International Agreement for Control of Cyber Weapons

Month: November, 2015

Making After Before

Intelligence is about finding out about something before it happens.  Detective work is about finding out how something happened after the event already has taken place.

In the cyber world, the detective work is much easier than the intelligence work, although neither are particularly elementary.

Before the fact, and after the fact.  Lets start with after.  A criminal act is carried out.  These days, it is either a cyber act in itself, or it is dependent in some way upon some aspect of the cyber world.  Once a person involved has been identified then law enforcement can get a court order to demand all of the cyber baggage being carried around by the perpetuator.   Phone calls, travel records, banking records, credit card records, social media accounts, emails.  Each of these sources of information give important clues to the network of individuals who are the living system supporting the defendant.  Degrees of separation.  By linking the responsible person to their contacts, and then those contacts to all of their contacts, then by the second or third level the number of affiliated persons becomes very great.

But usually it is possible to determine the wheat from the chaff, and to use the numerous hints given by the cyber footprints left by the perpetuator. It is possible to uncover a network of individuals, places of interest, and even more about what happened before the event.  With good detective work, it is possible to find anyone else involved, and even get hints regarding any future similar event if one seems to be planned.

But finding out things before the fact is much harder.  For one thing, there may be no starting point, no person who can be identified.  This essential first step is easy after the fact, but before is another issue.   So the essence of the problem becomes how to find the subject of interest, the starting point.

This is one of the reasons why in combatting terrorism and its use of social media and Internet, investigators are caught in a dilemma.  On the one hand, there is a need to stop or severely limit this type of activity.  On the other hand, if the activity is cut off, then there no longer remains any cyber clues left regarding the identity of the terrorists or criminals or other subjects of interest.

In discussions over a cyber arms limitation treaty, one of the stumbling blocks is the question of how to determine the source of an attack.  It is the same type of problem.  How to find out the after before it it happens.  Making after before.

Cyber Arms Control and the Middle East

The current situation in the Middle East is a disaster.  Yesterday, Turkey shot down a Russian SU-24M fighter aircraft flying over Northern Syria near the Turkish border.  Although the Turkish and Russian militaries had set up a “hot line” to handle any crisis or emergency, the Turkish side never bothered to contact the Russians.

Supposedly, the Russian aircraft flew into Turkish air space, but inspection of the radar outputs published by Turkey indicate that the amount of time flying inside Turkey could not have been more than a minute, possibly only half a minute or less.

When the aircraft was shot down, it was already back in Syrian air space, which means that the Turks shot their missiles from Turkey into Syria.

The Turks said that they had warned the Russian pilots for at least ten times over a period of 5 minutes.  At those speeds, this means that the Russian pilots were warned about Turkish air space when they were still in Syria, and heading towards Turkish territory.

The Russian pilot who survived the attack reported that no communication from the Turks had been received.

Originally there were two pilots in the SU-24.  Shortly after the aircraft was hit, they pushed the emergency escape buttons, to eject in their seats and parachute to safety.  On their way down, at a time when they could not possibly do any harm to anyone, Turkomen persons started firing on them with machine guns, killing one of the Russian pilots.

To add insult to injury, when two rescue helicopters were dispatched from nearby Russian ships to rescue the pilots, one was shot down, and yet another soldier or more were killed.

After the incident, the Turks rather than contacting Russia, instead went directly to NATO with a complaint, demanding support as part of the mutual defense treaty.  Military analysts in the United States are saying that this was an ambush by Turkey against the Russians.

Some are worried that this may lead to a third world war.  It is a horrible situation.  Fascinating as it may be, this blog is no place to examine the complex realities of the Middle East, Syria, Iraq, Iran, Turkey, Russia, the United States, and all the other players there.

Cyber War in the Middle East Now

The list of cyber weapons that are being used now in the Middle East and across the world is very large.  We can name only a few, and without doubt could not list them all, even if there were inclination or time.

Electronic Battlefield. The United States is operating a gigantic information battlefield in which soldiers or special forces on the ground in Syria and Iraq are receiving more or less real time information from a variety of intelligence sources, including real time information from drones and satellites.  For every American soldier in the battlefield hell of ISIS, there are satellites overhead looking out for them.  These in effect are teams of persons at various US dark sites around the world. Constantly on duty, they monitor US troop movements are look ahead so as to be able to warn of danger.

