Cyberwarfare and Collateral Damages[1]

 

By Edoardo E. Artese and Valentin Vitkov

 

Edoardo E. Artese is a lawyer in Milan (Italy) and Madrid (Spain), working between Milan (Italy) and Bangkok (Thailand). He is a founding member of DirtICTo, an Italian association of IT experts. He collaborates with Milan State University, faculty of law, chair of legal informatics and with University of Cagliari, chair of Computer E new technologies law and ICT for law & forensics. His areas of interest are business law, Intellectual propriety law and information and telecommunications technologies. He graduated in law with a copyright law thesis on Databases. He speaks Italian, Spanish, English and a little bit of Thai.

 

Valentin Vitkov collaborates with a law firm in Milan, Italy. He collaborates with Milan State University, faculty of law, chair of legal informatics. His areas of interest are the relationships between law and information and telecommunications technologies. He graduated in law with a copyright law thesis on Creative Commons Licenses. He speaks Italian, Bulgarian, English and French.

 

Both authors have written many articles about information technology aw and they are often speakers in conference about IT law.

 

Published November/December 2015

 

 

1.     Introduction

The purpose of this paper is to offer an introductory overview on the collateral damages of cyberwarfare. This paper offers an overview on cyberwarfare with focus on collateral damages and the role of victims.

 

Cyberwarfare is a new type of warfare that poses numerous challenges. First, the article outlines basic definitions of cyberwarfare and cyber weapons proposed so far, and it outlines the international legal framework. Second, the article addresses collateral damages and the role of victims including illustrations of two paradigmatic cases of widely known cyberattacks.

 

2.     What is Cyberwarfare?

Cyberwarfare is a complex phenomenon and raises many questions regarding definitions, differences with reference to other warfare, and finally compatibility with ius ad bellum and ius in bello international law. Some questions may be solved interpreting existing law, others remain open and without a clear solution.

 

Such complexity depends on the fact that attacks may differ sensibly depending on the final target, scope, hardware and software tools used. They all have in common to exploit computer systems and networks in order to achieve a military advantage. Considering the wide range of information technologies, scopes and targets, it is quite difficult to provide a comprehensive definition.

 

To date there are several attempts to define cyberwarfare:

 

 

We may see that as time passes more details of the phenomenon are considered.[6] Some similarities may be noticed in such definitions or the definition of the much wider concept such as “information war,”[7] which might be found in the Annex I of the Agreement between the Governments of the Member States of the Shanghai Cooperation Organization on Cooperation in the Field of International Information Security: “confrontation between two or more states in the information space aimed at damaging information systems, processes and resources, critical and other structures, undermining political, economic and social systems, mass psychologic[al] brainwashing to destabilize society and state, as well as to force the state to taking decisions in the interest of the opposing party.”[8]

 

However, it is important to recognize that information war (information warfare) and cyberwarfare are two different concepts.

 

3.     Difference between Cyberwarfare and Other Types of Warfare

Cyberwarfare differs from other types of warfare in many aspects. We highlight some of them.

 

First, cyberwarfare immediate targets are computer systems and networks and most cyberattacks are conducted through computers and computer networks. Nonetheless, computer systems and networks may be used to target physical systems and produce physical damages, death and injury. Second, cyberwarfare attacks may be planned to be executed in a very short lapse of time. Third, cyberwarfare activities, given how computer networks and particularly the Internet are designed, may be routed through many territories, hence complex problems regarding law of neutrality arise. Fourth, some cyberwarfare activities, aimed at creating kinetic attacks, may use the hardware and weapons of the enemy in order to execute the attack by remote controlling them. Fifth, most cyberwarfare attacks may be launched in stealth mode, i.e. without identification of the attackers. And finally, many cyberwarfare activities may require the use of many computer techniques and technologies and malware or the exploitation of vulnerabilities in the targeted computer systems, as well as social engineering techniques in order to gain access to computer systems and networks.

 

Sometimes such activity requires an extensive study and design, a lot of programming and a multidisciplinary approach. A lot of investments and preparation may be needed for attacks that rarely may be launched more than once or replicated.

