
The physical world battle-space is well known and the parameters defined. Similarly an act of aggression or act of war in the physical sense is just as well defined and accepted. That is not the case when it comes to the cyber battlespace. Federal officials, military leaders, policy scholars and security experts are all looking at this issue and struggling to answer the question — what constitutes an act of cyber war?
Back in 1994 I was asked to define cyber warfare and cyber terrorism. My response happened to end up in the U.S. Army Cyber Operations and Cyber Terrorism Handbook 1.02. Here is what I wrote.
Cyber Warfare & Terrorism is defined as the premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives. Or to intimidate any person in furtherance of such objectives.
With that in mind we used real world events from the recent Georgian conflict to frame this issue and get your opinion.
Scenario:
The Georgian government relocated their President’s website to a server on U.S. soil (in Atlanta, Georgia) and connected to the U.S. Internet backbone. Would an attack on the Georgian President’s web site (hosted within the U.S.) be considered an act of aggression against the United States and ultimately an act of cyber war?
Yes — is one point of view supported by the fact that the attack is against components of the internet infrastructure owned by a U.S. company and located on U.S. soil.
No — is one point of view supported by the fact that the attack is against the web site that represents an individual/leader of a foreign government.
This is a great opportunity for you the reader to voice your opinion and possibly even influence policy makers in Washington. I would encourage the full review of openly available information that may help you formulate your answer.


That is a *very* interesting question.
On the one hand, it is an attack upon a US citizen/corporation which is located on US soil. That would push me to believe that we should treat it as an act of aggression against the United States.
On the other hand, remember what this is, a telecommunications company providing services to a foreign nation. Let’s look at it with some measure of practicality — do we want to commit ourselves to the protection of every foreign government/organization that buys a website for fifty bucks? To what degree are we as a nation exposing ourselves or overextending ourselves? Do we want other nations flocking to put their public government websites on US servers to prevent the threat of cyberwar, like an internet insurance policy?
We could find ourselves in an awkward position if this were to happen. Let’s say that separatist group #4 claims to be the legitimate government of backwardass country #6. They put their “official government-in-exile website” on a server based in the US, along with statements on how they plan to violently overthrow their current government and instructions on how you can help. Do we want to make the US insure the safekeeping of this group’s cyber affairs? (Ideally, diplomatic discussion would cause the US to bring down the site, but since this is a hypothetical, we can say there may be certain factors which limit the speed at which the US can act in this instance).
Honestly, US companies need to know the danger to which they may expose themselves and the responsibilities that they are undertaking when they agree to host a website that may come under attack by a foreign power. If the policy of the United States is “foreign nations are fair game”, then US companies may wish to limit their exposure and deny any high-profile websites that face attack. A company that has a factory in Nigeria undertakes certain risks when it builds that factory — shouldn’t a telecommunications company be aware of those same risks, even if they keep their servers here at home?
The real question is, are we willing to go to war over this? If the Georgian President’s website WERE attacked by Russia, what should our response be? I don’t think the American people are willing to go to war with another country simply because the website for Kreblakistan had 40 million hits in 30 seconds and crashed, even if it made their internet slow down on Tuesday afternoon. I don’t think we have the political will to consider an attack on a US server which happens to host the website of a foreign nation at war to be an attack on the US itself. Not unless it proves to be part of a larger attack that actually is directed at the United States.
So should the US make promises it can’t (or won’t) keep?
I will speak in general terms here, I am not aware of every single aspect involved, but I think I can make a few points still.
Obviously, a country shouldn’t go to war because a website representing some president somewhere was attacked and crashed. I think an “act of cyber warfare” should be re-defined based on an evaluation of the threat posed by an attack. To get such a “scale of threat” I believe treating websites as “legal individuals” should be a basic starting point.
