Äîêóìåíò âçÿò èç êýøà ïîèñêîâîé ìàøèíû. Àäðåñ îðèãèíàëüíîãî äîêóìåíòà : http://iisi.msu.ru/UserFiles/File/bayern2014/Forum_1.pdf
Äàòà èçìåíåíèÿ: Wed Jan 28 17:16:33 2015
Äàòà èíäåêñèðîâàíèÿ: Sat Apr 9 22:56:47 2016
Êîäèðîâêà:


2014

Titles.indd d Forum_1.indd Forum_1.in1 d 1

06.10.2014 22.10.2014 13:40 22.10.201419:55:48:08 13:40:08


Eighth International Forum «Partnership of State Authorities, Civil Society and the Business Community in Ensuring International Information Security» Ninth Scientific Conference of the International Information Security Research Consortium

April 21­24, 2014 Garmisch-Partenkirchen, Munich, Germany

Forum_1.indd Forum_1.indd 2 Titles.indd 2

22.10.2014 13:40 22.10.2014 19:55:48:11 06.10.2014 13:40:11

Titles


«

, »





21­24 2014 -,

Forum_1.indd Forum_1.indd 3 Titles.indd 3

22.10.2014 13:40 22.10.2014 19:55:49:12 06.10.2014 13:40:12


327;930.22;007 66.4;73 78

« 78 , » 21­24 2014 . -, . -- .: , 2014. -- 288 . ISBN 978-5-19-011008-1 « , » , , . : , , , , , , , .
327;930.22;007 66.4;73

ISBN 978-5-19-011008-1 © , 2014

© , 2014

Forum_1.indd Forum_1.indd 4

22.10.2014 13:40:12 22.10.2014 13:40:12




... : « , » .............................................................................. 8 V.P.Sherstyuk. Opening Remarks: On Agenda and Challenges of the Forum «State, Civil Society and Business Partnership on International Information Security ................................................ 14 ... , « , » ................... 19 S.M.Buravlev. Welcome Address to organizers, participants and guests of the VIII International Forum «State, Civil Society and Business Partnership on International Information Security» ...................... 22 (Charles Barry). : .... 25 Dr. Charles (Chuck) Barry. Challenges in the Protection of Critical InfrastructureSystems Reliability in the Digital Age ...................... 40 ... ................................................................................ 52 Dr. A.A.Streltsov. Focal Areas in Development of International Law of Armed Conflict in the Context of Cyberspace .......................... 62 (Gao Hui). ...................................................... 71 Gao Hui. Applicability of the Law of Armed Conflict in Cyberspace . 75 .., .., .., ... - «» ............................ 79 I.N.Dylevskiy, V.O.Zapivakhin, S.A.Komov, A.N.Petrunin. Adaptation of international legal concept of "aggression" to the specifics of information space .......................................................................... 91 ... - - : ......................................... 101 5

Forum_1.indd Forum_1.indd 5

22.10.2014 13:40:12 22.10.2014 13:40:12


N.V.Sokolova. On international legal aspects of the use of information and communication technologies: the experience of the UN Group of Governmental Experts on international information security .......................................................................................... 107 (Xu Longdi). , «» .............................................. 113 Xu Longdi. Factors Influencing the Definition of `Cyber Warfare' ..... 118 ... ..................................................... 122 P.L.Pilyugin. Challenges of creating the technical control means for observance of future international law norms for cyberspace ........ 134 (Laurent Gisel). ?................................... 144 Laurent Gisel. How does international humanitarian law constrain cyber warfare and protect civilians?............................................... 156 (Pal Wrange) ........................ 166 PÅl Wrange. Intervention in national and private cyberspace and international law ............................................................................ 173 (Sanjay Goel). ............................................. 179 Sanjay Goel (Sandro Bologna) Adaptation of International Law to Cyber Conflict ............................................................................... 188 (Sandro Bologna) ................................ 195 Dr. Sandro Bologna. Cyber Security and Resilience of Industrial Control Systems ............................................................................ 207 ... ............................... 218 A.N.Kurbatskiy. Personal information security and the rules of conduct in information space ...................................................................... 225 (Keir Giles) - ............................................................................................. 231 Keir Giles. Legitimation of Online Surveillance and Monitoring ........ 240 (Yoko Nitta). ? ............................. 248 Yoko Nitta. Japan's Approaches towards Cybersecurity ...................... 258 (Masayoshi Kuboya). : .... 266 6

Forum_1.indd Forum_1.indd 6

22.10.2014 13:40:12 22.10.2014 13:40:12


Dr. Masayoshi Kuboya. Cyberspace Credibility in Japan:Information Literacy and Regulation ................................................................ 272 .., .., ... ............................................................ 277 N.P.Varnovskiy, O.A.Logachev, V.V.Yashchenko. Mathematics and Information Security ..................................................................... 282

7

Forum_1.indd Forum_1.indd 7

22.10.2014 13:40:13 22.10.2014 13:40:13


..
, , ..

:

« , »
! ! , -- .-, (). .- , . - . . IX- , . , . :
8

Forum_1.indd Forum_1.indd 8

22.10.2014 13:40:13 22.10.2014 13:40:13


- . .. (); . . (). , . - 2013 ., . () « -- », , . . () - () . . -- 2013 . () « : , ». « » . , « » ( , . , ), IV (, ), « » (. , ), « -- 2050» (. , ), « » (. , ). , .
9

Forum_1.indd Forum_1.indd 9

22.10.2014 13:40:13 22.10.2014 13:40:13


-, . « » : · «» ; · , ; · ; · «» « » ; · « » «» ; · . , , , . , , , .. . « ». , «», .. , , , , , .. , , , , ­ . , .
10

Forum_1.indd 10 Forum_1.indd 10

22.10.2014 13:40:13 22.10.2014 13:40:13


. « ». : · ; · - ; · , , ; · . . -- . , . , . , 1 12 1949 , , , . , , . , , , , . , « » , . , , 11

Forum_1.indd 11 Forum_1.indd 11

22.10.2014 13:40:13 22.10.2014 13:40:13


. « » : · ; · ; · ; · ; · ; · . , . , , . , , . , , , , . : · , ; · - : ; · . , « » , , . (2014­ 2015 .), . 12

Forum_1.indd 12 Forum_1.indd 12

22.10.2014 13:40:13 22.10.2014 13:40:13


, . , 100 21 (, , , , , , , , , , , , , , , , , , , , ), 3 ( , ICANN ( ), ). -- , . . · « «» ; · ; · - ICAAN . .

13

Forum_1.indd 13 Forum_1.indd 13

22.10.2014 13:40:13 22.10.2014 13:40:13


V.P.Sherstyuk
Co-Chairman of the Forum, Adviser of the Secretary of the Security Council of the Russian Federation, Director of Lomonosov Moscow State University Institute of Information Security Issues

Opening Remarks

On Agenda and Challenges of the Forum «State, Civil Society and Business Partnership on International Information Security
Dear participants of the conference! Ladies and gentlemen! First of all, I would like to express my sincere gratitude to the leadership of the local administration, of this amazing place in Bavaria -- Garmish-Partenkirchen. By virtue of their hospitality, information security experts from many countries are able to get together in this place for eighth consecutive year and discuss the most current issues of international peace and security in the context of threats of information and communication technologies misuse. The fruitfulness of these discussions significantly increased after International Research Consortium has been formed here in Garmish-Partenkirchen. It enabled the conditions to combine the efforts of stakeholders in finding complex solutions to the issues of international information security. In the course of the previous Conference, which took place in Baku in October last year, the Consortium has identified a priority research venue. Taking into consideration the need to counter malicious use of ICTs for military-political purposes, the research is focused on elaboration of international law improvement issues. Today there will be a workshop-round table on this topic. The IX International Conference of the Consortium will take place tomorrow. In its course we will summarize the interim results of this research and decide on plans of the Consortium for the near future. In addition, new members will be admitted to the Consortium. They are: · Institute of Information Security and Cryptology (IIS&C) at the Gumilyov Eurasian National University (Kazakhstan); · Institute of Electronics and Telecommunications under Kyrgyz State Technical University (Kyrgyzstan).
14

Forum_1.indd 14 Forum_1.indd 14

22.10.2014 13:40:13 22.10.2014 13:40:13


As a follow-up to the decisions of the Consortium, since our last meeting in Garmisch-Partenkirchen in 2013 a lot of work has been done. We participated in the plenary session of the European Forum Alpbach (Austria) concerning "Cyberwar -- Perceptions and Approaches of Major Actors". There we supported the idea to intensify efforts to improve international law governing international relations in the field of countering military use of ICT. In April a similar topic was discussed during a meeting on international information security (seminar), held in the Russian Embassy in Stockholm (Sweden) by Russian and Swedish experts. The meeting also addressed the issues of implementation of human rights and freedoms on the Internet. In late October -- early November 2013 in New York (USA) there was a thematic meeting of scientists in the format of the international seminar «Internet governance and management of cyber conflicts: models, regulation and confidence-building measures.» The American side put forward the initiative to make such «synchronization» meetings of scientists and experts an annual event. MSU experts also participated in the Conference "International cooperation in cyberspace" (Georgetown University, Washington, USA), IV World Summit on Cybersecurity (Stanford, USA), in the Conference "National security and the development of science and technology" (Changsha, China), the first international scientific Conference "Information Security Strategy in the light of strategy Kazakhstan­2050" (Astana, Kazakhstan), and in the Conference "Public-private partnership in the Internet era" (London, UK). The agenda of our Conference covers important and complex issues of the formation of international information security system, capable of reducing the threat of ICT use for breach of international peace and security. Firstly, the issues of adaptation of international law to conflicts in information space. The discussion at the round table is expected to touch upon the following questions: · the concept of «Attack» in the information space; · principles of distinction, proportionality and precautionary measures and their operation in conflicts with the use of ICTs; · law of neutrality in conflicts with the use of ICTs; · the concept of «Force» and «Threat of force or Use of force» for information space; · the concept of «Armed attack» and «Aggression» in information space;
15

Forum_1.indd 15 Forum_1.indd 15

22.10.2014 13:40:13 22.10.2014 13:40:13


·

use of force by means of malicious use of ICT and problems of attribution. There is a considerable amount of research papers published on almost all of the mentioned issues, but we believe that the desired solution has not yet been found. This can be partly explained with that the issue at hand is not as much related to gaps or contradictions in the current legislation, but to uncertainty of existing international law interpretations from the standpoint of their applicability to cyberspace, i.e. to the need of adaptation of legal rules to new conditions. It has been proposed to put the concept of «implicit weapons» at the foundation of the solution of this problem. The substance of this concept lies in the fact that in certain cases the misuse of ICTs gives non-military targets, such as civilian aircraft, nuclear power plants, etc. the properties of «weapons», i.e. tools and mechanisms designed to destroy manpower and equipment. This concept makes it possible to identify sufficiently accurate evidence of the use of ICTs as weapons. And accordingly the conditions when the misuse of ICTs can be recognized as an armed attack, consequently making it possible for victim-state to exercise the inherent right to individual or collective self-defense. It also becomes possible to more accurately determine which norms of international humanitarian law and international law governing the use of force require adaptation to the environment of ICTs misuse. The second important direction of countering threats to international peace and security in cyberspace is the information security of critical infrastructures. This issue will also be discussed in the course of a separate «round table». It is planned to consider the following issues: · comparative analysis of national approaches to identification of information infrastructure segments as Critical Infrastructure; · Public-Private Partnership in Critical Infrastructure information security: Best practices, frameworks and recommendations; · marking and identification of information systems and networks that are protected by international law in cyberspace; · International System of Monitoring and Objectification of International law violations in relation to Information systems and Networks: Challenges of development. Some of the mentioned issues have long been a subject of research. Others are just beginning to draw attention. In this context I would like to touch upon the issue of identification of objects in cyberspace that are protected under international humanitarian
16

Forum_1.indd 16 Forum_1.indd 16

22.10.2014 13:40:14 22.10.2014 13:40:14


law. It is obvious that without a solution to this problem we can hardly expect a real success in application of the relevant norms of international humanitarian law. For example, Annex 1 of the Additional Protocol to the Geneva Conventions of 12 August 1949, on Protection of Victims of International Armed Conflicts, is entirely about the rules of identification. Apparently the application of the Protocol to cyberspace also requires a separate Annex, concerning rules of protected objects identification. It seems that preparation of objective documentation about facts of international law violations in cyberspace, is still a challenging problem that has no acceptable solution. As we hope, some ideas that could bring together all stakeholders in this field will be expressed in the course of a «round table». The third important issue to be discussed at the Conference is a comparative analysis of national approaches and priorities in forming of international information security system. The following topics will be discussed in the course of a relevant «round table»: · legitimization of monitoring and control on networks; · implementation of national information strategies; · national cybercrime prevention experience; · technical surveillance in communication networks in the context of human rights protection; · international and national approaches to countering the use of the Internet for terrorist and extremist purposes; · ensuring credibility in cyberspace. As we see it, each of these issues can become a subject of an independent research in the future. Therefore let's presume that this event will identify their key, most complex aspects, worthy to be put on the agenda of the following conferences. We will significantly exceed our plans, if we will not only identify the key aspects, but also offer mutually acceptable solutions of the relevant issues. Finally, the fourth issue to be discussed at the Conference is technological aspects of international information security, from the standpoint of advanced developments. With regard to this issue it is proposed to discuss the following issues: · aggregation, integration and security of Big Data in life sciences and health care; · implications and impact of emerging biotechnology and nanotechnology on information security; · application of mathematical sciences to solution of information security issues.
17

Forum_1.indd 17 Forum_1.indd 17

22.10.2014 13:40:14 22.10.2014 13:40:14


Essentially this «round table» will analyze the factors that determine both present and future perspectives of international information security issues. Our conference is held as we approach the start of the new UN Group of Governmental Experts on international information security (2014-2015) with the mandate of the UN General Assembly to continue research in this area. It seems that to a certain extent our discussion will be a preparation stage for this event. In conclusion I would like to mention that over 100 scientists and experts from 21 countries of the world (U.S., Russia, China, Britain, France, Germany, Japan, Australia, Austria, Azerbaijan, Bahrain, Belarus, Bulgaria, Israel, Italy, Kazakhstan, Cambodia, Canada, Kyrgyzstan, UAE, Switzerland), as well as representatives of three international organizations (International Committee of the Red Cross, ICANN (the International Corporation for Assigned Names and Numbers), the European Defence Research and Technology) are participating in our Conference. Preparation and conduct of such a representative Conference would have been impossible without the help of our sponsors, their representatives are now in the conference hall. I would like to mention them. General Director of FSUE "STC" Atlas ", Alexander Gridin; Scientific Director of Russian Railways Informatics & Automatics Research & Design Institute, Vladimir G. Matyuhin; ICAAN Vice president, Veni Markovski. Deep gratitude to all of them.

18

Forum_1.indd 18 Forum_1.indd 18

22.10.2014 13:40:14 22.10.2014 13:40:14


..
,

, « , »
! , « , ». - -- , . . , . - , , . . , , . , . , .

19

Forum_1.indd 19 Forum_1.indd 19

22.10.2014 13:40:14 22.10.2014 13:40:14


. , , 2020 . 24 2013 . -- , . , -. - , , . , , . . - . . - . -, , . , , · ;
20

Forum_1.indd 20 Forum_1.indd 20

22.10.2014 13:40:14 22.10.2014 13:40:14


·

; · , - . , , « » - . , , , . . , . . , . , , . , !

21

Forum_1.indd 21 Forum_1.indd 21

22.10.2014 13:40:14 22.10.2014 13:40:14


S.M.Buravlev
Co-Chairman of the Forum, Deputy Secretary of the Security Council of the Russian Federation

Welcome Address to organizers, participants and guests of the VIII International Forum «State, Civil Society and Business Partnership on International Information Security»

Dear Colleagues, Allow me to welcome the organizers, participants and guests of the International Forum «State, Civil Society and Business Partnership on International Information Security». For the eighth time a welcoming Garmisch-Partenkirchen becomes a meeting place for information security experts -- representatives of governments, scientists and experts from scientific and educational centers of the world's leading nations. This gathering is dedicated to discussion of the most pressing issues of information security. In the present context topics of the plenary session and questions for seminar discussions are more than relevant. The rapid development of information and communication technologies (ICTs) and their active implementation in various areas of state, societal and individual life makes the issue of ensuring international information security a priority. The transboundary nature of new threats and challenges in the information sphere increases the vulnerability of national information infrastructures. And above all, it affects facilities critical to national security. Gradually increases the risk of destructive information influences threatening the sovereignty and territorial integrity of any state. At that, individuals and society as a whole are also exposed to negative information influences. Environment of information space globalization requires a choice of further directions for international information security development. The choice of Russia, as a member of international community, is enshrined in the Principles of State Policy of the Russian Federation in the field of international information security for the period until 2020. Purposeful document of strategic planning in this area was approved by the President of the Russian Federation on July 24, 2013.
22

Forum_1.indd 22 Forum_1.indd 22

22.10.2014 13:40:14 22.10.2014 13:40:14


The Principles publicly state the main objective -- to promote an international legal regime aimed at creating the conditions for the formation of an international information security system. Support and active participation of scientific, expert and business community should contribute to achievement of this objective. Forum in Garmisch-Partenkirchen is a unique platform that allows a consolidated discussion of international information security problems and together develop scientifically verified paths to solutions to these problems. It is important to understand that countering security threats in the information sphere both nationally and globally should be legitimate. It is necessary to update the norms of international law to regulate the activities of nation-states in information space. Hence the inevitable and urgent need to research the use of ICTs in international conflicts. The issue of general applicability of international law to the use of these technologies should also be investigated. Therefore, the agenda of the Forum gives priority to international legal issues. It indicates the maturity of this discussion platform in Garmisch-Partenkirchen. It is an example of clear understanding of the need to solve the urgent legal issues of international information security, and aspiration to see the development prospects of the global information space relations regulation. I believe the discussions in the course of the Forum will bring us closer to understanding that the existing rules of international law cannot be directly applied to the sphere of ICTs use; these rules should be improved and adapted to this sphere; new rules of international law concerning the sphere of ICTs use can and should be developed, including procedural and institutional form of their implementation. However, only applied nature of the discussion of, so to speak, entire «legal field» of ICTs use will yield the required result. Needless to say, the solution of international information security issues and formation of the corresponding global system requires not only legal foundation, but also a hereon based systematic approach to solving the most pressing problems. A surge of national security threats in the information sphere necessitates the search of effective ways to counter destructive effects on critical infrastructure. Both nationally and globally it is important to identify priorities of international information security system formation. And systematic approach requires looking at the problem in the light of perspective technological developments in this area.
23

Forum_1.indd 23 Forum_1.indd 23

22.10.2014 13:40:14 22.10.2014 13:40:14


I hope that the Forum discussions will fully unlock the extensive international scientific potential and expertise represented here. This will confirm that high appreciation of the role and place of the Forum is just and fair, and will further enhance its authority, among other things through open publication of the proceedings. I wish the organizers, participants and guests successful and fruitful work!

24

Forum_1.indd 24 Forum_1.indd 24

22.10.2014 13:40:14 22.10.2014 13:40:14


1
,

:

1. , - , . , , . . , , , , . -, -- , , , , . , -- , . , , , , . , , . .
1 : , , .

25

Forum_1.indd 25 Forum_1.indd 25

22.10.2014 13:40:14 22.10.2014 13:40:14


2. , ? , . -- : · « , , , , ». · . « -- , , , , ; - ». , 16 , : ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; . , , , , . , , , -- , , « », «» . , , , , . ,
26

Forum_1.indd 26 Forum_1.indd 26

22.10.2014 13:40:14 22.10.2014 13:40:14


. , , . , . , «» , «». , . , , . , , . , , «» . . , -- , . , , , . , , , , , , , . , , - , , . , ? ? 3. , , , , « ». , . 2012 ,
27

Forum_1.indd 27 Forum_1.indd 27

22.10.2014 13:40:15 22.10.2014 13:40:15


, , -- , . 10 , , , . (, ) . 48 5000 . - - . - . 285 . $ 10 . . , , , , ? McAfee, 2013 , , , , $ 100 . 1/10 McAfee $ 1 . , Wall Street Journal, , , . McAfee , - , . : , . , , .
28

Forum_1.indd 28 Forum_1.indd 28

22.10.2014 13:40:15 22.10.2014 13:40:15


2012 (DDoS) . 2013 « -- 2», 50 , , , . , , -. DDOS-, : , ; «», ; , , . , Shamoon, 2012 ( ) -- Saudi Arramco ( ) Ras Gas (). , - . Stuxnet () . , , . (Advanced Persistent Threat). , , , , , , . , , , , . , , 29

Forum_1.indd 29 Forum_1.indd 29

22.10.2014 13:40:15 22.10.2014 13:40:15


, - 2007 . , , , , «», «». . , , , , - 2008 . , . - . , , , . , , . , , . , : , . , . 4. . . . , , - , .
30

Forum_1.indd 30 Forum_1.indd 30

22.10.2014 13:40:15 22.10.2014 13:40:15


, - . , 85% , , , , , . . , , . 2014 , . . . . , . , , , . - . , . , . , « , , , ».
31

Forum_1.indd 31 Forum_1.indd 31

22.10.2014 13:40:15 22.10.2014 13:40:15


- , , . , , , . 5.


C 2004 (), . 2010 2012 , -- . , ( 2010 ), , , , . - , , . , 2010 , , . , , , , . , .


2007 , , : - ; ; ; ; . .
32

Forum_1.indd 32 Forum_1.indd 32

22.10.2014 13:40:15 22.10.2014 13:40:15


, : , , . : ; , ; .


, , , , . 2004 -- 10-. 2004 , 2009 - . , 2013 , : , . : ; Galileo; . -- , , - . 2013 . 33

Forum_1.indd 33 Forum_1.indd 33

22.10.2014 13:40:15 22.10.2014 13:40:15


, , , . , , / .
()

2001 . 2003 , , , . 2006 , , - , . 2011 - , . , 2014 , . , 5-8 , , . . .
34

Forum_1.indd 34 Forum_1.indd 34

22.10.2014 13:40:15 22.10.2014 13:40:15


()

, , 2010 , 2011 . 2013 « ». , , ... , .


, , - . 2008 , 19 57 . 2-5 , . , . . - . , - , .


2012 .
35

Forum_1.indd 35 Forum_1.indd 35

22.10.2014 13:40:15 22.10.2014 13:40:15


. . 2014 , - . 2014 .
()

2004 , . -, , . , 2011 . , . , , .
- ()

2003 - 2005 . 2010 . 2011 2015 . 2012 , , , . 2013 2005 .
36

Forum_1.indd 36 Forum_1.indd 36

22.10.2014 13:40:15 22.10.2014 13:40:15


- ()

2002 , , 2005 , , , , .
()

2013 , . , , , , , . , , . , . , ? , , . , , , , . , , , . 6. , , , . , , , . , , , , ,
37

Forum_1.indd 37 Forum_1.indd 37

22.10.2014 13:40:16 22.10.2014 13:40:16


. - , . , , . . , -, , . , -- , , , .. , , - . , , , , -- . . , . , , . -- , , , -. , , ? , , , . . , , . . 38

Forum_1.indd 38 Forum_1.indd 38

22.10.2014 13:40:16 22.10.2014 13:40:16


, , . , , , , - . , , , , , -- . , . -- , , Stop-Think-Connect; , IP-. , , . , , , , . , .

39

Forum_1.indd 39 Forum_1.indd 39

22.10.2014 13:40:16 22.10.2014 13:40:16


Dr. Charles (Chuck) Barry1
Center for Technology & National Security Policy National Defense University, Washington, D.C., the USA

Challenges in the Protection of Critical Infrastructure Systems Reliability in the Digital Age

1. Introduction Thank you Dr. Sherstuyk and thanks as well as to the many sponsors and organizers for inviting me to participate at this year's Forum on Information Security. The idyllic alpine setting of springtime here in Garmisch invites us all to leave aside the concerns of the broader world for a few days and invest our energies in the business of securing cyber space for our common future. This morning I've been asked to address the challenges of protecting critical infrastructure, an issue of global importance and thus a fitting subject of discussion by an expert international group such as is convened here today. The physical and cyber risks from which critical infrastructure must be protected are many, from mechanical failure to natural disasters to simple human error and, yes, malicious acts, either by criminals or organizations. Protection must be resilient, reliable and enduring whether during times of peace, crisis or conflict. Today let us concentrate on the protection of critical infrastructure from risks emanating in cyber space, or if you like, risks within the information realm. We can touch on physical threats too, which are no less serious but the nature of our Forum is information security. Let us begin. 2. Critical Infrastructure So, what have a lot of consider, one · The U.S. assets so vital is critical infrastructure exactly? It would seem we it. Here are a couple of paraphrased definitions to national and one regional: defines Critical Infrastructure as `those systems and to the United States that their incapacity or destruc-

1 Disclaimer: The view's expressed in this paper are Dr. Barry's alone and do not necessarily reflect the policies of the National Defense University, the Department of Defense or the United States Government.

40

Forum_1.indd 40 Forum_1.indd 40

22.10.2014 13:40:16 22.10.2014 13:40:16


tion would have debilitating impact on national security, economic security, public health or safety. · The EU uses a very similar definition by saying European Union Critical infrastructure is assets or systems essential for the maintenance of vital societal functions such as health, safety, security, and economic well-being whose disruption or destruction would have a significant impact in a Member State. For U.S. critical infrastructure, the federal Department of Homeland Security goes on to list 16 distinct sectors of critical infrastructure including: banking; chemical; communications; critical manufacturing; dams; defense industries; education facilities; emergency services; energy sector; food and agriculture; government facilities; public health; information technologies; nuclear sector; national monuments; and water. One observation we should keep in mind is that what is critical often depends on what agency is being asked. In a small town with but one water well or one bridge or one telephone line or one road, certainly all these elements of the town's infrastructure are considered "vital," and their loss would be "debilitating" to the townspeople and their elected officials. But it is unrealistic for a nation to define every small road, bridge, telecommunications link or water source as critical infrastructure on a national scale, even if politically it must at times regard them as such. It would be impossible to invest in the protection of all infrastructures that depends on cyberspace. Moreover, if everything is considered critical, nothing will be. There would be no priorities on which to allocate resources. So, `everything' is no more an answer than `nothing.' Tough choices are needed, and even within them, priorities will have to be set. In fact much of the international literature on critical infrastructure offers similar lists of critical infrastructure sectors such as those cited above. However, it is not necessary to have an internationally agreed list of what is critical and is not critical infrastructure. We would likely find it hard to agree among many nations on a common definition, and in any case, such a `list' would need continuous updating. Its utility would be meaningless. Nonetheless, it would be helpful to have a degree of mutual and reciprocal transparency with respect to what each nation regards as its critical infrastructure, mainly by category but perhaps also by noting a number of major public installations and systems. There are surely other national and international definitions besides the two given above, but from these definitions we can
41

Forum_1.indd 41 Forum_1.indd 41

22.10.2014 13:40:16 22.10.2014 13:40:16


readily see that protecting critical infrastructure will be a daunting task, and there will undoubtedly always be elements of risk. There is a lot of critical infrastructure in all of our nations, and there are international critical infrastructures as well, most notably the system of undersea fiber optic cables mainly owned by multinational corporations but largely located in international waters. If these are the critical systems we are trying to protect, what are the threats that we face today and into the future? What should we be worried about? 3. Threats to critical infrastructure Keeping with the American model, the U.S. takes an `All-Hazards Approach to Infrastructure Protection' in order to address the physical as well as the cyber dimension. Recently, this proved to be exactly the right approach. When Hurricane Sandy struck the Caribbean, the eastern U.S., and Canada in 2012 the threats to critical infrastructure came in the form of massive physical destruction caused by nature -- high winds, violent electrical storms and massive flooding. Hurricane Sandy took 10 million people off the electric power grid along the U.S. East coast, some of them for many weeks, leaving them without heat, water or power, this in spite of federal, state and local emergency responses that brought legions of power line repair crews in from all across the United States and Canada. More than 5,000 commercial airline flights were canceled in one 48 hour period. The central New York and Washington subways systems were closed due to flooding. The New Your Stock Exchange had two unprecedented days of closure. 285 people lost their lives. More than $10 Billion in damage overall. Much critical infrastructure was destroyed. But with regard to threats from cyber space, is protecting critical infrastructure really as important or more so that the threat of physical damage from natural causes? A summer 2013 study by the think tank Center for Strategic and International Studies and the computer security firm McAfee concluded the annual cost of cybercrime involving critical infrastructure in the U.S. was an estimated $100 billion. That estimate was a sharp downward revision to only one-tenth of what McAfee had reported before for the same period -- an earlier estimate of $1 trillion in annual losses. That put annual cybercrime losses, often directed at the financial services sector, on a par with the annual cost of automobile accidents according to the Wall Street Journal. However the longer term costs, such as lost competitiveness due to the theft of proprietary
42

Forum_1.indd 42 Forum_1.indd 42

22.10.2014 13:40:16 22.10.2014 13:40:16


commercial information, were not factored in to the CSIS-McAfee revisions. So let's not kid ourselves: the risks to critical infrastructure from cyber space are real and expanding even as our dependence on these systems grows inexorably greater and more irreversible. Several high profile cases underscore the grave risks we all face. Cyber attacks in the form of Distributed Denial of Service (DDOS) attacks on American banks in late 2012 were a particular wake-up call in the US. These attacks led to the industry-wide exercise Quantum Dawn 2 in July 2013, where more than 50 banks, plus the Security and Exchange Commission, FBI and Departments of Treasury and Homeland Security participated. There is the distinct possibility online attacks will grow as customers do more transactions online. Besides DDOS attacks, threats to our infrastructure include: Criminals who want to steal money; Hacktivists" who want to make political statements by disrupting critical system; and foreign governments that want to spy on American and other nation's multinational companies. In addition, we have the recent example of the 2012 Shamoon virus attacks on Saudi Arramco (Saudi Arabia) and Ras Gas (Qatar), key companies in the Middle East energy (petroleum and natural gas) infrastructure. These attacks were alleged to have been conducted by or on behalf of a nation state. Another recent, amply reported infrastructure attack was the Stuxnet attack on programmable logic controllers (PLCs) within the uranium enrichment complex at Natanz, Iran. This attack is considered by some as the first use of a specific cyber weapon, although much more information and analysis is needed before that claim can be confirmed. Advanced Persistent Threats are another growing and high profile concern. APTs are sophisticated, tend to go after high value targets including infrastructure systems, and their malicious code is hard to detect and eliminate inside a network. APTs often have no detectible presence, they simply reside inside a network and either exfiltrate data, report on network activity, or plant malware for later exploitation, including taking down the network at a critical time. We have seen politically motivated attacks against nation states such as the attacks on the Estonian banking, information and government websites in spring 2007. In that case, although some regarded it as an attack against the state of Estonia, it was determined to be a `cyber riot' by hactivist, acting on their own or as proxies,
43

Forum_1.indd 43 Forum_1.indd 43

22.10.2014 13:40:16 22.10.2014 13:40:16


in response to an Estonian decision, unpopular with Russians, to relocate a monument from the capital's (Tallinn) central square. It should come as no surprise that there will be infrastructure attacks as part of kinetic inter-state conflicts, such as the Georgian systems attacked during the Russo-Georgian war of 2008. What is yet to be defined is how these attacks might transgress the Laws of Armed Conflict in terms of their potential for disproportionate civilian casualties or indiscriminate destruction. We will hear much more on this topic from Dr. Sanjay Goel this afternoon. Similar, yet not exactly the same due to the absence of a conventional military campaign were the cyber attacks against Ukrainian and NATO information systems during the recent Russian subversion and annexation of Ukraine's Crimea region. Indeed, across the spectrum of military operations it is reasonable to conclude that any future operation will include a cyber component. These, then, represent a palate of threats that are growing, and no doubt even this short list is incomplete. The one thing we can say with near certainty: the threats are not going away but are becoming more commonplace and increasing in their sophistication. Now let's take a look at what nations and international organizations are doing to counter these threats. 4. Highlights of the US system for Critical Infrastructure protection The US has matched a federal department to work with each of the sixteen sectors of critical infrastructure already mentioned. The majority of sectors are the responsibility of the Department of Homeland Security. Some sectors are matched to other departments, for example, the defense industrial sector is matched to the Department of Defense and the banking sector to the Department of the Treasury. Each sector has a corresponding Information Sharing and Analysis Center or ISAC for public-private partnering and voluntary information sharing on threats and protection techniques. These are important exchanges because approximately 85% of US critical infrastructure is in the private sector, while the government side of these partnerships typically has better awareness of the overall threat than any of the individual private corporations or business sectors. A National Infrastructure Protection Plan (NIPP) has been developed, along with a series of Sector Specific Plans (SSPs) to correspond with each identified sector. These are synchronized within a National Response Framework (NRF), an overall guide for how
44

Forum_1.indd 44 Forum_1.indd 44

22.10.2014 13:40:16 22.10.2014 13:40:16


the United States responds to all manner of disasters and emergencies, not only cyber space based crises. In February 2014 President Obama unveiled the first voluntary cybersecurity standards for businesses to use in protecting the critical infrastructure they own. The standards also encourage greater information sharing across business sectors and with relevant government agencies. This is a first step. Getting competing companies to share information about successful attacks against them is difficult and potentially economically harmful. However, in time compliance should fall into place and ultimately perhaps a law requiring compliance might as well. As part of its responsibilities to assist the defense industrial sector, the Department of Defense launched an Enhanced Cybersecurity Initiative to share threat and protection information with defense contractors regarded as part of that sector of critical infrastructure. Similar initiatives are assist other sectors are being developed by other departments, most notably the Department of Homeland Security. Finally, the US 2011 International Strategy for Cyberspace commits to `provide the necessary knowledge, training and other resources to countries seeking to build their own technical and cybersecurity capacity. US support ranges from supporting national capabilities for incident management to building public-private partnerships, to enhancing control system security, to drafting effective cyber crime laws. The US has worked with other counties individually and in fora under the auspices of the OAS, APEC, NATO and the UN. 5. Let us now look briefly at what is already being done by international organizations to protect infrastructure
The United Nations

The work of the UN's Group of Government Experts (the GGE) has been gaining credibility as one of the more encouraging efforts at international cooperation since 2004. GGE agreements in 2010 and 2012 have been modest yet noteworthy -- as such enterprises usually are at the beginning. Each was more substantive than the last (the 2010 agreement followed an earlier failed attempt to reach an agreement) and we should be optimistic that the next round of discussions, though among a wider group of experts, will continue that trend. We need not say more here about the positive momentum of GGE because we are fortunate to have Ambassador
45

Forum_1.indd 45 Forum_1.indd 45

22.10.2014 13:40:16 22.10.2014 13:40:16


Andrey Krutskikh next on the plenary program. He is well known to all of us as one of the original GGE members, the chair of the 2012 GGE agreement, and a seasoned veteran who will again be negotiating this coming summer at the next round of discussions. No doubt Andrey will offer us some valuable insights into what to expect during the next and larger two year GGE enterprise. What is important here is to make clear that the UN is actively engaged in furthering international cyber security.
International Telecommunications Union

The ITU drafted its Global Cybersecurity Agenda (GCA) in 2007 with five pillars: a Legal Framework; Technical Measures; Organizations Structures; Capacity Building; and International Cooperation. The ITU is the lead global agent for confidence building measures in the ICT sector. One of its most visible projects is the Global Cybersecurity Index, which ranks cyber security capabilities of nation states based on the five criteria of Legal Measures, Technical Measures, Organizational Measures, Capacity Building and Cooperation. ITU partners with other organizations, such as: the UN Office of Drugs and Crime (UNODC) to share best practices in cybercrime legislation; the International Multilateral Partnership Against Cyber Threats (IMPACT) to work toward global solutions to cyber threats; and the Forum for Incident Response and Security Teams (FIRST) to share best practices on computer incident response capabilities.
European Union

The EU is perhaps the most active regional organization in international cyber security, which reflects its solid bureaucratic roots. In 2004 the EU established the European Network and Information Security Agency (ENISA) in Crete, which is celebrating its 10th anniversary this year. It also began looking at infrastructure protection in 2004, and organized an information sharing European Public-Private Partnership for Resilience (EP3R) in 2009. Early last year it adopted the EU Cyber Security Strategy, and in August 2013 it updated its European Program for Critical Infrastructure Protection (EPCIP), with the three work streams of Prevention, Preparedness and Response. The EPCIP identifies four priority pan-European sectors: the EuroControl Air Traffic System; the Galileo global satellite navigation system; the Electricity Transmission Grid and the European Gas Transmission Network.
46

