Law of Armed Conflict, Attribution, and the Challenges of Deterring Cyber-attacks
Recent history is full of events demonstrating the serious effects of cyber-attacks and the prominent role they play in global events. Incidents such as the 2010 Stuxnet attack on an Iranian Uranium enrichment facility, the 2008 Russian cyber-attack on the country of Georgia, the 2014 attack on Sony Pictures Entertainment, and the 2015 discovery of a substantial compromise of the United States Office of Personnel Management are just a few recent examples of the significant and dangerous role cyber operations play in world conflicts. The United States possesses the most powerful and technologically advanced military forces in the world and has successfully deterred most conventional attacks against its homeland. Yet when it comes to cyber-attacks, the Sony and OPM incidents show the U.S. has proven seemingly unable to deter these attacks and remains notably vulnerable to attacks in cyberspace. Traditional models of deterrence such as Mutually Assured Destruction (MAD) have worked well with nuclear weapons but applying these traditional models to cyber-attacks becomes challenging when one considers the difficulty of attribution and the limitations of operating within the confines of the international Law of Armed Conflict (LOAC).
This research examines the unique new cyber battle space and explains why it poses a significant threat to the U.S. It studies attribution and how difficulties in this area create significant issues for deterrence of cyber-attacks. LOAC is explored with consideration of how these international laws apply to operations in the cyber domain. Finally, the research will show that if the U.S. continues to apply LOAC to cyber conflicts and remains unable to definitively attribute attacks, it will be unable to deter future cyber-attacks.
To better understand the subject matter presented in the research throughout this paper, several terms are defined here followed by a brief introduction to how data (cyber “weapons”) are transmitted across computer networks.
Cyber: The DoD defines cyber as “a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications network, computer systems, and embedded processors and controllers” (Reveron 2012, 115).
Cyber Operations/Computer Network Operations (CNO): CNO is considered one of the core capabilities of Information Operations and is subdivided into Computer Network Defense, Computer Network Attack, and Computer Network Exploitation (Huntley 2010, 4).
Computer Network Defense (CND): CND are efforts to protect, monitor, analyze, detect, and respond to unauthorized activity within computer networks (Huntley 2010, 5).
Computer Network Attack (CNA): CNA are actions taken through the use of computer networks to “disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves” (Huntley 2010, 5). It is important to note the breadth of this definition includes targeting physical computer hardware as well as the information stored on or passing through the network.
Computer Network Exploitation (CNE): CNE are intelligence collection efforts through the use of computer networks to gather data from target systems (Huntley 2010, 5). This is espionage conducted through computer networks and can include gathering data that is of intelligence value to the actor (i.e. sensitive weapon system information) or simply gathering data about a network for future CNA against that network.
As explained later in the LOAC section, the author understands that not all cyber-operations amount to “cyber-attacks” and that CNA, CND, and CNE all describe different types of operations. For simplicity however, the term cyber-attacks will be used generically throughout this paper to describe all types of CNO.
To understand cyber-attacks and the material later in this paper, a very basic description of how computers communicate and transmit data over networks is included here. Cyber-attacks are, after all, simply malicious data placed on victim systems. Although other means exist for placing this data that are beyond the scope of this research, the most common attack vector is through the Internet.
Similar to a street address for mail delivery, every device on the Internet must have an identifying address in order to send or receive data. Identification of a device on the Internet is accomplished through two numbers, the Media Access Control (MAC) address and the Internet Protocol (IP) address.
The MAC address is assigned to a computer’s Network Interface Card (NIC), which is responsible for receiving communications from and transmitting communications to the network. This address generally remains permanently assigned to a specific device unless the NIC is replaced. The MAC address is used to identify the device on its local network (for example, home network or internal office network) but is not used to identify the device outside that network (Meyers 2015, Glossary).
Identification of a device outside of its local network is accomplished through an IP address. Although a network’s administrator can statically assign IP addresses to specific computers, they are more frequently dynamically assigned through Dynamic Host Configuration Protocol (DHCP.) Using DHCP, computers are automatically assigned an IP address when they connect to the network. This address is assigned for a set period of time and can be reassigned at the end of that period or when the computer disconnects from the network (Meyers 2015, Chapter 7).
IP addresses are the addresses computers use to send data to each other across the Internet. In most instances, however, due to Network Address Translation (NAT), the IP address of individual computers are kept private from outside networks and are replaced with the public IP address assigned to the network’s router. Using NAT, a computer sends data to its network router with a destination IP address. The router removes the sending computer’s IP address, replaces it with its own public IP address, and transmits the data to its destination (Meyers 2015, Chapter 8).
DHCP and NAT create several difficulties important to understand when considering attribution of cyber-attacks. First, because of NAT, even if investigators determine the originating IP address of an attack, this does not lead them to a particular computer. The IP address would be that of a router, which could be the gateway for hundreds of computers at a company or government organization, each with their own private IP addresses. Second, because of DHCP, even if investigators learned a private IP address, this address could have been reassigned to any number of other computers since the time of the attack. An additional complication is that attackers can spoof both the IP and MAC addresses, leading investigators down the wrong path.
Another concept important to understand is that of Proxy Servers. A Proxy Server is a computer that accesses Internet resources on behalf of another computer, leaving the requesting computer hidden (Meyers 2015, Chapter 12). Malicious cyber actors hide themselves by compromising innocent computers and using those computers as proxies to conduct their attacks. Complicating things even further the actors can use proxy-chains, using one computer to access another, to access another, until they finally reach their victim. Investigating an attack using a proxy-chain requires examining all of these compromised computers located throughout the world.
Seriousness of the Threat – Affecting the Strategic Calculus of the U.S.
Opinions within the academic community differ on the severity of cyber threats towards the U.S. These range from “the next threat to national security” (Clarke and Knake 2010) to “overhyping” and “fear-mongering” (Masnick 2015). Whether overhyped or not, the reality among governments is that nations are preparing to operate in this environment and to address the threats they face. The U.S. Department of Defense wrote in its Cyberspace Policy Report to Congress that it recognized “that a nation possessing sophisticated and powerful cyber capabilities could attempt to affect the strategic calculus of the United States. In this scenario, an adversary might act in ways antithetical to vital U.S. national interests and attempt to prevent the President from exercising traditional national security options by threatening or implying the launch of a crippling cyber-attack against the United States” (U.S. Department of Defense 2011). This recognition is not limited to the U.S. In “Zeros and ones: tackling cyber at the tactical edge,” the International Defence Review described that many countries around the world were designing defensive and offensive cyber strategies in response to the increase of state-sponsored cyber-attacks (International Defence Review 2013, 2).
Richard Clarke, former U.S. National Coordinator for Security, Infrastructure Protection, and Counterterrorism, argued the threat of cyber war was very real, and the U.S. was at a greater risk from cyber war than were other nations. He went further to state the risk was not just to computers and computer networks. Rather than simply being a digital alternative to traditional kinetic war, cyber weapons could actually increase the likelihood of traditional combat. Clark wrote that the U.S. needs to “understand what cyber war is, to learn how and why it works, to analyze its risks, to prepare for it, and to think about how to control it” (Clarke and Knake 2010, 82).
What makes the U.S. so technologically advanced is what makes it so vulnerable to cyber-attacks. This technological advancement has made the country, its people, its government, and its military dependent on the very technology that is susceptible to cyber-attacks. The reach of computers and networked devices into almost every corner of American life makes cyberspace a defining feature of modern life. While the development and integration of technology has created many great opportunities, the increased reliance on technology has in turn created many vulnerabilities (U.S. Department of Defense 2011, 1).
The adoption of networked technology by individual users grew exponentially over the past decade. The DoD estimated global Internet usage grew from 360 million users to over 2 billion users from 2000 – 2010. Cyberspace has become an integral part of the fabric of these users’ lives (U.S. Department of Defense 2011, 1). Any interruption in this technology is a major disruption to a society so dependent on the technology.
Beyond the simple interruption of individual users’ lives however, one must consider the dependence of U.S. critical infrastructure on networked computers. Everything from communications systems, electrical power grids, transportation systems, banking systems, and medical services, are dependent upon the Internet. These systems are all attractive targets for cyber-attackers because computers run the command and control systems, handle the logistics, the communications, and run the backbone of these critical services (Andress 2014, Chapter 1).
The U.S. military is equally dependent, if not more so, on cyberspace then is the civilian sector. Former U.S. Deputy Secretary of Defense William Lynn described just how important cyber technologies are to national security when he stated, “Just like our national dependence [on the Internet], there is simply no exaggerating our military dependence on our information networks: the command and control of our forces, the intelligence and logistics on which they depend, the weapons technologies we develop and field — they all depend on our computer systems and networks. Indeed, our 21st century military simply cannot function without them.” (Reveron 2012, Chapter 1).
Consider the ubiquitous computer chip, which essentially powers the military today. This critical piece of technology could become one of the military’s greatest vulnerabilities if exploited. Computers control weapons and communications systems. Military airplanes and unmanned aerial vehicles receive and send targeting information via wireless computer networks. Computerized Global Positioning Systems guide smart weapons towards their targets. Intelligence Surveillance and Reconnaissance systems gather massive amounts of data that require computers for sorting and analyzing (Andress 2014, Chapter 1). The loss, interruption, or manipulation of these systems would diminish U.S. military advantages.
Although the U.S. is well equipped to handle many difficult operating environments, the cyber environment is particularly challenging. The unique challenges make operating in the cyber domain significantly different than operating in traditional domains such as air, sea, land and space. One reason the environment is so challenging is because no single entity owns or controls the Internet. The Internet is owned and used by individuals, governments, and private companies (Reveron 2012, Chapter 1). Contrast this with sovereign airspace or land, which is controlled and regulated by governments, or with the sea, which is governed by Admiralty law. The Internet is owned and managed by a hodgepodge of telecommunications providers, government entities, and Internet service providers. This creates a very challenging environment both legally and operationally.
Another unique challenge of operating in cyberspace is that governments do not have a monopoly on operating in this domain (Reveron 2012, Chapter 1). Anyone, from anywhere in the world with a computer and an Internet connection, can operate in this environment. Again, contrast this with the heavily regulated airspace where the cost of entry is significantly higher. Or consider nuclear weapons where the complexity and costs of building a weapon (not to mention legality) mostly limits their production to governments. The ability to destroy data and computer networks, which potentially cripples a military or massively disrupts commerce, can be exercised by potentially anyone with access to the internet.