Here’s a situation to get us started. The USA would not go to war if Joe Terrorist shoots one random citizen in the streets and claims he did it for Country X. However, if the same Joe Terrorist shoots an important person of the government, let’s say the President himself, and he again claims to be doing this for this Country X, then chances are the option of going to war with Country X will be taken as a serious option. Same situation ending in two completely different results by switching the targeted person.
I guess the same principle could be applied to websites. Attack and crash a certain website, it’s a “simple” crime. Attack and crash another certain website, and it’s an act of war. Then quantities should play an important role as well, attack and crash 1 or 2 unimportant websites, it’s a “simple” crime. Attack and crash 10–20 thousand unimportant websites, and it becomes an act of war.
See websites as if they were people, legally speaking, and I think you’d be able to build up a fairly efficient definition of “cyber-warfare”.
If anyone sees flaws in this, please, point them out. This is just the best I could come up with.
Hmm, I find this discussion rather strange… if a cyber attack is done, you want to escalate it to full cyber warfare, right? And so want to define when it will be right to do so.
However, in such a unique situation as this, I think the response should go in accordance to the attack. After all, your government has invested a hefty amount of dollars to develop cyber warfare capabilities, so why not put them in use right away against all hacking attempts against US cyber assets? In order to declare a cyber war, you must know where it came from anyway, and when you know just attack them back. If then a government is stupid enough to cry out against the attack, then your government can ask for an explanation of the earlier attack or escalate the conflict.
Anyway, just a thought. If cyber warfare is such a black ground of ops, where anyone may pull out an attack, then why not do it yourselves against identified targets instead of engaging in diplomatic conflicts?
Conlad has a good point…
The only way to really establish a solid definition would be to have a defined environment in which to establish that definition. Else, the variables keep changing pretty much randomly and your definition doesn’t actually mean anything, since anyone can pretty much always find a work-around or a loophole of some kind and exploit that fault to keep attacking you whatever you might say or do.
I guess the cyber-world is just too much like water, a wave can hit you pretty hard, but even if you wanted to, you’d never be able to pick out the exact molecules that inflicted the damage. Too much chaos and unpredictability.
If that’s indeed what we’re facing, we just might have to realize that we will not be able to establish a firm definition that would be in any way effective.
Conlad
The question is — What (as in what act or attack) would rise to the level that a cyber war is declared or breaks out?
Hacking a web site is nowhere near the level I envision. Taking down the ability to process credit and debit cards for more than 1 day does.
The interesting point in the discussion is the relevance of ‘Nation States’ in this debate. Traditional warfare was predicated on recognised States undertaking or threatening hostile acts.
The advent of what is in effect borderless states in the internet world calls into question the traditional notion of Nations going to war.
Any consideration of ‘cyberwarfare’ should be taken in the context of criminality in a cyber environment. Spamming, hacking and other criminal acts are well understood. Would not cyberwarfare be an escalation of that criminality?
The ability to separate out the ‘military’ and ‘criminal’ aspects of cyber attacks relies on a nation undertaking that attack, which leads to the aspect of nations endorsing that activity.
As an Australian where Privacy rights are codified under law, having emails and VoIP communication subject to NSA review is something that could be mistaken for a criminal act against me. Despite the fact that the NSA is permitted under US law to conduct those activities.
I’m new to the idea of cyber warfare, so I won’t pretend to be a subject matter expert.
As a military member, I see the dependence on computers becoming more of a factor in everyday operations than ever. Yesterday my flight’s server went down for maintenance and 85% of the personnel in the building had to stop working. Even in my job, a very basic maintenance job, we depend on at least 2 server databases to process our work orders. If cyber warfare were to take place on a military server, I would absolutely see that as an act of war. But where do you draw the line between an illegal act and an act of war? I mean, Alec posted an extreme, assassinations of U.S. officials. But what effect does cyber warfare have on the body? Can someone inject a virus into a server that could kill a bunch of people? Maybe I don’t know enough about it, but it seems like the collateral damage, from even a large-scale attack, like taking down all US bank servers for a few days to keep people from buying and selling, has minimal impact.