Forum_1.indd 46 Forum_1.indd 46

22.10.2014 13:40:16 22.10.2014 13:40:16


The EU has developed a Critical Infrastructure Warning Information Network (CIWIN), an Internet-based system for exchanging critical infrastructure protection ideas, studies and best practices among its members and their agencies. The CIWIN portal has been up and running since mid-January 2013. The EU's Digital Agenda for Europe has conducted, though ENISA, two pan-EU cyber security exercises examining critical infrastructure protection across the Union. It also set minimum baseline capabilities and services and policy recommendations for member's National/ Governmental Computer Emergency Response Teams (CERTs) to function effectively.
North Atlantic Treaty Organization (NATO)

NATO has been involved in Critical Infrastructure Protection (CIP) since 2001. In 2003 the Senior Civil Emergency Planning Committee adopted a six point plan to help nations manage the consequences of Chemical, Biological, Radiological and Nuclear (CRBN) attacks, particularly resulting from terrorism. In\2006 Heads of State and Government confirmed the Alliance role in CIP to protect its members' populations, territories, infrastructure, and forces from the consequences of terrorist attacks, and to protect its own security interest from the disruption in the flow of vital resources. In 2011 the Alliance began to look at its dependencies on member critical infrastructures and work with members to assess the vulnerabilities to systems vital to Alliance missions and operations. In 2014 Alliance ministers are expected to approve a new Cyber Defense Policy that will strengthen NATO programs over the next several years. More recently, indeed earlier this month on 5-8 April, the North Atlantic Council accepted the request of Ukraine, a NATO partner country, and sent the NATO Advisory Support Team on Critical Infrastructure and Civil Population Protection to assist Ukraine in developing civil contingency plans and crisis management measures. These related to critical energy infrastructure and risks to civil protection in the event of further aggravation of the security situation there.
Organization for Security and Cooperation in Europe (OSCE)

OSCE expressed consensus interest in cyber security as a transnational threat at its 2010 summit and again at a special conference convened on cybersecurity in 2011. In December 2013, the
47

Forum_1.indd 47 Forum_1.indd 47

22.10.2014 13:40:16 22.10.2014 13:40:16


OSCE agreed an "Initial Set of Confidence-Building Measures to Reduce the Risk of Conflict Stemming from the Use of Communications and Information Technologies (ICT)." This list includes, inter alia, the voluntary holding of consultations at an appropriate level in order to reduce the risk of misperception...and to protect critical national and international ICT infrastructures, including their integrity.
Organization for Islamic Cooperation (OIC)

The OIC is another regional organization taking steps to address critical infrastructure protection, although by coaching interested members to strengthen their capacities at the national level. The OIC stood up OIC CERT in 2008 and to date 19 of 57 OIC members CERTs have joined OIC CERT. They convene 2-5 conferences annually to share best practices, norms and threat indications. Only some of these discussions support critical infrastructure protection but it is a welcome start. Worldwide we should applaud even small steps and encourage their growth in substance and transparency. It should be taken advantage of by many more OIC members, most immediately Afghanistan as it strives to make its ICT infrastructure more reassuring to an economy struggling to gain more truly commercial, post-ISAF footing at the end of this year.
The African Union (AU)

In January 2012 the AU drafted a Convention on Confidence and Security in Cyberspace. The stated purpose of the Convention is to establish a credible framework for cyber security in Africa. This is a first encouraging step toward AU engagement in critical infrastructure protection. The Convention was to be adopted in January 2014 but that was not done due to privacy objections from Kenya. The next step is for Kenya to submit its written objections by May 2014.
The Organization of American States (OAS)

In 2004 OAS members approved a resolution that called on the Secretariat to begin working on cyber security issues with the goal of each member state having organized a CSIRT, and the OAS organizing its own CSIRT as a coordinating mechanism for regional initiatives in cyber security. The latest information available is that most OAS members had CSIRTs in 2011, indicating the program has been largely a success. It is not clear how active the OAS
48

Forum_1.indd 48 Forum_1.indd 48

22.10.2014 13:40:17 22.10.2014 13:40:17


CSIRT itself is in mentoring members or organizing future OAS assistance programs similar to OIC.
Association of Southeast Asian Nations (ASEAN)

Singapore Declaration of 2003 called for establishing an ASEAN Information Infrastructure and CERTs for all by 2005; Master Plan on ASEAN Connectivity of 2010; ASEAN ICT Master Plan (AIM) 2015 agreed in 2011; Members committed in 2012 to continue ASEAN CERT Incident Drills in support of the ASEAN Network Security Action Council (ANSAC); the 2005 Framework for Cooperation on Network Security was updated in 2013.
Asia Pacific Economic Cooperation (APEC)

APEC has agreed on a number of cyber security documents since 2002 including a Cyber Security Strategy in 2005 that recognized the importance of the security of communications infrastructure and particularly the Internet across the APEC region.
Shanghai Cooperation Organization (SCO)

In March 2013 the SCO signed agreements to combat the use or potential use of computer networks for terrorist, separatist or extremist's ends. While these agreements do not appear to be intended to address critical infrastructure protection in any collective way, they nonetheless indicate SCO's engagement in this field at the present time. No doubt there are other initiatives worldwide and those present who can contribute to this list are encouraged to do so during discussion. Those just cited are illustrative of the degree to which the UN and many regional organizations are beginning to grapple with the permanent task of critical infrastructure protection. Are any of them doing all that is needed in their respective realms? I expect all would agree they can and must do more and do everything they are already doing to greater effect, to higher standards they internally seek. We should work with them and encourage them to move forward energetically, transparently and cooperatively. 6. Conclusion This brief tour d'horizon of critical infrastructure and some of the protection initiatives already underway should whet your appetite for discussion and ideally new thinking on how to grapple with the associated challenges at the international level.
49

Forum_1.indd 49 Forum_1.indd 49

22.10.2014 13:40:17 22.10.2014 13:40:17


Let me seed such a discussion with three baskets of work that we should consider essential. First we must improve the resilience of our critical systems, new and old, and commit to investing in system improvements at a rate apace with or ahead of the bow wave of future risks we foresee. We must embrace this nationally through public-private enterprise, regionally, and globally. We should also invest in curbing the ease with which the particular nemesis of botnets can be organized and promulgated, including by-hire networks for criminal use. This will require nations to take responsibility to deal with lawless behavior on their territory. It will also require improving the speed and excellence of network forensics and finding the means to employ Internet traffic filtering, most probably at the ISP level. There are many sound reasons why filtering has not been widely implemented -- latency, cost, privacy, etc). We need solutions that satisfy the various stakeholders involved, including the ISPs and the users themselves. Related to computer forensics, which is a broader field than the one example I just gave, and filtering policies, we need a far more educated and alert user workforce, one that in aggregate becomes far better at best practices and computer hygiene. This human dimension of critical infrastructure protection is too often overlooked. It is not where the money is for tech companies selling network security solutions. Yet, there is little doubt this is where the biggest security gap lies. Unwittingly, honest and authorized users simply allow their access credentials to be easily pirated away -- from bad passwords to unauthorized devices on networks to unsecured authentication medium to succumbing to spear phishing. Will the next generation of users, the generation raised on-line, be better at security? Perhaps, but that is not readily apparent given the freedom with which personal information is shared on social media. It will take computer security being embedded in every method and subject of education. Technology of course can help by making security built-in by default. Active defense and reconnaissance within critical information networks is another essential component of protection. Network administrators must be able to detect malware not only at boundary portals, but also within their network where hidden, unauthorized and untrusted agents will lurk, masquerading as authorized users and thus would be otherwise undetected. Nor can we, as noting at the beginning of this discussion, ignore the physical threat to information systems, be it posed by a natural disaster like Hurricane Sandy, an act of terrorism or some other form of destruction. Just like cyberspace-based protection meas50

Forum_1.indd 50 Forum_1.indd 50

22.10.2014 13:40:17 22.10.2014 13:40:17


ures, physical protection measures must include fixed hardening, redundancy and suitable barriers, as well as dynamic protection such as active human or automated surveillance systems. We will need to prioritize and invest sufficient resources so that over time protections become and remain adequate. We should address challenges on two fronts -- at the user end-points on the networks, through training such as Stop-Think-Connect; and also strengthening protection at the key infrastructure nodes where we can shield millions of systems and IP addresses at once. We have to take both approaches and not simply invest in one or the other. Finally we will need the capacity, connectivity and resilience to respond together in ways that achieve timely system recovery and limit the impacts of infrastructure failure. When we have put all these capabilities in place we will be well on our way, and well prepared, to meet the present and future challenges to critical infrastructure protection.

51

Forum_1.indd 51 Forum_1.indd 51

22.10.2014 13:40:17 22.10.2014 13:40:17


..
..


() «» . 2013 1, «... . , . , , , ». . , , 90- . , . , , , , -- , , , .51 . , «» , , . , «»
1 . 68- , 24 2013 ., \68\150

52

Forum_1.indd 52 Forum_1.indd 52

22.10.2014 13:40:17 22.10.2014 13:40:17


« ». , , , -- , , -, , , , . , , , .51 , - . , 2001 , , . , , , , «» , . : · (Jus ad Bellum), , , ; · (Jus in Bello), , . , , . 1. Jus ad Bellum. Jus ad Bellum , 53

Forum_1.indd 53 Forum_1.indd 53

22.10.2014 13:40:17 22.10.2014 13:40:17


, , , , . . 41 42 , «» -- , () , . , , , , , , , , , .. . , , «» , . , , , , , , - , . , , , , , , , . ( , , ..), ( -, -, ), , , . -- .
54

Forum_1.indd 54 Forum_1.indd 54

22.10.2014 13:40:17 22.10.2014 13:40:17


, . , . «» , , , . , , . 41 , « ». , . 2 (4) , , . , , , « » « ». « » , .. , « », « » , . « » , , « ». , , . . 51 .
55

Forum_1.indd 55 Forum_1.indd 55

22.10.2014 13:40:17 22.10.2014 13:40:17


« » Jus ad Bellum : · « », . 2 (4) ; · , .. , , - , . , , , , «» , .. «». , «» «» «», «» , , . («») , , , , .. «». () 11 2011 . . , . , 11 2001 . - « » . 51 . , «», , «». , () , , .. «».
56

Forum_1.indd 56 Forum_1.indd 56

22.10.2014 13:40:17 22.10.2014 13:40:17


« ». « » , : · () () ; · , , ; · , « ». , « », , . 51 . , , . 51 . .2 (4) , . 51 . , -- , , , , , , . , . ( ) , « » . , -- .
57

Forum_1.indd 57 Forum_1.indd 57

22.10.2014 13:40:17 22.10.2014 13:40:17


2. Jus in Bello. , , . , , , , , . « », , - . , « » , , , , , . , , , , , . , , , , , . . , , , , . , , , . , . , , , , :
58

Forum_1.indd 58 Forum_1.indd 58

22.10.2014 13:40:18 22.10.2014 13:40:18


· ·

; ; · ; · ; · , . . , , , , . , , , . , , , . . 2011 , , , . 3. . . , , 59

Forum_1.indd 59 Forum_1.indd 59

22.10.2014 13:40:18 22.10.2014 13:40:18


. , . , . , , , . , , . , , , . : · 2(4), 39, 41, 42 51 , ; · , , ; · , , ; · ; · , ;
60

Forum_1.indd 60 Forum_1.indd 60

22.10.2014 13:40:18 22.10.2014 13:40:18


·

, , ; · , , . . : ; ; . « », , . 51 . , , , . , , , , , «» .

61

Forum_1.indd 61 Forum_1.indd 61

22.10.2014 13:40:18 22.10.2014 13:40:18


Dr. A.A.Streltsov
Institute of Information Security Issues, Lomonosov Moscow State University

Focal Areas in Development of International Law of Armed Conflict in the Context of Cyberspace
The use of information and communication technologies (ICTs) as a "coercive" tool for resolving international conflicts is becoming an increasingly perilous threat to international peace and security. According to the 2013 UN Group of Governmental Experts, "It is in the interest of all States to promote the use of ICTs for peaceful purposes. States also have an interest in preventing conflict arising from the use of ICTs. Common understandings on norms, rules and principles applicable to the use of ICTs by States and voluntary confidence-building measures can play an important role in advancing peace and security." Legal countermeasures to malicious use of ICTs represent an issue that is not new on the agenda. The original papers on the use of international law in the context of cyberspace in general and in the Internet in particular were published back in the middle of the 1990s. Nonetheless, experts still keep looking for answers. On one hand, many experts believe that malicious use of ICTs may cause damage that may be compared, in certain circumstances, with the use of conventional weapons, and in some cases even with the use of weapons of mass destruction. From this perspective, such use of ICTs represents a major threat to international peace and security and shall engender the right of self-defense for a state in terms of Article 51, UN Charter. On the other hand, despite the "obvious" possibility of using ICTs for military purposes, almost all the experts presume that ICTs are not a weapon. In both Russian-language and Englishlanguage literature, the term "ICTs" is often regarded as a synonym to "information technologies." In the Russian laws, the term "information technologies of such processes and methods". In the English-language literature, this term has a broader meaning and stands for a concept that integrates all the existing telecommunications, computers, and, where necessary, any special and generalpurpose software, memory, and audio-visual systems, which users may employ to store, transmit and process information.
62

Forum_1.indd 62 Forum_1.indd 62

22.10.2014 13:40:18 22.10.2014 13:40:18


In recognition of these two aspects, some experts propose adoption of an international treaty that would enable us to take countermeasures, in response to the malicious use of ICTs, that would be outside the scope of Article 51, UN Charter, but would nevertheless comply with the provisions of Draft Convention on the Responsibility of States for Internationally Wrongful Acts. This Draft Convention was developed by the UN Inernational Law Commission, discussed and taken note of by the UN General Assembly in 2001, and therefore does not represent a source of law. The author of this article believes that the process of customizing the international law of armed conflict may include bridging the gaps in terminology that develop in the norms of international law when applied to the malicious use of ICTs, as well as bridging the gaps in legal regulation of international relations where malicious use of ICTs represents a tool of power struggle between states seeking to pursue certain political objectives. In this case, customization shall involve two relatively independent segments of international law of armed conflict: · Law on the use of force (Jus ad Bellum), which determines when a state can use force in the context of international relations, including for the purpose of self-defense, and · Law of warfare (Jus in Bello), which determines the rules for the use of armed force by the state and non-state entities in the course of international and non-international conflicts, to include the rules applicable to humanitarian constraints. A separate issue that needs discussion is the format that can be used to document legal innovations in international treaties. 1. Inernational law Jus ad Bellum. The primary source of Jus ad Bellum law is the UN Charter, which lays down the basic rules for regulating relations based on the use of force or threat of force and, at the same time, restricts application of conventional rules of international law in this domain. According to Articles 41 and 42, UN Charter, there are two basic kinds of "force": force that implies the use of armed forces (weapons), and force that does not imply the use of weapons. In case of force that implies the use of armed forces, one state coerces another state to act as the coercing state desires by pushing the coerced state into a deadlock at threat of physical elimination of its political leadership, political machinery, weapons, armed forces and equipment, destruction of the economic foundation of existence, and infliction of suffering on the civil population, i.e. through the use of direct violence.
63

Forum_1.indd 63 Forum_1.indd 63

22.10.2014 13:40:18 22.10.2014 13:40:18


In case of force that does not imply the use of armed forces, the state being coerced is "isolated," whether partially or completely, to disallow communication with other states. Such isolation may take the form of interruption of economic relations, communications by rail, sea, air, via mail, telegraph, radio and other means of communication, and in the form of severance of diplomatic relations. As we know, ICTs, being one of the factors that promote industry and standard of living and enable operation of public and national infrastructures, may be used as a tool for damaging various living environments of the society and the state and for harming the economic, social, cultural and political relations. In some cases, such adverse impact of ICTs may result in fatalities (impact on automated control systems in aviation, railway and highway sectors, power supply control system, etc.), significant destructions (impact on automated process control systems used at hydro power plants and nuclear plants), and damage to the economic, military, and defense capabilities of the society and the state. Malicious use of ICTs may be considered, in a number of circumstances, as threat of force or use of force against the territorial integrity or political sovereignty of the state being affected. Besides, ICTs may also be used as a means of violence that does not imply the use of armed forces. This is due to the fact that information exchange function is implemented through the Internet in the modern world. From this perspective, interruption of data transmission, storage, processing, retrieval and distribution services using the Internet may be one of the ways to "isolate" a state. Recourse to such actions (which do not imply the use of armed forces) within the context of measures intended to maintain or restore international peace and security is essentially stipulated by the provisions of Article 41, UN Charter, which provides for potential interruption of "other means of communication." It therefore appears that international relations in the domain of malicious use of ICTs are generally governed by the provisions of Article 2 (4), UN Charter, which require states to abstain from the use of force of threat of force in international relations, including in cyberspace. At the same time, the author believes there is an opportunity for legal confirmation of the criteria of malicious use of ICTs at the borderline of "threat of force" and "use of force." For the "use of force," such borderline may be represented by the onset of severe effects of malicious use of ICTs, i.e. actual enforcement of will on another state, coercion to change its policy as
64

Forum_1.indd 64 Forum_1.indd 64

22.10.2014 13:40:18 22.10.2014 13:40:18


regards its territorial integrity, political sovereignty or other values that a state shall seek to consolidate in accordance with the UN goals. A borderline of "threat of force" may be represented by warning of a state's public officers about potential use of force in the form of malicious use of ICTs, as well as practical demonstration of accumulated ICT resources intended to pursue the political goals that do not reach the "use of force" borderline. In principle, the only reason for legitimate use of force by a state provided by the modern international law is self-defense in response to an armed assault. Indefeasible right to individual and collective self-defense in case of armed assault is provided by Article 51, UN Charter. The term "armed assault" relating to Jus ad Bellum may be construed as: · "use of force" that a state shall refrain from in pursuance of provisions of Article 2 (4), UN Charter, or · aggression, i.e. use of armed force by a state against the sovereignty, territorial integrity or political independence of another state, or use of armed force by any other means contradictory to the UN Charter. From this point of view, aggression committed by means of malicious use of ICTs could constitute grounds for the creation of right to individual or collective self-defense, provided that ICTs and the term "weapon" in its conventional meaning are synonymous, i.e. ICTs are a type of "weapon." As stated above, "processes" and "methods" are neither "devices," nor "tools," which means they cannot be treated as weapons in this context. At the same time, ICTs may be used to change the regular ("nominal") operation of computerized facilities and devices, leading to a real threat to life and health of people, integrity of buildings and structures, and environmental security, i.e. conversion of such facilities and devices into "weapons." It is the possibility to convert conventional (non-specialized) devices into weapons as a result of their off-nominal application was used by terrorists during the attacks in the USA on September 11, 2001. These considerations, with support of the international community, enabled the US government to announce its right to individual and collective self-defense and engage in military operations against Iraq and Afghanistan -- countries accused of support of terrorism. As a result, the 9/11 terrorist attack, in which terrorists used hijacked planes, was de facto made equal to an "armed assault" in the meaning of this term provided by Article 51, UN Charter.
65

Forum_1.indd 65 Forum_1.indd 65

22.10.2014 13:40:18 22.10.2014 13:40:18


Apparently, the term "weapon" therefore shall now have a broader meaning, to include devices that have the properties of "weapon" in certain circumstances. Malicious use of ICTs may be viewed as a factor that may turn conventional (non-military) devices into those employed for killing enemy troops and hardware, i.e. "weapons." This type of weapons can be called "implicit weapons." Malicious use of ICTs transforms a facility or device into "implicit weapon" if such facility or device has the following properties: capability to injure (damage) troops and hardware as a result of failure of their regular (nominal) operation; existence of information or communication systems within a facility or device that enable malicious use of ICTs resulting in damages of troops and hardware; existence of ICTs intended to transform a non-military device or facility into an "implicit weapon." From this perspective, any assault involving the so-called "implicit weapons" shall be deemed as an armed assault and lead to implications stipulated by Article 51, UN Charter. To this end, generally speaking, provisions of Article 51, UN Charter do not require customization to the conditions of malicious use of ICTs in cyberspace. One of the important features of using ICTs for threat of force or for use of force in the meaning provided by Article 2 (4), UN Charter, and for the purpose of an armed assault in the meaning provided in Article 51, UN Charter is its unobservability. This unobservability is due to the fact that ICTs basically represent a process of purposeful change, in accordance with a certain algorithm, of information stored in electronic memory of computers, means of communication, and communication devices. This fact makes it harder to assess credibility of data presented by the debating parties with respect of breach of international law by way of malicious use of ICTs. To enable fair consideration of such disputes, it appears vitally important to establish a unified system (possibly based on appropriate national and regional systems) for registering the cases of threat of force or use of force, as well as "armed assault" with the help of malicious use of ICTs. National and regional elements of the registration systems hall be certified in accordance with uniform standards, and the personnel operating such devices shall have the extraterritorial right under the aegis of the UN.
66

Forum_1.indd 66 Forum_1.indd 66

22.10.2014 13:40:18 22.10.2014 13:40:18


2. International law Jus in Bello. The primary sources of law in this domain include the Hague conventions, Geneva conventions, and other international treaties concluded to promote the rules and ideas of the stated conventions. It is commonly known that international humanitarian law regulates relations intended to reduce physical suffering of persons immediately affected by military operations and damage to property of civilian population, as well as to ensure integrity of cultural property. Considering the concept of "implicit weapons" described above, the rules of humanitarian law regulate public relations that involve malicious use of ICTs in cyberspace in pursuit of military and political objectives. Despite the similarities between the ICTs and "conventional weapons" as regards the methods of violence, types of suffering of injured and sick persona and civilian population, as well as the forms of damage to cultural property, there are some major differences between them in terms of legal regulation of the subject public relations. Based on our review, the majority of provisions contained in the sources of international humanitarian law are either invariable with regards to the type of weapon used during military operations, or implies restricted use of specific types of weapons. For instance, the rules of warfare and restriction of combat mission resources barely depend on the type of weapons used, and rules that prohibit the use of certain types of weapons regulate relations that imply the use of these specific weapons. At the same time, certain rules of international humanitarian law require customization to the conditions of malicious use of ICTs. This is primarily due to the fact that ICTs are subjects of international relations governed by international treaties that involve distribution and communication of information. Malicious use of ICTs may obstruct due performance of international treaties, for instance those that provide for the development and maintenance of registers and reference books. Additionally, the use of ICTs as a means of transformation of non-military facilities into military facilities may also be subject to international restriction of their use for purposes of war. The rules of international humanitarian law that require customization include, first of all, the rules that regulate international relations in the following domains: · identification; · prohibition of certain cases of malicious use of ICTs for purposes of war; · perfidy;
67

Forum_1.indd 67 Forum_1.indd 67

22.10.2014 13:40:18 22.10.2014 13:40:18


· ·

espionage and reconnaissance; retention of neutrality of states that do not participate in military operations. Rights and duties of neutral states are governed by the rules of international humanitarian law of neutral powers and persons in war on land and naval war. It appears that one of the greatest challenges in law enforcement practices of belligerent states with respect of malicious use of ICTs against neutral states is identification, in the first place, of critical facilities of their national information infrastructures to help prevent accidental or deliberate breach of rules of international law with respect of such states. In our opinion, this problem may be solved by compiling the charts of digital addresses of critical facilities of national information infrastructures of neutral states and communicating them, in case of armed conflict, to the belligerents, as well as by monitoring the cases of malicious use of ICTs against the facilities specified in the chart. Besides, it might help to create a single authority to coordinate countermeasures against dangerous activities of states aimed at critical facilities of the global, regional and national information infrastructures similar to the Inernational Seabed Authority. Such new authority could operate in reliance on the Rules of Conduct of States in Inernational Information Security. A draft document containing such rules has been presented in 2011 by the Russian Federation, China, Tajikistan and Uzbekistan in the UN. 3. Proposals on the form of securing the customized rules of law and procedure of their enactment. Legal registration of proposed rules of law is critical to the customization of international law of armed conflict. Activities aimed at improving the international law, based both on the codification principle and the progressive development principle, rely on the international principles of friendly relations and cooperation. These principles include the obligation of states to cooperate with each other in accordance with the UN Charter, without which there can be no fair approach to the official documentation and registration of legal innovations as regards the customization of international law of armed conflict. One of the reasonable approaches to solving this problem involves the development of draft proposals to international treaties that regulate international relations with respect of armed conflicts in the context of malicious use of ICTs. It is common knowledge that the number of sources of international law in this domain that require customization is relatively small. Therefore, development of draft international treaties could be materialized in the develop68

Forum_1.indd 68 Forum_1.indd 68

22.10.2014 13:40:19 22.10.2014 13:40:19


ment of a system of relatively independent materials with common terminology and principles. Each draft treaty could be developed in reliance on the terminology and with retention of the legal mechanics that have already stood the test of time and demonstrated success on the level of international experts and politicians. Such international treaties could include the following: · Treaty on the application of provisions of Articles 2(4), 39, 41, 42 and 51 of the UN Charter to the cases of use of force or threat of force by means of malicious use of ICTs -- with due consideration for the issue of establishment of international system of collaboration in investigations of armed assaults with the use of ICTs; · Treaty on additional measures to secure registers and lists created in accordance with the rules of international humanitarian law against attacks involving the malicious use of ICTs; · Treaty on the development of international system for registration of information systems of facilities and persons protected by the international humanitarian law, as well as the international system of monitoring violations of rules of international humanitarian law with respect of such facilities and persons; · Treaty on voluntary restriction of espionage and reconnaissance in the cyberspace; · Treaty on detailing the procedure of identification of information space objects protected by the international humanitarian law; · Treaty on the prohibition of malicious use of ICTs against critical facilities of global, regional and national infrastructures protected by the international law; · Treaty on the creation and maintenance of a register of critical facilities of global, regional and national infrastructures, assault on which with malicious use of ICTs constitutes an international crime. Conclusions One of the essential focal areas of progressive development of contemporary international law of armed conflict is customization of such law to the conditions of malicious use of ICTs for purposes of war. Three core lines of customization are proposed: customization of international law of use of force; customization of international humanitarian law; and improvement of international law of procedure. The process of customization of international law of use of force may be based on the concept of "implicit weapon," which allows
69

Forum_1.indd 69 Forum_1.indd 69

22.10.2014 13:40:19 22.10.2014 13:40:19


minimizing the emerging legal innovations and maintaining the tight limits of legitimate use of force, as stipulated by Article 51 of the UN Charter. In the context of customization of international humanitarian law to malicious use of ICTS, legal innovations involve a significant scope of international relations that imply both expansion of the list of prohibited types of weapons and identification in the information space of facilities and persons protected by the rules of international law. Improvement of the procedural aspect of international law of armed conflict mostly touches upon the issues of objectification of legal facts that underlie the emergency, termination or change of legal relations that involve the use of ICTs as a means of "coercive" resolution of international conflicts.

70

Forum_1.indd 70 Forum_1.indd 70

22.10.2014 13:40:19 22.10.2014 13:40:19


(Gao Hui)
(),


! ! . 20- , . 20 . 2013 0,6 . , . - . , , . . , . () , - . , , . , , . .
71

Forum_1.indd 71 Forum_1.indd 71

22.10.2014 13:40:19 22.10.2014 13:40:19


(), , jus in bello . jus in bello, jus ad bellum. . I. Jus ad bellum , 2(4) 51 . 2(4) , 51 , , . , « » « » -- . , , , « ». Jus in bello 1949 1977 , , . , jus in bello, : , , . , , , . , , . -, jus ad bellum, , . « » « » ? ? ? « »? ? ,
72

Forum_1.indd 72 Forum_1.indd 72

22.10.2014 13:40:19 22.10.2014 13:40:19


, , , « , , , , ». -, jus in bello, , , . , ; , , , , . , jus in bello, , . II. -, , , . , . , , . -, , -, , , , , .. . -, , . « », . , , . , . -, - . , , ,
73

Forum_1.indd 73 Forum_1.indd 73

22.10.2014 13:40:19 22.10.2014 13:40:19


, . , , , . -, . , , , , . -, jus ad bellum, jus in bello. III. , . . , , , , . . , , . , , , .. «».

74

Forum_1.indd 74 Forum_1.indd 74

22.10.2014 13:40:20 22.10.2014 13:40:20


Gao Hui
Cyberinformation Center of China Association for International Friendly Contact (CAIFC)

Applicability of the Law of Armed Conflict in Cyberspace
Distinguished Guests! Ladies and Gentlemen, It is my privilege to join in your discussion on cyber security at this beautiful Alps town. This year marks the 20th anniversary of China's enter into the internet. The past 20 years witnessed China's rapid development and admirable accomplishment in this field. Up to the end of 2013, China has 0.6 billion netizens, among which half of them has the experience of on-line shopping. Among the top ten international internet companies, three of them are Chinese enterprises. So China has become one of the major powers in cyberspace, and firm guardian for cyber security. Not long ago, Chinese central government established leading group of cyber security and informatization with our President Xi Jinping as group leader. We firmly believe that China needs to join international society in safeguarding cyber security. China Association for International Friendly Contact is committed to friendly communication between China and the rest of the world, we are also one of the founding members for International Information Security Institute. In order to facilitate international cooperation in cyberspace, CAIFC specially established Cyber and Information Center, and invite many Chinese first-class experts on cyber security and related legal specialists as our research fellows. We would love to take this opportunity to intensify cooperation with the representatives and experts of the think tanks present here today. Now I would love to share some of my thoughts on the applicability of the Law of Armed Conflict in Cyberspace. The Law of armed conflict (LOAC) usually refers to jus in bello or international humanitarian law. But in the broader sense, it can be used to refer to both jus in bello and jus ad bellum. This paper uses this concept in the broader sense. I. Problems with applying LOAC in Cyberspace Jus ad bellum is generally reflected in articles 2(4) and 51 of the UN Charter. Article 2(4) prohibits the threat or use of force in
75

Forum_1.indd 75 Forum_1.indd 75

22.10.2014 13:40:20 22.10.2014 13:40:20


international relations, while article 51 allows a state under armed attack to invoke the right of individual or collective self-defense. To note, "use of force" and "armed attack" are two different words. Although there is no definition for the two words in the UN Charter, we can read from the text that only when the use of force reaches the extent of an "armed attack" can the state take measures in self-defense. Jus in bello is mainly reflected in the Geneva Conventions of 1949 and its additional protocols in 1977, including the basic rules and principles to be observed by the parties during an armed conflict. There are four fundamental principles underlying jus in bello, that is to say, military necessity, humanity, distinction and proportionality. The purpose of the principles is to achieve the balance between military necessity and humanity, intending to minimize the suffering caused by armed conflict while not impeding military efficiency. In my opinion in order to apply LOAC in cyberspace, we need to solve many problems and obstacles. Firstly, as regards jus ad bellum, for a cyber operation to constitute a use of force or an armed attack, many problems shall be manifested: what is the right threshold of "use of force" and "armed attack" in cyberspace? When can a right to self-defense be invoked against cyber attack? How can we counter attack for self-defense? How to observe the requirements of "necessary and proportionate" in counterattack? Does a hacker constitute a legitimate target? In fact, although some country argues that a state can invoke the right of self-defense or even preparatory self-defense for imminent cyber threats, the country at the same time points out that "Cyber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force". Secondly, as regards jus in bello, although customary international law has some limitations on new technologies developed into weapons, it is hard to say that the principles of distinction and proportionality is automatically applicable in cyberspace. Legally, it is subject to further examination and analysis; technically, it has to ensured that cyber attacks are controllable, capable of realizing the requirements of the principles of distinction and proportionality, and capable of accurately assessing possible collateral damage. Problems also arise when other rules of jus in bello are applied in cyberspace, such as the law of neutrality.
76

Forum_1.indd 76 Forum_1.indd 76

22.10.2014 13:40:20 22.10.2014 13:40:20


II. Causes for the problems and obstacles Firstly, cyberspace is a virtual, interconnected space where it is easy to conceal identity. Cyberspace is thus rather different from the real world. When we are trying to apply the LOAC rules developed for the real world in cyberspace, we have to consider the features of cyberspace. Secondly, cyber-related concepts are ambiguous and lack common understanding, including cyber war, cyber crime, cyber weapons and cyber security, etc. In this sense, it is quite necessary to define the related terms and concepts. Thirdly, there is no criterion for assessing the damage caused by cyber attacks. Most commentators use the criterion of "direct physical injury and property damage resulting from the cyber event", but it is not quite clear. Besides, cyber operations feature non-physical damage, which shall also be taken into account. But there is still no consensus on whether non-physical damage can constitute a use of force and how to assess the damage. Fourthly, it is still difficult to attribute cyber attacks. This is generally a technical issue, including difficulties in ascertaining the sources of attack, the identity and intention of the attacker, the relationship between the attacker and its state. Legally, it results in difficulties in determining whether the cyber activities constitute a use of force, and in determining the responsibility of the relevant state. Fifthly, there are no valid global cyber norms. Many countries have their own cyber security policy, but the policies are generally competing rather than complementing each other. Sixthly, there is no generally agreed interpretation of existing international law for both jus ad bellum and jus in bello. III. Solutions for the problems Legally, consensus shall be reached on the applicability of LOAC in cyberspace. The work of UNGGE shall be strengthened and when appropriate a legally binding international cyber security agreement shall be made. Technically, in order to effectively cope with international cyber attacks and strengthen CBMs, technologically advanced countries such as the United States shall share cyber attack attribution technologies. To this end, joint research and development of attribution-related technologies should be encouraged.
77

Forum_1.indd 77 Forum_1.indd 77

22.10.2014 13:40:20 22.10.2014 13:40:20


To strengthen cooperation and increase efficiency, it is necessary to establish an international cyber security organization, preferably under the authorization of the UN. Functions may include the coordination of drafting and implementing relevant legal norms, the management of joint research and development and sharing of cyber technologies, etc. We need to further explore the efficiency and wisdom of second track or one and a half track communication in the process of regulation formulation.

78

Forum_1.indd 78 Forum_1.indd 78

22.10.2014 13:40:20 22.10.2014 13:40:20


.., .., .., ..


- «»
. , - . (, , , -, ..). . , . «» «» , . , ( ), , , . - - , . . , . -- -, ? , «» , , . ,
79

Forum_1.indd 79 Forum_1.indd 79

22.10.2014 13:40:20 22.10.2014 13:40:20


«», , , , . , . -- « ». , . (), 2013 , . , , . , , , « - »1. , , .51 ( ) . , « », . , , - «» , . «» 1974 3314 (XXIX). 1 «»
1 « ». (A/68/37), 18 2013 .

80

Forum_1.indd 80 Forum_1.indd 80

22.10.2014 13:40:20 22.10.2014 13:40:20


« , , , , ». , «» . - , , . , (, ). , « »2, 1 , . . «» «», . , , « » , . - (, ), , . (, , ), , , 2 1« » -- , , , , , , , , , (. « », 2 2011 ).

81

Forum_1.indd 81 Forum_1.indd 81

22.10.2014 13:40:20 22.10.2014 13:40:20


, , .. . . , . - , . . , , , ? ? , . , « »31 , . , , , - () , . , Stuxnet . « » 2010 4.2 , , . DDOS- - 2007 2008 . . , , ? , 3 1« » -- , , (. « - », 2 2011 ). 4 2 2010 , , 24.12.2010; Top Military Developments of 2010, StrategyPage, January 14, 2011.

82

Forum_1.indd 82 Forum_1.indd 82

22.10.2014 13:40:20 22.10.2014 13:40:20


, . 5 ( ) , . . -, . -, , -- ? ? ? ? . 51 ? ? . «». , , . .. « » . , , , , - . , . . , , . 3 3314 .
83

Forum_1.indd 83 Forum_1.indd 83

22.10.2014 13:40:20 22.10.2014 13:40:20


, , , , , . . , , . , , , . , . 2 3314 , « , , , , , , ». - - - . -, , - . . -, , , . , , . , ,
84

Forum_1.indd 84 Forum_1.indd 84

22.10.2014 13:40:21 22.10.2014 13:40:21


, 5. 1 , , , , -- . , .. . , . 3 . -, « , , » (. d). . . -, , « » (. a) « » (. b). « » , . : , , 6. 2 « », « » , . , , 5 1 .. . , 14, 10 2013 ., . 6­7. 6 2 .. : . .: - , 1997.

85

Forum_1.indd 85 Forum_1.indd 85

22.10.2014 13:40:21 22.10.2014 13:40:21


« 1»7, . « » « ». « , , , , » (. f). , , , -, - . , « , , , , , , » (. g). , , , . , 3314 . . 4 , « , , ». . , « 7 1« » -- , (. « ­ », 2 2011 ).

