In the last two decades, the world has seen a rapid digitalization of services, both in civil society and state functions, thanks to the Internet and to the world wide web. As much as this is considered a positive evolution in terms of connectivity, this spreading interdependence also entails new risks.
In fact, the ever-growing role of technology in our daily lives creates a vulnerability that actors with malicious intentions can exploit, whether they come from the public or the private sector.
The more services are moved online, the more society becomes vulnerable to offences from and towards computers. In particular, a sensitive target is what is called the ‘Internet-of-things’, or IoT. The Internet-of-things is the network of interconnected, computer-based physical-world devices that we use every day, its components ranging from webpages to smartphones, from pacemakers to navigation systems. An attack targeting the IoT of a specific country can shut off essential utilities, like ATMs or hospital machines.
The first mass-scale cyberattack on a nation occurred at the end of April 2007, when Estonia was hit by hackers, allegedly backed by the Kremlin, who shut down the main government and news outlet sites by flooding them with requests coming from a network of infected computers. For three weeks, cyberattacks flowed to the country and blocked many important sites, and the attempts by both Estonian and NATO experts to permanently stop the stream of requests proved successful only in mid-May.
Cyberattacks aimed at a country and sponsored by another state’s institutions raise a compelling issue: is a virtual offence like the one aimed at Estonia so aggressive an act that it allows the victim to respond with a military intervention?
The case of the attack on Estonia may seem negligible if we consider the reason that unleashed it, namely the removal of a Soviet-era statue from the center of Tallinn to a military cemetery. But other examples reveal a more concerning usage of technology: this is the case with the Stuxnet malware (malicious software), detected on Iranian nuclear plants’ computers in 2006.
This computer worm was allegedly planted by the American government, supposedly in collaboration with the Mossad. It was spread via Microsoft Windows to the nuclear plant of Natanz, situated in the central region of Iran. The malware did little harm to the infected computers, but was potentially very dangerous: in fact, its function was to modify the signal sent from centrifuges separating nuclear materials to PLCs (programmable logic controllers, computers used to direct assembly lines of all kinds).
Briefly, the worm was able to gradually increase the speed of the centrifuges and make them spin out of control, while showing the PLCs the normal speed and temperature values that had been recorded in the initial phase of the attack. This offense destroyed one fifth of Iranian centrifuges, since the virus spread to other nuclear plants in the country before being detected and neutralized.
The most concerning fact, however, is that this malware can be adapted to control almost any kind of industrial plant, since PLCs are used in many different production lines. Therefore, a cyberattack that uses a worm similar to Stuxnet could paralyze the entire industrial system of a country.
These types of operations are a source of tension in the international community. Nevertheless, victims of cyberattacks cannot pinpoint exactly who the instigator of the offence is, as in the Estonian and the Iranian attacks. In both cases it was impossible to find undeniable evidence that the hackers responsible for the attacks were backed by the Russian and the American governments.
Using a proxy is, indeed, one of the benefits of cyberwarfare: the attacks are very effective, but thanks to the anonymity that cyberspace offers, offenders still retain a believable level of deniability.
The most problematic feature of cyber-warfare, however, is the one that also prevents finding a clear response to cyber-attacks: its lack of a clear and specific definition. Of course it is clear what a cyber-attack concretely is; what is still nebulous is its status under international law or under the law of war. This ambiguity is not accidental, because once a clear-cut interpretation is established, it will bind governments to react accordingly, increasing the risk of an escalation towards a full-blown conflict.
When it comes to ius ad bellum (which regulates whether a country may resort to war to solve a dispute) and ius in bello (which is the code of conduct that the belligerent parties have to follow), it is difficult to categorize certain types of cyber operations under the traditional divisions imposed by classic war theory. For instance, are cyberattacks an acceptable reason to wage war against a country that is sponsoring them?
The answer to this question has important concrete consequences: if a particularly powerful virtual offence is directed towards a NATO Member State by a governmental actor, would this be enough to trigger Article 5 of the North Atlantic Treaty, the so-called ‘collective defense clause’? A positive answer to this dilemma, officially recognized under international law, would significantly increase the risk of escalation and aggressive behavior, augmenting the tensions of an already strained international environment.
The nature of cyberwarfare is that it can be a reason to declare war against an enemy but, at the same time, it will not be the only tool with which the conflict is carried out. In fact, virtual attacks just add one layer of weapons available for battle, but they are not substitutes for traditional fighting techniques.
Even though physical war will probably always exist, the causes that can unleash it have changed over time. According to the Worldwide Threat Assessment Record composed by the US Office of the Director of National Intelligence, cyber threats are the top global threat to international security, and they have been in first position since 2014.
Given the perception of the cyber domain as both a helpful instrument and a looming danger, it is necessary for states to elaborate a clear strategy in order to be ready and prepared to deal with these kinds of challenges, especially when it comes to external interference in national elections.
Regulation of cyberwarfare is necessary, even if it proves to be a double-edged sword: fundamental to national security, but also potentially dangerous. Transnational by nature, cybercrime needs to be tackled with an international cooperation approach, especially since in the last few years it has been used to interfere in national elections.
Cybercrime and cyberattacks are considered a threat to the core values of societies, such as the rule of law or respect for human rights, but cooperation in this field is still limited. The main instrument in dealing with this issue is the 2001 Budapest Convention of the Council of Europe, which is legally binding for the 60 countries that ratified the agreement. The Convention on Cybercrime aims to set up a regime of collaboration via harmonization of national laws and by providing means to national authorities, so they can effectively counteract virtual felonies. The whole process is organized and supervised by the Cybercrime Convention Committee.
Given the sensitive subject, the reaching of the agreement and its widespread ratification are remarkable. However, the Budapest Convention has evident limits. For instance, it was written in 2001, almost 17 years ago, and in the realm of technology changes occur at an impressive speed that needs to be matched by policy makers looking to regulate it.
Another remarkable effort is the Tallinn Manual, and its updated version Tallinn Manual 2.0, an academic non-binding study written by a group of twenty experts at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence. This research focuses on the implications and the influences that the cyber world has on national security and how these threats should be faced. Despite its interesting and innovative content, the Manual is not binding, and it does not impose a code of conduct or a set of rules that states are forced to follow.
The attention that the most powerful countries give to cyberwarfare and cyberspace in general demonstrates that they represent a huge part of our lives, as sources of both positive innovation and threats. However, policymakers do not give the same amount of consideration to the need to find a clear definition and set precise rules to regulate this issue.
Governments are taking advantage of the grey area around the discussion of cyber threats and cyberattacks. While on the one hand there is exposure to huge vulnerabilities, on the other there is also the possibility of using these instruments to obtain precious information or to sabotage enemies in a subtler way than traditional tools allow. But how long can this situation last? Is there going to be a huge attack that will set off the will to finally regulate?
For now, the only certain answer is that cybercrime and cyber threats are not disappearing, and the battle to find new vulnerabilities will only become harsher as technology quickly continues to develop. For this reason, some may say that states have the responsibility to protect their citizens by ceasing to take advantage of ambiguities and finally starting to set updated, detailed and binding common rules.