Cyber Security as an Emergent Infrastructure

Invited TalkWhen I began studying computer security in late 1972 as a Ph.D. student at Purdue University, the field was in its infancy. There were few academics working in the area, no research conferences or journals devoted to the field, and no professional societies to join. Security papers were presented at conferences and published in journals that covered more established areas of computer science, such as operating systems, or that treated computing and telecommunications broadly. The number of publications and Ph.D. theses relating to computer security was small enough that it was possible to read the entire literature. If there was any security industry at all, I was not aware of it

Cyber warfare and the law of armed conflict

This paper discusses cyber warfare and its intersection with the law of armed conflict. Cyberspace creates a unique battlefield with many challenges. This paper tackles four of these challenges: distinguishing warfare acts from criminal activities; what amounts to an armed attack in cyberspace that justifies a State’s right to selfdefence; target distinction; and direct participation in cyber hostilities. It is the author’s determination that the law of armed conflict does apply in cyberspace however two additional changes are needed for the traditional laws to have any practical effect. These two variations include the extension of the traditional criteria of armed attack to include severe data loss as tangible property damage; and reexamining the framework of direct participation

The status and use of computer network attacks in international humanitarian law.

The information revolution has transformed both modern societies and the way in which they conduct warfare. This thesis analyses the status of computer network attacks in international law and examines their treatment under the laws of armed conflict. A computer network attack is any operation designed to disrupt, deny, degrade or destroy information resident in computers and computer networks, or the computers and networks themselves. The first part of the thesis deals with a States right to resort to force and uses the U.N. Charter system to analyse whether and at what point a computer network attack will amount to a use of force or an armed attack, and examines the permitted responses against such an attack. The second part of the thesis addresses the applicability of international humanitarian law to computer network attacks by determining under what circumstances these attacks will constitute an armed conflict. It concludes that the jus in bello will apply where the perceived intention of the attacking party is to cause deliberate harm and the foreseeable consequence of the acts includes injury, death damage or destruction. In examining the regulation of these attacks under the Jus in bello the author addresses the legal issues associated with this method of attack in terms of the current law and examines the underlying debates which are shaping the modern laws applicable in armed conflict. Participants in conflicts are examined as increased civilianisation of the armed forces is moving in lock-step with advances in technology. Computer network attacks also present new issues for the law relating to targeting and precautions in attack which are addressed; objects subject to special protections, and their digital counterparts are also examined. Finally the thesis addresses computer network attacks against the laws relating to means and methods of warfare, including the law of weaponry, perfidy and the particular issues relating to digital property

Small states and the strategic utility of cyber capabilities

The information revolution has profoundly influenced the interaction between states in the twenty-first century. Networked computers have supported the operations of the global financial system, industrial services, and even the conduct of military operations. Due to this revolution, the level of dependence on networked technologies has risen exponentially following the evolution of the Internet. However, networked technologies have also exposed vulnerabilities that have been exploited by hostile actors to disrupt systems, infiltrate networks, and aggravate conflicts. While the academic literature on cybersecurity has substantially increased in the past decade, most scholars have focused their attention on the capabilities of great powers and strategic behaviour in cyberspace. Despite the cyber incidents involving Estonia and Georgia, as well as the proliferation of cyber capabilities among states, scholars have continued to overlook the relevance of small states in cyber interactions. The significance of this research gap is more prominent in the studies on the Asia-Pacific Region where a substantial amount of studies have focused on the foreign and security strategies of small states but very few have focused on the cyber dimension. This research gap is addressed by the study by exploring the strategic utility of cyber capabilities for small states in the region. More specifically, it addresses the puzzle: Why have small states developed cyber capabilities despite its obscure strategic value? On this, three additional questions are considered: What factors influence the development of cyber capabilities? What are the advantages and limitations of developing cyber capabilities? What are the implications of cyber capabilities on the foreign and security policies of small states? The primary objective of the study is to develop a more comprehensive understanding of the strategic utility of cyber capabilities as foreign policy instruments for small states. It hypothesises that two necessary conditions influence the development of cyber capabilities in small states: the balance of power in the Asia-Pacific (primary condition) and strategic culture (secondary condition). The interplay between these two conditions provides a stronger explanation regarding why small states develop cyber capabilities regardless of the ambiguity surrounding the strategic utility of cyber capabilities. Based this hypothesis, it draws on neoclassical realism as a theoretical framework to account for the interaction between systemic and the domestic variables. The study also pursues three secondary objectives. First, it aims to determine the constraints and incentives that affect the development of cyber capabilities. Second, the study evaluates the functionality of these cyber capabilities for small states. Lastly, it assesses the implications of cyber capabilities on the military strategies and foreign policies of selected small states

Cyber Security as an Emergent Infrastructure

From Bombs and Bandwidth: The Emerging Relationship between IT and Security (Robert Latham ed.), The New Press, 2003. (.pdf of prepublication version