9 research outputs found

    Towards Reversible Cyberattacks

    This paper appeared in the Proceedings of the 9th European Conference on Information Warfare and Security, July 2010, Thessaloniki, Greece. Warfare without damage has always been a dream of military planners. Traditional warfare usually leaves persistent side effects in the form of dead and injured people and damaged infrastructure. An appealing feature of cyberwarfare is that it could be more ethical than traditional warfare because its damage could be less and more easily repairable. Damage to data and programs (albeit not physical hardware) can be repaired by rewriting over damaged bits with correct data. However, there are practical difficulties in ensuring that cyberattacks minimize unreversible collateral damage while still being easily repairable by the attacker and not by the victim. We discuss four techniques by which cyberattacks can be potentially reversible. One technique is reversible cryptography, where the attacker encrypts data or programs to prevent their use, then decrypts them after hostilities have ceased. A second technique is to obfuscate the victim's computer systems in a reversible way. A third technique is to withhold key data from the victim, while caching it to enable quick restoration on cessation of hostilities. A fourth technique is to deceive the victim so that they mistakenly think they are being hurt, then reveal the deception at the conclusion of hostilities. We also discuss incentives to use reversible attacks such as legality, better proportionality, lower reparations, and easier ability to use third parties. As an example, we discuss aspects of the recent cyberattacks on Georgia. Approved for public release; distribution is unlimited.

    Cybersecurity: mapping the ethical terrain

    This edited collection examines the ethical trade-offs involved in cybersecurity: between security and privacy; individual rights and the good of a society; and between the types of burdens placed on particular groups in order to protect others. Foreword: Governments and society are increasingly reliant on cyber systems. Yet the more reliant we are upon cyber systems, the more vulnerable we are to serious harm should these systems be attacked or used in an attack. This problem of reliance and vulnerability is driving a concern with securing cyberspace. For example, a ‘cybersecurity’ team now forms part of the US Secret Service. Its job is to respond to cyber-attacks in specific environments such as elevators in a building that hosts politically vulnerable individuals, for example, state representatives. Cybersecurity aims to protect cyberinfrastructure from cyber-attacks; the concerning aspect of the threat from cyber-attack is the potential for serious harm that damage to cyber-infrastructure presents to resources and people. These types of threats to cybersecurity might simply target information and communication systems: a distributed denial of service (DDoS) attack on a government website does not harm a website in any direct way, but prevents its normal use by stifling the ability of users to connect to the site. Alternatively, cyber-attacks might disrupt physical devices or resources, such as the Stuxnet virus, which caused the malfunction and destruction of Iranian nuclear centrifuges. Cyber-attacks might also enhance activities that are enabled through cyberspace, such as the use of online media by extremists to recruit members and promote radicalisation. Cyber-attacks are diverse: as a result, cybersecurity requires a comparable diversity of approaches.
    Cyber-attacks can have powerful impacts on people’s lives, and so—in liberal democratic societies at least—governments have a duty to ensure cybersecurity in order to protect the inhabitants within their own jurisdiction and, arguably, the people of other nations. But, as recent events following the revelations of Edward Snowden have demonstrated, there is a risk that the governmental pursuit of cybersecurity might overstep the mark and subvert fundamental privacy rights. Popular comment on these episodes advocates transparency of government processes, yet given that cybersecurity risks represent major challenges to national security, it is unlikely that simple transparency will suffice. Managing the risks of cybersecurity involves trade-offs: between security and privacy; individual rights and the good of a society; and types of burdens placed on particular groups in order to protect others. These trade-offs are often ethical trade-offs, involving questions of how we act, what values we should aim to promote, and what means of anticipating and responding to the risks are reasonably—and publicly—justifiable. This Occasional Paper (prepared for the National Security College) provides a brief conceptual analysis of cybersecurity, demonstrates the relevance of ethics to cybersecurity and outlines various ways in which to approach ethical decision-making when responding to cyber-attacks.

    Breaking the Cyber-Security Dilemma: Aligning Security Needs and Removing Vulnerabilities

    Current approaches to cyber-security are not working. Rather than producing more security, we seem to be facing less and less. The reason for this is a multi-dimensional and multi-faceted security dilemma that extends beyond the state and its interaction with other states. It will be shown how the focus on the state and "its" security crowds out consideration for the security of the individual citizen, with detrimental effects on the security of the whole system. The threat arising from cyberspace to (national) security is presented as possible disruption to a specific way of life, one building on information technologies and critical functions of infrastructures, with relatively little consideration for humans directly. This non-focus on people makes it easier for state actors to militarize cyber-security and (re-)assert their power in cyberspace, thereby overriding the different security needs of human beings in that space. Paradoxically, the use of cyberspace as a tool for national security, both in the dimension of war fighting and the dimension of mass-surveillance, has detrimental effects on the level of cyber-security globally. A solution out of this dilemma is a cyber-security policy that is decidedly anti-vulnerability and at the same time based on strong considerations for privacy and data protection. Such a security would have to be informed by an ethics of the infosphere that is based on the dignity of information related to human beings.

