
As the complicated mess of the Ukraine crisis continues to unravel, global commentators have been eagerly suggesting that the escalatory nature of the conflict could lead to a “cyber war.” Although this may be an inflation of the reality, it calls to mind the human costs of such a scenario. Jarno Limnéll, Director of Cyber Security at McAfee, identifies that likely targets “could include ATM networks, e-commerce systems, energy grids, transit and road signals, air traffic control, and certainly military command lines.” In truth, Limnéll is right, but his flag of concern only touches the edge of the enormous hurt that could be felt by us all. The cyber assassin’s tool kit is simple enough to understand, but we should be wary of its ability, capability, flexibility and agility. It is this lethal cocktail of adjectives within the context of limiting damage that must be treated with agreed restrictions for the interest of human life and dignity.

The established paradigm and treaties to restrict weapons adjudged to cause unacceptable levels of human suffering are not new. International law, with the interest of civilization at its core, prohibits the use of chemical, incendiary, and nuclear weapons. It is these limitations that have helped protect us within the four conventional domains of war—land, sea, air and space—for decades. As the international community gradually grows to fill its role in the fifth domain, cyber, it is essential that deleterious cyber utility and activity is given equal consideration, particularly as its destructive capacity is coequal to its nuclear counterparts. Renowned individuals such as James Lewis, Director of the Technology and Public Policy Program at the Center for Strategic and International Studies, have stated that a cyber treaty “does not make sense.” I disagree and instead contend that it is prudent to look at both the present and future, with the emerging science of the fifth domain and its immense capabilities. Only once the full yardstick of cyber probability and capability is understood can responsible stakeholders credibly postulate what mandatory limits must be agreed upon to safeguard the vast networks that service nation states. Simply put, such agreement ticks both the moral and ethical box and limits the consequential fallout of unacceptable sinister cyber activity.

At present, thirty-five countries have offensive cyber capabilities, not to mention the millions of cyber-savvy individuals. National life-support systems, such as critical energy infrastructure (CEI) and the like, remain desirable targets and are vulnerable assets; the more vulnerable our assets, the more fragile our infrastructure. The United States reported a rise from 34 to 257 cyber attacks on their industrial control systems in 2013 alone. The same report revealed that the industrial Internet was disproportionately weaker than the consumer-facing web. We must not get into the business of writing security checks that the international community cannot cash.

It would be folly to secure and defend our wants over our essential security needs. Experts continue to explain that, “if the grid [was] down for a year or more, between two-thirds and 90% of our population could be lost to malnutrition, disease, and the [ensuing] chaos associated with social breakdown.” This kind of sinister cyber attack will leave a smoking crater: a hospital without power, a city without water, a region without energy. Notwithstanding, it is unfeasible and inconceivable for society to disentangle itself from interconnected technological infrastructures. With this in mind, this paper calls for an international agreement enshrined in law that limits the utility of the fifth domain.

The emerging, continued, and growing threat that the fifth domain poses to critical national infrastructure (CNI) is a real concern, and there are very few safeguards available. As the previous Chair of the British Defence Select Committee, Rt. Hon James Arbuthnot MP, warns, “there is a need to focus on protecting critical systems” for “a successful cyber-attack could have truly apocalyptic consequences.” The physical fallout of such disasters has already transpired with the “Maroochy Water Breach” and the “Stuxnet Worm.” In the instance of the Maroochy Water Services in Queensland, Australia, their supervisory control and data acquisition (SCADA) software—the technology that controls industrial equipment—was compromised. As a result, the hacker, a vengeful former contractor, was able to take command of the 142 pumping stations, equipped only with a laptop and radio transmitter. Over a 3-month period, he released over one million litres of untreated sewage into a storm water drain that flowed directly into local waterways. Consequent contamination was estimated to have affected “many people.” Imagine the insanitary repercussions!

A second example of critical system sabotage can be found in the Stuxnet attack. Widely accepted to be the first kinetic cyber attack, the self-propagating computer worm infiltrated industrial control systems used to operate equipment, including nuclear centrifuges at the Iranian Natanz Uranium Fuel Enrichment Plant (FEP). The efficacy of the worm halted uranium enrichment production, destroyed 10% of the plant’s centrifuges, and succeeded in infiltrating 15 additional industrial sites worldwide. No longer fiction, cyber has begun to reach its potential of inflicting real-world consequences, and it is this reality that requires international attention.