 

4.     Cyberweapon: Definitions and an Example of Software Used

One important question is whether the tools used for most cyberwarfare activities and attacks are to be considered weapons. Such problem has implications with regard to all international law dealing with armed attacks, use or threat to use the force and how to conduct hostilities. With regards to such aspect, two different points of view are to be highlighted. According to the first, a tool (hardware equipment or computer code) is a weapon on the basis of its objective possibility to cause harm or to allow the execution of an attack. An example of such type of definition is: “a cyber weapon is the combination of a propagation method, exploits, and a payload designed to create destructive physical or digital effects.”[9]

 

The second approach requires to evaluate user’s or designer’s purpose in order to decide whether the tool (or tools) used are to be considered a cyberweapon: “a part of equipment, a device, or any set of computer instructions, used in a conflict among actors both National and non-National, with the purpose of causing (directly or otherwise) physical damage to objects or people, or of sabotaging and/or damaging in a direct way the information systems of a sensitive target of the attacked subject.”[10] Or, similarly, “cyber weapons are cyber means of warfare that are by design, use, or intended use capable of causing either (i) injury to, or death of, persons; or (ii) damage to, or destruction of objects, that is, causing the consequences required for qualification of a cyber operation as an attack.”[11]

 

Other authors define cyberweapon as a subset of weapons: “computer code that is used or designed to be used with the aim of threatening or causing physical, functional or mental harm to structures, systems or living beings.”[12]

 

To date, there are numerous examples of cyberweapons. We will focus on what appears clearly to be an example of cyberweapon, regardless of the approach and point of view: Stuxnet.[13]

 

Stuxnet is a complex malware designed to search for a particular controlling system of specific industrial processes located in a closed network. Upon identification and penetration of such system, the malware was designed to damage a specific type of turbines and so to create physical damage bypassing human and automated controls of the target industrial plant. The effect is similar to the one obtainable by destroying such turbines with conventional weapons (so called kinetic attack) during a traditional warfare activity.

 

The features of the complex malware and the deep knowledge of the target systems indicate that it was specifically designed software, created by multidisciplinary team relying on a particular knowledge of the industrial processes that governed the target system.[14] As we shall see later, it seems that the malware was designed to comply with most norms of international law.

 

5.     Main International Law Issues Regarding Cyberwarfare

Analysis of the phenomenon and definitions of the concept are important in order to deal with important international law issues, particularly with the ius ad bellum[15] and the ius in bello[16] norms.

 

For what ius ad bellum is concerned, primary problems are whether cyberwarfare is to be considered use of the force according art. 2(4) UN Charter, whether it is to be considered an armed attack under article 51 of the UN Charter and whether and under what conditions cyberwarfare gives the right to self-defense.[17]

 

With regard to ius in bello cyberwarfare raises interesting problems regarding the possibility to apply existing international humanitarian law (IHL) norms. As a matter of fact, at the time of UN Charter drafting cyberwarfare or cyberspace did not exist and so the question whether current international norms apply or whether new international norms are needed assumes a great relevance.[18]

 

On a regional scale, another key question is whether article 5 of the NATO treaty is to be applied to cyberwarfare activities.[19] Regarding international law, a very precious initiative was undertaken by a group of experts invited by an international organization, the NATO Cooperative Cyber Defense Centre of Excellence (NATO CCD COE), in order to create a manual governing cyberwarfare. Even if the manual (so called “Tallinn Manual”)[20] is not an official NATO document and expresses the view of the experts and not the views of NATO CCD COE, its sponsoring nations, or NATO, it is a very important attempt to study cyberwarfare based on customary and conventional international law and to propose some clear rules of conduct.

 

The norms formulated by the experts consist in numbered rules and each rule is accompanied by a short commentary. Comments to each rule indicate the relevant existing international law norms and the interpretation process. The manual itself is written in a concise and clear manner and allows following transparently the reasoning behind each interpretation and formulation of rules.

