As a delayed follow-up to this post from a few weeks ago, I wanted to touch on the Tallinn Manual released by NATO back in March. I've read through most of it, and won't pretend to be an expert in international law, the laws of war, or other such topics. However, I do play a cyber security expert in real life, and will try to relate the positions put forth in the manual based on that. In general, the manual indicates that a new set of laws to govern the fighting of cyber wars is not necessary since the laws already in place for conventional wars are sufficient. It then sets out to relate those laws to fighting wars in cyber space. There are a couple of points that stuck in my mind as I read through the manual. I'll try to summarize those here.First, states are responsible if attacks originate from infrastructure within their borders. Perhaps that is stated too strongly, and a better way to put it would be to say that states cannot knowingly allow attacks to originate from within their borders. While that sounds like a reasonable rule, there are a few obvious problems.
- We're talking about networks. Logical borders do not readily translate into physical ones . . . at least not physical ones that coincide with state borders. To draw on the easiest example of a problem with this rule- how do we deal with a situation where a C&C server in Russia is used to control a botnet of predominantly US computers? Is that an attack originating from Russia or from the US? What about cloud platforms? In that case we may be talking about a system that is distributed across national borders.
- Define "knowingly." Are countries going to need to know what traffic crosses their borders? It is one thing to say a nation should know that a random, unaffiliated citizen has managed to build and launch an ICBM against a foreign power, but an altogether different proposition to say that the nation must be able to know when a bored computer wiz with no job has managed to hack into foreign classified IT systems and may potentially disclose the names of all that countries spies for example. In a sense, this would almost force countries to take up an advanced level of monitoring of its own citizens for which we currently view countries like China and Syria as oppressive.
Second, the manual equivocates cyber and conventional wars in terms of impact to human life. That is to say that they are not equal unless they both jeopardize life. When cyber war does impact human life, it deems that reciprocate attacks are justified meaning that if a US hacker sabotages a damn in China resulting in 800 deaths, not only would China be justified in launching a cyber offensive that placed US lives at risk, but that China could use bullets-and-rockets type of war to reciprocate with equal force.
Third, the manual declares that unlawful actions can essentially be undertaken by any state in response to unlawful actions taken by another state even when these do not qualify as a "use of force." In other words, even when the attack does not put lives at risk, if we sabotage Iranian nuclear reactors they would be justified in doing the same to us.
Here are a few problems with the previous two rules.
- During conventional war, recognizing an attack is somewhat simpler. Evidence of the attack is obvious and demonstrable through pictures, video, and physical, empirical evidence. In cyber operations, it is not even obvious to most that an attack will have occurred if an important IT system supporting the government has been knocked offline. Even if the damage done was physical, there is a layer of abstraction involved in a cyber attack. If a nuclear reactor is shut down or damaged due to an attack, the immediate impact may not be known to the public. Maybe they will experience brownouts or blackouts, or perhaps there will be a regional evacuation. Even with this information, it's not clear if these are the result of natural causes, human error, or a malicious attack. Such connections and motives are a foregone conclusion with the use of conventional weapons.
- Second, attribution of the attack is more difficult. While there can be challenges, it is generally easier to identify physical weapons in use than cyber weapons. We can track physical people training to use conventional weapons in a remote location, and can track their movements over time. However, cyber environments allow attackers to apply hiding and diversionary tactics which mask their location and/or the route the attack takes to reach the target. Therefore, there is often some more research and investigation necessary to identify the attack source.
- Secondarily, the same thing that makes it difficult to link attack effects with an actual malicious cyber attack makes it incredibly easy for an entity to claim that it has been attacked and provoked into response. Sine this entity needs to be the one that claims and substantiates that it has been attacked even when such activity has occurred, there would be nothing out of the ordinary if the entity were to come forward with claims of an attack that never occurred . . . or which occurred, but is perhaps overstated and/or purposely attributed to the wrong source.
These are just some basic examples of why the Tallinn Manual raises some concerns for its practical application. This recent news story provides perhaps the simplest and most illuminating example of how application of the Tallinn Manual can be problematic. We have seen this and other stories where companies who fail to secure data adequately, turn and attack the person who identifies the vulnerability as "hackers" in the media and in court. In the context of the Tallinn Manual and heightened distrust and aggressiveness between countries such as China and the US, such stories can serve as the basis for escalation of offensive cyber capabilities.