Two cyber warfare trends are catching the eye, but both raise the same major question. First, cyber attacks have been democratised in recent years because of social media and easy to use denial of service attack (DDoS) tools. Popular armies have returned, made up not of a mass of bodies charging, a Clausewitzian centre of gravity on a field, but constituted by curious and enthusiastic citizens on the internet. As William Merrin argued at a keynote in 2009, security has been crowdsourced. US officials set up webcams along the Mexico border so that citizens can sit at leisure and watch for shadowy figures moving through the desert (and they do watch). Other national leaders have encouraged citizens to launch DDoS attacks against strategic targets. Sometimes, ordinary people just feel the urge to participate without any guidance, for instance the ‘Help Israel win’ group of students who targeted Hamas in the 2008-09 Gaza conflict. If thousands or even millions of people act collectively this way, where does legal responsibility lie for any harm caused? Is there legal responsibility for encouraging people to participate? Are people using digital media today out of patriotic gusto in ways that will later incriminate them?
Second, news media have reported a new super-cyber-weapon this week, the first digital nuke, apparently capable of destroying real-world objects. Previous malware just shut down systems or stole data. Once this new piece of malware touches a digital system (e.g. through a USB stick) the malware itself secretly takes control of the system, and can make it destroy whatever it is managing – a bank, a nuclear plant, whatever you can imagine. The designer can tell it what to target, but thereafter the software does its own thing. In terms of responsibility, whoever funds, designs and delivers such a weapon would seem the locus of responsibility. But not many nations have the expertise to detect such software. Successful attacks would just seem like industrial mishaps. Expect reports of mystery explosions near you (especially if you live in Iran).
Where does this leave international law? We’ve caught up with World War II and the regulation of mass armies and nukes. Who has the technical expertise, political will and diplomatic savvy to draw up laws for a world of crowdsourced armies and weaponized software?
Ben, Hi. Doesn't the Stuxnet worm tends to show that responsibility has not been crowd-sourced or “democratized” at least for the most serious types of cyber weapons? It seems unlikely that a worm designed specifically to attack Siemen's industrial computer systems in Iran which are not connected to the Internet for security reasons could have or would have been written by anyone not working for a state.
Vikash: agreed. My point is that we're getting both mass (crowdsourced) and elite/state high-end cyberwar trends, but both raise difficult questions about identifying and attributing responsibility and then holding actors to account. Even if we work out which state developed stuxnet and targeted Iran, if this is really what happened, who can, should and will take legal action against them?
Ben: thanks for the clarification. But I am still a bit confused about the idea of taking legal action against whoever created the Stuxnet worm. Stuxnet seems to be oriented toward sabotage. I don't recall states responding to sabotage of this magnitude (which is most likely orchestrated by a team of advanced programmers working for a state intelligence agency) with legal action. The most likely response of Iran will be to either accept the underlying threat being communicated or respond on the same plane of action.
This is a very interesting article and, while all the legal points you raise are just, don't you think that, overall, “cyberwar”, “cyberterrorism” as well as all the other rather new and, from the public's point of view, interesting terms and phrases, as well as the discourse surrounding them, make the problem of cyber warfare seem bigger than it really is?
I'm wondering because, whereas some experts say it's going to be the biggest change in warfare since the invention of guns, others, equally qualified experts in both the political and technical domain, say that, if at all, “cyberwar”, as in one state hacking another state, will be one of many weapons used. The tend to argue that, once you get town to the nitty-gritty technicalties of actually getting into a network and making it work (or not work!) for your own purposes, you will find that this is an incredibly difficult, if not impossible, task: it is unreliable (one may not succeed and/or be detected, and then what?) and it's damage is often temporary (that is, it can be repared/reproduced – like, for example, a banking system).
What it is, though, it is new, kind of sexy and, above all, scary (all those semi-apocalyptical scenarious we've all heard of), especially, because, if an attack were to occur, we won't know what hit us, just as you say! States' wouldn't know who to punish, making them a look helpless and exposed. Together that adds up to a nice recipe that politicians and the media can make a meal of: those who pose the question, identify the problem can then act on it in the name of security.
Do you have any thoughts on that?