A Rx to prevent cyberwars: Declare cyberattacks war crimes and all state sponsored cyberattack participants personally liable.
The world is dependent on computers and the internet. This has changed the way we think, work and interact including the way nations make war and maintain peace. The term “cyberwars” has entered our lexicon. New norms of behavior have to be agreed upon and new criminal statutes enacted to respond to this change, including a new definition of “war crimes” for the digital world.
A war crime is a disregard for human life, a serious violation of the law of war [a true non-sequitur] which, in the context of cyberwarfare, includes the intentional killing of civilians, destruction of civilian property, the use of weapons causing superfluous injury and unnecessary suffering, causing great suffering or serious injury to body and health which, most importantly, gives rise to individual criminal responsibility.
Cyberwars are no longer hypothetical war games, they are real. In 2006 a joint US Israel program used computer cyber-weapons to attack, disable and delay Iran’s nuclear program. That year Aramco, Saudi Arabia’s national oil company was attacked and 30,000 computers were compromised and rendered inoperative; in the United States a denial of service attack froze the operations of major financial institutions; between 2010 and 2014 the US Department of Energy computer systems were “successfully compromised … more than 150 times”; in 2007 “the government of Estonia was subjected to cyber terrorism … by the Nashi, a pro-Kremlin group from Transnistria.”
In October, 2013 the Secretary of Defense warned that the United States was facing a “cyber-Pearl Harbor” that could destroy our communications systems, power grids, financial networks, military defense networks, basically the whole shebang by compromising our computers using cyber weapons and the internet. “An aggressor nation or extremist group could use these … cyber tools to gain control of …” critical assets, wreak havoc and “let loose the dogs of war”.
That December The New York Times and The Wall Street Journal reported that their websites, editors and reporters had been hacked by the Chinese government, its agencies or by individuals under their control “seeking to control the free flow of information”.
Also in 2013 Germany, our NATO ally, formally announced the establishment of a 130 hacker-strong “Computer Network Operations Unit”, part of the BND, the intelligence agency, which would act as a cyber defense unit and have “enhanced capabilities” presumably offensive in nature.
In retrospect, the era of the “drone war” was short and geographically limited to low tech regional conflicts, Somalia, the South Sudan, Eritrea, Ethiopia. There are new weapons to deploy. The New York Times reported [“Broad Powers Seen for Obama in Cyberstrikes”, February 4, 2013] that “a secret legal review on the use of America’s growing arsenal of cyber-weapons has concluded that President Obama has the broad power to order a pre-emptive strike”, a marked escalation from the severely limited capabilities of a drone attack now that we have abandoned the folly of inter-continental ballistic missiles.
Not all cyber actions are designed to destroy; some are limited to propaganda, mischief and misinformation. The 2016 presidential election has demonstrated the ability of a foreign power to influence and manipulate the course of domestic events. No one was killed, no property was destroyed but nevertheless this was an attack on the sovereignty of a nation state. Yet even when designed not to bring about physical harm a cyber-attack can inadvertently cause disaster. “Olympic Games” the joint US Israeli effort to thwart Iran’s nuclear program used a cyber weapon, a “worm”. The “worm” went rogue and went on a rampage infecting computers worldwide. Had the rogue worm sabotaged a nuclear device Teheran would have been a new Hiroshima.
Governments have adopted an “if you fuck with us and our computers, we will fuck with you and yours” attitude. Once a cyber incursion has been detected, such as the hacking of the Democratic National Committee emails or the Grizzly Steppe Russian malware detected on Vermont’s Burlington Electric’s electric grid, traditional diplomatic sanctions are brought into play – in an exchange of volleys, diplomats are expelled, economic restrictions imposed, a tit for tat response that gets the guilty participants off the hook.
This does not begin to address the issue: cyberwars by design are attacks upon civilian populations and civilian infrastructures; only collaterally do they affect military command and control.
To deter attacks on civilian targets the international community must institute an across the board prohibition of state sponsored cyber warfare. If not we will repeat the cold war with each state enhancing its cyber defenses while maximizing its offensive capabilities. Even if such a consensus is reached there will be rogue states that will violate the letter and the spirit of such measures – witness North Korea, Israel and Iran violating nuclear non-proliferation regimes and Security Council resolutions.
The Second World War made the point that collective guilt cannot be punished – you can’t judge all Germans guilty of war crimes even though many were complicit. That’s why the elements of a “cyber war crime” must have “individual responsibility” as a starting point, as a warning and deterrent.
I spent five years living with war crimes and war criminals as defense counsel before the International Criminal Tribunal for the former Yugoslavia [ICTY], the ad hoc United Nations court at The Hague. I was not present when the crimes were committed, I was present when the accused was confronted by witnesses and evidence, convicted or found not guilty. I listened to testimony, reviewed evidence, interviewed witnesses and victims; so I have more than a casual acquaintance with the issues. Unlike Nuremberg, the ICTY’s mandate was to demonstrate that an individual’s position no longer afforded protection from prosecution and that guilt was an individual burden.
The operative language of the ICTY indictments was that the accused “planned, instigated, ordered, committed, or in whose planning, preparation or execution [the accused] otherwise aided and abetted” making him/her/them personally and individually liable for the war crime charged.
International law has failed to address individual criminal responsibility in cyber conflicts. The Tallinn Manual on the International Law Applicable to Cyber Warfare, an “academic, non-binding study on how international law … applies to cyber conflicts”, a NATO sponsored effort, is command responsibility sensitive. It ignores the issue of individual liability and tries to apply outdated brick and mortar rules to the digital age. Likewise domestic law is hobbled by common criminal considerations: wire fraud, mail fraud, bank fraud, interception of communications, computer hacking, identity theft etc. – see Title 18 United States Code § 1343 et seq. A fresh approach is needed.
A blanket, top to bottom chain of command – head of state, defense minister, joint chiefs of staff, corps commander, bureau chief, team leader, lowly hacker – individual and collective guilt of war crimes in the event of participation in a cyber-attack. That’s my prescription for the prevention of cyberattacks and cyberwars.
Deyan Ranko Brashich is a contributor writing from New York. He is the author of Letters from America, Contrary Views and Dispatches. His contact and blog “Contrary Views” is at www.deyanbrashich.com