Arming for Virtual Battle The Dangerous New Rules of Cyberwar
Now that wars are also being fought on digital battlefields, experts in international law have established rules for cyberwar. But many questions remain unanswered. Will it be appropriate to respond to a cyber attack with military means in the future?
The attack came via ordinary email, when selected South Korean companies received messages supposedly containing credit card information in the middle of the week before last.
Recipients who opened the emails also opened the door to the enemy, because it was in fact an attack from the Internet. Instead of the expected credit card information, the recipients actually downloaded a time bomb onto their computers, which was programmed to ignite on Wednesday at 2 p.m. Korean time.
At that moment, chaos erupted on more than 30,000 computers in South Korean television stations and banks. The message "Please install an operating system on your hard disk" appeared on the screens of affected computers, and cash machines ceased to operate. The malware, which experts have now dubbed "DarkSeoul," deleted data from the hard disks, making it impossible to reboot the infected computers.
DarkSeoul was one of the most serious digital attacks in the world this year, but cyber defense centers in Western capitals receive alerts almost weekly. The most serious attack to date originated in the United States. In 2010, high-tech warriors, acting on orders from the US president, smuggled the destructive "Stuxnet" computer worm into Iranian nuclear facilities.
The volume of cyber attacks is only likely to grow. Military leaders in the US and its European NATO partners are outfitting new battalions for the impending data war. Meanwhile, international law experts worldwide are arguing with politicians over the nature of the new threat. Is this already war? Or are the attacks acts of sabotage and terrorism? And if a new type of war is indeed brewing, can military means be used to respond to cyber attacks?
The War of the Future
A few days before the computer disaster in Seoul, a group led by NATO published a thin, blue booklet. It provides dangerous responses to all of these questions. The "Tallinn Manual on the International Law Applicable to Cyber Warfare" is probably no thicker than the American president's thumb. It is not an official NATO document, and yet in the hands of President Barack Obama it has the potential to change the world.
The rules that influential international law experts have compiled in the handbook could blur the lines between war and peace and allow a serious data attack to rapidly escalate into a real war with bombs and missiles. Military leaders could also interpret it as an invitation to launch a preventive first strike in a cyberwar.
At the invitation of a NATO think tank in the Estonian capital Tallinn, and at a meeting presided over by a US military lawyer with ties to the Pentagon, leading international law experts had discussed the rules of the war of the future. International law is, for the most part, customary law. Experts determine what is and can be considered customary law.
The resulting document, the "Tallinn Manual," is the first informal rulebook for the war of the future. But it has no reassuring effect. On the contrary, it permits nations to respond to data attacks with the weapons of real war.
Two years ago, the Pentagon clarified where this could lead, when it stated that anyone who attempted to shut down the electric grid in the world's most powerful nation with a computer worm could expect to see a missile in response.
A Private Digital Infrastructure
The risks of a cyberwar were invoked more clearly than ever in Washington in recent weeks. In mid-March, Obama assembled 13 top US business leaders in the Situation Room in the White House basement, the most secret of all secret conference rooms. The group included the heads of UPS, JPMorgan Chase and ExxonMobil. There was only one topic: How can America win the war on the Internet?
The day before, Director of National Intelligence James Clapper had characterized the cyber threat as the "biggest peril currently facing the United States."
The White House was unwilling to reveal what exactly the business leaders and the president discussed in the Situation Room. But it was mostly about making it clear to the companies how threatened they are and strengthening their willingness to cooperate, says Rice University IT expert Christopher Bronk.
The president urgently needs their cooperation, because the US has allowed the laws of the market to govern its digital infrastructure. All networks are operated by private companies. If there is a war on the Internet, both the battlefields and the weapons will be in private hands.
This is why the White House is spending so much time and effort to prepare for possible counterattacks. The aim is to scare the country's enemies, says retired General James Cartwright, author of the Pentagon's current cyber strategy.
Responsible for that strategy is the 900-employee Cyber Command at the Pentagon, established three years ago and located in Fort Meade near the National Security Agency, the country's largest intelligence agency. General Keith Alexander heads both organizations. The Cyber Command, which is expected to have about 4,900 employees within a few years, will be divided into various defensive and offensive "Cyber Mission Forces" in the future.
Wild West Online
It's probably no coincidence that the Tallinn manual is being published now. Developed under the leadership of US military lawyer Michael Schmitt, NATO representatives describe the manual as the "most important legal document of the cyber era."
In the past, Schmitt has examined the legality of the use of top-secret nuclear weapons systems and the pros and cons of US drone attacks. Visitors to his office at the Naval War College in Rhode Island, the world's oldest naval academy, must first pass through several security checkpoints.
"Let's be honest," says Schmitt. "Everyone has treated the Internet as a sort of Wild West, a lawless zone. But international law has to be just as applicable to online weapons as conventional weapons."
It's easier said than done, though. When does malware become a weapon? When does a hacker become a warrior, and when does horseplay or espionage qualify as an "armed attack," as defined under international law? The answers to such detailed questions can spell the difference between war and peace.
James Lewis of the Washington-based Center for Strategic and International Studies (CSIS), one of the country's top cyberwar experts, is somewhat skeptical about the new manual. He sees it as "a push to lower the threshold for military action." For Lewis, responding to a "denial of service" attack with military means is "really crazy." He says the Tallinn manual "shows is that you should never let lawyers go off by themselves."
Claus Kress, an international law expert and the director of the Institute for International Peace and Security Law at the University of Cologne, sees the manual as "setting the course," with "consequences for the entire law of the use of force." Important "legal thresholds," which in the past were intended to protect the world against the military escalation of political conflicts or acts of terror, are becoming "subject to renegotiation," he says.
According to Kress, the most critical issue is the "recognition of a national right of self-defense against certain cyber attacks." This corresponds to a state of defense, as defined under Article 51 of the Charter of the United Nations, which grants any nation that becomes the victim of an "armed attack" the right to defend itself by force of arms. The article gained new importance after Sept. 11, 2001, when the US declared the invasion of Afghanistan an act of self-defense against al-Qaida and NATO proclaimed the application of its mutual defense clause to come to the aid of the superpower.
- Part 1: The Dangerous New Rules of Cyberwar
- Part 2: Changing the Logic of War
© SPIEGEL ONLINE 2013
All Rights Reserved
Reproduction only allowed with the permission of SPIEGELnet GmbH