“Right after I graduated, I interned with the Arms Control Association. It was terrific.”
Weighing the Case For a Convention to Limit Cyberwarfare
Cyberattack is emerging as a new type of nonlethal weapon that can cause substantial harm to society, especially when used in its most advanced version by countries at war. It may be time to consider an international convention to limit the initiation of such use, particularly against targets that are part of critical national infrastructure and are basically civilian.
Cyberattack refers to offensive actions to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information or programs resident in or transiting these systems. Its purpose is to mislead or disable an important network-dependent activity. A passive form of attack is cyberexploitation, which gathers intelligence information. A flip side of cyberattack is cybersecurity, which undertakes, through procedural and technical means, to defend against cyberintrusions. The concern addressed in this article relates primarily to the offensive and destructive version of cyberattack by one state against another state’s critical infrastructure. There have been proposals to reduce the threat of cyberwarfare through an arms control agreement; some of the key issues underlying the pursuit of such an agreement are examined in this article.
The threat of serious cyberattack by state or nonstate actors has been on the
Attacks much more harmful than DDOS, with cascading effects, are technically feasible and are assumed to be under development, certainly at the state level. A characterization of the threat potential appears in a recent National Academy of Sciences (NAS) study of cyberattack as a weapon of war.[3] The threat, according to the study, is expected to grow in scope and sophistication.
As the United States continues to look for ways to protect its civil cyberdomain, it also has been actively pursuing, through its national security agencies, efforts not only to protect its own cyber-based military systems but also effectively to attack the cybersystems that are integral to a potential enemy’s military capacity. The focus of the latter is on military and military-relevant targets but also may include components of an enemy’s national infrastructure as a target of strategic information operations.[4] The U.S. offensive programs are very sensitive and thus never openly referenced in any of the last three presidents’ public reviews of cybersecurity. Yet, they will be a background factor, possibly an important one, as the
More than 10 years ago, the concept of an arms control agreement was examined as part of a broader government-sponsored program at
Such a review could be fairly wide-ranging because the targets potentially vulnerable to cyberattack are extensive and varied. This article will be limited to the major question of how an agreement might restrict cyberattack by one state-party against the critical national infrastructure of another and to the pros and cons of such restrictions from a
Existing Legal Limits
Several studies have examined what restrictions the present laws of war and other, less directly applicable agreements would place on cyberattack, including one directed at critical national infrastructure.[9] There is no clear answer, and specific cases would turn on the details of the attack and arguments over the proportionality of anticipated military effect and civilian harm. The self-defense article of the UN Charter would lessen the need to demonstrate military necessity or obtain Security Council approval to carry out retaliation-in-kind and active defense in response to a cyberattack, although consideration of proportionality would remain a restraining factor.[10] Attempts to use the current laws of war to build a body of precedents for restricting cyberwarfare would be protracted, hopefully by the infrequency of wars, and have an uncertain outcome. Further, this approach would not have the normative value of an explicit agreement.
The NAS study examined whether peacetime cyberattack directed at components of another state’s infrastructure might be configured to fall below the threshold of an act of war (jus ad bellum). Such use would add to the
A central question is whether the
• Can the
• Can the
• Is the normative value of an international agreement that is at best self-verifying[12] worth the limitation it would place on the United States, and can other states-parties be expected to conform their offensive decisions to the restrictions of such an agreement?
Protection Without an Agreement
The cybervulnerability of various elements of critical
Unfortunately, no periodic national report card characterizes the state of the threat and assesses the overall progress being made in protecting the infrastructure, but the conclusion of the latest high-level review is that
Given this history and this basic impediment, it seems unlikely, certainly over the medium term, that national measures alone can achieve a strengthened
Cyberattack Capability
Do
• Because the outcome of a cyberattack depends on the minute details of the target’s configuration at the moment of attack and cannot be reliably predicted, such attacks are not a first-line offensive tool.
• Secondary and tertiary systemic and socioeconomic effects of an attack will often be more important than the initial effect. Because projecting these effects requires difficult-to-obtain specialized knowledge of the interdependence of the systems involved, such estimates will be unreliable. This latter consideration also makes it more difficult to project and control collateral damage.
• Because the hardware and software subsystems and operating procedures of a complex network are not permanent, maintaining a reliable attack capability may necessitate periodic digital probing, with its risks of discovery, premature exposure of target vulnerabilities, and installation by adversaries of measures to defeat the capability.