86

Forum_1.indd 86 Forum_1.indd 86

22.10.2014 13:40:21 22.10.2014 13:40:21


». - ( , .), . « , , , ». , , , . , , , . , , , VII, , - , . «» «», . 51 , : « , , , , . , , , , ,
87

Forum_1.indd 87 Forum_1.indd 87

22.10.2014 13:40:21 22.10.2014 13:40:21


». , -. , , . , , , . , , .. , , , . () , - « , 6, 7 8 »8.1 .. « » 100 - . . 51 , , , . , , . , « » 8 1 . : . , 5 (78). 2010, . 1­9.

88

Forum_1.indd 88 Forum_1.indd 88

22.10.2014 13:40:21 22.10.2014 13:40:21


3314, . 3 . , , , : · , ; · , , . , « », 60 , , . , , , , - . . , 1998 « » , . « » « », 3314 (XXIX) 1974 . 2011 , « » , 9. 1 , 1 2017 . ,
9 1 . , 31 -- 11 2010, . .

89

Forum_1.indd 89 Forum_1.indd 89

22.10.2014 13:40:21 22.10.2014 13:40:21


, . - , « » , , . .

90

Forum_1.indd 90 Forum_1.indd 90

22.10.2014 13:40:21 22.10.2014 13:40:21


I.N.Dylevskiy, V.O.Zapivakhin, S.A.Komov, A.N.Petrunin
Ministry of Defense of the Russian Federation

Adaptation of international legal concept of "aggression" to the specifics of information space
With the development of information technologies, there emerge trends and conditions for their use for aggressive purposes. Recently there was a significant increase in number of destructive information attacks by means of contemporary information and communication technologies. They target information systems and information resources of States (financial, transportation, industrial, media, military, etc.). Last year in April the banking system of the Republic of South Korea was disrupted. In theory it is known who did this and who is behind this, but the South Korean leadership does not have the evidentiary foundation. The so-called "Anonymous" hacker community regularly puts various illegally obtained confidential information on the Internet. What kind of organization this is, who authorizes its activities (perhaps the secret services of a particular State) is not known for sure, and thus it is not at all clear what countermeasures should be taken against them and how to qualify their actions. This year in March, online resources of major Russian TV and radio companies suffered information attacks, aimed to obstruct their work. Our experts have noted a highly professional conduct of these attacks. Their implementation requires a lengthy preliminary preparation. And here the same questions arise -- who authorized information attacks on Russian Internet resources, what forces carried them out and how to protect oneself in the future? Analysis of information about such destructive effects, found on the Internet and in the media, shows that lately information attacks are becoming more complex. It is predicted that in the near future they will target not only information resources on the Internet, but also the national critical infrastructure, which supports operation of industry, transportation, energy and other spheres of life. Information attacks on critical infrastructure can lead to serious consequences, comparable with the use of conventional weapons. That is, the use of information and communication technologies in certain conditions can become a weapon -- an "Information weapon".
91

Forum_1.indd 91 Forum_1.indd 91

22.10.2014 13:40:21 22.10.2014 13:40:21


In this regard, the question arises about the possibility to invoke a legitimate right to self-defense in response to such information attacks, which in this case, as it appears, is possible to qualify as an act of aggression. This question has already been raised by a number of experts within the framework of the third UN Group of Governmental Experts (GGE) (concluded its work in 2013). But one couldn't find answers to this and other questions related to the development of existing international law in relation to the specifics of the information space. Therefore, the fourth mandate of GGE (which will start this year) includes a question "how International Law is applied to the use of Information and Communication Technologies by countries."1 This broad approach implies among other things the study of applicability of Article 51 of the UN Charter (the right to self-defense) to military response to information attacks. And therefore the study of what comprises an act of aggression with the use of ICT from the standpoint of International Law. Russian Ministry of Defense is also concerned about the increasing threat of such comparable to known acts of aggression cross-border information effects on military information systems and resources. In this regard, the Russian military experts have analyzed the international legal concept of "aggression" in the context of its adaptation to the specifics of information space, the main results of analysis are described in this article. Aggression is currently defined by UN General Assembly Resolution 3314 (XXIX) of 19742. According to the Article 1 of this Resolution, aggression is "the use of armed force by a State against the sovereignty, territorial integrity or political independence of another State, or in any other manner inconsistent with the Charter of the United Nations, as set out in this Definition". It follows that the concept of "aggression" is not identified with the use of force of arms in general. In order to recognize any fact of force of arms use as aggression, it is necessary to establish that force of arms was used to breach sovereignty, territorial integrity or political independence of another state. Violation of sovereignty, territorial integrity or political independence of another state is carried out in specific physical environments (land, sea and airspace). But there also exists "Informa1 UN General Assembly Resolution 68/243. Developments in the field of information and telecommunications in the context of international security 2 "Definition of Aggression" UN General Assembly Resolution 3314 (XXIX), 1974

92

Forum_1.indd 92 Forum_1.indd 92

22.10.2014 13:40:21 22.10.2014 13:40:21


tion Space"3,1 where each State has its interests, which must be protected. In contrast to physical environment, it has no distinct state borders. It stands for reason that it is often called "global" and "cross-border", that is they cross national borders. However, currently the global expert community is gradually developing an understanding that the concept of "state sovereignty" has the same direct relation to information space, as to other forms of geophysical space. All information and communication technologies (assets, systems), used to form the information space, have their national owners and are housed within the sovereign borders of individual States. Therefore, cross-border violations of their normal functioning (destruction, incapacitation, suppression), which can be accomplished by force of arms based on the use of traditional weapons, could qualify as a violation of the sovereignty, territorial integrity or political independence of another state, i.e. as an aggression. Let's take conditional hydroelectric power plant. It is no doubt a critical infrastructure of the State. If someone attacks it by means of any of the available modern weapons, it will lead to immense destruction and loss of life. This would be considered an act of aggression. And if, the automated control system of the station is disrupted by means of information and communication technologies, and this led to its destruction and loss of life? Would it be an act of aggression? Yes, here as well, there happens to be an act of aggression. Having said that, the practice of "information weapons"42 use against such targets, the results of which would be commensurate with the damage caused by conventional weapons has not yet developed. However, according to some experts, there are already examples confirming that certain information and communication technologies (ICT) have such cross-border capabilities that allow one to qualify their use as an act of armed aggression. For example, computer attack using the Stuxnet virus on Iran's nuclear facilities
3 1"Information space" -- field of activities related to generating, transforming, transferring, using and storing information which influences, in particular, individual and public mind, information infrastructure and information as such (see Agreement between the Governments of the Member States of the Shanghai Cooperation Organization on Cooperation in the Field of International Information Security, 2 June 2011) 4 2"Information weapon" -- information technologies, ways and means of waging an information war. (see Agreement between the Governments of the Member States of the Shanghai Cooperation Organization on Cooperation in the Field of International Information Security, 2 June 2011)

93

Forum_1.indd 93 Forum_1.indd 93

22.10.2014 13:40:22 22.10.2014 13:40:22


may well claim the first place in the 2010 nomination "aggression in cyberspace"5.1 Two other examples of cyberattacks, although used different methods, tools and targets, can also be considered as acts of aggression. These examples are DDOS-attacks on the information infrastructure of Estonia in April -- May 2007 and Georgia in August 2008. They permanently paralyzed public administration and municipal maintenance systems in these countries. What is this but a violation of state sovereignty, territorial integrity or political independence of another country? No wonder that Estonian government, being seriously concerned about vulnerabilities of their information infrastructure, got Article 5 of the Washington Treaty (collective response to an armed attack) to extend to this kind of computer attacks and deployed NATO Cooperative Cyber Defense Centre of Excellence in Tallinn, to carry out a symmetrical response to them. However, the practical recognition of cross-border cyber attacks as acts of aggression is significantly complicated. Firstly, there are no developed methods and tools for rapid and precise identification of location and national identity of source of cyberattacks. Secondly, even if the sources of malicious activity are identified, how to expose a connection between a certain network community with government stakeholders? What if its members act solely out of patriotism or other motives? Who should bear international responsibility for the outcome of a malicious cyberattack? How can one accurately establish the presence of an act of aggression in this case? Is a response to such computer attacks legitimate in principle as part of the right to self-defense under Article 51 of the UN Charter? And at whom exactly should this response be directed? Countries are actively looking for answers to these questions. Certain groups of experts within these countries have already come up with possible "answers". In particular, among the U.S. expert community the dominant opinion is that the national identity of information attack is not at all essential in the course of its qualifications. At the same time they rely on the so-called concept of "responsible behavior" of countries. From American perspective this behavior implicates that national governments should be responsible for any computer attacks carried out from their territory, regardless of motivation of attack and political and legal status of contractor and perpetrator.
5 1V.Miasnikov, Top Military Developments of 2010, StrategyPage, January 14, 2011.

94

Forum_1.indd 94 Forum_1.indd 94

22.10.2014 13:40:22 22.10.2014 13:40:22


In our opinion, such an approach to qualification of aggressive acts is unacceptable. Wars are unleashed and waged by countries with the use of armed forces. As for individuals and legal entities, they can be considered a source of aggression only if they act on order by governmental authorities. This provision is formalized in Article 3 of Resolution 3314 and will be further analyzed hereafter. Having said that, Individuals who carry out cross-border attacks with terrorist, extremist or interested motives, cannot be considered a source of aggression. In this case, information attacks should be classified as terrorist, extremist or other criminal offenses. These crimes are antisocial in nature and therefore different countries as a rule cooperate on criminal prosecution of those responsible within the framework of international legal assistance. Countries must be internationally liable for transboundary crimes carried out from their territory, since they are under obligation to administer the law on their territory. However, this responsibility is not related to the crime of aggression, which by its nature is associated with national military policy and its direct or indirect implementation in the form of illegal military activities. Article 2 of Resolution 3314 states that "the first use of armed force by the State in contravention of the Charter shall constitute prima facie evidence of an act of aggression although the Security Council may, in conformity with the Charter, conclude that a determination that an act of aggression has been committed would not be justified in the light of other relevant circumstances, including the fact that the acts considered or their consequences are not of sufficient gravity". In the course of international-legal qualification of specific act of cross-border military use of ICT this provision should be interpreted with regard to two principal facilitations. Firstly, a country which first executed an information attack on another state to accomplish its military and political objectives may be recognized as aggressor. This time factor, in accordance with the resolution favors the recognition of an act of aggression. Secondly, to take the final verdict on whether or not this information attack is an act of aggression, the UN Security Council must assess the nature of consequences of this attack. In case the effects are found to be of sufficient gravity, the attack can be qualified as an act of aggression. Can the aforementioned cyberattacks on Iranian nuclear facilities be considered of sufficient gravity if, according to experts, as a result of these attacks, Tehran's nuclear program was set back
95

Forum_1.indd 95 Forum_1.indd 95

22.10.2014 13:40:22 22.10.2014 13:40:22


two years?61 If so, then theoretically Iran could be recognized by the Security Council of the UN as a target of aggression, and the authors and perpetrators of computer attacks, if they acted on government orders -- as aggressors. However, presently this decision is unlikely to be made in practice, as the UN Security Council needs corresponding criterial framework to determine the gravity of the military use of ICT. Currently a list of possible acts of aggression in Article 3 of Resolution 3314 serves as similar framework regarding the use of conventional armed force: Firstly, the issue of such qualification can be easily resolved by using the criterion of "an attack by the armed forces of a State on the land, sea or air forces, or marine and air fleets of another State" (pt.d). At the same time, in the context of this provision, it does not matter what kind of weapons are used. Therefore, cyberattacks launched by armed forces of one country against information infrastructure of the armed forces of another country may be recognized by the Security Council as an act of aggression. Secondly, for qualification of aggression by means of ICTs one can use the criteria "attack by the armed forces of a State on the territory of another State" (pt.a) and "use of any weapons by a State against the territory of another State" (pt.b). In this case, the use of information weapons by Special Forces of army, navy and air force can be qualified as an attack by the armed forces on the territory of another State. The territory of a State includes land, water, aerial domains7. 2 As for the "information space", not only the question of its inclusion in the concept of "territory of a State" has not been resolved, but it has not even been considered from this standpoint. However, it is obvious that "information resources"83 which form the national segment of the information space are precisely on the territory of a State. Therefore, further by "attack by the armed forces of a State on the territory of another State" we will mean among other things "the use of armed forces of a State information weapon against information resources of another state".
6 1 V.Barinkin "Minefield of information wars" Military-industrial courier 14, April 10, 2013, p. 6­7. 7 2 S.Baburin "Territory of the state. Political and geopolitical issues", Published in Moscow State University 1997. 8 3 "Information resources" -- information infrastructure, as well as information as such and its flows (see Agreement between the Governments of the Member States of the Shanghai Cooperation Organization on Cooperation in the Field of International Information Security, 2 June 2011)

96

Forum_1.indd 96 Forum_1.indd 96

22.10.2014 13:40:22 22.10.2014 13:40:22


Criterion "the action of a State in allowing its territory, which it has placed at the disposal of another State, to be used by that other State for perpetrating an act of aggression against a third State" (pt.f) is of special interest for possible qualification of aggression using ICT. The scope of this criterion in case it extends to information space, can encompass all States which have on their territory proxy servers that are used by aggressor States for anonymous cyberattacks. And finally, the use of the criterion "the sending by or on behalf of a State of armed bands, groups, irregulars or mercenaries, which carry out acts of armed force against another State of such gravity as to amount to the acts listed above, or its substantial involvement therein" (pt.g). It can be relevant if aggressive computer attacks are carried out not by units of the regular armed forces but by other forces and means executing tasks in their interest and on their behalf. It should be noted that the Resolution 3314 doesn't limit the Security Council to the list noted above. Article 4 states that "the acts enumerated above are not exhaustive and the Security Council may determine that other acts constitute aggression under the provisions of the Charter". Therefore, the specific qualification criteria of aggression with the use of ICT can be further explicitly defined. For example, "the use of information weapons by armed forces of a State against objects of critical infrastructure of another State" may be such a criterion. It seems essential to formulate a criterion for recently proliferated information attacks that use modern information and communication technologies (social networks, mobile communications, etc.). "State-sponsored propaganda of war and use of force, dissemination of inflammatory information aimed on destabilization of national and international situation, outbreak and escalation of armed conflict" can be such a criterion. In case these actions are recognized as the use of armed force by State or group of States against sovereignty, territorial integrity or political independence of another State, they should be qualified as acts of aggression. This naturally entails responsibility for nations and individuals involved in their preparation and execution. UN Charter enshrines the principle of non-interference in matters within the domestic jurisdiction of any State, and makes an exception to this principle only in case of enforcement measures under Chapter VII, that is by descision of the UN Security Council, and not at the sole discretion of any State or coalition of states. To further investigate the possible approaches to identification of the information aspects of aggression; of particular interest is
97

Forum_1.indd 97 Forum_1.indd 97

22.10.2014 13:40:22 22.10.2014 13:40:22


the question of distinction of concepts "aggression" and "self-defense", as enshrined in Article 51 of the UN Charter: "Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defence shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security". It is indicative that this provision is interpreted by different international law specialists in different ways. In particular, Russian science of law states that an armed attack is primary in relation to self-defense. Therefore, only a real armed attack, rather than the threat of it, can be the basis for self-defense, as otherwise it loses its self-defense response quality, and itself turns into an armed attack. Western experts, in contrast, believe that the state has the right to resort to self-defense preemptively, not only in case of an armed attack, but also in case of a threat, or to protect economic interests and citizens who are at risk in other countries. In the course of the first Review Conference of the Rome Statute of the International Criminal Court (ICC), the proposal made by the United States to exclude the jurisdiction of the ICC when the aggressor state acted in "good faith and to prevent crimes envisaged in Articles 6, 7 and 8 of the Statute"91 was almost unanimously rejected. Thus, the U.S. attempt to shield themselves from liability in the event of another so-called "humanitarian intervention" was not supported by more than 100 member states of the ICC. By implication of Article 51 of the UN Charter, the recourse to force in self-defense, for example, in the event of cross-border computer attacks, is allowed only if they are recognized by the Security Council as an act of armed attack. Therefore, preempive and extended interpretation of self-defense against such attacks given in guideline documents of the U.S. and NATO, contradicts the current understanding of the right of the State to ensure its territorial integrity and political independence from the act of violence in the form of an armed attack.
9 1 G.Bogush Review Conference of the Rome Statute: new horizons of international criminal justice. Comparative constitution review 5 (78)2010, pp.1-9

98

Forum_1.indd 98 Forum_1.indd 98

22.10.2014 13:40:22 22.10.2014 13:40:22


Thus, analysis of information aspects of "definition of aggression" testifies the need of its adaptation to be applicable to information and communication technologies on the basis of the aforementioned existing provisions of Resolution 3314. And inclusion of the possible acts of aggression in the information space in Article 3 of this Resolution. In particular, it is proposed to include: the use of information weapons by armed forces of a State against critical infrastructure of another State; State propaganda of war and use of force, dissemination of inflammatory information to promote destabilization of national and international situation, outbreak and escalation of an armed conflict. In conclusion, it should be noted that the work on the elaboration of a legally binding "Definition of Aggression", that has been going on for more than 60 years, cannot be considered finished, since this definition lacks the necessary legal power. This is due to the fact that the UN General Assembly, whose resolution codified the definition of aggression, is not empowered to make decisions binding on all Member States of the Organization. However, in the foreseeable future, this problem can be solved. In particular, in 1998, the ICC was given jurisdiction over the "crime of aggression", provided that it will be implemented after the definition of this crime will be accepted. In subsequent years, the concept of "crime of aggression" was conceived by Special Working Group by legislative restatement in the Rome Statute of "Definition of Aggression", annexed to the UN General Assembly Resolution 3314 (XXIX) of 1974. During the first Review Conference of the Rome Statute of the ICC in June 2010, there was adopted a Resolution, according to which the Rome Statute includes the definition of "crime of aggression" and conditions under which the Court may exercise jurisdiction over this crime10.1 The actual exercise of jurisdiction depends on decisions to be taken at the next Review Conference after January 1, 2017 . Thus, the expected inclusion of a definition of aggression in the Rome Statute will provide it with necessary legal force. As for information aspects of this international legal concept, their regard in the general "definition of aggression" would require
10 1 Review Conference of the Rome Statute of the International Criminal Court, Campala, May 31 -- June 11, 2010, Official proceedings

99

Forum_1.indd 99 Forum_1.indd 99

22.10.2014 13:40:22 22.10.2014 13:40:22


the initiation of separate negotiation processes, both within the UN and in the structures of the ICC. Only as a result of this negotiation processes and their completion with a consensus can the world community receive a universal international-legal methodology for classification of specific facts of cross-border use of modern ICTs as acts of armed aggression.

100

Forum_1.indd 100 Forum_1.indd 100

22.10.2014 13:40:22 22.10.2014 13:40:22


..


- - :
, ! - - (). : -- « ». , , . « » , . , , . , «» . . , , : «» . . , , , () , , «» . ( 40) () . , , , : 101

Forum_1.indd 101 Forum_1.indd 101

22.10.2014 13:40:22 22.10.2014 13:40:22


( , ) . -. , , « », . , - . , . -- « ». , , . -- , . . : , ? , , ? - « » « ». « » , . 2011 « ». -- , , . «» « » , , , , . . , .
102

Forum_1.indd 102 Forum_1.indd 102

22.10.2014 13:40:23 22.10.2014 13:40:23


, «» , , - , . , , «» , . , « », -- , -- . « , ». « » . . . . . , , . , , , , . « » , , . , . . - . : , , . -- . . , , «», . - , 103

Forum_1.indd 103 Forum_1.indd 103

22.10.2014 13:40:23 22.10.2014 13:40:23


. , , , -- -- , , - . . , . : , , «» , . . - -- ( , ) . - «» . -, . « », « », «» . . , « », « , » (. 1, « » 3314 14 1974 .). , «», , , , , . , , - , . . , , . , , .
104

Forum_1.indd 104 Forum_1.indd 104

22.10.2014 13:40:23 22.10.2014 13:40:23


, : a) « , , »; b) . . . , « - » , . -, jus ad bellum ( ) jus in bello ( ), , , . . (. 51) : . , , « ». « » . . -- ? , ? « » «» . « », , , . , «» . , , ?
105

Forum_1.indd 105 Forum_1.indd 105

22.10.2014 13:40:23 22.10.2014 13:40:23


«» . , , ? ? , - , . , -- . , . -- . . , , . , , . , . . . , - . . , .

106

Forum_1.indd 106 Forum_1.indd 106

22.10.2014 13:40:23 22.10.2014 13:40:23


N.V.Sokolova
Ministry of Foreign Affairs of the Russian Federation

On international legal aspects of the use of information and communication technologies: the experience of the UN Group of Governmental Experts on international information security
Ladies and gentlemen, colleagues! I would like to thank the organizers of this meeting for the opportunity to discuss among experts such relevant and crucial problematics as international legal aspects of the use of information and communication technologies (ICT). Frankly speaking, for politicians and diplomats this topic is largely a «terra incognita». ICTs, as nuclear technologies half a century earlier, opened a new era in the history of mankind. Now we must determine at international level the rules for «the game» in the information space -- what with regard to nuclear sphere has not been done in time. As you know, it resulted in an arms race, limitation of which required tremendous efforts of international community. The results of today's debate will determine whether «the game» in the information space will be honest. The relevance of this conversation cannot be overemphasized. If before now the threats in the information sphere seemed though frightening, but a distant perspective, now it is obvious that the time of «preamble» has passed. It is time to move on to concrete solutions. General recognition of this fact can be illustrated by the fact that International information security (IIS) has become a fullfledged, influential track in the UN, along with disarmament and other «classical» topics. Last year, the UN General Assembly resolution on the establishment of a new Group of Governmental Experts (GGE) on IIS was supported by an unprecedented number of countries (more than 40). Despite the budgetary challenges the UN is currently facing, not only did the funding in this area not suffer, but it had been increased: GGE will be holding four (instead of three, as it was before) extended meetings. The first of these will take place in July in New York. Let me take advantage of our meeting in Garmisch, this unique opportunity to directly address the experts, and to describe the «areas
107

Forum_1.indd 107 Forum_1.indd 107

22.10.2014 13:40:23 22.10.2014 13:40:23


of concern» that we'll have to tackle in the GGE. Primarily, these are questions of international legal regulation of the information sphere. As it turned out, it is easy to get lost on this road. As with our conversation, that until now has been focused entirely on the discussion of «The Tallinn Manual on the International Law Applicable to Cyber Warfare». You can get an impression that this is the only work in progress in this field, and it has no alternatives. The very definition of the problem leads to fundamental disagreement -- the report is based on the thesis, that conflicts with the use of ICTs are inevitable, and it is impossible to prevent them. All subsequent analysis is built on the basis of these assumptions. In this regard the question arises: then what is the point in generally expensive international debate, if we acknowledge in advance our own powerlessness and inability to prevent war in the information space? On the other hand, isn't this experts' report drawing too much attention, when even the authors evaluate the findings as outdated? Regarding the question of international law regulating the use of ICT we start far «from scratch» and not «from Tallinn». While some countries enthusiastically developed «rules of war» in the information space, Russia came forward with rules to prevent it. In 2011, together with SCO partners, we circulated a draft «Guidelines in the sphere of IIS». At its heart lies the idea of prevention of conflicts with the use of ICTs, as opposed to their legalization. «Guidelines» in their spirit are the «gentlemen's agreement» between countries that are guided by common sense and not ideological guidelines and seek to ensure peace in the information space. We still receive responses from other nation-states. It is encouraging that interest to this document on political forums increases over time. Frankly, the «Guidelines» get critical acclaim as well, although no one managed to provide any specific justification why this document cannot become an international legal basis for regulating the behavior of states in the field of ICTs. It is often an impression that criticism is not so much related to the content, but to «allergy» to the initiative coming from SCO countries. Therefore, the silence of the expert community is surprising, as it seems to be so keen on «Tallinn manual» that it -- whether out of inertia, or intentionally -- ignores alternative initiatives. Even more disappointing are estimates in the spirit of «I did not
108

Forum_1.indd 108 Forum_1.indd 108

22.10.2014 13:40:23 22.10.2014 13:40:23


read, but condemn nonetheless». Although real and scientifically substantiated comments of experts in particular could help refine the «Rules of Conduct» in a constructive way. Now let's move to positive things. We have been able to reach agreement on a lot of things at the highest international level. Last year in June, the previous UN GGE has finished its work. Sharp debates were held until the last moment. But they showed that in the face of the common threats consensus is possible even if there is a disagreement between parties on specific issues. As a result, the report was adopted, and definitively confirmed that all countries are interested in ICT development for peaceful purposes, and in prevention of conflicts caused by their use. By general opinion of GGE experts, preventing confrontation caused by ICT use should be a «starting point» for our conversation in the future. This is especially important today, when questions of war and peace in the information space are actually put on the agenda. The document reflects another important point. We managed to reach a legal compromise on basic approach to international legal aspects of ICT use. This compromise is reflected in a balanced formula: international law is generally applicable to the information space, but it is necessary to develop new rules that would reflect its specific features. This approach is not a diplomatic casuistry. It is dictated by considerations of common sense. The first part of this compromise captures the fact that information space is not a space of chaos, «jungle», where no generally accepted international principles and norms exist. It is unlikely that anyone would deny that in the use of ICTs the nation-states must comply with the provisions of the UN Charter. For example, the report of GGE has a clear indication that one of the basic principles of modern international law -- the principle of respect for state sovereignty -- extends to the sphere of ICT use by nation-states, in particular to jurisdiction of nationstates over ICT infrastructure in their territory. However, this compromise has another side. It implies the development of new norms of international law, which take into account the specific features of ICTs. And there is a logical explanation to this as well: information space, as a new sphere of human activity, cannot be «automatically» governed by the rules that were created for completely different technological conditions. In the past development of maritime and space law went along a similar path.
109

Forum_1.indd 109 Forum_1.indd 109

22.10.2014 13:40:23 22.10.2014 13:40:23


At this stage, there stand out two main directions of development of the international legal framework -- adaptation (in cases where it is possible and appropriate) of a number of existing standards and development of the new ones. It is necessary to close international legal «deficiencies» in this area. Firstly, it is the problem of relevant terminology. Such basic concepts of international law as «armed attack», «aggression», «neutrality» and others can get a completely different legal content with regard to information space. For example, we may need an extended interpretation of the «act of aggression», which is defined in the UN documents as «the use of armed force by a State against the sovereignty, territorial integrity or political independence of another State» (Article 1, of the «Definition of Aggression», UN General Assembly Resolution 3314 of 14 December, 1974). The list of actions that fall under the definition of «aggression» includes armed forces invasion of the other state's territory, occupation, territorial annexation, bombing, blockade of sea ports, etc. Clearly, this list, compiled in completely different militarypolitical and technological realities over thirty years ago, is not exhaustive. The resolution provides for its extension. It seems that the list could be extended by inclusion of misuse of ICTs, including cyberattacks on critical infrastructure. In this context specific language will, of course, require a detailed study. It is noteworthy that current definition of aggression includes the following: a) «the action of a State in allowing its territory... to be used by that other State for perpetrating an act of aggression against a third State»; b) employment of mercenaries for the use of armed force against another State. These provisions could also be adapted to the information space. And we already have experience in this field. The abovementioned report of the GGE expressly states that «States must not use proxies to commit internationally wrongful acts» with the use of ICT and should seek to prevent the use of their territory for illegal purposes. Secondly, there is a problem of conflict management in information space in terms of jus ad bellum (the right to use force) and jus in bello (international humanitarian law), including qualification of information warfare as a new type of weapon, and realization of the right to self-defense, including parameters of proportional response to the attack with the use of ICT, etc.
110

Forum_1.indd 110 Forum_1.indd 110

22.10.2014 13:40:23 22.10.2014 13:40:23


Let me provide a specific example. In accordance with the UN Charter (Article 51) the use of force is possible only in one case: the realization of the right to self-defense. This right is in turn given to the nation-state which suffered an «armed attack». International law does not provide a specific definition of an «armed attack». In accordance with established practice it is thought of as an attack by the use of traditional methods and means of warfare. In this regard, the question arises -- is it possible to classify ICTs as a weapon? And if so, what weapon category should they be referred to? In case of an «armed attack», the state has the right to «proportional» self-defense. So far we couldn't establish exact parameters of «proportional response» even regarding traditional methods of warfare, although there have been attempts to do so over the course of the last fifty years. Obviously, it will be even harder to determine «proportionality» of self-defense in relation to the use of ICTs. On the other hand, if ICTs are considered to be dual-use technologies, can these restrictions be extended to them under corresponding regulations? Special attention must be given to interpretation of the concept of «neutrality» in relation to information space. For example, can nation-state be considered neutral if cyber attacks on another nationstate are conducted through its territory? Or if such strikes are launched by non-state actors in the interests of a third country? There is also an issue of international legal responsibility for misuse of ICT by nation-states, and forms of allocation and consolidation of this responsibility. How will be settled the disputes involving the use of ICTs, what should be the role of the UN mechanisms and in what direction should they be developed -- this is an incomplete list of new related questions. As mentioned above, the first meeting of the new UN GGE will be held in July. At the initiative of Russia, its mandate focuses on two themes -- the use of ICT in conflicts and the applicability of the International law to information space. We expect the discussions under this GGE to draw specific conclusions on these issues. In this sense, such meetings of experts, as we have today, at the eve of the new session of the GGE, could make a significant practical contribution to its work. Back on issue of terminology, we would like to draw attention to experiences of the OSCE, where currently there are held discussions of the glossary on IIS proposed by Russia. This glossary has been developed on the basis of currently existing agreements on international information security, to which Russia is a party.
111

Forum_1.indd 111 Forum_1.indd 111

22.10.2014 13:40:24 22.10.2014 13:40:24


In terms of international information security discussions, the Forum in Garmisch has earned high international standing and represents a number of national views on these issues. Expertise of this platform could have particular application in the political arena. For example, an informal working group on elaboration of international-legal terminology in the sphere of ICT could be created as a part of the Forum. This group could systematize existing concepts and determine the directions of their possible adaptation. Results of this work could be taken into account during discussion within relevant international forums, including the United Nations.

112

Forum_1.indd 112 Forum_1.indd 112

22.10.2014 13:40:24 22.10.2014 13:40:24





, «»

I.
1.

. , . , , -: , , , , . , , « » (DDoS) . , , , . , , , . , . , - , . - , . , , «» . 1991 , 1999 2003 , . 113

Forum_1.indd 113 Forum_1.indd 113

22.10.2014 13:40:24 22.10.2014 13:40:24


: , , -- , . , , , . 2007 Stuxnet 2010 . « ». . Stuxnet , , , . Stuxnet .
2.

- . - . , . : , , , ; , , . 1993 Rand Corporation « !» 2010 III, « », « , , ». «» , , 11 , , . « ». 2011 « -
114

Forum_1.indd 114 Forum_1.indd 114

22.10.2014 13:40:24 22.10.2014 13:40:24


». , , «» . «», , , , . , , -- , . , , , , , . , , , , , . , , , , , : . II. , «» , , , , .
1.

, : , . : -- , -- , -- , -- , -- -- . , , . , , 115

Forum_1.indd 115 Forum_1.indd 115

22.10.2014 13:40:24 22.10.2014 13:40:24


. - . , , . , , : - ; , , , , ; , , , , . , , . / , . .
2.

, , . -- . , -. , : , . , , , . , , , , : , , , 116

Forum_1.indd 116 Forum_1.indd 116

22.10.2014 13:40:24 22.10.2014 13:40:24


, , . , , . , , . , , . , , . , , , . . , « ».

117

Forum_1.indd 117 Forum_1.indd 117

22.10.2014 13:40:24 22.10.2014 13:40:24


Xu Longdi
China Institute of International Studies

Factors Influencing the Definition of `Cyber Warfare'

I. The diverse nature of online activity and the contested existence of cyber warfare
1. The diverse nature of online activity

There is a huge amount of variety among the type and nature of online activities, and also differences among people's understanding of cyber activity, -threats and -security. For example, some people believe online threats can be divided into four levels: cyber intrusion, organized crime, ideological and political extremism, and cyber invasion originating from countries. Others believe cyber attacks include hacking, distributed denial of service (DDoS), and Trojan malware. Still others believe cyber attacks include cyber terrorism, cyber warfare, cybercrime, and cyber espionage. Among these, although terrorist organizations do have an online presence, true cyber terrorism is still extremely rare, while true cyber warfare is also yet to take place. In contrast, cybercrime and -espionage are the most pressing problems. In brief, because of the complex and ever-changing nature of online activity, and the wide range of cyber threats, it is imperative to formulate rules to tackle these threats and safeguard cyber security. Cyber warfare is the extreme form of online threats and cyber attacks, and is receiving an increasing amount of attention. In fact, since the inception of the Internet, internationally, there has been constant debate about cyber warfare, with different countries contesting the `dominance' over the net. In the 1991 Gulf War, 1999 Kosovo War and 2003 Iraq War, cyber tools came into their own. In recent years, many countries have taken various measures, unveiled rafts of cyber policy, formulated cyber strategy, set up cyber commands and strengthened the building of cyber forces as if cyber warfare were about to break out at any time. Some of the cyber attacks that have taken place in recent years seem to have provided further evidence of the arrival of cyber warfare. The 2007 attack on Estonia and the 2010 Stuxnet virus are seen as the newest cases of cyber warfare. The former was de118

Forum_1.indd 118 Forum_1.indd 118

22.10.2014 13:40:24 22.10.2014 13:40:24


scribed by the Estonia's defence minister as the "unnoticed Third World War". Western cyber warfare specialists also called it the first cyber war in its true sense. The Stuxnet virus did not disable Iran's nuclear facilities, but it did cause approximately twenty per cent of Iran's centrifuges to be scrapped and caused huge delays to Iran's nuclear plans. The appearance of the Stuxnet virus signified the inception of yet another type of cyber weapon and a new phase of cyber warfare.
2. The contested existence of cyber warfare

People have different ways of defining and understanding warfare. Similarly, there are also different understandings of cyber warfare. On the whole, at present there is still no consensus as to the existence of cyber warfare, with opinion generally divided into two camps: one group maintains that cyber warfare exists and, indeed, has already occurred; the other school of thought contends that cyber warfare does not exist and will not occur. As early as 1993, John Arquilla and David Ronfeldt of the Rand Corporation claimed `Cyber warfare is coming!' In 2010, US Deputy Secretary of Defense, William Lynn III, wrote "although cyberspace is a man-made domain", in terms of military action, it has become "as important as land, sea and air". The White House's former cyber `czar', Richard Clarke, believes the threat posed by cyber warfare dwarfs that posed by terrorist attacks such as 9/11 and has called for the adoption of a raft of measures "to begin to prevent the catastrophe of cyber warfare". In February 2011 then-Director of the CIA, Leon Panetta, also warned "the next Pearl Harbour may well be a cyber attack". Of course, some believe this is a kind of `cyber paranoia' and an overreaction to cyber attacks. In contrast to this `cyber paranoia', Thomas Rid at King's College London believes that although there have been numerous cyber attacks, there has not yet been a cyber war. There has not been one at present and neither is it possible that one will occur in future. This is because one form of aggressive action must satisfy a number of conditions before it constitutes an act of war. According to Carl von Clausewitz's definition, war must be violent, instrumental and political or, that is to say, any act of war must be potentially fatal, instrumental and political. However, among cyber attacks that have already taken place, regardless of the scale, none have satisfied these conditions and thus cannot be said to constitute an act of war. In contrast, all past and present
119

Forum_1.indd 119 Forum_1.indd 119

22.10.2014 13:40:24 22.10.2014 13:40:24


political cyber attacks can be attributed to three relatively complex forms of activity, which are as old as warfare itself: subversion, espionage and sabotage. II. Factors influencing the definition of `cyber warfare' Faced with a lack of consensus on the concept of cyber warfare, it is beneficial for an accurate definition and understanding of the issue by clarifying the parameters of the term, including attackers and targets, and objectives and consequences.
1. Attackers and targets

Put simply, attackers can be divided into three levels of actors: individuals, groups and states. These can be configured in six pairs as: individual-individual, individual-group, individual-state, groupgroup, group-state and state-state. In terms of these configurations, it is only the state-state attacks that can be described as acts of war, whereas it would be very hard to describe attacks among the other five pairs in this way. Of course, if an individual or group is authorised or instructed by a state, this could also constitute an act of war. However, because of the unique nature of cyberspace per se, it is difficult to trace the origins of an attack. Therefore, it is very hard to identify the attacker, and to infer whether cyber warfare does actually exist. In terms of attackers' targets, these often include: computer operating systems and soft- and hardware; soft resources and computer information such as personal information, corporate secrets and intellectual property; and critical infrastructures such as banking system, airlines, communications, dams and power stations. These targets may be individual, group or state assets, of different levels and of different value. Therefore, it is very difficult to determine the existence of cyber warfare from just one factor/criterion. This is also a Gordian knot in defining cyber warfare from the perspective of attacker or target. 2. Objectives and consequences of cyber attacks Just as with the different types of cyber activity, there is a huge variety of objectives of cyber attacks. Some attacks are purely borne out of the attackers' interest and curiosity, or to demonstrate their computer talents and abilities -- the majority of early `hacking' falls into this category. Some attacks are to gather corporate secrets, gain economic advantage or perpetrate online fraud. Some
120

Forum_1.indd 120 Forum_1.indd 120

22.10.2014 13:40:24 22.10.2014 13:40:24


are for sabotage, including: corrupting or deleting information from a target computer, corrupting or paralyzing the target computer's software and operating system or corrupting the computer's hardware or information infrastructure. Of course, some cyber attacks are also intended to launch cyber warfare, in both its limited and unlimited forms. Related to this, attacks with different objectives will also bring about different consequences, including: loss of personal and commercial information, theft of intellectual property rights, sabotage of computer hard- and software, corruption of computer's operating system, destruction of key information infrastructure or even human casualties. Apart from the latter, i.e. human casualties, all of these other consequences have occurred, but it is very difficult to see them as constituting cyber warfare. Even if attacks result in casualties, these still have to be differentiated according to whether they were caused directly or indirectly. These factors all influence the decision as to whether cyber warfare has already taken place or whether it even exists. Simply put, when analysing and evaluating the nature of cyber incidents, one must take an overview of the above-mentioned factors in a comprehensive manner. One must make an objective analysis of the specific situation, including the originator and victim of the attack, and the objectives, as well as possible consequences. We should not exaggerate or overlook facts, and should avoid oversimplifying cyber warfare by lumping all cyber attacks together under the rubric of `acts of war'.

