The Right to Strike Back

pic3-640x400As published on Norse on June 26, 2015.

Last week, at the HiP Conference in Paris, there was a debate on whether or not it should be allowed to strike back when you are being hacked. Currently, criminal law in most countries does not allow it. But is this tenable in today’s’ highly digitized society rife with cybercrime?

My position in this matter is that we should create a legal recognition of the fact that we are in a social gray area where it concerns the Internet, even if it is only a temporary recognition, and allow for somecapability to strike back at cyber criminals. As I’ve said before, humanity is only now scratching the surface of what it means, socially and culturally, to have (largely) unrestricted access to the collective knowledge of Man at our fingertips, (almost) everywhere and (almost) anytime we desire.

In virtually every aspect of the human experience, it has made its’ impact felt. The number of human lives that remain completely unchanged through some kind of information technology is rapidly dwindling to zero as technology advances, and our adoption of them continues to rise.

Under the umbrella-term “Cyber”, that is similarly revered and reviled, we are inching our way through the various aspects of our daily lives to adapt our old notions of how we ‘did things’ to incorporate the new realities we face in the Information Age. Crime, international politics and armed conflicts are among the most hotly debated topics in this regard. What I am getting at, is that in a social and cultural sense, Cyberspace can (and in my opinion should) be considered terrain in the early stages of colonization. Think of it as the New Frontier or the Wild West, if you will.

We recognize that there is this huge new area that can be explored, colonized and exploited, but exactlybecause it is new and untamed, there should be only a limited expectation of Law and Order. Certainly, in most countries the national laws have been revised to incorporate the new realities of Cyberspace. But often these amendments or new laws are only rough first drafts because very few (if any) people understand exactly what Cyberspace means (culturally and socially).

What doesn’t help is the fact that as our technology continues to advance, our uses –and in turn the consequences- are changing with it. In other words: even if we manage to define proper laws for the circumstances right now, there is a good chance that they will be outdated due to technological advances in short order. But that is not really the core issue. Having properly defined, applicable and reasonable laws is only the first step. You have to be able to enforce a law if you expect people to follow it, otherwise it just becomes little more than an advisory note. A cute bauble that the criminally inclined can have a chuckle over while they continue making money off of these exact crimes you’re trying to prevent. And that, unfortunately, is largely where we are now.

Despite being a horrible analogy in every other sense, Cyberspace is the Wild West. Law and Order is reasonably established in some areas, but for the most part you can only depend on the occasional sheriff or Ranger. As was the case in the early years of the Wild West, there –on the whole- isn’t a whole lot of coordination between law enforcement, the government and the citizenry. This can be easily verified by looking at the figures. The number of successfully prosecuted cybercrime cases is very small indeed, when compared to the number of reported incidents. Also consider that we don’t see every incident, and even when incidentsare discovered, they are not always reported. Please don’t misunderstand what I am trying to say: This is not intended as a snipe against law enforcement or the government. They are trying to get a handle on these cases. But the fact of the matter is that we have a serious lack of expertise and experience across the board. There just aren’t enough people skilled and experienced enough to make a serious dent in the numbers. Or, for that matter, to faster develop an underlying framework that makes law enforcement of cybercrime any easier.

Frameworks containing (and hinging on) effective international agreements, laws and political policy to address cybercrime are also still being developed. The often-heard argument to forbid people from striking back at cyber criminals is that to do so is anoffensive act, and not a defensive one. In other words, striking back should be considered a weapon and not a shield. In the strictest sense of the definition this is indeed correct. However, just looking at the success rate of cyber-attacks alone will dissuade anyone from the notion that a “good defense” is enough to stave off a cyber-attacker.

Even the US military, with the highest defense budget in the world, can’t prevent some attacks from being successful. In very practical terms this tells us that we cannot count on being secure when we are only allowed to defend ourselves; something is clearly missing. Perhaps that missing element is the right to strike back. To stick to the earlier analogy of the Wild West, we are unarmed and criminals are not. Essentially we are telling people not to act when they are being attacked. To trust the Police to protect us against predators. To sit still and pray that the criminals don’t find the valuables we’ve buried in the proverbial shed. But clearly the Police are not capable of doing so right now, as can be easily deduced from the figures mentioned earlier.