The
The NAS study notes the argument that it is too early to consider limiting cyberattack against infrastructure as a military option because the technique is in its developmental stages. The study observes, however, that this stage is also the time of policy flexibility before a significant internal constituency has formed, in the
Because these considerations collectively are inconclusive, the basic question remains open within the public debate.
A Cyberattack Convention
To be acceptable to the
• Military applications of cyberwarfare are useful and may become quite important. The
• The
• Barring a major breakthrough, compliance with any restrictions on use will be very difficult to verify in any reasonable time, owing to the considerable technical difficulty of forensic analysis and of tracing an attack’s origin. Furthermore, treating all levels of attack as possible violations would overwhelm any
Considering these factors, the most practical convention would be multilateral and directed at first use and intent. It would set thresholds on the scale, duration, and severity of attacks and stipulate that exceeding any of the thresholds constituted a violation of the convention; reinforce the requirement for proportionality in anticipated effect on civil society; and preclude assistance to others in conducting prohibited attacks. No cooperative verification measures should be attempted, other than agreement by all parties to cooperate in the investigation of a claim of violation. Such cooperation is vital because some of the pertinent information will reside in third countries.
Arms Control Models
Table 1 lists the five major multilateral arms control agreements in which the
Latency risk is a function of time. Given the estimated capabilities of a party, what is the time scale for that state to create, re-establish, or conduct the particular prohibited capacity or activity? High risk means short time. For example, the time from intention to action for a party to use incendiary weapons against prohibited targets (Protocol III of the Convention on Certain Conventional Weapons [CCW]) is immediate. Based on available know-how, records, stored equipment, and the permitted prophylaxis or defense reserves, the time for
Table 1 also estimates the importance of a breach from a
Assuming a breach would necessitate some form of quid pro quo response, a state can offset high latency risk by devoting resources to maintaining a reasonable latent capacity itself. The decision to conduct such a response would depend on the importance of the particular breach at the time it occurs.[21]
The latency risk accompanying a convention to limit cyberattack directed at critical national infrastructure would be high. Special preparatory actions would be required for a specific attack, but the overall capability would exist in the agency responsible for information operations. There would be some capability at the technology level within the civil sector, but it would require a longer development time and hence have a smaller latency risk. The security and political importance of a breach would be high.
The agreements in table 1 are the most relevant models for a cyberattack convention because they all contain no-first-use commitments. In addition, four of the five agreements define the prohibited weapon, and the ENMOD Convention describes the proscribed techniques and effects by example. Other than the inferred laws of war protection of noncombatants, none except for the CCW, in two protocols, defines a protected class of target. Only the ENMOD Convention sets standards in terms of scale, duration, or severity of unacceptable damage and constrains parties from assisting others in conducting the prohibited actions. The latency risk varies among the five, as does the import of breach, although none have high import.
By adding a definition of a protected class of target, namely, specified components of critical national infrastructure, the ENMOD Convention may be the closest model for a limited cyberattack convention. The two differ in one important way: the latency risk and the security import of a breach are judged to be low for environmental attack, whereas both are high for cyberattack. Nevertheless, the ENMOD Convention model may be a useful starting point for negotiation of a limited cyberattack convention.
Conclusion
The
On the other hand, the
Balancing these conflicting objectives will require a full debate and executive decision. This process will have to be carried out by a special high-level government group because of the sensitive and fragile nature of certain aspects of the information involved.
One model of a convention that could serve as a starting point would commit the parties to no-first-use of cyberattack directed at elements of another party’s critical infrastructure if the disruption from that attack was intended[22] to be widespread, long-lasting, or severe. One reason for these thresholds is to differentiate continuing, manageable lower-level attacks from those that constitute a serious violation by a state-party. All the terms in this commitment could be defined in an Understanding Annex, as in the ENMOD Convention, and would be the subject of negotiation. The convention would also preclude assistance to others in conducting prohibited attacks.
Because the cyberthreat is evolving rapidly and is difficult to define, any proposed solution is very unlikely to address the problem effectively for the long term or perhaps even the medium term. On the other hand, it may be important to constrain this form of warfare in the relatively early stages of its development. The type of limited convention described in this article strikes an appropriate balance by establishing some important initial parameters that could serve as the basis for more comprehensive agreements in the future.
