Inside Cyber Warfare
Defense Criminal Investigative Services (DCIS) Investigates matters relating to terrorism, prevents the illegal transfer of sensitive defense technology, stops cyber crime and computer intrusions, and investigates cases of fraud, bribery, and corruption.
DOD Cyber Crime Center (DC3) Provides criminal, counterintelligence, counterterrorism, and fraud-related computer forensics support to the defense criminal investigative organizations.
Delivers cyber technical training.
Processes digital evidence and analyzes electronic media for criminal law enforcement and DOD counterintelligence investigations and activities.
Performs investigations and provides forensic training to DOD members to ensure that information systems are secure from unauthorized use.
[212] JS J6 has been disestablished as per the DOD Efficiencies Study: Networks and Information Integration (NII) and J6 Disestablishments (FY 2012, $13 million, FYDP, $65 million): Transfers acquisition program oversight responsibilities from the Assistant Secretary of Defense for Networks and Information Integration (ASD(NII)) to the Under Secretary of Defense for Acquisition, Technology, and Logistics (USD (AT&L)) and all remaining NII responsibilities to the DoD Chief Information Officer (CIO). The Joint Staff will transfer its J6 (Command, Control, Communications, and Computer Systems) funding and manpower to the DoD CIO and the US Cyber Command beginning in FY 2012.
[213] See the note above about disestablishment of the JS J6 and the passing of functions from the ASD/NII to the DOD CIO.
[214] IO responsibilities have passed from Ms. Rosemary Wenchal at OUSD(I) to Mr. Austin Branch at OUSD(P).
Chapter 18. Active Defense for Cyber: A Legal Framework for Covert Countermeasures
[T]he United States reserves the right, under the law of armed conflict, to respond to serious cyberattacks with an appropriate, proportional, and justified military response.
-William J. Lynn, III, "The Pentagon's Cyberstrategy, One Year Later," Foreign Affairs, September 28, 2011
By Catherine Lotrionte[215]
During the Cold War, the United States and the Soviet Union constantly maneuvered to achieve superiority and to counter and deter any aggressive moves by each other. When one nation was perceived to overstep its bounds, the other would signal its discontent by moving aircraft carrier groups, conducting military exercises, pursuing diplomatic engagement, seeking sanctions from the United Nations Security Council, enforcing embargoes, and even conducting proxy wars. These signals may well have prevented a nuclear exchange that would have resulted in the loss of many innocent lives and possibly a world war.
Today, when the threat of cyber conflict among nations is a reality, signaling is just as important if not more so because of the global connectivity of the Internet and its links to nations' critical infrastructure assets. This chapter presents one type of signaling: the use of covert counter cyber strikes. The use of such measures would be an element of the US active defense strategy in cyberspace, carried out either by the United States directly or third parties on its behalf, and subject to the international laws relating to the recourse to the use of force and the laws of armed conflict where applicable. While the language used by the Department of Defense in discussing its cyber strategy focuses on the defensive aspect of the overall strategy, the notion of active defense involves offensive measures.[216] Active defense measures, however, use offensive means in order to defend against and neutralize a threat. The purpose of using a cyber counterattack is to stop a specific, immediate, or ongoing cyber threat rather than retaliate with a strategic purpose. It is offensive action for a defensive purpose.[217]
This chapter will examine the use of counter cyber strikes as a model for the United States' operations in cyberspace. This model is one approach that would allow the United States to wage an asymmetric fight that spans the global commons while abiding by the rules of international law. It provides the United States an option for dealing with the critical issue of nonstate actors and state proxies engaging in cyber conflict against the United States. This model is not the exclusive one that has been offered, nor should it be the only one considered by the United States. Others have been offered that could shed light on effective methods for the United States to defend against cyber attacks, including a model that looks at deterrence, a nuclear weapons model of mutually assured destruction, as well as the model of strategic air power.[218] To date, however, not enough attention or writing has focused on the use of direct or indirect counter cyber strikes as an element of active cyber defense.
In 2008, in the testimony by the then-Director of National Intelligence J. Michael McConnell before the Senate Select Committee on Intelligence, McConnell underscored the need for the United States "to take proactive measures to detect and prevent [cyber] intrusions from whatever source, as they happen, and before they can do significant damage." His testimony highlighted the inadequacy of hardening assets and utilizing passive defenses alone as defensive strategies for the United States. The inadequacy of passive defenses suggests that the national debate over cyber security must necessarily include considering attack options for defensive purposes. In other words, if passive defense is insufficient to ensure security, an approach to eliminate or degrade an adversary's ability to successfully prosecute an attack may be warranted. The use of covert action within an active defense framework may increase the success of neutralizing the threat, maintaining deniability while at the same time complying with international norms of self-defense.
