The Unique Characteristics of Cyber Weapons

"We must assume that cyberweapons will be used" in a war between great powers

From Panayotis A. Yannakogeorgos, National Interest:  Cyber events breaching the threshold of armed attack require the use of cyberweapons. These differ substantially from other malicious code. While a cyberweapon can be software designed to manipulate industrial control functions, it can also be hardware flaws introduced into critical systems. Due to the complexity of ICS, the skill level required to discover zero-day vulnerabilities, as well as the infrastructure required to find targets, gain access and execute the attack requires significant financial and human capital. To date, only Stuxnet has risen to the level of a cyber incident that could be considered an armed attack under international law, since it caused the physical destruction of objects. Although the Shamoon virus impacting the critical energy sector destroyed virtual records, these were restored without widespread destruction or physical injury. Given that the target of Shamoon was on business processes and not ICS systems, the incident did not rise to the level of a cyber attack.

Some argue that illicit system access could, at the flip of a switch, cause destruction, which is what makes cyber warfare “different.” This oft cited claim is groundless. Remote access tools (RAT), such as Gauss, could serve the same function as a laser guiding a weapon to the final target. But a targeting laser is only part of a weapons system. A missile’s warhead is the actual object in the weapon system creating destructive effects. Similarly, in the case of a cyberweapon, a separate package has to be developed to exploit vulnerabilities and cause physical effects resulting in death or destruction. Given the unique characteristics of an ICS, a cyberweapon could not create an effect without being tailor-made for a specific target’s digital and physical environment. In short, this requires ICS schematics, network maps, application developers, cryptographers and a virtual environment replicating the target to the sensor or weapons tests before deployment. Arguing otherwise is akin to making a claim that a SEAL commander would turn a reconnaissance mission on its first foray into Abbottabad into an all-out assault against the bin Laden compound, and expect a high likelihood of success. Both instances require diligent preparation prior to execution. . . .

Discussions of cyber crime and cyber espionage must be clearly separated from discussions of cyber warfare. While we are certainly in a cyber Cold War, we are not in an international armed conflict in cyberspace. By continuing to employ terms interchangeably the current discussion is drifting from issues of information security to issues of national security that warrant a military response. The paradigm required to address cyber crime and cyber espionage is not the same as that required to succeed in cyber warfare. Developing a clear distinction between various types of malicious cyber activity is critical as technologists and policy makers attempt to develop the means necessary to protect valuable information and critical infrastructure alike. The time for gross generalizations and sweeping assertions is at an end.

Cyber espionage, crime and war are very different and necessitate responses under different parts of the law. Consistency of definitions is essential. There cannot be a system of definitions for legal scholars and a conflicting system of definitions for the policy maker, technologist and layperson. It is on clear, common definitions and language that domestic policy and global norms of behavior will be built. Clarifying definitions will permit for the establishment of policy tools, such as escalatory ladders.

Embargo and trade sanctions might be the correct approach in milder cases of gross intellectual-property theft, and serve as a warning of severe penalties to come should something escalate from cyberespionage to attack. In the early hours of malicious cyber events, the United States should diplomatically address criminal disputes. Claiming all malicious actions as cyberwarfare could result in threats of retaliation that, in a real cyberwar, could be discounted as a bluff. Vigorously grasping the situation we are in, rather than fearfully reacting and making desperate pronouncements, will prevent misperception by our adversaries and the public alike.

We should not be concerned with cyberwarfare, but with war. If there is ever a war between great and emerging great powers, we must assume that cyberweapons will be used—and apply the Law of Armed Conflict to their use until a more formal treaty or convention can be negotiated, signed and ratified.

Panayotis A. Yannakogeorgos is Research Professor of Cyber Policy and Global Affairs at the Air Force Research Institute. The views expressed here are solely those of the author and do not in any way represent the views of the Air Force Research Institute, the Air University or the United States Air Force.