Professor Amy Zegart described five reasons why operating in cyberspace is different than the other domains in which the U.S. military operates. First, the nations that are the most powerful are actually the most vulnerable to cyber-attacks because of their dependence on computer networks. Second, the government cannot fight in cyberspace alone because eighty-five percent of the Internet’s backbone is owned by the private sector. This raises unique legal issues that will be discussed later. Third, the cyber-attack surface is extremely large, vulnerable, and open. This makes it very hard to protect. As an example, Zegart explained within computer software there is, on average, one defect for every 2500 lines of software code. Putting this into perspective, the Android mobile phone operating system has approximately 12 Million lines of code. The Microsoft Windows operating system has approximately 40 Million lines of code. This equates to an estimated 16,000 vulnerabilities in Windows. Fourth, unlike a traditional, kinetic attack, victims of cyber-attacks do not necessarily know they have been attacked until potentially a significant amount of time has passed. Zegart provided as an example a 2008 attack on the U.S. military involving a malicious USB thumb drive in which 14 months passed before the attack was recognized. Fifth, a cyber-attack typically lacks the telltale warnings and indicators of a kinetic attack such as troop buildup or equipment movement (Zegart, Cyberwar 2015).
U.S. government policy seems to indicate recognition of this increasing threat posed by cyber operations. Perhaps the best indication of how serious the U.S. considers cyber threats from a military standpoint is explained by the Department of Defense in its 2011 Policy Report to Congress. The report stated, “The Department recognizes that a nation possessing sophisticated and powerful cyber capabilities could attempt to affect the strategic calculus of the United States. In this scenario, an adversary might act in ways antithetical to vital U.S. national interests and attempt to prevent the President from exercising traditional national security options by threatening or implying the launch of a crippling cyber-attack against the United States” (U.S. Department of Defense 2011, 3).
The possible targets of cyber-attacks are almost limitless. Any electronic device could potentially be exploited, damaged, disturbed, interrupted, or somehow compromised by a determined attacker. Even “air gapped” systems, that is, systems not connected to any other networks, have proven exploitable (Kassner 2015, Paganini 2014). Consider the following, non-conclusive, examples of different types of cyber-attacks.
In 2007, the Idaho National Laboratory conducted “Operation Aurora,” an exercise that proved a cyber-attack on computer systems controlling machinery such as generators, pumps, valves, turbines, switches, or circuit breakers, could actually cause physical destruction to that equipment and the resources it supported (International Defence Review 2013, 4). Interestingly, just one year later, an actual cyber-attack on the control systems of an oil pipeline in Eastern Turkey demonstrated the reality of physical damage from a cyber-attack. The attackers targeted the pipeline’s computerized control systems causing monitoring and alarm equipment to fail, which allowed oil to over-pressurize in the line. The resulting explosion shut down the line for three weeks. This example of physical damage caused by a cyber-attack was a significant development in the nature of cyber warfare (Robertson and Riley 2014).
Networked and digital weapons, equipment, and vehicles, are also susceptible to sabotage and loss or corruption of command and control by maliciously placed malware. Other attacks could exploit vulnerabilities in targeting systems, global positioning systems (GPS), thermal-imaging devices, communication components, internal power, and weapon system suites. The guarantee of a decisive advantage going into a conflict, the advantage on which the U.S. depends, is not necessarily guaranteed when one considers its vulnerabilities in cyberspace (International Defence Review 2013, 5).
America’s dependence on Unmanned Aerial Vehicles (UAV) for surveillance and kinetic strikes has also proven vulnerable to cyber-attacks. Iraqi insurgents reportedly intercepted the data downlink from a U.S. UAV in 2009. Iran claimed, in 2011, that it hacked the signal of a U.S. Sentinel RQ-170 UAV and landed it inside northeastern Iran. Then, in 2012, Iran broadcast footage from another U.S. UAV it claimed it had hacked. This corresponds to the discovery, in late 2011, of key logging malware on the networks of U.S. Air Force UAV ground control stations at Creech Air Force Base in Nevada (International Defence Review 2013, 5). Key loggers are software programs or hardware devices that track every key pressed on a computer keyboard. Some can also capture screenshots from the computer monitor (Veracode 2015). The key logger example leads nicely into the next example of cyber vulnerabilities: cyber espionage.
The use of key logging malware is just one example of cyber espionage. Another example of CNE is the attack on OPM, which compromised the sensitive, personal information of more than 22 million people inside and outside the U.S. government (Levine and Date 2015). Allegedly stolen by China, the information was a treasure trove for anyone attempting to recruit spies within the U.S. government or attempting to conduct counterintelligence activities against the U.S. intelligence community (Moran 2015).
A final example in this non-exhaustive summary is that of the vulnerabilities of U.S. military logistics to cyber-attacks. Logistics are extremely important to the deployment of U.S. forces worldwide. Its capability to fight is based upon moving massive amounts of personnel, equipment, weapons, food, and other supplies to the correct places at the correct times. This explains the old military maxim “amateurs study tactics; professionals study logistics” (Andress 2014, Chapter 1). An enemy could corrupt the networks that track components and supply pallets, or even compromise shipping equipment such as computerized ship-to-shore cranes, causing delays in the delivery of critical supplies (International Defence Review 2013, 5). Further, again from an espionage standpoint, if the enemy can track the shipment of military goods by compromising logistics systems, they could predict U.S. intentions and capabilities (Andress 2014, Chapter 1).
The above examples of U.S. vulnerabilities to cyber-attacks demonstrate the seriousness of the threat to national security. Commercial, government, and military networks are all vulnerable and America’s dependence on these networks make it uniquely susceptible. Deterrence of these types of attacks is explored in the next section.
Deterrence has been an important part of western security doctrine since the time of ancient Greece and became particularly important in the post-World War II nuclear world. Now U.S. national security is facing the challenges of deterring malicious cyber operations. Cyber operations provide unique opportunities to accomplish America’s political and military objectives but the environment also presents distinct, new challenges for deterrence (Jenson 2012, 3).
Deterrence must be understood first in general terms and then specifically as it relates to cyberspace. As defined by NATO, deterrence is synonymous with dissuasion and is “the convincing of a potential aggressor that the consequence of coercion or armed conflict would outweigh the potential gains . . . this requires the maintenance of a credible military capability and strategy with the clear political will to act” (North Atlantic Treaty Organization 2013, 2-D-6). The U.S. Department of Defense describes deterrence similarly as “The prevention of action by the existence of a credible threat of unacceptable counteraction and/or belief that the cost of action outweighs the perceived benefits” (U.S. Department of Defense 2010). A third definition is “the art of convincing an enemy not to take a specific action by threatening it with intolerable punishment and/or unacceptable failure . . . [it] depends upon effective communication between a state and the entity it wishes to deter. In order to be effective, these messages must lead adversaries to conclude that the probable costs of taking proscribed actions outweigh desired gains” (Solomon 2011, 2). This section examines how deterrence applies to cyberspace. But first, a model of deterrence from modern history will be presented and explored for its similarities or differences to deterrence of cyber-attacks.
As the threat from nuclear weapons grew throughout the 1950’s and 1960’s, a new strategy of deterrence developed. This new deterrent model became known as Mutually Assured Destruction (MAD) and represented a major shift in deterrence. Prior to MAD, countries fought their wars on physical battlefields and those with the superior fighting forces won the battles. Under MAD, both sides built such large stockpiles of nuclear weapons that total destruction of both sides was guaranteed in case of a nuclear conflict. If one side knew that initiating a nuclear strike on the other meant their own, almost immediately assured destruction, they would be deterred from launching the initial attack (de Castella 2012).
Experts argue, however, that traditional models of deterrence will not work in cyberspace. Clarke concluded, “The force that prevented nuclear war, deterrence, does not work well in cyber war” (Clarke and Knake 2010, Introduction). Similarly, Solomon argued that while cyber deterrence may be plausible, it cannot depend on the traditional model of nuclear deterrence or on other conventional deterrence methods that have protected the U.S. since World War II (Solomon 2011, 24).
Cyber Deterrence is Different
Full Spectrum Deterrence Required
Cyber weapons are very different from traditional weapons used by nation states because their possession is not limited to just nations. Nuclear weapons, for example, are typically only in the hands of other countries, and even this is limited to very few countries subject to heavy regulation and monitoring. More than 140 countries, however, are reported to have or to be developing cyber weapons and more than 30 countries are actually creating units in their military devoted strictly to cyber operations (Jenson 2012, 4). In addition to nation states, terrorist organizations and even “hacktivist” organizations possess very capable offensive cyber capabilities (Rosenzweig 2013, Chapter 5). Former U.S. CYBERCOM Commander, General Keith Alexander, included this concern in a statement to Congress, saying “in 2010 we saw cyber capabilities in use that could damage or disrupt digitally controlled systems and networked devices, and in some cases we are not sure whether these capabilities are under the control of a foreign government” (Alexander 2012). This ability of hundreds of state actors, and many non-state actors to operate nefariously in cyberspace significantly impacts deterrence in a way that was not an issue with the nuclear threat (Jenson 2012, 4). Rather than deter against attacks from just a few, well-known attackers, the U.S. must now deter hundreds of attackers, each with differing abilities and motivations.
Not only must the U.S. deter a broader spectrum of threat actors, it must also deter against a wider variety of threats than it does with nuclear deterrence. The reality with nuclear war is that any nuclear attack is considered catastrophic, thereby limiting the number of necessary planned responses. A cyber operation may consist of anything from a small penetration to test a system’s security, the defacing of a website, the crippling of a weapon system, the stealing of sensitive plans for the development of a new capability, or an attack causing actual physical damage such as Stuxnet. This breadth of potential attacks means deterrence strategy for cyber-attacks must be much broader than for nuclear attacks. It must account for a wider assortment of potential attackers and potential types of attacks (Jenson 2012, 4).
An additional difference between deterrence of cyber-attacks and deterrence of nuclear attacks is that ineffectiveness is, essentially, guaranteed. This is true from a technical perspective (Jenson 2012, 5) because no matter how robust network defenses may be, a determined attacker will eventually find a successful attack vector. But this is also true from a sociological perspective. Some attackers are simply unable to be deterred because the costs are so low and the benefits are potentially so high (Davis and Jenkins 2002, 4).