Precedent exists for the United States' active defense, as it incorporated such methods to deter its adversaries' aggressive actions during the Cold War. In the 1970s, while the United States initially showed restraint in developing anti-satellite weaponry, it quickly moved to a more offensive posture when the Soviet Union attacked three US satellites in 1975. The Soviets' aggressive acts led President Ford to sign the National Security Decision Memorandum No. 345, directing the Department of Defense (DoD) to develop an operational anti-satellite capability allowing for US-based counterattacks against both private and government-sponsored aggressors.[219] As the Cold War ended and new threats emerged from nonstate actors, the United States adopted an active defense approach in its counterterrorism cyber operations, launching a number of offensive counter cyber attacks against Al Qaeda and Jihadi systems and services.[220]
By 1996, the US government clarified some of the lingering questions surrounding its right to launch both physical and cyber counter attacks against cyber aggressors who compromised the ability of US-owned cyber systems. On September 14, 1996, President Clinton signed Presidential Decision Directive/National Science and Technology Council-8, defining US national space policy. The policy identified key space activities to be conducted in the interest of US national security, including offensive action to protect US space assets.[221] Following the creation of the National Space Policy, Secretary of Defense William S. Cohen issued Department of Defense Directive 3100.10, identifying policies relating to military space control and stating, "Purposeful interference with US space systems will be viewed as an infringement on US sovereign rights. The US may take all appropriate self-defense measures, including . . . the use of force, to respond to such an infringement on US rights."[222] Similarly, in 2010, the Department of Defense in its Quadrennial Defense Review document made it clear that in order to operate effectively in cyberspace, the United States needs "improved capabilities to counter threats in cyberspace," including actively defending its own networks.[223]
In July 2011, the Department of Defense released its Cyber Strategy, which underscored the United States' right to conduct cyber counterattacks against aggressors.[224] An example of this type of active defense was shown in the 2006 US cyber attack against the Al Qaeda network of jihadist websites.[225] The United States is not alone in supporting the use of counter cyber attacks. There have been reports that the UK may have taken down Inspire, a terrorist website.[226] The Israelis have also conducted "denial of service" attacks against Palestinian National Authority websites.[227]
Cold War fears of communist world conquest have been replaced by concerns about the dangers to international peace and security from worldwide jihadism, the acquisition of weapons of mass destruction (WMD) by rogue states and nonstate actors, and the emergence of a new breed of cyber warriors willing to provide their services to states and nonstate actors. With the emergence of terrorism, the proliferation of WMD, and, more recently, cyber warriors with international ramifications as new sources of threats to national security, the United States, like other nations, has been forced to contemplate and develop new strategies and tactics for its national defense. The US intelligence community continues to play an important role in that regard, and today it must do so by supporting the broader US defense efforts against these new threats. The rest of this chapter focuses on the use of covert action as one method for deterring those who would conduct cyber attacks against the United States and its critical assets.
Covert Action
In 1996, in its final report, the Aspin-Brown Commission emphasized the need for a continuing covert action capability, even after the end of the Cold War. It stated, "in 1975, the Rockefeller Commission investigated alleged abuses in certain covert action programmes and concluded that there were 'many risks and dangers associated with covert action, but we must live in the world we find, not the world we might wish. Covert action cannot be abandoned, but should be employed only where clearly essential to vital US purposes and then only after a careful process of high level review'." In an age of proliferated threats, where states are no longer the only adversaries and there is no certain target for attribution, covert action may prove to be even more important to the United States' ability to protect national security.
