Malicious Life, episode 21 - The Legalities of the Cyber War

Catching a criminal is by no means easy, but there’s something we take for granted in any crime: that the criminal has a face and a name, that they used a specific weapon on a specific target, and that the crime had ended once it was complete.  

But what about a crime without a clear perpetrator, an unseen weapon, and an effect felt by far more people and far longer than it may have intended? What evidence would you present to a jury if their weapon was invisible, and their victim not one but one million people, most of whom may not even be aware they’ve just been attacked?

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 10 million downloads as of Aug. 2017.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Graham Cluley

Blogger, podcaster, researcher

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon’s. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Liis Vihul

Chief Executive Officer of Cyber Law International

Ms. Liis Vihul is the Chief Executive Officer of Cyber Law International. She is also a member of the Estonian delegation at the United Nations Group of Governmental Experts on Information and Telecommunications in the Context of International Security, serves as the co-editor of the International Humanitarian Law Group in the Manual on International Law Applicable to Military Uses of Outer Space project, and is an Ambassador of the NATO Cooperative Cyber Defence Centre of Excellence.

Episode transcript:

Q: So you were witness to the crime committed that day?

A: Yes.

Q : Can you describe the incident for the jury?

A: Well, it was dark and it happened far away.  So I didn’t see much. All I know is there was an altercation, and one person left running with a bag while the other laid on the ground.

Q: What did the perpetrator look like?

A: I don’t know–he wore a mask and all-black clothing.

Q: Did you hear him say anything?  What did he sound like?

A: I-…I’m not sure.  His voice sounded deep, but I couldn’t discern an accent, and for all I know he could’ve just been faking a deep voice to sound more threatening.

Q: Did he use any sort of weapon?

A: Umm…maybe he had a gun?  I feel like he might have, but I couldn’t really tell.

Q: So what do you know about what happened?

A:

Q: Great…

We’ve all seen those corny courtroom procedures before.  A poor woman is found dead, a couple of seasoned lawyers with witty one-liners run evidence and cross-examine nervous witnesses on the stand, and ultimately some creepy-looking guy is locked up.

Catching a criminal is by no means easy, but there’s something we take for granted in our television shows: that the criminal has a face and a name; they used a specific weapon on a specific target; certain clues reveal why they did it; that the crime even ended once it was complete.  But what about a crime without a clear perpetrator, an unseen weapon, and an effect felt by far more people and far longer than it may have intended? What evidence would you present to a jury if their weapon were invisible, and their victim not one but one million people, most of whom may not even be aware they’ve been attacked?

Law & Cyberspace

If there’s one through line to every episode in season 2 of this show, it’s that the immaterial, ethereal nature of cyberspace makes it really difficult to figure out how to address the issues that come with future cyber warfare.  In few domains is this more true than in law, where specificity, hard evidence and proof are everything. Is it even possible to address international cyber war from a legal perspective? Luckily, there are people working on this. But the issues they face are daunting.  Here’s Malicious Life veteran Graham Cluley on why addressing cyber weaponry from a government standpoint might be doomed from the start:

[GRAHAM: Well, you know, I think that any country which is considering entering some international agreement to restrict the use of cyber weapons or spyware, attacks on each other, albeit – or even different companies inside their states as well. I say good luck to them, but it’s never going to work because the fundamental difference between a cyber-weapon and a conventional weapon is that it’s so easy to mask where the attack has come from. With an internet attack, you can go through proxy computers, which could be based on a completely different country on the other side of the world.

So for instance, if you were China and wanted to attack American computer systems, you’re not going to launch that attack directly from Chinese computers. First of all, you’re going to hack into computers in – I don’t know where – Belgium and then you go from those computers in Belgium. You then compromise PCs in South Africa and from those computers, then maybe you hop around a dozen more times before finally, attacking the computers which you really want to attack, which are in the United States for instance.

So it’s really impossible and impractical for the Americans to determine who it might be who’s attacking them, looking at the pure evidence. Compare that to when you might have a missile launched against you. When satellites around the world in geostationary orbit can see where the missile was fired from. They can look up the evidence. They can track the missile through the air. You don’t have that luxury when it comes to cyber-weapons as well.”

You’d think that Chinese hacking of international corporations, Russian disinformation campaigns in Western elections, or United States spying on, well, basically everyone, would be the kind of things that set off world wars.  In reality, these things are happening all the time. The oddest part is that none of it even causes much serious backlash–maybe some stern talking-tos and a couple days’ news coverage when stories break, but that’s about it. When it comes to cyber warfare, the lines about what’s okay and what’s not, or even what constitutes war and what straddles that line, is basically up to whoever’s involved at any given time.  It is the Wild West of law. But why weren’t there rules to begin with, if international cyber espionage has been an issue for decades? It seems that, like with other related issues to cyber security, nations tend to be late to the game here. Luckily, small groups of people are attacking cyber legality head-on.