David Elliott is an affiliate of the Center for International Security and Cooperation at
ENDNOTES
1. Mark Landler and John Markoff, “Digital Fears Emerge After Data Siege in Estonia,” The New York Times, May 29, 2007, www.nytimes.com/2007/05/29/technology/29estonia.html; John Markoff, “Cyber Attack Preceded Invasion,” Chicago Tribune, August 13, 2008, http://archives.chicagotribune.com/2008/aug/13/business/chi-cyber-war_13aug13; Siobhan Gorman and Evan Ramstad, “Cyber Blitz Hits U.S., Korea,” The Wall Street Journal, July 9, 2009, http://online.wsj.com/article/SB124701806176209691.html.
2. The White House, “Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure,” n.d., www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf (hereinafter White House cyberspace policy review); Office of the Press Secretary, The White House, “Remarks by the President on Securing Our Nation’s Cyber Infrastructure,” May 29, 2009, www.whitehouse.gov/the_press_office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure/ (hereinafter Obama cyber infrastructure remarks).
3. William A. Owens, Kenneth W. Dam, and Herbert S. Lin, eds., “Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities,” National Research Council, 2009 (hereinafter NAS study).
4. Gregory J. Rattray, Strategic Warfare in Cyberspace (
5. John Markoff and Andrew E. Kramer, “
6. Kevin Soo Hoo,
7. Kevin J. Soo Hoo et al., “Workshop on Protecting and Assuring Critical National Infrastructure: Setting the Research and Policy Agenda,” October 1997, http://iis-db.stanford.edu/pubs/10354/it5.pdf.
8.
9. For a summary of this extensive literature and further development of the subject, see NAS study, section 7.
11. In an arms control agreement, a government typically decides to accept a reduction in some aspect of its military capability so that it can better protect its military personnel and assets, as a result of the other side’s comparable military reduction. Although such tradeoffs may be difficult to assess, they are generally less difficult than those, such as the type under discussion in this article, in which the reduction in military capability must be weighed against the benefits to civilian populations and infrastructure. A further complication in the case of assessing the value of a cyberattack agreement is that the level of civilian damage and the value of the forgone military capability are difficult to quantify at this stage of cyberattack development.
12. Self-verification means that individual states determine the compliance of another state without help from any international entity, such as the International Atomic Energy Agency, or trustworthy cooperation from a suspected miscreant, but may include some input from an ally on a bilateral basis.
13. The White House, “Report of the President’s Commission on Critical Infrastructure Protection,” October 1997, http://lccn.loc.gov/98113463.
14. The White House, “Defending America’s Cyberspace: National Plan for Information Systems Protection Version 1.0: An Invitation to a Dialogue,” January 2000, http://clinton5.nara.gov/media/pdf/npisp-fullreport-000112.pdf; The White House, “The National Strategy to Secure Cyberspace,” February 2003, www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf; Obama cyber infrastructure remarks.
15. White House cyberspace policy review.
16. Joint Chiefs of Staff, “Information Operations,” Joint Publication 3-13, February 13, 2006, www.dtic.mil/doctrine/jel/new_pubs/jp3_13.pdf.
17. John Markoff and Thom Shanker, “Halted ‘03 Iraq Plan Illustrated U.S. Fear of Cyberwar Risk,” The New York Times, August 2, 2009, www.nytimes.com/2009/08/02/us/politics/02cyber.html; Joint Chiefs of Staff, “Information Warfare: A Strategy for Peace, the Decisive Edge in War,” USGPO Doc. D 5.2:IN3, 1997, http://handle.dtic.mil/100.2/ada318379.
18. NAS study, pp. 1-25 – 1-26, 2-39.
20. Red-teaming is a technique used in the development of military systems in which an independent friendly force undertakes to defeat a system and thereby identifies vulnerabilities that must be fixed. In the case of the Eligible Receiver project, government experts, using public information, analyzed and probed certain civil operational systems and found that many of them, thought to be secure from cyberattack, could be penetrated. See www.globalsecurity.org/military/ops/eligible-receiver.htm; John Hamre, interview, Frontline, PBS, February 18, 2003.
21. A good example of sensitivity to the circumstances of a breach is
22.