computer systems and networks 'from within' but use computer systems to enhance their own capabilities. Therefore a drone may be automated to fire missiles when certain prearranged conditions are met, but this would not constitute a cyberattack or cyberwar. While such weapons do constitute new threats to global peace and disarmament, they must be dealt with separately as still constituting conventional weapons systems (even if advanced). What is already in place and what is missing? There are essentially no existing international agreements that would restrain cyberwarfare. The Russian government has been pushing since 1998 for a UN treaty to address conflict in cyberspace, though there has been little movement on this front. The US has so far blocked all attempts to initiate a cyberwar treaty, arguing that such a treaty is not enforceable/required (and that it is better to focus on issues of cybercrime) while at the same time steaming ahead with its cyberwar preparations. Some noises have been made from time to time about the willingness to sign a treaty, for instance with Russia around 2010, but no progress has been made.14 An attempt to examine the applicability of traditional international law mechanisms to the cyber realm was made in 2009. The NATO Cooperative Cyber Defence Centre of Excellence convened an international group of legal scholars and practitioners to examine the issue of how to interpret international law in the context of cyberwarfare. The meeting produced a document, known as the Tallinn Manual on the International Law Applicable to Cyber Warfare, which is an academic and non-binding study. The document importantly leaves no doubt as to the applicability of traditional rules of warfare to the cyber arena. Some simple measures that would have protected the network of one country from another were proposed to be included in the International Telecommunication Union (ITU)'s 2012 International Telecommunication Regulations, which include an article calling for cooperation to improve network security. However, this treaty has not been signed by most developed countries (most notably the US). Such cooperation could conceivably act as a restraint on some types of cyber attacks, but the scope of ITU is limited to peaceful use of telecommunications, so it is not clear whether any ITU instrument could in fact constrain cyberwar. Proposals for a treaty or other agreements International legal frameworks such as the United Nations,15 Council of Europe, NATO,16 Organisation of American States17 and the Shanghai Cooperation Organisation have all provided different and often ambiguous legal structures. Despite the importance of the issue, all these bodies have failed to agree on an effective legal framework that can govern all cyberattacks, mainly due to opposition from the US and its allies.18 Various proposals to deal with cyberwar have been discussed in the UN at the insistence of Russia, which has moved several resolutions to draw attention to the potential use of cyber technologies for purposes 'inconsistent with the objectives of maintaining international stability and security' - notably at the First Committee of the UN General Assembly.19 So far these efforts have only resulted in the creation of various expert groups, which submitted reports in 201020 and 201321. These reports have generated several recommendations, including that states sustain a dialogue regarding 'norms of responsible state behaviour' and consider adopting confidence-building measures 'to help increase transparency, predictability and cooperation'. The 2013 report also included the significant affirmation that 'international law, and in particular the Charter of the UN, is applicable [in cyberspace]', that 'State sovereignty and international norms and principles that flow from sovereignty apply to State conduct of ICT [information and communication technology]-related activities, and to their jurisdiction over ICT infrastructure within their territory', and that 'States must meet their international obligations regarding internationally wrongful acts attributable to them'. On 27 December 2013, the UN General Assembly unanimously adopted resolution 68/243, in which it took note of the 2013 expert group report and requested the UN Secretary-General to establish a new expert group that would report to the General Assembly in 2015. The new group of governmental experts, with 20 members, held its first meeting in New York in July 2014 and elected Brazil as the Chair. The group will have three more meetings in 2015. Conclusions It is clear that the US, which believes it leads the world in cyberwar and cyberweapons capabilities, regards all attempts to restrict cyberwar or cyberweapons as unilateral disarmament. In a sense, this is similar to the situation that came up when nuclear disarmament was discussed in the postwar period. The US, which was the only nuclear power at that time, believed that it would be able to maintain its nuclear monopoly for at least a decade. Though the Truman administration had proposed the Baruch Plan in 1946,22 it had conditions that the US knew the Soviet Union would not accept, and turned down the alternative Soviet proposals for a total ban on nuclear weapons. Not only is the belief in such a monopoly on cyberwarfare dangerous, but cyberweapons constitute a real threat to the Internet, which plays a key role in almost all spheres of our activities today. There has been talk of balkanisation of the Internet. But the biggest risk of balkanisation comes not, as has been claimed, from independent domain names and Internet Protocol addresses outside the ICANN (Internet Corporation for Assigned Names and Numbers) system, but from the threat that cyberweapons pose to the domestic networks of