CYBERWARFARE

Cyberwarfare is a complex phenomenon and raises many questions regarding definitions,

differences with reference to other warfare, and finally compatibility with ius ad
bellum and ius in bello international law. Some questions may be solved interpreting existing
law, others remain open and without a clear solution.
 
Such complexity depends on the fact that attacks may differ sensibly depending on the final
target, scope, hardware and software tools used. They all have in common to exploit
computer systems and networks in order to achieve a military advantage. Considering the
wide range of information technologies, scopes and targets, it is quite difficult to provide a
comprehensive definition1.
 
To date there are several attempts to define cyberwarfare:
 
 “actions by a nation-state to penetrate another nation’s computers or networks for the
purposes of causing damage or disruption”2
 “warfare conducted in cyberspace through cybermeans and methods”3
 the activity of “conducting military operations according to information-related
principles while disrupting, destroying and knowing much about an adversary while
keeping them from knowing about you”
 “a conflict among actors, both National and non-National, characterized by the use of
information systems, with the purpose of achieving, keeping or defending a condition
of strategic, operative and or tactical advantage.”
 
We may see that as time passes more details of the phenomenon are considered. Some
similarities may be noticed in such definitions or the definition of the much wider concept
such as information war, which might be found in the Annex I of the Agreement between the
Governments of the Member States of the Shanghai Cooperation Organization on
Cooperation in the Field of International Information Security: “confrontation between two or
more states in the information space aimed at damaging information systems, processes and
resources, critical and other structures, undermining political, economic and social systems,
mass psychological brainwashing to destabilize society and state, as well as to force the state
to taking decisions in the interest of the opposing party.”
However, it is important to recognize that information war (information warfare) and
cyberwarfare are two different concepts.

Difference between cyber warfare and other types of warfare

First, cyberwarfare immediate targets are computer systems and networks and most
cyberattacks are conducted through computers and computer networks. Nonetheless,
computer systems and networks may be used to target physical systems and produce physical
damages, death and injury. Second, cyberwarfare attacks may be planned to be executed in a

1
http://www.nyulawglobal.org/globalex/Cyberwarfare_Collateral_Damages.html
2
Richard A. Clarke, Robert K. Knake, Cyberwar, Harper Collins, 2010.

3
Nils Melzer, Cyberwarfare and the International Law, 2011.
very short lapse of time. Third, cyberwarfare activities, given how computer networks and
particularly the Internet are designed, may be routed through many territories, hence complex
problems regarding law of neutrality arise. Fourth, some cyberwarfare activities, aimed at
creating kinetic attacks, may use the hardware and weapons of the enemy in order to execute
the attack by remote controlling them. Fifth, most cyberwarfare attacks may be launched in
stealth mode, i.e. without identification of the attackers. And finally, many cyberwarfare
activities may require the use of many computer techniques and technologies and malware or
the exploitation of vulnerabilities in the targeted computer systems, as well as social
engineering techniques in order to gain access to computer systems and networks.
 
Sometimes such activity requires an extensive study and design, a lot of programming and a
multidisciplinary approach. A lot of investments and preparation may be needed for attacks
that rarely may be launched more than once or replicated.

Cyberweapon: Definitions and an Example of Software Used

One important question is whether the tools used for most cyberwarfare activities and attacks
are to be considered weapons. Such problem has implications with regard to all international
law dealing with armed attacks, use or threat to use the force and how to conduct
hostilities. With regards to such aspect, two different points of view are to be highlighted.
According to the first, a tool (hardware equipment or computer code) is a weapon on the
basis of its objective possibility to cause harm or to allow the execution of an attack. An
example of such type of definition is: “a cyber weapon is the combination of a propagation
method, exploits, and a payload designed to create destructive physical or digital effects.”
 
The second approach requires to evaluate user’s or designer’s purpose in order to decide
whether the tool (or tools) used are to be considered a cyberweapon: “a part of equipment, a
device, or any set of computer instructions, used in a conflict among actors both National and
non-National, with the purpose of causing (directly or otherwise) physical damage to objects
or people, or of sabotaging and/or damaging in a direct way the information systems of a
sensitive target of the attacked subject.” Or, similarly, “cyber weapons are cyber means of
warfare that are by design, use, or intended use capable of causing either (i) injury to, or
death of, persons; or (ii) damage to, or destruction of objects, that is, causing the
consequences required for qualification of a cyber operation as an attack.”
 
Other authors define cyberweapon as a subset of weapons: “computer code that is used or
designed to be used with the aim of threatening or causing physical, functional or mental
harm to structures, systems or living beings.”
 
To date, there are numerous examples of cyberweapons. We will focus on what appears
clearly to be an example of cyberweapon, regardless of the approach and point of view:
Stuxnet.
 
Stuxnet is a complex malware designed to search for a particular controlling system of
specific industrial processes located in a closed network. Upon identification and penetration
of such system, the malware was designed to damage a specific type of turbines and so to
create physical damage bypassing human and automated controls of the target industrial
plant. The effect is similar to the one obtainable by destroying such turbines with
conventional weapons (so called kinetic attack) during a traditional warfare activity.4
 
4
The features of the complex malware and the deep knowledge of the target systems indicate
that it was specifically designed software, created by multidisciplinary team relying on a
particular knowledge of the industrial processes that governed the target system. As we shall
see later, it seems that the malware was designed to comply with most norms of international
law.5
 

Main International Law Issues Regarding Cyberwarfare

Analysis of the phenomenon and definitions of the concept are important in order to deal with
important international law issues, particularly with the ius ad bellum and the ius in
bello norms.
 