121

Forum_1.indd 121 Forum_1.indd 121

22.10.2014 13:40:24 22.10.2014 13:40:24


..
..



«». [1]: « » [2]. [5]. «». [4] [5]. , : « \ / , () , () », : « , , ». « ()» [6], , , « » [6]. , , . [7], « » U.S. News & World Report [8]. , « 122

Forum_1.indd 122 Forum_1.indd 122

22.10.2014 13:40:25 22.10.2014 13:40:25


-- » [9], . , « -- , , , . , , « », , . , , » [9]. , [10] , [6], . , -- , . Jus ad Bellum , , , [6, 11]. , ? . -, , , . [12] [13], , , « ». « . -- . . » [14]. , - ,
123

Forum_1.indd 123 Forum_1.indd 123

22.10.2014 13:40:25 22.10.2014 13:40:25


Stuxnet [15] DDOS- 2007 . , . . , () , . (security) , (safety). - , . , , , . , -, \. Stuxnet , [16]. DDOS-, [17] . , , . . , « » , , , . , , , , , . « 124

Forum_1.indd 124 Forum_1.indd 124

22.10.2014 13:40:25 22.10.2014 13:40:25


» [6] , : · « ; · , , ; · » [6]. , (), , . . « ( ) , « » » [6]. , , , : · (); · ; · ( ) ; · (, , ) , . , , .
125

Forum_1.indd 125 Forum_1.indd 125

22.10.2014 13:40:25 22.10.2014 13:40:25


Jus in Bello -- , . , « , , , , » [6]. , [6], , , : · , ; · , ; · , , , , , ; · , ; · ; · . , . Web-, . - -- World Wide Web
126

Forum_1.indd 126 Forum_1.indd 126

22.10.2014 13:40:25 22.10.2014 13:40:25


(WWW). Web . , Web- , , , . Web- , , , .
1

. ICANN ( ) , . , : «» : · AERO -- ; · EDU -- ; · MUSEUM -- ; «» -- : MED -- ( ); MEDICAL -- ; HOSPITAL -- . , , . , .
2

, , DNS.
127

Forum_1.indd 127 Forum_1.indd 127

22.10.2014 13:40:25 22.10.2014 13:40:25


A

Address

1

IP- - . IPv6

DNS DNS IP- SMTP, DNS- IPV4 ? Jabber, Active Directory

RFC RFC 1035 RFC 1035 RFC 1035 RFC 1035 RFC 1035 RFC 1035 RFC 1035 RFC 3596 RFC 1876 RFC 2782

NS CNAME

Authoritative name server Canonical name Start of authority Domain name pointer Mail Exchanger Text string IPv6 Location information Server selection

2 5

SOA PTR

6 12

MX TXT AAAA LOC SRV

15 16 28 29 33

, TXT , LOC , SRV (, , ). DNS ICANN, , , .
3

( RFC), , . , 128

Forum_1.indd 128 Forum_1.indd 128

22.10.2014 13:40:25 22.10.2014 13:40:25


, . 1 2.
IP- ,

IP- ( , «» ) DNS ( PTR), IP . , , , , , , . IP- , . IP- ( ). IP- , , . IP- , , whois (RFC 3912), () IP-. , IP- , , , -, IP- .
IP- ,

, , IP- , .
129

Forum_1.indd 129 Forum_1.indd 129

22.10.2014 13:40:25 22.10.2014 13:40:25


(UDP, RFC 768) . UDP, - () IP- , (, - -) IP- , , . , ( DNS, whois ) .
,

Web- , , , LOC DNS whois (RFC 3912), () IP- IP-. , , , , IP- ( ), (, ) , , . , . , , IPv4, IPv6 .
130

Forum_1.indd 130 Forum_1.indd 130

22.10.2014 13:40:25 22.10.2014 13:40:25


- , , ( , ) .
,

, , : · ; · , ; · . : · ; · ( ) ; · (, , ) , .


( ) , , (\), (). ,
131

Forum_1.indd 131 Forum_1.indd 131

22.10.2014 13:40:26 22.10.2014 13:40:26


.


RFC (Request for Comments) . , DOS DDOS , ( DOS-), ( DOS-) RFC2267 RFC-2827. , , , , , .
1. -- -- . http://www.politik.org.ua/vid/publcontent.php3?y=7&p=57 2. . http://ru.wikipedia.org/ 3. Clarke, Richard A. Cyber War, HarperCollins (2010) 4. : . .., .. . .. 2013. http://iisi.msu.ru/articles/article31/ 5. The Russia ­ U.S. Bilateral on Cybersecurity ­ Critical Terminology Foundations, Issue 2 6. .. « » . .. 2014. http://iisi.msu.ru/articles/ 7. « ». . Geneva 2011. ( ., . .) 8. « » U.S. News & World Report. http:// www.3dnews.ru/632012/ 9. «An International Cyberwar Treaty Is the Only Way to Stem the Threat» by Bruce Scheider, Security Technologist and Author June, 2012 http://www.usnews.com/debate-club/should-there-be-an-international-

132

Forum_1.indd 132 Forum_1.indd 132

22.10.2014 13:40:26 22.10.2014 13:40:26


treaty-on-cyberwarfare/an-international-cyberwar-treaty-is-the-onlyway-to-stem-the-threat 10. The Tallinn Manual on the International Law Applicable to Cyber Warfare. General editor Michael N. Schmitt. Cambbridge University Press 2013. http://issuu.com/nato_ccd_coe/docs/ tallinnmanual?e=5903855/1802381 11. Cyber-Weapons, Thomas Rid, Peter McBurney. The RUSI Journal olume 157, Issue 1, pp 6-13, 2012. 12. : 45% 2013 , 16 , 2013. http://www.securitylab.ru/news/448558.php 13. . . , . . « », 4, 2003. 14. ? ... http://lukatsky.blogspot. ru/2012/04/blog-post_18.html 15. W32.Stuxnet Dossier. Nicolas Falliere, LoamO Murchu, Eric Chien. Symatiec Security Response. Version 1.4 (February 2011)/ 16. : -- (Intel Live 2011 ) 01.12.2011 http://www.xakep.ru/57907/

k

133

Forum_1.indd 133 Forum_1.indd 133

22.10.2014 13:40:26 22.10.2014 13:40:26


P.L.Pilyugin
Institute of Information Security Issues MSU

Challenges of creating the technical control means for observance of future international law norms for cyberspace
There are different definitions of «cyberwar» concept. This concept is often linked solely to the Internet [1]: «computer confrontation on the Internet» [2]. More general understanding of this concept extends it to all computer networks [5]. Also there is no unambiguous definition of «cyber weapons» concept. However, Russian and American experts in the course of a bilateral project [4] arrived at a common understanding of a number of terms [5]. In particular, there has been developed a definition of cyber conflict as «a tense situation between or among nationstates or organized groups where unwelcome cyber attacks result in retaliation», and refers to cyber war as «an escalated state of cyber conflict between or among states in which cyber attacks are carried out by state actors against cyber infrastructure as part of a military campaign». Yet more general understanding of cyber threats is as «malicious use of information and communication technologies (ICTs)» [6], which includes both cybercrime and cyberterrorism, and in relation to military action ICTs can be considered as «implicit weapons» [6]. Along with development of conceptual apparatus and realization of possible consequences of cyberattacks, consideration was given to the issue of regulation of relations in cyberspace, both nationally and internationally. The scientific community stood out for the need for such regulation [7], while a number of political analysts in the «Discussion Club» of US News & World Report [8] have expressed the opposite views of international treaties. Lately, however, the notion that «an international treaty banning cyberwar is the only way to cope with this threat» [9], is becoming increasingly important. You can also agree with the author of the following quote, that while «the total prohibition of cyber weapons is certainly a good goal, it is almost certainly unattainable. More likely are agreements which: oblige the parties to refrain from first use of such weapons; ban cyber weapons with «broad-spectrum attack»; and to have only such weapons, that will self-destruct at the end
134

Forum_1.indd 134 Forum_1.indd 134

22.10.2014 13:40:26 22.10.2014 13:40:26


of hostilities. The next phase could include agreements restricting tactics and defining limits of weapon stockpiles» [9] It seems that the first real step in this direction should be not a manual [10] for cyberwarfare, but adaptation of modern international law to the realities [6], which can be further developed into a separate branch of law. The only question is whether there are technical possibilities -- cyber means -- which will allow adequate understanding of what is happening in cyberspace for the application of the relevant legal standards. Focal areas of Jus ad Bellum adaptation International law provides for the exercise of the right to defense, the use of the armed forces by nation-states to repel aggression or thwart threats to peace. At that it is assumed that the resulting or expected damage must not be negligible [6,11]. But how to recognize a threat to peace or aggression in cyberspace, and to estimate damage, how to determine the real source of a threat? There are three major problems. Firstly, although a similar problem of potential damage and threat assessment is considered by methods of information security risks analysis, these results have more methodological rather than practical significance. Despite reports on a large number of computer attacks [12] and the existence of different methods of identifying hazards and evaluating potential losses [13], according to many experts, to a large extent all of this is a «fear commerce». «There are more than five methods for estimating the probability. There are more than three dozens methods of damage assessment. There are no less than fifty risk assessment methods. And the result still satisfies no one» [14] This is due to the fact that there has been a relatively small number of actual cyberincidents with any significant damage. And considering the subject matter one usually only remembers Stuxnet [15] or DDOS-attack on the information system of the Estonian government in 2007. In fact, we can only have expertise rather than a realistic assessment of the likelihood of a particular attack -- and this is also true with regard to expected damage. The second problem relates to identification of the true cause of the actual damage. The fact is that any software (SW) contains errors, the consequences of which could be catastrophic. That is why software development technology considers, along with information security, the problems of reliability, stability and safety. There are enough examples of real disasters with a large number
135

Forum_1.indd 135 Forum_1.indd 135

22.10.2014 13:40:26 22.10.2014 13:40:26


of casualties or huge economic losses caused by software errors, the source of which were design flaws or mistakes in programing rather than cyberweapons or backdoors. In the analysis of incidents all this requires a careful study of software code and in absence of human-readable source code, the complexity of this problem is comparable to creation of similar software. And finally, thirdly, it is necessary to identify the source of threat\aggression. In the above-mentioned cyberattacks, the alleged involvement of the United States and Israel in creation of Stuxnet code has not been proved, and in case of Estonia the real author of the attacks was not Russia. [16] Sometimes it is possible to detect the source of network DDOS-attacks, which are constantly conducted on the network [17] and as of now are not considered a serious threat. Typically, they are conducted by hacker groups and not cybertroops of nation-states. And targeted attacks are much more complicated. The fact is that all of the existing «intrusion detection» systems actually only detect characteristics of an action, similar to intrusion or changes in the system, and the analysis of the actions, changes in the system and the machine code is performed by specialists. Furthermore, when the intrusion is detected significantly late, there remains no log data, and to determine the source it becomes necessary to analyze the machine code of embedded programs -- and creators of such programs rarely leave autographs. However, the adaptation of existing international law necessitates such «attribution of the facts of the wrongful use of force or armed attack by malicious use of ICT» [6] that there is: · «confidence of the parties in dispute in the credibility of the evidence provided by technical means of detection of international agreements violations; · monitoring of all events that make up legal facts that invoke the right of individual or collective self-defense; · objectivity of the information provided by technical means of monitoring and possibility of its submission as proof to the International Court in consideration of related disputes»[6]. As is evident from the abovementioned issues associated with the recognition of the threat (aggression), determination of its cause and source, it will be impossible to attribute the evidence of the wrongful use of force or armed attack by malicious use of ICT only by technical means. For each such incident it will be necessary to conduct an investigation and secure the obtained evidence. In this sense precisely it is possible to «create a unified system (perhaps on
136

Forum_1.indd 136 Forum_1.indd 136

22.10.2014 13:40:26 22.10.2014 13:40:26


the basis of the relevant national and regional systems) for registration of the facts of the threat or use of force, as well as an "armed attack" by means of malicious use of ICT». [6] However, besides the framework for such investigations by authorized personnel, it is necessary to provide uniform requirements for software that will be examined: · software must be installed (purchased) officially; · software must be signed by a trusted developer certificate; · the developer should store (or hand over) the source code of the installed software for further analysis; · all software changes (improvements, modifications, bug fixes) must be signed, and their source code -- stored. Such software requirements can be considered a certification of software that should be installed at information infrastructure nodes that can be targets of aggression and must be protected, in particular within international law. Focal areas of Jus in Bello adaptation The Law of armed conflict is a historically developed legal framework of international law governing the conduct of belligerents in times of armed conflict. From the standpoint of rules of law adaptation to cyberspace it is important to note that «the major portion of the provisions enshrined in the sources of international humanitarian law, is either invariant to the type of weapon used in the course of hostilities, or focused on the restriction of the use of specific types of weapons»[6]. Considering the priorities of international humanitarian law adaptation, provided in [6], we can identify the tasks that require the establishment of appropriate technical solutions that provide: · a special procedure of digital identification of information systems and telecommunications networks, protected by international humanitarian law; · maintenance of registers and records, prescribed by the rules of international humanitarian law; · the prohibition of military malicious use of ICTs against persons and objects protected under international humanitarian law, as well as critical objects of global, regional and national infrastructures, the failure of which could lead to unnecessary loss of human life, as well as significant environmental backlash; · protection of neutrality of the states not participating in the hostilities;
137

Forum_1.indd 137 Forum_1.indd 137

22.10.2014 13:40:26 22.10.2014 13:40:26


· ·

the prohibition of certain types of malicious use of ICTs; a special software and hardware certification system in compliance with requirements of countering the malicious use of ICTs. Let's review some of the technical and organizational solutions that can be offered to meet these challenges. The introduction of domain extension and the creation of registries of Web-resources protected under international humanitarian law. Speaking of cyberattacks, one very often implies attacks on websites of the World Wide Web (WWW). Today many experts consider the protection of Web-resources a basic trend of information security. In order to easily identify the Web-resources of registers and archives, persons and objects protected under international humanitarian law, it is possible to introduce a separate domain extension. Web-resources of global, regional and national critical infrastructures, the failure of which may result in unnecessary loss of human life, as well as a significant negative environmental backlash, can be considered separately.
Method 1

For different types of objects one can introduce different domain extensions. To introduce these domain extensions one should contact ICANN and entrust it (or a body under the jurisdiction of the UN) the function of keeping the register of organizations that applied for registration in these domains. Such specialized domain extensions exist today, for example: The "old" top-level general use domains: · AERO -- the domain for the aviation industry; · EDU -- the domain for educational institutions in the USA; · MUSEUM -- for museums; "New" -- after the opening of consolidated top-level domains registration: · MED -- domain for medicine (people and organizations); · MEDICAL -- the same; · HOSPITAL -- for hospitals; · and others. Registration in this domain extension should be carried out only upon the presentation of documents, confirming the status of organizations that are protected under international humanitarian law. In this case, getting a new domain name in this extension does not negate the old domain name, as one website can have multiple domain names.
138

Forum_1.indd 138 Forum_1.indd 138

22.10.2014 13:40:26 22.10.2014 13:40:26


Method 2

For the identification of domain names of organizations that are protected by international humanitarian law, you can enter additional records in DNS database.
Code 1

Type A

Long form Address

Description Consistence between the name and the IP-address Address of the server domain zone Aliases -- singlelevel forwarding Credibility indication Forwarding framework Mail gateway for the domain Acceptance of random data IPv6 address format Geographical location Servers reference for services

Usage

RFC

one of the most RFC 1035 commonly used entry DNS widely used DNS widely used for IP-addresses important for SMTP DNS-tunnels `A' value for IPV4 ? Jabber, Active Directory RFC 1035 RFC 1035 RFC 1035 RFC 1035

NS CNAME SOA PTR

Authoritative name server Canonical name Start of authority Domain name pointer Mail Exchanger Text string for IPv6 Location information Server selection

2 5 6 12

MX TXT AAAA LOC SRV

15 16 28 29 33

RFC 1035 RFC 1035 RFC 3596 RFC 1876 RFC 2782

The TXT record in particular allows you to add arbitrary data to the description of the domain, LOC record can be used to identify neutral parties, and SRV record describes the existence of a specific service (e.g., identification service, of which more will be said below). Adding records to the DNS database for identification can be carried out by the relevant Registrar without participation of ICANN, but only upon presentation of the document, confirming the status of organizations protected by international humanitarian law.
Method 3

Adding to the root directory of each website a file with a special name (first name and file structure can be described in the relevant RFC) containing information on the status of the organization,
139

Forum_1.indd 139 Forum_1.indd 139

22.10.2014 13:40:26 22.10.2014 13:40:26


which is protected by international humanitarian law. Although this method is the easiest, in this case it will be difficult to confirm the status of organizations that are protected by international humanitarian law. It would be better to combine this method with the above described method 1 or method 2. Creation of registers of Internet nodes (their IP-addresses), protected by international humanitarian law. A domain name can be identified (and hence "recognized") by its IP-address and DNS database (PTR record), but in general IPs may not have the corresponding domain name. For example, networks of international humanitarian organizations, servers and network of medical institutions, networks of global, regional and national critical infrastructures, the destruction of which may lead to unnecessary loss of human life, as well as a significant negative environmental backlash, can be connected to the Internet as nodes. All IP-addresses of nodes of such organizations can be added to the register of organizations that are protected by international humanitarian law. Creation of registers could be entrusted to registrars of IP-addresses (or other agency under the jurisdiction of the United Nations). Registration in this register of IP-addresses should only be done upon presentation of documents confirming the status of organizations that are protected by international humanitarian law. It is possible to provide information whether IP-address belongs to the register of organizations that are protected by international humanitarian law, through Whois service (RFC 3912), using the public access to the database servers (DB) of IP-addresses registrars. Unfortunately, information about the real owners of IP-addresses may be inaccurate, since, as a rule, addresses are allocated to Internet service providers, and information about IP-addresses distributed by them may be unavailable. Introduction of polling standard for IP-addresses of Internet nodes, protected by international humanitarian law. For identification of websites on the Internet, protected by international humanitarian law, it is possible to develop a polling protocol to determine if they are included in the registry of IP-addresses of organizations that are protected by international humanitarian law. The simplest case of polling implementation can use User Datagram Protocol (UDP, RFC 768) and reserve a fixed port number. Using UDP, computer applications can send a service request message (datagram) specifying the reserved port number to other websites on the Internet at specific IP-address.
140

Forum_1.indd 140 Forum_1.indd 140

22.10.2014 13:40:26 22.10.2014 13:40:26


Protected node should then either return a registration number (possibly signed by electronic signature certificate of appropriate trusted registrar center) in the registry of IP-addresses of organizations that are protected by international humanitarian law, or ignore the request. It is important to note that the proposed approach may be the only functional way in the event of network integrity violation (no access to DNS, whois service, or other registers) as a result of a conflict. Protection of neutrality of the states not participating in the hostilities. For identification of Web-resources of the States not participating in hostilities, it is sufficient to use the national domain of the country, LOC record in the DNS database or Whois service (RFC 3912), that has access to public database servers (DB) of IP-addresses registrars and domain names registrars, and provides information about the owner of a domain name or IP-address. Unfortunately, the information stored in these databases may be incomplete or may not correspond to reality, since the domain name registrars do not carry out verification of the information provided by the owners of the domain name, and information about IP-addresses in this case may be more accurate (but not necessarily complete), because national (local, regional) ISPs and their address pool tend to remain in the territory of the state. Objectives for organizational and legal support of technological tools As noted above, the implementation of the proposed methods of identification, protection against treachery (falsification of status of organizations that are protected under international humanitarian law) and incidents investigation must have an appropriate organizational and legal support.
Unified system of certification of information systems and telecommunications networks that are protected by international humanitarian law

To investigate incidents we need to introduce a system of certification of information systems and telecommunications networks that are protected by international humanitarian law. This system should consider: · availability of a baseline information security tools; · maintaining means of information recording sufficient for incidents analysis; · use of officially purchased certified software.
141

Forum_1.indd 141 Forum_1.indd 141

22.10.2014 13:40:27 22.10.2014 13:40:27


Certified software must meet the following specifications: software must be signed by a trusted developer certificate; the developer should store (or hand over) the source code of the installed software for further analysis; · all software changes (improvements, modifications, bug fixes) must be signed, and their source code is stored.
· ·

Organizational and technical support for investigations of incidents

An international body (under the jurisdiction of the United Nations) should be created to perform audits of information provided in the registry, investigate incidents of malicious use of the ICTs and investigate occurrences of ITCs (software\hardware) intended for malicious use (cyberweapons). This body should have a high expert status, use appropriate equipment to carry out inspections and investigations, storage and provide access to their findings.
Standardization of technical requirements

Most of the abovementioned technical solutions in their implementation necessitate supplement of existing or development of new RFC documents (Request for Comments) and their introduction into general use. For example, at the moment we can significantly reduce the risk of DoS and DDoS attacks if we make it obligatory for providers to filter not only incoming (protection of resources from DoS-attacks), but also outbound traffic (neutralizing sources of DOS-attacks) in compliance with RFC2267 and RFC-2827. In conclusion, it should be noted that the abovementioned suggestions not only differ in complexity of their implementation and require different expenses, but their effectiveness may vary considerably depending on the stage, severity and scope of cyberconflict. References
1. -- -- Konventsia o zapreshenii kibervoini (Convention on prohibition of cyberwar). http://www.politik.org.ua/vid/publcontent. php3?y=7&p=57 (in Russian) 2. Kibervoina (Cyberwar). http://ru.wikipedia.org/ (in Russian) 3. Clarke, Richard A. Cyber War, HarperCollins (2010) 4. : . .., .. . .. 2013. 5. The Russia­ U.S. Bilateral on Cybersecurity­ Critical Terminology Foundations, Issue 2 http://iisi.msu.ru/articles/article31/ 142

Forum_1.indd 142 Forum_1.indd 142

22.10.2014 13:40:27 22.10.2014 13:40:27


6. A.A.Streltsov «Osnovnie napravleniya progessivnogo razvitiya mezhdunarodnogo prava vooruzhennih konfliktov (Focal areas of progressive development of international law of armed conflict)» MSU, 2014. http://iisi.msu.ru/articles/ 7. «V poiskah kibermira (In search of cyberworld)». ITU and World Federation of Scientists. Geneva 2011. (in Russian) 8. «Diskussionniy klub (Discussion club)» U.S. News & World Report. http://www.3dnews.ru/632012/ (in Russian) 9. «An International Cyberwar Treaty Is the Only Way to Stem the Threat» by Bruce Scheider, Security Technologist and Author June, 2012 http://www.usnews.com/debate-club/should-there-be-an-internationaltreaty-on-cyberwarfare/an-international-cyberwar-treaty-is-the-onlyway-to-stem-the-threat 10. The Tallinn Manual on the International Law Applicable to Cyber Warfare. General editor Michael N. Schmitt. Cambbridge University Press 2013. http://issuu.com/nato_ccd_coe/docs/ tallinnmanual?e=5903855/1802381 11. Cyber-Weapons, Thomas Rid, Peter McBurney. The RUSI Journal volume 157, Issue 1, pp 6-13, 2012. 12. LK: 45% kiberugroz v 2013 godu ishodilo ot Rossii I SSHA (LK: 45% of cyberthreats in 2013 came from Russia and the USA), December 16, 2013. http://www.securitylab.ru/news/448558.php 13. Analiz instrumentalnikh sredstv otsenki riskov utechki informatsii v kompiuternoy seti predpriatiya (Analysis of instrumential tools of risk assessment of information leak in enterprise network) S.Loparev A.Shelupanov «Voprosi zashiti informatsii (Issues of information protection)», 4, 2003. 14. Kak schitat' riski? (How to calculate risks?) A.V.Lukatskiy http:// lukatsky.blogspot.ru/2012/04/blog-post_18.html 15. W32.Stuxnet Dossier. Nicolas Falliere, LoamO Murchu, Eric Chien. Symatiec Security Response. Version 1.4 (February 2011)/ 16. Schnaier: tineidgeri I peregovori -- nasche spasenie ot kibervoini (Schnaier: teenagers and negotiations -- our salvation from cyberwar) (Intel Live 2011 London) 01.12.2011 http://www.xakep.ru/57907/

k

143

Forum_1.indd 143 Forum_1.indd 143

22.10.2014 13:40:27 22.10.2014 13:40:27


1


?
, , . -- , -- . , , . , 1868 . -- - , , « », «, », « ». , , , , , , . , , .
1 , , .

144

Forum_1.indd 144 Forum_1.indd 144

22.10.2014 13:40:27 22.10.2014 13:40:27


, . , , . «» «», , , . , «», -- , -- . (). «» , , , 1 2. « ». - 2 3, 3 4.
2 1. ICRC `How is the Term "Armed Conflict" Defined in International Humanitarian Law?', Opinion paper, March 2008, available at http://www.icrc.org/ eng/assets/files/other/opinion-paper-armed-conflict.pdf 3 2 1. : " -- , , , , , , ". : http://www.mid.ru/BDOMP/spm_md.nsf/0/CA43ABC67EDADF8644257BE8001D9047 ( - 16 2014 .). 4 3 (`Department of Defense Dictionary of Military and Associated Terms, Joint Publication 1-02') ( 15 2014 .): " -

145

Forum_1.indd 145 Forum_1.indd 145

22.10.2014 13:40:27 22.10.2014 13:40:27


, , , , , , , , . - , . , , , . GPS , -- , - . , , , , . , . , , , . , , , . . -- , , ». http://www.dtic.mil/doctrine/new_ pubs/jp1_02.pdf (. 127). 2006 . (`Joint Publication 3-13, Information Operations') ( 2012 .) : " »: , , , , -- , , , ». http://www.globalsecurity.org/intell/ library/policy/dod/joint/jp3_13_2006.pdf (. GL­9).

146

Forum_1.indd 146 Forum_1.indd 146

22.10.2014 13:40:27 22.10.2014 13:40:27


2013 ., , « , , , , »5. 1 2011 . « » , 6.2 , , , , , , , , , 7.3 . , . . , , , , ( , , «
5 1 . , 24 2013 ., A/68/98, . 8, . 19. 6 2 : http://ens.mil.ru/science/publications/more. htm?id=10845074@cmsArticle. 7 3 : A/66/152, c. 8, ; . : http://foreignminister.gov.au/speeches/2013/jb_sp_131017.html. : A/68/156/Add.1, 4, . 2. : A/68/156/Add.1,. 18, . : http://cms.webbeat. net/ContentSuite/upload/cav/doc/advies_22_reg_reactie_EN.pdf, . 5. : A/59/116, . 3 A/65/154, . 7. : A/59/116/Add.1 .4, 5 A/66/152 21-22; . http://www.state.gov/s/l/releases/remarks/197924.htm. The European Union: E.U. Council Conclusions, General Affairs Council meeting, 25 June 2013, 12109/13, p. 4 para. 6 (available at http://register.consilium.europa.eu/ doc/srv?l=EN&f=ST%2012109%202013%20INIT).

147

Forum_1.indd 147 Forum_1.indd 147

22.10.2014 13:40:27 22.10.2014 13:40:27


»). , . , , , , 8. 1 , , 9,2 , , . , 103 , , , , , 11. 4 . 12.5 -: . , , , . ,
8 1 54 12 1949 ., ( I) 8 1977 . ( -- I) , , . I: . - -. , , , 2006. ( -- . .), 54 ( : http://www.icrc.org/customary-ihl/ eng/docs/v1_rul). 9 2 52 I 8, . . « , , , , , ». 10 3 56 (1 2) I. 11 4 56(3) I 42, . . 12 5 Cordula Droege, Get off my cloud: cyber warfare, international humanitarian law, and the protection of civilians in The International Review of the Red Cross, Volume 94, nb 886, summer 2012, pp. 533 -- 578 ( : http://www.icrc.org/eng/assets/files/ review/2012/irrc-886-droege.pdf)

148

Forum_1.indd 148 Forum_1.indd 148

22.10.2014 13:40:27 22.10.2014 13:40:27


. , , , , . , . -: , ? , , . -- , , -- , ? -- -- , . jus ad bellum . , jus ad bellum (jus in bello) . , , 1949 . 1977 .131 , , , , , . , , , , , . , , - 214.
13 1. ICRC `How is the Term "Armed Conflict" Defined in International Humanitarian Law?', 1 . 14 2ICRC, `International Humanitarian Law and the challenges of contemporary armed conflicts', 31st International Conference of the Red Cross and Red Crescent, Geneva, 28 November­1 December 2011, Report prepared by the ICRC, October

149

Forum_1.indd 149 Forum_1.indd 149

22.10.2014 13:40:28 22.10.2014 13:40:28


-: , , , , . , , , . , , , , , «». I 1977 . « , , » ( 49 (1)). , , , «» «, , , , , »15. 1 , , , : «2011, 31IC/11/5.1.2, p. 37, para. 4, : http://www.icrc.org/ eng/assets/files/red-cross-crescent-movement/31st-international-conference/31int-conference-ihl-challenges-report-11-5-1-2-en.pdf. 15 1Tallinn Manual, Rule 30, p. 106, : http://ccdcoe.org/ tallinn-manual.html. . , , . , , , . , , , , . , , , . jus in bello, , « ». , , , , . .: ICRC, `What limits does the law of war impose on cyber attacks? Questions and Answers', 28

150

Forum_1.indd 150 Forum_1.indd 150

22.10.2014 13:40:28 22.10.2014 13:40:28


» . , , , . , , , - 16. 1 , , , , . , , , , , , «» . : , , . , , , . « , »17.2 ; - , . , , . , June 2013, : http://www.icrc.org/eng/resources/documents/ faq/130628-cyber-warfare-q-and-a-eng.htm. 16 1ICRC, `Report on International Humanitarian Law and the challenges of contemporary armed conflicts', 13 , . 37, . 17 2 . , A/68/156, . 20, ( ).

151

Forum_1.indd 151 Forum_1.indd 151

22.10.2014 13:40:28 22.10.2014 13:40:28


, , , , , . , , , , , , , . , , , , , . , . , , , -- , , , . , , , . , . , , . - , . , , , . , , , , , -- .
152

Forum_1.indd 152 Forum_1.indd 152

22.10.2014 13:40:28 22.10.2014 13:40:28


, , . , , . , , , , . , , , , , . , , , , , , , . , , . , , . , , , , , , , , . . , , , , , . 2011 . , ,
153

Forum_1.indd 153 Forum_1.indd 153

22.10.2014 13:40:28 22.10.2014 13:40:28


18, 1 219. , 3()20, -- , 421. , , , , 22. 5 , 23. 6 2013 ., , , , « - , - "24. 7 , , , .
: http://nz.chineseembassy.org/eng/zgyw/t858978.htm. . A/68/98, . 10, . 18. 203 : http://www.mid.ru/bdomp/ns-osndoc.nsf/1e5f0de28fe 77fdcc32575d900298676/7b17ead7244e2064c3257925003bcbcc!OpenDocument. 214 2020 . : http://www.scrf.gov.ru/documents/6/114.html (. 12(.)). 225 . , A/59/116, . 13, . 3 ( ) 236 . 6 . 247 . A/RES/68/243, 27 2013 ., . 4.
192 181

154

Forum_1.indd 154 Forum_1.indd 154

22.10.2014 13:40:28 22.10.2014 13:40:28


, , , . , , , , . , , -- , , -- , . 36 I 1977 .25, 1 , , , . , , .
251 36 I -- : , , , , , , , - , .

155

Forum_1.indd 155 Forum_1.indd 155

22.10.2014 13:40:28 22.10.2014 13:40:28


Laurent Gisel1
International Committee of the Red Cross

How does international humanitarian law constrain cyber warfare and protect civilians?
Scientists, businesses and governments continuously endeavour to invent and develop new technologies, which have the potential to bring about huge benefits for humankind in the economic and social realm. Technological developments in the information and communication field -- and in particular the creation and expansion of cyber space which is one of the last decades' defining technological developments -- are no exception in that regard. But new technologies also bring about new risks and potential concerns in various realms, in particular if used during armed conflict. The first time that States placed limits on the choice of means of warfare by way of an international treaty was in the 1868 St Petersburg Declaration, by which they agreed upon `technical limits at which the necessities of war ought to yield to the requirements of humanity' and envisaged the possibility to come to subsequent understandings `in view of future improvements which science may effect in the armament of troops, in order (...) to conciliate the necessities of war with the laws of humanity.' In the spirit of the important principles embodied by the Declaration and in keeping with its own mandate, the ICRC monitors the development of new technologies and their use or potential use in armed conflicts, such as armed drones, autonomous weapons systems or, precisely, cyber warfare. It aims at assessing their actual or potential human cost and analyses how the rules of IHL govern their use. Applying pre-existing legal rules to a new technology also raises the question of whether the rules are sufficiently clear in light of the technology's specific characteristics and foreseeable humanitarian impact. Businesses, media and governments regularly report that their web-sites or networks have been subject to cyber attacks. However, there is no authoritative definition of the notions of "cyber attack" or "cyber warfare", and they have been used by different people to mean different things. A large proportion of operations referred to as "cyber attacks" constitute illicit information gathering -- such as
1 The views expressed in this article are those of the author alone and do not necessarily reflect the views of the ICRC.

156

Forum_1.indd 156 Forum_1.indd 156

22.10.2014 13:40:28 22.10.2014 13:40:28


industrial espionage -- or other cyber crimes and occur outside the context of armed conflicts. They are not governed by international humanitarian law (IHL). "Cyber warfare" is used in this article to refer to means and methods of warfare that consist of operations against or via a computer or a computer network through a data stream, when such cyber operations are conducted in the context of an armed conflict within the meaning of IHL2. 1Media and commentators also often refer to "information war". Information war is defined notably in the Agreement between the Governments of the Member States of the Shanghai Cooperation Organization on Cooperation in the Field of International information 2Security3, while the U.S. provides a definition of information3 operations4. Though definitions vary and may reflect substantive differences in the understanding of these notions, it seems that information war and information operations are broader notions than cyber warfare as defined here, and often encompass at least part thereof. The ICRC is particularly concerned by cyber warfare because of the vulnerability of cyber networks and the potential human cost of cyber attacks. If the networks of a State are attacked, civilians risk being deprived of basic essentials such as drinking water, medical care and electricity. If GPS systems are paralysed, there may
2 1See ICRC `How is the Term «Armed Conflict» Defined in International Humanitarian Law?', Opinion paper, March 2008, available at http://www.icrc.org/ eng/assets/files/other/opinion-paper-armed-conflict.pdf. 3 2Annex 1 List of basic terms in the field of international information security: "Information War -- confrontation between two or more states in the information space aimed at damaging information systems, processes and resources, critical and other structures, undermining political, economic and social systems, mass psychologic brainwashing to destabilize society and states, as well as to force the state to taking decisions in the interest of an opposing party". Unofficial translation available at http://media. npr.org/assets/news/2010/09/23/cyber_treaty.pdf (all web-sites last accessed on 16 June 2014). 4 3`Department of Defense Dictionary of Military and Associated Terms, Joint Publication 1-02' (As Amended Through 15 March 2014): "information operations -- The integrated employment, during military operations, of information-related capabilities in concert with other lines of operation to influence, disrupt, corrupt, or usurp the decision-making of adversaries and potential adversaries while protecting our own." Available at http://www.dtic.mil/doctrine/new_pubs/jp1_02.pdf (p. 127). The 2006 version of the DoD `Joint Publication 3-13, Information Operations' (superseded by the 2012 version) provided a more detailed definition: "information operations. The integrated employment of the core capabilities of electronic warfare, computer network operations, psychological operations, military deception, and operations security, in concert with specified supporting and related capabilities, to influence, disrupt, corrupt or usurp adversarial human and automated decision making while protecting our own." Available at: http://www.globalsecurity.org/intell/library/policy/ dod/joint/jp3_13_2006.pdf (p. GL­9).