countries. The balkanisation of the Internet would then be seen as a protective measure against the threat of cyberweapons from other networks and countries. We must try and build a broad unity and movement among not only Internet activists but also peace and disarmament activists around the world, to ban cyberweapons and cyberwar right now. We have a small window of opportunity to stop cyberweapons. Tomorrow may be too late. Prabir Purkayastha and Rishab Bailey are with the Society for Knowledge Commons, India and also a part of the Just Net Coalition. This article draws upon Sally Burch's 'Notes on the Need for a Cyber Peace Treaty', Just Net Coalition, June 2014, available at http://justnetcoalition.org/notes-need-cyberpeace-treaty-english. Notes 2 'NSA-planted malware spans five continents, 50,000 computer networks' 3 http://www.theguardian.com/world/interactive/2013/jun/07/obama-cyber-directive-full-text 4 https://www.schneier.com/blog/archives/2013/06/us_offensive_cy.html 6 The United States set forth its position on the matter in its International Strategy for Cyberspace: 'The development of norms for State conduct in cyberspace does not require a reinvention of customary international law, nor does it render existing international norms obsolete. Long-standing international norms guiding State behaviour - in times of peace and conflict - also apply in cyberspace.' Also refer to the Tallinn Manual on the International Law Applicable to Cyber Warfare, prepared by the International Group of Experts at the Invitation of the NATO Cooperative Cyber Defence Centre of Excellence, ed. Michael Schmitt, Cambridge University Press, 2013. 7 Prabir Purkayastha, 'Stuxnet and Now Flame: The US and Israel Continuing Cyber War Against Iran' 9 Bruce Schneier, 'Cyberwar Treaties' 10 Rule 30 of the Tallinn Manual on the International Law Applicable to Cyber Warfare, prepared by the International Group of Experts at the Invitation of the NATO Cooperative Cyber Defence Centre of Excellence, ed. Michael Schmitt, Cambridge University Press, 2013. 12 While the US government mostly takes on an objective-based definition of cyberthreats, the Shanghai Cooperation Organisation, on the other hand, adopts a more expansive means-based definition of cyberwarfare to include the dissemination of information to undermine political, economic and spiritual stability in a country. Tom Gjelten, 'Seeing the Internet as an Information Weapon', NPR, 23 September 2010, http://www.npr.org/templates/story/story.php?storyId=130052701. This difference is illustrated, for instance, when members of the Shanghai Cooperation Organisation in September 2011 proposed to the UN Secretary-General a document called 'International code of conduct for information security'. This approach was not endorsed by Western countries which argued that this approach would lead to political censorship of the Internet. See http://en.wikipedia.org/wiki/Cyberwarfare 13 See, generally, US Department of the Army, 'Electronic Warfare in Operations', Field Manual No. 3-36 (25 February 2009). cf. Colin Crawford, 'Stuxnet: Cyber Conflict, Article 2(4) and the Continuum of Culpability', http://works.bepress.com/colin_crawford/1/. The Tallinn Manual defines electronic warfare as 'the use of electromagnetic (EM) or directed energy to exploit the electromagnetic spectrum. It may include interception or identification of EM emissions, employment of EM energy, prevention of hostile use of the EM spectrum by an adversary, and actions to ensure efficient employment of that spectrum by the user-State'. 14 Siobhan Gorman, 'US Backs Talks on Cyber Warfare', The Wall Street Journal, 4 June 2010 15 http://www.itu.int/ITU-D/cyb/cybersecurity/docs/UN_resolution_58_199.pdf 16 http://www.ccdcoe.org/249.html 17 http://www.oas.org/juridico/english/cyb_pry_strategy.pdf 18 Shahrooz Shekaraubi, 'The Wild West of Cyberwarfare', International Policy Digest, 26 February 2014 19 The issue was taken up at the 68th session of the First Committee, and the resolution titled 'Developments in the field of information and telecommunications in the context of international security' (A/C.1/68/L.37) is available at http://www.un.org/ga/search/view_doc.asp?symbol=A/C.1/68/L.37. Also see http://www.un.org/News/Press/docs/2010/gadis3419.doc.htm" target=_blank>http://www.un.org/News/Press/docs/2010/gadis3419.doc.htm, http://www.un.org/News/Press/docs/2009/sgsm12108.doc.htm, and more generally http://opencanada.org/features/the-think-tank/comments/cyber-security-takes-the-floor-at-the-un/ 22 Joshua Williams, 'The Quick and the Dead' References Crawford, Colin, 'Stuxnet: Cyber Conflict, Article 2(4) and the Continuum of Culpability' Gorman, Siobhan, 'US Backs Talks on Cyber Warfare', The Wall Street Journal, 4 June 2010 Hughes, Rex, 'A Treaty for Cyberspace', International Affairs, Vol. 86:2 (2010), 523-541 Owens, William A., Kenneth W. Dam and Herbert S. Lin (eds.), Committee on Offensive Information Warfare, National Research Council, Technology, Policy, Law, and Ethics Regarding US Acquisition and Use of Cyberattack Capabilities, The National Academies Press, 2009 Rutkowski, A.M., W.A. Foster and S.E. Goodman, 'Multilateral Cyber Security Solutions: Contemporary Realities', Public Interest Report, Spring 2012 Shackelford, Scott J., 'From Nuclear War to Net War: Analogizing Cyber Attacks in International Law', Berkeley Journal of International Law, Vol. 27:1 Shekaraubi, Shahrooz, 'The Wild West of Cyberwarfare', International Policy Digest, 26 February 2014 Tikk-Ringas, Eneken, 'Developments in the Field of Information and Telecommunication in the Context of International Security: Work of the UN First Committee', ICT4Peace, 2012, http://www.ict4peace.org/wp-content/uploads/2012/08/Eneken-GGE-2012-Brief.pdf |
||
|
|
||
