Purpose

A resource for those interested in cybersecurity and the future of cyberspace.

Thursday, September 30, 2010

State Responsibility for Cyber Attacks: Competing Standards for a Growing Problem

This Article reviews both the applicability and desirability of the two vying regimes for state responsibility under international law as applied to cyber attacks: the effective and overall control standards. Due to the technical difficulties with proving attribution for cyber attacks, along with the unreasonably high burden of proof required by the ICJ’s interpretation of the effective control standard, this Article argues for the adoption of the overall control standard as being both within the best interests of NATO as well as the international community.

Estonia Three Years Later: A Progress Report on Combating Cyber Attacks

Hackers have been online since a Cornell graduate student infected MIT’s burgeoning network with the first Internet worm on November 2, 1988. But recently cyber attacks on states have proliferated both in numbers and severity. The best-known recent example of such a cyber attack was on April 27, 2007. In a matter of hours, the websites of Estonia’s leading banks and newspapers crashed. Government communications were compromised. An enemy had invaded and was assaulting dozens of targets across the country. But this was not the result of a nuclear, chemical, or biological weapon of mass destruction. Nor was it a classical terrorist attack. A computer network was responsible, with attacks coming from thousands of zombie private computers around the world. And this was just the beginning. Flash forward to August 7, 2008, when, immediately prior to the Russian army invading Georgia en masse, a cyber attack reportedly crippled the IT systems of the Georgian military, including air defense. Georgian command and control was forced to resort to U.S. government and Google accounts while Estonian advisors helped to deflect the ongoing cyber onslaught.

These cyber attacks are far from unique. Literally thousands of largely unreported major and minor cyber attacks occur daily. Power utilities in the United States, Polish and South Korean government websites, and UK technology firms have all been hit by cyber attacks in just the past few months. Even school districts in Illinois, Colorado, and Oklahoma have lost millions to fraudulent wire transfers. Responses have been varied, with many nations such as Singapore creating new cyber security authorities responsible for safeguarding IT.

Together these episodes exemplify that cyber attacks against states are increasingly common, and increasingly serious. No longer does it take thousands of planes and divisions of soldiers to destroy vital governmental institutions. It can now be done by a relatively small group of knowledgeable persons linking together zombie computers into a clandestine network that may be used to crash nearly any computer system in the world connected to the internet, from air traffic control to sewage treatment plants.

The central topic of this article is uncovering in brief what is being done, and what can be done, to counter these attacks, both at the national and international level. The focus is on the last two-and-a-half years since the specter of cyber war fully entered public consciousness on the international scene with the cyber attack on Estonia. The question presented is what progress has been made since that time? In short, the answer is very little. Many nations have found mutual benefit in the status quo strategic ambiguity. National information infrastructures, and the World Wide Web in general, remain acutely vulnerable to cyber attacks. Without concerted multilateral action, such as by coordinating the more than 250 Cyber Emergency Response Teams (CERTs) currently operating around the world while also clarifying the applicable legal regime, this intolerable state of affairs will continue.

The structure of the article is as follows. Part I analyzes the threat of cyber attacks to international peace and security. Part II briefly summarizes the current cyber defense policies of the major players, to the extent that information is publicly available, including the United States, Russia, China, and NATO. Part III lays out the current legal regime that may be applied to cyber attacks, highlighting the significant gaps in the system. Finally, Part IV concludes by arguing for the need for a new regime for regulating cyber attacks and proposes new minilateral and multilateral measures that should be taken to more effectively protect information infrastructures from cyber attacks.

Web Tastes Freedom Inside Syria, and It's Bitter

It’s no secret that some nations often censor information that is shared with the public. They block access to Internet sites with information or openness that they have deemed sensitive, whether to national security or otherwise. What may be less well-known is how often those government measures are averted. In the case of Syria, most social networking sites, like Facebook, are blocked by the government. However, as the attached article explains, young Syrians often get around such censorship by hacking into other computers. As Robert Worth of The New York Times writes: “Foreign proxy server numbers are traded among young people like baseball cards.” While this may lead to positive civil rights among youth in Syria, as depicted in this article, it also highlights the difficulty in tracing cyber attacks.

From Net War to Nuclear War: Analogizing Cyber Attacks in International Law

On April 27, 2007, Estonia suffered a crippling cyber attack launched from outside its borders. It is still unclear what legal rights a state has as a victim of a cyber attack. For example, even if Estonia could conclusively prove that Russia was behind the March 2007 attack there is no clear consensus on how Estonia could legally respond, whether with armed force, its own cyber attack, or some other measure. The scholarly literature dealing with these questions, as well as the ethical, humanitarian, and human rights implications of information warfare (IW) on national and international security is scarce. Treatments of IW outside the orthodox international humanitarian law (IHL) framework are nearly non-existent. This underscores the tension between classifying cyber attacks as merely criminal, or as a matter of state survival calling for the same responses as conventional threats to national security.