157

Forum_1.indd 157 Forum_1.indd 157

22.10.2014 13:40:28 22.10.2014 13:40:28


be a risk of civilian casualties occurring -- for example, through disruption to the flight operations of rescue helicopters that save lives. While the military potential of cyber space is not yet fully understood, experts seem to agree that attacks against transportation systems and electricity networks, or even against dams or nuclear plants are technically possible. Such attacks could have wide-reaching consequences for the well-being, health and lives of hundreds of thousands of people. It is the role of the ICRC to recall that in an armed conflict, constant care must be taken to spare civilians and civilian objects. Indeed, cyber warfare is subject to IHL in the same way that any new weapons, means and methods of warfare are. There is no legal vacuum in cyber space. This is unambiguously stated in the 2013 report of the United Nations Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security which asserted that "International law, and in particular the Charter of the United Nations, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment"5. 1The Russian Ministry of Defence 2011 Conceptual views on the activities of the Armed Forces of the Russian Federation in the information space more specifically stated that the Armed Forces of the Russian Federation have to follow the regulations of IHL during their operations in the information space6. 2An increasing number of States, such as Australia, Canada, Japan, the Netherlands, the U.K and the U.S., or international organisations, such as the European Union, have similarly recognised that IHL applies to cyber warfare7. 3The cardinal principle of the conduct of hostilities under IHL is the obligation to direct attacks against com51 `Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, Note by the Secretary-General', 24 June 2013, A/68/98, p. 8, para 19. 62 Available at: http://ens.mil.ru/science/publications/more.htm?id=10845074@ cmsArticle; (unofficial translation available at http://www.ccdcoe.org/strategies/ Russian_Federation_unofficial_translation.pdf). 73 Australia: A/66/152, p. 6, last para.; see also: http://foreignminister.gov. au/speeches/2013/jb_sp_131017.html. Canada: A/68/156/Add.1, p. 4, pt. 2. Japan: A/68/156/Add.1, p. 15, first para. The Netherlands: http://cms.webbeat.net/ ContentSuite/upload/cav/doc/advies_22_reg_reactie_EN.pdf, p. 5. The U.K.: A/59/116, p. 11, para. 3 and A/65/154, p. 15, para. 7. The U.S.: A/59/116/Add.1 p. 4, para. 5 and A/66/152 pp. 18-19; see also http://www.state.gov/s/l/releases/ remarks/197924.htm. The European Union: E.U. Council Conclusions, General Affairs Council meeting, 25 June 2013, 12109/13, p. 4 para. 6 (available at http:// register.consilium.europa.eu/doc/srv?l=EN&f=ST%2012109%202013%20INIT).

158

Forum_1.indd 158 Forum_1.indd 158

22.10.2014 13:40:29 22.10.2014 13:40:29


batants and military objectives only. Attacks against civilians and civilian objects are prohibited, and this prohibition also governs cyber attacks. In recent years, there has been increasing concern for the protection of critical infrastructures against cyber attacks. During armed conflict, such attacks would most often constitute violations of IHL. Indeed, drinking water and electricity networks that serve the civilian population, banks, railway networks and public health infrastructure are civilian objects in the first place (at least as long as they have not become so-called "dual-use" objects). As such, they are protected against direct attack. Water systems, in particular, enjoy special protection for being objects indispensable to the survival of the population8. 1Similarly, dams and civilian nuclear plants usually do not fall within the definition of what constitutes a military objective9,2 and are thus protected against direct attacks. Even if they become military objectives in particular circumstances, IHL might nevertheless prohibit their attack103 or at least require that the party to the conflict which would attack them takes particular care to avoid the release of dangerous forces and consequent severe losses among the civilian population11.4 However, to reaffirm the relevance of IHL for cyber warfare and recall such fundamental rules is only the first step. Indeed, cyber warfare raises a number of challenges for the interpretation and application of IHL12. 5 First: anonymity. Anonymity in cyberspace is easy to achieve, and this complicates the ability of States to attribute aggressive
81 Art. 54 of the 1977 Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocols I) of 8 June 1977 (hereinafter AP I), and ICRC, `Customary International Humanitarian Law, Vol. I: Rules', Jean-Marie Henckaerts and Louise Doswald-Beck (eds), Cambridge University Press, Cambridge, 2005 (hereinafter ICRC Customary Law Study), Rule 54 (available at: http://www.icrc.org/ customary-ihl/eng/docs/v1_rul). 92 Art. 52 AP I and Rule 8, ICRC Customary Law Study, "In so far as objects are concerned, military objectives are limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose partial or total destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage". 103 By virtue of the principle of proportionality, or because of Art. 56(1 and 2) AP I. 114 Art. 56(3) AP I and Rule 42, ICRC Customary Law Study. 12 5A detailed examination of these challenges can be found in Cordula Droege, Get off my cloud: cyber warfare, international humanitarian law, and the protection of civilians in The International Review of the Red Cross, Volume 94, nb 886, summer 2012, pp. 533 -- 578 (available at: http://www.icrc.org/eng/assets/files/ review/2012/irrc-886-droege.pdf)

159

Forum_1.indd 159 Forum_1.indd 159

22.10.2014 13:40:29 22.10.2014 13:40:29


activities to the perpetrators, and especially to do so in a timely manner. Since IHL relies on the attribution of responsibility to States and other parties to armed conflict, anonymity creates major challenges. If the perpetrator of a given cyber operation cannot be identified, it is extremely difficult to determine whether IHL is even applicable to the operation. The answer to this challenge might, however, not lie in the legal field alone, but first in the technical field. Second: do cyber operations amount to a resort to armed force triggering the applicability of IHL? There is no doubt that an armed conflict exists when cyber operations are resorted to in combination with traditional kinetic weapons. However, when the first -- and possibly the only -- hostile act is a cyber operation, can this amount to an armed conflict? This question is closely related but nevertheless distinct from whether a cyber operation alone could amount to a use of force or an armed attack under the United Nations Charter. Such jus ad bellum issues are of crucial importance and thus widely debated. However, issues pertaining to jus ad bellum and the question of the scope of application of IHL (jus in bello) should not be confused. IHL applies in situations of armed conflicts, whether international or non-international, as defined in the 1949 Geneva Conventions and their 1977 Additional Protocols13.1 In that regard, there seems to be no reason to treat cyber operations that would cause effects similar to those caused by kinetic operations differently than the latter. Beyond such kind of operations, the disruption of critical infrastructure lasting long enough to create severe hardship for the population might also be considered as a resort to armed force triggering the applicability of IHL, in view of IHL's purpose to protect the civilian population against such consequences. The ICRC, however, believes that defining the type of cyber operations that triggers the applicability of IHL in the absence of any kinetic operation will be determined only through future State practice14.2 Third: in situations where IHL applies, such as when an armed conflict is already being waged through traditional kinetic means,
131 See ICRC `How is the Term «Armed Conflict» Defined in International Humanitarian Law?', note 1 above. 142 ICRC, `International Humanitarian Law and the challenges of contemporary armed conflicts', 31st International Conference of the Red Cross and Red Crescent, Geneva, 28 November­1 December 2011, Report prepared by the ICRC, October 2011, 31IC/11/5.1.2, p. 37, para. 4, available at http://www.icrc.org/eng/assets/ files/red-cross-crescent-movement/31st-international-conference/31-int-conference-ihl-challenges-report-11-5-1-2-en.pdf

160

Forum_1.indd 160 Forum_1.indd 160

22.10.2014 13:40:29 22.10.2014 13:40:29


the question arises as to the definition of "cyber attack". The notion of "attack" is cardinal for the rules on the conduct of hostilities in particular for the principles of distinction, proportionality and precautions in attack. Indeed, while parties to a conflict have to take constant care to spare civilians in all military operations and to protect them against the effect of hostilities, most specific obligations governing the conduct of hostilities apply to "attacks". The 1977 First Additional Protocol defines attacks as "acts of violence against the adversary, whether in offence of in defence" (Art. 49(1)). The group of experts which drafted the Tallinn Manual on the International Law Applicable to Cyber Warfare defined a "cyber attack" under IHL as "a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects."151 The crux of the matter, however, lies in the detail, namely what is "damage" in the cyber world. A number of IHL experts agree that the loss of functionality of an object may also constitute damage, while others argue that only physical damage is relevant. The ICRC considers that if an object is disabled, it is immaterial whether this occurred through destruction or in any other way16.2 This issue is very important in practice, as a more restrictive view of the notion of attack might imply that fewer and less precise IHL rules would govern and thus restrict such types of operations. In particular, a cyber operation aimed at making a civilian network dysfunctional might not be covered by the IHL prohibition of directing attacks against civilian
151 Tallinn Manual, Rule 30, p. 106, Available at http://ccdcoe.org/tallinn-manual.html. The Tallinn Manual was drafted at the invitation of the NATO Cooperative Cyber Defense Centre of Excellence. However, the Tallinn Manual is not a NATO doctrine but a non-binding document prepared by a group of experts in their personal capacity. Some have expressed a negative opinion of the Tallinn Manual because it was a regional endeavour and because it would legitimize cyber warfare or promote the militarization of cyber space. This is certainly not the reason for which the ICRC took part as an observer in the group of experts that drafted it. The aim of the ICRC's participation was to ensure that the Manual would uphold the protection that IHL gives to victims of armed conflicts. The ICRC generally agrees with the formulation of the jus in bello rules stated in the part of the Manual on "the law of cyber armed conflicts". However, there are exceptions, where the ICRC considers that the norms under existing IHL are actually stronger or more protective than the rules as drafted in the Manual. For more details, see ICRC, `What limits does the law of war impose on cyber attacks? Questions and Answers', 28 June 2013, available at http://www.icrc.org/eng/resources/documents/faq/130628cyber-warfare-q-and-a-eng.htm. 162 ICRC, `Report on International Humanitarian Law and the challenges of contemporary armed conflicts', note 13 above, p. 37, last para.

161

Forum_1.indd 161 Forum_1.indd 161

22.10.2014 13:40:29 22.10.2014 13:40:29


persons and objects under an overly restrictive understanding of the notion of attack. Fourth: the challenges that the interconnectedness of cyber space creates for the rules of IHL aiming at the protection of civilians and civilian objects. There is only one cyber space, and the same networks, routes and cables are shared by civilian and military users. As the U.K. noted last year, "[t]he interconnected nature of cyberspace means that disruptive activities against one system may cause unintended and unpredictable effects in other systems"17.1 The interconnectedness of cyber space might even make it impossible to distinguish between military and civilian computer networks when launching a cyber attack; if carried out nevertheless, such an attack would violate the prohibition of indiscriminate attacks. The use of malware which replicates itself without control and damages civilian cyber networks is similarly forbidden. For example, a party to a conflict would violate the prohibition of indiscriminate attacks under IHL if it releases via the internet a malware tailored to block enemy military radars, while expecting that the malware's code will spread to and affect civilian air traffic control radars. Under the principle of proportionality, a party to a conflict must also do everything feasible to assess whether an attack may be expected to cause incidental harm which would be excessive in relation to the direct and concrete military advantage anticipated, and if that is the case, not conduct the attack. Furthermore, when launching an attack, parties to the conflict have to take all feasible precautions to avoid or at least minimize incidental civilian casualties and damage to civilian objects, including civilian cyber infrastructure and networks. The interconnectedness of cyber space entails the risk that cyber attacks cause incidental damage indirectly. Such indirect incidental damage, however remote it is, has to be considered to the extent that it can be expected -- and parties to the conflict that plan or launch cyber attacks have to expect that they risk causing incidental damage indirectly. One could even question whether it is always possible to appropriately assess such indirect effects. This is just a brief overview of the issue, and there are many other challenges. Some of them reflect challenges that exist for kinetic operations, such as for the definition of the notion of direct participation in hostilities. If someone takes a direct part in hostilities by way of a cyber attack in support of one party to an armed
171 `Development in the field of information and telecommunications in the context of international security, Report of the Secretary General', A/68/156 p. 16, para. 1 (response from the U.K).

162

Forum_1.indd 162 Forum_1.indd 162

22.10.2014 13:40:29 22.10.2014 13:40:29


conflict, he cannot expect the enemy to remain idle. This person would lose his or her legal protection against direct attack, including kinetic attacks, during the execution of the cyber attack and the preparatory measures forming an integral part thereof. Other challenges are possibly more specific to cyber warfare, such as the geography of cyber conflicts, the application of the law of neutrality and the concept of sovereignty, or the definition and legal review of cyber weapons, just to name a few. Despite these challenges, the key question is not whether new technologies are inherently good or bad. New technologies might also have positive effects if used in a law-abiding manner. In terms of the ability to avoid or minimize incidental civilian harm, precision guided munitions constitute an improvement over artillery or aerial bombardment weapons used during World War II. Without underestimating the challenges, one cannot rule out the possibility that technological evolution might lead in the future to the development of cyber weapons that would, in specific circumstances, cause fewer casualties and less incidental damage than traditional weapons, to achieve the same military advantage. For instance, it might be less damaging to disrupt through a cyber operation certain public services simultaneously used for military and civilian purposes than to destroy such infrastructure through bombardment. In such cases, the principle of precaution arguably imposes an obligation on parties to armed conflicts to choose, whenever feasible, the means least harmful to civilians to achieve their military aim. This being said, a holistic reflection is warranted to fully consider the risks and implications of the use of new technologies from all perspectives and the ICRC is urging States to consider them well before they develop such technologies. While the relevance of IHL as the main body of law that constrains cyber warfare and protects civilians needs to be reaffirmed, the ICRC does not want to rule out that there might be a need to develop the law further to ensure that the protection it provides to the civilian population is sufficient. That will have to be determined by States. In that regard, there is some debate within the international community on the manner to address the challenges raised by cyber warfare and more broadly those related to information security. In 2011, China, Russia, Tajikistan and Uzbekistan submitted to the United Nations Secretary General an International Code of Conduct for Information Security18, 1co-sponsored by Kazakhstan and Kyr181

Available at http://nz.chineseembassy.org/eng/zgyw/t858978.htm.

163

Forum_1.indd 163 Forum_1.indd 163

22.10.2014 13:40:29 22.10.2014 13:40:29


gyzstan in 201319. 1Russia also put forward a Draft Convention on International Information Security (Concept)20,2 and one of Russia's current priorities in the field of international information security is to promote the formulation and adoption by Member States of the United Nations of international regulations concerning the use of principles and standards of international humanitarian law in the use of information and communications technologies21.3 For its part, the U.K. considers that a multilateral instrument to restrict the use of information technologies in armed conflict is unnecessary, notably because the law of armed conflict already govern such use22.4 Several other States expressed themselves on some of the challenges raised by the application and interpretation of international law to cyber warfare23.5 In December 2013, when requesting the Secretary General to establish a new Group of Governmental Experts, the United Nations General Assembly added to the scope of matters to study "the issues of the use of information and communications technologies in conflicts and how international law applies to the use of information and communications technologies by6 States"24. While some of these documents and statements are broader in scope than IHL, the ICRC welcomes the interest given to these issues and will continue to offer its expertise on how IHL constrains cyber warfare with a view to limit its potential human cost, and on how to best address the challenges it raises. These challenges however underline the necessity for parties to armed conflicts to be extremely cautious, if and when resorting to cyber attacks, to avoid harm to civilians and civilian networks. These challenges also underscore the importance that States which may develop or acquire cyber warfare capacities -- whether for offensive or defensive purposes -- assess their lawfulness under IHL, as is necessary for any new weapons or methods of warfare. This
See A/68/98, p. 8, para 18. 2Available at http://www.mid.ru/bdomp/ns-osndoc.nsf/1e5f0de28fe77fdcc325 75d900298676/7b17ead7244e2064c3257925003bcbcc!OpenDocument. 21 3`Basic principles for State Policy of the Russian Federation in the field of International Information Security to 2020', September 2013 available at http://www. scrf.gov.ru/documents/6/114.html, unofficial translation available at http://www. veleposlanistvorusije.mid.ru/doc/pr_20130916_en.pdf (p. 5, para. 12(d)). 22 4`Development in the field of information and telecommunications in the context of international security, Report of the Secretary General', A/59/116, p. 11, para. 3 (response from the U.K) 23 5See references in note 6 above. 246 `Developments in the field of information and telecommunications in the context of international security', A/RES/68/243, 27 December 2013, OP 4.
20 191

164

Forum_1.indd 164 Forum_1.indd 164

22.10.2014 13:40:29 22.10.2014 13:40:29


is required by Art. 36 of the 1977 First Additional Protocol25,1 and is the only way to ensure that armed forces and other government agencies potentially resorting to cyber capabilities during an armed conflict will be able to abide by their obligations under international law. The fact that a growing number of States are developing cyber warfare capabilities only reinforces the urgency of these concerns.
25 1Art. 36 AP I -- New weapons: In the study, development, acquisition or adoption of a new weapon, means or method of warfare, a High Contracting Party is under an obligation to determine whether its employment would, in some or all circumstances, be prohibited by this Protocol or by any other rule of international law applicable to the High Contracting Party.

165

Forum_1.indd 165 Forum_1.indd 165

22.10.2014 13:40:29 22.10.2014 13:40:29



,



1. ( , ) , , , , . . 2. , , , . , . , 2013 : · 19. , , ... · 20. , , , , - . · 21. , . . , , (
166

Forum_1.indd 166 Forum_1.indd 166

22.10.2014 13:40:29 22.10.2014 13:40:29


), . . opinio juris1, , , , . ; , , . , , , 2013 . , . 3. , , , mutatis mutandis2. . , , . , , . , , . , , . , , , , , . , , , .
1 2

. .

167

Forum_1.indd 167 Forum_1.indd 167

22.10.2014 13:40:29 22.10.2014 13:40:29


, , . : , . . , , . , , , , . . , , (. ). , , . , , . , , , , . , . , , , . , , Stuxnet - , . , . , 2007
168

Forum_1.indd 168 Forum_1.indd 168

22.10.2014 13:40:30 22.10.2014 13:40:30


2008 , . , , . , « , , » ( ). , - , . , , , , , , , , . , , . 4. -- , , -- - . . , . , , . , , . . , , -, , . , , . , , . , 41(1) , , --
169

Forum_1.indd 169 Forum_1.indd 169

22.10.2014 13:40:30 22.10.2014 13:40:30


-- . , . , , , , . , . ( , , , , , , ). , opinio juris3, 1 , . , , . , ( ) . , , , . 5. , , , , . , , . , , , . , , 19 3

1 .

170

Forum_1.indd 170 Forum_1.indd 170

22.10.2014 13:40:30 22.10.2014 13:40:30


() (). -- -- « ». , , , . , , 12 17 . 17 : 1. , . . , . 17 -- -- . , , , . 2(1) : 1. , , ... , . , : 2(1) « », , , ,
171

Forum_1.indd 171 Forum_1.indd 171

22.10.2014 13:40:30 22.10.2014 13:40:30


, . , , , , . 6. . , , . , , . , . , . , . , , , . . , « », «» «». , . .

172

Forum_1.indd 172 Forum_1.indd 172

22.10.2014 13:40:30 22.10.2014 13:40:30


PÅl Wrange
Stockholm Center for Intrernational Law and Justice, Sweden

Intervention in national and private cyberspace and international law

1. Introduction This presentation (which is based on an article to be published later this year) will argue that an intrusion by a state in foreign national cyberspace may be prohibited even if it does not amount to the use of force, both as a violation of sovereignty and as a violation of human rights. That conclusion is arrived at from the point of view of a generalist through the application of existing international law. 2. Cyberspace and international law International law, as it currently exists, applies to computer networks. This is also a position generally taken by states. This was confirmed in a report from a broadly representative group of governmental experts, which concluded i.a. the following in a UN report in June 2013: `19. International law, and in particular the Charter of the United Nations, is applicable ... 20. State sovereignty and international norms and principles that flow from sovereignty apply to State conduct of ICT-related activities, and to their jurisdiction over ICT infrastructure within their territory. 21. State efforts to address the security of ICTs must go handin-hand with respect for human rights and fundamental freedoms set forth in the Universal Declaration of Human Rights and other international instruments. Still, the situation is far from clear. With the exception of the Budapest Convention against Cybercrime, and possibly some provisions in the ITU Convention (drafted long before Internet), there is no international convention on the topic. The aforementioned UN report is the closest thing we have to an authoritative intergovernmental opinion. There are very few instances of opinio juris, very little, if any, confirmed state practice, and no judgments or reports from international adjudicative or monitoring bodies. There is not even very much doctrine; most writers who have engaged in
173

Forum_1.indd 173 Forum_1.indd 173

22.10.2014 13:40:30 22.10.2014 13:40:30


international law aspects of cyber sphere have written about international humanitarian law and the use of force. One important exception is the Tallinn Manual, drafted by a group of experts at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence and published in 2013, which deals expertly but briefly and not conclusively with some peacetime uses of Internet. 3.Sovereignty and intervention in cyberspace As implied above, the starting point must be that states exercise sovereignty over their respective cyberspaces, mutatis mutandis. However, states may have many reasons to take measures also in foreign cyberspace. Some of these reasons are legitimate as such, like investigations of and responses to terrorism and other crimes. Others may be more dubious, like intelligence or sabotage. Some such acts may constitute armed attacks, illegal intervention, or legal countermeasures, while other acts are legally unproblematic. For many commentators, if an act does not constitute use of force, it appears to be more or less unproblematic. However, many of these acts, like espionage, may constitute illegal intervention or interference, and that issue has been subject to much less academic debate. Those few writers who have commented specifically on the principle of non-intervention generally agree that the principle applies in cyberspace. Under the principle of non-intervention and the sovereign equality of states, enforcement of a state's laws may and the exercise of public authority may not take place on another state's territory without that state's consent. This was confirmed in very clear terms in a judgment from Canada's Supreme Court: The power to invade the private sphere of persons and property, and seize personal items and information, is paradigmatic of state sovereignty. These actions can be authorized only by the territorial state. There is controversy as to if cyber intrusions that do not create any lasting harm are prohibited. According to some writers, damage is irrelevant, whereas others find that only intrusions that cause material harm constitute illegal interventions. The latter view is difficult to understand, though. Under the Budapest Convention on Cybercrime, a number of acts, commonly conducted as a part of law enforcement or cyber espionage (see below), are criminalized. This includes illegal access and illegal interception, and the Convention contains no exceptions for measures taken by foreign public agencies. In fact, the preparatory works of the Convention clearly spell out that the Convention does not allow remote extraterritorial search. Hence, the logical conclusion is that the general
174

Forum_1.indd 174 Forum_1.indd 174

22.10.2014 13:40:30 22.10.2014 13:40:30


prohibition of intervention, including the prohibition of infringements on territorial sovereignty, applies also in cyberspace. Nevertheless, even if unauthorized, under some circumstances such measures may be justified. A state may take countermeasures against attacks from another state, and that applies even if the attack does not reach the threshold of an armed attack or even use of force. So, for instance, if the Stuxnet virus could be attributed to a particular state, then Iran could take countermeasures against that state. In addition to countermeasures, states may also invoke necessity, in order safeguard an essential interest against a grave and imminent peril. Several of the most famous incidents, like the attacks against Estonia in 2007 and against Georgia in 2008, have been difficult to impute directly to a state. In principle, a state may be responsible for acts carried out by individuals, if these individuals are directed or controlled by a state. Furthermore, a state has the duty `not to allow knowingly its territory to be used for acts contrary to the rights of other States' (ICJ Corfu Channel Case). That obligation includes the duty to investigate and to prosecute, in cooperation with the target state, as well as a measure of active prevention. It is submitted that if a state whose territory is being used for attacks is being notified and still does not take action in good faith, there is at least some degree of responsibility. At any rate, if a state is unable to police its portion of cyberspace, that might invite other states to take self-help measures. 4. Espionage One particularly controversial -- and surely prevalent -- type of Internet activity is cyber espionage. To collect information is -- in and of itself -- not illegal under international law. This is now to a large extent carried out over the Internet and does not necessarily need the consent of the target government. However, espionage may also involve unauthorized intrusion into servers that contain private and secret data. Some writers have argued that espionage is legal under international law and that there is therefore no obstacle to committing espionage over the Internet. Those who make that claim essentially say two arguments. First, they point out that there is no treaty prohibiting espionage. Hence, if it is not prohibited, it must be legal. However, this argument misses the point that even though there is no wholesale prohibition of espionage, many more concrete forms of espionage are prohibited. Under Article 41(1) the Vienna Convention on Diplomatic
175

Forum_1.indd 175 Forum_1.indd 175

22.10.2014 13:40:30 22.10.2014 13:40:30


Relations, for instance, states have undertaken the obligation that staff of diplomatic missions -- many of which are in reality spies -- must comply with domestic law in the state where they are being stationed. Other state agents are covered by the general prohibition of intervention, including the prohibition of enforcement. The second argument provided by these writers is that there is a customary norm to that effect, since all nations engage in such activities. However, this is based on a complete misunderstanding of how customary international law is formed. (Remember that the default position is that a number of types of acts conducted in the course of espionage are illegal, so the burden of proof is on those who claim that there is an exception for espionage.) In order for a customary norm to be formed, there needs to be not only state practice, but also opinio juris, a legal conviction that this practice corresponds to the law. I know of no state that has publicly claimed that espionage in all its forms is legal. On the contrary, states generally deny (or at least refuse to admit) being involved in illegal espionage. I therefore conclude that espionage that involves unauthorized access to servers and other computers in a foreign state generally constitute illegal interventions into the sovereignty of that state. 5. Human rights So, unauthorized access into computers in foreign states is generally illegal under international law, but may sometimes be justified. However, it is important to note that human rights cannot be disposed of by the state of nationality of the person in question. Hence, if state A conducts a search on the computer of an individual in state B, it is immaterial whether A invokes the consent of B or whether the measure is justified as a countermeasure. One highly relevant human right is the freedom of information, which is included under the freedom of expression, covered by Article 19 in both the Universal Declaration of Human Rights (UDHR) and the International Covenant on Civil and Political Rights (ICCPR). While a state has the right to close its borders -- including borders in cyberspace -- it must still respect the right to `receive and impart information and ideas of all kinds, regardless of frontiers'. This means that any efforts that a state may take in order to counter terrorism or other crimes, for instance by stopping the dissemination of private or public messages from a computer, will have to take this right into account.
176

Forum_1.indd 176 Forum_1.indd 176

22.10.2014 13:40:30 22.10.2014 13:40:30


Further, there is the right to privacy, protected under Article 12 of the UDHR and Article 17 of the ICCPR. Article 17 of the ICCPR provides: 1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. This applies in cyberspace, too. An intrusion by a state into a server in another state may constitute not only a violation of that other state's sovereignty, but also a violation of the human rights of another person. Article 17 does not prohibit all interference -- interference shall not be arbitrary or unlawful -- which suggests that a balance needs to be struck. It may be argued that the ICCPR does not protect individuals who are situated beyond the territory of a state which invades their private spheres. Article 2(1) of the ICCPR reads: Each State Party to the present Covenant undertakes to respect and to ensure to all individuals within its territory and subject to its jurisdiction the rights recognized in the present Covenant, without distinction of any kind... The Human Rights Committee has confirmed that the convention has extraterritorial application. In the case L pez Burgos v Uruguay, it held that Article 2 (1) of the Covenant places an obligation upon a State party to respect and to ensure rights `to all individuals within its territory and subject to its jurisdiction', but it does not imply that the State party concerned cannot be held accountable for violations of rights under the Covenant which its agents commit upon the territory of another State, whether with the acquiescence of the Government of that State or in opposition to it. Therefore, even measures on foreign soil which do not violate the sovereignty of a foreign state may be prohibited because they violate the human rights of an individual. 6. Conclusion In international law discourse on cyber attacks, there has been much focus on the threshold for the use of force. Cyber attacks or intrusions which do not amount to the use of force, have often been held to be unproblematic. As I have argued here, however, such intrusions will often constitute illegal interventions into the sovereignty of another state, or constitute violations of human rights.
177

Forum_1.indd 177 Forum_1.indd 177

22.10.2014 13:40:30 22.10.2014 13:40:30


Nevertheless, it is not completely clear how the usual rules of international law should be understood in this space. As mentioned, states have not been very helpful in clarifying these issues. For sure, the old principles and rules of international law apply to cyberspace, too. The lack of a new convention is therefore not an excuse for not trying to comply with these rules. Nevertheless, there is a pressing need for international bodies to clarify these rules, in the form of new conventions or less formal documents. We need to know of what terms like `use of force', `jurisdiction' or `intervention' mean in cyberspace. And we need to know if governments may invade our privacy. In that process, commentators on international law should play an important role.

178

Forum_1.indd 178 Forum_1.indd 178

22.10.2014 13:40:30 22.10.2014 13:40:30



, SUNY,


! , . , . , , , . , , , , , , , , . -- , , . , . . , . , . . , . , , , . 179

Forum_1.indd 179 Forum_1.indd 179

22.10.2014 13:40:31 22.10.2014 13:40:31


, , , . , . . , . , , , , . , , . , , , , . , . , . , , , . , , , . : 1) , . ? , , , - -- ? - ,
180

Forum_1.indd 180 Forum_1.indd 180

22.10.2014 13:40:31 22.10.2014 13:40:31


, , ? ? 2) , , . ? , ? 3) ( ) , , . . 4) , . , . 5) , , ( ) . , , . . , . , , , .
181

Forum_1.indd 181 Forum_1.indd 181

22.10.2014 13:40:31 22.10.2014 13:40:31


() . , (), , , . , , , , , . , . , . . , , , . . , . . , , . , . , . , , . , , . , « » (DDoS) , . , «» -- , - 182

Forum_1.indd 182 Forum_1.indd 182

22.10.2014 13:40:31 22.10.2014 13:40:31


, . , , . , , , . . -, , , . , . , . -, , , -- , , . , , . , - ( , ) . , , . .
183

Forum_1.indd 183 Forum_1.indd 183

22.10.2014 13:40:31 22.10.2014 13:40:31


, . . , . , , , -, . . , -, - DVD- -- Stuxnet. . . ( ) . 2001 () 1 ( ). 2004 , - , . , , (, ), 382 192 - . . , , , ,
1 Convention on Cybercrime, CETS No.: 185 at: http://conventions.coe.int/ Treaty/Commun/QueVoulezVous.asp?NT=185&CL=ENG 2 See "chart of signatures and ratifications" at convention webpage above.

184

Forum_1.indd 184 Forum_1.indd 184

22.10.2014 13:40:31 22.10.2014 13:40:31


. . , . , . . 2011 ( ), . , - . , . , : 1. , ? 2. , . , ? , , -- , , . , , ,
185

Forum_1.indd 185 Forum_1.indd 185

22.10.2014 13:40:31 22.10.2014 13:40:31


. , , . , , . . 2012 , . 2013 . , , . . , , , . , , . , : 1. 2. 3. 4. 5. ( -- ) 6. , . . . . , , .

186

Forum_1.indd 186 Forum_1.indd 186

22.10.2014 13:40:31 22.10.2014 13:40:31


. , . . , , . , 7 . , .

187

Forum_1.indd 187 Forum_1.indd 187

22.10.2014 13:40:31 22.10.2014 13:40:31


Sanjay Goel
SUNY, USA

Adaptation of International Law to Cyber Conflict
Good Afternoon! I would first like to thank IISI for inviting me to this conference. I have been here each year since its inception and it is always a privilege and a delight to be here. Before I start my remarks, I would like to emphasize that I do not represent the views of the U.S. government, but rather my own views as an academic. Especially at this time of turmoil when U.S. -- Russia relations are at a low, we as academics need to work even harder to ensure that the progress that we have made in working together in the areas of cyber conflict and cyber security continues on a path forward. I would like to correct the negative portrayal of United States by this morning -- I do sincerely believe from my vantage point as an academic that it is important for the United States to build consensus on the issue of international cyber security and despite short-term setbacks, the long term prognosis is promising. My remarks today are focused on the adaptation of the international law to cyber incidents. I am neither a lawyer nor a political scientist. My remarks are an attempt at understanding the adaptability of existing international laws to cyber conflicts based on technical and strategic considerations. There have been several efforts to draw international treaties to address cyber crime and to regulate cyber conflict. However, reaching consensus on creating international laws in cyberspace has been difficult. Each state has a different legal system with diverse laws and each state's laws are based on the societal values, political establishment, and social norms developed through centuries of history. It has taken many years to build consensus on international law and these laws were typically enacted following horrific incidents that brought global consciousness to the fore. We have not seen anything of those proportions in cyberspace and therein lies the reason for the inertia. Political leaders are reluctant to face new realities of globalization by changing policies and laws to address the problems that come with it. This is often because effectively addressing these problems entails harmonizing laws across all countries at the expense of the domestic audience. Another reason is that countries, instead of striving for genuine compromise,
188

Forum_1.indd 188 Forum_1.indd 188

22.10.2014 13:40:31 22.10.2014 13:40:31


continue to reiterate their intransigent positions while attempting to foist their own views on other countries. Several scholars have argued that the cyber domain is not distinct from the physical domain and that current international laws should apply to the cyber domain. It is true that there are a lot of analogies between cyber conflict and other forms of warfare and the same principles that apply to physical warfare can apply to cyber warfare. Consequently, the rules of conventional warfare also apply to cyberspace. However there are enough differences in the cyber domain so as to make their enforcement untenable in several cases. I do believe that we need to learn from the existing laws but seriously think through the unique issues of the cyber domain as we build new international laws. I examine existing laws dealing with international conflicts and raise the key issues while evaluating their adaptation to the cyber domain. Right to Armed Conflict The right to armed conflict has evolved through a series of agreements and has several clauses: 1) War should be waged by a legitimate authority rooted in the notion of state sovereignty. What is a legitimate authority in cyber warfare? Cyber warfare is a covert warfare typically conducted by proxies of countries -- are the proxies of nation states legitimate? Would nation states ever agree that the entities committing the attacks are their proxies? What if the proxies are operating outside of the country? 2) The aim of war must not be to pursue narrowly defined national interests, but rather to re-establish a just peace. What is just peace in cyber space? Can a pre-emptive strike for national interest be justified? 3) Need to weigh costs and benefits of involved in waging war (including human life and economic resources) There is need for immediacy in cyber warfare during counter attack. It is often difficult to make accurate assessment of the pros and cons prior to launching a counter attack. 4) Ensure that counter attack be proportional to the violence being encountered The concept of proportionality is based on assessment of damage, which often takes a long time to do in the cyber world. Due to the need of immediacy of reaction it is often difficult to ensure proportionality.
189

Forum_1.indd 189 Forum_1.indd 189

22.10.2014 13:40:31 22.10.2014 13:40:31


5) We must exhaust diplomatic options prior to violence. With ambiguity in attribution diplomatic wrangling can often be tedious and long drawn while need for response has urgency to repulse the attack (and cause collateral damage). Law of neutrality This law asserts that neutral countries should not allow their resource to be used by one country to attack another country. The fundamental problem with this is the weakness of cyber infrastructure of countries. Computers can be infiltrated without cognizance of neutral country to launch attack. Can we hold these countries responsible for the attacks launched by other countries especially if the neutral country does not have technical ability or resources to secure their networks to protect from such activities. Humanitarian Law There has been particular emphasis on application of the International Humanitarian Law (IHL) to cyber conflict. IHL defines a set of rules that limit the effects of armed conflict (LOAC) by protecting individuals who are not or are no longer participating in the hostilities and restricts the means and methods of warfare. While one may agree with the arguments being made, one should recognize the unique difference between the cyber and physical domains. In several instances the citizens of a country are involved in launching. It is also important to note that laws are subject to interpretation based on ones own point of view. They can be applied erroneously, misused for parochial reasons, or flouted by reasons of reciprocity on flimsy grounds. The laws need to be made such that they are unambiguous and enforceable. The attackers can use the cloak of anonymity that the Internet provides to camouflage their true identities. Therein lies the difficulty in enforcing the rules. There are several explicit factors that make enforceability and ambiguity issues hard to overcome. Ambiguity There has to be a common unambiguous definition of terms across the nations as we start harmonizing laws. For instance, there has often been a debate on the distinction between cyber crime, cyber warfare, and cyber terrorism. We can add one more term to this i.e. cyber activism. The tools and techniques are common across
190

Forum_1.indd 190 Forum_1.indd 190

22.10.2014 13:40:32 22.10.2014 13:40:32


all of these the difference lies in the actors and motivations behind these attacks. Cyber warfare is appropriate when state actors are involved and the motivation is achieve political objectives. Cyber warfare then becomes another weapon in the arsenal of countries that can be used in conflicts. For instance denial of service attacks have been used extensively during recent kinetic warfare incidents mainly for psychological impact and propaganda. When non-state actors are involved in attempting to influence political changes it is termed as cyber terrorism such as Al Qaeda attempting to influence young Muslims in the United States to join the jihad. Cyber activism occurs when social groups launch attacks in order to bring attention to social and political issues both within a country and across multiple countries. For instance activists in middleeast countries campaigning on social media for political change or hacking groups attacking organizations that supported the prosecution of Julian Assange. The fundamental problem in such definitions is in the differing perceptions. First the distinction between state and non-state actors is often blurred since the non-state actors often have tacit and financial support as well as patronage of government organizations. Non-governmental groups have been linked to governments in Iran, Russia, and China. It is very difficult to prove this nexus conclusively hence this ambiguity. Second the definition of terrorism differs based on perception -- a social activist for one country could be a terrorist for another country making the distinctions even fuzzier. Motive As the intelligence agencies and militaries of states are increasingly engaging in espionage and subversive activities against other nations in cyber space, distinction between cyber and cyber warfare is blurring. Given that it is difficult for the leadership of one state to distinguish whether attacks on a website or online theft of data are actions of individuals in another state who are motived by financial gain, political or religious ideology or actions taken by that state's intelligence agency or military, it is very difficult to differentiate potential acts of cyberwar from cybercrime -- hence motive is unclear. Attribution One of the largest challenges in enforcement of cyber warfare rules is attribution. Can we unambiguously identify the perpetra191

Forum_1.indd 191 Forum_1.indd 191

22.10.2014 13:40:32 22.10.2014 13:40:32


tors of a crime to be able to apply an international law. There are three categories of attribution problems. The first deals with attacks through the Internet which are the most notorious for lack of attribution. These attacks can be camouflaged due to the underlying architecture of the Internet that allows attackers to attack remotely by exploiting lack of security on many hosts allowing them to use machines in a third country for launching attacks. Without proper cooperation across borders or surveillance across borders, it is hard to have high confidence in attribution. The second problem deals with delivering attacks on secure systems through other media such as thumb drives, CDs and DVDs such as the Stuxnet worm introduced into Iranian nuclear facilities. For these secure systems forensics and intelligence should identify the source of the weapon. The third attribution issue is the malware in the hardware and software that is preloaded. Political will (Prior Efforts) There have been two mega efforts in order to create international laws for cyber space. The 2001 Council of Europe (CoE) Convention on Cybercrime1 (Budapest Treaty) entered into force in 2004, however, it has not been signed and ratified by several key CoE member states such as Russia and Turkey. Although the convention is open to non-CoE member states and several have ratified it (Australia, Japan and the United States), a total of only 382 of the 192 member states of the United Nations have acceded to the convention. The main point of contention is the reluctance of countries to provide unfettered access to law enforcement agencies of other countries. The Internet has no borders and in order for law enforcement authorities to successfully apprehend, prosecute and punish perpetrators of transnational cybercrimes, authorities must get unfettered access to track criminal activities across the entire Internet unfettered by states' jurisdictional boundaries. The justification for unfettered access is the volatility of data and delays in handing over investigations to law enforcement authorities of other countries. Opponents of unfettered access argue that it is a violation of sovereignty. The distrust among nations built through centuries of conflict and the wide diversity in societal norms is hard to bridge in a short time. At this point the Budapest Treaty has stagnated with minimal traction. In 2011, Russia released a
1 Convention on Cybercrime, CETS No.: 185 at: http://conventions.coe.int/ Treaty/Commun/QueVoulezVous.asp?NT=185&CL=ENG 2 See "chart of signatures and ratifications" at convention webpage above.

