With "Cyber" Attacks, Effects Matter More Than Means

I enjoyed reading Stuxnet Poses Interesting International Cyber Law Issues by Rick Aldrich in IAnewsletter Vol 14 No 2 (pdf). I've known the author since my days in the USAF and he's very clued-in as a CS grad from USAFA and a lawyer who worked for AFOSI. I'd like to share a few excerpts. Please try to avoid fixation on Stuxnet if that topic bothers you. Stuxnet is not the core of Alrich's argument.

Article 51 of the United Nations (UN) charter states in pertinent part, “Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations.” [8]

So can a cyber attack, such as that evidenced by Stuxnet, constitute an “armed attack?”

Clearly at the time Article 51 was written, in August of 1945, such an attack was never envisioned. Traditionally the term “armed attack” has connoted a kinetic attack – missiles, bombs, bullets and the like – but it has never been definitively defined.

Incidents like the cyber attacks against Estonia in 2007 and against Georgia in 2008 have prompted renewed interest in defining if or when a cyber attack can also constitute an “armed attack.”

International legal scholars are increasingly moving away from the means of attack and instead looking to the effects.

The test would be whether the effects of the attack are similar to those of a kinetic attack.

Cyber attacks that result in physical damage, such as the destroyed centrifuges in the case of Stuxnet, may be pulled under the rubric of an armed attack, though this approach does not rule out attacks resulting in non-physical effects if the harm is substantial.

This is fascinating, because it makes "cyber" less relevant and requires judgement regarding the consequences of an event. Clearly physical harm takes precedence here, but the underlined portion shows that even digital events without physical harm could still be considered attacks, in the eyes of legal experts.

The article raises other interesting points, such as options for Iran, but I wanted to emphasize the points I listed above.

Comments

Dodgy_Coder said…
Interesting questions here - I agree that at the time of writing the UN charter, the concepts of cyber warfare were obviously not on the radar. When you look at their potential effects on a countries infrastructure, not least of which the internet itself and communications technology, you'd have to conclude that cyber attacks could become just as potent as kinetic attacks.
10:29 AM
Anonymous said…
In Soviet Union times the Nato put really powerful TV broadcast stations along the border.
In modern times the most powerful weapon is news. It is not the banking, banking is a very strong, but artificial dependency, at least in Estonia.

There are legends that perhaps the most powerful cyber attack was in 1982 from CIA to soviet union, that created the worlds most powerful non-nuclear explosion, gas lines controllers were modified. I do not know if they are true.

Another interesting case is Latvia. Somebody copied all of the income tax information and published information on some politicians. The real question was not about what was published, but what other politicians had to do so that they would not to be published.

Juhani
11:06 AM
kurt wismer said…
it doesn't really surprise me that the legal domain would care more about the effects than the methods. they seek to balance out misdeeds with punishments in the name of justice, and in order to achieve such a balance they have always focused on the amount of harm done such that more harm begets more punishment.

defenders, on the other hand, still need to know about methods. countermeasures are so called because they counter the measures of others. effects (or potential effects) should obviously inform their decisions about what to prioritize, though.
1:04 PM
Anonymous said…
Ricks name is misspelt in the first paragraph
10:42 PM
The Ubiquitous Mr. Lovegroove said…
This is an extremely dangerous slippery slope. If the concept of "let's look just at the effects" is really embraced, then any economic activity that causes distress for another nation is casus belli. Say, OPEC cartel jacks up the oil price and Europeans feel that this is destroying their economy, is it OK to invade?

What if someone frames Iran for taking down a NYC water grid for an hour, can US then legally nuke them?
These are extreme examples and surely there are flaws, but I wanted to make a point: traditional (kinetic + NBC) warfare has had a long history and we've arrived at a point where global wars are no longer fought, partially, because we have a good set of rules for these kinds of activities based on centuries of refinement.

Cyberwar should not be governed by the same rules, just because there is "war" in it. If anything, I would rather see it governed by WTO than UN.
7:12 AM
geekyone said…
Very interesting concept but I wonder under such a system would a potential effect be rated the same as an effect? If you don't take into account ineffective attacks due to an unsuccessful attempt but with a potentially huge impact, countries could keep just keep attacking and the defending country would have no legal standing to retaliate until the offending side succeeded in potentially crippling them. On the flip side how would you rate the credibility of an unsuccessful attack? As most of the readers on this blog probably know an unsuccessful attack that theoretically could cause a major impact is fairly common but in reality an attack that actually causes a major impact is a lot less common.
8:11 AM
Anonymous said…
Certainly I'll be reading the article, and I agree that effects are important.

But I'm still not comfortable at all lumping cyber attacks (or any digital mischief) with kinetic attacks.

I'm actually a little more interested in what the intelligence/espionage community would say on such topics, since I think it fits more into their models of behavior than militaristic activity.

I'm sure the problem of attribution will come up at some point. It's pretty clear when a kinetic attack happens who is behind it and it's very clear when it happens (ok, some unofficially-sponsored groups are exceptions).

-LonerVamp
11:17 AM
Anonymous said…
This question is similar to one that has popped up many times over the years in the traditional electronic warfare sphere.

An enemy EW vessel at sea, that's otherwise unarmed in the kinetic sense is causing serious disruption to my vessel's radar and communication systems, and therefore its combat capability.

Is the enemy EW vessel considered to be a combatant? If not, what if hostile aircraft are also on an inbound track to my vessel's position?
9:19 AM
ben said…
A longer paper on the legal aspects of if cyber can be considered 'armed attack':

http://www.au.af.mil/au/ssq/2011/spring/dunlap.pdf
8:15 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more