Tuesday, August 21, 2007
We have all, I'm sure, seen news stories about an incident of "cyber war," which turns out to have been something else . . . crime or terrorism.
I want to talk a bit about why I think those errors occur . . . and what I think we need to do to avoid them.
The title of this post is “cyberconflict.” That is an umbrella term I use to encompass cybercrime, cyberterrorism and cyberwarfare. As I explain at length in an article I recently published, these three concepts are conceptually distinct but they all deal with the same problem: a society’s, a nation-state’s, need to maintain social order.
If societies cannot maintain both internal order (keep their citizens from preying on each other, keep the strong from taking advantage of the weak) and external order (keep other societies from coming in and taking over that society’s territory and population), they cannot survive. We’re seeing an object lesson in the need to maintain internal order (at least) in Iraq; if a country can’t establish basic order so people can go about the tasks that have to be done for their physical survival, then the country falls apart . . . and is in a pretty good condition to be taken over by some other country (not that I’m saying that is about to happen in Iraq, but it has happened to other countries that became destabilized).
Countries therefore create a division of labor, the first part of which deals with the need for external order. Militaries (and diplomats) deal with external threats. I’m assuming, as the default, peaceful, non-aggressive societies; their goal in having a military (and diplomats) is to defend themselves against the Hitlers of the world – the countries that are aggressive and are perfectly willing to take over societies they see as weak.
The other part of this division of labor deals with internal order – keeping the citizens in a society from preying on each other in a way that will lead to chaos. Societies do this with two kinds of rules: What I call “civil” rules define what is and is not “legal” (and a subset define what is and is not “proper,” or acceptable) in that society. So every society defines who can marry whom and at what age; some define who can own property, and when; rules say if people can vote and, if so, when. They define property ownership, status, etc. Those are the rules that basically tell us how to live a normal, lawful life, and most of us do.
But since people are intelligent, they can do something social insects and other animals that live in groups can’t really do: They can basically say “the hell with the civil rules, I’m going to do what I want to do, take what I want.” We call that deviance, and societies have to discourage that. They do this with a separate set of criminal rules, which tell us that certain behaviors are really, seriously out of bounds and if we engage in those behaviors we will be punished (locked up, executed, banished, branded, etc.). For roughly the last century and a half, societies have used an analogue of the military to enforce these criminal rules: law enforcement officers. The process of enforcing criminal law used to be more eclectic – civilians used to get involved and, indeed, at times during Anglo-American history, anyway, pretty much were responsible for criminal law enforcement. They had to catch criminals and bring them into whoever was responsible for trying and sanctioning them (conviction pretty much seemed to be a foregone conclusion back then).
Law enforcement officers, then, deal with “crime,” which is internal; they keep the citizens of a society (and people visiting that society) from really, seriously preying on each other. Military personnel deal with “war,” which is external; they engage in combat with military personnel from other societies, societies that are trying to take over their own society, as Hitler did in 1939 when he invaded Poland.
One more note: Basically, societies lump terrorism in with crime. If you recall the Oklahoma City bombing in 1995, Timothy McVeigh was prosecuted for setting off the bomb, convicted and executed. The perpetrators of the 1993 bombing of the World Trade Center were federally prosecuted in New York, as were Al-Qaeda members for the 1993 bombings of U.S. embassies in Kenya and Tanzania.
Now we come to the problem: All of this assumes a tidy division based on territory. Law enforcement handles order within a country’s territory, the military handles order outside the territory. In the U.S., we have laws that rigidly establish that division; it seems to be less rigidly established in other countries, not rigid at all in some.
Cyberspace makes territory irrelevant. A cybercriminal or cyberterrorist or cyberwarrior can strike a target in another country as easily as he can one that’s just down the block. And that creates problems for (i) figuring out what kind of attack it is (Crime? Terrorism? Warfare?), (ii) who the attackers are and (iii) how to respond (Do we launch a military counterstrike? Send in the police?).
Simple example: In May of this year, Estonia was the target of a two-week set of sustained cyberattacks that shut down government websites, media sites, internet service providers and other communications sites. The news stories almost entirely referred to the attacks as cyberwarfare, because that’s what the Estonian government thought they were. They were DDoS attacks that reportedly involved the use of a botnet consisting of a million zombies. The Estonian government, and many reporters, cited the duration of the attack, the size of the botnets and the alleged complexity of the attack as factors establishing it as cyberwarfare. Estonian authorities also heard about the attack in advance and were able to watch as it was planned on Russian-language sites; they suspected the attack was retaliation for their removing a statue honoring World War II Russian soldiers shortly before a holiday honoring former Soviet soldiers.
So, attack-attribution = war. Attacker-attribution = Russian government. Response . . . well, there really wasn’t one.
After the fact, analysis of the attack showed it was hactivisim which, depending on your point of view, is either cybercrime (DDoS attacks are criminal in many countries ) or cyberterrorism (DDoS attacks undertaken with a political motive). The Estonian attacks are a perfect illustration of how difficult attribution and response are online . . . unlike in the real-world. When Hitler invaded Poland, Poland didn’t have any doubts that it was at war or who it was at war with.
In the article I mentioned (which you can find here), I took a first shot at parsing out how these difficulties in attribution and response arise, and what we can do to improve our ability at dealing with them. It’s just a first attempt – I need to do more with it, but I wanted to note the existence of these problems.
One final note: As the Estonian authorities learned when the contacted NATO and asked for help in dealing with what they then believed to be cyberwarfare, they learned that cyberattacks do not constitute “warfare” under the modern law of war. Those laws define warfare as the result of an “armed attack,” and everyone pretty much agrees that a DDoS attack may be an attack, but it isn’t and “armed” attack. As things stand now, if a country started an overt cyberwar, the victim country really could not treat that as “war” and respond with military force, at least, not without becoming the aggressor in the war.