192

Forum_1.indd 192 Forum_1.indd 192

22.10.2014 13:40:32 22.10.2014 13:40:32


parallel treaty (eKaterinburg Treaty) that focuses on cyber warfare. Though it addresses the issues of cyber warfare, it did not have the traction to become universally acceptable because of geopolitics of cyber space. It has been morphed into the Shanghai Cooperative Organization declaration that defines fundamental principles for responsible behaviour in cyber space. There are two points to note: 1) Would a country like to be handicapped by agreeing to a treaty to not be able to deliver cyber weapons? 2) A cynical view would go so far as to state that the laws are for the weak countries they don't apply to the strong. Would the militarily stronger countries use these weapons and deny culpability while prosecuting the weaker ones based on ambiguity in attribution? Confidence building measures the goal of the international community may be to negotiate, sign and ratify a verifiable treaty that would limit the use and development of cyber warfare capabilities, similar to treaties that have limited the development and spread of nuclear, chemical and biological weapons. However, given the absence of credible legal instruments to protect against cyber warfare and difficulty in verifying compliance with treaties, international bodies are working arduously to create Confidence Building Measures (CBMs) in cyber space. The role of CBMs is to prevent unintended escalation of an incident by miscalculation, misperception, or misattribution of an incidence. Such measures for cyberspace would avoid a full-scale cyber war among nations and worse yes prevent precipitation of an innocuous incident into kinetic war. There are several different efforts underway to develop CBMs in the cyber arena. United Nations held a conference in 2012 to assess the role of Confidence Building Measures to assure stability in cyber space in 2012. OSCE adopted the first ever cyber/ ICT security related multilateral confidence-building measure in 2013. While non-binding and innocuous this shows a diplomatic momentum building towards a consensus in creating CBMs. This is going to be an extremely challenging task. CBMs are aligned along three primary dimensions, i.e., transparency, predictability, and verifiability. While this has worked in other avenues, i.e. nuclear, convention, and chemical warfare it needs to be evaluated for cyber warfare. Let us examine the typical CBMs from other domains.
193

Forum_1.indd 193 Forum_1.indd 193

22.10.2014 13:40:32 22.10.2014 13:40:32


1) Troop movements and exercises 2) Exchange of Information about assets 3) Exchange of personnel and joint exercises 4) Communication mechanisms to deescalate situations 5) Prohibited Weapons (For instance -- critical infrastructure) 6) Training and Education The hard truth is that each country is engaged in strategically positioning themselves for cyber warfare. Countries are redefining their military doctrines to include cyber warfare as a critical arena of conflict. The cost to acquire cyber weaponry is much lower than that for conventional weapons acquisition. Countries are considering cyber warfare as a way of balancing asymmetry in conventional weaponry. At the same time countries with favourable military strengths are investing heavily in both cyber offense and defence to ensure the continuation of asymmetry -- leading to the cyber arms race. Countries are blaming each other for activities that they are themselves engaged in. It is hard to build confidence at the same time as countries race forward to overtake each other in developing cyber weapons. Distrust lingering on from the cold war and the new developments in Ukraine do not help the cause of cooperation. It would be such a waste to see all the goodwill that we have built over the last 7 years to go to waste. I sincerely do hope we are all able to find common ground and a way move forward through the current geopolitics.

k

194

Forum_1.indd 194 Forum_1.indd 194

22.10.2014 13:40:32 22.10.2014 13:40:32







( , - , , , ..), , . , , , , , . , - , . , [1]. , , , , , . Stuxnet, Flame Duqu. Stuxnet , . , Stuxnet, , , . ,
195

Forum_1.indd 195 Forum_1.indd 195

22.10.2014 13:40:32 22.10.2014 13:40:32


, , , . USB- Windows, « »1. , , - . , , , , . , . , -- . . . , . , " " , , , . , , , , . , , , , , , , [2].
1 http://news.cnet.com/8301-1009_3-57560799-83/stuxnet-attacks-iran-againreports-say/

196

Forum_1.indd 196 Forum_1.indd 196

22.10.2014 13:40:32 22.10.2014 13:40:32


21

, , . , «» , . . , , , . , , Microsoft Windows Apple MacOS X , . . , , , , ,
2 1S. Bologna, ICS and Smart Grids Security Standards, Guidelines and Recommendations, presentation at ERNCIP conference, JRC Ispra, 2012

197

Forum_1.indd 197 Forum_1.indd 197

22.10.2014 13:40:32 22.10.2014 13:40:32


. , . , , Windows Mac OSX, ( ) ( ), . , (2009­2013) (ICS-CERT) , 2009­2013 . 2009 . (33,4%) (33,3%)3. 1 2010 . . 18 , 44% . 2010 ., Stuxnet, , (5,12% )4.2 2011 . 198, 81,41% , -- , , 5.3 , ICSCERT 2012 ( 2011. -- 2012.), , 2011 , -- 41% 6.4
3 1ICS ­CERT Incident Response Summary Report 2009-2011, available from: https://ics-cert.us-cert.gov/sites/default/files/documents/ICS-CERT%20Incident%20Response%20Summary%20Report%20(2009-2011)_accessible.pdf 4 2Ibidem. 5 3Ibidem. 6 4ICS-CERT Monthly Monitor Oct-Dec 2012, available from: http://ics-cert. us-cert.gov/pdf/ICS-CERT_Monthly_Monitor_Oct-Dec2012.pdf

198

Forum_1.indd 198 Forum_1.indd 198

22.10.2014 13:40:32 22.10.2014 13:40:32


(2012 .)

ICS-CERT 2013 ( 2012 -- 2013), - . - , 53% . -- , , - . , 2010 , , , .
199

Forum_1.indd 199 Forum_1.indd 199

22.10.2014 13:40:33 22.10.2014 13:40:33





, ( , ) , , «» , ( ). [3]:

·

/ ( ). · ( ) . · « ». · / . · /. · . · . · . · ( // ). · , , (, , , ..).

· · ·

(DDoS); ; , , ; · ( -- ); · / (, -- PLC);
200

Forum_1.indd 200 Forum_1.indd 200

22.10.2014 13:40:33 22.10.2014 13:40:33


·

( , , , ..); · ; · . ( ) , -- , . , , , , , . , , , .
,

, . , , , , , . -- , , . , , . , , . . , , (, ..), (, ,
201

Forum_1.indd 201 Forum_1.indd 201

22.10.2014 13:40:33 22.10.2014 13:40:33


..), / ( ). , , , (, « »), (, ), , (, / ). , . , [4]. . . ( ) , ,
202

Forum_1.indd 202 Forum_1.indd 202

22.10.2014 13:40:33 22.10.2014 13:40:33




. , . , . , , [5]. . , . . , , , [6]. . , 30 2009 .,
203

Forum_1.indd 203 Forum_1.indd 203

22.10.2014 13:40:33 22.10.2014 13:40:33


- (EP3R). EP3R : , , , , , , 1.


7 2013 « : , »2. 3, 4, 5. , . , : « , . .
7 1http://www.enisa.europa.eu/activities/Resilience-and-CIIP/public-privatepartnership/european-public-private-partnership-for-resilience-ep3r 8 2European Commission (2013), Cybersecurity Strategy of the European Union: an Open, Safe and Secure Cyberspace., available from: http://ec.europa.eu/dgs/homeaffairs/e-library/documents/policies/organized-crime-and-human-trafficking/ cybercrime/docs/join_2013_1_en.pdf 9 3Remarks by EU high representative Catherine Ashton at the at press conference on the launch of the EU's Cyber Security Strategy, February 7th 2013, available from: http://www.consilium.europa.eu/uedocs/cms_Data/docs/pressdata/EN/ foraff/135287.pdf 10 4Neelie Kroes, "Using cybersecurity to promote European values", speech at the at press conference on the launch of the EU's Cyber Security Strategy, February 7th 2013, available from: http://europa.eu/rapid/press-release_SPEECH-13104_en.htm 11 5Cecilia MalmstrÆm, "Stepping up the fight against cybercriminals to secure a free and open Internet", speech at the at press conference on the launch of the EU's Cyber Security Strategy, February 7th 2013, available from: http://europa.eu/rapid/ press-release_SPEECH-13-105_en.htm

204

Forum_1.indd 204 Forum_1.indd 204

22.10.2014 13:40:33 22.10.2014 13:40:33


-- . , . , . [...] . , , . -- . , »1. 12 2013 « »2. . 19 2013 3 ( 24 2013). . -, « », ( « »). « ». . -.
Neelie Kroes remarks, op. cit. 2Barack Obama, "Improving Critical Infrastructure Cybersecurity" Executive Order of February 12, 2013, available from: http://www.whitehouse.gov/the-pressoffice/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity 14 3Available at: http://www.gazzettaufficiale.it/atto/serie_generale/caricaDettaglioAtto/originario?atto.dataPubblicazioneGazzetta=2013-03-19&atto.codiceRed azionale=13A02504&elenco30giorni=true
13 121

205

Forum_1.indd 205 Forum_1.indd 205

22.10.2014 13:40:33 22.10.2014 13:40:33


2014 « »1 « »2. « » , , , - 24 2013 . , , , .
[1] Sandro Bologna, Alessandro Fasani, Maurizio Martellini: Cyber Security Deterrence and IT Protection for Critical Infrastructures, SpringerBriefs in Computer Science 2013, pp 57-72 [2] Paul Theron, Sandro Bologna: Critical Information Infrastructure Protection and Resilience in the ICT Sector, Book, IGI Global, 2013. [3] Sandro Bologna, Stefano Mele, Alessandro Lazari, "Improving Critical Infrastructure Protection and Resilience against Terrorism Cyber Threats", NATO Advanced Research Workshop Managing Terrorism Threats to Critical Infrastructure -- Challenges for South Eastern Europe" Belgrade, Serbia, May, 2014. [4] General Dynamics 2010, Defending against cyber attacks with session-level network security. [5] Ann Coos, Ronald Bearse, 2013, Strengthening Resilience of the Nation's Most Important Asset: People, The CIP Report, December 2013. [6] Wayne Boone, 2014, Functional Resilience: The "Business End" of Organizational Resilience, The CIP Report, January 2014.
1Available at: http://www.sicurezzanazionale.gov.it/sisr.nsf/wp-content/ uploads/2014/02/italian-national-strategic-framework-for-cyberspace-security.pdf 162 Available at: http://www.sicurezzanazionale.gov.it/sisr.nsf/wp-content/ uploads/2014/02/italian-national-cyber-security-plan.pdf
15

206

Forum_1.indd 206 Forum_1.indd 206

22.10.2014 13:40:34 22.10.2014 13:40:34


Dr. Sandro Bologna
Italian Association of Critical Infrastructure Experts

Cyber Security and Resilience of Industrial Control Systems

Industrial Control Systems and Implications for Security Industrial Control Systems are an important part of the core of any Technological Infrastructure (Electricity Grid, Oil and Gas Transmission Grids, Telecommunication Networks, Financial Systems, etc..) and thus they need to be constantly secured in order to work properly and without consequences in case of attacks and incidents. Industrial Control Systems and their components control different kind of infrastructures, from energy production, to manufacturing and water treatment, and they are obviously critical to the operation of infrastructures that are often highly interconnected and mutually dependent systems. It's straightforward to say that being able to control any part of an Industrial Control System permits the manipulation of the mechanisms of an infrastructure. There is no doubt that cyber attacks are the most common and most costly attacks in Industrial Control Systems [1]. Producing comprehensive lists of cyber attacks is not an easy task because, generally, government agencies, national critical infrastructures, large-scale laboratories and other critical actors do not tend to disclose whether a cyber attack has taken place neither the details of it. Among the most popular and recent, are: Stuxnet, Flame and Duqu. Among these attacks only Stuxnet was aimed to causing damage to the target infrastructure, while the others were used for espionage. Indeed, Stuxnet is believed to be the first malware targeted specifically at critical infrastructure systems. It's thought to have been designed to shut down centrifuges at Iran's Natanz uranium enrichment plant, where stoppages and other problems reportedly occurred around that time. The sophisticated worm spreads via USB drives and through four previously unknown holes, known as zero-day vulnerabilities, in Windows.1 The first response against cyber threats has been focused on their technical side, investing in security measures such as firewalls, an1 http://news.cnet.com/8301-1009_3-57560799-83/stuxnet-attacks-iran-againreports-say/

207

Forum_1.indd 207 Forum_1.indd 207

22.10.2014 13:40:34 22.10.2014 13:40:34


tivirus and other software/hardware intrusion-detection solutions. However, there is a growing understanding that this problem cannot be dealt on a technical and operational level only, as, nowadays, many of the aforementioned technical solutions have proven to be ineffective or insufficient if not integrated with redundancyoriented solution. It is easy to get lost on the enormity of a security solution, but it doesn't have to be that way. Yes, there are answers and it starts with technology. But technology ends up being a solid tool. In the end, people wield the power. That means security culture must be on a par with safety effectively protect against cyber attacks.

Seven Layer Physical ICS Architecture2

1

Resilience, commonly intended as the capability of the infrastructures or service to rapidly "bounce back" after an attack or to absorb and frustrate its potential, is now deemed an economically justified policy in complement of existing prevention and protection policies that stand as the pillars of current Critical Infrastructure Protection programs. Such new approach is increasingly important especially since cyber attacks have multiplied in recent years increasing the fear of global digital-breakdowns, deviation of use and general distrust of many services essential to the modern society.
2 S. Bologna, ICS and Smart Grids Security Standards, Guidelines and Recommendations, presentation at ERNCIP conference, JRC Ispra, 2012

208

Forum_1.indd 208 Forum_1.indd 208

22.10.2014 13:40:34 22.10.2014 13:40:34


Resilience is an engineered aptitude, embedded in the infrastructures' protection and management lifecycle, that allows complex systems to survive to different kind of attacks or to diminish their impacts, and consequently incidents that occur despite defence barriers crafted into those systems [2]. For this reason, it is mandatory that awareness should be raised in the knowledge of what the cyber security of Industrial Control System is, and in this sense, understanding what the potential consequences of adopting a loose cyber security methods could be is pivotal. Of course, the term "cyber security" encompasses both deliberate attacks from the outside and inside, and the unintentional misuse of the systems. A point that is really important to stress is the difference between an Industrial Control System and a Corporate Information System. Both can be targets of cyber attacks, but they have different nature and so the attacks and the consequences. One of the main differences is that Operating Systems such as Microsoft Windows or Apple Mac OSX are available to anyone and so relatively easy to study and analyze, due to the wider audience of consumers and users. ICS are a different thing. They are more difficult to acquire since they serve a limited scope of consumers, mainly industrials, and in order to perform an attack on those, a deep practical knowledge on both hardware and software is needed; also it is worth mentioning that there are multiple producers and vendors, differencing system from system. In contrast to a cyber attack against retail operating systems that is widespread because many systems and networks depend on them -- Windows or Mac OSX, for example -- and their flaws, an attack to a specific Industrial Control System is based on a deep knowledge on that specific system, with its own peculiarities. Analysis of sectors targeted by cyberattacks (2009­2013) The United States Industrial Control Systems Cyber Emergency Response Team (ICS- CERT) performed a research on the 20092013 period to see the trends in cyber attacks as regards the sectors that have been attacked. In 2009, the number of reported incidents was nine. The most attacked sectors were Water (3,34%) and Energy (3,33%)3.1

3 1 ICS ­CERT Incident Response Summary Report 2009-2011, available from: https://ics-cert.us-cert.gov/sites/default/files/documents/ICS-CERT%20Incident%20Response%20Summary%20Report%20(2009-2011)_accessible.pdf

209

Forum_1.indd 209 Forum_1.indd 209

22.10.2014 13:40:34 22.10.2014 13:40:34


In 2010 the number of reported incidents increased forty-one, with Energy as the leading sector with the 18, 44% of the total attacked. In 2010 the Nuclear sector was among those attacked with 5,12% due to the discovery of Stuxnet4.1 At the end of 2011 the reported incidents skyrocketed to 198, with 81,41% of them directed to the Water sector, followed by Energy, Nuclear, Government Facilities and Chemical5.2 Surprisingly, according to the ICS-CERT Operational Review of the fiscal year 2012 (October 2011­September 2012) the number of reported attacks is almost the same as in 2011, but with a complete change in the most attacked sector, that's to say energy, with 41% of the total reports6.3

Incident reports by sector (2012)

According to the ICS-CERT Operational Review of the first half of fiscal year 2013 (October 2012 -- May 2013) the number of reported attacks is still increased with no change in the most attacked sector, that's to say energy, with 53% Given the fact that the above analyses encompasses only the incident reports of cyber attacks towards Critical Infrastructures that took place in the United States, it's not possible to draw any
1Ibidem. 2Ibidem. 6 3ICS-CERT Monthly Monitor Oct-Dec 2012, available from: http://ics-cert. us-cert.gov/pdf/ICS-CERT_Monthly_Monitor_Oct-Dec2012.pdf
5 4

210

Forum_1.indd 210 Forum_1.indd 210

22.10.2014 13:40:34 22.10.2014 13:40:34


general conclusion. However it's interesting to point out how the number of incidents related to cyber attacks, and also the sectors involved, increased substantially from 2010 onwards.

Energy is the most targeted sector

Common vulnerabilities and methods of attack
Vulnerabilities

the reason why the operators of cyber infrastructures -- or infrastructures that rely on IT systems -- should increase their focus on resilience is quickly explained if considering all of the "known" vulnerabilities and methods of attack that can negatively affect the lifecycle of cyber systems (and services depending on those systems). The most recurring vulnerabilities and attacks can be briefly summarized in the following lists [3]:
Vulnerabilities
· · · ·

Intrinsic software/hardware vulnerability (by design); Lack of (physical and logical) protection measures; 0-day vulnerabilities; Misconfiguration/incompatibility of the components of a system; · Lack of software/hardware updates or updates not properly tested before installation/implementation; · Unpreparedness of the system administrators; · Lack of training of the users of the system; · Obsolescence of the infrastructure or of part of the systems; · Flaws in the corporate IT policy (credentials still active even after retiremet/resignement/dismissal of employees);
211

Forum_1.indd 211 Forum_1.indd 211

22.10.2014 13:40:34 22.10.2014 13:40:34


·

Underestimation of risks deriving from physical vulnerabilities of facilities that hosts cyber systems (e.g. exposed to flooding, wilful acts, etc.).
Attacks
· · · ·

Distributed denial-of-service; Network intrusions; Malware, trojan horse, backdoors; Targeting of specific users (administrators -- key position's operator); · Targeting of specific equipment/devices (e.g. Programmable logic controller -- PLC); · Total or partial destruction of the systems (e.g. fire, explosion, etc.); · Social engineering; · Insiders. Both the aforementioned categories have increased in importance (and capability to harm cyber systems) due to the massive adoption of technologies in all of the corporate and public sectors and due to the light-speed evolution of the market competition -- circumstance that in some case is forcing the technology vendors to sell "notfully-tested" equipment. It can be affirmed that the adoption of resilience measures seems to be justified by the same variables that a long time ago have suggested the adoption of protection measures and from the awareness that there's no resilience without protection and viceversa. At the same time, it's necessary to highlight that the adoption of resilience measures shouldn't in any case divert or reduce the focus from protection, as these approaches are complementary and cannot be equally missing from the management and security lifecycle of modern infrastructures. The resilience approach past and recent experiences have shown how likely is that protection policies, sooner or later, may fail. For this reason, and being aware of the fact that the efforts put in place for protection of CIIs can be easily bypassed, all of the stakeholders involved in the security of such delicate and vital infrastructure are strongly suggested to put more emphasis on critical infrastructure resilience. A Critical Infrastructure is not only made of technologies but especially of people, processes and organizations. The Risk Analysis
212

Forum_1.indd 212 Forum_1.indd 212

22.10.2014 13:40:34 22.10.2014 13:40:34


and Risk Management must take in consideration all these components, plus cultural background, to be complete and successful.

With the clear intention of proposing an embryonic approach for establishing a cyber resilience policy, it can be said that such policy should based on four lines of defence. The first line of defence is at technical and physical level. Physical and technical resilience describe what the Critical Infrastructure has, in terms of implemented tangible safeguards to deter or slow down an adversary (fences, locks, bars, etc.), detect an attack (guards, sensors, electronic access control systems, etc.), and/or to mitigate vulnerabilities (shortcomings or weaknesses in the security posture). Traditional network security controls like firewall, intrusion prevention system, and anti-virus are widely deployed and adequate to keep known threats at bay, but are insufficient to mitigate the risk that is unknown (eg. 0-day vulnerabilities), unperceived (eg. lack of training or the presence of insiders) or that can be properly addressed (eg. software/hardware limits or the infrastructure's obsolescence). These legacy controls are often the key line in defense against these evolved threat actors, many of whom have access to sophisticated R&D resources. While the adversary innovates, in fact, the majority of security infrastructures continue to use dated technology as their primary defence [4].
213

Forum_1.indd 213 Forum_1.indd 213

22.10.2014 13:40:35 22.10.2014 13:40:35


Four lines of defense for modern resilience The second line of defence is at personal level. Personal resilience is a critical component of systems' resilience. The personal resilience gap of greatest concern is not in defining employer-specific roles and responsibilities an employee has in an emergency. It lies in the employees' own personal preparedness so the employees are available more quickly and with better focus to the organization that relies on them to carry out their emergency roles and responsibilities when emergencies occur. Creating a company's culture of resilience it's already an urgent need that will require to change the way companies perceive themselves in relation to a disaster or an emergency. In an increasingly volatile and uncertain world, one of the greatest assets an organization can have is the agility to survive unexpected emergency situations [5]. The third line of defence is at organizational level. It is suggested that organizational resilience is best achieved through a systematic decomposition of its elements, based on discernible criteria. This breakdown isolates each of the components and facilitates the identification of key attributes or characteristics. The major pillars of organizational resilience are technical resilience and personal resilience, as described above, and functional resilience intended as a clear responsibility and definition of what to do and who does it [6]. A fourth line of defence is the establishment of collaboration and partnership among different stakeholders. In Europe, the European Public Private Partnership for Resilience (EP3R) was estab214

Forum_1.indd 214 Forum_1.indd 214

22.10.2014 13:40:35 22.10.2014 13:40:35


lished as a follow-up to the policy initiative on Critical Information Infrastructure Protection (CIIP) adopted by the European Commission on 30 March 2009. The objectives of EP3R are to support Information sharing and stock taking of good policy and industrial practices, and foster common understanding, discuss public policy priorities, objectives and measures, improve the coherence and coordination of policies for security and resilience in Europe and identify and promote the adoption of good baseline practices for security and resilience7.1 International approaches on resilience On February 7th 2013, the "Cybersecurity Strategy of the European Union: an Open, Safe, and Secure Cyberspace"82 was presented through a press conference with the important remarks of Catherine Ashton9,3 EU high representative, Neelie 4Kroes10, Vice-President of the European Commission responsible for the Digital Agenda and Cecilia MalmstrÆm11,5 EU Commissioner for Home Affairs. The remarks revolve around the fact that we rely on cyberspace in almost every sector of our lives, and thus the importance of defending it from cyber attacks. Neelie Kroes underlines one of the critical point of the EU Strategy, that's to say cyber resilience: "We need to protect our networks and systems, and make them resilient. That can only happen when all actors play their part and take up their responsibilities. Cyber threats are not contained to national borders: nor should cyber security be. So our strategy is accompanied by a proposed Directive to strengthen
7 1http://www.enisa.europa.eu/activities/Resilience-and-CIIP/public-privatepartnership/european-public-private-partnership-for-resilience-ep3r 8 2European Commission (2013), Cybersecurity Strategy of the European Union: an Open, Safe and Secure Cyberspace., available from: http://ec.europa.eu/dgs/homeaffairs/e-library/documents/policies/organized-crime-and-human-trafficking/ cybercrime/docs/join_2013_1_en.pdf 9 3Remarks by EU high representative Catherine Ashton at the at press conference on the launch of the EU's Cyber Security Strategy, February 7th 2013, available from: http://www.consilium.europa.eu/uedocs/cms_Data/docs/pressdata/EN/ foraff/135287.pdf 10 4Neelie Kroes, "Using cybersecurity to promote European values", speech at the at press conference on the launch of the EU's Cyber Security Strategy, February 7th 2013, available from: http://europa.eu/rapid/press-release_SPEECH-13104_en.htm 11 5Cecilia MalmstrÆm, "Stepping up the fight against cybercriminals to secure a free and open Internet", speech at the at press conference on the launch of the EU's Cyber Security Strategy, February 7th 2013, available from: http://europa.eu/rapid/ press-release_SPEECH-13-105_en.htm

215

Forum_1.indd 215 Forum_1.indd 215

22.10.2014 13:40:35 22.10.2014 13:40:35


cyber-resilience within our single market. It will ensure companies take the measures needed for safe, stable networks. [...] Europe needs resilient systems and networks. Failing to act would impose significant costs: on consumers, on businesses, on society. A single cyber incident can cost from tens of thousands of euros for a small business -- to millions for a large-scale data breach. Yet the majority of them could be prevented just by users taking simple and cheap measures."121 On 12th February 2013, the president of the United States Barack Obama issued an Executive Order entitled "Improving Critical Infrastructure Cyber security"13,2 which has similar contents and measures to those included in the Cyber security strategy of the European Union. On March 19th, 2013 the much awaited and coveted Cyber security Decree143 (DPCM January 24th, 2013) was published in the Italian Official Gazzette. The Decree sets forth the new government architecture that is entrusted with the task of facing potential cyber security threats in Italy. The Prime Minister is at the top of the organisational structure established by the Decree along with the "Committee for the Security of the Italian Republic" (CISR), which has the task of defining national security strategy (the so-called "National Cyber Security Strategy"). A "collegial co-ordination body" supports the first level of such organizational structure. The collegial co-ordination body is chaired by the Director General of the Department for Information Security (DIS). The Military Adviser assisting the Prime Minister also attends the meetings of the collegial co-ordination body. On February 2014 the Italian Presidency of Council of Ministers has publically released the "National Strategic Framework for Cyberspace Security"154 and the "National Plan for Cyberspace Protection and ICT Security"16.5 The National Cyber security Strategic Framework sets out the strategic guidelines that must be pursued through a joint effort and
1Neelie Kroes remarks, op. cit. 2Barack Obama, "Improving Critical Infrastructure Cybersecurity" Executive Order of February 12, 2013, available from: http://www.whitehouse.gov/the-pressoffice/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity 143 Available at: http://www.gazzettaufficiale.it/atto/serie_generale/caricaDettaglioAtto/originario?atto.dataPubblicazioneGazzetta=2013-03-19&atto.codiceRedaz ionale=13A02504&elenco30giorni=true 15 4Available at: http://www.sicurezzanazionale.gov.it/sisr.nsf/wp-content/ uploads/2014/02/italian-national-strategic-framework-for-cyberspace-security.pdf 16 5Available at: http://www.sicurezzanazionale.gov.it/sisr.nsf/wp-content/ uploads/2014/02/italian-national-cyber-security-plan.pdf
13 12

216

Forum_1.indd 216 Forum_1.indd 216

22.10.2014 13:40:35 22.10.2014 13:40:35


a coordinated approach of all key stakeholders of the national cyber security architecture identified by the Prime Minister's Decree of the 24th January 2013, under the coordination and guidance of the Committee for the Security of the Republic. Undoubtedly, this is a sign of how an important challenge the cyber security of Critical Infrastructures -- and of their ICS -- is becoming in different contexts. References
[1] Sandro Bologna, Alessandro Fasani, Maurizio Martellini: Cyber Security Deterrence and IT Protection for Critical Infrastructures, SpringerBriefs in Computer Science 2013, pp 57-72 [2] Paul Theron, Sandro Bologna: Critical Information Infrastructure Protection and Resilience in the ICT Sector, Book, IGI Global, 2013. [3] Sandro Bologna, Stefano Mele, Alessandro Lazari, "Improving Critical Infrastructure Protection and Resilience against Terrorism Cyber Threats", NATO Advanced Research Workshop Managing Terrorism Threats to Critical Infrastructure -- Challenges for South Eastern Europe" Belgrade, Serbia, May, 2014. [4] General Dynamics 2010, Defending against cyber attacks with session-level network security. [5] Ann Coos, Ronald Bearse, 2013, Strengthening Resilience of the Nation's Most Important Asset: People, The CIP Report, December 2013. [6] Wayne Boone, 2014, Functional Resilience: The "Business End" of Organizational Resilience, The CIP Report, January 2014.

217

Forum_1.indd 217 Forum_1.indd 217

22.10.2014 13:40:35 22.10.2014 13:40:35


..