One reason for the success of nuclear deterrence is that devastating retaliation was guaranteed. Determining who launched the attack would not be difficult so the attacker expected certain retaliation from its victim. This is not necessarily true in cyberspace, as will be explained later. Since determining exactly who is responsible for the attack is not always possible, immediate retaliation is far from guaranteed. Additionally, attackers may spoof their activity to look as if another nation is responsible for the attack. In this way, the promise of certain retaliation could actually incentivize an attacker to not only launch an attack against the U.S. as their first target, but then to spoof their attack is if it came from another country, which would then be the recipient of U.S. retaliation (Jenson 2012, 5).
One of the most fundamental principles of deterrence throughout history is that of a country signaling to its adversaries what its response capabilities are in case of attack. Capabilities must be known because an attacker simply cannot be deterred by a capability it does not know exists. With kinetic weapons, a nation can make its capabilities known through exercises and military demonstrations (Jenson 2012, 6), or through inspections such as START and OPENSKIES treaties (Michie 2005, 376). Such signaling is not possible with cyber capabilities. One reason for this is because the anonymity provided through cyber operations makes publicly displaying one’s capabilities seldom beneficial (Jenson 2012, 6). If the U.S. were ever to respond to an attack using conventional weapons, there would be no question that it was the U.S. who launched the attack. So there is little reason for the U.S. to keep general kinetic response capabilities secret. With cyber weapons however, the U.S. needs to keep its capabilities secret. Signaling a response capability may deter attackers, but in the process the U.S. may also reveal a tool (and therefore diminish its effectiveness) needed for offensive capabilities. The same malicious software used for a destructive response can be used for espionage.
Another reason signaling is not beneficial as a deterrent for cyber-attacks is because many cyber weapons are considered “single-use” weapons. A “single-use” weapon is only effective as long as no one knows about it. Displaying it would make the weapon ineffective for future use (Jenson 2012, 7). For example, if the U.S. signaled it had developed a capability to exploit a previously unknown (to the enemy) vulnerability in a particular enemy network, the enemy would simply patch that vulnerability or move its critical systems off of that network.
Theories of Cyber Deterrence
The DoD described deterrence in cyberspace as relying on two principles: imposing costs on the attacker (retaliation) and denying the adversary’s objectives (U.S. Department of Defense 2011, 2). Jensen further broke down these two principles by dissecting the principle of retaliation into “Strike Back” and “Legal Strike Back,” and the principle of denying the adversary’s objectives into Invulnerability, Resiliency, Invisibility, and Interdependence.
Deterrence by Retaliation
Many potential cyber-attackers could potentially be deterred by the threat of retaliation, along with the clear present capability and will to do so (Jensen or n124). This has been a foundation of U.S. deterrence policy since the Cold War and could be a part of its cyber deterrence policy. The ability to respond with a devastating attack in response to an imminent enemy attack is a key component of nuclear deterrence. Put simply, the costs to an enemy are so great that they choose not to attack. The options for a U.S. response to a cyber-attack could also be devastating and could consist of much more than just a cyber response. President Obama, in his International Strategy for Cyberspace, wrote about the U.S. intention to deter by signaling its commitment to respond with a full spectrum of possible responses; “When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country . . . We reserve the right to use all necessary means - diplomatic, informational, military, and economic - as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests” (Obama 2011, 14).
Although Obama declared the U.S. could respond with a kinetic response to a cyber-attack there are some limitations to cyber deterrence through a strike back retaliation. First, international law does not authorize the victim of a cyber-attack to respond in self-defense unless the attack is grave enough to amount to an “armed attack” (Jenson 2012, 10). International law will be explored later but for now, consider most cyber operations would not amount to an armed attack so the U.S. could not strike back or threaten to strike back and deter potential attackers.
Strike back deterrence is further limited by the principle of proportionality. International law requires any signaled or planned response be proportional to the initial attack. Proportional does not mean the response must be the same as the initial response, but it must be comparable, must not escalate, and must be no more than what is required to end the attack and to defend the victim (Jenson 2012, 11). This proves challenging in cyberspace. Determining the significance and extent of a cyber-attack is difficult. It is not always clear when the attack started or when it ended. The U.S. could discover malicious software on a weapons system today that could render it inoperable but that was not yet executed and its purpose not completely understood. Is the mere presence of the malware an ongoing attack? If the vulnerability had not yet been exploited then what is a proportionate response? Is simply removing the malware the proportional response? If enemies know the U.S. is limited to this type of proportional response (simply removing the malware) then they will not be deterred by threats of a proportionate strike back.
An alternative to a strike back in the form of a kinetic or cyber retaliatory strike is the concept of a legal strike back. This is the idea that a nation can deter a cyber-attack by promising a law enforcement or civil action in response. General Alexander mentioned this when he stated “the bottom line is, the only way to deter cyber-attacks is to work to catch perpetrators and take strong and public action when we do” (Hollis 2011, 396). There may be some effectiveness of a legal strike back deterrence when the attackers are cyber criminals as opposed to nation-state sponsored attackers but this can be exceedingly complicated, even against cyber criminals, when the attacks cross international borders. The ability of the U.S. to prosecute a group of cybercriminals in another country is significantly hampered by international procedural limitations such as extradition and jurisdiction. For example, extradition is usually limited to actors subject to dual-criminality. The offense for which they are accused must be illegal in both countries. With the relative infancy of cybercrime laws in many countries, there is a good chance that even with convincing evidence of guilt from the U.S, the actor would not be extradited, therefore severely limiting the effectiveness of deterrence through legal action (Jenson 2012, 13).
Further, as will be shown in the Attribution section, the ability to investigate and to collect evidence from the multiple countries who’s borders a transnational attack would cross, is complicated, if not prohibited, by the multiple laws, procedures, and varying degrees of willingness to cooperate with a U.S. investigation (Jenson 2012, 13). One final consideration to the ineffectiveness of a legal strike back deterrence is the reality that a law enforcement response will not effectively deter nation-state sponsored attackers. Actors conducting attacks on behalf of their government or military employer (the most significant attacks suffered by the U.S.) are not likely to ever be successfully prosecuted by the U.S.
Kim Taipale, of the Center for Advanced Studies in Science and Technology Policy, summarized the limitations of deterrence through retaliation:
Because of the particular characteristics of cyberspace - in particular because of its dual use and borderless nature; the difficulty of differentiating probe from attack and definitively identifying attackers; the zero time interval between detection and attack and the scale-free, unpredictable and unbounded nature of potential consequences; the multiplicity of potential attack vectors, attackers, and motivations; and the contestability of potential responses - a general retaliatory-based policy that explicitly threatens severe punishment in response to a particular kind of attack may not be sufficient to deter cyber-attacks, and, in some circumstances, may be counterproductive (Taipale 2009).
The DoD also acknowledged problems with the idea of deterring by retaliation. Lynn said Pentagon planners believed the threat of retaliation alone was not enough to deter potential attackers from attempting to steal information or from conducting damaging attacks through cyberspace. He further said, “Our ability to identify and respond to a serious cyber-attack is only part of our strategy . . . Our strategy’s overriding emphasis is on denying the benefit of an attack. Rather than rely on the threat of retaliation alone to deter attacks in cyberspace, we aim to change our adversaries’ incentives in a more fundamental way. If an attack will not have its intended effect, those who wish us harm will have less reason to target us through cyberspace in the first place” (Serbu 2011). On another occasion, Lynn stated, “traditional Cold War deterrence models of assured retaliation do not apply to cyberspace, where it is difficult and time consuming to identify an attack’s perpetrator” (Lynn 2010).
Another method of retaliation, although not proposed by Jensen, is mentioned here because it is fresh in the news media at the time of this research. This is the idea of deterring attacks by retaliating with sanctions. On September 25, 2015, the very day of Chinese President Xi Jinping’s visit to the U.S. to discuss cyber-attacks, President Obama threatened sanctions against China for its alleged cybercrimes stating, “It has to stop” (CBS News 2015). The authority for sanctioning cyber-attackers came from an Executive Order signed by Obama on April 1, 2015. This order, EO 13694, established a sanctions program to “financially target and deter parties engaging in, profiting from, or in any way supporting the actors engaging in” malicious cyber activities (Melnik 2015, 53).
The effectiveness of deterring future cyber-attacks through sanctions is not yet established. However, it is important to note the key factor in establishing sanctions is knowing who was responsible for the attack. As will be explored in the Attribution section, attribution of cyber-attacks is difficult. If a potential attacker conducts their attack in a manner difficult to attribute, they will know the U.S. lacks the ability to sanction and therefore will not be deterred by any threats of retaliation through sanctions.
Deterrence by Denying the Benefit of the Attack
This idea behind this method of deterrence is to build computer networks in a manner that, even if attacked, will not provide any benefit to the attacker. In theory, this would de-incentivize, and therefore, deter, cyber-attacks. Proposals include making computer systems invulnerable to an attack, building resiliency into cyber systems, making systems invisible and making networks interdependent upon each other. If these steps were possible, an attacker would be deterred from attacking because they could not benefit from the attack.
The first necessary step for deterring through this method is making systems invulnerable to an attack. This concept could be compared to that of the Strategic Defense Initiative (SDI) in nuclear deterrence which deters enemies of the U.S. by promising the U.S. could intercept and destroy any incoming ballistic missiles making an attack essentially worthless for the attacker (Jenson 2012, 15). The near omnipresence of computers in business, government, and military today, however, makes the job of protecting them to the point of invulnerability extremely difficult. Protecting against attacks to these systems is significantly different then nuclear missile attacks. With nuclear attacks, the U.S. possesses the ability to almost immediately recognize an attack and to generally know from where, geographically, attacks are launched. Launching an attack on the U.S., without the U.S. knowing it is under attack, is nearly impossible (Jenson 2012, 15).
With cyber-attacks, the attackers frequently use compromised systems from all over the world to launch their attacks. It cannot be predicted from where the attack will come. The targets may be anything from research institutions, defense contractors, universities, government agencies, or military targets. The victims oftentimes will not even know they were attacked until a significant amount of time has passed (Zegart, Cyberwar 2015). Experts also argue even the most well-protected computer networks will still be vulnerable to committed attackers with the amount of time, resources, and expertise of skilled nation-state actors (Contreras, DeNardis and Teplinsky 2013, 2).
