On Iran and Pre-Emptive Cyber Attacks

irancyberEarly in February of 2013, many news outlets came out with articles about the US Government having a ‘secret legal review‘ on the use of its cyber-arsenal. This legal review concluded that the US government could launch a cyber attack against a threatening nation if the country needed to defend itself. Essentially it boils down to ‘legitimately’ having the power to order a pre-emptive cyber attack, even though only the President himself can authorise such an attack.  As many nations are developing their own Cyber program, and some nations are very actively using cyber attacks to get a definite leg up, nobody really expected any other outcome. A very damning report by Mandiant on “APT1” recently emphasised yet again how professional and broad-scoped China’s cyber espionage apparatus has become, and the United States finds itself a major target in these operations. Even though this same report is heavily criticized by experts for having critical analytical faults, it is hard to deny that Cyber is still increasing in overall popularity on the world’s geopolitical stage.

Some say that this ‘right to strike pre-emptively’ is a warning shot across the bow of China, but it cannot be said that it is a timely revelation in any respect. After all, not having formally asserted this right to strike pre-emptively did not deter the cyber attack against Iran’s nuclear enrichment facilities in Natanz, which was devised during the Bush Jr. administration but was executed under Obama. A cynical view might take that to mean that not one, but two separate administrations had already asserted that right years before. Also, even though it was never confirmed officially, the Washington Post published an article in 2012 that claimed Flame, a piece of malware dubbed the successor to Stuxnet, was also developed by the US government years before, and launched against Iran in roughly the same period of time, also with the intent of slowing down Iran’s nuclear enrichment program.

What makes this all especially interesting is the recent publication of the Tallinn Manual on the International Law Applicable to Cyber Warfare, as commissioned by NATO’s Cooperative Cyber Defence Center of Excellence in Estonia. It’s lead author, Michael D. Schmitt, is also a professor of international law at the US Naval War College in Newport. In a recent interview with the Washington Times professor Schmitt revealed that the collective of authors who worked on the Tallinn Manual were of the opinion that the Stuxnet attack was indeed an Act of Force. These are “Acts that kill or injure persons or destroy or damage objects are unambiguously uses of force”. This is significant because it means that by the opinion of the worlds leading legal minds on Cyber Law (lead by an American, no less), Iran has a legitimate legal reason to declare war against the United States. I should point out that the reverse is not the case, even ifIran is actively seeking nuclear weapons (which does seem likely, seeing as how it would level the geopolitical playing field for them).

Given the already volatile nature of the Middle East as a whole, you’d have to wonder if cyber weapons are a blessing or a curse. The threshold to their use seems to be significantly lower than kinetic means, but this –in turn- may quickly give legitimate claim to escalate matters into the kinetic spectrum. Whatever else may happen, on this front it will be a most interesting decade.

Debating Cyber Warfare – Still more questions from .GOV (Part III)

In this closing article, last in a set of three, I discuss some international treaties that may or may not apply to Cyber Security. Again I would like to note that the answers I give are merely my opinion on the matter. This article is comprised of two questions. Without further ado:

In how far can international codes of conduct in using the digital domain contribute to increase Cyber Security? Can we learn from experiences with existing codes of conduct such as in the area of non-proliferation?

Fading national borders and defacto international routing of data traffic are a property of cyberspace we can’t escape. This makes international relations and codes of conduct essential, especially when considering fighting cyber crime. This calls for Law Enforcement Agencies and Justice departments of multiple countries to work together to stop criminal enterprises in their tracks. International cooperation amongst law enforcement agencies in taking down cyber crime rings has been taking place for several years now, and although not nearly as successful as we’d hope, they did have some successes. For an excellent read on this subject, I recommend Joseph Menn’s Fatal System Error.

As for Cyber Warfare and Cyber Conflict, there are various internationally accepted legal frameworks and cooperative initiatives that can provide some help with increasing security in Cyberspace. Consider the Law of Armed Conflict or the Universal Human Rights, both of which have received wide adoption and have led (and still lead) to increased cooperation among nation states. Connecting to existing initiatives in this area is therefore highly recommended.

Although Non-Proliferation has a similarly high adoption rate, using this as an example may very well give off the wrong idea because of the emotional ‘weight’ associated with nuclear weapons. Cyber weapons are not currently anywhere near the immediate physical threat that nuclear weapons pose, nor is it feasible to attempt to restrict development or trade of cyber weapons. Cyber weapons consist of computer code and knowledge of the target system or application. Anyone with enough knowledge can create one, and all it takes is a computer. Connect that system to the internet and proliferation is both virtually immediate and unstoppable.  

How can NATO and the EU give substance to the principles of Common Defence, Deterrence and the Solidarity clause when considering cyber threats? How can NATO and the EU improve the information exchange with regards to threat analyses?

Existing initiatives within NATO and the EU offer excellent opportunities in this regard. For instance, a better connection to the NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia is a very good idea. The CCDCOE was founded and sponsored by a number of nations, but the Netherlands was not one of them. It is still possible to become a sponsoring nation by signing its Memorandum of Understanding and after looking at its Mission statement revolving around cooperation, I highly recommend our government does so. Aside from this centre, NATO’s own C3 agency has various endeavors with regards to Cyber Security that we here in the Netherlands might be able to get an advantage out of.

All in all, it’s safe to consider that our best bet lies in engaging in cooperation with other culturally similar nations. Most western nations are as connected to the Internet as we are, and they share our understanding of how critical cyberspace is to us and our economies. Together we simply have a much better chance of improving our situation online.