The fact that you can’t even define aggression exposes how ridiculous the entire idea of your cyberwar is Mr. Coleman.
Want to know how to stop a government from hacking a web site? Unplug the damn thing from the net…with a bomb…on their side of the cable. Case closed.
Can you send me one of those fat government paychecks now?
“Want to know how to stop a government from hacking a web site? Unplug the damn thing from the net…with a bomb…on their side of the cable. Case closed.”
Which is fine and dandy for a secure network — stealing critical files should not be possible as they won’t be *on* computers connected to the internet. No matter how good your hacking-fu is, you can’t magic a network cable into existence on the other side of the world.
The problem comes when looking at systems that have to be publicly accessible to be considered ‘working’ — any sort of public information web page, and VoIP telephony servers, are perfect examples. If I can make you disconnect them from the internet, they’re valueless to you and I won.
Ultimately, as noted, it can only be treated in the same way sabotage by a spy/terrorist is treated — (a) how serious was the attack on a third party, (b) what ‘collateral damage’ was done to the host nation, (c) can you identify who — even vaguely — was responsible, and (d) to what degree do you think their host nation/organisation supported, encouraged or planned the action?
So the fact that several of the BOTNET servers that helped launch this DDOS were located in the US has nothing to do with this, RIGHT??? So does the US or some other country attack itself??? Please try to understand the problem before you ask the question.
In the US the complaint is that the Chinese are attacking their infrastructure while in the rest of the world the complaint is that the US is conducting attacks on them. Cyber warfare is completely different from any other form of warfare. An attack can happen without notice, from any location, be anonymous with the support/coordination from multiple sources and in most cases is unprovoked. That is why the US is so unprepared for a Cyber attack. Federal/State/local government agencies are not equipped, trained, or ready on the defensive to deal with these types of issues on a massive scale. Maybe they have had to deal with a handful of cases at one time but nothing of the magnitude of removing the US presence from the Internet. However, that would take some serious coordination from other groups, countries, and insiders for that to happen. However, just the fact that it could happen should get all levels of government to question the state of the security of the US national infrastructure.
Hmm… to make things even more confusing, how will you handle countries that host routers and servers that were forwarding the traffic to the target? It’s not like you have a direct connection between the attacking and victim computers. TCP/IP traffic may take different routes to arrive at the destination. For example, the attack happened on the Georgian website in the USA but the network packets went through Poland and Japan. Would you consider them as aiding parties? The answer is probably NO since you have distinctly defined origin and destination addresses in TCP/IP packets. Hence, you can clearly identify where the packet/traffic came from and who is the attacker.
Here is also another scenario — a less clear one. The attacker is using a bot-net and 90% of the machines used to mount an attack are located outside of the attacking country. So, 90 percent of the traffic will originate from countries that have nothing to do with the attacker. Technically, you won’t even be able to prove that the ATTACKING COUNTRY is behind the attack. Even if you do prove that the attack came from a particular country, you still need to prove that the government was behind it. Anyways, I hope this demonstrates how complex this whole thing is when it comes to the technical aspect of it and there is no ‘cut-and-dry’ approach to solving it.
As for the political/social standpoint, I like Ptsfp’s comparison of cyber-warfare to spy craft. Things are hard to track when it comes to internet and network traffic. The network traffic routing conundrum doesn’t have much in the way of geographic restrictions (that are often used to define an independent state and an act of aggression towards one) associated with it. Spooks are the same way, they aren’t concerned with borders. If a spook from country A gets caught in country B, country B doesn’t declare a war on country A. It simply arrests the spook or expends him/her — no bombs needed!
In case of cyber-warfare, I would think having an ability of unplugging certain countries from international info highway so they don’t disrupt others would be a great idea. This however introduces another set of problems but it would be simple and effective way to isolate offenders.