Beyond the technical limitations of trying to make computer systems completely invulnerable to attacks, lie legal and privacy concerns. This is due to the fact that most of America’s Internet traffic, even government and military traffic, is transmitted across private sector infrastructure. And the government and military purchases much of its computer and networking hardware as commercial off the shelf (COTS) equipment complete with its corresponding vulnerabilities. If the U.S. government were to decide in order to deter cyber-attacks it must make networks and computers completely invincible to attack, then it would necessarily require the ability to monitor these private networks and to oversee production of civilian computers and networking equipment. The legality of this type of government takeover is questionable at best, not to mention undesirable by the American citizenry (Nakashima 2012).
The second criterion for establishing deterrence by denying the benefit of the attack is to create resilient and redundant systems. The idea behind this is that an attack to U.S. systems will not have its desired affect because the systems are essentially duplicated. A redundant system would not succumb to an attack because even if segments or particular computers were shut down, there would be duplicate systems to come online and allow the system to remain functional (Jenson 2012, 17).
The feasibility of deterrence through redundancy is rather limited, for several reasons. First, it is unlikely the government could financially and logistically support the initial purchase, the maintenance, and the upkeep of completely redundant systems (Jenson 2012, 18). Secondly, even if systems could be protected from destruction by creating redundancy, this still would not deter attacks for the purposes of espionage or theft. These attacks do not damage a network or attempt to take it down, just to exfiltrate data. Redundancy would not deter this. Thirdly, even if creating redundant systems could deter some attacks on computer networks, this would not deter the numerous other types of cyber-attacks. Individual navigation capabilities on weapon systems would remain vulnerable, communication equipment and other devices would have no redundant capabilities and therefore remain vulnerable. Finally, as mentioned previously, a significant portion of the U.S critical computing infrastructure is owned by the private sector. These commercial companies are not able to completely duplicate all of their systems, nor would the government likely be able to mandate this. The strategy of deterrence through redundancy may work on a small scale but the challenges described here severely limit the likelihood of deterrence through redundancy at a nationwide level.
Another proposed method of deterring by denying the benefit of the attack is to make systems invisible to the attacker. The idea of this method as a deterrent is that an attacker cannot attack a system he cannot see, and that he will have to waste significant time and effort to locate the system. This could cause them to direct their efforts elsewhere (Jenson 2012, 18). There are several obvious limitations to deterrence through making networks invisible. First, as has been explained previously, potential targets of attack consist of everything from military communication systems, GPS guided weapons, banking and finance systems, supply chain management systems, and civilian transportation systems. It is simply not feasible to make all of these targets invisible to the enemy. If only some are made invisible, it will direct the enemies’ efforts towards the networks that they are able to identify. While this may deter attacks to a specific system, it does not successfully deter attacks on the United States as a whole. Is it successful deterrence if the government picks certain target to hide while allowing others to therefore become more vulnerable? To compare this with nuclear deterrence, would it be considered successful deterrence if the U.S. prevented an attack on New York City only to direct that attack towards Los Angeles?
The final component of the strategy for deterrence through denying the benefit of the attack is to make networks interdependent. If an attacker’s networks are interconnected with America’s, they may be deterred from attacking the U.S. for fear of damaging their own systems. An example of this type of deterrence working, although not to the benefit of the U.S., was during the 2003 invasion of Iraq. The U.S. military contemplated cyber attacks on Saddam Hussein’s financial networks, but these attacks were not carried out because they feared the interconnectedness of the world’s computer networks would result in the attack spreading and creating worldwide financial havoc (Markoff and Shanker 2009). This example demonstrates the downside of deterrence through interconnectivity. Creating interdependent systems between nations could deter attacks but interdependency also limits America’s options to respond to an enemy attack or to conduct offensive actions. Since the U.S. has declared that Cyberspace is a domain in which it desires to operate and exercise dominance (U.S. Department of Defense 2011, 2), any deterrence strategy that limits the ability of the U.S. to operate in this domain would not be an effective strategy.
The Department of Defense seems to acknowledge that deterrence through denying attackers the benefit of the attack is limited. In its Cyberspace Policy Report, the DoD stated if the “deny objectives” form of deterrence does not work, it “maintains, and is further developing, the ability to respond militarily in cyberspace and in other domains. Continuing to improve our ability to attribute attacks is a key to military response options” (U.S. Department of Defense 2011, 2).
Deterrence through International Norms
On 25 September 2015, President Xi Jinping and President Obama announced an agreement to accepted cyber norms between their two nations. Specifically, they agreed that neither country’s government “will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors” and to “further identify and promote appropriate norms of state behavior in cyberspace within the international community” (Office of the Press Secretary 2015). There was also discussion about agreeing to no “first use” of cyber-attacks on critical infrastructure (Kaplan 2015). This method of deterrence is akin to arms control efforts of deterring traditional attacks. As with deterrence through sanctions, this type of deterrence also suffers due to difficulties in attribution. Lynn wrote on this subject, “Traditional arms control regimes would likely fail to deter cyberattacks because of the challenges of attribution, which make verification of compliance almost impossible” (Lynn III 2010).
Three general principles of deterrence were presented here: retaliation, denying the benefit of the attack, and arms control (or accepted norms). These models are borrowed from kinetic deterrence but are flawed when applied to cyber deterrence. A significant challenge to the effectiveness of these models is the challenge of attribution (Haeussler 2011).
What is Attribution?
Attribution is the process of determining who conducted a particular attack. Attribution could be as broad as determining the general geographic location of the attackers, or more specifically determining the actual individual identities of the attackers. It could mean just determining characteristics of the attack that tie it to a particular group of people (possibly a military unit, a criminal organization, or group of hackers) (Andress 2014, 15). Put simply, attribution is determining the owner of the computer, the physical location of the computer, or the specific individuals responsible for operating the attacking computer (Clark and Landau 2011, 2). The problem with attribution in cyberspace is that attacks take place over the Internet and the Internet was not designed with the requirement of attribution. Former director of the National Security Agency, Mike McConnell, wrote “We need to develop an early-warning system to monitor cyberspace, identify intrusions and locate the source of attacks with a trail of evidence that can support diplomatic, military and legal options - and we must be able to do this in milliseconds. More specifically, we need to reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment - who did it, from where, why and what was the result - more manageable” (McConnell 2010, 2). This section explores difficulties with attribution in cyberspace, how it is different from attribution of kinetic attacks, and how this negatively affects deterrence.
One of the unique challenges with attribution of cyber-attacks is determining whether the attacker was a foreign government, a criminal or terrorist organization, or a combination of some sort. Deterring a nation state is different from deterring a terrorist group and the legally justified methods of retaliation vary as well. Contrast this with conventional means of warfare. If a foreign military struck the U.S. with a kinetic attack, U.S. intelligence would have no trouble determining who launched the attack nor would there be any confusion about what level of responsibility that nation had in the attack. The U.S. would not have to prove the attacker was the enemy’s military versus a group of political activists or criminals prior to retaliating.
Jason Healey, in “Beyond Attribution: Seeking National Responsibility for Cyber-attacks,” described this attribution challenge by explaining not only do intelligence services and policymakers have to determine the geographic location of cyber-attackers but they also have to determine the level of national involvement in the attacks (Healey 2011, 2). For example, an attack coming from an IP address in China does not mean the Chinese government is behind the attacks. (As will be explained later, even determining the geographic location of the attacker based on IP addresses is difficult.) In order to explain the various levels of state involvement in cyber-attacks, Healey developed a ten level “Spectrum of State Responsibility.” The spectrum is explained here to demonstrate the difficulty in determining who (versus just “where”) is responsible for the attack. This specific and detailed level of attribution is important when considering deterrence because deterring attacks from actors at various levels of the spectrum require different strategies.
Spectrum of State Responsibility
- State-prohibited. The national government will help stop the attack that may be originating from within its borders or be passing through its networks. Although the government cooperates with efforts to stop the attack, they may have some responsibility for the insecure systems involved in the attack.
- State-prohibited but inadequate. The national government is cooperative with the U.S., and would try to stop the attack, but lacks the resources to do so. It may not have the necessary laws, technical capabilities, or political will to stop it. As with State-prohibited attacks, the nation bears some responsibility for not being able to stop the attackers and for having insecure systems.
- State-ignored. The national government is aware of the attacks but does not take any official action as a matter of policy. While the government is not launching the attacks, they may agree with the goal of the attackers and may help them stay undetected.
- State-encouraged. A third party conducts the attack but the national government’s policies encourage the attackers. Members of government military and intelligence organizations may be encouraged to conduct off-duty “recreational” hacking and the government will not cooperate in U.S. investigations or endeavors to prevent the attacks.
- State-shaped. A third party conducts the attack but the national government provides some support, like providing coordination between those in government who may be performing off-duty hacking and the attackers. The government will still maintain plausible deniability and will not cooperate with the U.S.
- State-coordinated. The national government actually coordinates the activities of third-party attackers by providing targeting information and technical assistance. This is done off the record allowing the state to still maintain plausible deniability.
- State-ordered. While the attacks are still conducted by a third party, they are directed by the national government and the attackers act as a proxy for the government’s policies. At this level, the attackers could be considered agents of the state under international law.
- State-rogue controlled. Elements of the government conduct the attacks but without the knowledge or direction of national leadership. The attackers may be a rogue local unit or junior officers of a government’s offensive cyber forces.
- State-executed. The national government directs and controls the attacks using its own forces.
- State-integrated. The national government integrates its cyber forces with the third party attackers with a common command and control system. The government controls targeting and the attackers are legally agents of the state (Healey 2011, 2-3).
Clearly, just determining an attack probably came from an IP address likely located geographically within the borders of a certain country is not sufficient specificity for attribution of a cyber-attack to a specific actor. In order to deter future attacks from these actors, the U.S, must first be able to identify the actual actors and motivations behind the attacks. Deterring the first two levels of attacks could be possible if the third party attackers knew the country from which they operated would take action against them. This essentially transfers deterrence from the U.S. to that country and, as shown previously in the Deterrence section, depending on other countries to investigate and prosecute cyber acts that are illegal in the U.S. is fraught with challenges.