 

6.    Collateral Damages and Victims

Collateral damages may be defined as incidental death or injury of civilians or damage or destruction of civilian objects.[21] Preliminary, as a general norm, based on article 51(5)(b) and article 57(2)(a)(iii) of the Additional Protocol I (AP I), the Tallinn Group of Experts proposed the rule 51, specifically regarding collateral damages: “a cyberattack that may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated is prohibited.”

 

Such norm requires evaluation of the possible harms and to compare them to the concrete and direct military advantage that may be obtained by the cyber operation. In particular, the assessment must take into consideration both direct and indirect effects and so both the direct and indirect consequences of the operation. Moreover, the evaluation must be made at the time of designing, ordering and executing the attack and the military advantage should be considered as a whole and not with reference to a particular part of the attack. Additional rules are proposed and reinforce civilian protection and decrease of collateral damages.

 

Under art. 57(3) of AP I, only the target that will create less danger to civilian lives and objects should be chosen among equivalent targets (see Rule 56 of the Tallinn Manual and commentary). Art. 57(2)(b) of AP I is the basis on which the attack must be suspended or cancelled if collateral damages would be excessive. It is interesting to notice that in order to operate with respect to such rules, a continuous assessment and monitoring of the attack is necessary and that such activity can be carried on by technical and highly skilled personnel. Moreover, technical evaluations are to be coordinated with legal evaluation to ensure the operation complies with the law.

 

Such provisions are to be appreciated in the context of other obligations. First, it is required to verify that the objectives are neither civilian nor civilian objects and are not subject to special protection, based on art. 57(2)(a)(i) of AP I (see also Rules 53, 32 33, 34, 35, 37 of the Tallinn Manual). Second, a general obligation to spare the civilian population is imposed, based on art. 57(1) of AP I (see Rule 52 of the Tallinn Manual). Third, it is necessary to choose means or methods of an attack with a view to avoid and minimize incidental injury to civilians, loss of civilian lives and damage or destruction of civilian objects, based on art. 57(2)(ii) of AP II (see also Rule 55 and 56 of the Tallinn Manual).

 

Moreover, an obligation to choose targets between adequate targets that will create fewer dangers to civilian lives and objects is based on art. 57(3) of AP I (see Rule 56 of the Tallinn Manual). There are general obligations to protect civilian population and objects during warfare. As a matter of fact, during warfare hitting civilian objects and property is prohibited, unless they are dual use and in this case an assessment of necessity and excess in comparison to the military advantage that must be gained. In particular, some categories may not be considered civilian or may be not considered such for a given period of time. For example, mercenaries may be considered as belligerents without combatants’’ privileges. Civilians participating in cyber operations may lose protection as long as they participate in such operations. Finally, a problematic group is that of civilians participating in a levée en masse.[22]

 

Finally, a special duty is to take particular care during cyberattacks against works and installations containing dangerous forces, namely dams, dykes, and nuclear electrical generating stations, as well as installations located in their vicinity (see Rule 80 of the Tallinn Manual, based on art. 56 AP I and art. 15 AP II). There are also relevant prohibitions to be considered. The first is the prohibition to attack with the aim at creating terror amongst civilians. The second prohibition is to destroy attack, remove or make useless objects necessary for the survival of civilians. Such norms must be read in connection with the norms regarding lawful targets. Such norms consider unlawful targets civilians, medical personnel, medical infrastructures, medical computer and networks, personnel and objects of third parties to the conflict trying to provide humanitarian aid, objects necessary for the survival of civilians.

 

A particularly interesting norm formulated in the Tallinn Manual is Rule 83, based on the principle of distinction, articulating the prohibition to attack civilian objects, articles 35(3) and 55 of the Additional Protocol I:

 

 

There is unanimity of the international group of experts who contributed to the Tallinn Manual that the environment is a civilian object. According to them who plan, approve or conduct a cyberattack must take precautions with respect to the expected collateral damage to the natural environment. In particular, the experts highlight that destruction of natural environment which is not justified by a military necessity is to be considered prohibited.