, - (). , , , . -- , , , . , . , . , , . , , , , (, ..), . , . . , . , . (, Microsoft), (, , ( )), . , , . : 218

Forum_1.indd 218 Forum_1.indd 218

22.10.2014 13:40:35 22.10.2014 13:40:35


, , .. ( ), , , . , , , , , , , , , . ? , , , , . . , - , , . , , . , , , , (, , ). , -- , , , .. , , . , ( ), , . , , (), . , 219

Forum_1.indd 219 Forum_1.indd 219

22.10.2014 13:40:35 22.10.2014 13:40:35


: « » « , , , , , , , ». , , , -. -- . . , , , . , , . , , , . , . ( - ), . () ( , ), . , . , , , -. , . , , . . , , -, . , , ( ) 220

Forum_1.indd 220 Forum_1.indd 220

22.10.2014 13:40:35 22.10.2014 13:40:35


. , . , , . , . , , . 2009 Ericsson , 2020 50 . , ( 2 -- ). « ». -- , 2012 . , . , , , . , , RFID, .. , - . , , . , , . . , . . , , , -- - -- . , ( « », « », «
221

Forum_1.indd 221 Forum_1.indd 221

22.10.2014 13:40:35 22.10.2014 13:40:35


») . , , . , , . . , , -- , . . , . , , , , . , , , , -- , . -- -- . , . , « - ». . . ? , , . , . , -. . , , . , , . , 222

Forum_1.indd 222 Forum_1.indd 222

22.10.2014 13:40:36 22.10.2014 13:40:36


. -- - . , , , .. -- , . . -- . «», . TheWallStreetJournal, , , . ( ) . , . . . - «» , , . , , «» . , , . -- . . , . -, , - . . , , . , , , . , , - ( ). --
223

Forum_1.indd 223 Forum_1.indd 223

22.10.2014 13:40:36 22.10.2014 13:40:36


, . , .. , , - . . , , , -- 90%. .

k

224

Forum_1.indd 224 Forum_1.indd 224

22.10.2014 13:40:36 22.10.2014 13:40:36


A.N.Kurbatskiy
Belarus State University

Personal information security and the rules of conduct in information space
It seems that the world got too much carried away by globalization and rapid development of civil society by means of new information and communication technologies (ICT). We act as a foolish vanguard in battle, the one that forgets about back areas while trying to achieve victory as quickly as possible. We tend to forget about our back areas -- nation states, specifics of national mentality, culture and education. But we must remember how such unprepared offense usually ends up. Of course, civil society should be developed, but ICTs provide only the prerequisite environment and the rate of ICT development cannot be rigidly linked with the rate of society development. In particular, we are quickly immersing in a virtual world, but as it turned out, are not ready for such a dive and do not care about personal information security. Traditionally, we are accustomed to the need to ensure information security of the state, information security of big, especially transnational, business (corporations, holdings, etc.), whereas personal information security remains in the shadows. In both real and virtual world there should be certain social regulators of behavior. In fact, attempts to adopt such rules have taken place since the inception of the Internet. Unfortunately for the time being they have not been very efficient. And at the same time it is good that the issues of rules of conduct have become a subject of a very active discussion. There are a number of proposals on the rules of conduct set forward by business (for example, Microsoft), by states and groups of states (Russia, SCO, NATO (Tallinn draft)), by UN Secretary General Group of Governmental Experts. Many experts, being in opposition to the national boundaries of the Internet, warn that it is potentially dangerous to adopt such rules of conduct for the Internet. It would be valid if the Internet was simply an environment for communication, however it is an environment for business, educational process, e-government services, etc. In this environment we increasingly frequently exercise a number of state functions (regulations), which also tend to be within national framework. It can be said that the states
225

Forum_1.indd 225 Forum_1.indd 225

22.10.2014 13:40:36 22.10.2014 13:40:36


were too late in assessing the importance of the Internet and the virtual space for society and individuals; while business, especially transnational, appeared at the forefront, but unfortunately, only in terms of profit. Who should actively formulate the rules? First of all, experts on behalf of government, society, and business. Let's recall history. At an early stage the Internet was created, formed and developed by a relatively narrow scientific and expert community with its fairly well-established rules and regulations, which as a matter of fact also functioned automatically in the emerging cyberspace. Basic technological architecture of the Internet was originally based on self-regulation which did not imply special hierarchy of management and identification of individuals receiving and transmitting information. But then, due to rapid growth of the Internet user base, it had become a global infrastructure for cross-border information exchange; global virtual space emerged, but basic technological features had not been fundamentally changed, only modified for the ease of use by millions of users (who certainly are not experts). If we recall, in a traditional society the rules of conduct were in fact also formed in the environment of experts -- whether that be a religious or university environment, or the environment of urban artisans, united in a guild, etc. That what is suitable for the expert community is usually not directly suitable for the whole society. Expert community is rarely independent (even if we are talking about the expert community of a rather conditionally independent civil society), it substantially depends on either state or business. Taking into consideration that virtual space is largely transboundary, it would be appropriate to form the corresponding expert environment as international one, under the auspices of reputable international organizations (UN), including experts from all stakeholders. One can fully agree with the wording developed by the UN Secretary General Working Group on Internet Governance: "Internet governance is the development and application by Governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet." It is important to strive that the opinion of expert community has a greater impact on opinion of both the governmental bodies, and influential business structures. We are wasting our time discussing whether or not there should be rules in virtual space. In the real world the state to a large extent
226

Forum_1.indd 226 Forum_1.indd 226

22.10.2014 13:40:36 22.10.2014 13:40:36


took upon itself the implementation and maintenance of rules. The young generation resides in the virtual world almost without any rules, and accordingly, personal information security is not provided. And the time passes very quickly, youth is gone quickly and generations change quickly. Unfortunately, many changes are occurring so rapidly that we have no time to keep track of them, and we live enthralled by illusions. For example, today there exist no student groups in traditional sense (on a massive scale). Youth relations in social networks of virtual space are often much more important (to large extent due to virtual convenience) than relations within the same student group. If we recall the process of forming of national (country-specific) elite (and as a consequence, of expert community), student groups in universities have always been an essential mechanism of this process. It is clear that rules and regulations can be viewed from the standpoint of information security of global network. Information security becomes a unique instrument of in essence forced action against citizens, groups of citizens, non-governmental organizations, undesirable business structures. But the same applies to unwanted states or groups of states. Once again without clear rules and regulations, there is a high degree of anonymity of such actions. Nowadays there are a lot of discussions about corporate social responsibility. Of course, it would be ideal if business was more socially responsible for its ICT products, including the development of virtual space. But unfortunately too hyped up (sometimes certainly artificially) competition for profit in the ICT sector will not provide a solution to this problem within a reasonable timeframe. New ICTs create new global initiatives in the form of complex global projects, which include a number of integrated ICTs. We often cannot guarantee the security of a standalone ICT, let alone if they are integrated. And while a lot of resources are spent on functionality prediction of such projects, security research is given whatever funds remain. Let's recall, for example, the Internet of things. Back in mid2009, Ericsson corporation announced a forecast that by 2020 some 50 billion different electronic devices in the world will have Internet connection. Naturally, the vast majority of them will work without human intervention (over M2M -- interface). Essentially, the Internet will become the «Internet of things». In this regard, the US National Strategy for Global Supply Chain Security, adopted in January 2012, is also interesting. From a technological point of view we can say that this strategy fits into the Internet of Things.
227

Forum_1.indd 227 Forum_1.indd 227

22.10.2014 13:40:36 22.10.2014 13:40:36


One of the main goals of this strategy is development of an integrated worldwide network of transportation, postal routes, facilities and infrastructures which facilitate the delivery of goods from point of production to the end consumer. Technologically, it is a combination of navigation technologies, RFID, Internet, etc. In terms of functional utility these trends are more or less clear. But it is not clear how to solve the issues of information security, in particular of personal information security. It is not clear how the reliability of Internet-connected instruments and devices would be provided on such a scale. What will happen with huge amount of information accumulated by these devices on the Internet? And this information will be directly or indirectly attributed to specific people. Again, it is the issue of personal information security. And the issue is not only about the obvious possibility that such information may be used by secret services, as David Petraeus, the head of the CIA, once said -- the new online devices are a treasure trove of data for the Agency. Such global initiatives as the Internet of things (and with it -- «smart home», «smart transportation», «smart city») will lead to more mass-produced software. This process will involve millions of new programmers with, as a rule, insufficient level of training. Clearly, to ensure the security of global initiatives for society and individuals we need secure and reliable software. But for time being these qualities cannot be guaranteed on a large scale. As of now there are no technologies and methods that would allow fast and, more importantly for business -- inexpensive production of reliable and secure software. In the world there are giant conveyors for software production that do not provide proper safety and reliability. Errors in software can lead to damage, which greatly exceeds the effect of their use. If we exaggerate a little, we can say that the safety of individuals, society and the state becomes increasingly dependent on software. It is quite obvious that today in such a dynamic time to become a business leader it is necessary to act outside the rules, break them -- and it is unlikely that business will actively implement rules and regulations in virtual space. To formulate the norm is not enough -- it has to be implemented -- and this process is very time consuming and expensive. And these costs can reduce the competitiveness of business, the goal of which is almost always to maximize profits. In this regard, it is better to look to the nation-states, as they retain national boundaries and «at least some rules of behavior in the real world».
228

Forum_1.indd 228 Forum_1.indd 228

22.10.2014 13:40:36 22.10.2014 13:40:36


Personal information security is closely associated with the rules of behavior in the virtual space. The rapid development of ICTs and globalization accelerate the transparency of individual in the virtual space. Are we ready for such transparency? Practically not, as in fact there exists no reasonable ensuring of personal information security. Changes on a global scale can happen a lot faster than one can think. Now we can see a clearly visible trend that more and more personal information is stored in online profiles. Personal life ceases to be personal. This trend is actively promoted by both ICTs and policies of ICT companies. See if we can use tablets completely offline, the same way we would use a laptop ten years ago. There is no guarantee that tablets provide personal information security. It is virtually impossible to use it offline for a long period of time -- its standard operating system constantly requires adjustments. Installed applications also constantly require adjustments, updates etc. If you don't make these adjustments -- there is no guarantee that at one point application or operating system will not lock up. All this entails you to be connected to the global network at least occasionally. And any connection means the possibility of personal information security violation. People should not be «crossed up» by not ensuring their personal information security. As Eric Schmidt said in an interview to The Wall Street Journal, upon reaching adulthood many of today's teens will have to change their names, because the young people of today describe each their step in social networks, almost unaware of the consequences of their actions. It is adult generation (which is responsible for the development of virtual space) that crosses these adolescents up. To great degree this is a question of education and training, and they increasingly retreat to virtual space. And therefore we need rules and norms of behavior. Nowadays, however, traditional norms of behavior are being rapidly broken up as well. Norms somehow «bond» the society; otherwise it will fragment into individuals who may eventually cease to be personalities. In fact, we can destroy the very concept of society, if we go «too far» with individualization. For the time being virtual space greatly contributes to individualization -- although not through development of abilities, but the other way around. On the Internet, we may at any time withdraw from communication -- that does not happen in regular society. As a result of accelerated fragmentation into loosely connected communities, it is difficult to propagate norms of behavior. It is likely that today voluntary codes of conduct will be insufficient. We require a com229

Forum_1.indd 229 Forum_1.indd 229

22.10.2014 13:40:36 22.10.2014 13:40:36


bination of organizational, legal, technical, technological, social and moral practices. Yet another aspect of personal information security. We have been given unsupervised access to a huge flow of information, and it brings, as it would seem, a huge potential for development. But we equally poorly study and teach how one should process this information, what should and what should not be believed. Previously, when the information was distributed by mass-media, it was somehow examined (censorship is also a kind of expertise). And now we do not know the real motives of the author of information, but due to traditions often believe it. And how in this case can we trust information about health or treatment, etc. Only experts with corresponding expertise are somehow able to determine the accuracy of the information. There are also examples of greatly inefficient straightforward use of information from Wikipedia in education. Speaking about the similarity of ethics in everyday life and in virtual space, one must not forget that in the course of an ordinary communication there is a fraction of anonymity, while during virtual communication -- it can reach up to 90%. And there is no factor of accountability for actions.

230

Forum_1.indd 230 Forum_1.indd 230

22.10.2014 13:40:36 22.10.2014 13:40:36



,

-
, . , , , . , . , -, , , . . . , , , . , . 2013 . , , , . - , , . 1996 66% ,
231

Forum_1.indd 231 Forum_1.indd 231

22.10.2014 13:40:37 22.10.2014 13:40:37


2012 12%1. , 2012 32%2. . «» , , , , . , , , . . , - . , , . , -- « »3. . , , , , 4, , 1 "State of the Internet in Q3 2012", comScore, December 5, 2012, http://www. comscore.com/Insights/Presentations_and_Whitepapers/2012/State_of_the_Internet_in_Q3_2012 2 "State of the Internet in Q1 2012", comScore, available at http://www.slideshare.net/alcancemg/state-of-theinternetq12012webinar-copy 3 BÈrÈnice Darnault, "Why the EU response to NSA leaks is contradictory", The World Outline, October 28, 2013, http://theworldoutline.com/2013/10/eusresponse-nsa-leaks-spying-scandal-contradictory/ 4 "Guardian worldview at root of national security row", The Commentator, October 10, 2013, http://www.thecommentator.com/article/4250/guardian_worldview_at_root_of_national_security_row

232

Forum_1.indd 232 Forum_1.indd 232

22.10.2014 13:40:37 22.10.2014 13:40:37


, . , , Guardian, -- . , , . , ( , , ) , . : , , ; , , , . , , , . , - , , , , , . , , () . 2013 233

Forum_1.indd 233 Forum_1.indd 233

22.10.2014 13:40:37 22.10.2014 13:40:37


, , () 5,1 «»6.2 , 2013 , , 7. 3 , «Handygate», . , . , , , 8.4 , , 1961 . 9. 5 , , , «
5 1 Carstens, Peter, "Pofalla: Amerikaner und Briten halten sich an deutsches Recht", Frankfurter Allgemeine Zeitung, August 1, 2013, http://www.faz.net/aktuell/politik/inland/spaehaffaere-pofalla-amerikaner-und-briten-halten-sich-andeutsches-recht-12528037.html 6 2 "Pofalla erklÄrt NSA-AffÄre fÝr beendet", Die Zeit, August 12, 2013, http:// www.zeit.de/politik/deutschland/2013-08/nsa-bnd-pofalla--bundestag-spaehaffaere-snowden-abkommen 7 3 "Zu Informationen, dass das Mobiltelefon der Bundeskanzlerin mÆglicherweise durch amerikanische Dienste Ýberwacht wird", Bundesregierung Pressemitteilung, October 23, 2013, http://www.bundesregierung.de/Content/DE/Pressemitteilungen/BPA/2013/10/2013-10-23-merkel-handyueberwachung.html 8 4 Smale, Alison, "Anger Growing Among Allies on U.S. Spying", The New York Times. October 23, 2013, http://www.nytimes.com/2013/10/24/world/europe/united-states-disputes-reports-of-wiretapping-in-Europe.html?_r=0 9 5 Troianovski, Anton, "Germany Warns of Repercussions from U.S. Spying", The Wall Street Journal, October 28, 2013, http://online.wsj.com/news/articles/SB 10001424052702304200804579163760331107226

234

Forum_1.indd 234 Forum_1.indd 234

22.10.2014 13:40:37 22.10.2014 13:40:37


, , , »10. 1 - . , , , . , , , , , , 11.2 , -. , -, , . -, «the Guardian» . 12,3 , 13. 4 , , «the
10 1 Anton Troianovski, "Germany to Boost Anti-Spy Efforts", Wall Street Journal, November 20, 2013, http://online.wsj.com/news/articles/SB100014240527023 04791704579209740311164308 11 2 "Power and Commerce in the Internet Age", Chatham House, London, November 25-26 2013, available at http://www.chathamhouse. org/Internet2013/agenda 12 3 Intelligence and Security Committee open evidence session, November 7, 2013, UK Parliament website, http://www.parliamentlive.tv/Main/Player. aspx?meetingId=14146 13 4 Catherine A. Traywick, "British Spies Aren't James Bonds, and 7 Other Things We Learned from Britain's Landmark Intelligence Hearing", Foreign Policy, November 7, 2013, http://blog.foreignpolicy.com/posts/2013/11/07/british_spies_ arent_james_bonds_and_7_other_things_we_learned_from_the_uks_landmar

235

Forum_1.indd 235 Forum_1.indd 235

22.10.2014 13:40:37 22.10.2014 13:40:37


Guardian»14. 1 - . , « 60%» , , , . , « »15.2 , , -- - 16 --3 , 17. 4 , . Financial Times: « ... , . ... , , -- . 2005 , »18.5

14 1Andrew Sparrow, "Guardian faces fresh criticism over Edward Snowden revelations", The Guardian, November 10, 2013, http://www.theguardian.com/ media/2013/nov/10/guardian-nsa-revelations-edward-snowden 15 2UK Home Secretary Hazel Blears, speaking at Intelligence and Security Committee open evidence session, November 7, 2013, UK Parliament website, http://www.parliamentlive.tv/Main/Player.aspx?meetingId=14146 16 3Scott Clement, "Poll: Most Americans say Snowden leaks harmed national security", The Washington Post, November 20, 2013, http://www.washingtonpost. com/politics/poll-most-americans-say-snowden-leaks-harmed-national-security/2013/11/20/13cc20b8-5229-11e3-9e2c-e1d01116fd98_story.html 17 4John Naughton, "Edward Snowden: public indifference is the real enemy in the NSA affair", The Observer, October 20, 2013, http://www.theguardian.com/ world/2013/oct/20/public-indifference-nsa-snowden-affair 18 5Gideon Rachman, "Why the British like their spies", Financial Times, November 10, 2013.

236

Forum_1.indd 236 Forum_1.indd 236

22.10.2014 13:40:37 22.10.2014 13:40:37


, - . . - . , (, , ) 19. 1 ( 20)2 . , , 21.3 , , «FRA», , 22.4 , « »23.5 , ,
19 1"Swedes `not afraid' of internet surveillance", The Local, November 8, 2013, http://www.thelocal.se/20131108/swedes-not-worried-about-internet-surveillancesurvey 20 2Keir Giles, "Cyber Attack on Finland is a Warning for the EU", Chatham House, November 8, 2013, http://www.chathamhouse.org/media/comment/ view/195392 21 3"Verkkovalvonta keskittymÄssÄ yhdelle taholle", Ilta-Sanomat, 18 November 2013, http://m.iltasanomat.fi/kotimaa/art-1288622010437.html 22 4"Intel agency seeks direct access to Swedes' data", The Local, November 19, 2013, http://www.thelocal.se/20131119/swedens-security-service-seeks-directdata-access 23 5"Bildt defends Sweden surveillance", The Local, November 3, 2013, http:// www.thelocal.se/20131103/bildt-defends-sweden-surveillance

237

Forum_1.indd 237 Forum_1.indd 237

22.10.2014 13:40:37 22.10.2014 13:40:37


, 24.1 , , . « », « . , , »25. 2 2007 , -, ( ), ( ). , , , « , »26.3 , , , , . , 2013 , , - . , , , , 27.4
24 1 Claus Blok Thomsen, Jakob Sorgenfri KjÔr, Jacob Svendsen, "Presset FE fortÔller om dansk spionage", Politiken, November 20, 2013, http://politiken.dk/ indland/ECE2138411/presset-fe-fortaeller-om-dansk-spionage/ 25 2 Draft "EU Human Rights Guidelines on Freedom of Expression Online and Offline", unpublished, version as at November 20, 2013. 26 3 Muscio v. Italy, European Court of Human Rights, "Information Note on the Court's case-law No. 102", November 2007, http://hudoc.echr.coe.int/sites/ eng/pages/search.aspx?i=002-2419 27 4 "Adoption de la loi controversÈe de programmation militaire", Le Monde, December 10, 2013, http://www.lemonde.fr/international/article/2013/12/10/adoption-definitive-de-la-controverse-loi-de-programmation-militaire_3528927_3210. html

238

Forum_1.indd 238 Forum_1.indd 238

22.10.2014 13:40:37 22.10.2014 13:40:37


, , , , 28.1 , , , , , , - , . ( ) . , . , , . , , - . , . .
28 1 Kim Willsher, "French officials can monitor internet users in real time under new law", The Guardian, December 11, 2013, http://www.theguardian.com/ world/2013/dec/11/french-officials-internet-users-real-time-law

k
239

Forum_1.indd 239 Forum_1.indd 239

22.10.2014 13:40:37 22.10.2014 13:40:37


Keir Giles
Conflict Studies Research Centre, UK

Legitimation of Online Surveillance and Monitoring
At the time of writing, it is almost one year since the world first heard the name of Edward Snowden. With the time that has passed since he began his campaign of distributing stolen classified records on US and allied espionage capabilities, some of the initial drama of the event has now faded and it is possible to begin to draw conclusions about the longer-term impacts of his actions. Leaving aside the severe detriment to the national security of the United States and its partner nations, and to the fight against organized crime and terrorism globally, Snowden and his accomplices have caused other effects which were unlikely to have been intentional. They have inadvertently accelerated two previously existing trends in internet use: worldwide, a shift in the median attitude of internet users to the ideal balance between privacy and security; and in the Euro-Atlantic community specifically, a trend toward legitimation of monitoring and surveillance of online activities. This short paper will describe each of trends, and the effects on them of the Snowden defection, in turn.
Attitudes to Rights and Security

Disclosures of alleged U.S. surveillance activities to the public by Snowden in June 2013 sparked heated international debate on the legality and morality of telecommunications monitoring. But public discussion in the U.S., Europe, and beyond, revealed widely varying societal attitudes to the issues involved. The recent growth of non-Anglophone online populations has led to a rapid movement away from Euro-Atlantic views of the nature of the internet and how it and its freedoms should be regulated. In 1996, the U.S. made up over 66% of the world's online population, whereas in 2012, it accounted for only 12%.1 According to one assessment, India saw an increase in numbers of internet users of 32% just in the year to March 2012.2
1 "State of the Internet in Q3 2012", comScore, December 5, 2012, http://www. comscore.com/Insights/Presentations_and_Whitepapers/2012/State_of_the_Internet_in_Q3_2012 2 "State of the Internet in Q1 2012", comScore, available at http://www.slideshare.net/alcancemg/state-of-theinternetq12012webinar-copy

240

Forum_1.indd 240 Forum_1.indd 240

22.10.2014 13:40:38 22.10.2014 13:40:38


One effect of this shift is an adjustment in median attitudes of internet users to the ideal balance of privacy against security on the internet. The average global internet user no longer shares the Anglosphere's attitude to individual rights, which have traditionally been significantly stronger by comparison to those of the state than in other cultural traditions. Specifically, the average attitude to the legitimacy of monitoring and surveillance of notionally private communications and activities online, for the purpose of prevention of terrorism and crime and for espionage, is now also distinctly different. This trend needs to be caveated: as with all discussion of user attitudes online, it is only a very small percentage of overall users that devote any thought at all to privacy or security issues. The majority of users worldwide continue to engage in their shopping and social media use without losing sleep over who is monitoring them or for what purpose. In addition, a clear distinction needs to be drawn between average societal attitudes overall, and the public statements of leadership figures, with their occasional "theatrical outraged reactions"3.1 But within that thinking minority of users, the importance accorded to individual privacy versus the security of the state or society is shifting away from liberal Western attitudes. The consequence is that when sections of the English-language media appointed themselves to the role of gatekeepers and arbiters, deciding for themselves what classified information they would release to the public according to their own definitions of national security4,2 this approach failed to reflect the overall attitudes of internet users in the Anglosphere, and even less so those of internet users overall. The editorial decisions and policy of, for example, the UK's Guardian newspaper, chimed with the attitudes of a percentage of its liberal readership -- but the tone of outrage was not mirrored elsewhere.
Legitimation

Alongside this shift in attitude, another trend is discernable specifically in the North Atlantic and Western European international community. This Euro-Atlantic area has traditionally been a bastion of individual rights and freedoms: but the national debates
3 1BÈrÈnice Darnault, "Why the EU response to NSA leaks is contradictory", The World Outline, October 28, 2013, http://theworldoutline.com/2013/10/eusresponse-nsa-leaks-spying-scandal-contradictory/ 4 2"Guardian worldview at root of national security row", The Commentator, October 10, 2013, http://www.thecommentator.com/article/4250/guardian_worldview_at_root_of_national_security_row

241

Forum_1.indd 241 Forum_1.indd 241

22.10.2014 13:40:38 22.10.2014 13:40:38


that became possible once the often false shock and outrage at Snowden's allegations had died down also showed a distinct movement towards acceptance, up to and including active legitimation, of online monitoring and surveillance. This movement takes two distinct forms: either new legislation to cover monitoring and surveillance activity, and ensure that it is carried out on a sound legal basis, or confirmation through public debate that the activities are indeed already legitimate under existing legislation. National examples are available in both categories, and will be discussed below, after examining an exception that proves the rule: the case of Germany. Sudden and uncontrolled disclosure of monitoring and surveillance systems affecting Germany triggered interesting socio-political reactions, partly related to Germany's unique history in Europe as a nation previously divided into one state with a strong respect for individual rights, and another where state surveillance and control of the population were all-pervasive. Although privacy and data protection are major concerns in modern Germany and treated as fundamental rights, the initial German reactions to disclosures of NSA internet monitoring activities were untroubled. In August 2013, Ronald Pofalla, Chief of Staff of the German Chancellery and Federal Minister for Special Affairs, stated that the NSA and GCHQ had acted in accordance with German law5,1 and that any scandal was now "over"6.2 Subsequently, however, it was reported in October 2013 that Chancellor Angela Merkel's personal mobile phone was under surveillance by U.S. agencies7.3 During investigation of what became known in Germany as the "Handygate affair", further monitoring of German citizens and leaders was revealed. Public disapprobation was fuelled by disconcerting allegations that the German Bundestag was being monitored from the nearby U.S. embassy. With the embassy under special protection by German police and
5 1Carstens, Peter, "Pofalla: Amerikaner und Briten halten sich an deutsches Recht", Frankfurter Allgemeine Zeitung, August 1, 2013, http://www.faz.net/aktuell/politik/inland/spaehaffaere-pofalla-amerikaner-und-briten-halten-sich-andeutsches-recht-12528037.html 6 2"Pofalla erklÄrt NSA-AffÄre fÝr beendet", Die Zeit, August 12, 2013, http:// www.zeit.de/politik/deutschland/2013-08/nsa-bnd-pofalla--bundestag-spaehaffaere-snowden-abkommen 7 3"Zu Informationen, dass das Mobiltelefon der Bundeskanzlerin mÆglicherweise durch amerikanische Dienste Ýberwacht wird", Bundesregierung Pressemitteilung, October 23, 2013, http://www.bundesregierung.de/Content/DE/Pressemitteilungen/BPA/2013/10/2013-10-23-merkel-handyueberwachung.html

242

Forum_1.indd 242 Forum_1.indd 242

22.10.2014 13:40:38 22.10.2014 13:40:38


military services, the suggestion that German taxes had been used to protect an installation spying on German leaders and citizens contributed to a strong public backlash against monitoring and surveillance activities8.1 Commentators compared early bland government assurances that all actions were legal, and a refusal to engage with public concerns, followed by sudden and shocking disclosures, to the erection of the Berlin Wall in 1961. With public concern directed primarily at the United States, and only occasional reminders that "the U.S. isn't the only country German intelligence believes may be spying on the country's leadership"9,2 Germany was forced to remonstrate publicly with its U.S. allies, with further potential severe implications for future legitimate monitoring operations within Germany10.3 Elsewhere, however, a different history and socio-cultural framework has led to entirely different reactions. The USA and UK are examples of nations where monitoring and surveillance has been confirmed as legitimate under existing legislation.
US and UK Attitudes

In the USA, the debate is complex and ongoing, but appears to be reaching the conclusion that the activities themselves were legal, but the system for ensuring their oversight was not fit for purpose and required adjustment and greater transparency11. 4 The British debate is coloured by the particular role of the UK in two key aspects of the 2013 disclosures on internet surveillance: the prominent role of GCHQ as a partner of the NSA in facilitating surveillance, and the prominent role of The Guardian newspaper in disseminating stolen classified information on alleged surveillance activities. After initial confusion and concern over sensationalised reporting of Snowden's allegations, the appearance before Parliament's
8 1Smale, Alison, "Anger Growing Among Allies on U.S. Spying", The New York Times. October 23, 2013, http://www.nytimes.com/2013/10/24/world/europe/united-states-disputes-reports-of-wiretapping-in-Europe.html?_r=0 9 2Anton Troianovski, "Germany to Boost Anti-Spy Efforts", Wall Street Journal, November 20, 2013, http://online.wsj.com/news/articles/SB100014240527023 04791704579209740311164308 10 3Troianovski, Anton, "Germany Warns of Repercussions from U.S. Spying", The Wall Street Journal, October 28, 2013, http://online.wsj.com/news/articles/SB 10001424052702304200804579163760331107226 11 4As outlined at "Power and Commerce in the Internet Age", Chatham House, London, November 25-26 2013, agenda available at http://www.chathamhouse.org/ Internet2013/agenda

243

Forum_1.indd 243 Forum_1.indd 243

22.10.2014 13:40:38 22.10.2014 13:40:38


Intelligence and Security Committee of the chiefs of the three UK intelligence and security services1 began a significant shift in public opinion2. Afterwards, there were indications that even the most liberal-minded of observers were beginning to realise the extent of the damage done by The Guardian's misguided crusade3. Public perception of internet surveillance in the UK shows the result. Polling suggests that "60% plus" say the intelligence services have the right amount of power to monitor activity on the internet or need more -- even though there is a perceived need for more transparency and an "informed dialogue with the public"4. Broadly, UK public opinion appears to be in line with the perception reflected in U.S. polls that releasing classified information on internet surveillance was harmful to national security5 -- to the palpable frustration of liberal journalists that the rest of the UK does not see it their way6. It has been argued that this results from a higher British perception of the security interests that are at stake. As described in the Financial Times: "The basic narrative of British history... is of a country that has had to ward off a succession of attempted foreign invasions. The role of the intelligence services in protecting the UK is both noted and celebrated... Most British citizens accept and, indeed, celebrate the role of the state in keeping the country free and independent -- and the role of the intelligence services has historically been integral to that task. The threat from terrorism, as witnessed in the London bomb12 1Intelligence and Security Committee open evidence session, November 7, 2013, UK Parliament website, http://www.parliamentlive.tv/Main/Player. aspx?meetingId=14146 13 2Catherine A. Traywick, "British Spies Aren't James Bonds, and 7 Other Things We Learned from Britain's Landmark Intelligence Hearing", Foreign Policy, November 7, 2013, http://blog.foreignpolicy.com/posts/2013/11/07/british_spies_ arent_james_bonds_and_7_other_things_we_learned_from_the_uks_landmar 14 3Andrew Sparrow, "Guardian faces fresh criticism over Edward Snowden revelations", The Guardian, November 10, 2013, http://www.theguardian.com/ media/2013/nov/10/guardian-nsa-revelations-edward-snowden 15 4UK Home Secretary Hazel Blears, speaking at Intelligence and Security Committee open evidence session, November 7, 2013, UK Parliament website, http://www.parliamentlive.tv/Main/Player.aspx?meetingId=14146 16 5Scott Clement, "Poll: Most Americans say Snowden leaks harmed national security", The Washington Post, November 20, 2013, http://www.washingtonpost. com/politics/poll-most-americans-say-snowden-leaks-harmed-national-security/2013/11/20/13cc20b8-5229-11e3-9e2c-e1d01116fd98_story.html 17 6John Naughton, "Edward Snowden: public indifference is the real enemy in the NSA affair", The Observer, October 20, 2013, http://www.theguardian.com/ world/2013/oct/20/public-indifference-nsa-snowden-affair

244

Forum_1.indd 244 Forum_1.indd 244

22.10.2014 13:40:38 22.10.2014 13:40:38


ings of 2005, has only increased the awareness of the need for good intelligence"18.1
Attitudes in Europe

Unlike in the United Kingdom, in several European nations the move towards public legitimation of internet interception and surveillance activities has taken the form of new legislation. A number of European countries have moved to establish or reinforce a firm legal framework for their own interception and surveillance activities. Nordic EU member states have challenged assumptions with their reactions in the aftermath of the Snowden defection. The debate in Nordic countries, which might ordinarily have been expected to be staunch advocates of privacy rights, has been tempered by a more specific threat perception and an acute awareness of the vulnerabilities of those 2states19. In Finland, news of a sophisticated attack and data breach at the Ministry for Foreign Affairs (MFA), which private sources blamed on Russia20,3 gave impetus to public discussion of possible new laws on legal intercept -- with much of the debate focusing not on whether this should take place, but under which government agency it would best 4fit21. In Sweden, although interception is already legal under the "FRA Law", the authorities are now seeking to enhance their 5 powers22. Swedish Foreign Minister Carl Bildt described cooperation with foreign intelligence services on communications intelligence gathering against Russia as "hardly sensational"23.6 And authorities in Denmark felt sufficiently secure in the legitimacy of their work to pre-empt inaccurate reporting by journalists supplied

18 1Gideon Rachman, "Why the British like their spies", Financial Times, November 10, 2013. 19 2"Swedes `not afraid' of internet surveillance", The Local, November 8, 2013, http://www.thelocal.se/20131108/swedes-not-worried-about-internet-surveillancesurvey 20 3Keir Giles, "Cyber Attack on Finland is a Warning for the EU", Chatham House, November 8, 2013, http://www.chathamhouse.org/media/comment/ view/195392 21 4"Verkkovalvonta keskittymÄssÄ yhdelle taholle", Ilta-Sanomat, 18 November 2013, http://m.iltasanomat.fi/kotimaa/art-1288622010437.html 22 5"Intel agency seeks direct access to Swedes' data", The Local, November 19, 2013, http://www.thelocal.se/20131119/swedens-security-service-seeks-directdata-access 23 6"Bildt defends Sweden surveillance", The Local, November 3, 2013, http:// www.thelocal.se/20131103/bildt-defends-sweden-surveillance

245

Forum_1.indd 245 Forum_1.indd 245

22.10.2014 13:40:38 22.10.2014 13:40:38


with Snowden material by going on the record to describe previously classified collection programmes24.1 Elsewhere in Europe, there are numerous and varying assessments of the legality of interception of communications, even within the narrow focus of privacy as a human rights issue. According to a draft of the "EU Human Rights Guidelines on Freedom of Expression Online and Offline", "lack of respect for the right of privacy and data protection constitutes a restriction of freedom of expression. Illegal surveillance of communications, their interception, as well as the illegal collection of personal data violates the right to privacy and freedom2 of expression"25. Yet in 2007, the European Court of Human Rights ruled as inadmissible (manifestly ill-founded) a complaint by an Italian internet user under Article 8 (right to respect for private and family life) of the European Convention on Human Rights. Although the complaint related to spam rather than surveillance, the Court declared that "once connected to the Internet, e-mail users no longer enjoyed effective protection of their privacy"26.3 Now, Italy and especially France are moving to ensure that a national, rather than European, legal basis for monitoring and surveillance is in place. Most recently at the time of writing, a law was passed in France in December 2013 allowing surveillance of internet users in real time and without prior legal authorisation, by a much increased range of public officials including police, gendarmes, intelligence and anti-terrorist agencies as well as several government ministries27.4 The law gave rise to accusations of cynicism, being passed just weeks after France expressed outrage that the NSA had allegedly been engaged in similar activities, at which President FranÃois Hollande expressed his "extreme reprobation"28.5
24 1Claus Blok Thomsen, Jakob Sorgenfri KjÔr, Jacob Svendsen, "Presset FE fortÔller om dansk spionage", Politiken, November 20, 2013, http://politiken.dk/ indland/ECE2138411/presset-fe-fortaeller-om-dansk-spionage/ 25 2Draft "EU Human Rights Guidelines on Freedom of Expression Online and Offline", unpublished, version as at November 20, 2013. 26 3Muscio v. Italy, European Court of Human Rights, "Information Note on the Court's case-law No. 102", November 2007, http://hudoc.echr.coe.int/sites/ eng/pages/search.aspx?i=002-2419 27 4"Adoption de la loi controversÈe de programmation militaire", Le Monde, December 10, 2013, http://www.lemonde.fr/international/article/2013/12/10/adoptiondefinitive-de-la-controverse-loi-de-programmation-militaire_3528927_3210.html 28 5Kim Willsher, "French officials can monitor internet users in real time under new law", The Guardian, December 11, 2013, http://www.theguardian.com/ world/2013/dec/11/french-officials-internet-users-real-time-law

246

Forum_1.indd 246 Forum_1.indd 246

22.10.2014 13:40:38 22.10.2014 13:40:38


In this way, disclosure of alleged surveillance activities by the NSA and GCHQ is having the effect of ensuring that more of the U.S. and UK's partner nations are ensuring they have the legal framework in place to be able to participate in this activity on an unarguably legitimate basis. Although disclosure of the alleged capability and reach of U.S. and allied surveillance mechanisms prompted strident and outraged reportage in some sections of the English-language media, public opinion has not followed suit. Instead, a more balanced and sober assessment of national security needs is leading European states to pass legislation through due democratic process to ensure that internet monitoring of specific threats to security continues unhindered. It follows that active measures online in order to prevent and pre-empt threats to national security will continue to be perceived as legitimate despite concerns over privacy, and these measures should be expected to continue unrestrained by the new environment of enhanced public awareness. When Edward Snowden and his associates were considering the likely results of their accusations against the NSA, this is unlikely to have been among their desired outcomes.

247

Forum_1.indd 247 Forum_1.indd 247

22.10.2014 13:40:38 22.10.2014 13:40:38



,

?

2011 Mitsubishi Heavy Industry (MHI) -- . . , MHI . , MHI , , . , , , . , , . , , . . 2010 Stuxnet « ». , . . , .
248

Forum_1.indd 248 Forum_1.indd 248

22.10.2014 13:40:38 22.10.2014 13:40:38


, , . , : , , , . , , , , . . , , , . . 2012 -, 2013 « ». , , . , . , , ( ) -- . , .


, , , , . : ;
249

Forum_1.indd 249 Forum_1.indd 249

22.10.2014 13:40:39 22.10.2014 13:40:39


; , ; . «», «» «». . . . « » (j-initiative for ybersecurity). -- (2013 .), . 2015 . « » . , , . , , . , , , , , . , , ..; ; , , , . , « », . , - ,
250

Forum_1.indd 250 Forum_1.indd 250

22.10.2014 13:40:39 22.10.2014 13:40:39


- . . 2011 . « », 2013 . , , , , . , -- , , , , , . , , , . , . , 2014 Meridian, . 2015 , . , , , -, . 13 ,
251

Forum_1.indd 251 Forum_1.indd 251

22.10.2014 13:40:39 22.10.2014 13:40:39


. .


: , . . -- , , . , , , . . . - , . , - , - , - . , JASPER TSUBAME.
252

Forum_1.indd 252 Forum_1.indd 252

22.10.2014 13:40:39 22.10.2014 13:40:39


, . - . , 2012 «-: -» -. « - » . , . 2013 - . , , -. -- « » -- . , , « », ( ). , . , « » . , , , , . .

