Declarations of Cyberwar
What the revelations about the U.S.-Israeli origin of Stuxnet mean for warfare
ouths went agape when New York Times reporter David Sanger wrote in June that anonymous sources within the United States government admitted that the United States and Israel were indeed the authors of the Stuxnet worm and related malware. Those two countries had long been suspected of creating the code that wrecked centrifuges at Irans Natanz uranium enrichment facility. But never before had a government come so close to claiming responsibility for a cyberattack. The origins of the most sophisticated cyberattacks ever undertaken may now be clear, but exactly where such attacks fit in the universe of war and foreign policyandwhat the international community would consider a proper response to themis still the subject of debate. A particularly important question is what sort of cyberattack is the equivalent of a traditional armed attack. Efforts to answer that question have culminated in the Manual on International Law Applicable to Cyber Warfare (also known as the Tallinn Manual), which will be published later this year. The Tallinn Manual is a nonbinding yet authoritative restatement of the law of armed conflict as it relates to cyberwar. It offers attackers, defenders, and legal experts guidance on how cyberattacks can be classified as actions covered under the law, such as armed attacks. The term armed attack has a precise meaning in international law: Not all cyberattacks rise to the level of an armed attack, says
18
NA iEEE Spectrum August 2012
Bret Michael, a professor of computer science and electrical engineering at the U.S. Naval Postgraduate School, who has been serving as a technical expert to the group drafting the Tallinn Manual.
Despite this progress, the inter national community is just at the beginning of what could be a long process, says Charles Barry, a senior research fellow at the National Defense Universitys Institute for National Strategic Studies, in Washington, D.C. Hepredicts that it will take another 20to50years to get traction on cyberrules. What is certain, say observers, isthat going forward, conventional warfare will almost always be complemented by cyberwarfare aimed at knocking out an opponents communications and intelligence- gathering capabilities. Actually, thats already being done, says Michael. Cyberattacks can aid in military campaigns, but can the threat of a military response serve as a cyber deterrent? Thats downright silly,
because its difficult, bordering on impossible, to identify a cyberattacker beyond a shadow ofa doubt, says Larry Constantine, a professor in the mathematics and engineering department at the University of Madeira, in Portugal. However, identification beyond ashadow of a doubt might not really be needed to escalate a cyberattack into an armed conflict. In June at CyCon 2012, aNATO-sponsored cyberconflict conference in Tallinn, Estonia, U.S. Air Force Lt. Col. Forrest Hare told attendees that attribution is a political, not a legal, concept. The three standards of proof used in criminal lawbeyonda reasonable doubt, clear andcompelling, and preponderance of the evidencedont apply to military and intelligence operations. Michael adds that the difficulty of reliably tracing an attack to its source does not preclude the use of other sources to weave together what he calls aclear mosaic of responsibility. Showing who funded the activity or provided the actors with guidance may be enough. And there is already a deterrent in the form of the law of armed conflict, says Michael. It holds military commanders or their civilian superiors who order attacks that amount to a war crime as criminally responsible. In the meantime, governments can try to take heart in the belief that there are few nations capable of fielding a cyberweapon with the sophistication of Stuxnet. But Jeffrey Voas, a computer scientist in the computer security division at the U.S. National Institute of Standards and Technology, in Gaithersburg, Md., notes that if an attack doesnt require stealth, the code doesnt have to be nearly as artful. And there are tens of thousands of people who could pull off a less sophisticated strike, says Constantine, who built his own Stuxnet-like malware in 2003 to prove a point. In other words, powerful cyberattacks are within the range of many states, so long as they dont care if they get caught. � Willie D. Jones
spectrum.ieee.org
brian stauffer
