Purpose
Thursday, September 30, 2010
State Responsibility for Cyber Attacks: Competing Standards for a Growing Problem
Estonia Three Years Later: A Progress Report on Combating Cyber Attacks
These cyber attacks are far from unique. Literally thousands of largely unreported major and minor cyber attacks occur daily. Power utilities in the United States, Polish and South Korean government websites, and UK technology firms have all been hit by cyber attacks in just the past few months. Even school districts in Illinois, Colorado, and Oklahoma have lost millions to fraudulent wire transfers. Responses have been varied, with many nations such as Singapore creating new cyber security authorities responsible for safeguarding IT.
Together these episodes exemplify that cyber attacks against states are increasingly common, and increasingly serious. No longer does it take thousands of planes and divisions of soldiers to destroy vital governmental institutions. It can now be done by a relatively small group of knowledgeable persons linking together zombie computers into a clandestine network that may be used to crash nearly any computer system in the world connected to the internet, from air traffic control to sewage treatment plants.
The central topic of this article is uncovering, in brief, what is being done and what can be done to counter these attacks, at both the national and international level. The focus is on the last two-and-a-half years since the specter of cyber war fully entered public consciousness on the international scene with the cyber attack on Estonia. The question presented is: what progress has been made since that time? In short, the answer is very little. Many nations have found mutual benefit in the status quo strategic ambiguity. National information infrastructures, and the World Wide Web in general, remain acutely vulnerable to cyber attacks. Without concerted multilateral action, such as by coordinating the more than 250 Cyber Emergency Response Teams (CERTs) currently operating around the world while also clarifying the applicable legal regime, this intolerable state of affairs will continue.
The structure of the article is as follows. Part I analyzes the threat of cyber attacks to international peace and security. Part II briefly summarizes the current cyber defense policies of the major players, to the extent that information is publicly available, including the United States, Russia, China, and NATO. Part III lays out the current legal regime that may be applied to cyber attacks, highlighting the significant gaps in the system. Finally, Part IV concludes by arguing for the need for a new regime for regulating cyber attacks and proposes new minilateral and multilateral measures that should be taken to more effectively protect information infrastructures from cyber attacks.
Web Tastes Freedom Inside Syria, and It's Bitter
It’s no secret that some nations often censor information that is shared with the public. They block access to Internet sites with information or openness that they have deemed sensitive, whether for national security reasons or otherwise. What may be less well-known is how often those government measures are circumvented. In the case of Syria, most social networking sites, like Facebook, are blocked by the government. However, as the attached article explains, young Syrians often get around such censorship by hacking into other computers. As Robert Worth of The New York Times writes: “Foreign proxy server numbers are traded among young people like baseball cards.” While this may lead to positive civil rights among youth in Syria, as depicted in this article, it also highlights the difficulty in tracing cyber attacks.
From Net War to Nuclear War: Analogizing Cyber Attacks in International Law
International law has been slow to adapt. The facts on the ground, and the widespread, amorphous use and rapid evolution of the internet in many ways challenge state sovereignty. I will advocate that the best way to ensure a comprehensive regime for cyber attacks is through a new international accord dealing exclusively with cyber security and its status in international law. Yet, the international community lacks the political will to tackle this issue directly. Until such an accord becomes politically viable, it is critical to examine how existing treaty systems may extend to cover the novel facts presented by cyber attacks. Together, existing treaties form a dual track approach to cyber attacks - one that is available for cyber attacks that do not rise to the level of an armed attack, and another that is activated once an armed attack occurs. To that end, this paper will examine the most apt analogues in international law to form an appropriate legal regime for the various types of cyber attacks - whether it is humanitarian law (laws of war), human rights law (regulation of nation states' behavior), or some novel combination of these and other treaty systems. In framing this regime, it will be argued that cyber attacks represent a threat to international peace and security as daunting and horrific as nuclear war.
Yet the nuclear non-proliferation model is not a useful analogy since the technology necessary to conduct IW is already widespread in the international community. Instead, other analogies will rely on communications and cyber law, space law, and the law of the sea. The main failings of existing international treaties that touch on cyber law, though, are that most do not carry enforcement provisions. Nor do they specify how the frameworks change or fall away entirely during an armed attack. Nevertheless, regardless of whether or not cyber attacks fall below the threshold of an armed attack, these bodies of law have a role to play in forming an appropriate regime. The cyber attack on Estonia in April, 2007, presents an example of the dire need for clarity in the international law of non-conventional warfare using modern technology.
To read the full article, go to http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1396375.
Google Needs Help Against Cyber Attackers
In January 2010, corporate America was compromised. Again. Computer attacks possibly emanating from within China were directed at stealing Google's intellectual property along with that of 40 other corporations, mostly in the United States.
In this case, the attacker used a tactic known as phishing, in which e-mail is sent from someone the user supposedly knows and trusts. Once opened, infected attachments downloaded malware on the host's computer, allowing access to confidential information stored on the computer system. Google has stated that little if any of its property was lost. But it is estimated that similar attacks have led to the loss of 10,000 to 20,000 gigabytes of sensitive information in recent years. The actual figure is probably far higher.
Many computer security experts have called the attack on Google routine. Indeed it was: The number of "computer security incidents" that the U.S. Computer Emergency Readiness Team investigates grew from six in 1988 to 52,658 in 2001. In fact, the United States is "under cyberattack virtually all the time," according to Defense Secretary Robert Gates.
What can the U.S. government do in response? Not enough. It has been reported that the State Department will make a formal protest to Chinese authorities over the Google incident. Why can't we do more? The problem is twofold.
First, it's very difficult to prove who is behind the attacks. The science of tracing such attacks is primitive at best. Sophisticated attacks by knowledgeable hackers, whether private or state-sponsored, are nearly impossible to trace to their source. The current foundation of network communications over the Internet, consisting of the Transmission Control Protocol and the Internet Protocol that route information to its destination, dates to 1982. This antiquated system of communication, designed for a small number of academic and governmental researchers sharing information with low risk of system breaches, is at the heart of the problem.
Second, even if the U.S. government working with Google could definitively state that China was behind the attacks, which seems increasingly likely given recent findings of Chinese code in the malware, legal options are limited. Cyber-attacks activate one of two areas of international law, depending on severity. If the attack is as bad as an armed attack by regular military forces, the laws of war apply. But if it isn't as serious, like the one on Google, other treaties are activated. None of these, however, has any teeth. In recognition of this, the United States and Russia recently took the first steps toward negotiating a treaty for online security, but the countries are still far apart.
Such a treaty, though, would give Google options. It could provide for reparations and sanctions against aggressor nations, like China, when online attacks occur. It could define the burden of proof needed to establish state responsibility for Internet attacks. And, most important, it could provide a forum, a court, where Google could bring a case against China.
Short of a treaty, the Obama administration could push for a national law on online attacks, establishing criminal sanctions against proven attackers and requiring the Department of Justice to prosecute offenders.
Urgent action is needed. So long as the Internet remains open and the legal system undefined, people and nations alike will continue to launch online attacks. Right now, they have nothing to fear.
For a full copy of this article published in the San Francisco Chronicle, go to http://articles.sfgate.com/2010-01-24/opinion/17835314_1_google-attacks-computer-emergency-readiness-team