Cyber-Weapons 1

In 2010, the United States military formally established U.S. Cyber Command, an organization built solely to fight the United States’ wars in cyberspace. This comes as a response to increased cyber activity by Russian, Chinese and other governments, either directly or through nonmilitary proxies situated in third-party nations. Historically, the battle of the internet has had military ramifications primarily in terms of intelligence: either in acquiring information from databases that are supposedly secure, or in feeding misinformation to counteract those efforts. In the past few years, we have seen a dramatic increase in the cyber-military capabilities of each of these nations, as they test their cyber-strength in what have so far been minor conflicts. It is only recently that cyber-attacks have begun to have real effects – now, the United States and other organizations have the capability to inflict physical damage purely through malicious code.

The acquisition of this new weapon raises a concern: when is the time to use it? In this sequence, I will be taking the following position: that the United States should restrict its use and development of offensive cyber-capabilities (my partner will be arguing the contrary). There are two arguments I will use to support this position:

1. Defense over offense
2. International standard

Let’s begin with the first.

1. Defense over offense

What I mean by this is that it is substantially more important for nations to focus on defensive measures than on offensive capability. Even when provoked, it is substantially more difficult to take retaliatory measures in cyberspace than in the physical world. This is for two reasons: challenges in attribution and the unreliability of cyber-attacks.

One of the biggest issues with regard to any aspect of internet crime, cyber-security no less, is one of attribution. The offensive arm of the United States as it is today does not act so much as react; the vast majority of military operations today are in response to threats or risks. As far as this is true, a large part of any attack must then rely on the identification of those from whom the threat or risk originates, a problem made greatly more difficult in the context of cyberspace. Cyber-actors may not even be based in the country for which they are operating; furthermore, their actions often take place through a chain of co-opted computing resources elsewhere in the world, often utilizing resources belonging to unknowing private citizens. Reverse engineering and tracing a virus or hack to its source can take months, and even then, proving beyond reasonable doubt who is responsible is nearly impossible. Indeed, it took teams of researchers from Symantec a full year and a half to decipher Stuxnet.[1] But one figure given by a spokesperson from the Nuclear Security Enterprise describes up to ten million “significant cyber security events” daily.[2] Even if this figure is exaggerated, the sheer number of attacks is overwhelming; to trace each of them to a source and confirm culpability before taking retaliatory action would be a colossal task. But even supposing that it were possible to identify the perpetrators of some number of attacks, the advantages of retaliating through cyberspace are still unclear. The relatively low investment required to launch a cyber-attack, since a personal computer, or even a cluster, is cheap compared to the conventional weapons used by many terrorist or vigilante groups, also renders retaliatory (or preemptive) strikes especially difficult. In many cases, the perpetrators of an assault have few, if any, assets worth attacking.
Although the statistics are unclear (for reasons that should be obvious), a significant portion, if not a majority, of the attacks against United States databases and computers are executed not by enemies on the scale of nations but by small teams of hackers. As such, there is little that a cyber counter-offensive could accomplish that a physical intervention could not.

Again setting these concerns aside, there still remains an issue of unreliability regarding cyber-weapons. The United States considered launching a cyber-attack to support its strikes against Libya in March, but decided against it. Among several reasons, one that is particularly worth mentioning is the inherent unpredictability of hacking: James Andrew Lewis, senior fellow at the Center for Strategic and International Studies, explains, “It’s the cyberequivalent of fumbling around in the dark until you find the doorknob. It takes time to find the vulnerabilities.”[3] This is precisely why the number of attacks launched against the United States is so huge. Hackers attempt to find security flaws through a complicated form of what boils down to pseudorandom guesswork, which at its core can prove to take much longer than expected. In cyberspace, the United States is on the defensive. We are the ones who have assets that require protecting, while other parties are free to probe our security systems, more or less at their leisure; they need succeed only once to inflict damage, while the United States must succeed in at least an overwhelming majority of these incidents. It is the U.S. forces who are pressured on the defensive, who do not have the flexibility to wait for hackers to find a weakness to exploit.

2. International Standard

In the mid-19th century, the United States developed technology that would transform the face of the world. It was a technology which was capable of inflicting massive damage and impossible to defend against. Of course, this is the atomic bomb. Today, we are faced with a similar scenario in the face of cyberwarfare. I do not mean that computer viruses have (yet) the influence to wipe out cities. What I do mean is that it is substantially easier to attack than to defend; a failed attack incurs minimal cost, because retaliatory measures are so prohibitively difficult, while a successful one can inflict serious harm. “In cyberspace, the offense has the upper hand.”[4] While intelligence interference has become a fairly well established facet of military conflict today, it is crucial that the precedent of using cyber-weapons lightly not be set. In a situation where tensions with Chinese intrusions into U.S. cyberspace are already a cause for concern, escalation could easily become damaging to both sides, most importantly with substantial collateral damage to the private sector; it is important to give no indication that such an escalation is in our interests, or that it is acceptable from the standpoint of the international community.

[1] How Digital Detectives Deciphered Stuxnet, http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/
[2] U.S. Nukes Face Up to 10 Million Cyber Attacks Daily, http://www.usnews.com/news/articles/2012/03/20/us-nukes-face-up-to-10-million-cyber-attacks-daily
[3] U.S. Debated Cyberwarfare in Attack Plan on Libya, http://www.nytimes.com/2011/10/18/world/africa/cyber-warfare-against-libya-was-debated-by-us.html
[4] Defending a New Domain, http://www.defense.gov/home/features/2010/0410_cybersec/lynn-article1.aspx

1 Comment

  1. ConScope

    December 13, 2012 @ 9:24 pm


    Can’t agree with you there Lucian. The US knows perfectly well how to act and make it seem that it’s reacting. There is no reacting, it’s all well-planned scenarios meant to blind the population and let the government run the country the way they want to from behind the curtains.