Social Media War. ISIS has mastered the use of social media to recruit “sleeper” agents inside Western countries.  The recruits go through three phases:  First, there is general curiosity about propaganda available online.  Second, they make an initial contact with a recruiter for the Islamic State.  Sometimes this recruitment period goes on for a long time.  Some persons in the United States have even received gifts of candy and books.  In the third phase, the recruited agent goes over to the dark web, which means that all of their communications are encrypted, and this makes it impossible for the intelligence communities around the world to read what they are doing.  It is during this phase that the sleeper agent is given specific instructions regarding what they are next to do.

Hacking War. Every day the United States receives more than 100,000 attacks from overseas.  These attacks are aimed at either destroying or stealing important information.  Most attacks come from Russia, China, North Korea, and Iran.  These attacks are monitored by the NSA Cyber Command, but it is difficult to keep up with all of the attacks, as many of them are automated.

It often is noted that even now adversaries have the ability to shut down or disrupt the US transportation system, the electricity grid, and financial institutions.  This merely compliments the constant virus and denial-of-service attacks that constantly flood the Internet.

The Internet is one of the greatest advantages of the US economy, but also it is a great factor of weakness.

Prospects for Arms Control

For the time being, the prospects for cyber arms control are not good.  Countries are too busy engaging in the growing war against ISIS, and in defending their own national interests.  Second, the cyber arms race is a time in which countries are working very hard to develop their capabilities.  Countries would rather develop their capabilities, than cut these efforts short by working on a treaty.

For the time being, the US is a global intelligence and cyber superpower, but no one knows how long that situation can last.




Cyber War, Kinetic War and “Kinetic-Cyber War”

Cyber war takes place within the bits traversing the world’s information and telecommunications infrastructure.  Software can be corrupted, information stolen, information systems compromised.  There generally is no physical effect of cyber war, but there always is a large information effect.

Kinetic war is the term used for blowing things up.  Shooting people, or equipment.  Bombs, rockets, artillery shells, rail guns.  This is kinetic war.

The Russian Federation is experimenting with a Istrebitel Sputnikov, a “satellite killer”.  The object of this equipment is to destroy telecommunications networks.  It will do this by some type of kinetic force. It sill shoot and destroy satellites.

The United States is orbiting approximately 549 satellites.  China has 142.  Russia has 131.  The United Kingdom has 40.  India has 33.  All of this very expensive equipment is vulnerable.  But it is not the satellites themselves that will be the true targets of this new warfare in outer space.  Instead, it will be the information and telecommunications systems that they support.

The Pax Caelestis is dead.  We now must face “Kinetic-Cyber War”.


Anonymous vs. Daesh

The reverberations of the Daesh attack on teenagers in Paris continue.  Daesh has released videos showing how it is training children to murder non-muslims.  It has threatened to attack the Vatican, and the White House.  At the same time, the cyber war continues.

The original fight between Daesh and Anonymous started when Daesh hijacked a single Anonymous Twitter feed.  After that, Anonymous has continued a regular series of attacks against Daesh, regularly releasing names, id’s, passwords, associated IP addresses and other information on thousands of Daesh internet accounts.  Anonymous released a series of videos in French promising to take further actions against Daesh, and soon.

On November 19th, 2015, Anonymous announced that it had taken down 5,500 Daesh accounts in response to being called “idiots”. This is called #OpParis.  “The Anonymous vs ISIS showdown is only the beginning, with Anonymous vowing to wipe the Internet stage of all ISIS activity, rendering ISIS impotent of their recruiting network online.”

At the same time, Daesh is sending out as many as 96,000 recruitment emails per day, all aimed at getting sympathizers in the West.

This conflict is an example of how cyber war will develop.  There are a number of basic functions in a cyber conflict:

  • Breaking and exposure of the security of enemy Internet accounts;
  • Use of the subculture of hackers instead of the type of organized response found in a military;
  • Sabotage of web servers, and attempts to interfere with Internet facilities of all types of the enemy;
  • Lack of transparency in what is happening, or even what has happened.

It is unlikely that a cyber arms control treaty will be able to identify all of the specific violations or attacks that may take place.  Any attempt to write out a treaty with complete rationalist comprehensiveness is futile.  Instead, the world will need to stick to generalist principles.

