Present and Past Concerns:
Cyber-Warfare and the Analogy with Nuclear Security Threats
By Giuseppe Spatafora
The advent of the Computer Age marks our time. The development of Internet Technology has profoundly affected the way in which we communicate, make business, learn and interact with one another. Cyber-space is generally regarded as an asset which simplifies life and empowers people: empirical evidence shows that the most advanced societies and states are increasingly relying on cyber-space and on ITC networks. Recently, however, this ever-increasing reliance has turned into a liability: individuals, corporations and states have become the target of attacks carried out through modern cyber-infrastructures. Professor Martin Hildebrand from Toronto University provides an interesting portrait of the new security threats in the Age of Internet:
Cyberspace is not merely a place where registration is becoming paramount, pervasive, and highly profitable. Increasingly, it is becoming a space rooted in a layer of automated decision-making systems. These computational layers enable and inform all kinds of remote control, which are not only used to create added value for the industry or to uncover criminal networks; they also underpin malicious attacks against both individual netizens and private and public organizations (204).
As Hildebrand suggests, cyber-attacks protect the identity of the aggressor because they are carried out through remote control: the main obstaclefor ensuring defense from or response to an attack has been the difficulty of verifying the cyber-aggressors’ identity.
Three forms of cyber-attack can be distinguished, depending on the actors involved: Cyber-Crime, Cyber-Terrorism and Cyber-War. Cyber-Crime is the broadest category: it involves attacks against computer hardware and software, financial crimes, penetration of online services, abuse, and others. Cyber-Terrorism, instead, can be defined as “a cyber-attack using or exploiting computer or communication networks to cause sufficient destruction to generate fear or intimidate a society into an ideological goal” (“NATO and Cyber-Defence” par. 10). Depending on the context, the term cyber-crime may be interchangeable with cyber-terrorism as often it is impossible to make a distinction between computer network attacks performed by terrorists and cyber-crimes.
Another concern for states’ security, however, is the deployment of cyber-space as the fifth war space, after land, sea, air, and outer space. In the past decades, attacks on one state by another have multiplied, and states’ security systems have proved to be incapable of responding to an act of cyber-warfare.In 2007 the world came to know the effects of cyber-warfare on states, when Estonia suffered a massive denial-of-service attack in the midst of a diplomatic crisis with Russia over the removal of a Soviet statue in the center of Tallinn. Estonia, in which “98% of bank transactions are done online, 98% of income tax returns are done online, 95% of prescriptions are refilled online”, suffered an economic and political paralysis after the breakdown of its critical websites (Ilves). Although evidence clearly points to Russia as the responsible for the attack, its involvement has not been legally proven yet.
Estonia’s case was not the only example of state-on-state cyber-attack. In the 2008 Russian-Georgian conflict, Georgia suffered “the first case in history of a coordinated cyberspace domain attack synchronized with major combat actions in the other war-fighting domains, land, air and sea” (Hollis 2). In 2011, Iranian computer-controlled nuclear centrifuges were badly damaged by a computer worm, probably deployed by a State Intelligence apparatus – Israel and the United States are the main suspects – because of its complexity. And in 2014, in response to the United States’ accusation of backing hackers and cyber-terrorists, North Korea declared to be “fully ready to stand in confrontation with the US in all war spaces including cyber warfare space” (Evans par. 5).
These examples show how paramount it is for states to examine the new security threats posed by cyber-warfare. The most advanced states are the most vulnerable to cyber-attacks, and their possibility to respond to an attack is restrained by the lack of cyber-defence capabilities and the absence of international legislation on the matter. At a deeper analysis, however, the current situation may remind of the beginning of the Cold War, when the nuclear threat impended over the world.The discovery of nuclear energy led, almost immediately, to the application of this new technology to warfare. Similarly, international law and organizations were unprepared to deal with the matter, and the most powerful nations started to look at ways of developing their national nuclear defence strategies. Thus, we may find relevant analogies between the nuclear threat during the Cold War and the new menace posed by cyber-warfare.