Recently, it has become apparent that “we’re in a [cyber] arms race” in a largely unregulated domain—the cyber wild west. With the increased diffusion of technology, nations have begun amassing offensive cyber capabilities: utilizing zero-day exploits, distributed denial-of-service (DDoS) attacks, and weaponized malware technology. Already, “the U.S. has poured billions of dollars into an electronic arsenal,” whilst the “stockpile of exploits runs into the thousands, aimed at every conceivable device.” This exponential growth of cyber arms is particularly dangerous considering the lack of rules and conventions governing the fifth arena of warfare. Dr. Richard Forno from the University of Maryland concedes, “there is no international agreement over what level of cyber warfare is acceptable.” He further recognizes that national systems such as power grids, water treatment plants and medical facilities “do not have adequate protection from hackers.” Clearly, “principles and agreements on cyber warfare must designate sensitive infrastructure as red lines.” It is necessary to afford our critical organizations the same level of protection from cyber hostility as we do from the multitude of other tangible threats.

As states willfully neglect counter-proliferation efforts, it becomes clear that they are simply whistling past the cyber graveyard. With nine new pieces of malware discovered every second, governments have done little to adapt and secure their national systems or defensive capabilities. In fact, 95% of U.S. military communications still travel over the civilian Internet. As a recent report by the 9/11 Commission notes, the United States is “at September 10th levels in terms of cyber preparedness.” Disregarding the lack of sufficient mitigating efforts, some international actors are cognizant of the perceived threat. The UK Ministry of Defence’s (MoD) “Cyber Primer” document observes that infrastructure is a key target for conventional warfare and will be so for cyber. Across the pond, the former Director of the National Security Agency (NSA), Mike McConnell, cautions that a sustained cyber attack on financial institutions and critical infrastructure could bring the U.S. “to its knees.” The Italian national cyber stratagem goes further to suggest that targeting aviation traffic management control systems, dams, or energy installations could result “in great physical damages and the eventual loss of human life.”

Let’s be clear, this is very serious stuff. Of all the good that can be derived from the fifth domain, it can be eclipsed absolutely if it were used to the ‘n’th degree against civilization—lights out! Col. Professor Mark Hagerott described this hazard best when he stated that, “if our [U.S.] SCADA systems on our east coast were attacked and we could not restore them within about a month… we would be talking tens of millions of people dead.” Due to the standardized nature of national systems, ruinous and cascading network attacks have the capability to bring down multiple infrastructures at once, striking at the heart of our public facilities. If left unchecked and without agreed international restriction, the sinister tentacles of the Ethernet may well be the straw that breaks the backs of nations.

Whilst Pandora’s box of cyber weaponry is left open, leading states such as the UK and U.S. are neither “unified nor consistent” in their approach to deal with its destructive consequences. Governments have failed to recognize that it is a political and strategic challenge to balance the convention of war with civilized conduct, and not just merely an esoteric exercise in cyber security. Arguably, network protection should be developed in tandem with coherent and robust policy that seeks to curtail the unacceptable use of damaging cyber activity. The UK’s MoD, as a case in point, appears to have bypassed the need for an articulate cyber strategy as it looks favorably towards the cyber frontier. A previous Secretary of State for Defence, Rt. Hon Philip Hammond, MP, stated that, “Internet-based attacks could replace boots on the ground—in the same way tanks replaced horses in the 20th Century,” and that it is “possible to envisage entire conflicts being fought in cyberspace.”

Poppycock. I suggest it is both naive and a false economy to believe that the fifth domain eradicates the requirement for tangible efforts. Cyber capabilities will more realistically be coupled with a military presence from the other domains of war and arguably with the same restrictions placed upon them. It is a sad reality of war that hemorrhaging blood and treasure will be with us for the foreseeable future. From his comments, Mr. Hammond is employing the law of the instrument—“Maslow’s Hammer.” The law describes the over-reliance and privileging of a tool to solve any problem, irrespective of whether it is the correct deterrent. It is unacceptable for governments to mortgage the security of their people so readily on the notion that the Ethernet is the silver bullet, particularly given the lack of consideration to the agreed legal parameters of the fifth domain. Nevertheless, it is clear that net-centric warfare (NCW) will become central to any future conflict. One of the key principles of battle is “economy of effort”—you would not use a sledgehammer to crack a nut. The fifth domain is the ostensible choice for malicious actors as it remains cheap, effective, and can wreak devastation and havoc with relative ease. So you can see it is not just desirable, but it is essential that states move swiftly to agree on both the legal and humanitarian boundaries of this attractive domain and give it the same “due diligence” consideration of the other four domains: land, sea, air, and space.

In response to the politicians’ lag on the cyber front, researchers have made a concerted effort to bring the hazardous consequences of cyber attacks to the forefront. Most notably, they have done this with the U.S. Department of Energy’s (DoE) 2007 experiment: the “Aurora Test.” The study operated a series of cyber attacks against an industrial generator. The attacks exploited the tolerance for variation in frequency, voltage, and phase rotation that the machine allowed in order to maintain a consistent power supply. As the short intervals in variation occurred, the attacks placed the generator out of sync with the power grid, causing a short period of stress, but reconnected it to avoid disconnection. Repeated over multiple iterations, the collective stress caused the machine to vibrate irregularly, discharge smoke, and eventually shut down. The point is that these ill-protected machines form the cornerstone of public-dependent infrastructure, yet are wholly unprepared against the many facets of cyber hostility. This increasing risk, however, is not confined solely to the industrial sector—it infiltrates the individual as well. In 2008, University of Michigan computer scientist Kevin Fu demonstrated hacking “into a combination heart defibrillator and pacemaker to induce potentially fatal electric jolts.” At the time, the discovery was coupled with concern about the pacemaker of Vice-President Dick Cheney, who, as a precaution, disabled the pacemaker's Wi-Fi to prevent any compromise. Only a year prior, the security company McAfee claimed “they'd found a way to hack into an insulin pump to make it release 45 days worth of insulin in one go.” Considering this challenge to the individual’s and public’s safety, the call for a limit on detrimental cyber technology cannot come any sooner.

I salute and agree with Eugene Kaspersky, CEO of Kaspersky Labs, when he said, “we must have an international agreement on cooperation, non-proliferation, and non-use of cyber weapons… [and] that cyber weapons targeted at critical infrastructure must be forbidden.”

Patently, there is an urgent need for states to realign their focus on cyber issues towards restricting the use of sinister capabilities. Nations are challenged by a multitude of political, legal, and policy problems concerning the fifth domain. In part, this is due to a lack of understanding and consensus as to the terms and characterizations used to define sinister cyber activity. Governments remain confounded by a plethora of nebulous cyber definitions, perpetuated mostly by an ill-informed press under the “cyber warfare” tag. Without clear terms of reference, it is impossible to impose these much-needed limitations.

To the trained eye, it is widely acknowledged that a cyber-weapon is not classified or legally defined by its intrinsic properties but by the effect it causes. I liken this to the “repurposed candlestick.” You know what I mean—Colonel Mustard, in the library, with the candlestick. Clearly the candlestick was not designed for murder, but it was an effective weapon nonetheless. An example of this is the malware and remote-access Trojan Duqu, whose purpose and function was to collect data and assets in preparation for the attack by the Stuxnet Worm. Although Duqu’s setup was not inherently destructive, it was a fundamental component of the larger weapon at hand, Stuxnet. Such capabilities have become readily available with the widespread dissemination of blueprints and malicious hardware throughout public forums. Development costs of quasi-Stuxnet technology can now be as little as $10,000—facilitated by a highly profitable, intangible, and opaque cyber black-market. If nation states are to reduce ease-of-access and restrict the use of harmful cyber capabilities, they must first formalize the terms of exactly what it is they are restricting.

With this in mind, the struggle to hold back the perennial tide of malignant cyber attacks is considerable in the extreme. Whilst governments appear content to utilize the fifth domain as a strategic resource, most have shirked the responsibility of securing this new global common. Subsequently, individual, group, and even state actors enjoy carte blanche to exploit cyber for their own sinister intent. Embryonic legislative attempts, such as the European Cyber Convention, illustrate that states have been preoccupied with the low-hanging fruit of cyber crime whilst neglecting to deal with the more-difficult unregulated use of weaponized cyber technology. Notwithstanding, there has been some progress to demarcate the utility of agreed cyber capabilities. One such example can be found in the Multilateral Export Control Regime (MECR). The regime hosts four arrangements, which oversee the agreed control of destructive weapons and technology. Specifically, the 1996 Wassenaar Arrangement deals with, inter alia, controlling encryption technology and as of December, 2013, certain types of malware. Whilst this is an encouraging step, it is not enough and states need to lean in and meaningfully engage in developing a framework document that clearly defines the various strands of sinister cyber activity.

As a handrail, I use the acronym TWESC to help me understand the various categorizations that exist in Cyber: Terrorism, Warfare, Espionage, Sabotage, and Crime. Critically, it is essential that states give deep consideration to mapping restrictions from the existing four dimensions of warfare to the fifth where appropriate and relevant. They must then enshrine them in law. Such an arrangement should seek to include as many emerging global powers as possible; as Laura Galante, a former US Department of Defense intelligence analyst, opines, “cyber weapons give smaller, poorer nations a way to leverage asymmetric force against much larger foes.” Brushing off any skeptical murmurs, this proposal, once established, would smoke-out all other international actors who refuse to embrace this wholesome avenue. This is not such an enormous ask that reasonable civilized governments should be forgiven for ignoring it. I am not asking for the “theory of everything” or what happens at the singularity where time and space cease to be and the laws of physics are rendered meaningless. No, what I'm asking for is a straightforward treaty that provides the most basic human protection from the use of harmful cyber capabilities.

Despite the terra incognita of the cyber sphere, the task to limit it can be addressed with relative ease. Well-established legislation such as the 1899 and 1907 Hague Treaties and 1925 Geneva Convention can serve as a template for restricting the use of destructive technology within the boundaries of accepted civilized warfare. Specifically, Protocols II and III of the 1980 Geneva Convention, which place “restrictions on the use of certain conventional weapons which may be deemed to be excessively injurious or to have indiscriminate effects,” could facilitate the arrival of similar measures for the cyber realm. As a starting point, the resolution on “developments in the field of information and telecommunications in the context of international security,” adopted by the UN General Assembly on 4 January, 1999, is a useful step, declaring, “that the dissemination and use of information technologies affect the interests of the entire international community… [and] can potentially be used for purposes that are inconsistent with the objectives of maintaining international stability and security and may adversely affect the security of States.”

But there is still more work to do! Perhaps the clearest paradigm of restrictive practice is the Treaty on the Non-Proliferation of Nuclear Weapons that could be replicated for cyber. Even Kaspersky believes, “it would be good if governments were to sign a treaty against the use of cyber weapons [sinister utility] in the same way as they have done against nuclear, biological, and chemical weapons.” It is, however, crucial to acknowledge that cyber is ostensibly different to its nuclear, chemical, and biological partners. Any treaty would necessitate legislative imagination that recognizes the protean nature of the cyber terrain and adapt to it accordingly.

Thus, this paper does not set out to promote a Kellogg-Briand-esque cyber treaty that seeks a blanket ban on the use of the fifth domain. On the contrary, I have attempted to show that agreed restrictions should not blanket the use of cyber capabilities, but rather the unacceptable use of a range of capabilities that could be used to harm human life. Further, I am in no way suggesting this should impede technological development that, for the most part, serves humanity well. It is the certain use thereof that needs restricting, à la the “repurposed candlestick” I referred to earlier.

All in all, there has been little progress to close the air-gap between defining sinister cyber activity and the necessary policy to mitigate its use. Whilst NATO’s move to amend and incorporate cyber into Article 5 is welcome, governments, en masse, remain apathetic to deal with the accumulation of technology that is utilized and weaponized. Consequently, individuals such as Kaspersky are left burdened with the responsibility for sounding this clarion call.

I would ask governments to register this increasing threat and engage with vigor. It requires very little international drive to table a motion that designates the limits of sinister cyber utility. Governments must act now and establish quantifiable restrictions. Let’s get on with it!

Ash J. Hunt is a researcher on transnational cyber policy. He has authored several articles and publications including the paper “Cyber—a real and present danger.” In 2013, he was the sole British delegate to the UN Conference on the Development of Communication and Technology Policies. He has also worked for the Under-Secretary of State, Lord Astor, the Ministry of Defence, and the Cabinet Office. He can be reached at ash_hunt@icloud.com.

The views presented in this article are the author’s own and do not necessarily represent the views of any other organization.

a global affairs media network

www.diplomaticourier.com

Cyber Quantifiable Restrictions: The Requirements to Generate Agreed Restrictions on the Use of Cyber Capabilities

March 17, 2015

As the complicated mess of the Ukraine crisis continues to unravel, global commentators have been eagerly suggesting that the escalatory nature of the conflict could lead to a “cyber war.” Although this may be an inflation of the reality, it calls to mind the human costs of such a scenario. Jarno Limnéll, Director of Cyber Security at McAfee, identifies that likely targets “could include ATM networks, e-commerce systems, energy grids, transit and road signals, air traffic control, and certainly military command lines.” In truth, Limnéll is right, but his flag of concern only touches the edge of the enormous hurt that could be felt by us all. The cyber assassin’s tool kit is simple enough to understand, but we should be weary of its ability, capability, flexibility and agility. It is this lethal cocktail of adjectives within the context of limiting damage that must be treated with agreed restrictions for the interest of human life and dignity.

The established paradigm and treaties to restrict weapons adjudged to cause unacceptable levels of human suffering are not new. International law, with the interest of civilization at its core, prohibits the use of chemical, incendiary, and nuclear weapons. It is these limitations that have helped protect us within the four conventional domains of war—land, sea, air and space—for decades. As the international community gradually grows to fill its role in the fifth domain, cyber, it is essential that deleterious cyber utility and activity is given equal consideration, particularly as its destructive capacity is coequal to its nuclear counterparts. Renowned individuals such as James Lewis, Director of the Technology and Public Policy Program at the Center for Strategic and International Studies, have stated that a cyber treaty “does not make sense.” I disagree and instead contend that it is prudent to look at both the present and future, with the emerging science of the fifth domain and its immense capabilities. Only once the full yardstick of cyber probability and capability is understood can responsible stakeholders credibly postulate what mandatory limits must be agreed upon to safeguard the vast networks that service nation states. Simply put, such agreement ticks both the moral and ethical box and limits the consequential fallout of unacceptable sinister cyber activity.

At present, thirty-five countries have offensive cyber capabilities, not to mention the millions of cyber-savvy individuals. National life-support systems, such as critical energy infrastructure (CEI) and the like, remain desirable targets and are vulnerable assets; the more vulnerable our assets, the more fragile our infrastructure. The United States reported a rise from 34 to 257 cyber attacks on their industrial control systems in 2013 alone. The same report revealed that the industrial Internet was disproportionately weaker than the consumer-facing web. We must not get into the business of writing security checks that the international community cannot cash.

It would be folly to secure and defend our wants over our essential security needs. Experts continue to explain that, “if the grid [was] down for a year or more, between two-thirds and 90% of our population could be lost to malnutrition, disease, and the [ensuing] chaos associated with social breakdown.” This kind of sinister cyber attack will leave a smoking crater: a hospital without power, a city without water, a region without energy. Notwithstanding, it is unfeasible and inconceivable for society to disentangle itself from interconnected technological infrastructures. With this in mind, this paper calls for an international agreement enshrined in law that limits the utility of the fifth domain.

The emerging, continued, and growing threat that the fifth domain poses to critical national infrastructure (CNI) is a real concern, and there are very few safeguards available. As the previous Chair of the British Defence Select Committee, Rt. Hon James Arbuthnot MP, warns, “there is a need to focus on protecting critical systems’ for ‘a successful cyber-attack could have truly apocalyptic consequences’.” The physical fallout of such disasters has already transpired with the “Maroochy Water Breach” and the “Stuxnet Worm.” In the instance of the Maroochy Water Services in Queensland, Australia, their supervisory control and data acquisition (SCADA) software—the technology that controls industrial equipment—was compromised. As a result, the hacker, a vengeful former contractor, was able to take command of the 142 pumping stations, equipped only with a laptop and radio transmitter. Over a 3-month period, he released over one million litres of untreated sewage into a storm water drain that flowed directly into local waterways. Consequent contamination was estimated to have affected “many people.” Imagine the insanitary repercussions!

A second example of critical system sabotage can be found and signposted to the Stuxnet attack. Widely accepted to be the first kinetic cyber attack, the self-propagating computer worm infiltrated industrial control systems used to operate equipment, including nuclear centrifuges at the Iranian Natanz Uranium Fuel Enrichment Plant (FEP). The efficacy of the worm halted uranium enrichment production, destroyed 10% of the plant’s centrifuges, and succeeded in infiltrating 15 additional industrial sites worldwide. No longer fiction, cyber has begun to reach its potential of inflicting real-world consequences, and it is this reality that requires international attention.

Recently, it has become apparent that “we’re in a [cyber] arms race” in a largely unregulated domain—the cyber wild west. With the increased diffusion of technology, nations have begun amassing offensive cyber capabilities: utilizing zero-day exploits, distributed denial of server (DDOS) attacks, and weaponized malware technology. Already, “the U.S. has poured billions of dollars into an electronic arsenal,” whilst the “stockpile of exploits runs into the thousands, aimed at every conceivable device.” This exponential growth of cyber arms is particularly dangerous considering the lack of rules and conventions governing the fifth arena of warfare. Dr. Richard Forno from the University of Maryland concedes, “there is no international agreement over what level of cyber warfare is acceptable.” He further recognizes that national systems such as power grids, water treatment plants and medical facilities “do not have adequate protection from hackers.” Clearly, “principles and agreements on cyber warfare must designate sensitive infrastructure as red lines.” It is necessary to afford our critical organizations the same level of protection from cyber hostility as we do from the multitude of other tangible threats.

As states willfully neglect counter proliferation efforts, it becomes clear that they are simply whistling past the cyber graveyard. With nine new pieces of malware discovered every second, governments have done little to adapt and secure their national systems or defensive capabilities. In fact, 95% of U.S. military communications still travel over the civilian Internet. As a recent report by the 9/11 Commission notes, the United States is “at September 10th levels in terms of cyber preparedness.” Disregarding the lack of sufficient mitigating efforts, some international actors are cognizant of the perceived threat. The UK Ministry of Defence’s (MoD) “Cyber Primer” document observes that infrastructure is a key target for conventional warfare and will be so for cyber. Across the pond, the former Director of the National Security Agency (NSA), Mike McConnell, cautions that a sustained cyber attack on financial institutions and critical infrastructure could bring the U.S. “to it’s knees.” The Italian national cyber stratagem goes further to suggest that targeting aviation traffic management control systems, dams, or energy installations could result “in great physical damages and the eventual loss of human life.”

Let’s be clear, this is very serious stuff. Of all the good that can be derived from the fifth domain, it can be eclipsed absolutely if it were used to the ‘n’th degree against civilization—lights out! Col. Professor Mark Hagerott described this hazard best when he stated that, “if our [U.S.] SCADA systems on our east coast were attacked and we could not restore them within about a month… we would be talking tens of millions of people dead.” Due to the standardized nature of national systems, ruinous and cascading network attacks have the capability to bring down multiple infrastructures at once, striking at the heart of our public facilities. If left unchecked and without agreed international restriction, the sinister tentacles of the Ethernet may well be the straw that breaks the backs of nations.

Whilst Pandora’s box of cyber weaponry is left open, leading states such as the UK and U.S. are neither “unified nor consistent” in their approach to deal with its destructive consequences. Governments have failed to recognize that it is a political and strategic challenge to balance the convention of war with civilized conduct, and not just merely an esoteric exercise in cyber security. Arguably, network protection should be developed in tandem with coherent and robust policy that seeks to curtail the unacceptable use of damaging cyber activity. The UK’s MoD, as a case and point, appears to have bypassed the need for an articulate cyber strategy as it looks favorably towards the cyber frontier. A previous Secretary of State for Defence, Rt. Hon Phillip Hammond, MP, stated that, “Internet-based attacks could replace boots on the ground—in the same way tanks replaced horses in the 20th Century,” and that it is “possible to envisage entire conflicts being fought in cyberspace.”

Poppycock. I suggest it is both naive and a false economy to believe that the fifth domain eradicates the requirement for tangible efforts. Cyber capabilities will more realistically be coupled with a military presence from the other domains of war and arguably with the same restrictions placed upon them. It is a sad reality of war that hemorrhaging blood and treasure will be with us for the foreseeable future. From his comments, Mr. Hammond is employing the law of the instrument—“Maslow’s Hammer.” The law describes the over-reliance and privileging of a tool to solve any problem, irrespective of whether it is the correct deterrent. It is unacceptable for governments to mortgage the security of its people so readily on the notion that the Ethernet is the silver bullet, particularly given the lack of consideration to the agreed legal parameters of the fifth domain. Nevertheless, it is clear that net-centric warfare (NCW) will become central to any future conflict. One of the key principles of battle is “economy of effort”—you would not use a sledgehammer to crack a nut. The fifth domain is the ostensible choice for malicious actors as it remains cheap, effective, and can wreak devastation and havoc with relative ease. So you can see it is not just desirable, but it is essential that states move swiftly to agree on both the legal and humanitarian boundaries of this attractive domain and give it the same “due diligence” consideration of the other four domains: land, sea, air, and space.

In response to the politicians’ lag on the cyber front, researchers have made a concerted effort to bring the hazardous consequences of cyber attacks to the forefront. Most notably, they have done this with the U.S. Department of Energy’s (DoE) 2007 experiment: the “Aurora Test.” The study operated a series of cyber attacks against an industrial generator. The attacks exploited the tolerance for variation in frequency, voltage, and phase rotation that the machine allowed in order to maintain a consistent power supply. During the short intervals in which that variation occurred, the attacks placed the generator out of sync with the power grid, causing a short period of stress, and then reconnected it to avoid disconnection. Repeated over multiple iterations, the collective stress caused the machine to vibrate irregularly, discharge smoke, and eventually shut down. The point is that these ill-protected machines form the cornerstone of public-dependent infrastructure, yet are wholly unprepared against the many facets of cyber hostility. This increasing risk, however, is not confined solely to the industrial sector; it reaches the individual as well. In 2008, University of Michigan computer scientist Kevin Fu demonstrated hacking “into a combination heart defibrillator and pacemaker to induce potentially fatal electric jolts.” At the time, the discovery was coupled with concern about the pacemaker of Vice-President Dick Cheney, who, as a precaution, disabled its Wi-Fi to prevent any compromise. Only a year prior, the security company McAfee claimed “they'd found a way to hack into an insulin pump to make it release 45 days worth of insulin in one go.” Considering this challenge to the individual’s and public’s safety, the call for a limit on detrimental cyber technology cannot come soon enough.
I salute and agree with Eugene Kaspersky, CEO of Kaspersky Labs, when he said, “we must have an international agreement on cooperation, non-proliferation, and non-use of cyber weapons… [and] that cyber weapons targeted at critical infrastructure must be forbidden.”

Patently, there is an urgent need for states to realign their focus on cyber issues towards restricting the use of sinister capabilities. Nations are challenged by a multitude of political, legal, and policy problems concerning the fifth domain. In part, this is due to a lack of understanding and consensus as to the terms and characterizations used to define sinister cyber activity. Governments remain confounded by a plethora of nebulous cyber definitions, perpetuated mostly by an ill-informed press under the “cyber warfare” tag. Without clear terms of reference, it is impossible to impose these much-needed limitations.

To the trained eye, it is widely acknowledged that a cyber-weapon is not classified or legally defined by its intrinsic properties but by the effect it causes. I liken this to the “repurposed candlestick.” You know what I mean—Colonel Mustard, in the library, with the candlestick. Clearly the candlestick was not designed for murder, but it was an effective weapon nonetheless. An example of this is the malware and remote-access Trojan Duqu, whose purpose and function was to collect data and assets in preparation for the attack by the Stuxnet Worm. Although Duqu’s setup was not inherently destructive, it was a fundamental component of the larger weapon at hand, Stuxnet. Such capabilities have become readily available with the widespread dissemination of blueprints and malicious hardware throughout public forums. Development costs of quasi-Stuxnet technology can now be as little as $10,000—facilitated by a highly profitable, intangible, and opaque cyber black-market. If nation states are to reduce ease-of-access and restrict the use of harmful cyber capabilities, they must first formalize the terms of exactly what it is they are restricting.

With this in mind, the struggle to hold back the perennial tide of malignant cyber attacks is considerable in the extreme. Whilst governments appear content to utilize the fifth domain as a strategic resource, most have shirked the responsibility of securing this new global common. Subsequently, individual, group, and even state actors enjoy carte blanche to exploit cyber for their own sinister intent. Embryonic legislative attempts, such as the European Cyber Convention, illustrate that states have been preoccupied with the low-hanging fruit of cyber crime whilst neglecting to deal with the more difficult problem of the unregulated use of weaponized cyber technology. Notwithstanding, there has been some progress to demarcate the utility of agreed cyber capabilities. One such example can be found in the Multilateral Export Control Regime (MECR). The regime hosts four arrangements, which oversee the agreed control of destructive weapons and technology. Specifically, the 1996 Wassenaar Arrangement deals with, inter alia, controlling encryption technology and, as of December 2013, certain types of malware. Whilst this is an encouraging step, it is not enough, and states need to lean in and meaningfully engage in developing a framework document that clearly defines the various strands of sinister cyber activity.