By law, covert actions are those activities of the US government to influence political, economic, or military conditions abroad, where it is intended that the role of the US government will not be apparent or acknowledged publicly.[228] This can cover a wide range of activities in foreign countries, including political advice to foreign persons or organizations, financial support and assistance to foreign political parties, propaganda, and paramilitary operations designed to overthrow foreign regimes or capture and detain operations against foreign terrorists. Covert action does not include "activities the primary purpose of which is to acquire intelligence, traditional counterintelligence activities, traditional activities to improve or maintain the operational security of United States Government programs, or administrative activities."[229] Traditional military activities are also excluded from the scope of covert action.[230]
Covert action is conducted in support of US foreign policy objectives, as well as when the president has determined that the use of covert action is necessary for US national security. It is done on the assumption that the link between the activities and the US government can be kept secret. Executive Order 12333 makes the CIA the lead, though not exclusive, agency with authority for covert actions.[231] If the president determines that another agency, for example the NSA, is better suited to achieve a particular operational objective, he may direct that agency to conduct the covert action. No matter which government agency is responsible for its planning and execution, however, the legal definition of that term applies equally to those elements of the US government. Covert cyber actions could be of two general types: (1) propaganda and disinformation that would come under psychological operations; and (2) actions to paralyze the computer networks of target countries or nonstate actors supporting the critical elements of the target country.
[215] This is a guest chapter by my friend and colleague, Professor Catherine Lotrionte, Visiting Assistant Professor and Executive Director, Institute for Law, Science and Global Security, Georgetown University. In my opinion, Professor Lotrionte's work in her field of international law and global security is among the very best in the world today.
[216] US Department of Defense, "Department of Defense Strategy for Operating in Cyberspace," July 2011. ("Active cyber defense is DoD's synchronized, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities. It builds on traditional approaches of defending DoD networks and systems, supplementing best practices with new operating concepts. It operates at network speed using sensors, software, and intelligence to detect and stop malicious activity before it can affect DoD networks and systems. As intrusions may not always be stopped at the network boundary, DoD will continue to operate and improve upon its advanced sensors to detect, discover, map, and mitigate malicious activity on DoD networks.")
[217] National Research Council, Technology, Policy, Law, and Ethics Regarding US Acquisition and Use of Cyberattack Capabilities, 1011 (2009), pp. 246.
[218] Martin C. Libicki, Cyberdeterrence and Cyberwar (Rand Publishing), p. 39; Greg J. Rattray, Strategic Warfare in Cyberspace (MIT Press), p. 77.
[219] Christopher M. Petras, "The use of force in response to cyber-attack on commercial space systems-reexamining 'self-defense' in outer space in light of the convergence of US military and commercial space activities," Journal of Air Law and Commerce 67, no. 4 (Fall 2002): 1213-1263, 1224.
[220] Maura Conway, "Terrorism and the Internet: New Media-New Threat," Parliamentary Affairs 59(2) (2006): 283-298, 295.
[221] The White House, Fact Sheet On National Space Policy Review, National Security Presidential Directive/NSPD-15, June 28, 2002, p. 1.
[222] US Department of Defense, Department of Defense Directive 3100.10, Space Policy, July 9, 1999, pp. 67. This document may be found at the Washington Headquarters Services website at http://www.dtic.mil/whs/directives.
[223] US Department of Defense, 2010 Quadrennial Defense Review, p. ix.
[224] US Department of Defense, Department of Defense Strategy for Operating in Cyberspace, July 2011.
[225] Bruce Hoffman, "The Use of the Internet by Islamic Extremists," Testimony presented to the House Permanent Select Committee on Intelligence on May 4, 2006, Santa Monica, CA: RAND, 2006; David A. Fulghum, "Digits of Doom," Aviation Week & Space Technology 167, no. 12, September 24, 2007.
[226] Ellen Nakashima, "List of cyber-weapons developed by Pentagon to streamline computer warfare," Washington Post, May 31, 2011.
[227] P. D. Allen, "The Palestinian-Israeli Cyber War," Military Review (March-April 2003): 52-59, 52.
[228] National Security Act of 1947, 50 U.S.C. section 413(b)(e)(2006).
[229] Id. section 413b(e)(1).
[230] Id. section 413b(e)(2) (this does not preclude the NSA from being the sole agency responsible for a cyber covert action).
[231] Executive Order No. 12333, section 1.8(e), 3 C.F.R. 200, 205 (1982) (providing that no agency other than the CIA may conduct covert action "unless the President determines that another agency is more likely to achieve a particular objective").