The first similarity between the two areas is the “security dilemma” that the atomic and cyber technology created. In international relations, the security dilemma states that one actor’s gain in securityinevitably threatens others. A perfect illustration of the security dilemma was the nuclear arms race. When the United States launched two atomic bombs on Japan, demonstrating its military superiority over any opponent, other powerful states felt threatened and started to seek for nuclear weapons for the purpose of self-defence. The Soviet Union developed nuclear weapons in 1949, causing panic in the West and pushing the United States to develop other détente weapons like the hydrogen bomb. The United Kingdom, France and China soon followed, and nuclear weapons started to proliferate, increasing the fear of Mutually Assured Destruction (M.A.D.).Some IR scholars criticize the growth of massive nuclear armaments for self-defence, like Robert Jervis, who claimed that the security dilemmacauses unnecessary fears, compromises cooperation and“encourages behavior that leaves all concerned worse off than they could be” (167). In contrast, realist scholars claimed that the diffusion of nuclear armaments brought about peace in the form of deterrence. Kenneth Waltz, for example, contrasts“the logic of conventional and nuclear weaponry toshow how nuclear weapons are in fact a tremendous force for peace and afford nationsthat possess them the possibility of security at reasonable cost” (731). Waltz explains that, when two states possess nuclear weapons, like the US and the USSR or India and Pakistan, they will not wage war on each other because of M.A.D. As a consequence, the more states possess the atomic bomb, the fewer the chances of a new conflict would be.
As far as cyber-warfare is concerned, we are witnessing the escalation of a “cyber-security dilemma.” The cyber-attack on Estonia offered a “striking picture of how a state could find itself facing significant adversarial acts on this newest, digital front, but in a manner and scope that do not constitute traditional armed attacks” (Hinkle13). It also demonstrated how essential it is for states to adopt measures for the security and the defence of their cyber-space.Just as since the 1940s states developed the atomic bomb, in the aftermaths of the 2007 attack, states moved to strengthen their national cyber-defence centers. The United States had convened the first major legal conference on cyber governance in 1999, but in the following years attention shifted to terrorism, especially after the 9/11 attacks (Schmitt 1). Only in 2011 the U.S. Department of Defence issued its “Strategy for Operating in Cyberspace”, and established a Cyber Command to conduct operations in the new area. Other highly “wired” countries soon followed, including Canada, the United Kingdom, Italy, Germany, Russia and China. Although national cyber defence centers are claimed to be developed exclusively for a defensive purpose, they also empower states to pursue an offensive cyber-attack: China’s online defense unit, the “Blue Army” has been accused of undertaking cyber-attacks against foreign companies and government agencies, and similarly North Korea was blamed guilty of supporting cyber-terrorists (Evans par. 3).
It seems thatstates fear a new form of M.A.D. in which their critical cyber-infrastructures may be destroyed by an act of cyber-war. Realist scholars like Waltz may claim that the number of cyber-attacks will diminish once a sufficient number of states possess cyber-offensive capabilities, and therefore they would support the development of national cyber centers.However, most experts, like Schmitt or Hinkle, believe that the best option to prevent cyber-warfare should be the development of international law and of a platform for collective defence. One of the reasons why Waltz’s “nuclear peace” may not apply to the cyber realm is that, as previously discussed, it is not easy to verify the aggressor’s identity and ensure response.
Another major similarity between the Cold War’s nuclear threat and today’s cyber threatis the initial lack of international legislation on the subject. The main sources of international law are treaties and customary practice, and both have proven slow to adapt to changing patterns of world politics. Hundreds of diplomats were drafting the UN Charter in San Francisco when a state deployed nuclear weapons for the first and, so far, only time in a conflict. Nevertheless, although the UN Charter included the arms control and disarmament among the goals of the United Nations, it made no reference to nuclear regulation. For two decades, states were able to deploy and increase their nuclear capability without legal restrains. Only in the 1960s, after the Cuba missile crisis risked to unleash a nuclear confrontation, the US and the USSR started to discuss a nuclear arms control treaty. Consequently, the nuclear powers signed several bilateral agreements and multilateral treaties to limit the possession and the use of nuclear weapons.
