The Cyber Nervous Nellies
By Rachel Ehrenfeld
Friday, April 19th, 2013 @ 1:40PM
In the hands of the well trained, wireless digital devices have the potential to create many nightmare scenarios. Yet, the Federal Aviation Administration is considering more flexible rules to allow the use of e-readers during takeoff and landing, not only during flight.
To prevent the devices from interfering with the cockpit information display or affecting the auto-pilot, users would be required to put their e-readers on “airplane mode,” thus temporarily disabling wireless functions. This sounds reasonable enough, doesn’t it?
Apparently those who are advocating the relaxation of the rules are expecting the flight crews to enforce the new rules and all passengers to comply. A more realistic scenario, if the rules are relaxed, is of a wireless device used to interfere with the plane’s avionics, causing it to crash. So why does the FAA even consider this?
Because the hysteria over defense against cyber attacks is rising, ignoring the dramatic escalation in cyber attacks against the U.S. In the first quarter of 2013, “40.68% of DDoS …were believed to be from China, compared with 30.59%” in 2012. “The next highest source countries were Germany (10.59%), Iran (5.51%) and India (5.01%).”
Nonetheless, those who seem afraid of defending themselves are working hard to leave us defenseless.
The gist of it is that the Administration’s and policy intellectuals’ concern over cyber attacks has led to a way of thinking in which defense against cyber attack would elevate the risk of exposing private information and could also lead down the slippery slope to traditional war, as long as armed attack is entertained as one of the possible responses to cyber aggression.
Some of this point-of-view comes from the supporters of international law who believe that policies cannot move forward without deference to law. The international laws of war are based on territorial operations, but cyberspace exists nowhere in particular. Accordingly, adapting the laws of war to cyberspace is particularly difficult. For the Nervous Nellies among us the questions that cyberspace raises seem to be more about the problems of law than the problems of reality. Cyber as a weapon of war is here, whether the law likes it or not, and dealing with it should not be a matter of the law first and reality second. The law needs to get out of the way.
As former Attorney General Michael Mukasey pointed out during ACD’s Capitol Hill briefing last July, there is no real definition of aggression in international law, the UN charter or anywhere else.
But we know it when we see it. For example, an explosion of a nuclear device 50 miles above the center of the United States that shuts down the country’s electrical grid would surely be an act of aggression that could well justify an armed military response. However, the response would be influenced by prudential judgments and would depend on who the perpetrator was. Armed attack may not be the best response–whereas tit-for-tat might: “You shut down our grid, we’ll shut down yours.”
International law does not dictate to the world what aggression is and isn’t. Aggression in its many forms, old or new, has to be dealt with in policy, and policy makers don’t need legal opinions. They need judgment to deal with previously unimagined realities.
Two things seem to bother the Nervous Nellies most about cyber defense. The first is the U.S. use of Stuxnet. The second is the unofficial NATO document, the “Tallinn Manual on the International Law Applicable to Cyber Warfare.”
The Nellies seem to regard the use of Stuxnet against Iranian centrifuges as an act of aggression (or close enough to it to make them VERY nervous). This would seem to disallow a cyber response to Iran’s violations of the Nonproliferation Treaty Tehran claims to respect. Clearly, the Nellies don’t care, or think that Iran should be allowed to develop its nuclear weapons.
We used Stuxnet! Didn’t Iran’s attack on U.S. banks last fall constitute an act of aggression? But the Nellies are worried that the U.S. is violating international law rather than facing up to reality.
Regarding NATO’s informal Tallinn Manual, the Nellies blame certain out-of-control international law experts (U.S.-led, of course) for “blurring the lines between war and peace.” Once again, this point-of-view presumes that anyone knows where the lines between war and peace are. And it presumes that we have to think legal before we think of defending ourselves when a new threat arises.
We, however, consider that all options are appropriate to defend ourselves against and to deter cyber attacks. Cyberwarfare has already proven destructive to our property, economy, and even our lives.
“Future Cyber attacks – this is the shape of things to come,”
This is plainly inaccurate. What about military and other defense networks? (If, during a kinetic conflict, a foreign enemy uses cyber to interfere with our command and control are we going to ask the private sector to help?) Moreover, it presupposes that the government is inclined to use the private sector to fight its cyber battles.
While the Obama administration wants information on cyber attacks from the private sector, it has proposed nothing that would allow the private sector to commit cyber or any other kind of offense in defending its networks against cyber attacks. In fact, it warned the private sector not to counter such attacks.
Earlier today, the House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA), on a bipartisan vote of 287-127 with 18 representatives not voting.
Rep. Mike Rogers (R-Mich.), Chair of the House Intelligence Committee, who reintroduced the bill together with Rep. Dutch Ruppersberger (D-Md.), stated: “I am very proud that so many of my colleagues were able to look past the distortions and fear mongering about this bill, and see it for what it really is — a very narrow and focused authority to share cybersecurity threat information to keep America safe.” Nevertheless, the White House, for the second time, vowed to veto the bill.
It is no secret that the government needs the resources of the private sector to stop and deter cyber threats. A lot of time has been wasted already. If the government cannot help the private sector, it should get out of the way and allow it to increase the pace of developing the proper means to protect itself and us.
Statements such as “the US has allowed the laws of the market to govern its digital infrastructure” place the blame for cyber threats on us. This is not an uncommon thought among the Nervous Nellies, who seem to prefer other models of proceeding, European, Russian, Chinese and/or UN, to control the Internet.
Future Cyber attacks – this is the shape of things to come
April 13, 2013
The attack came via ordinary email, when selected South Korean companies received messages supposedly containing credit card information in the middle of the week before last.