253

Forum_1.indd 253 Forum_1.indd 253

22.10.2014 13:40:39 22.10.2014 13:40:39


, , , , . , , . , , , , . , , . , . , , , «» . , , . . , , . , . , , . , - , . , , . , , . , , ? -

254

Forum_1.indd 254 Forum_1.indd 254

22.10.2014 13:40:39 22.10.2014 13:40:39


. , . . , - . , 95% . , , . , , , -- , , . , . , , , . , , . . 1990- , , , . , , , , , , . 2015 2014 . , , . , « ». -- , , . , , ..,
255

Forum_1.indd 255 Forum_1.indd 255

22.10.2014 13:40:39 22.10.2014 13:40:39


. , . , , , . , -- , , , . , , , . : « -- ». , , , . , , , . , , . . , , . , , , .
1. National Information Security Council "Japan Cybersecurity Strategy" June 13, 2013 http://www.nisc.go.jp/active/kihon/pdf/cybersecuritystrategy-en.pdf 2. National Information Security Council "International Strategy on Cybersecurity Cooperation ~ J-initiative for cybersecurity" October 2013 http://www.nisc.go.jp/active/kihon/pdf/InternationalStrategyonCybersecurityCooperation_e.pdf 3. The Government of Japan "National Security Strategy of Japan" December 2013 http://www.cas.go.jp/jp/siryou/131217anzenhoshou/ nss-e.pdf 256

Forum_1.indd 256 Forum_1.indd 256

22.10.2014 13:40:39 22.10.2014 13:40:39


4. Center Strategic for International Studies "The Armitage-Nye Report: U.S.-Japan Alliance: Anchoring Stability in Asia": August 2012 http//csis.org/event/us-japan-alliance-anchoring-stability-asia 5. Joint ministerial statement of the Asean-Japan ministerial policy meeting on Cybersecurity Cooperation, Tokyo, 13 September 2013 http:// www.meti.go.jp/press/2013/09/20130913005/20130913005-5.pdf 6. MERIDIAN Connecting an Protecting previous conference, Meridian 2013, Buenos Aires http://meridianprocess.org/cms. aspx?e=21&id=6&cg=a4cab139-a2b6-4789-bed5-bb106880674d

k

257

Forum_1.indd 257 Forum_1.indd 257

22.10.2014 13:40:39 22.10.2014 13:40:39


Yoko Nitta
National Security Institute, Japan

Japan's Approaches towards Cybersecurity

How to respond to uncertainty?
Background

It was a wake-up call for Japanese government when Mitsubishi Heavy Industry (MHI) got virus infection by targeted attacks in 2011. The industry is the biggest contractor of Ministry of Defense (MOD) for defense equipment in Japan. Which means MHI has dealt with the top-level confidential information for Japan's armed force defense. To make things matter worse, MHI did not report what happened to MOD although there is a strict regulation for report under that condition. It did not stay only as a cyber attack from the unknown but it pointed Japanese government the trust matter with their contractors. Concerns have grown over the misuse of cyberspace by criminals, terrorists, states and their proxies for disruptive and malicious activities. Cases of cyber espionage, attacks on critical infrastructure, financial thefts and cyber terrorism have grown manifold. Cyber security has become a high-profile issue between China and the US. The use of the worm Stuxnet in 2010 to disrupt Iranian centrifuges being used for uranium enrichment has raised concerns about undeclared cyber warfare ICTs are being used for purposes that are "inconsistent with national peace and security". Attribution of cyber crime being a difficult exercise, the actors misuse cyberspace with impunity. Japanese government set up National Information Security Council (NISC) within Cabinet Office before that. NISC has dual responsibilities of national security and emergency response systems. The responsibility of NISC is supposed to interpret complicated technical issues, transform of technical and managerial issues into poles and directives and coordinates the political debate concerning emerging cyber security measures. NISC coordinate ministries, main ministries are : the Ministry of Internal Affairs and Communication (MIC), the Ministry of Economy, Trade and Industry (METI), the National Police Agency (NPA), and the Ministry of
258

Forum_1.indd 258 Forum_1.indd 258

22.10.2014 13:40:39 22.10.2014 13:40:39


Defense(MOD). MIC deals with communication and network policies, METI works on Japan IT polices, NPA deals with fighting cyber crimes and MOD is responsible for national security. Plus US- Japan alliance gives a impact on this new dimension and Japan has followed its US direction for since the US President Obama already made an announcement that US regard cyber as the domain of fifth war, which means US focuses on the use of cyber technologies military operations. Followed by the pressure Armitage -- Nye report published in 2012, Japanese government launched `Japan Cybersecurity Strategy' in June 2013. Also, environment surrounded Japan has changed dramatically in terms of cyberspace and real- space have been merged and integrated which has increased serious risks surrounding cyberspace. Cyber attacks against government institutions and critical infrastructures have become a reality, advent of conditions where everything is connected to the internet (Internet of Things) have increased the spread of the risks, cyber attacks can be effaced from anywhere in the world, and carried out in cyberspaces affiliated with Japan as a springboard for attacks elsewhere.
Cybersecurity Strategy

Basic principles of the strategy constructs a world-leading, resilient and vigorous cyberspace for national security/ crisis management, social/economic development, and safety/security of public. Main pillars of the basic principles are to ensure free flow of information, to respond to increasingly serious risks, to enhance risk-based approach, to act in partnership based on shared responsibilities. The key words of the strategy are `Resilient', ` Dynamic', ` World-Leading'. Japan main recent efforts based on these key words are the following: To strengthen protection for cyberspace, the strategy revises of the Standards for Information Security Measure for the Central Government Computer Systems, To build fundaments, the strategy revises the information security human resource development program, world-leading cyberspace issues international strategy on cybersecurity cooperation ~ j-initiative for cybersecurity~, ASEAN -- Japan Commemorative Summit Meeting was held last December (2013), and to strengthen the function of NISC is scheduled in 2015. Japan `Cybersecurity Strategy' lays out the three main efforts. For Resilient Cyberspace, Government Organizations, Independent Administrative Organizations, etc. plays a role as strengthening Government Security Operation Coordination team (GSOC), accurate and quick response through cooperation Cyber Incident
259

Forum_1.indd 259 Forum_1.indd 259

22.10.2014 13:40:39 22.10.2014 13:40:39


Mobile Assistant Team (CYMAT)and CSIRT, conducting incident response drills, specifying roles of related organizations such as the police and the Self Defense Forces, to measure for new threats pursuant to new services, including Social Network Service (SNS) and group mail. Critical Infrastructures Industries strengthen information sharing with government organizations and system vendors, etc., executing cross-sector exercises for ensuring business continuity, build a platform for evaluation and authentication of such systems as control systems used by critical infrastructure, in compliance with international standards. The other main efforts based on the `Cybersecurity Strategy ` is dealt with by enterprises and individuals. They promote investment in security by small and medium-sized businesses, through incentives sun as tax systems, to measure by IT-related businesses including notifying malware infection to individuals by ISPs and to ensure the traceability of cyber crimes, such as by examining the way to store logs. The second main effort is to get the fundamentals for Dynamic Cyberspace. Information Security Policy Council revised the Information Security Human Resource Development Program and its Research and Development Strategy in 2011. The third effort is to have launched `International Strategy' last October 2013. The strategy is to promote international measures related to vulnerabilities, threats, and attacks in cyberspace with the participation by government organizations and CSIRTS from countries such as the US, Germany, the UK and Japan. Also it is aims at sharing best practices for the protection of critical infrastructure, exchanging information on measures such as international cooperation with participation by government officials in charge of protecting critical infrastructure from countries such as the US, the UK, Germany and Japan. Japan is going to cooperation on this issue with US, UK India, EU and ASEAN. Japan contributes international rule making in cyberspace attending the related international conferences. Plus, Japan is going to host MERIDIAN this coming autumn. Also the strategy issues annual report on cybersecurity and strengthens the function of NISC scheduled in 2015 to become fully its operations, renaming as Cyber Security Center. Japanese government will aim for the new system to become fully operations. In this regard, NISC is to promote information security as a hub of cooperation between the public and private sectors and to cross-monitor the information security status of ministries and agencies through the Government Security Operation Coordination (GSOC) team.
260

Forum_1.indd 260 Forum_1.indd 260

22.10.2014 13:40:40 22.10.2014 13:40:40


Thirteen sectors have been incorporated as the ones to be focused as critical infrastructure in Japan and the specific miniseries and its related organization are to responsible for each field. NISC is to coordinate and cooperate for the critical infrastructure.
International Strategy on Cybersecurity Cooperation

Three directions of Japan's contrition for strengthening international cooperation are: Incremental fostering of common global understanding, Japan's contraption to the global community and expansion of the technological frontier at the global level. The priority areas of the international strategy are the following: for implementation of dynamic responses to cyber incidents, Japan builds a mechanism for international cooperation and partnership for global responses to expanding cyberspace such as enhancing multilayered mechanism for information sharing, working on appropriate response to cyber crime and establishing framework of cooperation for international security in cyberspace. For building up " fundamentals" for dynamic response, Japan raises the cybersecurity standard of basic capability and response mechanisms at the global level supporting for building a global framework for cyber hygiene, promoting awareness-rapid activities, enhancing research and elopement through international cooperation. For international rule making for cybersecurity, Japan promotes international rule making for ensuring stable use of cyberspace formulating international standards of technology and pursuing international rule making. Japan's regional intiatives have been enhanced; for the Asia Pacific, Japan has cooperated closely with Asia Pacific region, which is crucial due to geographical proximity and close economic ties. In this regard, Japan will have continued to strengthen the relationship with the ASEAN through policy dialogues as ASEAN-JAPAN Ministerial Meeting on Cybersecurity Cooperation, ASEAN-Japan Information Security Policy Meeting, and ASEAN-Japan Ministerial Meeting on Transnational rime, promoting initiatives such as capacity building for human resources development and promoting joint projects such as JASPER and TSUBAME. Plus, Japan will promote Japan-India cyber dialogue. Japan will deepen partnership with the U.S. centered on the Japan-U.S. Security arrangements. Regarding EU-Japan cooperation on cyberseucrity, "Japan-EU ICT Internet" was held in Tokyo in November 2012 as a first attempt to comprehensively exchange information on policy and technology trends of internet security. The second forum was held
261

Forum_1.indd 261 Forum_1.indd 261

22.10.2014 13:40:40 22.10.2014 13:40:40


as "EU-Japan ICT Security Workshop" in Brussels last December. Both sides updated their recent policy and technology measures as well as exchanged good practices as ICS (industrial Control System) security and R&D on trend foresting / quick response to cyber attacks. Joint R&D cooperation for improving cyber-resilience has been also promoted through FP7 since 2013. Also this May, twenty second EU- Japan Summit was held in Brussels. In the Joint press statement, " The EU and Japan Acting together for Global Peace and Prosperity", it reforest to their decision to launch cyber dialogue.
Cyber Norms

Regarding global partnership in cyber space, Japan recognizes cyberspace as "global commons" in GGE(Group of Governmental Experts). It stresses the need for a common understanding on how norms based on existing international law could be applied in cyberspace. The critical recommendation made by the GGE is that "States must meet their international obligations regarding internationally wrongful acts attributable to them" and Japan supports it. Also the reports UN submitted goes on to recommend confidence-building measures in cyberspace such as voluntary exchange of views and information sharing, creation of bilateral, regional and multilateral frameworks, increased co-operation on incident response and synergy among law enforcement agencies. The emphasis is on the need to enhance common understanding and co-operation. This is important considering several critics hold that given the nature of threats in cyberspace where attribution is difficult, the application of international norms may not be possible. There has been intense debate whether cyberspace also requires international cyber security confidence-building measures and rules on the lines of similar conventions in other areas of international security. In fact, countries like Russia, Tajikistan, China, Uzbekistan, Kazakhstan and Kyrgyzstan have come out with drafts for cyberspace. Experts take note of this but do not take a clear view whether a cyber convention to govern states' behaviour in cyberspace is needed. This is because there are considerable gaps in the thinking of the US on one hand and Russia and China on the other with regard to a cyber convention. It implies that whatever norms are agreed upon must have international legitimacy and UN blessing.
262

Forum_1.indd 262 Forum_1.indd 262

22.10.2014 13:40:40 22.10.2014 13:40:40


One weakness of the report is that it does not offer clear guidance on how to build consensus on key cyber security issues. In cyberspace, even the vocabulary is contentious. A common understanding of issues such as what is cyber warfare and what implies the use of force needs to be developed. It would be useful to set up a UN mandated forum, much like the UN Committee on the Peaceful Uses of Outer Space, to deliberate on technical and legal issues. The International Law Commission could also be involved to develop the international law governing cyberspace. In the context of cyber warfare, involving attacks on their critical infrastructure by states or proxies, use of force in cyberspace becomes important. The cyber doctrines of some states stipulate that attacks would elicit response that may not be confined to cyberspace. A lot of conceptual work still needs to be done to understand if cyberspace is emerging as a new arena of warfare. Does the international law codified in Geneva Conventions apply to cyberspace? The report has skirted these issues and focused on the lowest common denominator of cyber norms. This is necessary but not a sufficient condition to ensure cyber security. Any counties cannot force its sovereignty to cyberspace. However, it will be possible to enforce that if they can claim her territory in some ways in cyber space. For instance, Japan is an island country and her capacity of international telecommunication relies on marine cable up to 95%. Therefore, it is possible to regard the part from landing station of marine cable is the domain of Japan's sovereignty. No matter he/ she is foreigner, server belong to non-Japanese, it would be simple to think if the substance or the material located within Japan belongs to Japan. Suppose Japan's sovereignty extends to. This aligns with the case that foreigners get punished in Japan if they commit the crime here. The government of Japan, U.S. and Australia regards free flow of information, internet freedom, is a critical value and should be ensured. Excessive intervention by the government to cyber space should be avoided. It is indeed the most crucial part since 1990's when internet has been accepted by many people and we should not lose that. Therefore, they try to avoid discussion only within U.N. and have tried to pursue multistakeholder approach in which they expect diverse actors to discuss the cyber issues. Cyber space convention will be held at Hague in Netherlands in 2015 and GGE will re-start in 2014. We need to monitor whether we could get the result by then or take a rain check, which is a situation for a time being.
263

Forum_1.indd 263 Forum_1.indd 263

22.10.2014 13:40:40 22.10.2014 13:40:40


Further Implications

U.S. government has insisted that cyber space should be recognized as " global commons " in their various reports. Global commons is the remain which one country cannot control but every countries rely on its area. However, cyber space is just an accumulated of telecommunication servers, lines and memory tips, etc, and it is not appropriate that cyber space should be viewed as the conventional global commons. If it is seen as an accumulated ones of equipment, cyber space is quite vulnerable and partial breakdown or collapse. The reason why each countries stick to this issue is because military and economy strongly relies on cyber space now. Cyber space is the fifth domain of warfare but it rather connects the other four fields, land, sea, air and space, smoothly and facilitates human activities. The governance of cyber space is different because it used to go well but government tried to intervene and it became a political issue. Engineers often say that `If it ain't broke, don't fix it.' Whether internet governance is broken or not and the definition of it has discussed for the past decades. Now that security issues are getting more serious and stable and safe governance is in need and discussion should be curbed. The state-led cyber space management that Russia and China has insisted will change the course of conventional governance to government and it is possible to lose its dynamism which cyber space bas produced. Now we need to make sure that the cyber space is a global common and recognize its vulnerability and should enhance its security. Keeping physical infrastructure, seeking for free flow of information as contents and developing the rule setting to connect them is essential. Bibliography
1. National Information Security Council "Japan Cybersecurity Strategy" June 13, 2013 http://www.nisc.go.jp/active/kihon/pdf/cybersecuritystrategy-en.pdf 2. National Information Security Council "International Strategy on Cybersecurity Cooperation ~ J-initiative for cybersecurity" October 2013 http://www.nisc.go.jp/active/kihon/pdf/InternationalStrategyonCybersecurityCooperation_e.pdf 3. The Government of Japan "National Security Strategy of Japan" December 2013 http://www.cas.go.jp/jp/siryou/131217anzenhoshou/ nss-e.pdf

264

Forum_1.indd 264 Forum_1.indd 264

22.10.2014 13:40:40 22.10.2014 13:40:40


4. Center Strategic for International Studies "The Armitage-Nye Report: U.S.-Japan Alliance: Anchoring Stability in Asia": August 2012 http//csis.org/event/us-japan-alliance-anchoring-stability-asia 5. JOINT MINISTERIAL STATEMENT OF THE ASEAN-JAPAN MINISTERIAL POLICY MEETING ON CYBERSECURITY COOPERATION Tokyo, 13 September 2013 http://www.meti.go.jp/press/2013/ 09/20130913005/20130913005-5.pdf 6. MERIDIAN Connecting an Protecting previous conference, Meridian 2013, Buenos Aires http://meridianprocess.org/cms. aspx?e=21&id=6&cg=a4cab139-a2b6-4789-bed5-bb106880674d

265

Forum_1.indd 265 Forum_1.indd 265

22.10.2014 13:40:40 22.10.2014 13:40:40



,

:

1. : . 1980- . , . , Nintendo, «Family Computer» ( ). . : « », « , ». 1980- 1990- . , . 2. , , . . , . 2002 , . , 1980- . , 1990- .
266

Forum_1.indd 266 Forum_1.indd 266

22.10.2014 13:40:40 22.10.2014 13:40:40


. , : « , ». . . , , . , . 3. . . , , . . , . , . , 1 , . - , , . , , ,
1 «» -- , , . , , , . , , , - . , .

267

Forum_1.indd 267 Forum_1.indd 267

22.10.2014 13:40:40 22.10.2014 13:40:40


. , , Wi-Fi, , . , , . , . , -- , . « , » , , -, « », , . , , . , , - . , : , ; ; . , . , - . . , . 4. . ,
268

Forum_1.indd 268 Forum_1.indd 268

22.10.2014 13:40:40 22.10.2014 13:40:40


-. , , . , . . . , (). , - . 5. : · IAJapan (- ) ; · EMA ( ) ; · I-ROI ( ) ; · JISPA ( ) . -. 2013 (DCA). , -. : , . 2 DCA () « », « , ».
269

Forum_1.indd 269 Forum_1.indd 269

22.10.2014 13:40:41 22.10.2014 13:40:41


DCA , , . DCA - . DCA (), . , DCA - , , , , , . DCA , DCA, . , - , , , -. , . 6. , . -, -- ? , . ? ? , , «», « ». : « ?» - -- , . , . , - ? , ?
270

Forum_1.indd 270 Forum_1.indd 270

22.10.2014 13:40:41 22.10.2014 13:40:41


: « , , ?» , , . , : « , ». , . . , . , , . : « - - ?» , . , - , , . , , , , . , - , . , - . , DCA « » . , . - - .

271

Forum_1.indd 271 Forum_1.indd 271

22.10.2014 13:40:41 22.10.2014 13:40:41


Dr. Masayoshi Kuboya
Tokai University, Japan

Cyberspace Credibility in Japan: Information Literacy and Regulation

1. ICT and its negative impacts on children: Why Japanese worry In the mid 1980s, computers became widespread in Japan. As for average Japanese families, video consoles were the first computer in their houses. Game software manufacturer Nintendo made the iconic game console and called it the "Family Computer". ICT's negative impacts on the young generation became a serious social issue. Many Japanese adults said, "Don't play with video games", or "Real life cannot be reset, real life is different from the virtual game world". This kind of argument was a major concern in the society in the 1980s and 1990s. This brief paper seeks to explore how Japan has developed its cyberspace credibility. 2. Parental Responsibility for Young People's Internet Use Although there are today some regulations on video games, the proper use of game consoles largely relies on parents. Japan's regulation system is not governmental but self-regulated by the industry. Japan's game industry launched CERO, Computer Entertainment Rating Organization, which introduced the voluntary regulation system. When the system was established by the game industry in Japan in 2002, similar regulatory systems had already been enforced in western countries. For example, the UK had introduced their regulation system as early as the 80s. USA, France and Germany built up their systems in the 1990s. In the UK, legal regulation and self-regulation are combined. The US government enacted a law, which stated: "if the industry does not build up its own voluntary regulatory system in a year, the US government will enforce a legal system". This led to a prompt installation of self-regulation. In Japan, such a legal, or governmental, background cannot be found. In addition, the Japanese industry did not want to have such regulations at first and reluctantly imported the system from
272

Forum_1.indd 272 Forum_1.indd 272

22.10.2014 13:40:41 22.10.2014 13:40:41


overseas. As a result, parental guide as a self-restraint has come to be preferred. 3. Internet Credibility in Japan There are two ways to ensure internet credibility. The first method is mechanical and technical. This method usually enforces a filtering system and prevents people from having access to malicious information. As a feature for mobile phones, this method is very powerful. When parents buy a cell-phone for their child, they have to tell the user's age to retail shop staff. So they can activate a strong filtering system, which is provided by the mobile phone carrier. All children's Japanese style feature phones1 seem to have strong filtering systems which children cannot deactivate by themselves. In the case of home computers, the method is still powerful because parents can monitor children's behavior when they sit beside them. Unfortunately, other mobile devices, including smart phones, mobile pcs and tablets, are difficult to control. These devices usually have a wi-fi system, and children can access the internet without passing through a mobile phone carrier network. Of course, parents cannot always sit beside and monitor them when their children use these devices. We have to notice that filtering cannot cover all in the era of smart phones. The second method is a human way. This method tries to facilitate people's ability, especially information literacy. In the Japanese legal system, the "Act on Development of an Environment that Provides Safe and Secure Internet Use for Young People" requires that every person or organization which owns a website must make an effort to assign a "specified server administrator", who must oversee that the website does not contain harmful information. Apart from legal requirements, the Japanese Government has tried to instruct children to be able to deal with various risks on the internet. As a first step, the Government has assessed youngsters'
1 Another name of "Japanese style feature phone" is "Galapagos mobile phone". "Galapagos" comes from the islands in South-eastern Pacific Ocean, which is totally isolated from any continents and whose evolution process is very unique. Before smart phone became widespread in the world, Japanese mobile phone companies had developed the multi-functional mobile phones which can access to the internet through mobile phone carriers' servers and networks. Briefly speaking, these phones' screens are smaller than smart phones and website administrators have to make a specific webpage just for these phones. After smart phones got popularity in Japan, the number who uses Japanese style feature phones has been gradually decreasing.

273

Forum_1.indd 273 Forum_1.indd 273

22.10.2014 13:40:41 22.10.2014 13:40:41


ICT capabilities and skills, to develop a measurement called the Internet Literacy Assessment Indicator for Students (ILAS). ILAS tries to measure several competencies, including the following three; to deal with the problems of illegal and harmful contents, to communicate adequately on the internet, and to protect privacy and use adequate security instruments. These competencies are not only for children and should be acquired of adults, too. Then, we can say that ILAS is also useful for measuring national literacy. At the international level, ILAS is a pioneering work for young people's information literacy. The Japanese Government is trying to contribute to international society by promoting this indicator. 4. Local Policies on Information Literacy in Japan Some local authorities also try to facilitate people's information literacy. For example, the Ibaraki prefectural government designates media education instructors. These instructors hold seminars for parents to teach them that they are most responsible for their children's secure internet use. Although the instructors may often hold seminars for children and teach them directly, they organize seminars for parents as a priority to be held before or after the seminars for children. In this manner, parents' responsibility is also emphasized here. The second case involves Soka city. The municipal government requires its server administrators to participate in a training program conducted by a non-profit organization. The NPO issues a certificate stating that the city office designates properly-trained persons in charge of maintaining its websites. 5. NPOs on Information Literacy in Japan These are some examples of NPO activities promoting information literacy: · IAJapan (Internet Association Japan) engages in developing filtering systems. · EMA (Content Evaluation and Monitoring Association) evaluates mobile sites. · I-ROI (Internet-Rating Observation Institute) issues certificates for self content assessment. · JISPA (Japan Internet Safety Promotion Association) promotes self-guideline for website administrators. Here I focus on I-ROI's effort. I-ROI launched the Digital Contents Assessor (DCA) program in 2013. The DCA assessor
274

Forum_1.indd 274 Forum_1.indd 274

22.10.2014 13:40:41 22.10.2014 13:40:41


has competencies about secure internet use. The competencies are not technically-oriented but socially-oriented. DCAs fall into 3 categories; user, administrator and instructor levels. A DCA level 2 administrator level personnel corresponds to the "specified server administrator" in the "Act on Development of an Environment that Provides Safe and Secure Internet Use for Young People". In the DCA program, adequate competencies for secure internet use are taught. The competencies focus on not only children's internet use but also adults' internet use. A notable fact of I-ROI's DCA program is collaboration with schools and universities. DCA level 3, the user level, certificate can be granted to students through designated college classes. That is, I-ROI's DCA program employs a socially-oriented, human-oriented approach, engaging in education of human resources, to issue certificates to persons who have proper knowledge. If many people take I-ROI's DCA programs and declare that they have DCA certificates, the DCA program will be well acknowledged by the general public. And then, when people find an I-ROI mark on some website, they can be confident that the site is safe and reliable. People can evaluate the safety level of a website by the I-ROI mark shown on the site. If we can make this ideal situation come true, we can develop the credibility of the internet. 6. Some Arguments To conclude, I will ask some questions. The first one is "which should be prioritized, safety or liberty?" As I mentioned above, Japanese Governmental policies and laws largely focus on children's internet use. Do we need to focus on adults' use too? Should the government constrain adults' freedom of speech? As of now, even for children, the Japanese current legal requirement is not "obligation" but "obligation to make an effort". The next argument is "what should governments do?" ILAS is a good work and it will facilitate discussions. However, this is just an indicator for analysis. So, do we need some other policy or method to develop internet credibility? Or, do you trust people or NPOs more than the government? These questions can be rephrased: "Which is to be preferred, governmental regulation, parental education or NPO activities?" In my view, education and social consensus are better than governmental regulation. In fact, the Japanese national government
275

Forum_1.indd 275 Forum_1.indd 275

22.10.2014 13:40:41 22.10.2014 13:40:41


has repeatedly recommended to local governments: "Do not make guidelines by themselves, refer to NPO". In the case of the Tokyo metropolitan government, it tried to make its guideline by itself. In response, the national government has given an enforcement order. The order says that national and local governments should respect the role of NPOs. The purpose is that the national government wants to promote NPO's activities while minimizing governmental involvement. The last question is "technically-oriented approach or sociallyoriented approach?" As I mentioned above, it is getting harder and harder to filter the internet and other virtual networks. Therefore, I think the importance of the socially-oriented approach will definitely increase in the near future. Actually, a public official pointed out that nobody took account of smart phones when considering the filtering system a few years ago. This means the technicallyoriented approach needs to keep up with new technologies, which is very difficult to do. Of course, the socially-oriented approach has just reached the starting line. As I noted above, I-ROI's DCA program tries to make "ideal situation" come true to develop the credibility of the internet. I know it is not easy to make this ideal situation come true. Both technically-oriented and socially-oriented approaches will live side-by-side for a while.

k

276

Forum_1.indd 276 Forum_1.indd 276

22.10.2014 13:40:41 22.10.2014 13:40:41


.., .., ..
..



, , , . -- . «»

-- . V6 (= W3 = WWW). , « » «», . , , . , , . . , , . . , , . [3] , . . , . , . . 1. -- , 277

Forum_1.indd 277 Forum_1.indd 277

22.10.2014 13:40:41 22.10.2014 13:40:41


(FHE) -- . , FHE . [5], . . . , ( ) . 2. . , , . . , , . [4], . , « », , . 3. . . , , , . , , , . , , . : 278

Forum_1.indd 278 Forum_1.indd 278

22.10.2014 13:40:41 22.10.2014 13:40:41


. , , . (.. ) , . , , , , ­. [2], . , . , , . 4. . , . . , , , . . - . (. [1]), , . . , , . . : . 5. , , 279

Forum_1.indd 279 Forum_1.indd 279

22.10.2014 13:40:42 22.10.2014 13:40:42


: . ( « »). , , , () . , . , copyright . ? . : « , , ». , , . . «» . 6. : · ; · ; · . , . . . . , . « » - .
280

Forum_1.indd 280 Forum_1.indd 280

22.10.2014 13:40:42 22.10.2014 13:40:42



[1] Tansu Alpcan and Tamer Baar. Network Security: A Decision and Game Theoretic Approach. Cambridge University Press, 2011. [2] Boaz Barak, Oded Goldreich, Russell Impagliazzo, Steven Rudich, Amit Sahai, Salil Vadhan, and Ke Yang. On the (im)possibility of obfuscating programs. J. ACM, 59(2):6:1­6:48, May 2012. [3] Claude E. Shannon. Communication theory of secrecy systems. Bell System Technical Journal, Vol 28, pp. 656­715, October 1949. [4] Gustavus J. Simmons. Subliminal communication is easy using the DSA. In Tor Helleseth, editor, EUROCRYPT'93, volume 765 of Lecture Notes in Computer Science, pages 218­232. Springer, 1993. [5] Marten van Dijk and Ari Juels. On the impossibility of cryptography alone for privacy-preserving cloud computing. In Proceedings of the 5th USENIX Conference on Hot Topics in Security, HotSec'10, pages 1­8, Berkeley, CA, USA, 2010. USENIX Association.

281

Forum_1.indd 281 Forum_1.indd 281

22.10.2014 13:40:42 22.10.2014 13:40:42


N.P.Varnovskiy, O.A.Logachev, V.V.Yashchenko
Lomonosov Moscow State University Institute of Information Security Issues

Mathematics and Information Security

Was man nicht weiú, das eben brauchte man Und was man weiú, kann man nicht brauchen -- Johann Wolfgang von GÆthe. "Faust"

Information security is an extremely attractive topic. Search engines when feeded with this term return hundreds millions of references to resources in V6 (= W3 = WWW). However when term "information security" is combined with "mathematics" the figures are orders of magnitude lower. This in part reflects common belief that information security is a management task, not a scientific problem. Therefore the role of mathematics is restricted to provide methods, such as data encryption, raw materials for constructing security systems. This is a great misunderstanding. Currently huge amounts of information are transmitted, stored, retrieved and processed by millions of users. Threats to information are numerous. In the simplest model of two abonents who sent confident data over an only channel one considers the simplest threat of reading this data by passive adversary. The classical result due to Shannon [3] says that in this setting secure data transmission is possible. One is tempted to extrapolate this possibility result to models with wider classes of threats. The problem is not only in the lack of justification. For certain threats there is no solution. Next we consider some examples. 1. Cloud computing Recent breakthrough in mathematical cryptography, namely solution of the long-standing problem of fully homomorphic encryption (FHE) caused a lot of misunderstanding. It is widely believed that FHE solves, at least theoretically, a problem of secure cloud computing. In fact, it is proved [5] that secure cloud computing is impossible already in the case of two users. This negative result does not rule out a possibility of secure cloud computation in certain applications. But there is no general solution. It could even be the case that any new application (or a
282

Forum_1.indd 282 Forum_1.indd 282

22.10.2014 13:40:42 22.10.2014 13:40:42


small class thereof) requires investigation of possibility of secure cloud computing in this given setting. 2. Covert channels One of the well-known threats is that of employing cryptography by criminals for sending information over networks. The common sense suggests an evident solution, namely, restricting the right of using cryptographic methods. In this circumstances criminals might resort to steganography. It is believed that steganography usage can be suppressed if one has efficient methods for detecting covert channels. However there exist so-called subliminal channels (see [4]) which could not be detected even theoretically. It might be the case that the "clever solution" of restricting usage of cryptography turns a hard to solve problem into a unsolvable one. 3. Obfuscation Computer programs constitute a specific brand of information. It is common to consider program security as a battle against computer viruses. But the class of threats to software is larger, it includes, e.g., violations of intellectual property. Most of the problems of program security could be solved if a trusted platform is available. However, as a rule users run their programs in adversarial environment. Therefore there remains ultimate chance. A program should secure itself. Research stimulated by this informal idea resulted in the concept of obfuscation. This is an equivalent (i.e. preserving functionality) transformation of a program that renders the latter unintelligible. The strongest definition of obfuscation requires that adversary given an obfuscated program can extract no more useful information than that given by input-output behavior of the same program. Such a strong obfuscation was shown [2] to be impossible. This was followed by a number of papers proving related negative results in somewhat weaker settings. Stated in short, the possibility of protecting programs in adversarial environments remains questionable. 4. Network security Consider a mathematical model of a large scale communication network and the simplest threat of failing to deliver messages to
283

Forum_1.indd 283 Forum_1.indd 283

22.10.2014 13:40:42 22.10.2014 13:40:42


addressees. Abonents of the network are assumed to be of one of the next types. Cooperative abonents always follow communication protocol. Selfish ones do not exhibit adversarial behaviour but on the other hand they do not want to spend much resources and sometimes refuse to transmit messages. Malicious abonents are not restricted in their adversarial behaviour. Such a model of communication network was analysed using game-theoretic methods. Nash equilibria of corresponding games show (see [1]) that scenarios with selfish and malicious abonents are more optimistic as compared with the case of cooperative and malicious ones. At the first glance this might seem to be a paradox. In fact, this point of view is based on the common belief that the best thing to do for providing information security is to establish a centralized hierarchical service. But there is no justification for this opinion. Mathematical results suggest the next hypothesis: chaotic nature of large scale networks turns out to be the best defence against malicious behaviour of abonents. 5. Law enforcement In the context of cybercrime law there is an extensive discussion of how this should work. And no attention is paid to the main question: what can be taken by a court as an evidence of cybercrime. Consider a simple example of a mathematical model for electronic watermarks (in literature a misleading term "digital watermarks" is used). An owner of intellectual property that exists in electronic form wants to prove to arbiter that a file in question has e-watermark embedded by him (the owner). To this end he exposes to arbiter some private information that might be a multi-megabyte string. Then a complicated program runs on these data for hours and finally outputs owner's copyright. What should an arbiter do in such a case? An acceptable proof might look like this. An owner shows to arbiter a picture and says: replace all blue and yellow pixels by white, red and green by black ones and then in the right upper corner you would find my hand-written signature. Note that we consider an idealized model where everything has rigorous mathematical definitions. But the problem of arbitration is not solved. Nothing to say about real-life "evidence" of cybercrime.
284

Forum_1.indd 284 Forum_1.indd 284

22.10.2014 13:40:42 22.10.2014 13:40:42


6. Conclusion The general line of research in the field of information security is as follows: · for given sets of applications and threats define a mathematical model; · in this model study existence of solution to the information security problems; · in the case of positive answer devise appropriate methods and systems. Note that in the general case situation changes drastically as compared to the case of secure data transmission. There is no hope for general solutions or standards. In the worst possible scenario each new application would require a complete R&D cycle. Negative results are proved in mathematical models. This means that solutions do not exist even in idealized settings. In real-life scenarios no "clever solutions" are possible due to the main threat. References
[1] Tansu Alpcan and Tamer Baar. Network Security: A Decision and Game Theoretic Approach. Cambridge University Press, 2011. [2] Boaz Barak, Oded Goldreich, Russell Impagliazzo, Steven Rudich, Amit Sahai, Salil Vadhan, and Ke Yang. On the (im)possibility of obfuscating programs. J. ACM, 59(2):6:1­6:48, May 2012. [3] Claude E. Shannon. Communication theory of secrecy systems. Bell System Technical Journal, Vol. 28, pp. 656­715, October 1949. [4] Gustavus J. Simmons. Subliminal communication is easy using the DSA. In Tor Helleseth, editor, EUROCRYPT'93, volume 765 of Lecture Notes in Computer Science, pages 218­232. Springer, 1993. [5] Marten van Dijk and Ari Juels. On the impossibility of cryptography alone for privacy-preserving cloud computing. In Proceedings of the 5th USENIX Conference on Hot Topics in Security, HotSec'10, pages 1­8, Berkeley, CA, USA, 2010. USENIX Association.

285

Forum_1.indd 285 Forum_1.indd 285

22.10.2014 13:40:42 22.10.2014 13:40:42


Eighth International Forum «Partnership of State Authorities, Civil Society and the Business Community in Ensuring International Information Security» and Ninth Scientific Conference of the International Information Security Research Consortium April 21­24, 2014. GarmischPartenkirchen, Munich, Germany, 2014. -- Moscow: Moscow University Press, 2014. -- 288 p. The proceedings of the Eighth International Forum «Partnership of State Authorities, Civil Society and the Business Community in Ensuring International Information Security» and the Ninth Scientific Conference of the International Information Security Research Consortium include reports by leading domestic and foreign experts engaged in research of Information security, Cybersecurity and International Information security. Key words: Information security, Cybersecurity, International Information security, Critical Infrastructure protection, International Law, International Humanitarian Law, Cyberconflicts, Cyberwar.

Forum_1.indd 286 Forum_1.indd 286

22.10.2014 13:40:42 22.10.2014 13:40:42


« , » 21­24 2014 -,

17.10.2014. 60â901/16. . . . . . . 18,0. .-. . 14,93. 200 . . 10 274. 0000. . 125009, , . . , 5. .: (495) 629-50-91. : (495) 697-66-71. .: (495) 939-33-23 ( ). E-mail: secretary-msu-press@yandex.ru : www.msu.ru/depts/MSUPubl2005 -: http://msupublishing.ru : , . , 11 ( , ). E-mail: izd-mgu@yandex.ru. .: (495) 939-34-93 . 119991, -1, , , . 1, . 15

Forum_1.indd 287 Forum_1.indd 287

22.10.2014 13:40:42 22.10.2014 13:40:42


Forum_1.indd 288 Forum_1.indd 288

10.11.2014 12:17:00 10.11.2014 12:17:00