Cyber Active Defense Under International Law
Cyber capabilities and vulnerabilities raise tremendously important international legal questions. What are permissible uses of offensive cyber capabilities? What legal authority do states have to respond to cyber attacks or cyber threats by states or nonstate actors? Can states legally employ third parties to conduct cyber operations in self-defense of the state? In order to know when the United States may legally use active defensive measures against an adversary, it is necessary to have a clear understanding of the legal regime and norms governing a nation's use of force to launch a counterattack against a cyber aggressor. In defining the legal issue, it is important to determine what constitutes an adversarial "armed attack" in cyberspace. While there is no clear statement in international law that outlines legally acceptable or unacceptable cyber defensive actions, there are legal principles and past state practices that establish the right to counter a cyber attack as a valid legal response to acts of aggression.
Since 1945 when the UN Charter was ratified, the international legal regulation of the use of force has been based on Article 2(4) of the UN Charter. This provision directs that "all Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations."[232] Article 51 of the UN Charter provides that "nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations."[233] Although there is debate about the scope of the Article 51 right of defense, it is generally accepted that Article 51 establishes an exception to the absolute prohibition on the use of force set forth in Article 2(4).[234] Furthermore, it is widely accepted that "armed attack" is understood to be something that rises beyond the threshold of a use of force as meant in Article 2(4).[235] With respect to active cyber defense and the UN Charter, therefore, two major issues emerge. First, for purposes of Article 2(4), are there cyber attacks that rise to the level of a use of force? Second, for purposes of Article 51, can cyber attacks be equivalent to an armed attack that would give rise to a state's right to use lethal force in response? This latter question relates to the issue of what remedies are available to a state that is the victim of a cyber attack or that faces the imminent threat of a cyber attack.
Among international legal scholars there have been disagreements as to the exact meaning of the terms "use of force" and "armed attack" within the UN Charter.[236] Especially within the context of cyber activities, there will likely remain different interpretations of these key phrases, where cyber attacks can range in similarities from kinetic military force, economic coercion, espionage, or even subversion. In testimony at his confirmation hearings before the Senate, Lieutenant General Keith Alexander explained, "there is no international consensus on a precise definition of a use of force, in or out of cyberspace. Consequently, individual nations may assert different definitions, and may apply different thresholds for what constitutes a use of force."[237] Some scholars and policymakers have emphasized the need for clarity in the interpretation of Article 2(4) and Article 51 as they apply to cyber attacks.[238] For government officials considering the use of active cyber defense measures, clarity on these issues would be critical. Government officials need to know the legal bounds of the actions that they are contemplating.[239]
In July 2011 the US government publicly articulated a general position on cyber attacks and Article 2(4) and Article 51, and the Department of Defense unveiled its unclassified version of its Cyber Strategy.[240] While the unclassified version was general in its descriptions of DoD initiatives to counter cyber threats, a discussion of the strategy in a Wall Street Journal article, in which US military officials were cited as sources, provided the more interesting context to the US position on cyber attacks and the UN Charter provisions. According to the sources, the Pentagon has articulated the concept of "equivalence" to decide when a cyber attack would trigger a conventional response.[241] If a cyber attack were to result in death, damage, or a high level of disruption similar to that of a conventional military attack, then it could be grounds for a conventional response. In releasing the strategy, Deputy Defense Secretary William Lynn stated, "The United States reserves the right, under the laws of armed conflict, to respond to serious cyber attacks with a proportional and justified military response at the time and place of its choosing." Through its announced strategy, the US government has clarified its thinking on cyber attacks and Article 2(4) and Article 51 of the UN Charter. There could be cyber attacks against the United States and its infrastructure (i.e., the electric grid) that the government would interpret as "armed attacks," therefore triggering the right to respond with force, through conventional or cyber means. Both academic and policy experts have supported this idea of assessing the legality of cyber attacks based on the effects of the actions taken.[242]
[232] UN Charter, article 2, paragraph 4.
[233] Id. Article 51.
[234] Anthony Clark Arend and Robert J. Beck, International Law and the Use of Force (Routledge).
[235] Military and Paramilitary Activities in and Against Nicaragua (Nicaragua v. United States of America) International Court of Justice 14, (June 27, 1986): 202.
[236] Tom J. Farer, "Political and Economic Coercion in Contemporary International Law," American Journal of International Law 79 (1985): 405.
[237] Advance Questions for Lieutenant General Keith Alexander, USA Nominee for Commander, United States Cyber Command: Before the US Armed Services Committee, 111th Congress 11 (April 15, 2010).
[238] James A. Lewis, "Multilateral Agreements to Constrain Cyberconflict," Arms Control Today, June 2010, p. 16.
