In May 2008, following sustained nation-state levels of cyberattacks on Estonia, James Mattis, NATO's supreme allied commander and a U.S. Marine Corps general, described the need for a cyberdefense center to be “compelling.” The aim was to “provide a capability to assist allied nations, upon request, to counter cyberattack.” By October, the center was granted full NATO accreditation and the Cooperative Cyberdefense Center of Excellence (CCDCOE) obtained the status of an international military organization.
Since then the agency has sought to enhance the capability, cooperation and information sharing among NATO nations and partners in cyberdefense via education, research and development, lessons learned and consultation. In particular, the Tallinn Manual on the International Law Applicable to Cyber Warfare – compiled for the CCDCOE with contributions from around 20 experts and published in April 2013 – aims to establish international law applicable to cyberwarfare.
“The 2007 cyber operations against Estonia and the 2008 cyber events in Georgia demonstrated that this new medium of future warfare should be taken seriously,” says William Boothby, an editor on the Tallinn Manual and a former deputy director of legal services in the U.K.'s Royal Air Force (RAF). The Stuxnet operation that reportedly damaged Iranian nuclear centrifuges reinforced the point, he adds.
“Many of the established legal principles apply surprisingly well to this man-made environment,” Boothby says. “Certain cyberevents could amount to a prohibited use of force under the UN Charter and they even amount to an ‘armed attack.' The law as to what warring parties can attack assumes that there is an act of violence. When using computers to cause harm, the experts concluded that it is the damaging or injuring effects of a cyberoperation that are important. Consequently, laws as to who or what may be attacked can also sensibly be applied to cyberwarfare operations. If the law on attack can be applied to cyberattacks, the law on weapons can also be sensibly applied to cyberweapons.”
Jamal Elmellas (left), technical director at Auriga Consulting, says that worldwide the most targeted verticals are government, energy, financial services and higher education. “We're already seeing sensors deployed on gas and electricity pipelines to monitor supply,” he says. “These are based on IP and could be susceptible to attack. In addition to the increased attack surface, the stakes are also higher with intellectual property – now a prized asset and key motivator.”
But investment in security hasn't kept pace, says Elmellas. “Many of the energy companies have inadequate risk management security policies and even fail to maintain updated anti-virus solutions. In the U.K., around 100,000 new pieces of malware are introduced every day. It can only be a matter of time before an attack against an entire nation's energy sector manifests itself.”
Examples include Stuxnet, Disttrack/Shamoon (targeting Saudi Aramco); Icefog (hired hackers focused on the supply chain); and Flame (a trojan aimed at the Iranian and Eastern European energy sectors). Typically these were zero-day attacks, used intelligent sector targeting and were aimed at the weakest link to exploit integration weaknesses.
“These attacks require weaknesses to be addressed and security implemented throughout the organization, from a secure code development lifecycle to holistic security governance covering all aspects – from power delivery to billing,” Elmellas explains. Secure communication mechanisms, he adds, are a must as is resilience testing for new technology introduced to the network (think tamper protection for field components such as smart meters). As well, he advises that incident management processes should be put in place and isolation readiness addressed in the event that a breach does occur.
Further, he suggests that the energy sector build a tiered security strategy into the design phase of all critical national infrastructure (CNI) control systems, embedding multi-firewall mechanisms and anti-virus into complex technological solutions, ensuring protection by spreading the load and placing targets across multiple platforms. Adopting a context sector-specific approach to the gathering of intelligence is vital, as is responsive risk management.
CCDCOE has also considered the moral issues of what is acceptable and unacceptable. Should cyber only be for retaliation? What about the impact on civilians when power stations or water facilities are attacked or their information accessed? Can it be justified?
Kristina Pennar, public affairs specialist at CCDCOE, says that using cyber for attack is a political issue which depends on the policies and strategies of a nation.
But, Bob Tarzey, director at research and analysis firm Quocirca, says, “The considerations are the same as for any decision regarding an offensive. In the court of public opinion, right and wrong can be pretty grey.”
International law divides the use of force into two main categories, going to war and the use of force once you are involved in war, says Eric Talbot Jensen, a professor at Brigham Young University Law School. His recent paper, “Future War, Future Law,” makes the case that advancing technology will dramatically affect the weapons and tactics of future armed conflict, including the places where conflicts are fought, the actors who will be in opposition, and the methods by which the battles are fought. He contends that cyber ought not to be left to retaliation.
“Cyber activities present ways to accomplish political goals that we could otherwise only accomplish with more violent means, such as bombs.” He points to Stuxnet, saying that the only alternative to stop Iran's nuclear development would have been to use military force.
“The law that limits attacks or damage to civilians is called the principle of proportionality,” Jensen adds. “Commanders deciding to make an attack that may cause injury or death to civilians or damage to civilian property, must be convinced that the death or damage will not be excessive to the military advantage anticipated.” One of the great attractions of cyber is that it will produce less collateral damage if it is precisely targeted, he says.
Sean Watts, a law professor at Creighton University School, whose primary research is international legal regulation of emerging forms of warfare, agrees. In a cyber context, proportionality would require an attacker to conduct some reconnaissance of its intended target to discover whether civilians or civilian infrastructure might be harmed, he says. “Cyber attacks may not be directed at civilians unless those civilians are participating directly in hostilities.”
Before launching any pre-emptive or retaliatory attack, all of the facts must be in hand – something that can only be achieved by understanding every piece of activity that takes place across a network, says Gordon Moulds, a strategic adviser for LogRhythm and a former air commodore for the RAF. “Only with in-depth knowledge can the scale of attack be understood, as well as increased accuracy of attribution.”
While in some instances collateral damage is inevitable, everything possible must be done to avoid it, Moulds says. He contends that in most instances the use of cyber will significantly reduce the likelihood of collateral damage compared with traditional methods – unlike in some recent conflicts where many ‘targets' were bombed with no thought to the consequences in cost and time to rebuild, resulting in a population worse off. “Cyberdisabling of a power station could be for a short duration and could prove to be a positive propaganda tool,” he says.
The growth in cyberattacks is certainly increasing, Moulds says, not only in terms of regularity, but also in sophistication. Part of the problem, he says, is that many systems simply aren't designed for the connected world we now live in – and this is particularly true of SCADA systems. Control system security has traditionally been limited to physical assets, rather than cybersecurity, given that when the systems were developed internet use was yet to be commonplace.
“Every single piece of activity that takes place over a network must be monitored in real time,” adds Moulds. With proactive, continuous monitoring in place, deeper visibility is granted and ‘normal' behavior can be baselined. “With this level of insight, any anomalous activity can be identified immediately and mitigation strategies executed.”
For this to occur, he adds, it is essential that every single piece of information available is gathered and shared with the necessary people in order for any defense to be effective. “It pays to know exactly what is happening on your own doorstep, rather than concentrating on what others are doing.”
However, based on his own experience as commander of Kandahar Airfield, he questions the extent to which real cooperation is taking place, comparing cyber to physical intelligence. There were 46 nations on his base, he explains, and many had their own intelligence and were unwilling to share it for various reasons. “After raising concerns about the severity of this situation we gained access to other nations' intelligence and it was only when all the pieces of the jigsaw puzzle were put together that we were able to fully analyze and assess what was likely to happen.”
A planned attack was foiled within days of this being implemented, he says. “It was only thanks to the joined-up intelligence that it was possible, showing how essential co-operation is and how important it is to have the full picture.”
A version of this article originally appeared in SC Magazine UK.