Daesh in Paris

The November 13th, 2015 attack by Daesh in Paris was devastating.  We have learned that the criminals had rented an apartment in Paris to prepare themselves, probably to wait for Friday the 13th, the day on which in 1307 Philip IV of France arrested hundreds of the Knights Templar.  The “crusaders” were crushed then, and Daesh wanted to strike again now.  The use of AK-47 Russian assault rifles against teenagers attending a heavy metal concert seems to have been particularly heartless.  Many are calling what happened in Paris “France’s 9/11”.

In response, the French are in a state of shock, and are insisting that their lives will not be changed by this attack, the worst loss of life for the French since the Second World War.  Many have been gathering at the Place Vendôme leaving candles and flowers.  Many French citizens interviewed have insisted that they are not afraid, and that their lifestyle is not going to change, but this is wishful thinking.

The President of France, François Hollande speaking in the Palace of Versailles to a joint meeting of the French Senate and Assembly, set forth some of the changes that need to be made to fight this terror.

There are an number of expected measures, such as hiring of more law enforcement and judiciary personnel.  Border controls will be improved.  A series of bombing raids by French jets were launched in Syria targeting the small city Raqqa, the self-proclaimed capital of Daesh.  The sole French aircraft carrier, the Charles de Gaulle, is being moved into position in the Eastern Mediterranean, and this will triple French air power.  French diplomats are attempting to get the US and the Russian Federation to join in a coalition to destroy Daesh.

There are a number of cyber measures also being proposed.  These include (a) an increase in funding for cyber intelligence services to support the police and military; (b) a change in the rules of evidence for criminal proceedings allowing the judiciary to use information gathered by intelligence services; (c) perhaps more authority to interfere with social media and web traffic that has been used to promote Daesh.

The use by Daesh of the Internet as a major recruiting tool has been a shock to those who propose unrestricted Internet freedom.   Indeed, the use of the Internet for criminal and terrorist activities long has been a motivating factor for governments to grab control over its use.  On the one hand, we cherish the principles of freedom of communication and freedom of information.  On the other hand, we have a need for governments to protect the public from danger.

This is a trend towards control over the Internet that we have seen in other countries.  In this case, it means the blocking of Internet traffic, and the monitoring of individuals who are reading and distributing this revolutionary information aimed at incitement.

It also has emerged that law enforcement is frustrated by how the terrorists are using encryption, and the hiding of their communication within video games.

All of these challenges, particularly breaking encryption, are extraordinarily tough technical problems.  It is not known how many organizations are capable of breaking encryption, if any.

This is a strange type of “weapon”.

Since Daesh is not a government or a state, its use of the Internet as a weapon would not be covered under a traditional cyber arms control treaty, although the use of the Internet in this degraded fashion should be considered at all levels.

It is difficult to anticipate what the downstream consequences  will be.





The U.S. Department of Defense Three Cyber Missions

Cyber security has now turned into a national security issue.  The U.S. Department of Defense (DoD) has a three sided set of cyber missions. These are:

  1. Defend military networks, systems, and information;
  2. Defend the U.S. as a whole, and all U.S. national interests against major cyber attacks;
  3. Provide cyber support to military operations.

The U.S. DoD plans to have 133 Cyber Mission Force Teams by 2018 including 13 National Mission Teams; 68 Cyber Protection Teams; 28 Combat Mission Teams; and 25 Support Teams.  Of course it is difficult to understand what this really means since there is no public information on these teams (where they are located; how large they are; etc.).

In a recently released document “The DoD Cyber Strategy“, the Pentagon has defined five strategic goals for its cyberspace missions. These are:

  1. Build and maintain ready forces and capabilities to conduct cyberspace operations;
  2. Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions;
  3. Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence;
  4. Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages; and
  5. Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability.

The report notes (p. 9) that “From 2013-2015, the Director of National Intelligence [James R. Clapper] named the cyber threat as the number one strategic threat to the United States, placing it ahead of terrorism for the first time since the attacks of September 11, 2001.”

Conducting “cyber war” is challenging perhaps because there is no strategic balance of power that can be detected.  Any attack, even against a weaker nation, can result in a counter attack.  The reason is that barriers to entry for development of cyber weapons is very low.  Tim Starks argues in “Does cyberwar make sense?” that it does not.  He quotes James Andrew Lewis of the Center for Strategic and International Studies as saying that currently there is no cyber war, there is “only” espionage.  The intelligence community is very concerned.  Robert Brouse’s working paper “Cyber War, Netwar, and the Future of Cyberdefense” is an example.  He writes that “[J]ust as Cyber defense organizations have been required to confront Cyberwar, Netwar organizations, or Netwar-savvy Cyberdefense organizations, are increasingly needed to counter Netwar.”