The most important multilateral treaty is the 1969 Nuclear Non Proliferation Treaty (NPT), which limits the possibility of possessing nuclear weapons to the US, the USSR, Britain, France and China, and countries without nuclear weapons will allow the U.N. International Atomic Energy Agency (IAEA) to oversee their nuclear facilities and ensure that they are deployed for pacific use (“Arms Control Treaties” par. 1). The NPT was significant in preventing the spread of nuclear weapons, but it also created substantial inequality by assigning the nuclear-power status only to the five permanent members of the UN Security Council. A further weakness of the treaty is that states which developed nuclear capability later on – India, Pakistan, Israel, North Korea – haveimmediately withdrawn from the NPT without major repercussions, and as a result they have avoided sanctions. Other major multilateral treaties are the Limited Test Ban Treaty and the Comprehensive Test Ban Treaty, which prepared a framework for limiting and eventually prohibiting nuclear tests. The most important bilateral agreements for limitations in the use of nuclear weapons, instead, are the US-USSR talks known as SALT and START agreements.
We can recognize similar patternsfor what concerns cyber-security.Like in the 1940s, international law today does not comprehend specific measures to deal with cyber-warfare. The only regulations of the United Nations deal with information security and privacy protection, rather than with security and attack prevention. The first bilateral agreement concerning cyber-security involved, like in the Cold War, two superpowers: the American and Chinese Presidents met at Palm Springs in 2013 and agreed ona general cooperation framework “to address issues like cyber-security and the protection of intellectual property” (Botelho, Merica and Yellin par.8). This sentence suggests that the main concernsof the meeting were cyber-crime and privacy violations, not cyber-warfare. Indeed, critics argue that the two governments have different stances on the use of the Internet for defence purposes, and therefore they will not easily reach an accord: “While the U.S. is focusing on acts of violence and terrorism, China is utilizing the Internet and other mechanism in order to steal commercial or military secrets” (par. 15). Thus, it can be argued that the “cyber-security dilemma” is preventing cooperation in the area of cyber-defence.
As previously mentioned, “[there] are no treaty provisions that directly deal with cyber warfare” (Schmitt 5). However, the NATO Collective Cyber-Defence Center of Excellence (CCD CoE), located in Tallinn in the aftermaths of the 2007 cyber-attack, made a first attempt to predict and regulate the potential danger cyber warfare might be for the international order. In 2013, the CoE issued The Tallinn Manual on the International Law Applicable to Cyber Warfare, drafted by a panel of experts and edited by Michael N. Schmitt. The Introduction states theManual’s scope:
The Tallinn Manual examines the international law governing cyber warfare. As a general matter, it encompasses both the jus ad bellum, the international law governing the resort to force by States as an instrument of their national policy, and the jus in bello, the international law regulating the conduct of armed conflict… Related bodies of international law, such as the law of State responsibility and the law of the sea, are dealt within the context of these topics (Schmitt 3).
The Tallinn Manual is made up of both Rules and Commentaries. Rules, or “black letter rules”, are the applications of existing hard and soft international norms to the cyber realm whereas the commentary is intended to identify the legal basis for the rule, explain its normative content, address the practical implications, and set forth interpretation (Schmitt 5). Many comparisons are drawn, for example, with the International Court of Justice’s ruling cases.
The Group of Experts was unanimous in its estimation that rules of international law on war apply to cyber operations. Thus, the main claim of the Tallinn Manual is that countries that suffer a cyber-assault have the right to self-defenceand proportionate response to the act of aggression, as expressed in the UN Charter Article 51. However, the Tallinn Manual is not a piece of legislation but a guideline to predict possible future attacks and implement policies. It can potentially become the basis for an international treaty which, like the NPT, would regulate the new weapons. One of the hopes is to institute states’ legitimacy to respond to a cyber-attack and, as a result, create a détente system like in the Cold War. Another, more liberal aim is to enhance international cooperation in order to prevent, detect and respond to an act of cyber-warfare. The European Commission, for example, regards the Tallinn Manual as guideline for its Cyber-Defence Strategy, part of the broader Common Foreign and Security Policy of the Union (“Factsheet Cyber Defence”).