The Tallinn Manual

The unlikely hero of cyber warfare regulation and codification that’s emerged only in this past decade is the small Soviet-bloc nation of Estonia.  Estonia has a unique history in the cyber realm. For example: it is, per capita, arguably the most wired country in all of Europe, despite only being an independent state since 1991.

Some background: after exiting the USSR, with some help from Sweden, Estonia underwent rapid technological change that all came to a climax in April of 2007, when a botnet attack from pro-Russian hackers essentially shut down the country’s network.  The conflict began over the moving of a Soviet-era statue in Tallinn, from the city’s center to a war cemetery, but ultimately the incident was remembered long afterward as a reminder, to a country that grew its cyber footprint so fast, that doing so opened up whole new forms of danger.

This would set a precedent for why, after joining NATO in 2004, the small Baltic nation proposed an international cyber defense center, and brought nineteen experts in the field together to write the Tallinn Manual in its capital city.  The 250-page document was designed to outline, in as comprehensive and exact terms as possible, how existing international law applies to the cyber realm. In its own words, The Tallinn Manual analysis rests on the understanding that the pre-cyber era international law applies to cyber operations, both conducted by and directed against states. This means that that cyber events do not occur in a legal vacuum and states both have rights and bear obligations under international law.”

But I’m an Electronics engineer, not an expert in international cyber law.  Luckily, I got to speak with someone who is–more so than just about anyone else on the face of the planet:

[Liis Vihul – “I’m Liis Vihul. I’m an international lawyer from Estonia. Today, I run my own cyber capacity-building training and then consultancy firm at Cyber Law International and before that, before establishing my own company, I spent nine years at the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn where I was a senior analyst and I did research on international law including serving as the managing editor of the Tallinn Manual.”]

After three years of writing, the first Tallinn Manual was published in 2013, addressing some of the most major and dire potential international cyber conflict scenarios–like those involving state defense, or use of force and armed warfare.  Then a follow-up document, the Tallinn 2.0, was released in 2017, expanding on its predecessor to include rules regarding the handling of less major, more common cyber crimes.

So the Tallinn Manual is about as close today as anything is to providing a legal framework for nations engaging in cyber warfare.  The problem? The Tallinn book has only a little more jurisdiction than 50 Shades of Grey does over what nations actually do in cyber war.  Any discussion of the Manual has to be qualified by what it actually can do–provide a holistic legal guideline–and what it isn’t able to do–that is, put into practice or provide any actionable authority over these issues.

[Liis “The stated purpose is very modest and it does not have to do with codification. What we did in the Tallinn Manual was that we took all of the pre-existing or pre-cyber international law and asked the question. How did those legal rules that are not cyber-specific, they don’t have the word “cyber” in them and the classic example is the prohibition of the use of force under the UN Charter. The UN Charter says that states are not allowed to use force against other states. So what we did in the Tallinn Manual was that we took all those rules and asked, “What does it mean in the cyber context?”

For instance, that states are not allowed to use force. What is a cyber-use of force? And in going through all those various legal rules, our goal was just to create a tool for state legal advisers that would help them go through this legal analysis and so our goal was modest. We wanted to develop something that states that are either the victim of a hostile cyber-operation or states that are planning to engage in their own cyber-operations as they carry out the legal analysis of the operations. It would have a jumpstart to their analysis, something that would map the issues and would give them the various interpretations of international law in those specific circumstances.”]

So what the Tallinn Manual does is interpret existing laws, according to the views of its authors, not create any new ones or implement ways of enforcing anything.  Therefore, the document’s main function is as a framework for how such issues may be resolved in the future–a sort of first swing at problems that state actors will inevitably have to confront in the near future.

Not A Rulebook

But as we said earlier, the fact is that the rulebook can be scrapped in a moment, should a major power like the U.S., China or Russia force their will according to their own interpretations of international law.  In a sense, this is already happening today.

[Liis – “what needs to happen I think is that a lot of states need to do their homework now and they need to figure out for themselves which interpretations they want to do – want to take with respect to those gray areas of international law.”]

As of today cyber law, internationally and within the U.S., is something of a mixed bag.  On one hand, little real-life legislation has been passed by any major government body, even in the wake of, for instance, the 2016 Russian propaganda campaigns to influence American and European elections. In the past couple of years, few in American government have avoided being swept up in cyber issues from Russia, North Korea and China, and yet U.S. law hasn’t reflected the change in attitude.  Even if the U.S. or U.N. were to write formal legislation, it’s possible that we’re not yet at the point where such rules could be properly enforced. It’s not just that the United Nations has limited power to check major countries’ actions–as Graham mentioned earlier in this episode, the clandestine nature of cyber attacks means it’s much more difficult to provide sufficient proof to connect criminal and crime.  In fact, plausible deniability seems to be the foremost issue in creating cyber laws: when IPs are masked, malware is difficult to spot, and proxy hacker groups are used to do the bidding of military bodies, the levels of plausible deniability for countries engaging in cyber espionage is so deep that it’s hard to believe any well-executed effort could ever be properly tried and convicted in a court of law.