We can assume that similar thinking is taking place around the world, in different governments.

Even though there is great investment going into these efforts, thus far, there is hardly any talk at all about cyber arms control.  We are still in the learning stage.

Charles Evans Hughes and the Theatre (Internet Incitement)

It was the famous Charles Evans Hughes (1862 – 1948), who had studied at Columbia Law School and taught with Woodrow Wilson at the New York Law School, that defined one of the principles of free speech under the U.S. Constitution.  He wrote in Schenck v. United States, 249 U.S. 47 (1919) “The most stringent protection of free speech would not protect a man in falsely shouting fire in a theatre and causing a panic. It does not even protect a man from an injunction against uttering words that may have all the effect of force.”

Does the same apply to the Internet as a whole?  Is it possible to use the Internet for incitement?  In a recent article Shlomo Ben-Ami, a former foreign minister of Israel, criticizes the current Israeli Prime Minister Binyamin Netanyahu for claiming that many of the recent attacks of Palestinians against Israelis are caused by Islamist websites.  The Director of National Intelligence James R. Clapper also has warned that ISIL (The Islamic State of Iraq and the Levant (Arabic: الدولة الإسلامية في العراق والشام‎)) is using the Internet to recruit people from around the world into their cause.

In the article “The Cyber Intelligence eChallenge of Asyngnotic Networks“, the authors discuss how the Internet and social media, combined with other forms of communication, allow the formation of self-organizing networks.  They argue that principles of neuroscience can be used to model these networks and predict when an event will be triggered.   In their view, the formation of these networks does not need to be conscious, not directed by any single or centralized authority.  Events can simply happen as people in various places, such as terrorists, are simply inspired by the messages they receive.

It is doubtful that the world’s public policy community will ever manage to develop an international treaty that deals with the emergence of self-organizing communication networks that inspire terrorism.  Many countries simply will develop technologies of the “kill switch” to shut off the Internet if there is an emergency.  The problem is that advanced societies are so dependent upon the Internet, it is not feasible to cut off the Internet, because doing this would immediately collapse the economy.

This is another reason why an international convention for the control of cyber weapons is so important.  In the nuclear age, people worried that intercontinental ballistic missiles would be used to drop bombs on their society.  Now, the threat is that the entire economy and communications fabric of a society would be wiped out or severely damaged.  Instead of real death, we would experience a type of “cyber death” – an inability to communicate or even exist as we know it today.  For many this threat may seem abstract, but when we examine the behavior of the younger generations, it is easily possible to see their complete reliance on Internet technologies.  The threat of cyber war is much more disruptive than it may at first appear, and that is why it must be prevented.

Crackas With Attitude

The dangers of cyber warfare or cyber espionage are highlighted by the group “Crackas With Attitude“.  This group recently targeted Mr. John Brennan, the Director of the U.S. Central Intelligence Agency.  They cracked his AOL email account.  Next, then cracked the accounts of Mr. Mark Guiliano, a Deputy Director of the U.S. Federal Bureau of Investigation.  In order to provide more proof, Crackas hacked into the Chrome ComCast email account of his wife.  This was reported by the group Anonymous.

Little if any information is known about the identity of the members of Crackas.  But many people in law enforcement with to find out.  The guidebook to prosecution of hacking is published by the U.S. Department of Justice.  It is entitled “Prosecuting Computer Crimes“, and was published by the Office of Legal Education.  A number of statutes are used to prosecute cyber crime including (Source: Hackerlaw.Org “Hacker Law”):