State-ignored, encouraged, shaped, and coordinated attacks would be very difficult to deter. The state’s knowledge and encouragement of these attacks indicate they would not assist in enforcing any threat of U.S. law enforcement action. And, as non-combatant civilians, LOAC prohibits taking any military action against these actors (Rosenzweig 2013, Chapter 5).
State-ordered, rogue conducted, executed, and integrated attacks could justify the threat of U.S. strike back retaliation as deterrence. The third-party actors in these cases may legally be considered enemy combatants as agents of the state and therefore legitimate targets for a U.S. response. But, as described in the Deterrence section, a strike back deterrence is far from a guaranteed deterrent in cyberspace and as will be described in the Law of Armed Conflict section, determining the legality of a U.S. retaliatory strike is, at best, unclear.
Challenges of Attribution in Cyberspace
The previous section explained that attribution of a cyber-attack, even if it can be technically tracked to a possible geographic area through an IP address, must be much more specific if it is to be used to design a deterrence strategy. This section describes some of the difficulties of obtaining a specific attribution for attacks in cyberspace. The primary challenge is that the Internet was not developed with the goal of attribution in mind (Clark and Landau 2011, 1). According to the DoD, the very characteristics of the Internet that led to its explosive growth also provide anonymity. The Department wrote, “Our potential adversaries, both nations and non-state actors, clearly understand this dynamic and seek to use the challenge of attribution to their strategic advantage” (U.S. Department of Defense 2011, 4).
The complicating characteristic of most cyber-attacks is that they are multi-stage and multi-step. This complicates attribution because it makes it very difficult to determine from where the attack originated. Consider a bot-net based attack such as Russia’s attack on Georgia in 2008. In a bot-net attack, (oftentimes used for a Distributed Denial of Service (DDoS) attack,) a “bot-master” compromises a large number of innocent computers from all over the world to create a bot-net. The bot-master then directs the thousands of compromised computers to simultaneously attack a victim network, overloading the servers and causing the network to crash. Investigating a bot-net attack is difficult because the bot-master will be several degrees removed from the attacking computers. Tracing the route from the victim machines, through the various levels of attacking machines, and finally back to the actual bot-master may involve crossing multiple jurisdictional boundaries through countries surrounding the globe, and possibly falsified source IP addresses. Additionally, identifying the machine responsible for initiating the attack may still not yield the responsible party. Many bot-nets are created by cyber criminals who rent out the bot-net’s services to interested parties (Clark and Landau 2011, 7).
Many other attacks are directed through multiple stages of computers around the world set up as proxies. Preparation for these attacks starts with compromising innocent computers, which are then used as proxies to scan networks for additional vulnerable machines. The compromised computer may be an individual machine on someone’s home network, a small business server, or a computer belonging to a large university or company. These compromised machines are then used to scan for and compromise more machines. Eventually, an infrastructure of compromised machines is created (proxy-chain). The attacker uses some proxy machines for actually attacking the target networks, others for data transit, some simply as “dead-drops” to temporarily store exfiltrated data, and some as intermediary command and control nodes. This infrastructure consists of compromised computers all over the world, many out of reach of U.S. intelligence and law enforcement authorities, significantly complicating the process of attributing who is ultimately responsible for the attack (Clark and Landau 2011, 11-12). Even if the U.S. is able to determine the IP address for the original attacking computer is geographically located in a particular country, it does not mean the government of that country is responsible for the attack (Jenson 2012, 6). Since attribution is central to deterrence and any retaliation requires knowing with full certainty who the attackers are (Clark and Landau 2011, 2), the difficulty in attribution is a significant stumbling block to U.S. deterrence.
The difficulty in tracking an attack back to its origin is made even more difficult by the virtual nature of cyberspace. There are no fingerprints or DNA evidence in a cyber-attack (Andress 2014, Chapter 15). Even the tools used to conduct the attacks are not always unique to the attackers so they provide another level of anonymity. The same tool used by a hacker or criminal actor could also be used by a nation-state actor. The use of non-attributable tools and proxy chains spread throughout the world makes definitive attribution in cyberspace difficult, costly, and rare (Clarke and Knake 2010, 2).
Deterrence policy depends on the ability to attribute attacks. And the legality of any retaliatory deterrence depends on correct attribution. As expressed above, the type of response varies greatly based on the levels of state versus non-state involvement in the attack. The ability to clearly determine who is responsible not only guides the U.S. in its threatened response but also the identity of the attacker could determine if a state of war exists with the attacking country (Rosenzweig 2013, Chapter 4). The inability to attribute, however, limits the ability to deter and, as Lieutenant General Harry Raduege Jr. wrote, “our continuing inability to attribute attacks is tantamount to an open invitation to those who would like to do us harm, whatever their motives” (Raduege Jr. 2010, 3).
Law of Armed Conflict
In addition to affecting deterrence, attribution difficulties also pose challenges for LOAC. This challenge was described by Navy Judge Advocate General, Todd Huntley, in the National Law Review, “America’s failure to protect cyber space is one of the most urgent national security problems facing the country . . . Cyber-attacks are not accompanied by calling cards. Perhaps the single greatest challenge to the application of the law of armed conflict to cyber activity is the challenge of attribution” (Huntley 2010, 38). This section examines LOAC and demonstrates how deterrence, attribution, and LOAC are inextricably intertwined.
LOAC is not one group of laws codified in a single source. Rather, it is an international body of laws and norms developed over the last hundred years through a series of conventions (Bernard 2015, 2). These laws address most aspects of international conflict and direct how and when wars may justifiably start (jus ad bellum,) and how they are fought (jus in bello) (Andress 2014, Chapter 13). The International Committee of the Red Cross in Geneva generally monitors international compliance with LOAC and The International Criminal Court, established in 2002, is the primary judicial body enforcing LOAC (Conde 2011).
Jus ad bellum, Latin for “the right for war,” is the set of international norms that determine when it is lawful for states to resort to force. This body of law is addressed mostly in articles of the U.N. Charter such as Article 2(4) which states, “all Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations” (Kilovaty 2014, 100).
Articles 42 and 51 of the U.N. Charter establish two exceptions to the prohibition of the use of force. Article 42 allows force after a U.N. Security Council resolution authorizing forcible measures. Article 51 recognizes a state’s inherent right for the use of force in individual and collective self-defense against an armed attack. Unfortunately, the U.N. Charter does not specifically describe “force” and “armed attack” (Kilovaty 2014, 100).
Jus in Bello, Latin for “the law in waging war” (Jus in Bello Law and Legal Definition 2015) encompasses that which is known as International Humanitarian Law. Much of this is found in the Geneva Conventions of 1949 and its amendments, the 1977 protocols to the Geneva Conventions, and the customary legal norms known as The Laws and Customs of War (Conde 2011). This body of law governs how wars are legally fought and includes principles discussed below such as neutrality, distinction, and proportionality. The next section examines whether LOAC even applies to cyber conflicts.
LOAC Application to Cyber Conflicts
The laws, conventions, and norms that make up LOAC developed over the past century and although these laws are old, and cyber conflicts are relatively new conflicts, no new laws have developed to replace these laws in the governance of conflicts in cyberspace. The DoD believes that its cyberspace operations are governed by LOAC and has produced two reports making this clear. In 2011, the department published the Department of Defense Cyberspace Policy Report containing fourteen references to international law, including “The Department also seeks to prevent dangerous escalatory situations by following the same policy principles and legal regimes in its cyberspace operations that govern actions in the physical world, including the law of armed conflict” (U.S. Department of Defense 2011, 5). Any retaliation must also comply with LOAC; “The nature of the DoD response to a hostile act or threat is based upon a multitude of factors, but always adheres to the principles of the law of armed conflict” (U.S. Department of Defense 2011, 8).
The Department also released its Department of Defense Cyber Strategy in April 2015. This report referenced international law four times, including “Any decision to conduct cyber operations outside of DoD networks is made with the utmost care and deliberation and under strict policy and operational oversight, and in accordance with the law of armed conflict” (U.S. Department of Defense 2015, 6). Referring specifically to deterrence, the department stated, “In a manner consistent with U.S. and international law, the Department of Defense seeks to deter attacks” (U.S. Department of Defense 2015, 2).
While the DoD may have determined it applies LOAC to its cyber operations, this has not stopped military leaders legal scholars from expressing their concern about LOAC’s incompatibility to cyberspace. General Alexander told the U.S. Congress that he believed there was a “mismatch between our technical capabilities to conduct operations and the governing laws and policies” (Dunlop 2011, 1). Jeffrey Addicott, Law Professor and Director of the Center for Terrorism Law at St. Mary’s University School of Law, echoed this concern when he wrote, “International laws associated with the use of force are woefully inadequate in terms of addressing the threat of cyberwarfare” (Addicott 2010, 550).
Much of the challenge of applying LOAC to cyber operations is the language and terminology of conventional war that does not readily translate well to cyber conflicts. Since the language used to develop these laws does not easily apply to cyberspace, there is much confusion as to how the laws apply (Andress 2014, Chapter 13). The Talinn Manual, published by the World’s leading scholars and practitioners of international cyber law, described the problem in a similar manner. Because cyber technology did not exist when the laws were created, the Talinn Manual’s authors believed the development of cyber practices could outpace the laws that govern their use and argued that LOAC’s applicability to cyber operations remained unsettled (Schmitt 2013, 17).
This next section examines the historic international legal principles that have applied to international conflicts for over a century. As described above, the U.S. applies these principles to all conflicts, including those involving cyberspace. Several of the most significant LOAC principles are explained here along with their applicability to cyber conflicts.
What is a Cyber-Attack?
When cyber operations are discussed, whether in reference to OPM, Sony, Stuxnet, or any other malicious activity, they are frequently called cyber “attacks.” It is rarely this straightforward however, and to adequately consider deterrence strategy or legal response options, decision makers must first determine whether the hostile activity actually rose to the legal definition of an “attack.” This is not simply an academic discussion but is a current issue of confusion among U.S. government leaders. On September 10, 2015, leading members of the U.S. Intelligence Community testified to the House Select Intelligence Committee on the topic of Cybersecurity Threats. Panelists included directors of the FBI, CIA, NSA/Cyber Command, DIA, and the Director of National Intelligence James Clapper. Congressional Representatives frequently referred to cyber incidents as “cyber-attacks” when questioning panel members. This compelled Director Clapper and other panelists throughout the hearing to remind Representatives that not every incident (such as OPM) legally amounted to an enemy attack and therefore the military and intelligence community’s responses were limited (House Permanent Select Committee on Intelligence 2015). Congress also demonstrated its confusion and concern over the classification of cyber operations as “attacks” in 2011 when they asked the DoD how the department will evaluate the risks of U.S. cyber espionage activities being interpreted by target nations as an attack (U.S. Department of Defense 2011, 6). It is worth noting that Congress asked this question of the DoD back in 2011, and still demonstrated confusion over the definition of a cyber-attack in 2015. The confusion by these high-level decision makers within the U.S. government reveals the difficulty of applying traditional warfare concepts to cyberspace.
