Some months ago, news further stirred the already troubled waters of cyberspace: five officers of the Chinese People’s Liberation Army (PLA) were indicted by the U.S. Justice Department.
The charge they face is ‘espionage for economic and trade purposes’. The accused are Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu and Gu Chunhui, charged with 31 counts of espionage and theft of trade secrets[1].
The five soldiers are members of the PLA unit known as “Unit 61398”, which made headlines early last year. The unit was named in a report by cybersecurity firm Mandiant as responsible for cyber attacks on U.S. government facilities, banks and companies.
The Chinese government’s response was immediate and predictable: “Allegations extremely ridiculous” was the judgment of the Chinese Foreign Ministry, whose spokesman called for a prompt correction of this “serious error without foundation that threatens international relations, cooperation with the USA and mutual trust.”
In fact, the U.S. has for years been the target of military and economic espionage, with periodic theft of terabytes of information from all areas of industry, and serious harm to safety and industrial rights. A striking example was the interest (from unidentified hackers) in construction projects for the Joint Strike Fighter aircraft, also known as the F-35 Lightning II, traces of which date back to 2007.
Whether China is behind all of that is not known, but in the opinion of Robert Gates, former Minister of Defense, the threat comes not only from that nation. In an interview with The Register, Gates expressed no surprise at the allegations that the Chinese Army is trying to steal secrets and technology from U.S. companies, but attributed the ability to conduct cyber espionage to a dozen countries around the world. He indicated France, among others, as the most likely after China.
These activities of cyber espionage are undoubtedly inspired or led by governments that may use military or civilian personnel when necessary.
The Chinese example is symptomatic: four possible vectors of attack[2] are easily identifiable: the Communist Party of China (CPC), the People’s Liberation Army (PLA), State Owned Enterprises (SOE) and Civilian Hackers (Hacktivists). In the case of the PLA, the Mandiant[3] report has shown that its organizational structure is based on several units, each specialized in a different international area.
In other countries, cyber units are basically composed of military personnel, but this does not exclude the presence of highly qualified civilians. The cyber units are nominally established for the purpose of defense against cyber-attacks, but it is well known that in this area, he who knows how to defend also knows how to attack.
Cyberspace has some key features that make it easy to use for cyber-attacks: it requires technology, is persistent and based on imagination and complexity, has a low cost of entry, uses COTS hardware and software devices, and requires motivation.
The militarization of cyberspace is thus well established and involves the possibility of inflicting damage, attacking networks of communication, altering or destroying data, in order to achieve a position of advantage.
In a military sense, a cyber-attack is an unauthorized raid into the network of another country. The attack is carried out in another domain, the cyber domain. This fifth domain of war follows unconventional rules, favored by the near impossibility of tracing the source of attacks conclusively. International law does not clarify the exact attribution of responsibilities.
In this situation, an unconventional form of warfare between states, which exploits cyber-capabilities to “deny the opponent the effective use of systems, weapons and tools or other infrastructure and processes controlled by them,” can turn into a Cyber-war[4].
For conventional conflicts, the management procedures have been regulated over time by international treaties. Cyber-war itself, i.e. the extension of “armed” confrontation into the fifth domain, should follow the same rules. The doctrines of military officers from many countries qualify it as being just like a conventional conflict, but reality is different.
There is disagreement on the term “cyber-attack”. When can we speak of an “attack on the nation”, and what is the limit of the destructive consequences beyond which we can speak of an “offensive attack”? Must there be loss of life, or can it be triggered simply by material damage to infrastructure? And in this second case, what is the limit, the extent beyond which the event qualifies as an “attack”?
How can liability be attributed to a nation in an incontrovertible manner? As in litigation, would it be necessary to have a third-party authority for forensic attribution to accountable actors, now in cyberspace?
When we talk about attacks among states, in the “cyber” world the responsibility cannot necessarily be attributed to the military units of one party. Acts of “cyber” hostility can be caused by people not organized in recognized military units.