[239] Christopher C. Joyner and Catherine Lotrionte, "Information Warfare as International Coercion: Elements of a Legal Framework," European Journal of International Law 12 (2001): 825, 863-64.
[240] US Department of Defense, Department of Defense Strategy for Operating in Cyberspace, July 2011.
[241] Siobhan Gorman and Julian E. Barnes, "Cyber Combat: Act of War," Wall Street Journal, May 31, 2011.
[242] Michael Schmitt, "Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework," Columbia Journal of Transnational Law 37 (1999): 885, 914-15; NRC Committee Report, at 3334; Richard A. Clarke and Robert K. Knake, Cyber War: The Next Threat to National Security and What to Do About It (Ecco), p. 178; James A. Lewis, "Multilateral Agreements to Constrain Cyberconflict," Arms Control Today, June 2010, p. 16.
Cyber Active Defenses as Covert Action Under International Law
At times states have determined that, when faced with an aggressive adversary, overt military engagement against the adversary would not be the best, most effective, or appropriate means to counter the threat. If diplomatic efforts have failed and military engagement is ruled out, covert measures may provide policymakers with a third option that would be legally justified and effective in countering the threat and protecting national security. If, for example, the United States was the victim of ongoing cyber attacks from a foreign adversary, and the president determined that the attacks were of such a scope, duration, or intensity that the country needed to act in self-defense, he could authorize the use of covert action to neutralize the threat. This would be done without initiating overt military hostilities against the adversary. Such offensive measures conducted during a time of peace (i.e., no acknowledged armed conflict) would be justified under a self-defense argument under Article 51 of the UN Charter.
According to press reports, the US government may have already considered the use of "preemptive cyber-strikes" designed under certain circumstances to knock out adversaries' computer systems and networks that are perceived as hostile.[243] In 2009 the Stuxnet worm that targeted Iranian nuclear facilities and caused the shutdown of 1,000 centrifuges at Iran's Natanz nuclear fuel enrichment plant may be the most recent and controversial example of a defensive "preemptive cyber-strike" against a perceived threat. The legality of the use of the Stuxnet worm that targeted the SCADA systems of Iran would depend on the factual basis for the justification to use force against Iran, and whether the use of the Stuxnet worm (i.e., its consequences) was proportionate to the threat. Knowing the consequences of a cyber strike in advance to assess proportionality may be challenging because of the high interconnectedness of information systems, which can make indirect secondary or tertiary effects of cyber attacks more consequential than the direct ones.[244]
Looking beyond the legal analysis of the Stuxnet worm to its cumulative effect, it clearly sent a signal to Iran that its development of nuclear weapons is perceived as an aggressive action that is not condoned. Importantly, the Stuxnet worm was a covert defensive step, avoiding the need to use military force against a nuclear plant and potentially escalating conflict. As former NSA General Counsel Stewart Baker stated, "It's the first time we've actually seen a weapon created by a state to achieve a goal that you would otherwise have used multiple cruise missiles to achieve."[245] Furthermore, where the factual basis for asserting a violation of Article 2(4) and justifying self-defense against cyber attacks may be subject to uncertainty, debate, and lack of verifiability, states may find it more effective to act in self-defense in a covert manner, avoiding the challenges of publicly defending their actions.
There are some basic principles we can devise about the legality of cyber covert action. First, the international laws related to the recourse to the use of force and the UN Charter apply to covert action in cyberspace (regardless of which US government entity is conducting the covert action). Second, the laws of armed conflict, which regulate the manner in which hostilities can legally be waged, also apply to any US covert action involving the use of cyber attacks during armed conflict. During an acknowledged armed conflict, the laws and customs of armed conflict would govern cyber covert action: military necessity, proportionality, distinction, discrimination, chivalry. In other circumstances where a cyber covert action was conducted in less than acknowledged armed conflict, the legal status of a cyber attack would be judged primarily by its effects, regardless of the means or which entity conducted the action. This assessment would be based on the criteria set forth by the UN Charter.
[243] Ellen Nakashima, "US Eyes Preemptive Cyber-Defense Strategy," Washington Post, August 29, 2010, A15.
[244] Ellen Nakashima, "The Dismantling of Saudi-CIA Web Site Illustrates Need for Clearer Cyberwar Policies," Washington Post, March 19, 2010.
[245] Christopher Dickey et al., "The Shadow War," Newsweek, December 20, 2010, p. 28, p. 31 (quoting Stewart Baker).
