You are viewing a read-only archive of the Blogs.Harvard network.


Our Love/Hate Relationship with Anonymous


There is a remarkable degree of perversion involved in naming a group Anonymous, a choice that speaks to a dry wit. Their choice of name, however, could hardly be more apt. Anonymous is a loosely affiliated “hacktivist” collective, and the identities of few of its members are known to the world at large. While their work initially focused on self-gratifying entertainment, exemplified by the catchphrase “we’re doing it for the lulz,” their work of recent years has taken on a strong activist bent. In the past four years alone, the list of Anonymous targets has included the Church of Scientology, major record labels, the Ugandan government, child pornography sites, Facebook, the Israeli government, and most recently, the Westboro Baptist Church. The movement has lent its support to the Stop SOPA and Occupy Wall Street movements, and has adopted the Guy Fawkes masks of the comic book V for Vendetta as one of its most recognizable insignias.

Reactions to Anonymous have been mixed; they have been characterized by some as digital Robin Hoods and by others as cyber-anarchists. One of the difficulties in analyzing Anonymous is the challenge of identifying a coherent group ethic to which analysis can be applied. Very little hierarchy or identifiable group leadership exists, and although some individuals serve as ad hoc spokespeople for the organization, they have no official title within the group. Anonymous is a name that can be adopted almost at will by anyone. While larger projects like the DDoS attacks on major record labels or the takedowns of Israeli government websites and deletion of government databases are undertaken with substantial group consensus, virtually anyone can claim an attack in their name.

With the rise of Anonymous’ broadly hacktivist ethic, much of their recent work has surrounded key social and political issues such as LGBT rights (in Uganda), intellectual property law and anti-piracy legislation (SOPA and the recording industry), and the Israeli-Palestinian conflict. Through code, members of Anonymous have taken action against entities that they perceive as immoral or unjust by taking down websites and infiltrating networks. While their causes may be noble, the aggressive means by which Anonymous pursues its loosely determined objectives makes many sympathizers uneasy.

One of the strongest results to come out of the Anonymous movement may not actually be the organization itself, but a paradigm for effective organizing using the Internet. “The fundamental fact of the 21st century is that any person can now theoretically collaborate with any other person on the planet,” Anonymous’ unofficial spokesperson Barrett Brown told the Canadian Broadcasting Corporation.

To that end, Anonymous has spearheaded a number of campaigns that have had tangible effects in the offline world. The blackouts of Wikipedia and other like-minded organizations became the most visible aspect of the movement to block the passage of the Stop Online Piracy Act, and largely as a result of these protests, SOPA and PIPA were shelved before they were voted upon in Congress. More recently, members of Anonymous have been lobbying for recognition of the Westboro Baptist Church as a hate group by the U.S. government, a move taken in response to the WBC’s threatening to picket funerals of the victims of Friday’s Sandy Hook Elementary School shooting.

Love them or hate them, Anonymous seems to be here to stay. Amorphous and shadowy, but a potent force on the Internet, their hacktivism is slowly but surely blurring the lines between our virtual world and our offline lives.


The 2007 Estonian Cyberattacks: New Frontiers in International Conflict


The distributed denial of service (DDoS) attacks on Estonia in 2007 have gone down in history as one of the largest coordinated cyberattacks. By the end of the waves of DDoS attacks, which lasted for several days, many Estonian banks, news agencies, and government websites had been hacked and defaced. Commerce slowed almost to a standstill for several hours as financial institutions found their servers overwhelmed by requests generated by the botnets behind the attacks. Five years later, the origin and motivation behind the cyberattacks remain unclear. In hindsight, the Estonian cyberattacks appear to be a turning point in the development of cyberweaponry—and in the progression of cyberwarfare itself.

The incident that sparked the Estonian cyberattacks would otherwise have gone unremarked upon—a brief footnote, if anything at all in the annals of history. The Estonian government was considering the relocation of a Soviet World War II memorial known as the Bronze Soldier of Tallinn from its original place to the Tallinn Military Cemetery. The decision proved to be a flashpoint for Estonian citizens, with tensions running high between ethnic Estonians and Russian-speaking immigrants to Estonia in the aftermath of World War II. In addition, Russian-Estonian relations became strained as protests and counterprotests regarding the decision became more numerous.

The architecture of the attacks was not especially sophisticated—distributed denial of service attacks generally follow the same lines. In the case of the Estonian cyberattacks, the majority of DDoS attacks were ping floods, in which hackers with access to a botnet use the computers in the botnet to “ping” a site’s servers. In normal use, pinging a server lets a computer determine whether a host on a particular network is reachable: the device sends Internet Control Message Protocol (ICMP) echo request packets to the server and waits for the server to reply with its own packets. This routine process becomes a relatively simple yet effective cyberattack when a server is flooded with echo request packets by machines that never wait for replies. As the volume of packets overwhelms the site’s ability to reply, loading time for pages slows dramatically, sometimes taking the entire site offline.
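The ping-flood mechanism described above has a recognizable signature from the defender's side: a surge of ICMP echo requests toward one host from many sources within a short window, with far more requests than the host could ever answer. The following is an added example (not code from the original post or from any Estonian responder) showing a sliding-window detector over a constructed list of ICMP packet records; the record layout, the addresses, the `window_s`, `threshold` and `min_sources` parameters, and the sample traffic are all assumptions made for this illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# ICMP type codes (RFC 792): echo request is type 8, echo reply is type 0.
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


@dataclass(frozen=True)
class IcmpRecord:
    """One observed ICMP packet (assumed layout: timestamp in seconds, addresses, ICMP type)."""
    ts: float
    src: str
    dst: str
    icmp_type: int


def detect_icmp_floods(records, window_s=1.0, threshold=100, min_sources=5):
    """Flag destinations receiving a distributed burst of echo requests.

    An alert (ts, dst, request_count, distinct_sources) is raised the first time a
    destination sees at least `threshold` echo requests from at least `min_sources`
    distinct senders within any `window_s`-second sliding window. Echo replies are
    ignored: only the request side of the exchange matters for a ping flood.
    Repeat alerts for the same destination are suppressed for one window length.
    """
    records = sorted(records, key=lambda r: r.ts)
    windows = defaultdict(deque)  # dst -> deque of (ts, src) for in-window requests
    alerted_at = {}
    alerts = []
    for r in records:
        if r.icmp_type != ICMP_ECHO_REQUEST:
            continue
        q = windows[r.dst]
        q.append((r.ts, r.src))
        # Drop requests that have fallen out of the sliding window.
        while q and r.ts - q[0][0] > window_s:
            q.popleft()
        count = len(q)
        sources = {src for _, src in q}
        if count >= threshold and len(sources) >= min_sources:
            last = alerted_at.get(r.dst)
            if last is None or r.ts - last >= window_s:
                alerts.append((r.ts, r.dst, count, len(sources)))
                alerted_at[r.dst] = r.ts
    return alerts


def constructed_sample():
    """Constructed traffic: benign monitoring, a distributed flood, and a single-source burst."""
    recs = []
    # Benign: one monitoring host pings a server once per second and gets replies.
    for i in range(10):
        recs.append(IcmpRecord(float(i), "192.0.2.10", "198.51.100.1", ICMP_ECHO_REQUEST))
        recs.append(IcmpRecord(i + 0.01, "198.51.100.1", "192.0.2.10", ICMP_ECHO_REPLY))
    # Flood: 50 constructed bot addresses each send 4 echo requests to the same
    # server within half a second (200 requests, no replies awaited).
    for b in range(50):
        for k in range(4):
            ts = 20.0 + (b * 4 + k) * (0.5 / 200)
            recs.append(IcmpRecord(ts, f"203.0.113.{b + 1}", "198.51.100.1", ICMP_ECHO_REQUEST))
    # Single-source burst: 150 requests from one host in half a second. High rate,
    # but not distributed, so it should not match the botnet signature by default.
    for k in range(150):
        recs.append(IcmpRecord(30.0 + k * (0.5 / 150), "192.0.2.99", "198.51.100.2", ICMP_ECHO_REQUEST))
    return recs


if __name__ == "__main__":
    for ts, dst, count, nsrc in detect_icmp_floods(constructed_sample()):
        print(f"t={ts:.3f}s  {dst}: {count} echo requests from {nsrc} sources in 1s window")
```

With the default parameters only the distributed burst against 198.51.100.1 is reported; the single-source burst against 198.51.100.2 is surfaced only if `min_sources` is lowered, which is the knob that separates "many bots, one victim" from an aggressive but single scanner. In practice the thresholds would be tuned against the normal ICMP baseline of the network, and the records would come from flow logs or a packet capture rather than a constructed list.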

In Estonia, the targets of the DDoS attacks were both government agencies and private Estonian companies. In order to maintain some functionality, the government resorted to blocking requests from IP addresses outside of Estonia for several days. Many financial institutions and news agencies coped with offline servers for several hours until the attacks ceased. In terms of economic damage, the 2007 cyberattacks had only a minimal impact on the Estonian economy, but were thought by some to be a clear attempt at intimidating Estonia or retaliating for the statue’s relocation. Without clear attribution, the political implications of the attacks remained unclear.

In the days following the attacks, Estonian officials attempted to identify their source, to little avail. Some evidence suggested that the attacks were Russian in origin (an assertion later shown to be correct), but it was unclear whether the Russian government had played a role in the skirmish—a rather sinister possibility—or if the attacks were simply the work of patriotic Russian hackers. It wasn’t until almost two years later that Sergei Markov, a deputy of the Russian State Duma, identified the perpetrators of the attacks as members of the Nashi youth group, a state-affiliated organization. Members of Nashi claim that the attacks were carried out without the assistance of either Nashi or the state, although the validity of those claims is difficult to verify.

The importance of these cyberattacks lies not in their size or scope, but rather in the precedent they created for future cyber conflicts. “[The use of cyberattacks] is a political tool…It has become a proven political weapon as a way of intimidating your enemy – silencing them, and potentially controlling their infrastructure. Striking an enemy’s ability to communicate with the outside world is a very valuable use of a weapon at the early stages of war,” Jose Nazario, a security researcher at Arbor Networks told SC Magazine.

While previous cyberattacks focused on compromising the networks of government agencies and government contractors, the Estonia attacks made clear that cyberwarfare can strike civilian targets with equal, if not greater, ease as it can political ones. Whether or not cyberweaponry will bring us closer to the prospect of total war remains to be seen, but it is clear that the impact of such a conflict would extend far beyond the traditional boundaries of combatants into the sphere of civilian life.

Cyber Weapons 4


I’ll take some time to address the points brought up in the previous post, although my remarks will be rather brief, as there are some interesting case studies about which I’ll be posting later today. We’ve presented two different conceptions of the proper usage and development of cyberweapons: one that focuses on strengthening our defensive capabilities, the other that sees value in developing broader offensive cyberweapons. Cyber Weapons 3 made some interesting points, which I’ll address briefly here.

1. We would not learn anything of significance about our own weaknesses through the development of offensive capabilities.

While it is strictly speaking true that the structure of our defenses will not necessarily resemble that of another country or organization, it goes too far to say that there isn’t utility in developing offensive capabilities, even if they are designed to bring down another entity. In the general sense, developing offensive capabilities for other targets gives insight into strategies that might be used to exploit our own weaknesses. While there are obvious differences between sneaking a computer virus into a nuclear enrichment facility in Natanz, Iran, and sneaking spyware onto corporate servers to steal potentially proprietary information, developing our offensive capabilities can certainly lend insight into the strengths and weaknesses of certain malware vectors, for example.

In particular, although the structural properties of computer networks may vary from target to target, much of the hardware being used today is limited to a very small number of operating systems. Microsoft, unsurprisingly, has the lion’s share of the world’s personal computer market; likewise, Siemens products (like the programmable logic controllers that were the target of Stuxnet and are the target of many corporate espionage viruses) are nearly ubiquitous in infrastructure and manufacturing the world over. While developing offensive capabilities for one target does not necessarily mean an explicit knowledge of how to structure our cyber defense, the degree of transferability of this knowledge is much higher than one would expect.

2. Our focus should be on the attribution of attacks, not on increasing the arsenal of possible responses.

While it is absolutely true that attribution of attacks is of paramount importance in properly responding to cyberattacks on the United States, having a broader arsenal of possible responses to attacks, cyber or physical, allows us more leverage in our diplomatic actions. Israel, for example, has made immense efforts to expand its defense programs on both fronts and historically has not been hesitant to launch unilateral attacks on foreign entities—especially Iran. The recent attacks on the Iranian oil industry “apparently caught its American partners off guard,” despite the overlapping policy goals of both nations. Greater cyber capabilities were instrumental in preventing Israel from taking physical action against Iran in 2009 and 2010, and developing sufficient cyber capabilities such that our allies do not take ill-advised action against their enemies furthers our interest in forestalling unilateral actions that might upset truces and/or negotiations.

While having a more varied offensive arsenal is no guarantee of the preservation of America’s national security interests, increased cyber capability can be a useful tool in leveraging with our allies as well.

Private Sector 2


I think Lucian’s previous post on this issue highlights many important issues regarding the role of the government in protecting the private sector from cyber attacks and the degree to which 1) we should take a collaborative approach to cyber security (with firms such as Microsoft, McAfee, and Symantec) and 2) we are comfortable with giving the government policing powers over the entirety of the private sector. Civilian entities have been identified as both resources and targets; there remains, however, another dimension to the landscape of cyberconflict that has not yet been explored—namely that in which private corporations are not simply bystanders, but agents.

Granted, this dimension lies more in the realm of possibility—when dealing with cyberwarfare at the present, the largest and most potent agents are almost exclusively nation-states. Few private corporations, let alone teams of citizen-hackers, have the technological capability and vast amount of resources necessary to construct and deploy a cyberweapon on the scale of Stuxnet or Flame. That being said, it is not inconceivable that some day defense contractors like Blackwater will have added code to their ever-growing arsenal of tools for achieving their objectives. On the other side of the trenches, computer security firms like Symantec have already begun encountering (largely by accident) the tools of international conflict in their everyday work. These burgeoning conflicts rightfully illuminate the question of how private corporations will interact with this new arena of combat.

The question of code-making and the question of code-breaking are two sides of the same coin, and both pose interesting questions regarding the ability of government to regulate the actions of private entities, particularly when the compelling interest is national security.

In the case of private military companies—defense contractors that make up almost a third of defense personnel in the United States—the commingling or transfer of cyber capabilities from/between government and corporation creates several issues. As has been noted previously, while pooling resources and public-private partnerships may allow cybersecurity to be undertaken more effectively, the consolidation of our national security apparatus also leaves open the possibility of a small number of sophisticated attacks to bring down a large part of our national defenses. Such partnerships would render private contractors more likely to be attacked by foreign agents, and it is quite possible that the risk of damage is not worth the value gained by greater collaboration. Another important consideration here is the impact that explicitly involving private military companies in cyberwarfare would have on the status of PMCs under the Geneva Conventions. The rules that govern the changing arena of conflict that we’ve been addressing in the Cyber-Weapons series have yet to be explicitly determined, so it’s yet unclear whether involvement in cyberwarfare would compromise firms like Blackwater and DynCorp’s already precarious positions in the sphere of international conflict.

We should also consider the impact of cyber conflict on computer security firms like Symantec and McAfee, who, it seems, will find themselves increasingly caught in the crossfire as the usage of cyberweapons becomes more prevalent. Already noted has been the role of experts at Symantec in the cracking of the now-infamous Stuxnet virus. What is perhaps less evident is the frequency with which computer security firms may find themselves unwittingly working at the edges of a larger conflict. The team originally assigned to investigate Stuxnet, for example, initially expected it to be a somewhat more sophisticated form of industrial espionage. Other instances have brought computer security teams into contact with bugs of unknown provenance and indecipherable motive.

No matter the true nature of these encounters, the difficulty involved in telling apart routine cases of malware and the work of more powerful and well-organized entities will, I predict, bring computer security firms into more frequent contact with the defense agencies of nation-states. The United States would have great difficulty in asking security firms to desist from investigating sensitive pieces of code, particularly firms with international clientele like Symantec or McAfee, as well as those based in other countries like GSMK in Germany. Investigations by private entities could easily compromise the success of operations involving cyberweapons, and methods of resolving these inevitable conflicts should be given serious consideration before cybersabotage becomes a norm of international relations.

The Anarchy of Cyberspace


Both in the realm of cyber-conflicts specifically and in internet law cases in general, I see that the debate over whether or not the internet deserves its own set of governing factors hinges upon the innate impossibility, at least for now, of enforcing laws in cyberspace. In this sense, I say that there is anarchy, not in the sense of chaos, but in the sense that, at least for the determined, it is easy to go unpunished. This arises from the combination of two factors: anonymity and scale.

The internet provides a platform through which it is much more difficult to identify users than it is in the physical world. Often, with fairly simple steps involving proxies etc., tracing some illegal action to its perpetrator can be prohibitively more expensive than even the harm done by the crime itself. In the world of cyber-warfare, it is extremely difficult to trace a virus to its source; again, Stuxnet took a team of dedicated, high-level researchers a full year and a half, despite the exceptionally high priority level assigned by the security community to a virus of this magnitude. Compared to many physical world crimes, in which catching a criminal in the act makes ‘finding’ them trivial, identification is never trivial in cyberspace. It is simple, even for everyday users, to avoid region-specific blocks to certain media content, for example US netizens using VPN services to watch the Olympics for free through the BBC. This demonstrates the difficulty of automating a process by which to identify even just the nation from which a user is accessing the internet, while manual identification methods for the same purpose are rendered insufficient by the second factor, scale.

Computers allow users to commit transgressions with minimal planning, cost, and risk to themselves. To download a torrent from the Pirate Bay takes simply a few mouse clicks and a torrent client (which is perfectly legal). Hackers can quickly and cheaply submit several orders of magnitude more requests to a server in trying to breach its safeguards. If we compare internet crimes to their real-world counterparts, in general they are massively easier to plot and execute. It is enormously more difficult to carry out any kind of real-world theft, while on the internet, it takes but moments. This imbalance leads to a sheer volume of internet infringements which cannot be compared to those of the kinetic world: this is the second factor in the difficulties surrounding the enforcement of internet law.

I think the reason why internet law demands special attention beyond the extent to which cyberspace infringements are accounted for within existing bodies is precisely because of the exceptional difficulty in law enforcement. The problem is that people continue to torrent illegally uploaded intellectual property without a real risk of penalty, not that we would not know how to punish them once they are caught. The existing body of law, while it can be interpreted to include the realm of cyberspace, is simply not enforceable. Thus, until such methods are created which allow us to identify and prosecute criminals with the same ease as we do in the physical world, until the risk of punishment becomes sufficient to deter a larger volume of crime, we are forced to either accept such criminal activity or create new legislation to account for it.

Looking specifically at the realm of larger scale cyber-conflict between a nation and a terrorist/vigilante group or other nation, the same applies. We know that the sheer volume of attacks received by the United States is colossal; to catch each one, identify its origin, and respond appropriately is not something that is currently within our capability. Hence the collaboration with the private sector – it is not because there is something fundamentally sound about our government relying upon the private sector to defend our nation, or that it should be the role of the government to provide private companies with security systems, but because this is one of few ways to address the extent to which law enforcement is losing to criminals. This is why, going back to the piracy issue, methods such as the involvement of internet service providers, which are private companies, are considered for the sake of blocking internet service to those who are found guilty of copyright infringement. This is not a policy for which any physical world analogue would be appropriate – for example, we would not agree with the government mandating that gas stations refuse to fuel cars driven by those with traffic violations, yet it is seriously considered, given the technology of today, simply because it makes enforcement easier.

There is currently an enormous gap between the effectiveness of physical and cyber law enforcement in the world. Internet law exists not because it lies outside the jurisdiction of existing legislature, but simply in order to address this gap. Internet law is an artifact of enforcement technology lagging behind that used by criminals: I think that it will be rendered obsolete when the technology gap disappears.

Cyber-Weapons 3


In the previous post of this sequence, several arguments in favor of greater use and development of offensive cybercapabilities are offered. I’ll discuss each of them in turn.

1. The development of cyberweapons allows us greater insight into the weaknesses present in our own security systems.

I would argue that this is for the most part untrue; the systematic discovery and exploitation of security flaws in other systems has very little to do with understanding our own. Indeed, attempting to overcome our own defenses is a valid way to uncover their weaknesses, but this process has nothing to do with our offensive capabilities. In fact, the defensive structures of any target are likely to be so different that any flaw we exploit in a terrorist organization’s or other government’s security is highly unlikely to reveal anything of significance in our own system. Granted, I am not an expert on the subject, but my understanding is that, given the vast differences between defensive systems created by two different organizations, it is not reasonable to expect that we would learn anything of significance about our own weaknesses through the development of offensive capabilities.

2. Other nations, including our enemies, are already developing and using cyberweapons.

Although this is true, for the most part they have been minor. In fact, under the current United States interpretation of international conflict law, if we were to establish culpability for some cyber-attack on the United States which effected direct harm, we consider ourselves fully justified to retaliate through both cyber and kinetic means. Harold Koh said at the USCYBERCOM Inter-Agency Legal Conference, “There is no legal requirement that the response to a cyber armed attack take the form of a cyber action, as long as the response meets the requirements of necessity and proportionality.” [1] The biggest difficulty, for now, in reacting to the use of cyberweapons against the United States is not a question of whether or not we can respond, but a question of whom to respond against; it is a question which arises in all realms of cyberspace law, the question of attribution. As far as this goes, the existence of cyberweapons in the hands of other forces in today’s world does not constitute a necessity for the United States to have the same. We are fully capable of deterring and responding to cyber-attacks through conventional means – our focus needs to be on the attribution of attacks, again something that comes from our defensive capabilities, not on increasing the breadth of our means of response.

3. There are special cases in which cyber-attacks can be more effective/precise than conventional methods.

It is, of course, impossible to comprehensively argue that there are absolutely zero cases in which conventional methods suffice and cyber-methods are unnecessary. But I think the example given is worth examining more closely. It is curious that the example given, Stuxnet, is precisely a case of the United States wishing to avoid attribution for its (supposed) attack on the Iranian nuclear power plant. And yet Stuxnet has been attributed to the US, and the US has at this point more or less admitted it is the source of Stuxnet. Furthermore, we have little reason to believe that the Iranian nuclear program was significantly hampered or impeded. [2] As such, I don’t see Stuxnet as an example of a successful cyber-attack where conventional methods have failed – neither of the two goals, to stifle the Iranian nuclear program while keeping the origin of the attack hidden, has been achieved.

[1] International Law in Cyberspace: http://www.state.gov/s/l/releases/remarks/197924.htm
[2] Report: Iran’s nuclear capacity unharmed, contrary to U.S. assessment: http://www.haaretz.com/news/world/report-iran-s-nuclear-capacity-unharmed-contrary-to-u-s-assessment-1.338522

Private Sector 1


A key difference between cyber-warfare and physical military conflicts lies in the involvement of the private sector. There are two ways in which the private sector plays a role in cyber-conflicts: as resources and as targets.

Civilian resources are used much more often in cyber-warfare than in conventional attacks. Often, hackers use networks of hacked computers, or a ‘botnet’, in order to better leverage an attack. Even more significantly, civilian companies provide attackers with targets that are valuable both in their own right and as stepping stones to attacking military or government servers directly. For example, Chinese government-backed hackers have in recent years targeted various Fortune 500 companies, from financial firms to software developers to energy companies. In 2008, McAfee reports, an estimated $1 trillion of intellectual property was stolen across the world through hacking. [1] In the Pentagon’s statement of its cyberstrategy, William J. Lynn writes, “The cyberthreat posed to intellectual property may prove to be the most significant one facing Washington.” [2] Furthermore, today’s government servers are in large part protected by private sector contracts and technology. Private firms now hold sensitive information regarding the nature of our security system, exposing them to even greater risk from foreign interests.

There are two sides to the debate surrounding government involvement in private sector security. On the one hand, many large firms, including Microsoft, alongside the Pentagon and Cyber Command, call for greater collaboration, citing the sheer volume of attacks and the inability of either government or company to defend their resources alone. On the other hand, issues of privacy and economic favoritism can arise from such direct government involvement. It is, on the one hand, economically unfair for the government to privilege companies by selecting only some subset of software firms to defend. On the other hand, it is also infeasible for the government to begin a sort of universal cyber-care system and shoulder the burden of protecting all of the nation’s intellectual e-resources. Furthermore, having the government play such an involved role in the protection of, for example, the identities of political dissidents, leaves little impediment in the way of privacy violation.

Spreading the resources of the government so thin can also easily backfire, weakening rather than strengthening the security of our resources. Sharing widespread elements of a security system gives hackers greater freedom to probe and test their exploits, while simultaneously leaving the nation at risk of collapse if a very common system were to be breached.

Finally, there comes a question of the government’s role in society. For the most part, when it comes to protecting individual property, the government provides a police force and a judicial system not to prevent crimes directly, but to catch and punish criminals once the crimes have been committed (which, in turn, acts as a deterrent). In this sense, it would be something of a change if the government were to become directly involved in protecting private companies’ intellectual property against hackers directly, rather than simply cracking down on hackers once they have committed crimes; it is akin to the difference between the government providing policemen as security guards for a bank, rather than simply as a response force used only once banks have been robbed. The implications of such a shift in the role of government are somewhat unclear, and, to be fair, it is not well established that this would necessarily be a bad thing – it could be argued that the reason the government does not provide security guards for all establishments is one of practicality, which is no longer an issue when the ‘guard’ in question is simply a sequence of code which can be transferred essentially for free. On the other hand, again, such a shift carries with it a precedent of strong, directly involved government, rather than a government which simply punishes violations of a legal structure, which carries its own series of issues. Either way, I think this is a crucial issue to consider with regard to the relationship between government and private sector security.

[1] China Home to Most Hacked Computers, Says Report: http://www.inc.com/news/articles/2010/02/china-home-to-most-hacked-computers.html
[2] Defending a New Domain: http://www.defense.gov/home/features/2010/0410_cybersec/lynn-article1.aspx

Cyber Weapons 2


In addressing the viability of cyber-weapons in the international arena, it is worthwhile to note that the technology is so new as to have few case studies available for analysis, and virtually no cases for which longitudinal outcomes are available. Any analysis of cyberweaponry occurs in the absence of any system of norms or regulations addressing this new mode of combat. That being said, contrary to Lucian’s earlier post, it’s worth considering the position that while defensive technologies are certainly a crucial part of our national defense strategy, a focus on defense does not preclude our pursuing offensive capabilities. The reasons for maintaining equally strong, if not stronger, offensive cyberwarfare development are as follows.

We should develop stronger offensive cyberweapons, if not out of direct need to have the offensive strength to inflict damage upon enemy targets, then out of a need to better understand potential means of attack on the United States. Indeed, one of the best ways to develop strong defensive technologies is to anticipate the offensive technologies our enemies might wish to use against us. The development and release of the Stuxnet virus, for example, called attention to the security gaps in programmable logic controllers in infrastructure in the United States, and electricity providers are now taking steps to ensure that their grids are well secured.

It’s easy to imagine how this course of action might lead to an escalating cyber arms race, and far be it from the goal of any country to pursue a course of mutually assured destruction with its enemies. But all evidence indicates that America’s adversaries (and even some of her ostensible allies) have begun developing offensive capabilities. China, among other countries, has been the source of an enormous volume of attacks on the United States, having made multiple attempts at breaching the Pentagon’s servers. Given the Chinese government’s tight control on the Internet usage of their subjects, I find it implausible that authorities in Beijing are unaware of these attacks—although they may not directly sponsor them, their tacit consent is cause enough for concern. Our collaboration with Israel’s defense agency, Mossad, on Stuxnet and other cyberattacks has demonstrated that Israel has already considered the implications of cyberwarfare and is moving swiftly to develop that capability.

Granted, the United States is right to use cyberweaponry with a hefty dose of caution—the high development costs and limited possibility for reuse of any one virus means that each attack must be carefully considered. The zero-days that made the Stuxnet virus so devastating and so sophisticated are useless to exploit once revealed (Microsoft, for example, issued a patch for one of the zero-days within weeks of the Stuxnet story being released).

I would also urge caution in asserting too hastily that conventional methods of warfare are adequate for the changed landscape of modern conflicts. As has been noted previously, we are establishing a risky precedent in engaging in attacks on targets that are ostensibly civilian, if not actually so. That being said, traditional standards of warfare are no longer sufficiently graduated as to accommodate the full spectrum of policy options that the United States wishes to pursue. Let us consider, for example, the attack on the Natanz enrichment facility in Iran using the Stuxnet virus, for which the U.S. and Israeli governments have tacitly, if not explicitly acknowledged responsibility.

Traditional policy options to address the possibility of Iran’s escalating nuclear capabilities would have included economic sanctions, drone strikes, or at worst, invasion of the country (as we did in Iraq a decade ago). Iran has long been subject to both uni- and multilateral economic sanctions from the United States, European Union, and U.N. Security Council. Members of the Iranian Revolutionary Guard have had their assets frozen, and an embargo on many products stifles the flow of goods into the country, yet our intelligence indicates that Iran’s nuclear program is as strong as ever. Drone strikes would have been able to effectively disable Iran’s nuclear capabilities for months or even years, but the United States would have a difficult time denying responsibility for the attacks. This lack of plausible deniability would have been perceived as an overt act of war, embroiling the United States in yet another ill-advised conflict in the Middle East. Invasion, by any standard an extreme response, would have most certainly escalated the issue far beyond the range of what would have been considered acceptable to U.S. military brass. Stuxnet, while not entirely effective, was most likely a happy medium between inaction and overreaction. The use of cyberweaponry allowed the United States some degree of plausible deniability while maintaining flexibility in future policy actions.

Furthermore, this view of offensive capabilities ignores the possibility of using cyberweaponry as a tool for espionage. While neither offensive nor defensive, espionage using code rather than physical means (whether personnel or drones) poses a much smaller risk to the United States’ intelligence resources. The utility of code in industrial espionage has already been well-established; Symantec at first glance suspected Stuxnet to be a particularly sophisticated means of industrial espionage. For targets that are well-connected to the Internet, using viruses to relay information about factory layouts rather than risking the security of personnel on the ground seems to be a far more prudent and effective use of our large, but limited national security resources.

What is this?


This is a weblog created by Lucian Wang and Joy Wang as a final project for Professor Philip Malone’s freshman seminar “Cyberspace in Court: Law of the Internet”.

It takes the form of a dialogue, in which we take opposing sides on each issue. Note that these (unless otherwise stated) do not reflect our personal opinions, but instead are positions we have assumed for the sake of discussion.

Cyber-Weapons 1


In 2010, the United States military formally established U.S. Cyber Command, an organization built solely to fight the United States’ wars in cyberspace. This comes as a response to increased cyber activity by Russian, Chinese and other governments, either directly or through nonmilitary proxies situated in third-party nations. Historically, the battle of the internet has had military ramifications primarily in terms of intelligence: either in acquiring information from databases that are supposedly secure, or in feeding misinformation to counteract those efforts. In the past few years, we have seen a dramatic increase in the cyber-military capabilities of each of these nations, as they test their cyber-strength in what have so far been minor conflicts. It is only recently that cyber-attacks have begun to have real effects – now, the United States and other organizations have the capability to inflict physical damage purely through malicious code.

The acquisition of this new weapon raises a concern: when is the time to use it? In this sequence, I will be taking the following position: that the United States should restrict their use and development of offensive cyber-capabilities (my partner will be arguing the contrary). There are two arguments I will use to support this position:

1. Defense over offense
2. International standard

Let’s begin with the first.

1. Defense over offense

What I mean by this is that it is substantially more important for the nation to focus on defensive measures than offensive capability. Even when provoked, it is substantially more difficult to take retaliatory measures in cyberspace than in the physical world. This is for two reasons: challenges in attribution and unreliability of cyber-attacks.

One of the biggest issues with regard to any aspect of internet crime, cyber-security no less, is one of attribution. The offensive arm of the United States as it is today does not act so much as react; the vast majority of military operations today are in response to threats or risks. As far as this is true, a large part of any attack must then rely on the identification of those from whom the threat or risk originates, a problem made greatly more difficult in the context of cyberspace. Cyber-actors may not even be based in the country for whom they are operating; furthermore, their actions often take place through a chain of co-opted computing resources elsewhere in the world, often utilizing resources belonging to unknowing private citizens. Reverse engineering and tracing a virus or hack to its source can take months, and even then, proving beyond reasonable doubt who is responsible is nearly impossible. Indeed, it took teams of researchers from Symantec a full year and a half to decipher Stuxnet.[1] But one figure given by a spokesperson from the Nuclear Security Enterprise describes up to ten million “significant cyber security events” daily.[2] Even if this figure is exaggerated, the sheer number of attacks is overwhelming; to trace each of them to a source and confirm culpability before taking retaliatory action would be a colossal task. But even supposing that it were possible to identify the perpetrators of some number of attacks, the advantages of retaliating through cyberspace are still unclear. The relatively low investment required to launch a cyber-attack, since a personal computer, or even a cluster, is comparatively cheap compared to conventional weapons used by many terrorist or vigilante groups, also renders retaliatory (or preemptive) strikes especially difficult. In many cases, the perpetrators of an assault have few, if any, assets worth attacking.
Although the statistics are unclear (for reasons that should be obvious), a significant portion, if not majority, of the attacks against the United States’ databases and computers are executed not by enemies on the scale of nations but by small teams of hackers. As such, there is little that a cyber counter-offensive could accomplish that a physical intervention could not.

Again setting these concerns aside, there still remains an issue of unreliability regarding cyber-weapons. The United States considered launching a cyber-attack to support its strikes against Libya in March, but decided against it. Out of several reasons, one that is particularly worth mentioning is the inherent unpredictability of hacking: James Andrew Lewis, senior fellow at the Center for Strategic and International Studies, explains, “It’s the cyberequivalent of fumbling around in the dark until you find the doorknob. It takes time to find the vulnerabilities.”[3] This is precisely why the number of attacks launched against the United States is so huge. Hackers attempt to find security flaws through a complicated form of what boils down to pseudorandom guesswork, which at its core can prove to take much longer than expected. In cyberspace, the United States is on the defensive. We are the ones who have assets that require protecting, while other parties are free to probe our security systems, more or less at their leisure; they need succeed only once to inflict damage, while the United States must succeed in at least an overwhelming majority of these incidents. It is the U.S. forces who are pressured on the defensive, who do not have the flexibility to wait for hackers to find a weakness to exploit.

2. International Standard

In the mid 19th century, the United States developed technology that would transform the face of the world. It was a technology which was capable of inflicting massive damage and impossible to defend against. Of course, this is the atomic bomb. Today, we are faced with a similar scenario in the face of cyberwarfare. I do not mean that computer viruses have (yet) the influence to wipe out cities. What I do mean is that it is substantially easier to attack than to defend; a failed attack incurs minimal cost, because retaliatory measures are so prohibitively difficult, while a successful one can inflict serious harm. “In cyberspace, the offense has the upper hand.”[4] While intelligence interference has become a fairly well established facet of military conflict today, it is crucial that the precedent of using cyber-weapons lightly not be set. In a situation where tensions with Chinese intrusions into U.S. cyberspace are already a cause for concern, escalation could easily become damaging to both sides, most importantly with substantial collateral damage to the private sector; it is important to give no indication that such an escalation is in our interests, nor is acceptable from the standpoint of the international community.

[1] How Digital Detectives Deciphered Stuxnet, http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/
[2] U.S. Nukes Face Up to 10 Million Cyber Attacks Daily, http://www.usnews.com/news/articles/2012/03/20/us-nukes-face-up-to-10-million-cyber-attacks-daily
[3] U.S. Debated Cyberwarfare in Attack Plan on Libya, http://www.nytimes.com/2011/10/18/world/africa/cyber-warfare-against-libya-was-debated-by-us.html
[4] Defending a New Domain, http://www.defense.gov/home/features/2010/0410_cybersec/lynn-article1.aspx