This lack of clarity may be understandable considering international law has no established definition for “attack.” Protocol 1 to the Geneva Conventions does not provide much assistance here. It simply defines attacks as “acts of violence against an adversary” (Geneva Convention 1949). Without a concrete definition, legal scholars are left looking at consequences of activities and developing an effects-based analysis of an incident to determine whether it was an “attack.” One of these scholars, Paul Rosenzweig, described three schools of thought that have developed to determine whether a cyber activity rises to the level of an attack.
The first school is the most conservative. It looks at whether damage caused by the activity could have previously only been achieved via a kinetic attack. Under this criterion, a cyber operation that shut down a power grid would be considered an armed attack because destroying a power grid could only have been accomplished previously through an application of kinetic force (Rosenzweig 2013, Chapter 5).
The second school evaluates the extent of the attack’s effect on its victim regardless of whether those effects could have previously only been accomplished through kinetic means. A cyber event disabling a nation’s financial networks would be devastating to that nation despite not actually causing any physical damage. Under the second school of thought, this would be considered an armed attack due to the level of disruption to the victim state (Rosenzweig 2013, Chapter 5).
The third school is the most broad, and considers any compromises of a nation’s critical infrastructure, even if unsuccessful, to be an attack. This includes attempted intrusions, even those that could be considered simply preparation of the battlefield for later use. Rosenzweig did not mention intrusions conducted solely for the purposes of espionage but his inclusion of “intrusions that had no consequence” (Rosenzweig 2013, Chapter 5) implies these would also be considered armed attacks under this school of thought.
U.S. policy makers generally subscribe to the second school, that is, they focus on the overall effects of a particular incident (Rosenzweig 2013, Chapter 5). This can be quite clear in some situations, such as the OPM breach, which Clapper explained to Congress involved only the theft of data. This would not be considered an attack. But other instances are not so clear. For example, what if the tools placed on OPM’s systems to exfiltrate data (not an attack) could also have been used to damage the networks? Since the very same tools used for espionage purposes could be used for destructive purposes, the reason they are found on the network may not be clear (Rosenzweig 2013, Chapter 5). Also, what if, in the process of compromising OPM’s networks, some data was destroyed? Is the destruction of data “destruction” in the sense of an armed attack? These determinations are critical because if an incident causes damage, it legally amounts to an attack, and the U.S. is authorized to respond with its own use of force.
Interestingly, the DoD uses a definition for attack that does not require any actual destruction. The Department characterizes a cyber-attack as actions “taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.” This definition conflicts with LOAC, which requires a more destructive act in order to justify an Article 51, self-defense response (Dunlop 2011, 86-87). Breaches like the OPM breach still would not raise to the level of an attack under the DoD’s definition since (at least as publicly revealed) the compromise exclusively stole data but did not disrupt the data, deny access to the data, degrade the data, or destroy the data.
Use of Force in the Context of Cyber Conflict
Closely related, and equally as confusing, to determining whether a cyber act amounts to an attack is considering whether the act is a “use of force.” Naval War College Professor Michael Schmitt described seven factors to determine whether a cyber act constitutes a use of force: severity, immediacy, directness, invasiveness, measurability, presumptive legitimacy, and responsibility. Key to Schmitt’s determination is that the victim must experience more than a mere inconvenience. There must be at least “temporary damage of some kind” and the “causation, or risk thereof, of death or injury to persons or damage to or destruction of property and other tangible objects” (Dunlop 2011, 85-86). The Stuxnet attack meets this standard for a use of force. Creating and launching a malicious tool that infiltrated Iran’s nuclear facility, caused the damage that it did, and violated Iran’s sovereignty would, according to Schmitt’s definition, constitute a use of force. Under Article 2(4) of the U.N. Charter this would arise to a clear act of war (Bernard 2015, 2).
Complicating matters is the fact that tools used for non-destructive means such as espionage can also be used for destruction. This is important because the DoD considers the “effect and purpose” of the cyber act to determine whether it is a use of force (U.S. Department of Defense 2011, 9) but the “purpose” may not always be clear. Malicious code is not like a bomb. Its discovery on a network does not immediately disclose a destructive purpose.
Determination of whether an act is an attack, or use of force, is critical to deterrence because it determines the appropriate response. It is the threat of a guaranteed response that is a key element of deterrence strategy. If an act rises to the level of armed conflict, then the conflict is governed by LOAC. If it does not, then it is governed by the more restrictive rules of law enforcement (Dunlop 2011, 84). As described in the Deterrence section, threat of U.S. law enforcement response is not likely to deter international hostile cyber activity. If a hostile actor can keep its activities below the level of a forceful, armed attack, which is a pretty high standard, they will not be deterred by any U.S. promise to retaliate against cyber-attacks. Unless the hostile act caused physical destruction, any retaliation by the U.S. could possibly be illegal under LOAC and therefore the retaliatory threat carries no deterrent weight.
Public statements by the U.S. President and the DoD make clear their intentions to retaliate to hostile cyber acts. President Obama stated, “When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country . . . We reserve the right to use all necessary means - diplomatic, informational, military, and economic - as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests” (Obama 2011, 14).
The DoD echoed this policy in their report to Congress, which stated hostile acts in cyberspace deserved a full response from the military, and that the Department was developing the ability to respond to these acts in cyberspace as well as in other domains (U.S. Department of Defense 2011, 2). However, this response to “hostile acts” by the DoD conflicts with the U.N Charter which states that threats of force and the use of force are prohibited unless in response to an armed attack. Simply being the victim of a hostile act does not necessarily amount to being the victim of an armed attack (Dunlop 2011, 85). Only once a determination is made that the act constituted an armed attack, and only after the attack is sufficiently attributed to an enemy nation, can the U.S. consider a response (Rosenzweig 2013, Chapter 5).
If the attack is attributed to a non-state actor then the U.S. cannot use any force in self-defense. This again raises the importance of attribution and proving state control. This can be challenging to prove since states sometimes turn to loosely controlled “hacktivists” to carry out their attacks. This was seen when Russian hacktivists attacked Georgian websites during Russia’s invasion of that country (Rosenzweig 2013, Chapter 5). As explained in the Attribution section, a victim nation must accurately and convincingly determine the level of state involvement in an attack before any forceful response can be made. Again, this limits the ability of a state to deter cyber-attacks with any promised retaliation.
If the attack is convincingly attributed to a state, and it does rise to the level of an armed attack, then a forceful response may be justified. However, as Jack Goldsmith of Harvard University argued, any retaliation must be limited to responding only to major attacks that are “significant or crippling cyber-attacks. Small-scale insurgency attacks or other forms of espionage are immune from retaliation” (Rosenzweig 2013, Chapter 5). And even then, the response options are still significantly limited by the following principles of proportionality, distinction, and neutrality.
The principle of proportionality requires a proportional response and prohibits any response that could be considered excessive compared to the desired military outcome of the response (Dunlop 2011, 89). This principle requires “the scale and effect of the counter-force must be similar to the armed attack” and the self-defense response must be “proportional to the objective of repelling the armed attack” (Kilovaty 2014, 103). This raises interesting questions regarding cyber-attacks. When did the attack start? When is it over? When is it repelled? If the U.S. discovers China placed malicious software on a critical weapon system that could render it ineffective in a conflict, what is a proportionate response? When is that attack repelled? This must be considered in light of President Obama’s pledge to use any tools at his disposal to respond to a cyber-attack. The response must actually be limited to only one that is proportional to the initial attack (Rosenzweig 2013, Chapter 5).
Proportionality is not explicitly defined in the U.N. charter but it has been established over the years through international customs. Rosenzweig described three factors to determine proportionality. First, is the action necessary or could the situation have been solved in another manner? Second, is the degree of force excessive compared to the value of the objective? Third, does it adequately distinguish between military objectives and civilian property? These questions are difficult to answer in cyberspace and in light of the third question, it is particularly hard to eliminate chances of civilian involvement since civilian, military, and government systems are frequently intertwined (Rosenzweig 2013, 5). This leads to the next principle, distinction.
The international principle of distinction prohibits any attack that may be expected to cause incidental loss of civilian life, injury to civilians, or damage to civilian objects considered excessive compared to the military advantage sought by the attackers. This restricts the U.S. to using only retaliatory weapons capable of discriminating between civilian and military targets (Dunlop 2011, 89). Any response capable of damaging civilian infrastructure is illegal according to LOAC. With the interconnectedness of civilian, government, and military systems (Rosenzweig 2013, Chapter 5), this significantly limits the options when considering retaliation.
The principle of distinction is another reason the Stuxnet attack may have violated international law. The attack apparently failed to follow LOAC’s requirement to “do everything feasible” to ensure the target is limited to only valid military objectives. Since the Stuxnet worm spread far beyond the intended Iranian nuclear target, its destruction could have reached vital civilian infrastructure such as a power grid or other critical infrastructure (Dunlop 2011, 90).
Another interesting element of distinction, which impacts the United States’ ability to retaliate in cyberspace, is the requirement to separate its military from civilian systems. It is illegal, for instance, to disguise military forces in uniforms of the Red Cross, or to camouflage military buildings as a hospital. It would also be illegal to launch an attack from a school or a church. LOAC prohibits any such concealment of military assets and requires combatants to have a “fixed distinctive sign recognizable at a distance” and to “carry arms openly” (Jenson 2012, 19). Just how this applies to using the Internet, which is mostly owned and operated by civilians, to launch a cyber-attack for military purposes is uncertain. Jensen acknowledged it is unclear how this principle will play out by nations in cyberspace and argued, as it stands, LOAC seemed to prohibit conducting attacks through computers and networks not clearly identified as belonging to the military (Jenson 2012, 19).