    Cyber Humanitarian Interventions: The viability and ethics of using cyber-operations to disrupt perpetrators’ means and motivations for atrocities in the digital age

    In the contemporary digital age, mass atrocity crimes are increasingly promoted and organised online. Yet, little attention has been afforded to the question of whether proactive cyberspace operations might be used for human protection purposes. Beginning with the framework of the Responsibility to Protect (R2P), this thesis asks: How might cyber-operations be used ethically to protect populations from mass atrocity crimes? To answer this question, I introduce the concept of ‘cyber humanitarian interventions’, and argue that such measures can be used to disrupt potential perpetrators’ means and motivations for atrocities. Specifically, I contend that cyber humanitarian interventions can be used to frustrate potential perpetrators’ communication channels, logistical supply chains, and funding, as well as to stymie potential perpetrators’ desire for violence via online, targeted, tailor-made campaigns based on their big data. These capabilities can be used in an ethically acceptable manner, and thus ought to be pursued prior to the resort to other more forceful measures to protect. Moreover, and perhaps more controversially, I argue that, in some circumstances, there is a qualified responsibility to deceive potential perpetrators – via online disinformation – in order to fulfil responsibilities to protect. This thesis seeks to make three key contributions. First, it contributes to extant literatures on R2P, atrocity prevention, and cyberspace by offering cyber humanitarian interventions as a hitherto neglected tool for human protection. Second, it furthers ethical debates on atrocity prevention by providing an in-depth analysis of how cyber humanitarian interventions can be deployed ethically. Third, it challenges prevailing conceptions of disinformation by arguing that there is, in fact, a qualified responsibility to deceive potential perpetrators into not committing atrocities via online disinformation.
    In sum, this thesis aims to bring 21st century capabilities to bear on centuries-old crimes, and highlights cyber humanitarian interventions as a more peaceful, cost-effective, and politically palatable tool to protect vulnerable populations from mass atrocity crimes.

    The better angels of our digital nature?: Offensive cyber capabilities and state violence

    Cybersecurity en cybergovernanc

    Information Operations Under International Law: A Delphi Study Into the Legal Standing of Cyber Warfare

    The ever-growing interconnectivity of industry and infrastructure through cyberspace has increased their vulnerability to cyber attack. The lack of any formal codification of cyber warfare has led to the development of contradictory state practices and disagreement as to the legal standing of cyber warfare, resulting in an increased risk of damage to property and loss of life. Using the just war theory as a foundation, the research questions asked at what point cyber attacks meet the definition of use of force or armed attack under international law and what impediments currently exist in the development of legal limitations on cyber warfare. The research design was based on using the Delphi technique with 18 scholars in the fields of cyber warfare and international law for 3 rounds of questioning to reach a consensus of opinion. The study employed qualitative content analysis of survey questions during the first round of inquiry in order to create the questions for the 2 subsequent rounds. The first round of inquiry consisted of a questionnaire composed of 9 open-ended questions. These data were inductively coded to identify themes for the subsequent questionnaires that consisted of 42 questions that allowed the participants to rank their responses on a Likert-type scale and contextualize them using written responses. Participants agreed that a computer attack is comparable to the use of force or armed attack under international law, but fell short of clearly defining the legal boundaries of cyber warfare. This study contributes to social change by providing informed opinions by experts about necessary legal reforms and, therefore, provides a basis for greater legal protections for life and property.

    The Ethics of Cyberweapons in Warfare

    International Journal Cyberethics, Vol. 1, No. 1, 2009. We discuss the ethical issues of using cyberweapons, software that attacks data and other software during warfare. Many people assume these are relatively benign weapons, but we argue they can create serious harms like any weapon. We define cyberweapons and describe them in general terms, and survey their status as per the laws of war. We then discuss the unreliability of cyberweapons, the problem of collateral damage, and the associated problems of damage assessment, maintenance of secrecy, and mounting cybercounterattacks. We examine some possibilities for creating more ethical cyberweapons and discuss the alternative of cyber-blockades. We conclude that cyberattacks should generally be outlawed by international agreement. Approved for public release; distribution is unlimited.

    The Ethics of Cyberweapons in Warfare