The lack of a shared interpretation of the meaning of “cyber-war” and its rules should not prevent the achievement of international agreements on how to conduct “cybernetic” war. In the opinion of some experts[5], a treaty should include obligations of effective cooperation in the investigations that follow cyber-crimes. A lack of cooperation would indicate guilt or complicity by the nation.
Other analysts[6] prefer to extend the principles of the Geneva and The Hague Conventions to cyber-confrontations, because they consider them applicable and appropriate to this domain of confrontation as well. Signing humanitarian agreements for the creation of protected zones for critical infrastructure of civilian interest, however, would not prevent the possibility of their involvement. Cyber-warriors who belong to no formal structure might be induced not to respect these protected enclaves of cyberspace. In particular, “the patriots who group together as cyber-armies”[7] might be tempted to do that.
The result of this unregulated use of increasingly sophisticated technologies can still overturn social norms of coexistence or legitimate confrontation.
It is therefore necessary first to resolve the ambiguities in the interpretation of countries’ behaviour in cyberspace and to create legal instruments for the recognition and attribution of responsibility to nations.
Finally, international cooperation[8] has to be shared and reinforced in tackling cyber-crimes, which find an alibi in the inevitable buck-passing.
Such agreements should regulate the conduct of military confrontation in this domain, establish some rules of deterrence (by denial) based on the response structures to cyber-attacks, and strengthen regulations on cyber warfare, because they enable the effective tracking of threats.
Politics should give a crucial impetus to agreements between states. The need for a cyber-treaty to prevent future cyber-wars is becoming increasingly urgent. Its achievement would undoubtedly have a positive impact on all countries, reducing the heavy costs caused by cyber-crime[9].
About the Author:
Ing. Giuseppe G. Zorzino, CISA CISM CGEIT CRISC, is a security consultant with more than 33 years of experience in the IT industry. He works on ISMS, IT governance, privacy, compliance and security awareness. Enlisted in the Italian Air Force Academy in 1972, he holds a Master in Electronic Engineering from University “Federico II”, Naples. He is a member of ISACA (Information Systems Audit and Control Association), ISC2 Italian Chapter, the Order of Engineers in Rome Province, and the Technical Committee of CESMA (Center for Aeronautical Military Studies “Giulio Douhet”). Zorzino has also achieved and maintains many other certifications, such as Lead Auditor ISO27001, Security+, MCSA:Sec 2003 and IBM Certified Solution Architect.
Disclaimer:
Any views or opinions presented are solely those of the author and do not necessarily represent those of CESMA.
[1] http://www.csmonitor.com/World/Security-Watch/Cyber-Conflict-Monitor/2014/0519/US-indicts-five-in-China-s-secret-Unit-61398-for-cyber-spying-on-US-firms-video
[2] “21st Century Chinese Cyber Warfare”, LtCol (ret) W. Hagestad II, ITGP, 2012
[3] “APT1, Exposing One of China’s Cyber Espionage Units”, Mandiant, 2013
[4] Cyber-war – The set of operations conducted in and through cyberspace in order to deny the adversary, whether state or non-state, the effective use of information systems, weapons and tools, or in any case of infrastructure and processes controlled by them. It also includes defensive and “enabling” activities (that is, those aimed at securing the availability and use of cyberspace). It can take the form of a “traditional” conflict, when it involves the armed forces of two or more states, or an “irregular” one, when it takes place between official and unofficial forces. It can be the only form of confrontation or constitute one aspect of a conflict involving other domains (land, sea, air and space); in both cases, its effects can be limited to cyberspace or translate into concrete damage, including loss of human life. – “Glossario Intelligence 2013”, Gnosis, 2013
[5] “Why we need a cyberwar treaty”, Benjamin Mueller, The Guardian, Mon 2 June 2014
[6] “It’s Time to Write the Rules of Cyberwar”, Karl Rauscher, IEEE Spectrum, 2013
[7] “Hacktivism – Cyberspace has become the new medium for political voices”, François Paget, McAfee Labs™, 2012
[8] “Convention on Cybercrime”, Budapest, 2001
[9] “Report On Global Cost Of Cyber Crime”, Center for Strategic and International Studies-McAfee, June 2014, http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf