In this article, the author analyzes the difficulties that exist in cyberspace, owing to its own characteristics and the lack of comprehensive international regulation, in attributing cyber-attacks and in responding adequately to attempts by malicious actors to damage or destroy command, control and communications systems.
In this century, cyberspace is considered an essential element in the lives of millions of people around the world. Through and within cyberspace, essential operations are carried out for economic development, political-social activity, security, industrial production, democratic practice and the protection of critical infrastructures of a State.
However, being a space of dominance and competition, cyberspace has become a tool and a means to carry out illegal activities. These are carried out with a certain level of impunity, owing to the lack of regulation of violent activities and potential acts of war committed through cyberspace.
To present the above, the analysis comprises four sections that: 1) cover the details of cyberspace, 2) identify the elements that classify an adverse event as a cyber-attack, 3) discuss the difficulty of responding to it, and 4) set out the need for a legal framework for the preservation of peace and security in cyberspace.
Cyberspace is a place created by man and for man, since it is where, collectively, the diverse activities of society converge, covering the transactions, relationships and thoughts of all those users who connect. Cyberspace has no borders as it is an abstraction of the human mind, which has a global scope and tangible and intangible elements that allow the representation of the material world in a virtual space.
Cyberspace is not regulated by International Humanitarian Law due to its recent appearance. However, the negative impact of cyber-attacks and the destructive capacity of cyber weapons have been increasing. Therefore, the States that use them as means of defense and attack must do so with full consideration of the Geneva Conventions.
The attribution of violent actions is a slow and difficult task in cyberspace due to its technical and organizational characteristics. These can include the nature of the cyber-attack, the configuration of the internet, and technological advances. Despite this, there are international efforts to guarantee the precise attribution of the acts and to demonstrate their illegality.
Cyberspace is considered a Global Common. In 1996, John Perry Barlow wrote the Internet Declaration of Independence to convince governments not to assume any sovereignty over cyberspace. Shortly after, cyberspace became the last of the Global Commons, precisely because it was a virtual space created by man with common utility where information is the main asset.
Cyberspace has geopolitical importance. Under conditions of hyperconnectivity and international competition to dominate cyberspace, controlling it is vital for obtaining, preserving and increasing the power held by a State. Today, cyberspace and information technologies are strategic assets for the governments of the world since whoever controls cyberspace will take control of the world. This has generated changes in national security policies, military doctrines and academic research that seek to establish models of cyber sovereignty.
Cyberspace is a dual-use tool. As an area where dominance is sought and competition is emphasized, cyberspace not only serves to carry out non-harmful activities but has also become a tool and a means to cause harm, steal, swindle, attack, interrupt, surprise, manipulate, lie and murder. Ironically, cyberspace serves both to achieve conciliation, development and peace, and to motivate conflict, backwardness and war.
In short, the characteristics of cyberspace make it a unique space, with the potential to generate damage through a cyber-attack. Non-attribution opens the door for actors to use cyberspace with impunity for the benefit of their geopolitical objectives. Consequently, regulating activities and operations, and establishing penalties for misusing its capabilities to the detriment of third parties, is an action that cannot be postponed.
Under what conditions is a cyber-attack suffered
Despite the fact that the word “cyber-attack” is used to refer to adverse events that threaten computerized command, control and communications systems, not all of them should be considered a cyber-attack. The final objective and the actors of a large-scale hack will be the elements that define the classification of the adverse event as a cybercrime or a cyberattack. Differentiating effectively will allow progress in the construction of an international legal framework that regulates cyber-attacks and the use of force to respond in this situation.
In other words, if the hack carried out by a criminal or criminal group has the main objective of taking advantage of the vulnerabilities of the financial system and stealing money from bank accounts, it must be classified as fraud or theft, unless the legal framework of the States determines something different, or it is precisely identified that a State is the actor or sponsor of that act.
If a terrorist group manages to take control of strategic facilities or critical infrastructure, causing sabotage, then the event must be classified and punished either as a terrorist act or as sabotage; however, if a State carries out a cyber-operation with full knowledge of the facts and a political-strategic objective against the computerized systems of another State, it should be considered a cyber-attack, act of war or act of aggression.
As aggression is the most obvious manifestation of the use of force between States and the main threat to international security, an armed response is acceptable, as a form of legal and legitimate defense. It is in the case of aggression between States that one can speak of a cyber-attack and justify the use of force as a means of defense. This is based on International Humanitarian Law, which establishes that States are the only actors that use force in defense of their interests when the sovereignty, survival, permanence and integrity of the State are at risk.
Limiting the right to wage war and launch cyber-attacks makes it possible to distinguish between “that which threatens public security” and “an attack on national security.” In order to give a proper and legitimate response in the current context of clandestine operations, one has to consider factors such as indirect confrontations, the use of proxies to wage war, contracts with private military security companies, greater participation of private initiative in military operations, and the use of cyberspace as a battlefield. The intensive use of technology in warfare and the dependence on computerized systems have made it evident that there is a gray area where both kinds of security overlap. The attribution of attacks is difficult because the difference between peace and war is diluted, non-State actors are used, and unconventional measures for the conduct and resolution of conflicts are justified.
This gray area is particularly useful in cyberspace since, due to the characteristics of cyber-attacks, it is difficult to attribute them precisely. Cyber-attacks are a relatively new phenomenon and a threat to national and international security that leaves little room for legal maneuver for the States that suffer them. No one knows what the next cyber-attack will look like, but it is predicted to be more complex, persistent, automated, targeted, personalized, adaptable, evasive, stealthy, disruptive, and dangerous.
