A recent article in the New York Times postulated that America may choose to respond to a devastating cyberattack with a nuclear response. In November 2017, a widely viewed social media video entitled Slaughterbots suggested “swarms of AI-controlled drones [could] carry out strikes on thousands of unprepared victims with targeted precision.” Both of these pieces raised alarm in the general public and identified a need for military thought on the future of kinetic and cyber warfare, and on the convergence of these types of warfare. Lost in these recent media pieces are thoughts on the rules of warfare, called the “Law of War,” and the application of these laws to cyber warfare. Given recent attacks, specifically those in Ukraine allegedly conducted by Advanced Persistent Threat (APT) group 28 (known as Fancy Bear, Pawn Storm, Sandworm, Sednit, and Sofacy) and the as-yet-unknown actors who launched the malware known as Trisis or Triton against civilian targets, the discussion of a “Cyber Law of War” is both timely and necessary.
The Cyber Law of War: What you need to know
Sanctioned and structured military operations conducted in accordance with international law have a rigorous approval structure and command authority. It’s certainly true that some nations have a wider interpretation of the lawful use of force than others. However, it’s generally accepted that in armed conflict between belligerent parties, indiscriminate attacks on civilians, civilian infrastructure, places of worship, and locations of cultural or historical significance are to be avoided and the protected status of those people and places respected. It becomes significantly problematic when belligerent parties exploit these protected civilians and designated places. The 1899 and 1907 Hague Conventions created the primary body of work (with significant contributions and foundational work from the Oxford 1880 “Manual of Laws and Customs of War”) known as the Law of War.

From this genesis, we have the first Principle of the Law of War, the Principle of Distinction. The Principle of Distinction is the governing principle when it comes to the legal targeting and use of weapons, including cyber weapons. Under international humanitarian law, belligerents are required to distinguish between combatants and civilians. Implicit in this principle is its extension, which could be contentious, to infrastructure in the combat zone.

A Principle of Proportionality in the use of force is also applicable to the legal targeting and use of weapon systems, including cyber weapons. The legal targeting and use of weapons must consider the damage to civilians and their property, and that damage cannot be excessive in relation to the military advantage gained. This principle requires the combatant to consider the ramifications of weapon release in terms of the potential damage to civilians (and civilian infrastructure) versus combatants (and military infrastructure).