 

Cyberattacks may be divided into three groups:

 

 

As we may see, the respect of the international law norms, as interpreted by the Tallinn group of experts, imposes to whom designers, decision makers and executors of an attack to pay much attention, to choose precise targets, to minimize collateral damages and to suspend or cancel attack in case collateral damages are excessive compared to the military advantages that may be obtained.

 

This raises difficulties given that sometimes it is not possible to distinguish a civilian from a military target on computer networks and that for many cyberattacks it is necessary to use the Internet, a complex grid of networks, some of which are military and other civilian ones. However, it is established that indiscriminate cyberattacks, aimed at both civilian and military targets, should be considered prohibited. Again, a key question is what is an attack, what is an armed attack and when does an attack procure damage to civilians and objects.

 

In particular, the concept of damages is problematic when the attack causes temporary consequences on civilian property and activity[23] or how to assess whether an act is to be considered damage.[24] So, in conclusion, should we assume that the norms expressed in the Tallinn Manual are expression of international customary and conventional law, or at least a good attempt to interpret such law, the respect of such norms minimizes in any case the collateral damages in case of cyberwarfare, given that the actors are obliged to respect such norms when they design, decide and execute an attack.

 

At this point, technical problems arise with respect to cyberspace definition. As a matter of fact, it is neither obvious nor easy to identify whether a given user of computer is a civilian, a protected civilian, a mercenary, a military or a civilian hired as an auxiliary in a military structure. The same is for the protected objects and infrastructures for survival and medical purposes. Moreover, for what the Internet is concerned, it should be noted that on the one hand it is a structure used by both civilian and military subjects,[25] on the other hand it is so pervasive in everyday life that it may even be considered the entirely electronic man made environment around us.

 

7.     Practical Cases

Many cases of cyberattacks occurred in the recent years. Some of them are disclosed, many of them likely remain unknown to the public and undocumented.

 

Two paradigmatic cases are reported below:

 

7.1.  The Stuxnet Case

The most famous is probably the Stuxnet case. This case took the name from the software used.[26] The worm was developed with a great investment in human resources and technology, with the aim to sabotage Iran’s nuclear program with what would seem like a long series of unfortunate accidents. However, authorship and attribution to a given state are not certain.[27] This virus infected a lot of computers in the entire world, but the researchers discovered that the software had a specific target. Stuxnet “is not going after computers or even Windows software in general, but a specific type of program used in Siemens’s WinCC/PCS 7 SCADA control software; ... Stuxnet only broke nuclear centrifuges, which Iran had illegally obtained to conduct illicit research. Moreover, it neither hurt nor killed anyone.”[28]

 

Although this worm worked only with this specific software, it infected thousands of computers. A lot of lawyers and researchers wondered about the ethics of this kind of attacks: “at face value, Stuxnet seems incredibly indiscriminant. While limited in the scope of its attacks compared to prior malware, this was a worm that still got around. It infected not just targets in Iran but thousands of computers across the world that had nothing to do with Iran or nuclear research. Many lawyers see this facet of cyber weapons as proof of their inherent violation of “prevailing codes of international laws of conflict, as they go beyond just the original target and deliberately target civilian personnel and infrastructure.”[29] However, affirming that a computer infected with an inactive virus is possible, nonetheless problematic.

 

7.2.  The Estonian DDoS-Attacks

In 2007 many websites of banks, governments, universities and newspapers experienced “Distributed Denial of Service.”[30] For several hours the financial institutions found their servers overwhelmed by requests generated by the botnets behind the attacks and the commerce worrying slowed down. There is more than a hypothesis about this attack and the evidence, confirmed, told the attack started from Russia, but there is no certainty about the motivation. Again, there are problems with authorship and attribution of the attacks.

 

This case is emblematic with regards to the effects on the population: people had no information, could not take money from the banks and could not perform other daily activities.[31] So with a simple DDoS attacks, the life and the economy of Estonia was stopped. Compared to the Stuxnet attack, which resulted in damage to physical objects, the effects of the DDoS were temporary.