Cyber Attacks Under International Law: Nonstate Actors
International law presumes that armed conflict is initiated only at the direction of governments and not by private groups or individuals. Governments are the entities that maintain armed forces to participate in armed conflict, and those forces remain under the control and direction of the government. In the age of the Internet, however, nonstate actors such as "hacktivists" or patriotic hackers have complicated the legal landscape. During times of conflict or political tension between states, some members of a state's citizenry may be motivated to support the country's war effort or political position by taking direct action. Hacktivists or patriotic hackers are private citizens skilled in cyber attack capabilities who can, on their own, initiate a cyber attack against another state. They can do this without the consent, direction, or control of the state's government. There have been incidents, however, where it is suspected that hacktivists were encouraged and assisted by the state. For example, when Estonia was subject to "denial of service" attacks in 2007 that disrupted government and commercial functions for weeks, evidence linked the Russian government to the attacks. The Russian government, however, denied any involvement, even though the evidence suggested that the Russian government may have encouraged "patriotic hackers" to conduct the attacks.[246] There are also reports that China is similarly relying on unofficial, semi-private hackers to carry out cyber attacks, while the government denies its involvement. According to Verisign's iDefense lab, which investigated the attacks against Google in 2010, the IP addresses of the attack "correspond to a single foreign entity consisting either of agents of Chinese state or proxies thereof."[247]
Under international law, if patriotic hackers carry out a cyber attack against another state that rises to the level of an "armed attack," the victim state has the legal right, acting in self-defense, to use force against those hackers located within the state. In 1980 the International Court of Justice in the US v. Iran case held that the actions of a state's citizens can be attributed to the government if the citizens "acted on behalf on [sic] the State, having been charged by some competent organ of the Iranian State to carry out a specific operation."[248] The court also found that the Iranian government was responsible because it was aware of its obligations under international law to protect the US embassy and its staff, knew of the embassy's need for help, had the means to assist the embassy, and failed to comply with its obligations.
Proving a link among nonstate actors, hacktivists, and the government may be difficult, impossible, or take too long to confirm in order for legal authority to take swift action. Under such circumstances, states may choose to exercise the right of self-defense in a covert manner, carrying out counter cyber measures directly or through other parties. Depending on the circumstances, a state may choose to carry out the covert action on its own through its intelligence or military forces, or it may choose an indirect avenue of having surrogates conduct the covert action. Delegating the right to others to act in a state's self-defense has benefits as well as costs, and it ought to be considered carefully by policymakers. During the Cold War, for example, surrogate forces waged the major battles between the superpowers.
International law and state practice have established a state's right of active defense against those states that conduct cyber attacks directly or wage their cyber attacks through loose affiliates or proxies. As of today, the United States does not have a clear strategy for active defense in response to states that pursue aggressive cyber attacks against it. A credible counter proxy strategy needs to be constructed to signal to those states that use cyber proxies against the United States that it will not be without consequences. Such a signal could help to deter these states in their aggressive cyber actions.
A credible active defense strategy that incorporated counter proxy measures would likely need to have an overt as well as a covert component. The overt component would relate to extending political, moral, and diplomatic support to the elements of those states that struggle against the regimes. The covert component, likely never to be discussed publicly, would be integral to the success of preventing and deterring states from using cyber attacks to harm US national security. Legally justified as self-defense under the UN Charter and customary international law, the covert component would also need to be executed in a proportionate manner to the threat.
[246] Charles Clover, "Kremlin-Backed Group Behind Estonia Cyber Blitz," Financial Times, March 11, 2009, p. 8.
[247] Tania Branigan and Kevin Anderson, "Google Attacks Traced Back to China, Says US Internet Security Firm," The Guardian, January 14, 2010.
[248] United States Diplomatic and Consular Staff in Tehran (US v. Iran), International Court of Justice 3 (May 24, 1980), 29. The issue of state responsibility for nonstate actors was also an issue in the ICJ Nicaragua litigation where the court concluded that in order for the actions of the nonstate actors to be attributable to the state, the state had to have "effective control" over the nonstate actors. More recently in the Prosecutor v. Tadic case, the international tribunal held that a foreign state's overall control, rather than effective control, of a nonstate military organization may render that state responsible for acts of the organization. Prosecutor v. Tadic, Case No. IT-94-1-A, Judgment on Appeal, pp. 115162 (International Criminal Tribunal for the Former Yugoslavia, July 15, 1999).