The Principle of Military Necessity is another consideration when assessing the legality of targeting and use of weapon systems.
This principle prohibits wounding or permanently injuring an opponent except during the fight. It also prohibits torture to exact confessions and other activities used simply to inflict additional damage on the enemy that does not further the military objective. Although it is perhaps far-fetched to consider cyber weapons in the above context, the Principle of Military Necessity is augmented by the Lieber Code, which further defines prohibited activity under this Principle as “in general, … any act of hostility which makes the return to peace unnecessarily difficult.” Finally, governing the targeting and use of weapons, including cyber weapons, is the Principle of Unnecessary Suffering. Article 35.2 of Additional Protocol I declares that “it is prohibited to employ weapons, projectiles and material and methods of warfare of a nature to cause superfluous injury or unnecessary suffering.” Thus, when reviewing these four principles of the Law of War (called “The Principles” hereafter), a weapon or cyber weapon released by a belligerent party which is indiscriminate, disproportionate (more damage to civilian than combatant lives and infrastructure), makes a return to peace more difficult, and inflicts unnecessary suffering is in contravention of the Law of War.
Nations considering doctrine that incorporates cyber weapons as part of military operations will need to spend considerable effort ensuring that the current (unclassified) technology of exploits, worms, and trojan rootkits in use today is compliant with The Principles.
- Exploit – Generally (in cyber weapon terms), an undisclosed zero-day vulnerability that software can leverage to allow an adversary to establish control over an information technology device. In the aforementioned malware known as “Trisis or Triton,” a 0-day attack was used.
- Worms – Self-replicating cyber weapons that seek out specific vulnerabilities, exploit them, and potentially infect any connected host. The 2017 “WannaCry” ransomware outbreak exhibited this characteristic.
- Trojan rootkits – Persistent malware that is difficult to remove and will place a targeted computer system under the control of an adversary. The alleged NSA “DoublePulsar” trojan is an example of this type of malware.
When these systems are used to conduct espionage activities on targeted infrastructure, they are not (arguably) weapons, as their destructive capacity has not been realized. However, in an instant, the machines under control can be ordered to download and execute a destructive payload, thus becoming a “cyber weapon” by damaging or destroying the infrastructure they have compromised and degrading the systems attached to it. It is the systems attached to the targeted computer system that are problematic and which need to be identified prior to triggering destruction. Fortunately, FM 3-12 “Cyberspace and Electronic Warfare Operations” provides guidance to U.S. soldiers on the use and targeting of cyber weapons with the same rigorous command structure and authority applied to physical weapon systems. That the U.S. Armed Forces give these cyber weapons specific direction implies that The Principles are being applied to their use and targeting. Here are some technical control requirements for cyber weapons that, during conflict and post-conflict, should be aligned to The Principles:
- Exploits used in a cyber-attack need to be disclosed after the cessation of hostilities to aid in clean-up
- Diligent record keeping of any targeted and infected combatant and civilian assets must be maintained
- Positive Identification of Target (PID) is required for cyber weapon destructive payloads to be activated
- Additional non-cyber intelligence and legal authority must support and confirm the activation of a destructive payload is in accordance with The Principles
- Destructive payloads cannot be activated indiscriminately
- The Trojan rootkits should be designed to uninstall themselves after a pre-determined amount of time
- Self-replication technologies (worms) are only deployed when there is an extremely low probability of moving into non-targeted infrastructure
- The targeted infrastructure is primarily military in nature
- Use of exploit, worms, and trojan rootkits on Industrial Control Systems and SCADA is done with the utmost targeting rigor
The Challenge of Cyber Weapons
Generally, weapons are overt and not difficult to discern: bombs, missiles, and tanks are all easily identifiable as weapons of destructive capacity. When discussing weapons, the issue of dual-use technology is inevitably broached. Ground-based missile systems, as an example, require some sort of power source; so too do civilian generator trucks and the backhoe diggers used to dig fortifications. Both are useful for military and civilian purposes, and the argument can be made that targeting these systems makes the “return to peace unnecessarily difficult” (Lieber Code).

Cyber weapons are extremely difficult to discern; until a destructive payload is activated, they are generally deployed in an espionage capacity, which is not in contravention of The Principles and, according to the Tallinn Manual (Rule 30, Sections 2-3), does not constitute an attack:

“The notion of an ‘attack’ is a concept that serves as the basis for a number of specific limitations and prohibitions in the law of armed conflict. For instance, civilians and civilian objects may not be ‘attacked’ (Rule 32). This rule sets forth a definition that draws on that found in Article 49(1) of Additional Protocol I: ‘attacks means acts of violence against the adversary, whether in [offense or defense].’ By this widely accepted definition, it is the use of violence against a target that distinguishes attacks from other military operations. Non-violent operations, such as psychological cyber operations or cyber espionage, do not qualify as attacks.”

As recent global cyber security attacks have illustrated, the failure to secure the alleged NSA cyber exploits and trojans led to outbreaks like WannaCry, NotPetya, and BadRabbit. The responsibility for these malware attacks, according to the consensus view of the IT security community, falls on North Korean actors for WannaCry and Russian actors for NotPetya and BadRabbit. These are examples of mass, self-replicating and indiscriminate cyber weapon usage.
Had these attacks inflicted physical damage on infrastructure resulting in a loss of life as opposed to just financial damages, the consequences could have been significant. Urgent work is required by international organizations such as the International Committee of the Red Cross, NATO, and the UN to ensure the development and use of a destructive cyber weapon is done in accordance with the same legal and security rigor applied to nuclear, biological, and chemical weapons.
About the Author: Ian Thornton-Trump, CD, CEH, CNDA, CSA+ is an ITIL-certified IT professional with 20 years of experience in IT security and information technology. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013. Ian previously managed IT projects at the Canadian Museum for Human Rights and is currently the Cyber Vulnerability and Threat Hunting Team Manager for Ladbrokes Coral Group plc. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.