Abstract
Traditional armed conflict is subject to conventions that govern the way wars are fought and protect those who are not involved. However, thus far, there are no equivalents to the Hague and Geneva Conventions of war for the cyber world, where artillery and explosives are replaced by viruses and malware. Therefore, this paper argues that it is imperative to establish international regulations to keep cyberwarfare ethical, based on the foundations provided by existing warfare conventions.
Beneath the continuous flow of bits and bytes of the internet lie sinister weapons: computer viruses and malware. While many international conventions regulate traditional armed conflict, none explicitly apply to this new battlefield of cyberspace. For traditional warfare with artillery and explosives, the Geneva and Hague Conventions consider military attacks ethical if they are proportional in “size and scope” to their provocation and give innocent civilians immunity [1]. Cyberweapons differ so greatly from conventional weapons, however, that it becomes exceedingly difficult to determine the full impact of a cyberattack, much less regulate one. As information security researcher Tarah Wheeler says, currently “in cyberwar, there are no rules.” But cyberwarfare causes such damage that regulation must be established for this new domain [2]. Although the Geneva and Hague Conventions were not assembled for cyberwar, both can serve as a strong basis for future cyber-regulations.
Compared to the millions of lives that traditional war sacrifices, cyberwarfare presents itself as a somewhat restrained combat option. Cyberattacks utilize malware and computer viruses, which, much like biological viruses, attach themselves to a computer program or service and spread to connected devices. As such, cyberwarfare is likely to incur only economic damages from broken computer systems, as opposed to physical harm to innocents. The emerging cyber battlefield also is a much more level playing field compared to traditional war, requiring software instead of the large military might that smaller countries may lack. Cyberwarfare has also been inherently limited by the difficulty of estimating opponents’ cyber capabilities and the complexity of controlling the extent of viruses.
But despite its more subdued nature, cyberwarfare lacks the crucial protections for non-combatants that traditional warfare has. While humanitarians and other non-combatants typically mark themselves with red crosses in traditional war, the interconnectedness of cyberspace makes it difficult to fully separate protected individuals from the rest of the cyber-battlefield. The United States and Russia acknowledged this difficulty and made a step towards bridging the gaps in legislation through a bilateral agreement made in 2011. The agreement outlined efforts to evaluate “intermingling of protected, humanitarian critical infrastructure with non-protected infrastructures” and to “conduct a joint assessment” of the feasibility of various special markers for innocents within cyberwarfare [3]. The larger international stage unfortunately still lacks significant progress in concrete isolation of non-combatants from cyberwar, though the agreement marks a step in the right direction.
Another limitation of cyberwarfare regulation is difficulty in ascertaining what constitutes an ethical response, particularly when determining the source of cyberattacks is difficult. When hackers conduct attacks, their software sends data on their source IP address as well as the destination; the IP address can in turn be used to locate the hacker’s computer. But skilled hackers, including those utilized by governments, can “spoof” their source IP address to make cyberattacks seem to originate from somewhere else. Cyberattacks can also be routed through a series of several computer systems, adding layer after layer of source IPs and further hindering attempts to trace their sources. Determining the source of a virus can thus become a fruitless effort; in many circumstances, it is challenging to execute any cyberwarfare response, let alone pick the appropriate severity of counterattack.
Even a seemingly perfectly crafted cyberattack can still result in challenges for its creators, and even teams defending against malicious hackers can unintentionally do damage to the people they are meant to protect, because of the simple fact that computer viruses are unable to distinguish between friend and foe. For example, in 2017, it was revealed that the National Security Agency (NSA) was stockpiling zero-day exploits, cyberattacks that have no known solution, including an exploit called EternalBlue [4]. A month after EternalBlue was leaked, the software was used to execute a worldwide ransomware attack––in which the software encrypts computer files and demands a bitcoin payment to unencrypt them––extorting an estimated $4 billion from 230,000 computer users worldwide [5]. Even though EternalBlue proved to be a useful intelligence gathering tool for the NSA, its malicious repurposing demonstrates the unreliable nature of cyberweapons.
The potential for long-lasting devastation by both cyberattacks and traditional war makes the latter a sturdy basis with which to evaluate the ethicality of cyberwarfare. An example of the deadly potential of cyberattacks occurred in January 2010, when an Iranian uranium enrichment plant began to fail at an unprecedented rate. It was later discovered that a virus called Stuxnet was replicating itself in the plant’s computer system and interfering with the valves of the centrifuges. With the virus, a team believed to be started by the joint efforts of American and Israeli intelligence was able to increase internal pressure and significantly impair the plant [6]. Though Stuxnet was carefully designed to cause damage to only select areas, a single misstep would have caused irreparable damage: in its weakened state, the nuclear plant could have exploded, claiming thousands of lives and rendering large swaths of land unusable for hundreds of years. The Geneva Conventions prohibit methods of traditional warfare that “cause widespread, long-term, and severe damage to the natural environment”; examining the possible fallout of the Stuxnet attack, it follows that this portion of the conventions should extend to cyberattacks as well [7]. Stuxnet was certainly of dubious ethicality, and similar attacks should not be allowed in cyberwarfare.