Recipients who opened the emails also opened the door to the enemy, because it was in fact an attack from the Internet. Instead of the expected credit card information, the recipients actually downloaded a time bomb onto their computers, which was programmed to ignite on Wednesday at 2 p.m. Korean time.
At that moment, chaos erupted on more than 30,000 computers in South Korean television stations and banks. The message “Please install an operating system on your hard disk” appeared on the screens of affected computers, and cash machines ceased to operate. The malware, which experts have now dubbed “DarkSeoul,” deleted data from the hard disks, making it impossible to reboot the infected computers.
According to Spiegel online international, DarkSeoul was one of the most serious digital attacks in the world this year, but cyber defense centers in Western capitals receive alerts almost weekly. The most serious attack to date originated in the United States. In 2010, high-tech warriors, acting on orders from the US president, smuggled the destructive “Stuxnet” computer worm into Iranian nuclear facilities.
The volume of cyber attacks is only likely to grow. Military leaders in the US and its European NATO partners are outfitting new battalions for the impending data war. Meanwhile, international law experts worldwide are arguing with politicians over the nature of the new threat. Is this already war? Or are the attacks acts of sabotage and terrorism? And if a new type of war is indeed brewing, can military means be used to respond to cyber attacks?
The War of the Future
A few days before the computer disaster in Seoul, a group led by NATO published a thin, blue booklet. It provides dangerous responses to all of these questions. The “Tallinn Manual on the International Law Applicable to Cyber Warfare” is probably no thicker than the American president’s thumb. It is not an official NATO document, and yet in the hands of President Barack Obama it has the potential to change the world.
The rules that influential international law experts have compiled in the handbook could blur the lines between war and peace and allow a serious data attack to rapidly escalate into a real war with bombs and missiles. Military leaders could also interpret it as an invitation to launch a preventive first strike in a cyberwar.
At the invitation of a NATO think tank in the Estonian capital Tallinn, and at a meeting presided over by a US military lawyer with ties to the Pentagon, leading international law experts had discussed the rules of the war of the future. International law is, for the most part, customary law. Experts determine what is and can be considered customary law.
The resulting document, the “Tallinn Manual,” is the first informal rulebook for the war of the future. But it has no reassuring effect. On the contrary, it permits nations to respond to data attacks with the weapons of real war.
Two years ago, the Pentagon clarified where this could lead, when it stated that anyone who attempted to shut down the electric grid in the world’s most powerful nation with a computer worm could expect to see a missile in response.
A Private Digital Infrastructure
The risks of a cyberwar were invoked more clearly than ever in Washington in recent weeks. In mid-March, Obama assembled 13 top US business leaders in the Situation Room in the White House basement, the most secret of all secret conference rooms. The group included the heads of UPS, JPMorgan Chase and ExxonMobil. There was only one topic: How can America win the war on the Internet?
The day before, Director of National Intelligence James Clapper had characterized the cyber threat as the “biggest peril currently facing the United States.”
The White House was unwilling to reveal what exactly the business leaders and the president discussed in the Situation Room. But it was mostly about making it clear to the companies how threatened they are and strengthening their willingness to cooperate, says Rice University IT expert Christopher Bronk.
The president urgently needs their cooperation, because the US has allowed the laws of the market to govern its digital infrastructure. All networks are operated by private companies. If there is a war on the Internet, both the battlefields and the weapons will be in private hands.
This is why the White House is spending so much time and effort to prepare for possible counterattacks. The aim is to scare the country’s enemies, says retired General James Cartwright, author of the Pentagon’s current cyber strategy.
Responsible for that strategy is the 900-employee Cyber Command at the Pentagon, established three years ago and located in Fort Meade near the National Security Agency, the country’s largest intelligence agency. General Keith Alexander heads both organizations. The Cyber Command, which is expected to have about 4,900 employees within a few years, will be divided into various defensive and offensive “Cyber Mission Forces” in the future.
Wild West Online
It’s probably no coincidence that the Tallinn manual is being published now. Developed under the leadership of US military lawyer Michael Schmitt, NATO representatives describe the manual as the “most important legal document of the cyber era.”
In the past, Schmitt has examined the legality of the use of top-secret nuclear weapons systems and the pros and cons of US drone attacks. Visitors to his office at the Naval War College in Rhode Island, the world’s oldest naval academy, must first pass through several security checkpoints.
“Let’s be honest,” says Schmitt. “Everyone has treated the Internet as a sort of Wild West, a lawless zone. But international law has to be just as applicable to online weapons as conventional weapons.”
It’s easier said than done, though. When does malware become a weapon? When does a hacker become a warrior, and when does horseplay or espionage qualify as an “armed attack,” as defined under international law? The answers to such detailed questions can spell the difference between war and peace.
James Lewis of the Washington-based Center for Strategic and International Studies (CSIS), one of the country’s top cyberwar experts, is somewhat skeptical about the new manual. He sees it as “a push to lower the threshold for military action.” For Lewis, responding to a “denial of service” attack with military means is “really crazy.” He says the Tallinn manual “shows that you should never let lawyers go off by themselves.”
Claus Kress, an international law expert and the director of the Institute for International Peace and Security Law at the University of Cologne, sees the manual as “setting the course,” with “consequences for the entire law of the use of force.” Important “legal thresholds,” which in the past were intended to protect the world against the military escalation of political conflicts or acts of terror, are becoming “subject to renegotiation,” he says.
According to Kress, the most critical issue is the “recognition of a national right of self-defense against certain cyber attacks.” This corresponds to a state of defense, as defined under Article 51 of the Charter of the United Nations, which grants any nation that becomes the victim of an “armed attack” the right to defend itself by force of arms. The article gained new importance after Sept. 11, 2001, when the US declared the invasion of Afghanistan an act of self-defense against al-Qaida and NATO proclaimed the application of its mutual defense clause to come to the aid of the superpower.