In my opinion this is untenable, and quite frankly I find it unconscionable to leave the average citizen as such an easy prey. During the debate I therefore argued for at least a temporary recognition that allows for striking back at our assailants, with the express goal of halting an attack. It will be interesting to see how the other panelists view it, and I look forward to hearing if perhaps there is another solution to the problems we face today.

Debating Cyber Warfare – More Questions from .GOV (Part II)

In continuation of the series I promised you on high-level debates surrounding Cyber Warfare, here is the next article in a series of three. This article will be the longest in the series due to the multi-parted nature of the question. Of course the answers given to each of the questions are merely my opinions on the matter. Please feel free to comment or contact me with relevant remarks.

Question                
In how far, and in what way, are existing international Legal frameworks relevant to behavior in the Cyber domain; specifically in relation to cyber violence? 

  • [Ad Bellum] Under what circumstances can a cyber threat be considered use of force or threatening use of force, in the sense of article 2, section 4 of the UN Charter? Under what circumstances can a cyber attack be considered an armed attack  that justifies violence in self-defence based on article 51 of the UN Charter?
  • [In Bello] When does humanitarian law of war apply to behaviors in the Digital domain? Must these be linked to kinetic use of force? How would this, during such application, be given shape to the Law of War’s  principles of distinction and proportionality, and the requirement of taking precautions for safety?
  • How would Civil legal concepts such as Sovereignty and Neutrality be given shape in the Cyber Domain?

Relevant UN Charter articles:

  • Article 2, Section IV:
    All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.
  • Article 51:
    Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defence shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security.

An Answer – the Right to Self Defence
Although Cyber gives a new dimension to Warfare, it is my opinion that the general application and behavior apply in the same fashion as they do under conventional warfare. It is important that one should look to the effects of cyber attacks rather than the method or the individual components therein. In the end it is the damage dealt that bears relevance to those it is inflicted upon rather than the method. For this reason the thresholds that have bearing on the various articles in the UN Charter  we have set for conventional warfare do not necessarily change because of innovation in technology, nor do  international agreements automatically become void. Under the current UN Charter, each member state has the right to actively defend itself when attacked (or threatened with attack) and I feel this right remains relevant when discussing cyber warfare. I would like to point out though, that what is typical for Cyber Warfare, but uncommon in kinetic operations, is the problem of Attribution. Not knowing who will attack, is attacking or has attacked you complicates the situation considerably. It makes all action and reaction susceptible to a fair margin of error and so any response should be carefully considered before execution.

Humanitarian principles
As far as humanitarian principles in warfare go, it is certainly conceivable that cyber attacks may directly or indirectly lead to injury or loss of life. For instance, when a cyber attack on a power plant successfully blacks out an area, this can cause all kinds of damage. Some of the more obvious risk area’s are those that affect Hospitals and Emergency Services such as Police and Ambulance services, but this is not a new aspect of warfare. Knocking out power and communications is always something that must be done with utmost care, and this advance in technology doesn’t change that. In this case a well-placed cyber attack may very well be preferred over a kinetic attack that does permanent damage. Principles of distinction between military and civilian targets, as well as proportionality should still apply when discussing the use of cyber attacks.

Civil-Legal principles
The debate surrounding legal concepts such as Sovereignty and Neutrality are the subject of much debate amongst technical, political and legal experts from many nations, and any answers to these questions are most likely susceptible to change as insight is gained over time. Many people take the approach that Cyberspace does not have physical borders, but this is not exactly true. While Cyberspace as a concept may be regarded as unbound by geography, it is held up by very real, physical networking equipment. Data flowing from one system to the next does actually cross physical space through cables, routers and maybe even airspace via satellites or Wi-Fi connections. As such, this data may be subjected to all kinds of rules and regulations imposed by the owners of the networking equipment in between points of departure and arrival. And what to say about being used as a proxy during a cyber attack? Without international understanding of the ‘rules of the game’, you may be involuntarily drawn into conflicts because one of the parties routes his cyber attacks through your networks, or even using systems that are hosted on your soil. Regardless of what position you take, it’s clear that concepts such as Sovereignty and Neutrality have a place in the debates surrounding Cyber Warfare.