Both traditional and cyber warfare also have high capacity for negligence, which suggests that standards of negligence in traditional warfare can apply to its cyber counterpart as well. Seven years after the Stuxnet attack, a Russian hacker group launched a computer virus called NotPetya. The attack was initially aimed at the Ukrainian Government, but ultimately caused $10 billion in nationwide damages, including collateral harm to computer systems used by banks, energy companies, supermarkets and telecommunications providers [8, 9]. According to Tom Bossert, a former U.S. Homeland Security advisor, the attack “was the equivalent of using a nuclear bomb to achieve a small tactical victory” and involved an unprecedented “degree of recklessness” [10]. The hacker group responsible for the virus appeared to prioritize efficiency without considering negative side effects, as the scope of computer systems affected significantly overshadowed the size of the intended target. Considering the property damage and potential financial loss done to thousands of civilians, this attack undoubtedly infringed upon the Hague Conventions and their admonishment against causing “unnecessary suffering” [11]. While the Ukranian government may have been a participant in the conflict, the general public certainly had no involvement and no way to defend itself against this unjust attack.
Cyberwarfare demands an ethical framework in the present day; the exponential improvement of computer capabilities only increases the urgency. Quantum computers in development today are 100 million times faster than ordinary computers, allowing them to inflict more damage much faster, and scientists have only unlocked mere fractions of their capabilities thus far [12]. Using the Hague and Geneva Conventions, we can establish sufficient foundational guidelines, but nations must agree upon strong conventions swiftly. Without an international ethical boundary, cyberwarfare’s destructive consequences will only continue to wreak havoc across the globe.
By Bram Lim, Viterbi School of Engineering, University of Southern California
About the Author
At the time of writing this paper, Bram was a senior majoring in Computer Science at the University of Southern California. He has a deepening interest in anything cybersecurity, including penetration testing and network security.
References
[1] C. Rowe, “Ethics of cyberwar attacks”. [Online]. Available: https://faculty.nps.edu/ncrowe/attackethics.htm.
[2] T. Wheeler, “In cyberwar, there are no rules”, Foreign Policy, 12-sept-2018. [Online]. Available: https://foreignpolicy.com/2018/09/12/in-cyberwar-there-are-no-rules-cybersecurity-war-defense/.
[3] “Working Towards Rules For Governing Cyber Conflict”, EastWest Institute, Jan-2011. [Online]. Available: https://www.eastwest.ngo/sites/default/files/ideas-files/US-Russia.pdf.
[4] C. Cimpanu, “Microsoft Releases Patch for Older Windows Versions to Protect Against Wana Decryptor”, BleepingComputer, 13-may-2017. [Online]. Available: https://www.bleepingcomputer.com/news/security/microsoft-releases-patch-for-older-windows-versions-to-protect-against-wana-decrypt0r/.
[5] “What is WannaCry ransomware?”, Kaspersky. [Online]. Available: https://usa.kaspersky.com/resource-center/threats/ransomware-wannacry.
[6] K. Zetter, “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon”, WIRED, 03-Nov-2014. [Online]. Available: https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/.
[7] C. Chinkin, “Legality of Nuclear Weapons”, CND, 27-Jun-2008. [Online]. Available: https://cnduk.org/legality-of-nuclear-weapons/.
[8] B. Nussbaum, “When cyberwar struck its first civilian target”, Nature, 12-Nov-2019. [Online]. Available: https://www.nature.com/articles/d41586-019-03457-9.
[9] F. Bajak and R. Satter, “Companies still hobbled from fearsome cyberattack”, APnews, 30-June-2017. [Online]. Available: https://apnews.com/ce7a8aca506742ab8e8873e7f9f229c2/Companies-still-hobbled-from-fearsome-cyberattack.
[10] A. Greenberg, “The Untold Story of NotPeya, the Most Devastating Cyberattack in History”, WIRED, 22-Aug-2018. [Online]. Available: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/.
[11] “Practice Relating to Rule 62. Improper Use of Flags or Military Emblems, Insignia or Uniforms of the Adversary”, ICRC. [Online]. Available: https://ihl-databases.icrc.org/customary-ihl/eng/docs/v2_rul_rule62.
[12] B. Marr, “15 things Everyone Should Know About Quantum Computing”, Forbes. [Online]. Available: https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/.
Links for Further Reading
https://www.lexology.com/library/detail.aspx?g=be126908-c800-4ca4-a247-0737bb351bfb
https://about.bgov.com/news/army-to-merge-100-million-regional-cyber-operations-contracts/
https://thediplomat.com/2020/11/why-is-north-korea-so-good-at-cybercrime/