Autonomous Cyber Weapons and Command Responsibility

Autonomous cyber weapons have made their way onto the battlefield, raising the question of whether commanders can be held criminally responsible under command responsibility when war crimes are committed. The doctrine of command responsibility has a long history in international criminal law and comprises three core elements: the existence of a superior-subordinate relationship, the commander’s knowledge of the crime, and the commander’s failure to prevent or repress the subordinate’s criminal actions. This article unpacks the content of these elements and applies them to autonomous cyber weapons by treating them as being analogous to soldiers since they operate within an organized system of command and control. The article goes on to address the important question of whether autonomous cyber weapons as subordinates can commit crimes and then examines the element of causality for the purposes of command responsibility. This article also explains the nature of command responsibility and offers conclusions as to its utility in establishing accountability when war crimes are committed by autonomous cyber weapons

Is the responsibilization of the cyber security risk reasonable and judicious?

Cyber criminals appear to be plying their trade without much hindrance. Home computer users are particularly vulnerable to attack by an increasingly sophisticated and globally dispersed hacker group. The smartphone era has exacerbated the situation, offering hackers even more attack surfaces to exploit. It might not be entirely coincidental that cyber crime has mushroomed in parallel with governments pursuing a neoliberalist agenda. This agenda has a strong drive towards individualizing risk i.e. advising citizens how to take care of themselves, and then leaving them to face the consequences if they choose not to follow the advice. In effect, citizens are “responsibilized .” Whereas responsibilization is effective for some risks, the responsibilization of cyber security is, we believe, contributing to the global success of cyber attacks. There is, consequently, a case to be made for governments taking a more active role than the mere provision of advice, which is the case in many countries. We conclude with a concrete proposal for a risk regulation regime that would more effectively mitigate and ameliorate cyber risk

Crime scripting: A systematic review

The file attached to this record is the author's final peer reviewed version.More than two decades after the publication of Cornish’s seminal work about the script-theoretic approach to crime analysis, this article examines how the concept has been applied in our community. The study provides evidence confirming that the approach is increasingly popular; and takes stock of crime scripting practices through a systematic review of over one hundred scripts published between 1994 and 2018. The results offer the first comprehensive picture of this approach, and highlights new directions for those interested in using data from cyber-systems and the Internet of Things to develop effective situational crime prevention measures

Autonomous cyber weapons and command responsibility

Autonomous cyber weapons have made their way onto the battlefield, raising the question of whether commanders can be held criminally responsible under command responsibility when war crimes are committed. The doctrine of command responsibility has a long history in international criminal law and comprises three core elements: the existence of a superior-subordinate relationship, the commander’s knowledge of the crime, and the commander’s failure to prevent or repress the subordinate’s criminal actions. This article unpacks the content of these elements and applies them to autonomous cyber weapons by treating them as being analogous to soldiers since they operate within an organized system of command and control. The article goes on to address the important question of whether autonomous cyber weapons as subordinates can commit crimes and then examines the element of causality for the purposes of command responsibility. This article also explains the nature of command responsibility and offers conclusions as to its utility in establishing accountability when war crimes are committed by autonomous cyber weapons

Software Engineering Challenges for Investigating Cyber-Physical Incidents

Cyber-Physical Systems (CPS) are characterized by the interplay between digital and physical spaces. This characteristic has extended the attack surface that could be exploited by an offender to cause harm. An increasing number of cyber-physical incidents may occur depending on the configuration of the physical and digital spaces and their interplay. Traditional investigation processes are not adequate to investigate these incidents, as they may overlook the extended attack surface resulting from such interplay, leading to relevant evidence being missed and testing flawed hypotheses explaining the incidents. The software engineering research community can contribute to addressing this problem, by deploying existing formalisms to model digital and physical spaces, and using analysis techniques to reason about their interplay and evolution. In this paper, supported by a motivating example, we describe some emerging software engineering challenges to support investigations of cyber-physical incidents. We review and critique existing research proposed to address these challenges, and sketch an initial solution based on a meta-model to represent cyber-physical incidents and a representation of the topology of digital and physical spaces that supports reasoning about their interplay

ASEAN and the non-traditional regional security agenda

Without a doubt, the whole area of non-traditional security – whether it be threats, issues or challenges (the three are more or less used interchangeably in ASEAN statements and documents on the subject) – has come to occupy a prominent place on the regional security agenda in recent years.1 This is very much in keeping with the ‘widening’, or ‘broadening’, of the security agenda which has occurred internationally in both the academic literature and, crucially, in the policy sphere

The economic impact of cybercrime and cyber espionage

Introduction Is cybercrime, cyber espionage, and other malicious cyber activities what some call “the greatest transfer of wealth in human history,” or is it what others say is a “rounding error in a fourteen trillion dollar economy?” The wide range of existing estimates of the annual loss—from a few billion dollars to hundreds of billions—reflects several difficulties. Companies conceal their losses and some are not aware of what has been taken. Intellectual property is hard to value. Some estimates relied on surveys, which provide very imprecise results unless carefully constructed. One common problem with cybersecurity surveys is that those who answer the questions “self-select,” introducing a possible source of distortion into the results. Given the data collection problems, loss estimates are based on assumptions about scale and effect— change the assumption and you get very different results. These problems leave many estimates open to question. The Components of Malicious Cyber Activity In this initial report we start by asking what we should count in estimating losses from cybercrime and cyber espionage. We can break malicious cyber activity into six parts: The loss of intellectual property and business confidential information Cybercrime, which costs the world hundreds of millions of dollars every year The loss of sensitive business information, including possible stock market manipulation Opportunity costs, including service and employment disruptions, and reduced trust for online activities The additional cost of securing networks, insurance, and recovery from cyber attacks Reputational damage to the hacked company Put these together and the cost of cybercrime and cyber espionage to the global economy is probably measured in the hundreds of billions of dollars. To put this in perspective, the World Bank says that global GDP was about $70 trillion in 2011. A$400 billion loss—the high end of the range of probable costs—would be a fraction of a percent of global income. But this begs several important questions about the full benefit to the acquirers and the damage to the victims from the cumulative effect of cybercrime and cyber espionage