For what ius ad bellum is concerned, primary problems are whether cyberwarfare is to be
considered use of the force according art. 2(4) UN Charter, whether it is to be considered an
armed attack under article 51 of the UN Charter and whether and under what conditions
cyberwarfare gives the right to self-defense.]
 
With regard to ius in bello cyberwarfare raises interesting problems regarding the possibility
to apply existing international humanitarian law (IHL) norms. As a matter of fact, at the time
of UN Charter drafting cyberwarfare or cyberspace did not exist and so the question whether
current international norms apply or whether new international norms are needed assumes a
great relevance.
 
On a regional scale, another key question is whether article 5 of the NATO treaty is to be
applied to cyberwarfare activities. Regarding international law, a very precious initiative was
undertaken by a group of experts invited by an international organization, the NATO
Cooperative Cyber Defense Centre of Excellence (NATO CCD COE), in order to create a
manual governing cyberwarfare. Even if the manual (so called “Tallinn Manual” is not an
official NATO document and expresses the view of the experts and not the views of NATO
CCD COE, its sponsoring nations, or NATO, it is a very important attempt to study
cyberwarfare based on customary and conventional international law and to propose some
clear rules of conduct.
 
The norms formulated by the experts consist in numbered rules and each rule is accompanied
by a short commentary. Comments to each rule indicate the relevant existing international
law norms and the interpretation process. The manual itself is written in a concise and clear
manner and allows following transparently the reasoning behind each interpretation and
formulation of rules.

Cyberattacks may be divided into three groups:

 
 The first group includes attacks where it is possible to differentiate easily between
victims and targets, on the one hand, and collateral victims and damages on the other.
 The second group comprises attacks where it is difficult to distinguish between
victims and targets and collateral victims and targets.
5
http://www.nyulawglobal.org/globalex/Cyberwarfare_Collateral_Damages.html
  Finally, the third group involves attacks targeting everything and everyone present on
a territory.6

The Stuxnet Case

The most famous is probably the Stuxnet case. This case took the name from the software
used. The worm was developed with a great investment in human resources and technology,
with the aim to sabotage Iran’s nuclear program with what would seem like a long series of
unfortunate accidents. However, authorship and attribution to a given state are not
certain. This virus infected a lot of computers in the entire world, but the researchers
discovered that the software had a specific target. Stuxnet “is not going after computers or
even Windows software in general, but a specific type of program used in Siemens’s
WinCC/PCS 7 SCADA control software; Stuxnet only broke nuclear centrifuges, which Iran
had illegally obtained to conduct illicit research. Moreover, it neither hurt nor killed anyone.”
 
Although this worm worked only with this specific software, it infected thousands of
computers. A lot of lawyers and researchers wondered about the ethics of this kind of attacks:
“at face value, Stuxnet seems incredibly indiscriminant. While limited in the scope of its
attacks compared to prior malware, this was a worm that still got around. It infected not just
targets in Iran but thousands of computers across the world that had nothing to do with Iran
or nuclear research. Many lawyers see this facet of cyber weapons as proof of their inherent
violation of “prevailing codes of international laws of conflict, as they go beyond just the
original target and deliberately target civilian personnel and infrastructure.” However,
affirming that a computer infected with an inactive virus is possible, nonetheless problematic.
 
The Estonian DDoS-Attacks
In 2007 many websites of banks, governments, universities and newspapers experienced
“Distributed Denial of Service.” For several hours the financial institutions found their
servers overwhelmed by requests generated by the botnets behind the attacks and the
commerce worrying slowed down. There is more than a hypothesis about this attack and the
evidence, confirmed, told the attack started from Russia, but there is no certainty about the
motivation. Again, there are problems with authorship and attribution of the attacks.
 
This case is emblematic with regards to the effects on the population: people had no
information, could not take money from the banks and could not perform other daily
activities. So with a simple DDoS attacks, the life and the economy of Estonia was stopped.
Compared to the Stuxnet attack, which resulted in damage to physical objects, the effects of
the DDoS were temporary.7
 

Review of literature
6
http://digitalcommons.law.yale.edu/cgi/viewcontent.cgi?article=4844&context=fss_papers
7
http://unidir.org/files/publications/pdfs/cyberwarfare-and-international-law-382.pdf
1) Cyberwarfare and collateral damages by- Edoardo E. Artese and valentin
vitkov
Where this article basically gave an introduction to the cyberwarfare and
the kinds of cyber weapons when and this basically deals with the
international issues where ever the attack has been initiated and where the
attack took place, where international law plays a major role.
Major example here stated was stuxnet.

2) Cyberwarfare and International law by – Nils Melzer

Kind of cyber operations where inter and intra state attacks are taken into
consideration and looking at the intent of the operation and the perons or the
involvement of the state and who all can be affected by it.

3) The law of cyber attack by – Oona A. Hathaway

This is basically the law of cyber attacks what it is basically and existing
conceptions. Where the international legal regimes that indirectly regulate
cyber attacks such as telecommunications aviation space and sea. New
laws and other legal frame works involved.