Rosenzweig further demonstrated the inability of LOAC to clearly address this principle of distinction with regards to cyberspace when he wrote, “the lack of distinction in cyber fires and the borderless nature of the Internet can lead to a host of other almost insoluble legal issues regarding the use of cyber force” (Rosenzweig 2013, Chapter 5). He provided five questions that are left unclear in the application of LOAC to cyber force. First, who is a cyber combatant? Can a civilian hacker be an armed combatant? What about a civilian government employee in a nonmilitary agency such as an intelligence agency? Secondly, how can the U.S. ensure a cyber-attack avoids damage to protected targets such as hospitals? Rosenzweig pointed out that computers are not marked with signs that clearly state they belong to a hospital’s network, and that civilian and government systems are frequently intertwined. If cyber-attacks cannot guarantee distinction, does this make any cyber-attack illegal? Thirdly, cyber-warriors might not wear uniforms with their “weapons” openly displayed so how does the U.S. distinguish its personnel as combatants and non-combatants? This question also challenges some of the most common tactics for cyber-attacks such as hiding attacks behind seemingly innocent civilian activity like spearfishing emails from a victim’s bank or other similar civilian source. Fourthly, is the issue of perfidy, or using false cover to wage an attack. Using the cover of a compromised innocent website to introduce malware onto an enemy’s systems (a watering hole attack) could be considered perfidy, and be therefore, illegal. Fifthly, as discussed in the next section, is the question of violating another state’s neutrality. A successful attack (or retaliation) will almost certainly have malicious traffic routed through other neutral countries and use servers and computers located in non-combatant countries (Rosenzweig 2013, Chapter 5).
The international law of neutrality was established during the 19th Century and was codified most recently in The Hague V Convention in 1907 (International Committee of the Red Cross 1988). Although these rules are over 100 years old the U.S. has determined they are still the ruling guidance for applying neutrality to all conflicts, including cyber conflicts (Augustine 2014, 80). Neutrality essentially prohibits the use of a neutral nation’s territory for the purposes of transiting weapons or launching an attack by a combatant nation.
Article 2 of the Hague V forbids the movement of “troops or convoys of either munitions of war or supplies across the territory of a neutral Power.” The authors of Article 2 certainly did not imagine digital weapons when they crafted this prohibition, but legal scholars argue “convoy of munitions” could include the packets of data that make up cyber weapons (Augustine 2014, 73). Article 3 prohibits erecting wireless radio stations on the territory of a neutral country. This was prohibited because enemy military communication lines are legitimate military targets. To construct them in a neutral country could drag that county into the conflict by a strike on those communication facilities. Again, the drafters of Article 3 did not anticipate cyber warfare, but the functional equivalent today of a radio tower could logically be a command and control node or proxy computer routing malicious traffic around the world (Augustine 2014, 84).
The International Court of Justice has suggested that the Hague neutrality laws extend to all weapons systems (Augustine 2014, 80). U.S. Congress also recently expressed its awareness and concern of possibly violating neutrality when it asked the DoD about the legality of the U.S. military “transporting cyber ‘weapons’ across the Internet through the infrastructure owned and/or located in neutral third countries.” They also asked how to handle when the U.S. is attacked or placed at risk by actions taking place on or through computers or infrastructure located in a neutral third country (Andress 2014, Chapter 13). Sharing this concern are Department of Justice lawyers who determined in 2010 that attacks using networks or servers in another country, outside a war zone, without permission, are unlawful due to their violation of neutrality (Nakashima 2010).
An interesting case study regarding neutrality in cyber conflicts is Russia’s cyber-attacks on Georgia in 2008 targeting Georgian websites, including those of the President, the Central Government, the Ministry of Foreign Affairs, and the Ministry of Defense. The attacks, although controlled by Russia, originated from all over the world with at least one command and control server located in Turkey, a neutral third-country (Augustine 2014, 96). Considering Turkey’s neutrality in the conflict, and LOAC’s prohibition on using the territory of a neutral country, this operation possibly violated international law.
Beyond Turkey, the Georgia attacks are a great example of the potential for cyber conflicts to involve neutral parties, including the United States. An Atlanta based private web hosting company, Tulip Systems, assisted the Georgian government during the conflict by hosting Georgia’s websites taken down by Russia. This seemingly generous act not only exposed Tulip Systems to multiple DDoS attacks but also jeopardized the United States’ ability to remain neutral in the conflict. Tulip Systems legally opened up themselves, and therefore the U.S, to attack based on LOAC’s recognition of the ability to target anyone taking part in the hostilities (Augustine 2014, 96-99).
Another significant example of neutrality in cyber conflicts is the Stuxnet attack. This attack spread far beyond its intended target of Iran to reach 155 different countries. Command and Control was actually executed by servers in Malaysia and Denmark. Under the LOAC principle of neutrality, Iran could have legally retaliated against those attacking servers and put Malaysia and Denmark in the vulnerable position of being dragged into an international conflict (Augustine 2014, 103).
This research was designed to analyze deterrence in cyberspace, which is a topic of great interested to the U.S. based on even a cursory look at current events as reported by the news media. Reviewing official U.S. government documents shows the government shares this interest by including cyber-threats top on its list of threats faced by the U.S. With the creation of U.S. Cyber Command in 2009, an organization charged with conducting “full spectrum military cyberspace operations” (U.S. Strategic Command 2015), it can be assumed the country has developed robust offensive cyber warfare and espionage capabilities. But as recent high profile attacks against the U.S. have shown, the nation remains vulnerable to these attacks in a way very much unlike kinetic attacks. This research examined the ability to deter future attacks and is summarized here.
The research on deterrence showed current models rely on methods similar to those used to deter nuclear and other kinetic attacks, such as Mutually Assured Destruction, arms control, sanctions, and retaliation. Another proposed method was making networks redundant and invincible to attacks so that an attack does not completely take a network offline. Difficulties emerged, however, when applying the realities of cyber conflicts to these models. Significant among the difficulties is the fact that the U.S. does not currently possess the ability to accurately attribute attacks to the specificity required for effective deterrence.
Research into attribution showed limitations in this critical area resulted in some of the greatest challenges for deterrence. General Raduege Jr. succinctly said, “our continuing inability to attribute attacks is tantamount to an open invitation to those who would like to do us harm, whatever their motives” (Raduege Jr. 2010, 3). Specifically, the inability to correctly attribute leaves the U.S. unable to apply sanctions, to retaliate, or to pursue law enforcement responses to attacks. Complicating matters is the fact that much of the attribution challenge is essentially built-in to the very structure of the Internet by its design.
The inability to attribute attacks creates difficulties for the US in determining legal responses under the Law of Armed Conflict. Attribution is a key element of determining Jus ad bellum. If the U.S. cannot convincingly show whether the attacker was a nation state versus a criminal organization or a terrorist organization, it cannot establish the conflict’s legal status or the internationally authorized response options.
LOAC, developed over the last hundred years, uses concepts and terminology incompatible with cyber conflicts. Despite this incompatibility, the U.S. regulates its actions in cyberspace with LOAC just as it does any other conflict. These laws significantly limit America’s options when attempting to respond to and deter cyber-attacks.
LOAC requires a legal determination of “attack” and “use of force” in international conflicts. The determination may be clear in the domains of air, land, sea, and space but they are not sufficiently clear in the cyber domain. LOAC requires proportionality in any response to an attack. It requires distinction so that civilians are not unlawfully targeted. It also requires combatants recognize the neutrality of other countries. These three criteria, while seemingly clear-cut in a kinetic conflict, are very difficult to satisfactorily meet in a cyber conflict.
The first area of study was the application of LOAC to cyber conflicts. The research showed that the U.S. does apply LOAC to cyber conflicts but that there are several significant areas where LOAC does not readily transfer from kinetic to cyber conflicts. The second area of study was the ability to attribute attacks to specific actors. The research showed that attribution of cyber-attacks with specificity is difficult, if not impossible, for multiple reasons.
The question, then, is how do these two factors affect the ability of the United States to deter cyber-attacks. To answer this question, consider again the definitions for deterrence presented earlier as provided by NATO and the DoD:
NATO: “The convincing of a potential aggressor that the consequence of coercion or armed conflict would outweigh the potential gains . . . this requires the maintenance of a credible military capability and strategy with the clear political will to act” (North Atlantic Treaty Organization 2013, 2-D-6).
U.S. Department of Defense: “The prevention of action by the existence of a credible threat of unacceptable counteraction and/or belief that the cost of action outweighs the perceived benefits” (U.S. Department of Defense 2010).
Key to both of these definitions is that in order to be deterred from attacking, the aggressor must be convinced the consequences of attacking outweigh the benefits because of a “credible military capability and strategy” or “a credible threat of unacceptable counteraction.” The research showed the inability to positively identify attackers means the U.S. cannot promise a credible retaliatory threat capable of deterring potential actors. Even if the U.S. attributed an attack with a level of specificity that would convince the International Criminal Court exactly who was culpable, the complications of LOAC in cyberspace make any significant retaliation legally difficult. America’s enemies know it applies LOAC to cyber conflicts and their skilled cyber forces understand and exploit difficulties in attribution. They understand America’s public threats to retaliate are seriously hindered by LOAC. They heard Admiral Rogers, who as the Commander of U.S. Cyber Command is responsible for directing military operations in cyberspace, recently testify to this very point. Rogers testified before U.S. Congress that he did not have enough clarity to determine how Cyber Command can respond to cyber conflicts because there was no framework instructing him what was an acceptable or unacceptable response. “Because,” Rogers said, “currently the environment we’re all in in right now, I don’t think anyone is satisfied with the environment we find ourselves in right now” (House Permanent Select Committee on Intelligence 2015).
Comparing cyber-attacks to the analogy of a child stealing cookies from a cookie jar, the current environment is one where a child knows he should go ahead and steal the cookie. The child’s parents are unable to determine who took the cookie or in many cases to even notice a cookie is missing. And the parents are severely limited in enacting any significant punishment for taking the cookie. For the child, the benefits are great and the costs are low. Similarly, as long as retaliation options in cyberspace are unclear and significantly limited by LOAC, and determining who attacked and who to retaliate against is limited by attribution challenges, the United States will remain unable to significantly deter future cyber-attacks.
