Category Archives: Cyber-Risk

Stuxnet as Cyberwar: The Law of War and the Virtual Battlefield

Cyberwar is a popular topic in national security circles of late. While there has been considerable discussion about whether the U.S. has been subject to cyber attacks in violation of the laws of war, much of the discussion has centered on technical questions related to the nature of various attacks, big and small, with little attention given to the terms being bandied about. In the common parlance, cyber war has been applied to espionage, theft, extortion as well as physical attacks resulting in real world damage. But is any of this really warfare within the definition of international law?

I recently wrote a paper entitled Stuxnet as Cyberwarfare: Distinction and Proportionality on the Cyber Battlefield, where I attempt to address a number of legal issues related to the recent attack known as Stuxnet, looking at the nature of the attack and whether it adhered to the law of war principles of distinction and proportionality. Focusing on whether the Stuxnet attack constituted a form of cyber warfare, I then looked at whether the attack adhered to these important legal principles.

While a number of legal scholars have written extensively on the subject of cyber war, until the discovery of Stuxnet, there was considerable disagreement as to whether a cyber war had ever occurred. While I believe that the Stuxnet event was in fact an attack within the meaning of international humanitarian law (IHL), I think that the attack on the Natanz nuclear facility by unknown aggressors raises as many questions as it answers, including questions of attribution and whether a proportional response by the victim state (in this case, Iran), would have been legitimate within the framework of the U.N. charter.

That said, I am attaching a copy of this paper for readers interested in my analysis of the subject.

Creative Commons License
Stuxnet as Cyberwarfare – Distinction and Proportionality on the Cyber Battlefield by John Richardson is licensed under a Creative Commons Attribution 3.0 Unported License.

Stuxnet: The Movie

In my last post a few weeks ago, I wrote about the Stuxnet virus. If reading a long paper is not your thing, the following video does a very nice job of explaining things.

Let’s Declare Cyberwar!

As a child, I remember playing “war” with my friends. Epic battles played out in our backyards with imaginary casualties lying at the feet of victorious warriors in paper hats. Unfortunately, many years later not much has changed in the minds of many otherwise reasoned thinkers.

A recent article by David Frum in “The Week” exemplifies this phenomenon. In his article “Wikileaks is an Act of Cyber War,” Frum argues that Wikileaks is the cyber equivalent of a roadside bomb as compared to the cyber attack on Iran’s nuclear facilities, which he characterizes as an F-35 attack.

But are Wikileaks’ antics a form of cyber war as Frum and others suggest? The short answer is no.

Best described as a new form of warfare, a cyber-war must be distinguished from cyber-espionage, cyber-crime and other variants of online conflict. While the popular media will continue to use the term to describe anything that will help sell ad space, the term describes a conflict between states as described in the formal laws of war.

The problem today is that legal scholars have not fully figured out how to define a cyber-war since the modern rules of armed conflict were crafted prior to the advent of the Internet.

A short answer to what is a cyber-war is to look at whether the online actions resulted in death or destruction and whether they can be attributed to another state. There are no easy answers to these seemingly simple questions and other factors need to be addressed as well before declaring a cyber-conflict a “war.” But for purposes of the discussion about pro- or anti-Wikileaks hackers waging distributed denial of service attacks against credit card companies and the like, it is perhaps better to think in analogous terms. The current demonstrations in the U.K. by student protesters upset over increases in tuition rates seem a more apt comparison. While some students may believe that they are at war with the British government, theirs is a protest, plain and simple.

In the case of Wikileaks, what we are now seeing is a characterization of the cyber event as something defined by the beholder, thereby justifying retaliation. Calling something a war invokes a certain nationalistic fervor and a call to action. Unfortunately, this means spending money (lots of it) to protect us from enemies, real or imagined, forgoing personal freedoms for the common good (remember the Patriot Act?) and branding dissenters from the prevailing ideology as terrorists. It’s not inconceivable that donations to the Wikileaks defense fund could be considered financing a terrorist organization in the not so distant future.

Cyber-wars will befall us all but be patient and be warned. A real cyber-war is not something we will find entertaining on the evening news. Just as important, reckless use of the cyberwar moniker opens the floodgate of state-sponsored repression that makes the whining about Wikileaks look like child’s play.

Wikileaks: Guess Who Owns the Internet?

This last week has not been the best of times for Wikileaks and its founder, Julian Assange. After the slow release of State Department cables that revealed embarrassing details of diplomatic musings, Assange has been threatened with death, sought to be prosecuted for espionage, jailed without bail for sex crimes, denied services by a number of Internet hosting services, PayPal and Amazon, pilloried by all “right” thinking folks and afflicted with a variety of other plagues. On the bright side, he may get the Man of the Year award from Time magazine and he did, after all, get out some of the leaked cables. All in all, it has been an interesting few days.

What is giving me pause with all that has gone on with Wikileaks is the ability of the U.S. government and one U.S. Senator to essentially override the rule of law and strong-arm major Internet companies to deny the organization access to services that would otherwise be available to any enterprise. After pressure from Sen. Joe Lieberman (CT-Idiot), Amazon closed down Wikileaks’ cloud storage account, claiming a violation of its terms of service. Likewise, PayPal summarily terminated Wikileaks’ account. Meanwhile, the Wikileaks site has come under attack from a hacker with pro-American leanings known as the Jester. Using an all too common attack known as a denial of service (DoS), this hacker has been able to overwhelm the site, effectively shutting it down. Not to be easily taken out, Wikileaks has found support from other online operations, creating many mirrored sites. In the meantime, the U.S., which through its various cyber agencies has complained vigorously about DoS attacks, has been silent on this particular attack.