The difficulty of responding to a cyber-attack: the SolarWinds case
The hack suffered by SolarWinds Inc. has revived the existing debate on how to respond to a cyber-attack. Due to the magnitude and scope of the hack against SolarWinds, American society, with all logic but little thought, is calling for a counterattack with the full force of the State. In a sense, the response demands that anyone who dares to attack the United States (USA) receive the force of its weapons in response, implementing the “Talion Law.” In this way, an initial defense based on deterrence and fear would be obtained. However, the reaction of the US government requires precise and thoughtful considerations. While the US stands out for its diverse, deadly, and comprehensive cyber weapons, it is also clear that its most significant vulnerability is the combination of hyperconnectivity and digital dependency it experiences. Strategically, the US government recognizes that it must address the fragility of cyber defense if it is to emerge victorious from a cyber-attack. The US cannot use its cyber power without ensuring that the escalation of virtual and cyber violence will cause further harm to its enemy. That requires an infallible defense that, in the current context, is not viable. In fact, President-elect Joe Biden is clear that “a good defense is not enough,” and declared that potential adversaries must be interrupted and deterred from even daring to launch a cyber-attack, suggesting that he will take action against such cyber-attacks. Biden’s words somehow suggest offense as the best defense.
Regulation of operations in cyberspace
The need for a clear and precise regulation of the activities of the different actors in cyberspace has been evidenced by the adverse and harmful events for some state and non-state actors, who have been unable to respond effectively. Adverse events include acts of cyber espionage, information leaks, personalized cyber-attacks, and acts of revenge or show of force. Below are representative examples of law-breaking acts using cyberspace:
The hack against the SolarWinds company, allegedly by Russian hackers, has rekindled the debate about the lack of regulation and, therefore, of certainty for operations in cyberspace. This is again a topic of debate, 24 years after the cyber-attack by the group known as Moonlight Maze against renowned government agencies and universities. This event is considered “the first coordinated espionage cyberattack with a global reach”, managing to steal classified information and go unpunished.
In the field of sensitive information leaks, Edward Snowden is the most obvious example of existing insider threats for companies. Although Snowden disclosed information about US spying and intervention programs, he did not elaborate on the tools or methods they use for their implementation and/or operation. In this sense, there were no repercussions against the US government, but there were against Snowden.
There are the two cases of Stuxnet and Saudi Aramco. In the first, the US and Israel used Stuxnet – a Trojan considered the first cyber weapon – to disrupt or stop the Iranian nuclear program. It was the cyber-attack that broke the Digital Rubicon, started the cyber-weapons race, and changed the way we wage war. In fact, in response to the cyber-attack with Stuxnet, Iran erased information from thousands of computers belonging to the Saudi Aramco Company, disrupting all its activities. Both events went unpunished despite the damage and inconvenience caused.
Lessons learned from cyber espionage against SolarWinds, from cyber-attacks such as Stuxnet, and from information leaks such as Edward Snowden’s, make it clear that operations in cyberspace proceed with few internationally accepted rules of conduct. Cyberspace, as President Obama once put it, is “the Wild West” or a territory without law, where the actions of governments, terrorists and technology companies converge. These examples are testing the borders of legality with little or no repercussions.
Under the conditions of hyperconnectivity and dependence on cyberspace, there are multiple details of operation and functioning that require urgent attention from governments. Free access to cyberspace and the difficulty of attributing violent and illegal acts must not be allowed to create the belief that there is no difference between matters of public cyber security, cyber war, and control over the acquisition of cyber weapons.
Cyberspace is the fifth area of warfare and, consequently, the current international legal framework must be modified to include the regulation of cyber operations and cyber-attacks.
Cyberspace cannot and should not be a territory without regulation on its use as a means of causing harm or carrying out acts of war. The results would motivate new actors to join cybercrime and escalate violence and acts of illegitimate use of force that would go unpunished. This will continue until the international community chooses to stop it.
- John Perry Barlow, “Declaración de independencia del ciberespacio,” Periférica Internacional Revista Para El análisis De La Cultura Y El Territorio (1, no. 10, 2011), 241-242, https://revistas.uca.es/index.php/periferica/article/view/943 (accessed December 22, 2020).
- David Sanger and Nicole Perlroth, “More Hacking Attacks Found as Officials Warn of ‘Grave Risk’ to U.S. Government,” The New York Times (December 17, 2020), https://www.nytimes.com/2020/12/17/us/politics/russia-cyber-hack-trump.html (accessed December 25, 2020).
- He is the founder of the Electronic Frontier Foundation, an organization created as a counterpart to the passage of the Telecommunications Act of 1996 in the USA.
- Some reports mention that more than 18,000 of the firm’s clients were affected, which has generated panic among governments due to the economic, political, social and technological impact that it could have. On December 17, Microsoft had identified 40 companies, government agencies, and think-tanks that may have been infiltrated by hackers.
- David Sanger and Nicole Perlroth, “More Hacking Attacks Found as Officials Warn of ‘Grave Risk’ to U.S. Government,”
In 1996, there were two cyber espionage groups dominating cyberspace: Moonlight Maze (Russia) and Equation Group (USA). The Moonlight Maze group is considered the first Advanced Persistent Threat or APT, and is presumed to be sponsored or organized by the Russian government. It has recently been connected with the APT known as Turla