Those who support the Tallinn Manual’s proposal aim to create a Collective Cyber-Security body similar to the IAEA, but this project faces opposition at the United Nations level. In 2015, China, Russia, Kazakhstan, Kyrgyzstan, Tajikistan and Uzbekistan circulated the updated version of an “International Code of Conduct for Information Security”, in the form of a letter to the UN Secretary-General. The “Code of Conduct” calls for a strong state role in the control of information technology and networks, therefore concentrating on the issue of privacy, but makes no reference to cyber-warfare or to the applicability of existing international law to it (Grigsby par. 5). The less prone to accept an international body is Russia, which is repeatedly blamed by the international community for the cyber-assaults on Estonia, Georgia, and for supporting Eastern Ukrainian rebels who are currently carrying out cyber-attacks on the Kiev Government. Russia pursues an adamant strategy of non-regulation of cyber-space for defence purposes, arguing that any attempt to regulate cyber-war would imply legitimizing cyber-war itself. According to Waxman, it will be hard to reach an important multilateral agreement given the superpowers’ diverging positions, just like in the 1950s a nuclear agreement seemed impossible (39).
The prescription, however, is not to abandon efforts to regulate the new cyber-threats. One major conclusion that can be drawn by comparing the cyber and nuclear threats is that the international structures need time to adapt to changing patterns and new issues. The expansion of nuclear armaments took the world by surprise, and increasing national defence infrastructures was deemed more urgent than regulating the system: the result was détente. What we are witnessing in the early 21st century is the build-up of cyber-defence systems to avoid a cyber-attack like the one on Estonia in 2007. Today’s world moves less toward a system of collective cyber-security than toward an anarchic world of cyber-deterrence. However, after decades of deterrence, the system adapted to the nuclear threat by adopting hard law on the limitation of armaments.If the analogy is correct, the Tallinn Manual may represent the first step towards the regulation of cyber threats, as well. As previously discussed, there are also numerous differences between nuclear proliferation in the Cold War and the cyber-threat of the 21st century: therefore, we may expect different outcomes in the next years. But, in the last decades, we have witnessed several repetitive outcomes: History may suggest that cyber-security will evolve like nuclear security, and that in the future a treaty or resolution will ensure a more stable “cyber-peace.” The Computer Age’s liabilities may, eventually, be turned into assets.
“Arms Control Treaties: Nuclear Non Proliferation Treaty.” AtomicArchive.com. AJ Software & Multimedia, 1998. Web. 4 April2015.
Botelho, Greg, Dan Merica, and Jessica Yellin. “Despite tensions, U.S., Chinese leaders talk of forging ‘new model’ in relations.”CNN News. CNN, 9 June 2013. Web. 16 March 2015.
Evans, Stephen. “Sony Hack: North Korea threatens US as row deepens.” BBC News. BBC, 22 December 2014. Web. 20 February 2015.
“Factsheet Cyber Defence.” European Defence Agency. The European Union, 2015. Web. 24 March 2015.
Grigsby, Anthony. “Will China and Russia’s Updated Code of Conduct Get More Traction in a Post-Snowden Era?” Council on Foreign Relations. Net Politics, 28 January 2015. Web. 3 April 2015.
Hildebrandt, Martin. “Extraterritorial Jurisdiction to Enforce in Cyberspace? Bodin, Schmitt, and Grotius in Cyberspace.” University of Toronto Law Journal, 196.224 (2013). Print.
Hinkle, Katharine C. (2011). “Countermeasures in Cyber Context: One More Thing to Worry About.”The Yale Journal of International Law Online, 37.2 (2011): 11-21.Yale Publications, Fall 2011. Web. 4 April 2015.
Hollis, David. “Cyber-War Case Study: Georgia 2008.” Small Wars Journal. Small Wars Journal, 2011. Web. 12 March 2015.
Ilves, Toomas H. “What Keeps Me Awake at Night? Worries and Challenges for a Small European Ally.” Fletcher School of Law and Diplomacy at Tufts University. Boston, 7 October 2013. Lecture.
Jervis, Robert. “Cooperation under the Security Dilemma.” World Politics. A Quarterly Journal of International Relations, 30.2 (1978). Print.
“NATO and Cyber-Defence.” NATO Parliamentary Assembly. NATO, 2009. Web. 4 April 2015.
Schmitt, Michael N. (Ed.).Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge: Cambridge UP, 2013. Print.
Waltz, Kenneth N. “Nuclear Myths and Political Realities.” American Political Science Review, 84.3 (1990): 731-745. Print.
Waxman, Matthew C. “Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4).” Yale Journal of International Law 36 (2011): 1-39. Social Science Research Network. Web. 12 March 2015.