More importantly, the pressure brought by the U.S. to shut off the Wikileaks release of the cables speaks to the susceptibility of the Internet to state pressure. How far will the U.S. go to stop Wikileaks? Does this event set the stage for a moderated Internet of the politically correct kind?

It’s one thing when China or Iran shuts down bloggers but it’s quite another thing when a journalist challenges the U.S. of A. Somehow, a politically correct Internet is a far more scary thing than a batch of leaked cables.

Cyber Conflict and its Implications for Business

Google and Yahoo in China. Research in Motion in the UAE. Siemens in Iran. What do these companies have in common? In each of these cases, companies have become embroiled in cyber conflicts and more importantly, they are exposed to risk stemming from violations of international human rights or humanitarian laws.

In the emerging field of cyber warfare, experts are looking at the applicability of the rules of war (humanitarian law) for answers about how to manage conflict in the cyber battlefield. Questions about neutrality of countries when hostile Internet traffic passes through their data pipelines, responses to cyber attacks when the actual culprits are unknown and the proportionality of an attack and a response from the nation state subject to a cyber attack are all questions that remain largely unanswered. The impacts on innocent civilians from a debilitating attack on a country’s online infrastructure can be devastating (collapse of power grids, shutdowns of electronic financial infrastructures, disruption of telecommunications) and can arguably lead to injuries and deaths. In the realm of international human rights law, questions about censorship of bloggers (Iran and China) and invasion of privacy (UAE, India and Saudi Arabia) involving government intrusions into encrypted private email are evolving rapidly.

The challenge facing companies like Google, Yahoo, Siemens and RIM is how they can operate in regions of the world where human rights are at risk while continuing to do business in cyberspace.

So far, these and other companies have either ignored the human rights implications of their business activities or, in the case of these companies, attempted to balance the need for business expansion with a measure of responsibility to stakeholders. However, risks abound for these and other companies caught up in cyber conflict.

It is instructive to look at the current problems facing these companies around the world. “China’s estimated 338 million Internet users remain subject to the arbitrary dictates of state censorship. More than a dozen government agencies are involved in implementing a host of laws, regulations, policy guidelines, and other legal tools to try to keep information and ideas from the Chinese people. Various companies, including Google, Yahoo! and Microsoft, have enabled this system by blocking terms they believe the Chinese government will want them to censor,” notes Human Rights Watch.

“For RIM . . . security is one of the main advantages it touts over competitors. E-mails its customers send are encrypted and sent through RIM’s own servers and network operation centers . . . However, the system also makes it harder for governments to monitor BlackBerry communications than messages from other smartphones, which typically travel across the Internet. That has made RIM’s devices an issue for countries concerned mobile e-mail or messaging could be used to coordinate a terrorist attack or bring down a government,” reports Bloomberg.

Yet what remains unspoken is the fact that any expectation or protection of privacy is thrown out the window by these changes in government policies. Saudi Arabia and the UAE are not exactly bastions of human rights and India is not far behind when it comes to ignoring the rights of its citizens when state action is involved. In each of these instances, governments have framed their decisions to snoop into the private communications of cell phone users as a matter of national security.

In the realm of cyber warfare, recent reports indicate that the Stuxnet computer worm, which some experts suggest was designed specifically to attack the Bushehr nuclear reactor in Iran, accomplishes its task by targeting systems controllers manufactured by Siemens. While some suggest that Stuxnet may have played itself out after attacking a massive number of computer systems, most of which are located in Iran, there is legitimate concern that new zero-day attacks will wreak far greater havoc. Of course, this has triggered considerable debate in the global IT community about cyber warfare, retaliation and massive cyber defense responses. This has, in turn, led to a massive buildup of the cyber security industry here in the U.S.

This all leads to the basic question. How are the rights of ordinary people in China, Iran, India and, for that matter, the United States protected from the cyber aggression of their own governments and from nation states bent on cyber aggression? Equally important, what are the risks to companies complicit in these and other scenarios that are certain to emerge in the coming months and years?

For each of the companies involved in these recent conflicts, their responses have been measured but not without their detractors. However, the voices of concern over human rights in the cases of Google, Yahoo and RIM have been largely drowned out by business and consumer concerns over loss of access. The visceral addiction of rabid BlackBerry addicts speaks, at least anecdotally, to the lack of protest over these governments’ actions and the company’s responses. While Siemens has been a victim of sorts of the Stuxnet worm, the failure of its control systems poses real risks from the catastrophic harms inflicted on those affected by system failures to power systems and other public services.

Today, there is a growing need for developing a body of law that speaks to these concerns and a greater awareness of the need for corporate accountability in the virtual realm. Given that many of the current treaties addressing war and human rights were crafted long before the advent of the Internet, there is considerable uncertainty in the law. This leaves companies somewhat in the lurch with respect to their business conduct, with the uncertainty of the law exposing them to unforeseen risks in the coming years.