Maybe this will sound insane, but my best guess at the moment is that the only way to establish a solid definition of cyber-warfare is to do this through complete legislation of the cyber-space, a **census** of all websites, country by country, and the establishment of an individual status for websites and server, similar to the idea of “legal person” used for companies. Once we give “rights” to websites as legal entities, we eliminate most of the questions and we’re able to think in a much clearer way.
Of course, having a census made for every single website is impossible. BUT. Is it really possible anyway to have a census made of every single person in, let’s say, New York City? There would always be some homeless people left out of the database. Same thing here; we would know, through the census, about every single registered website and would be able to establish a series of rights for them.
We can then establish solid legislation concerning the creation of new websites, including mandatory registration of the website at the legal level. You give birth to a new child, you get him/her to exist in the system or else the kid won’t actually have any “right”, legally speaking. Same with websites.
From there, we can very well work our way through. If anything, internet would be a much more orderly place.
Actually, if you think about it realistically. If the attack is harming USA websites too or compromises their security, it’s an attack against us. If it destroys some USA sites’ defenses on the same server, it’s an initial attack against the US. If it only concentrates on the site, blocking and overloading etc., that the server can limit away by removing the site, it’s never an attack against us, as the site is part of a separate conflict. If the attack damages the server or surrounding system physically, it’s a critical attack against USA infrastructure. Basically all attacks are bad attacks, but in war some attacks have to be accepted if they do not expand the war. Under the freedom of information, however, all attacks by anyone against an enemy’s public propaganda are illegal and destructive to humanity itself. Blaaaah. –how do you take this. It’s an attack against EVERYBODY.
I suspect it depends a lot on how much “collateral” damage to your assets and infrastructure the attack causes as to whether it should be considered an attack on your assets and infrastructure. If an attack is of such a magnitude that it significantly impacts on the backbone carrier’s ability to operate, and that carrier is providing civic or commercially-significant services that are compromised, degraded or removed, then I’d say we have an aggressive act.
Of course, the key word here is “significant”, and that extent can change depending on how critical and/or costly the disruption of service is.
Then of course comes the problem of proving it. If you’re going to go to war — “cyber” or otherwise — with another power, then you need to have your casus belli worked up to a point of high plausibility. That kind of thing could be relatively difficult to prove in a decentralised environment, unless someone’s being quite blatant about things.
It’s certainly a call for improving security across the board, and providing extra insulation for trusted infrastructure, in any case.
Buried in the bowels of today’s News…
http://www.cbsnews.com/stories/2008/08/20/tech/main4368749.shtml
I think you will have to treat this as an Embassy issue.
You are going to have to cede a legal, embassy classification to that server, so, you will prob have to have a physical, dedicated spot for the server.
This gives it legal standing as a foreign diplomatic agent, so attacking a sponsored server would equate to attacking a legal attache.
That would make the host country unable to read, change, or even unplug the server.
Kinda changes the meaning of a diplomatic packet!
Hey cyber so called experts! Why is a DEMOKRAT literally more popular during wartime than a REPUBLIC NAM VET And seems to be the new(lak) President.… It’s def.. an inside thing right
aoc gold, are you just trying to disturb someone with your worthless posts??? I bet you visit teamguynetwork.com… Remember Broadband and security issues…
Anything that doesn’t belong to an id or server that isn’t authorized to add itself, is an attack in my mind..
Yes, it’s an attack if the Russians hack into the Georgian website hosted on US servers, because the Russians should know what they are hacking into. And if they are hacking into US networks then the country is not safe from foreign invaders and the military should be ready to cybershoot back (if the attack cannot be thwarted) but hold until the President gives the order. And when the President gives the order the military will apply an equivalent cybershot to the one that was taken when the US was attacked by the Russians in the scenario in the 1st place. Maybe they will hack into the Russian network and make the Russian president’s personal computer show nothing but http://spongebob.nick.com/ for a whole hour. Yes, it’s an attack, shoot back.