Cyber-War: Exploiting The Ambiguities Of Cyber Space


 

There is little doubt that we live in the digital age, the age of information. The internet has connected the people of the world in ways that were once unimaginable. Goods from the other side of the globe can be ordered, paid for and shipped to one’s door without leaving the couch; news of uprisings in the Middle East is beamed into Australians’ living rooms in real time; and US Air Force pilots direct missile strikes in Afghanistan from the safety of a bunker in America. The analyst Marshall McLuhan noted in 1974 that almost any new technology introduced by mankind will inevitably be found to have a military application.

The internet is no exception to this rule. The difficulty, however, is understanding what amounts to a military application of cyber technologies. That is, what is an act of cyber war? This is a question that is vexing academics and legislators alike. There have been suggestions from some quarters that Russia may have hacked the electronic voting machines in the recent presidential election. Similarly, there were claims that Australia’s bungled census in August 2016 was the target of denial-of-service attacks launched from Singapore and China. Although these attacks’ connections to foreign states have been vigorously denied by both the targets and alleged perpetrators, what is not clear is whether such assaults on activities fundamental to the healthy functioning of a democratic state should be interpreted as an attack on the state itself, of sufficient significance so as to provoke a military response. Even if they were deemed to be acts of war, it would simply raise the question of who was responsible. Launched from a distance, with increasingly advanced speed and precision, cyber-attacks can occur before the target is even aware they have been hit. It could be hours, days or months before the attack is noticed. The capacity to route and re-route one’s actions through virtual private networks (VPNs) in various locations across the globe renders an attack almost impossible to accurately trace. Stuxnet, perhaps the most famous cyber-attack, is believed to have been deployed by the US. Yet, without an admission of culpability, the international community is left guessing who the true culprits may have been. In an increasingly “connected” world, leaving these questions unanswered exposes civilian populations to attacks from foreign states and non-state actors, with little hope for protective action from their government.

Thus far, the major states of the world have been unwilling or unable to define cyber-attacks or cyber-war. In 2009, the NATO Cooperative Cyber Defence Centre of Excellence convened a group of 21 experts in international law and military affairs to develop a policy on the use of cyber resources in war. The result was the Tallinn Manual on the International Law Applicable to Cyber Warfare (2012). As with many innovations in the world of digital technologies, however, this manual was quickly relegated to obsolescence as the changes in the digital sphere outpaced the development of international law and norms. Professor Michael Schmitt, the Tallinn Manual project director and professor of international law at the U.S. Naval War College, explained in 2014 that a major part of the difficulty with determining what constitutes an act of cyber-warfare is that there is no concrete definition of an act of ‘conventional’ war. Indeed, there remains uncertainty as to what constitutes the ‘use of force,’ a fundamental concept in discussions of war and conflict.

The notions of an act of war or the use of force remain political considerations. Traditionally, these concepts were intuitive. The destruction of a building or piece of critical infrastructure on sovereign territory, or the death of nationals, civilian or military, could easily be construed as acts of war. Cyber-attacks, on the other hand, are not so simply defined. The reasons for this difficulty are two-fold. First, the means of cyber-attack are different to a conventional attack. There is no stretching of the imagination required to think of an attack that uses munitions or explosives as the use of force. The destructive results of such an attack are similarly self-evident. But the same cannot be said for the release of a computer virus into a network, or the stealing of terabytes of information from a server. Ultimately, the effects are the same; a piece of infrastructure malfunctions, causing massive disruption to military or civilian lives. Sometimes the infrastructure may even be rendered useless, with catastrophic damage being caused. While cyber-attacks may still cause casualties, whether directly or indirectly, such an eventuality is not immediately obvious, and thus a cyber-attack may be an attractive option for a relatively clean and bloodless attack. Politically, it becomes much more difficult to justify the deployment of military resources in response to an attack that caused no obvious destruction or casualties. The second difficulty in defining a cyber-attack as an act of war is, as already mentioned, that it is almost impossible to trace the source of a cyber-attack. One of the most powerful attributes of declaring an action as an ‘act of war’ is the deterrent factor that action consequently takes on. A state is unlikely to commit an act that would cause a powerful state to declare war upon them as the costs of such an action would likely outweigh any benefits.
However, a cyber-attack that cannot be traced is an attractive option to disrupt a rival state’s development or functioning as it gives one the chance to further one’s own agenda without fear of reprisal. This aspect also makes cyber-attacks particularly attractive to non-state actors acting of their own accord or on behalf of a patron state. The prospect of Cold War-style proxy wars over the internet is very real.

One reason for the lack of a clear definition, and the unwillingness to progress the definitions of cyber-attacks, is the way the internet and cyber-space are perceived by states. Firstly, the internet (the physical infrastructure) is owned and maintained by private, mostly American corporations. As such, an attack on the internet can be perceived as an attack on the United States, thus a legitimate target. Secondly, the states in question are unlikely to cede their advantage in cyber-warfare by admitting to specific capacities, let alone limiting those capacities through international treaties or conventions. The lack of clarity can pose problems for civilian populations as the internet, as a piece of critical infrastructure, is a legitimate or ‘traditional’ target of military engagement. However, it is infrastructure that is shared between the civilian population and the military, raising questions as to whether access through civilian technologies (such as smartphones or, increasingly, the smart devices that comprise the ‘internet of things’, referring to a network of devices connected to the internet, including televisions and refrigerators) is a legitimate means of targeting a foreign power. Another barrier to settling on a clear idea of states’ conduct in cyber-space is the notion that cyber-space is a space apart from the physical or corporeal world. The digital world, some argue, is separate to that which we inhabit and is thus free from the rules, regulations, laws and norms that govern this world and subject to its own particular rules and norms. Whether such a concept is proved true or false, it is clear that states must come together to resolve these issues before it is too late. It was only when the US and the USSR had amassed enough nuclear weapons to destroy the entire earth thirty times over that the notion of a need to control their development and spread became a pressing concern.
The successes of the nuclear non-proliferation treaty regime and the conventions against the use of chemical and biological weapons show that states, even those ideologically opposed, are capable of coming together to solve problems such as those mentioned above. One would hope that the world’s powers have enough foresight to act on the vagaries of cyber-warfare before the prospect of apocalyptic cataclysm becomes a reality.

 

 

Anton Anin