So, what’s international law worth if it can’t actually stop near-invisible crimes from nations of too-great power?  Where does one go from here?

Well, maybe there’s a way..Did you wonder at any point why the Tallinn’s authors designed it that way?  That perhaps it wasn’t just that they couldn’t enforce their laws, but that they actually meant to do something functionally different? After all, that’s what Liis herself is saying:

“The stated purpose is very modest and it does not have to do with codification.”

The Tallinn Manual has zero authority to police either nation’s actions in cyber warfare.  However, if the Tallinn or a similar legal framework were to become widely recognized and accepted among international bodies, it wouldn’t even have to enforce its rules to have an effect.

How To Create A Legal Language

[Liis: So why should states follow those rules?

There are a couple of answers to this question. One is the issue of reciprocity. In other words, states I believe have – should have a real interest in abiding by those rules because if they don’t then respect civilian cyber-infrastructure during armed conflict, then their own civilian cyber infrastructure will become targetable as well. So it’s the issue of reciprocity.

Then for states that – they have made a commitment to certain rules. So it will be out of question for those states to actually breach those rules in the cyber-context even though they might get away with those breaches. I think that is an aspect that all liberal democracies buy into. So I think these are two immediate answers that come to my mind.]

And there’s another thing. We often think of law simply as the rules for what is acceptable and what isn’t.  But there’s something else laws do by nature: they codify a language around misdeeds.

The rules of conventional warfare have long been written, and whether you realize it or not, we’ve all already internalized them.  We all inherently know the difference between imposing sanctions, lining soldiers along the border of a neighboring country, and nuking a city: it’s not just that these three scenarios impose different levels of harm, but they convey different messages.  All world leaders alike know what it means to send spy ships to sit off a foreign coast, or give refuge to a wanted criminal of another state: these are symbolic ways of communication, part of a common language of kinetic warfare. The Tallinn Manual can serve the same purpose.

A good example of this idea was front and center in September 2015 when the world’s two most powerful people–Barack Obama and Chinese President Xi Jinpeng–met in Washington D.C.  It’s been an elephant in the room for years now, in any diplomatic talks between the two nations: estimates were showing that the U.S. economy loses up to 600 billion dollars per year to intellectual property theft, and China accounts for almost 90 percent of that total.  Just two months prior to his meeting with Xi, the NSA publicly released a graphic map indicating over 600 successful Chinese hacks–affecting Lockheed Martin, Google, and more, over the prior five years–with red dots on a map of the United States indicating locations of targeted companies.  All in all, it looks like a teenage America going through the worst stages of puberty: pimples all over, particularly around hubs like New York City and Silicon Valley. The news likely either gave Obama the evidence he needed to hit hard in his meeting, or spurred corporate America to pressure Obama to do so, or both.

So Obama’s approach was a patient, drawn out diplomatic one, but it didn’t exist in a total vacuum.  One year prior, a major court case set a new precedent for Chinese companies: the potential for real-life consequences for cyber theft.  The case was United States of America versus five Chinese state officials charged with stealing technical data, installing malware on computers, as well as stealing personal data from individuals and companies involved in U.S. power and manufacturing.  This case marked the first time in history that state-sponsored theft of trade secrets had ever been met with legal action.

Although it didn’t amount to all that much, the mere existence of U.S. v Wang Dong (and company) marked a big step forward: since Obama’s meeting with Xi Jinpeng in 2015, Chinese hacking of U.S. corporations has dropped 90 percent! The effect was so strong that Donald Trump, who’s made a habit of repealing Obama-era policies, quietly renewed the deal back in November.

This is also the potential power of the Tallinn project.  Not only does it set a precedent for nations to one day write their own laws, but it’s setting a snowball rolling on a new, collective language of cyber warfare.  One day corporate hacks, election meddling and power grid shutdowns will all exist on a legal spectrum, and leaders of the world will be able to conduct the dance of war in referencing common knowledge of what’s lawful, what’s unlawful, and what’s super-duper illegal in cyberspace.

Perhaps the question then is not what laws will be written, but how and when…

[Liis – “Yeah, I hope it’s not going to take a major sad event for states to really take this issue seriously.”]


Sources:

http://www.post-gazette.com/attachment/2014/05/19/PDF-Indictment-of-five-Chinese-military-officials-related-to-computer-fraud-against-four-U-S-companies-and-one-union.pdf

https://www.youtube.com/watch?v=Am4gOf-KDG0

https://www.politico.com/story/2017/11/08/trump-obama-china-hacking-deal-244658

https://www.wired.com/2007/08/ff-estonia/

https://ccdcoe.org/history.html

https://ccdcoe.org/sites/default/files/documents/CCDCOE_Tallinn_Manual_Onepager_web.pdf

https://www.cnbc.com/2015/10/19/china-hacking-us-companies-for-secrets-despite-cyber-pact-.html

https://www.nytimes.com/news-event/russian-election-hacking

http://www.cnn.com/2015/06/25/opinions/france-spy-claims/index.html