 

8.    Conclusions

This short survey on some of the key questions regarding cyberwarfare and collateral damages show the attempts of scholars to propose interpretations of existing customary and conventional law, with reference to a conventional framework drafted before an unpredictable evolution of information and telecommunications technology took place. Some questions can be solved interpreting existing international norms, others remain still open. Complexity derives from the numerous techniques that may be used in cyber operations, from the difficulties to classify targets and from some structural differences of some types of cyber operations in comparison to operations using kinetic weaponry.

 

Time is mature for the international community to find an agreed way to approach cyberwarfare, in order not to unbalance or change the application of the fundamental principles regarding use of force, self-defense and the role of the United Nations for solving international conflicts. As a matter of fact, as time passes more aspects of cyberwarfare will be identified and it may be needed to update international law with aim to maintain the peace and peaceful relations between states.

 

There are many open questions about the applicable law and a general awareness that some cyberattacks could create even more damage than traditional attacks, especially if they are not carefully designed to minimize collateral damages. When considering collateral damage in light of the existing legal framework and in the absence of new norms, maximum care should be given to minimize the amount of collateral damages while upholding the tradition of International Humanitarian Law.

 



[1] The views and opinions expressed in this article are the sole responsibility of the authors and reflect exclusively their personal views. All links visited were active on 15th September, 2015.

[2] Richard A. Clarke, Robert K. Knake, Cyberwar, Harper Collins, 2010.

[3] Nils Melzer, Cyberwarfare and the International Law, 2011,

 see http://unidir.org/files/publications/pdfs/cyberwarfare-and-international-law-382.pdf

[4] Samuel Liles, J. Eric Dietz, Marcus Rogers, Dean Larson, Applying Traditional Principles To Cyber Warfare, in 2012 - 4th International Conference on Cyber Conflict, edited by C. crossed, R. Ottis, K. Ziolkowaki, page 177.

[5] Stefano Mele, Legal Considerations on Cyber-Weapons and Their Definition, 3 Journal of Law and Cyber Warfare 52 (Spring 2014). See also, Stefano Mele, Cyber-Weapons: Legal and Strategic Aspects, version 2.0 (2013), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2518212 (Italian Institute of Strategic Studies “Niccolò Macchiavelli”).

[6] Such evolutions are clearly visible when comparing the actual efforts to define Cyberwarfare with earlier attempts to do so, see for example the definition of Libicki in Martin C. Libicki, What is Information Warfare?, 1995. For a comparison between cybercrime, cyberattack and cyber warfare, see Oona A. Hathaway, Rebecca Crootof, Philip Levitz, Haley Nix, Aileen Nowlan, William Perdue & Julia Spiegel , The Law of Cyber-Attack, California Law Review 100 (2012) 817.

[7] Martin C. Libicki, What Is Information Warfare? (1995).

[8] Annex I to the Agreement between the Governments of the Member States of the Shanghai Cooperation Organization on Cooperation in the Field of International Information Security of 16th June 2009.

[9] Trey Herr, PrEP: A Framework for Malware & Cyber Weapons, Journal of Information Warfare, 2013, Vol. 13, No. 1, February 2014. Available at SSRN: http://ssrn.com/abstract=2343798 or http://dx.doi.org/10.2139/ssrn.2343798

[10] Stefano Mele, Legal Considerations on Cyber-Weapons and Their Definition, Journal of Law and Cyber Warfare, Vol. 3, Spring 2014, Issue 1, page 58, see http://www.jlcw.org

[11] See Michael N. Schmidt (Ed.), Tallinn Manual on the International Law Applicable to Cyber Warfare, 2013, Cambridge University Press.

[12] Thomas Rid, Peter McBurney (2012), Cyber-Weapons, The RUSI Journal, 157:1, 6-13, DOI: 10.1080/03071847.2012.664354, at http://dx.doi.org/10.1080/03071847.2012.664354. The authors discuss broadly the dual use of most weapons and therefore the importance of the psychological dimension of weapons, i.e. the offender’s intention to threaten harm or cause harm to a target. A similar approach is to define a weapon as “an object designed for, and developed or obtained for, the primary purpose of killing, maiming, injuring, damaging or destroying” and to assume that the same definition may be extended to cyber weapons. See Gary D. Brown, Andrew O. Metcalf, Easier Said Than Done: Legal Reviews of Cyber Weapons, Journal of National Security Law & Policy, 2014, Vol. 7:115.

[13] See also section 7.

[14] See Trey Herr, PrEP: A Framework for Malware & Cyber Weapons, Journal of Information Warfare, 2013, Vol. 13, No. 1, February 2014. Available at SSRN: http://ssrn.com/abstract=2343798 or http://dx.doi.org/10.2139/ssrn.2343798 , as well as W32.Stuxnet Dossier.

[15] The term is used to indicate international norms regulating the use of force of a state against another state. Its primary sources are customary law and articles 2(4), 41, 42 and 51 the UN Charter (see UN Charter). Ius ad bellum norms changed significantly after World War II, as a reaction to the terrible danger the whole mankind faced and the terrible consequences for the civilian population, properties and military personnel in a conflict that involved an unprecedented quantity of new and advanced weapon for mass destruction based on intensive scientific and industrial research and development.

[17] In fact, post World War II ius ad bellum norms have the aim to relegate armed response, use or menace of the force and armed attacks as an extrema ratio, promoting instead peace and the pacific solution of international disputes or internationally agreed measures, including use of force authorized by the UN Security Council and so collectively deliberated.

[18] For instance, art. 41 of UN Charter states that “the Security Council may decide what measures not involving the use of armed force are to be employed to give effect to its decisions, and it may call upon the Members of the United Nations to apply such measures. These may include complete or partial interruption of economic relations and of rail, sea, air, postal, telegraphic, radio, and other means of communication, and the severance of diplomatic relations." During the last twenty years, information and telecommunication technologies evolved in an unpredictable way. Today such technologies are used not only for communicating but also for doing, i.e. for performing a lot of human activities and actions which once required physical goods to be transported from one place to another and people to move from one place to another and to perform a lot of physical actions not intermediated by computer systems and network platforms.

[20] See Michael N. Schmidt (Ed.), Tallinn Manual on the International Law Applicable to Cyber Warfare, 2013, Cambridge University Press, hereafter referred to as the “Tallinn Manual”.

[21] See commentary of Rule 51 of the Tallinn Manual.

[22] See  Christopher Waters, New Hacktivists and the Old Concept of Levée en Masse, Dalhousie Law Journal, 2014, Vol. 2, N. 2, Nils Melzer, Cyberwarfare and the International Law, 2011, page 33, see http://unidir.org/files/publications/pdfs/cyberwarfare-and-international-law-382.pdf, rule 27 and commentary of the Tallinn Manual.

[23] Examples of temporary consequences are DOS (Denial of Service) attacks and DDOS (Distributed Denial of Service) attacks.

[24] For example, two interesting questions are whether a temporary use of internet bandwidth for propagating a malware or whether a malware, like Stuxnet, which activates only at specific conditions and in specific computers and stays inoculated but inactive in other computers, are to be considered damage. Another question regards the theft of data without damaging any computer system or network and without damaging the data.

[25] Ten years ago estimates were that 95% of military information uses civilian networks, at least in part, see Antolin-Jenkins, Cdr. Vida M., Defining the parameters of cyberwar operations: Looking for law in all the wrong places? Naval Law Review, 2005, 51.

[26] See the chapter 4 for a technical description of the software.

[28] P. W. Singer, Stuxnet and Its Hidden Lessons on the Ethics of Cyberweapons, in Case Western Reserve Journal of International Law, 47 (2015).

[29] P. W. Singer, Stuxnet and Its Hidden Lessons on the Ethics of Cyberweapons, in Case Western Reserve Journal of International Law, 47 (2015).

See also P.W. SINGER & ALLAN FRIEDMAN, Cybersecurity and Cyberwar: what everyone needs to know, 115 (2014).

[30] See https://www.cis.uab.edu/forensics/blog/Estonian.DDOS.pdf for an interesting presentation about Estonia DDoS-attacks with a small historical introduction.