As a handrail, I use the acronym TWESC to help me understand the various categorizations that exist in cyber: Terrorism, Warfare, Espionage, Sabotage, and Crime. Critically, it is essential that states give deep consideration to mapping restrictions from the existing four dimensions of warfare to the fifth where appropriate and relevant. They must then enshrine them in law. Such an arrangement should seek to include as many emerging global powers as possible; as Laura Galante, a former U.S. Department of Defense intelligence analyst, opines, “cyber weapons give smaller, poorer nations a way to leverage asymmetric force against much larger foes.” Brushing off any skeptical murmurs, this proposal, once established, would smoke out all other international actors who refuse to embrace this wholesome avenue. This is not such an enormous ask that reasonable civilized governments should be forgiven for ignoring it. I am not asking for the “theory of everything” or what happens at the singularity where time and space cease to be and the laws of physics are rendered meaningless. No, what I'm asking for is a straightforward treaty that provides the most basic human protection from the use of harmful cyber capabilities.

Despite the terra incognita of the cyber sphere, the task to limit it can be addressed with relative ease. Well-established legislation such as the 1899 and 1907 Hague Treaties and 1925 Geneva Convention can serve as a template for restricting the use of destructive technology within the boundaries of accepted civilized warfare. Specifically, Protocols II and III of the 1980 Geneva Convention, which place “restrictions on the use of certain conventional weapons which may be deemed to be excessively injurious or to have indiscriminate effects,” could facilitate the arrival of similar measures for the cyber realm. As a starting point, the resolution on “developments in the field of information and telecommunications in the context of international security,” adopted by the UN General Assembly on 4 January, 1999, is a useful step, declaring, “that the dissemination and use of information technologies affect the interests of the entire international community… [and] can potentially be used for purposes that are inconsistent with the objectives of maintaining international stability and security and may adversely affect the security of States.”

But there is still more work to do! Perhaps the clearest paradigm of restrictive practice is the Treaty on the Non-Proliferation of Nuclear Weapons, which could be replicated for cyber. Even Kaspersky believes, “it would be good if governments were to sign a treaty against the use of cyber weapons [sinister utility] in the same way as they have done against nuclear, biological, and chemical weapons.” It is, however, crucial to acknowledge that cyber is ostensibly different to its nuclear, chemical, and biological partners. Any treaty would necessitate legislative imagination that recognizes the protean nature of the cyber terrain and adapts to it accordingly.

Thus, this paper does not set out to promote a Kellogg-Briand-esque cyber treaty that seeks a blanket ban on the use of the fifth domain. On the contrary, I have attempted to show that agreed restrictions should not blanket the use of cyber capabilities, but rather the unacceptable use of a range of capabilities that could be used to harm human life. Further, I am in no way suggesting this should impede technological development that, for the most part, serves humanity well. It is certain uses thereof that need restricting, à la the “repurposed candlestick” I referred to earlier.

All in all, there has been little progress to close the air-gap between defining sinister cyber activity and the necessary policy to mitigate its use. Whilst NATO’s move to amend and incorporate cyber into Article 5 is welcome, governments, en masse, remain apathetic about dealing with the accumulation of technology that is utilized and weaponized. Consequently, individuals such as Kaspersky are left burdened with the responsibility for sounding this clarion call.

I would ask governments to register this increasing threat and engage with vigor. It requires very little international drive to table a motion that designates the limits of sinister cyber utility. Governments must act now and establish quantifiable restrictions. Let’s get on with it!

Ash J. Hunt is a researcher on transnational cyber policy. He has authored several articles and publications including the paper “Cyber—a real and present danger.” In 2013, he was the sole British delegate to the UN Conference on the Development of Communication and Technology Policies. He has also worked for the Under-Secretary of State, Lord Astor, the Ministry of Defence, and the Cabinet Office. He can be reached at ash_hunt@icloud.com.

The views presented in this article are the author’s own and do not necessarily represent the views of any other organization.