  • Wiretap Act 18. U.S.C. Section 2510; which covers “wire communication” defined as “any aural transfer made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection between the point of origin and the point of reception”.  
  • Unlawful Access to Stored Communications: 18 U.S.C. § 2701; which is designed by stop anyone from intentionally accessing without authorization any electronic communication service (this would include emails, social media, and any other computer-hosted or telephone hosted service).
  • Identity Theft and Aggravated Identity Theft: 18 U.S.C. § 1028A; which covers producing, transferring, or merely having in one’s possession with intent to use unlawfully any “identification document, authentication feature, or a false identification document”.
  • Access Device Fraud: 18 U.S.C. § 1029; which covers use or transporting of any counterfeit access device, or any telecommunications device that has been modified to obtain unauthorized use of telecommunications services, or even having possession of a scanning receiver.
  • CAN-SPAM Act: 18 U.S.C. § 1037; which is designed to stop the flood of spam in emails that some say is more than 3/4rs of the Internet’s email traffic.
  • Wire Fraud: 18 U.S.C. § 1343; “Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice, shall be fined under this title or imprisoned not more than 20 years, or both.”  Fairly broad and comprehensive language.
  • Communication Interference: 18 U.S.C. § 1362; “Whoever willfully or maliciously injures or destroys any of the works, property, or material of any radio, telegraph, telephone or cable, line, station, or system, or other means of communication,. . .”

But at the core of the problem is actually finding people.  That is for law enforcement.

One of the challenges of international cyber arms control will be establishing a boundary between computer hacking laws and international laws of cyber arms.  International hacking by private citizens is not cyber war, unless the hackers are hired by a nation state.  Hackers who work for nation states are not guilty of breaking computer hacking laws if they are working for the government against a foreign adversary. Then, each agent of Government A who hacks into any establishment of Government B is breaking laws in nation B.

So what can we conclude?  We can conclude that laws governing cyber-crime are insufficient to handle the specific challenges of country-to-country government initiated cyber hacking.  That is one of many reasons why an international convention is needed.

The Rules of Self-Defense in Cyber War

Much effort has been focused on understanding how the rules of war change in a cyber environment. For example, one of the key elements of self defense is the notification that the other party has made the first strike. One immediate complication from cyber war is that most often it is not possible to determine who exactly made the attack. If it is not possible to determine the source of an attack, then it is problematical to consider self-defense.

Another challenge concerns the relationship between government and hackers. If, for example, the hacking against country A is done by a group of citizens in country B, then it is not clear how one can establish a relationship between the hackers and the government. If it is not possible to determine this relationship, then it is not possible to place the blame for the attack against the government. It follows that it would be impossible also to activate the rules of war for self-defense.

The right of self-defense under the United Nations charter is set up so that it is exclusively concerned with relations between nation states. There is, for example, no right of self-defense for a country against a terrorist group which is not a government. This does not mean, of course, that a country is unable legally to take any action against terrorists, but it does mean that when it does so out of self-defense, it is not doing this under Article 51 of the United Nations charter.

The nature of the Internet is such that it is possible to disguise the source of any attack. This is the fundamental problem with the laws of war.  These laws are based upon an assumption that it is possible to identify the source of an attack. When this simple assumption is not available, then some other type of mechanism must be used in order to justify self-defense.

The Level of Force Problem.  A second problem concerns the question of level of force. If, for example, it is in fact possible to determine that a cyber attack has taken place, and that the precise source of the cyber attack has been identified, and also that the source itself is linked to another government, then still the question remains “what is the proper response”. If the offended nation state launches a so-called kinetic attack, then is this a proper response to a virtual attack in the CyberWorld? Or is it permissible only to respond to a cyber attack with another cyber attack?

These are a few of the many concerns that must be accommodated in order to set up an international regime for the control of the cyber arms race.


Trans-Pacific Partnership (TPP) and Control of Cyber Attacks

The Trans-Pacific Partnership (TPP) treaty is not one for cyber arms control, but at least it does go a way in spelling out national concerns over improper use of hacking and industrial espionage through cyber means.

The TPP obligates all signatories to guarantee the free flow of data, protect individual (and corporate) privacy, and put in place more robust cyber security measures.  It also has a mechanism that will allow economic sanctions against companies that are caught engaging in industrial espionage through cyber means.

This could be a more powerful deterrent that at first it seems.  It appears to envision a situation in which a cyber attack against one signatory can be punished by all members of the TPP putting in place economic sanctions against the offending company.  This is a powerful weapon, if it is ever used.

In addition, there are rules that target common practices in China, such as forced technology transfer and forced intellectual property transfer.

Although the TPP is primarily an economic trade pact, the underlying mechanism for coordination of cyber security issues might be studied to learn lessons about how countries in the future can respond credibly to cyber attacks.