Offensive Operations in Cyberspace

by White Wolf Security

Part I - Understanding Cyberspace

The recent events in Estonia have policy makers and others looking at the rules and permissions needed to support offensive operations in cyberspace. Many are calling for new laws and amendments to charters, processes that are measured in years. We do not have years to figure this out, nor do we need them. Existing legal and ethical frameworks already support and legitimize offensive operations in cyberspace. The key to understanding this is to demystify cyberspace and cyberspace operations. With very minor exceptions, they are no different from their real-space counterparts. There are seven key elements to understanding this:

  1. Cyberspace is a terrain like land, sea, air and space.
  2. Like a terrain, cyberspace has definite geographic limits and boundaries.
  3. The attack planning and execution sequence is the same in both physical and cyberspace.
  4. The problems of attack attribution are the same in both physical and cyberspace.
  5. The range of attacks; from nuisance to mass damage is the same in both physical and cyberspace.
  6. The range of responses; from reporting a grievance to mass damage is the same in both physical and cyberspace.
  7. The range of actors is the same in both spaces with identical responsibilities.

The following is a summary breakdown of these seven elements:

  1. Cyberspace is simply another terrain alongside land, sea, air and space.

Cyberspace is a terrain within which operations (including wars) can be conducted. Like land, air, sea and space, cyberspace is a location where assets are targeted and engaged, attacked and defended. It shares the same characteristics as real space. Parts are used by civilians, others by militaries and governments. The rules of war apply equally to all terrains.

  2. Cyberspace has geographic boundaries.

The myth that "the internet knows no geography" is misleading and dangerous. The computer I am writing this paper on resides in physical real space. So, too, does the cable connecting me to the Internet. The servers and routers providing information and data flow also reside in real space. IP addresses (the addresses that run the Internet) are parceled out and managed by regional registries on a geographic basis. A simple fact: particular IP address ranges are allocated to particular countries. A more correct statement is "it is easy to traverse geographic boundaries using the Internet when compared to other transmission or travel mediums." The rules of war, peace and conflict are applied to operations within a given geography or terrain. Cyberspace is just another terrain wherein the same rules of war apply.

  3. The attack planning and execution sequence is the same in both physical and cyberspace.

An attack in cyberspace is planned and executed in similar fashion to attacks in real space. An aggressor must choose and reconnoiter a target. The target is chosen based on its ability to accomplish specific goals that benefit the aggressor and/or damage the victim(s). Once the target is chosen and surveilled, tools are tested and deployed against the target in an attempt to accomplish those goals. Some would argue that the speed with which this attack sequence can be carried out makes it more, better or different than traditional physical attacks; we will show that this is a distracting concept that takes away from the real issues. The steps required for successful mission planning and execution are the same in physical space and cyberspace.

  4. The problems of attack attribution are the same in both physical and cyberspace.

Attribution is a strategic or policy issue, not a tactical one. For example, the ground soldier taking sniper fire from a mosque is not concerned with exactly who is pulling the trigger, who paid them, or where they were trained. Nor is the soldier concerned with whether the shooter is acting out of duty to country or because his family is being held hostage and his actions are coerced. The soldier on the ground is concerned with only a few things, most of them related to his own survival. His rules of engagement dictate how he can respond and in what manner. Those ROEs are written before the soldier enters combat, not while he is taking incoming rounds. Attribution is a concern in both real space and cyberspace, and in both there are rules of engagement that let those with the more immediate concern for safety and survival act without first resolving it, in ways that incorporate national and strategic policy. Once the threat is neutralized or the soldier is out of harm's way, then and only then does attribution become a concern, and even then it is a concern for field commanders and policy makers.

  5. The range of attacks; from nuisance to mass damage is the same in both physical and cyberspace.

Like its real-world counterpart, conflict in cyberspace spans a very wide range of activities. At one end there are nuisance attacks such as spam and web site defacement. At the other end there are attacks against critical infrastructure that can cause mass damage and casualties. The same range of activity exists in the real world. This range of activity is paired with the range of responses to produce proportional responses to malevolent activity.

  6. The range of responses; from reporting a grievance to mass damage is the same in both physical and cyberspace.

Well-trained cyberspace operators have a range of responses that mirror those in real space. On the minimally invasive end there are formal grievance procedures. Further up the scale are the operations that require access to systems. One does not need to destroy a server in order to gain access to it, nor does access to a server result in its destruction. In most instances, simply disabling the attack mechanism is enough to mitigate an ongoing attack. The relationship of the defense to the attack must be proportional in both cyber and real-space operations.

  7. The range of actors is the same in both spaces with identical responsibilities.

Malevolent acts in real space are conducted by a wide array of people and groups; likewise, those who respond to such acts are a wide array of people and groups. For example, a sniper in the D.C. metro area was handled through the law enforcement and legal process of the United States. That same sniper elsewhere in the world would be treated to indirect artillery fire and heavy machine guns. The action is the same: a sniper is in the area. It is the area within which the activity occurs that dictates who responds and how. The "who" in the equation also dictates responses. The Oklahoma City bombing was conducted on U.S. soil by a U.S. citizen. The 1993 World Trade Center bombing was conducted on U.S. soil by a non-U.S. citizen who then fled the country. The mission in both cases was the same: find the person(s) responsible and hold them accountable. The people who conducted the operation came from different organizations, but with the same mission success criteria. The same rules apply to conducting offensive operations in cyberspace as a response to actions taken against U.S. citizens and infrastructure.

The analysis is simple and pre-existing. Conducting offensive operations in cyberspace falls under the same rules and limitations as operations in real space. The next section walks through a few scenarios to illustrate the above principles.

Scenario 1 - Phishing from China

A U.S. citizen receives what appears to be a legitimate email from the Better Business Bureau stating that there is a complaint against their company. The person clicks on a link within the email and unknowingly infects their machine with malware. The malware monitors keystrokes and sends banking login information to an organized crime group, who then siphon several hundred thousand dollars out of the person's commercial account.

The analysis of who is allowed to do what to whom would follow thusly:

  1. Is the victim a U.S. citizen? Yes; therefore someone in the US is allowed to manage the response.
  2. Was there economic loss? Yes; the bank may or may not make the victim whole.
  3. Was there physical damage or loss of life and was that the intended result? No; this means that any response we conduct should not directly result in physical damage or loss of life.
  4. Do we have a legal agreement with China? No; there is no legal arrangement that would allow us to shut the server down.
  5. Is the server still a threat? Yes; so long as the server remains up, other people can be victimized.
  6. Do we know the ultimate actor? No; at this time we do not know the nature of the person or persons responsible. When the ultimate actor is discovered, our only response is through the legal process. The action committed is financial fraud, which is a crime and to be handled through established extradition law and treaties.

Based on the analysis above, the appropriate response is simple:

A federal (non-DoD, non-law-enforcement) agency should gain access to the phishing server, shut down the processes responsible for the phishing site, process the server remotely to gain intelligence on other victims, and install a sniffer to help identify the ultimate actors responsible.

Scenario 2 - Cyber Attack with Physical Consequences

In this scenario we find that the systems controlling the D.C. subways have been compromised. As a result of the attack, several trains are forced into collisions. Several people are dead and many more injured.

The analysis of who is allowed to do what to whom would follow thusly:

  1. Is the victim a U.S. citizen? Yes; therefore someone in the US is allowed to manage the response.
  2. Where did the attack originate from? Logs list several source IP addresses from various Eastern European and Asian countries.
  3. Was there economic loss? Yes.
  4. Was there physical damage or loss of life and was that the intended result? Yes; this means that any response we conduct has the option of directly resulting in physical damage or loss of life.
  5. Do we have a legal agreement with any of the initial attack origins? For those that we do, use existing legal process to gain physical access to the systems and process for evidence to bring us one step closer to the true point of origin. For those that we do not, compromise said systems over the Internet to gain information that will bring us one step closer to the true point of origin.
  6. Are the attacking systems still a threat? Marginally; while they could be used again, the victim can simply block them by source IP address.
  7. Do we know the ultimate actor? No, at this time we do not know the nature of the person or persons responsible. Once said person(s) are identified, their actions are considered an act of terrorism and several recourses of action are available including extradition or military counter-strike.

Part I - Summary and Conclusion

Too often we let the novelty of cyberspace and cyberwar distract us from the reality it represents. Cyberspace is simply another terrain. Operations in cyberspace mirror those in real space and thus should fall under the same rules. Before the Internet, the famous Nigerian 419 scam was conducted via the mail. Financial fraud is financial fraud; how you conduct it does not change that fact; so too with acts of terrorism, war and conflict. We do not need new laws or permissions to take proactive steps to protect our citizenry. If you treat cyberspace simply as another terrain, the existing frameworks will guide you through the analysis.

We know the general limits and range of attack and consequences in this terrain. We also know the general limits and range of responses. What we need is to craft the Rules of Engagement now. People need to know that they will not be allowed to freely attack our citizens and infrastructure without the fear of reprisal. We are at war and a defense-only posture has never worked.

Part II - Going Offensive

Introduction

There is a long list of those who would harm the U.S. The list includes not only the traditional nation-state actors but terrorist groups, organized crime, radical groups and even individuals. The Internet and our over-reliance on technology allow these groups to work together and learn from their successes and failures. Every day individuals and organizations are attacked via the Internet. Everything from phishing scams up to cyber extortion, denial of service and computer intrusions impacts the citizens of the U.S. Up until now, the only choice was to hunker down within our collective networks and hope to survive the next wave of attacks, worms, viruses and scams. While our enemy attacks with impunity, we respond by burrowing deeper behind technologies and laws that do very little to stem the flow.

In our first paper, we equated cyberspace with real space. When facing cyberspace with such a view, it is easy to justify and plan for retaliatory and even preemptive actions in cyberspace. Active defenders are under the same limitations as operations in real space; primarily the principles of discrimination, necessity, proportionality and chivalry. These are the traditional four principles of the law of war; as such they are typically applied to direct physical action. No state of war exists on the Internet. We have not declared one, nor has any other state, nation or actor. However, the analysis is a sound framework and workable for all conflict.

This paper will use this existing framework to outline a continuum of cyber events and appropriate responses, and to identify those who should effectuate those responses. This is not a definitive guide but a general framework to be used to "get in the game" sooner rather than later. If we, as a country, are forced to wait for the UN, NATO or even the U.S. legislature to amend articles and create new laws, we will end up with a war that is over before we can even enter the battlefield. John Robb asks in his current book: "What if warfare were reinvented and nobody bothered to tell the Pentagon?" This is an unacceptable end point.

The four principles of the law of war and their applicability to operations in cyberspace

Discrimination: "Prior to any use of force, the attacker [must] distinguish between combatants and noncombatants, between military objectives and civilian objects." [1] In cyberspace the analysis is a bit different. A target in cyberspace is an IP address (as opposed to a latitude and longitude coordinate pair). This target may be in the possession of a civilian but controlled by a malicious third party. Discrimination in cyberspace therefore revolves around the criticality of the system behind the IP address. The commander must determine whether the intended IP is within the purview of critical infrastructure. This factor helps identify potential second- and third-order effects that might manifest in the physical world. An example would be a SCADA controller.

If an IP address is attacking a U.S. asset, the first-order effect of a retaliatory strike would be to disable the process on that IP address responsible for the attack. An inappropriate attack against a SCADA controller could result in power loss (second-order effect) and then loss of life in a hospital due to that power loss (third-order effect).

Necessity: "Permits the use of all force required for mission accomplishment and force protection, but not superfluous force or unnecessary suffering." [2] A self-evident principle, this limits the scope of the response to that which is required to terminate the attack and prevent further harm from the same IP address.

Proportionality: "Requires the military commander to balance the collateral damage (against civilians and their property) of a planned attack against the concrete and direct military advantage expected to be gained." [3] As is pointed out in several articles, this does not limit the response to the same amount or type of force as was used in the initial attack. However, any cyber counter attack must take into account any collateral damage that may result.

Chivalry: This is the easiest of the principles; counter attacks will not be launched from cyber assets that clearly belong to humanitarian or other non-combatant parties.

Attack Attribution - Following the Chain

In preparing for any counter attack in cyberspace it is important to note that the systems executing the initial attack may or may not be in direct communication with the person(s) directing the attack. Bots and botnets allow a single person to direct the attack power of several hundred thousand systems around the Internet. Likewise, computer network intrusions can be relayed through several bounces to obfuscate the attacker's true IP identity. To address this trail of systems, we recommend a simple three-level model. The tertiary level is the IP addresses of the actual attacking systems. They represent the ground soldiers in the cyber attack and are the farthest away from any command and control (C2) assets. The primary level is the IP address of the ultimate person(s) responsible for the attack. Any IP address between the two is simply grouped into the secondary level.

Attack Geography - Law and Policy

The systems behind IP addresses occupy real space. As such, they have a geographic locus which pulls them into the international legal framework. In general, there are three geographic locations from which an attack may be launched:

  1. Inside the US.
  2. Outside the US, but from a friendly nation (that being a nation with established legal agreements allowing for law enforcement or military cooperation).
  3. Outside the US, from an unfriendly nation (that being a nation with no established legal agreements allowing for law enforcement or military cooperation).

The distinction is important. While the location of the point of attack matters, it will not change the nature of the response. What it changes is who will effectuate the response.
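The two preceding sections describe a procedure an analyst actually has to carry out: walk the observed attack traffic back from the victim to place each host in the tertiary, secondary or primary level, then map each host's address block to a registry country and so to one of the three geographic regions. The following Python is an added illustration of that procedure and is not White Wolf Security's code. It assumes the real regional-registry "delegated statistics" file format (registry|cc|type|start|value|date|status), but the rows embedded here are constructed from the RFC 5737 documentation prefixes with invented country codes, the flow records are likewise constructed, and the set of "friendly" countries is a hypothetical policy input that no IP lookup can supply. One caveat a practitioner should keep in mind: the registry country is the country of the organisation the block was allocated to, not a guarantee of where the host physically sits, and the flows only show what the victim's sensors saw, so the "primary" host found here is only the deepest one visible, not necessarily the person at the keyboard.

```python
"""Attribution triage: place attacking hosts in the three-level model and
map each to its registry country and geographic region.
Added example, not White Wolf Security's code."""
import bisect
import ipaddress
from collections import defaultdict, deque

# Constructed sample rows in the RIR delegated-statistics format. The
# blocks are RFC 5737 documentation prefixes and the country codes are
# invented. For ipv4 rows, 'value' is a host count, not a prefix length,
# and need not be a power of two.
DELEGATED_SAMPLE = """\
arin|US|ipv4|198.51.100.0|256|20070101|allocated
ripencc|DE|ipv4|192.0.2.0|128|20070101|assigned
ripencc|EE|ipv4|192.0.2.128|128|20070101|allocated
apnic|CN|ipv4|203.0.113.0|256|20070101|allocated
"""


class RirTable:
    """Sorted (start, end, cc, registry) ranges with bisect lookup."""

    def __init__(self, text):
        rows = []
        for line in text.splitlines():
            fields = line.strip().split("|")
            if len(fields) < 7 or fields[2] != "ipv4":
                continue  # skip header, summary, ipv6 and asn rows
            registry, cc, _, start, value = fields[:5]
            first = int(ipaddress.IPv4Address(start))
            rows.append((first, first + int(value) - 1, cc.upper(), registry))
        rows.sort()
        self.rows = rows
        self.starts = [r[0] for r in rows]

    def lookup(self, ip):
        """Registry country code for ip, or None if in no known range."""
        n = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self.starts, n) - 1
        if i >= 0 and self.rows[i][0] <= n <= self.rows[i][1]:
            return self.rows[i][2]
        return None


def region_of(cc, friendly):
    """The paper's regions: 1 inside the US, 2 friendly non-US, 3 unfriendly.
    An unknown country is treated conservatively as region 3.
    'friendly' is a policy input, not derivable from the address."""
    if cc == "US":
        return 1
    if cc in friendly:
        return 2
    return 3


def attribution_levels(flows, victim):
    """Walk (src, dst) flows backwards from the victim.
    tertiary  = hosts that hit the victim directly (the bots)
    primary   = deepest upstream hosts with nothing further upstream
    secondary = everything in between (relays, bounces)
    Cycles such as bot-to-bot traffic or victim egress toward the
    controller are tolerated: a host keeps the shallowest depth seen."""
    upstream = defaultdict(set)
    for src, dst in flows:
        if src != dst:
            upstream[dst].add(src)
    depth, seen = {}, {victim}
    queue = deque((src, 1) for src in sorted(upstream[victim]))
    while queue:
        ip, d = queue.popleft()
        if ip in seen:
            continue
        seen.add(ip)
        depth[ip] = d
        queue.extend((s, d + 1) for s in sorted(upstream[ip]) if s not in seen)
    levels = {}
    for ip, d in depth.items():
        if d == 1:
            levels[ip] = "tertiary"
        elif any(depth.get(s, 0) > d for s in upstream[ip]):
            levels[ip] = "secondary"
        else:
            levels[ip] = "primary"
    return levels


def triage(flows, victim, rir, friendly):
    """One row per attacking host: level, registry country, region."""
    levels = attribution_levels(flows, victim)
    order = {"tertiary": 0, "secondary": 1, "primary": 2}
    rows = []
    for ip in sorted(levels, key=lambda i: (order[levels[i]], i)):
        cc = rir.lookup(ip)
        rows.append({"ip": ip, "level": levels[ip], "cc": cc,
                     "region": region_of(cc, friendly)})
    return rows


# Constructed flows: two bots hit the victim, both driven through one relay,
# the relay driven by a controller; plus bot-to-bot traffic and victim
# egress to the controller, which form the cycles the walk must tolerate.
VICTIM = "198.51.100.10"
FLOWS = [
    ("203.0.113.7", VICTIM), ("203.0.113.9", VICTIM),
    ("203.0.113.7", "203.0.113.9"),
    ("192.0.2.200", "203.0.113.7"), ("192.0.2.200", "203.0.113.9"),
    ("192.0.2.5", "192.0.2.200"),
    (VICTIM, "192.0.2.5"),
]

if __name__ == "__main__":
    table = RirTable(DELEGATED_SAMPLE)
    for row in triage(FLOWS, VICTIM, table, friendly={"DE", "EE"}):
        print(row)
```

Run as-is, the two 203.0.113.0/24 bots come out as tertiary hosts in region 3, the relay as secondary and the controller as primary, both in region 2, which is exactly the split the next section uses to decide which responder may act against each host.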

Counter Attack - The Responders and Managing Escalation

The next item in the matrix is who is going to execute the counter attack or cyber response. Keep in mind that (with the exception of the U.S. network infrastructure), no enemy will sit still while you take pot shots at them. Any proactive or aggressive response will change the status quo and shift the rules. In the short run, we will see a spike in hostile activity against the U.S. when those who would do us harm realize that their window of free rein is closing. Likewise, when dealing with the big money of organized crime, you run the risk of any cyber response being met with real physical harm. Organized crime draws no distinction between hacking and physical violence; they will use both with equal efficacy and cruelty. Those would-be counter-hackers who are not prepared to cope with death threats against themselves and their families should think twice before entering this war.

As a result, the war will be pushed onto those least prepared to shoulder the burden, corporate America. The private sector networks offer the greatest target space for organized crime, terrorists, industrial espionage and state actors. A limited grant for the authorized use of cyber force will necessarily have to pass to corporations seeking to proactively protect their network assets and work force.

In the end, we are left with the following groups authorized to counter strike in cyberspace:

  • Corporate victims
  • Federal Law Enforcement
  • Department of Defense (DoD)
  • National Security Agency (NSA)
  • Private Military Companies (PMCs)

Each of these groups is chosen for a specific reason and is granted a very specific right to the use of cyberforce. The authorized use of cyberforce mirrors the authorized use of force in real space. The individual home user is left off this list. Their only recourse is entrenched cyber defenses. If their home network comes under direct network attack, they may call for support. The home user does not have the sophistication, tools, training or resources to mount an effective use of cyberforce.

Corporations are allowed to use cyberforce in the direct defense of their organization's network from directed, concerted attacks. General attacks such as phishing and online scams are NOT directed attacks per se and responses to those are left to other groups. Examples of directed attacks include cyber extortion, network intrusions and denial of service. Corporations are authorized the use of cyberforce against the first two geographic regions (US and friendly non-US).

Federal law enforcement has a very broad mission, from the proactive, protective details of the United States Secret Service to the investigatory work of the Federal Bureau of Investigation. In the case of cyberforce, federal law enforcement should be allowed to take those proactive steps necessary to protect the citizenry of the United States and to manage large-scale attacks against corporations that are outside the resource limits of the private sector. Federal law enforcement also has the legal authority for the use of deadly force. When engaging in operations that tend to implicate organized crime, law enforcement is uniquely equipped to handle the escalation into real space; they alone have the experience in dealing with the death threats and violent actions that organized crime uses to coerce and threaten. Federal law enforcement is authorized the use of cyberforce within the first two geographic regions (US and friendly non-US).

The Department of Defense is allowed to take any and all proactive measures to protect its networks inside the US and abroad. Branches of the armed services should be allowed to use cyberforce in response to directed cyber attacks against DoD networks. DoD is authorized the use of cyberforce against all three geographic regions (US, friendly non-US, and unfriendly non-US).

The National Security Agency has been chosen for this article for a specific reason. Its role is to handle operations against IP addresses that reside in the third geographic region: outside the US and unfriendly. Private corporations are not equipped to handle operations against unfriendly nations, and IP addresses attacking from these countries may or may not be state sponsored. Likewise, federal law enforcement has no legal presence in these countries. The NSA is uniquely qualified to conduct cyber operations against assets in these countries.

Private military companies represent an emerging operator base. The PMCs can work as sub-contractors to all the above mentioned groups and enjoy the freedom of mobility. The PMCs can also handle the cyber and physical threats facing corporations as well as any escalations that may occur as a result of use of cyberforce. PMCs are authorized the use of force within all three geographic regions.

The MATRIX

Below is a model matrix for attack and response in cyberspace. It addresses the issues and actors from this paper and puts them in a construct that is easily manageable. A key factor in managing attack escalation is notification. The world public needs to know the limits and rules by which we will protect our citizenry and critical infrastructure. This is necessary to prevent the use of cyberforce from escalating to an exchange of missiles.

Each entry gives the cyber incident, the victim class for which the entry applies, and the authorized cyberforce response.

Cyber incident: Port scanning and other network reconnaissance
Victim: N/A
Cyberforce response: No response is appropriate. Log the IP address and activity for future analysis.

Cyber incident: Spam
Victim: N/A
Cyberforce response: Spam is a facilitator of financial fraud, identity theft and other crimes. It is typically a tertiary-level operator. Spam servers are to be identified and compromised, the process responsible for the spam stopped and deleted, and evidence collected to identify secondary and primary sources.

Cyber incident: General (broad) phishing
Victim: N/A
Cyberforce response: Phishing sites are typically tertiary-level operators. The phishing site is to be identified and compromised, the process responsible for the site stopped and the web pages removed, and evidence collected to identify secondary and primary sources.

Cyber incident: Spear phishing (directed attacks against high-ranking individuals)
Victim: Corporation, government, DoD
Cyberforce response: Spear phishing is still conducted from a tertiary-level operator. However, the sensitivity and criticality of the targeted credentials escalates the nature and timeline of the response. The phishing site is to be immediately compromised, the process stopped and the files deleted. Backdoors and sniffers are installed to proactively identify secondary- and primary-level operators.

Cyber incident: Identification of a potential primary-level operator
Victim: N/A
Cyberforce response: The system is to be identified and compromised. Evidence is collected to positively identify the person behind the keyboard, and files are systematically destroyed to prevent use of the system as a primary operator.

Cyber incident: DoS or DDoS bot
Victim: N/A
Cyberforce response: Traffic from the source IP address is blocked at the victim or ISP level. A statistically representative number of identified bots are compromised, the attack process is stopped, and evidence is collected to identify secondary and primary sources.

Cyber incident: Site hosting copyrighted material
Victim: Holder of the copyright
Cyberforce response: The victim corporation is allowed to compromise the server and stop the process responsible for hosting the copyrighted material. All identifiable copy-protected material is to be deleted.

Cyber incident: Computer network intrusion/data theft across a network
Victim: Corporation
Cyberforce response: Identify potential sources of the attack or destinations for the stolen data. Minimally invasive compromise to identify the role of the IP address in the attack chain.

Cyber incident: Computer network intrusion/data theft across a network
Victim: SCADA
Cyberforce response: Identify potential sources of the attack or destinations for the stolen data. Compromise the systems in short order. Delete files that could be used to repeat the attack. Install backdoors and sniffers to identify secondary- and primary-level operators.

Cyber incident: Computer network intrusion/data theft across a network
Victim: DoD mission-critical network (a network responsible for active support of operations)
Cyberforce response: Identify potential sources of the attack or destinations for the stolen data. Compromise the systems in short order. Delete files that could be used to repeat the attack. Install backdoors and sniffers to identify secondary- and primary-level operators.

Part II - Conclusion

This is not an absolute or exhaustive model. It is a starting point for entering into the authorized use of cyberforce. Any framework will need refinement and adjustment over time. The important takeaway from this matrix is that there is a need to authorize the use of cyberforce in the protection of the U.S. citizenry and critical infrastructure. A defense-only posture is unacceptable in the current climate. This paper is designed to show who the relevant actors and what the responses would be in an overall framework that allows us the necessary freedom and support to protect our own.

About White Wolf Security

White Wolf Security is a provider of high-end, tailored, hands-on Information Security training. We are unique because our courses move beyond the technology. Our diverse team of instructors is pulled from a variety of backgrounds. As a result, we are able to address the Technical, Legal, Policy and National Security issues that surround information and its uses.

Footnotes

  1. An Introduction to Legal Aspects of Operations in Cyberspace, by Thomas C. Wingfield and James B. Michael, 2004
  2. Ibid.
  3. Ibid.