International law has been slow to adapt. The facts on the ground, and the widespread, amorphous use and rapid evolution of the internet in many ways challenge state sovereignty. I will advocate that the best way to ensure a comprehensive regime for cyber attacks is through a new international accord dealing exclusively with cyber security and its status in international law. Yet, the international community lacks the political will to tackle this issue directly. Until such an accord becomes politically viable, it is critical to examine how existing treaty systems may extend to cover the novel facts presented by cyber attacks. Together, existing treaties form a dual track approach to cyber attacks - one that is available for cyber attacks that do not rise to the level of an armed attack, and another that is activated once an armed attack occurs. To that end this paper will examine the most apt analogues in international law to form an appropriate legal regime for the various types of cyber attacks - whether it is humanitarian law (laws of war), human rights law (regulation of nation states' behavior), or some novel combination of these and other treaty systems. In framing this regime, it will be argued that cyber attacks represent a threat to international peace and security as daunting and horrific as nuclear war.

Yet the nuclear non-proliferation model is not a useful analogy since the technology necessary to conduct IW is already widespread in the international community. Instead, other analogies will rely on communications and cyber law, space law, and the law of the sea. The main failings of existing international treaties that touch on cyber law though are that most do not carry enforcement provisions. Nor do they specify how the frameworks change or fall away entirely during an armed attack. Nevertheless, regardless of whether or not cyber attacks fall below the threshold of an armed attack these bodies of law have a role to play in forming an appropriate regime. The cyber attack on Estonia in April, 2007, presents an example of the dire need for clarity in the international law of non-conventional warfare using modern technology.

To read the full article, go to http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1396375.

Google Needs Help Against Cyber Attackers

In January 2010, corporate America was compromised. Again. Computer attacks possibly emanating from within China were directed at stealing Google's intellectual property along with that of 40 other corporations, mostly in the United States.

In this case, the attacker used a tactic known as phishing, in which e-mail is sent from someone the user supposedly knows and trusts. Once opened, infected attachments downloaded malware on the host's computer, allowing access to confidential information stored on the computer system. Google has stated that little if any of its property was lost. But it is estimated that similar attacks have led to the loss of 10,000 to 20,000 gigabytes of sensitive information in recent years. The actual figure is probably far higher.

Many computer security experts have called the attack on Google routine. Indeed it was: The number of "computer security incidents" that the U.S. Computer Emergency Readiness Team investigates grew from six in 1988 to 52,658 in 2001. In fact, the United States is "under cyberattack virtually all the time," according to Defense Secretary Robert Gates.

What can the U.S. government do in response? Not enough. It has been reported that the State Department will make a formal protest to Chinese authorities over the Google incident. Why can't we do more? The problem is twofold.

First, it's very difficult to prove who is behind the attacks. The science of tracing such attacks is primitive at best. Sophisticated attacks by knowledgeable hackers, whether private or state-sponsored, are nearly impossible to trace to their source. The current foundation of network communications over the Internet, consisting of the Transmission Control Protocol and the Internet Protocol that route information to its destination, dates to 1982. This antiquated system of communication, designed for a small number of academic and governmental researchers sharing information with low risk of system breaches, is at the heart of the problem.

Second, even if the U.S. government working with Google could definitively state that China was behind the attacks, which seems increasingly likely given recent findings of Chinese code in the malware, legal options are limited. Cyber-attacks activate one of two areas of international law, depending on severity. If the attack is as bad as an armed attack by regular military forces, the laws of war apply. But if it isn't as serious, like the one on Google, other treaties are activated. None of these, however, has any teeth. In recognition of this, the United States and Russia recently took the first steps toward negotiating a treaty for online security, but the countries are still far apart.

Such a treaty, though, would give Google options. It could provide for reparations and sanctions against aggressor nations, like China, when online attacks occur. It could define the burden of proof needed to establish state responsibility for Internet attacks. And, most important, it could provide a forum, a court, where Google could bring a case against China.

Short of a treaty, the Obama administration could push for a national law on online attacks, establishing criminal sanctions against proven attackers and requiring the Department of Justice to prosecute offenders.

Urgent action is needed. So long as the Internet remains open and the legal system undefined, people and nations alike will continue to launch online attacks. Right now, they have nothing to fear.

For a full copy of this article published in the San Francisco Chronicle, go to http://articles.sfgate.com/2010-01-24/opinion/17835314_1_google-attacks-computer-emergency-readiness-team