Addicott, Jeffrey F. "Cyberterrorism: Legal Policy Issues." In Legal Issues in the Struggle Against Terrorism, edited by John N Moore, & Robert F. Turner. Durham, NC: Carolina Academic Press, 2010.
Alexander, Keith B. "Statement of General Keith B. Alexander, Commander, United States Cyber Command Before the House Committee on Armed Services Subcommittee on Emerging Threats and Capabilities." March 20, 2012. http://armedservices.house.gov/index.cfm/hearings-display?ContentRecord_id=92823c77-38f0-4c20-a3ee-36729e8e19a3&Statement_id=214d3347-5989-4575-8863-680c76e57e42&ContentType_id=14f995b9-dfa5-407a-9d35-56cc7152a7ed&Group_id=41030bc2-0d05-4138-841f-90b0fbaa.
Andress, Jason. Cyberwarfare: Techniques, Tactics and Tools for Security Practitioners, Second Edition. eBook. Rockland, MA: Syngress Publishing, 2014.
Augustine, Zachory P. "Cyber Neutrality: A Textual Analysis of Traditional Jus in Bello Neutrality Rules through a Pupose Based Lens." The Air Force Law Review (The Judge Advocate General's School) 71 (2014): 69-106.
Bernard, Doug. China, Espionage and the Law of Cyberwar. June 10, 2015. www.voanews.com/articleprintview/2814621.html (accessed June 17, 2015).
CBS News. Obama Threatens Sanctions against China over Cyber Hacking. September 25, 2015. http://www.cbsnews.com/news/obama-threatens-sanctions-against-china-over-cyber-hacking/ (accessed September 25, 2015).
Clark, David D., and Susan Landau. "Untangling Attribution." Harvard National Security Journal (Harvard University) 2 (2011).
Clarke, Richard A, and Robert K. Knake. Cyber War: The Next Threat to National Security and What To Do About It. Kindle Edition. New York, NY: HarperCollins, 2010.
Conde, H. Victor. Law of Armed Conflict. eBook. Armenia, NY: Grey House Publishing, 2011.
Contreras, Jorge L., Laura DeNardis, and Melanie Teplinsky. "America the Virtual: Security, Privacy, and Interoperability in an Interconnected World." American University Law Review, June 2013.
Davis, Paul K., and Brian Michael Jenkins. Deterrence & Influence in Counterterrorism. Santa Monica, CA: RAND National Defense Research Institute, 2002.
de Castella, Tom. How did we forget about mutually assured destruction. February 15, 2012. http://www.bbc.com/news/magazine-17026538 (accessed October 3, 2015).
Dunlop, Charles J. "Perspectives for Cyber Strategists on Law for Cyberwar." Strategic Studies Quarterly (United States Air Force) Spring (2011).
Geneva Convention. Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I), 8 June 1977. 1949. https://www.icrc.org/applic/ihl/ihl.nsf/Article.xsp?action=openDocument&documentId=17E741D8E459DE2FC12563CD0051DC6C (accessed October 3, 2015).
Haeussler, Ulf. Cyber Strategy and the Law of Armed Conflict. Washington, DC: National Defense University, 2011.
Healey, Jason. Beyond Attribution: Seeking National Responsibility for Cyber Attacks. Washington DC: The Atlantic Council, 2011.
Hollis, Duncan B,. "An e-SOS for Cyberspace." Harvard International Law Journal (Harvard University) 52, no. 2 (2011).
House Permanent Select Committee on Intelligence. Cybersecurity Threats. September 10, 2015. http://www.c-span.org/video/?328021-1/hearing-worldwide-cybersecurity-threats&live (accessed September 10, 2015).
Huntley, Todd C. "Controlling the Use of Force in Cyberspace: The Application of the Law of Armed Conflict During a Time of Fundamental Change in the Nature of Warfare." The Naval Law Review (Naval Justice School) 60 (2010).
International Committee of the Red Cross. Convention (V) respecting the Rights and Duties of Neutral Powers and Persons in Case of War on Land. The Hague, 18 October 1907. 1988. https://www.icrc.org/ihl/INTRO/200?OpenDocument (accessed September 23, 2015).
International Defence Review. Zeros and ones: tackling cyber at the tactical edge. November 5, 2013. https://janes-ihs-com.ezproxy1.apus.edu/CustomPages/Janes/DisplayPage.aspx?DocType=News&ItemId=+++1591838&Pubabbrev=IDR (accessed September 9, 2015).
Jenson, Eric Talbot. "International Law and the Intenet." Emory International Law Review (Emory University School of Law), 2012.
Jus in Bello Law and Legal Definition. 2015. http://definitions.uslegal.com/j/jus-in-bello/ (accessed September 19, 2015).
Kaplan, Rebecca. Little chance of major U.S.-China cyber breakthrough in Xi visit. September 25, 2015. http://www.cbsnews.com/news/little-chance-of-major-us-china-breakthrough-in-xi-visit/ (accessed September 25, 2015).
Kassner, Michael. Air-gapped computers are no longer secure. January 26, 2015. http://www.techrepublic.com/article/air-gapped-computers-are-no-longer-secure/ (accessed September 5, 2015).
Kilovaty, Ido. "Cyber Warfare and the Jus Ad Bellum Challenges: Evaluation in the Light of the Tallinn Manual on the International Law Applicable to Cyber Warfare." American University National Security Law Brief 5, no. 1 (2014): 91-124.
Levine, Mike, and Jack Date. 22 Million Affected by OPM Hack, Oficials Say. June 9, 2015. http://abcnews.go.com/US/exclusive-25-million-affected-opm-hack-sources/story?id=32332731 (accessed August 12, 2015).
Lynn III, William J. "Defending a New Domain." Foreign Affairs (Council on Foreign Relations), September/October 2010.
Markoff, John, and Thom Shanker. Halted '03 Iraq Plan Illustrates U.S. Fear of Cyberwar Risk. August 1, 2009. http://www.nytimes.com/2009/08/02/us/politics/02cyber.html?_r=0 (accessed October 2, 2015).
McConnell, Mike. "Mike McConnell on how to win the cyber-war we're losing." The Washington Post, February 28, 2010.
Melnik, Tatian. "New U.S. sanctions program seeks to give government an extra tool to fight cyber-attacks." Journal of Health Care Compliance 17, no. 3 (2015): 53-56.
Meyers, Mike. CompTIA Network+ All-In-One Exam Guide. eBook. New York, NY: McGraw-Hill/Osborne, 2015.
Michie, Andrew. "The Provision Application of Arms Control Treaties." Journal of Conflict & Security Law 10, no. 3 (2005): 345-377.
Moran, Rick. "Did the Massive OPM Hack Wreck American Espionage?" American Thinker, June 15, 2015.
Nakashima, Ellen. Pentagon is debating cyber-attacks. November 6, 2010. http://www.washingtonpost.com/wp-dyn/content/article/2010/11/05/AR2010110507464_pf.html (accessed October 3, 2015).
—. White House, NSA weigh cybersecurity, personal privacy. February 27, 2012. https://www.washingtonpost.com/world/national-security/white-house-nsa-weigh-cyber-security-personal-privacy/2012/02/07/gIQA8HmKeR_story.html (accessed October 2, 2015).
North Atlantic Treaty Organization. "NATO Glossary of Terms and Definitions." Defense Technical Information Center. 2013. http://www.dtic.mil/doctrine/doctrine/other/aap6.pdf (accessed September 7, 2015).
Obama, Barack. International Strategy for Cyberspace: Prosperity Security, and Openness in a Networked World. Washington: The White House, 2011.
Office of the Press Secretary. FACT SHEET: President Xi Jinping’s State Visit to the United States. September 25, 2015. https://www.whitehouse.gov/the-press-office/2015/09/25/fact-sheet-president-xi-jinpings-state-visit-united-states (accessed September 25, 2015).
Paganini, Pierluigi. Hacking air gaped networks by using lasers and drones. October 25, 2014. http://securityaffairs.co/wordpress/29551/hacking/hacking-air-gapped-networks.html (accessed September 5, 2015).
Raduege Jr., Harry D. Fighting Weapons of Mass Disruption: Why America Needs a "Cyber Triage". NY: EastWest Institute, 2010.
Reveron, Derek S. Cybersapce and National Security: Threats, Opportunities, and Power in a Virtual World. eBook. Washington, DC: Georgetown University Press, 2012.
Robertson, Jordon, and Michael Riley. Mysterious '08 Turkey Pipeline Blast Opened New Cyberwar. December 10, 2014. http://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar (accessed September 5, 2015).
Rosenzweig, Paul. Cyber Warfare: How Conflicts in Cyberspace are Challenging America and Changing the World. eBook. Westport, CT: Praeger Publishers, 2013.
Schmitt, Michael N. Talinn Manual on the International Law Applicable to Cyber Warfare. NATO Cooperative Cyber Defense Center of Excellence, Cambridge: Cambridge University Press, 2013.
Serbu, Jared. DoD cyber strategy aims at deterrence. July 15, 2011. http://federalnewsradio.com/defense/2011/07/dod-cyber-strategy-aims-at-deterrence/ (accessed September 10, 2015).
Solomon, Jonathan. "Cyberdeterrence between Nation-State Plausible Strategy or a Pipe Dream?" Strategic Studies Quarterly, 2011.
Taipale, K. A. "Cyber-Deterrence." Law, Policy and Technology (IGI Global), January 2009.
U.S. Department of Defense. Department of Defense Cyberspace Policy Report. Washington, DC: Department of Defense, 2011.
—. "Department of Defense Dictionary of Military and Associated Terms - as ammended through 15 June 2015." Defense Technical Information Center. November 8, 2010. http://www.dtic.mil/doctrine/new_pubs/jp1_02.pdf (accessed September 7, 2015).
—. The Department of Defense Cyber Strategy. Washington, DC: Department of Defense, 2015.
U.S. Strategic Command. U.S. Cyber Command. March 2015. https://www.stratcom.mil/factsheets/2/Cyber_Command/ (accessed September 26, 2015).
Veracode. Keylogger. 2015. http://www.veracode.com/security/keylogger (accessed September 5, 2015).
Zegart, Amy. Cyberwar. June 29, 2015. https://www.youtube.com/watch?v=JSWPoeBLFyQ&feature=youtu.be (accessed July 1, 2015).