Applying International Law to Cyber Space

How well can existing international law map to cyber space? A recent article in The Legal Intelligencer looks at the legal concept of a "duty to assist" and how it might apply in cyberspace.

"...international law requires anyone receiving an SOS signal to "proceed with all possible speed" to render assistance. Today, similar legal duties abound -- what we might call "duties to assist" -- whether in response to a pilot's mayday call, distress signals, or emergency numbers."

However, this duty does not currently extend to the Internet. The article argues (rightly) that existing efforts (more technology and the militarization of cyber space) will not prevent large scale international cyber attacks:

"Technological prevention measures -- thicker security firewalls and better mechanisms to detect and repel attacks -- will undoubtedly be part of any effective counterattack strategy. Similar progress may come from efforts to reach agreement on how militaries should operate in cyberspace and increased transnational coordination among law enforcement agencies.

"But these measures will not be enough to solve the problem. Open networks will always be vulnerable to malicious attack as new security measures generate improved hacking techniques in an endless game of cat and mouse. The laws of war that govern military uses of force do not translate easily into cyberspace. Criminal laws, similarly, are a blunt instrument for protection. The difficulties inherent in trying to identify the precise location from which attacks arise and the identities of anonymous attackers stem from the basic structure of the global internet. Those difficulties make enforcement of criminal penalties (or the laws of war) difficult and at times impossible."

The authors give a brief description of how this duty might work to improve the situation:

"A duty to assist can work without identifying the attackers. It focuses instead on minimizing the attack's effects. A victim would send out a distress call... and all those in a position to provide assistance -- whether governments or private actors -- would have an obligation to respond. Help could come in many forms. If attackers denied service to a computer resource, internet service providers could provide additional bandwidth. If an attack crossed through a nation's territory, that nation's government would have to deny attackers further use of its information networks and help trace the attack to its true origins."

Do Cyber-Attacks Require a 'Duty to Assist'?

Increased Espionage against US Defense Contractors

The Counterintelligence Directorate of the U.S. Defense Security Office recently released a report on espionage against the U.S. defense industry. The study identified four broad methods of information gathering including the use and misuse of technology:

1. Direct Request - Email requests for information, webcard purchase requests, price quote requests, phone calls, or marketing surveys
2. Suspicious Internet Activity - Confirmed intrusion, attempted intrusion, computer network attack, potential pre-attack, or spam
3. Solicitation and Seeking Employment - Offering technical and business services..., resume submissions, or sales offers
4. Foreign Visits and Targeting - Suspicious activity at a convention, unannounced visit..., solicitations to attend a convention, offers of paid travel to a seminar, targeting of travelers, questions beyond scope, or overt search and seizure

The alleged sources of attacks are world wide including:

• "East Asia and the Pacific and Near East entities remaining the most prolific collectors of United States technology or information"; and,
• Europe and Eurasia

The largest growth in cyber activity was from East Asia and the Pacific:

"Suspicious Internet activity with IP addresses originating in the East Asia and the Pacific region represented 79 percent of the regional cyber collection effort, a significant increase over last year’s 52 percent. These apparent cyber operations mainly targeted cleared defense contractor networks used for research and development documentation, especially those related to information systems technology."

The report noted an interesting trend between Asian and Near East activity and that of Europe and Eurasia [emphasis added]:

"Europe and Eurasia collectors do not need to use high-profile collection techniques because their covert collection methodologies are already efficient and effective as to render the more blatant, overt requests largely supplemental to other collection competencies. It is noteworthy that even though their overt collection efforts have declined, European and Eurasian cyber actors remain some of the most active targeters of United States technology."

The report contains in-depth analysis of the types of information targets and regional statistics and analysis of activity. The report forecasts increased cyber activity in the future:

"Government and commercial collection entities worldwide are highly likely to continue the use of cyber collection activities against United States government and its CDCs. Cyber intrusion offers a relatively low-risk, high-gain technique giving illicit collectors the opportunity to acquire sensitive and proprietary information stored on United States computer networks. Cyber targeting may also be utilized as a collection planning tool to identify targets of opportunity not readily apparent to traditional collectors. This cyber reconnaissance allows foreign elements to design targeting plans employing the full range of collection techniques on focused targets."

TARGETING U.S. TECHNOLOGIES: A TREND ANALYSIS OF REPORTING FROM DEFENSE INDUSTRY

Recommended Reading: Shadows in the Cloud

In a followup to the "Tracking GhostNet" report, a new analysis of attacks against Tibetan and Indian cyber targets has been released titled "Shadows in the Cloud: Investigating Cyber Espionage 2.0". I highly recommend this report.

The report is an excellent synopsis of an in-depth investigation into attacks and information thefts that:

"...documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries. The report also contains an analysis of data which were stolen from politically sensitive targets and recovered during the course of the investigation. These include documents from the Offices of the Dalai Lama and agencies of the Indian national security establishment. Data containing sensitive information on citizens of numerous third-party countries, as well as personal, financial, and business information."

The analysis shows strong links to the People's Republic of China as the origin of the attacks.

I have not completed a detailed reading of the report but a first pass provides two immediate impressions:

1. The strong similarities with investigations performed in the late 1980s involving espionage by the then Soviet Union using German nationals a proxies; and,


2. The analysis, including attribution, appear to be sound.

The similarities described in this report to other, known cases of computer based espionage is striking. The only major difference between the Soviet espionage case of the 1980's and this one is that most of the techniques of infiltration, compromise and data theft are now automated. The patterns of behavior, use of proxies and movement and collection of information are very similar.

Furthermore, this analysis, at least on first reading, appears to be careful, methodical and does not suffer from some of the errors made by other technicians analyzing large-scale international cyber attacks (see Analyzing the Google Attacks - Plenty of Room for Mistakes).

This care of analysis is best summed up by the authors when discussing the attribution of the source of the attacks (emphasis added):

"Attribution concerning cyber espionage networks is a complex task, given the inherently obscure modus operandi of the agents or groups under investigation. Cyber criminals aim to mask their identities, and the networks investigated in this report are dispersed across multiple platforms and national jurisdictions. Complicating matters further is the politicization of attribution questions, particularly concerning Chinese intentions around information warfare. Clearly this investigation and our analysis tracks back directly to the PRC, and to known entities within the criminal underground of the PRC. There is also an obvious correlation to be drawn between the victims, the nature of the documents stolen, and the strategic interests of the Chinese state. But correlations do not equal causation. It is certainly possible that the attackers were directed in some manner — either by sub-contract or privateering — by agents of the Chinese state, but we have no evidence to prove that assertion. It is also possible that the agents behind the Shadow network are operating for motives other than political espionage, as our investigation and analysis only uncovered a slice of what is undoubtedly a larger set of networks. Even more remote, but still at least within the realm of possibility, is the false flag scenario, that another government altogether is masking a political espionage operation to appear as if it is coming from within the PRC. Drawing these different scenarios and alternative explanations together, the most plausible explanation, and the one supported by the evidence, is that the Shadow network is based out of the PRC by one or more individuals with strong connections to the Chinese criminal underground. Given the often murky relationships that can exist between this underground and elements of the state, the information collected by the Shadow network may end up in the possession of some entity of the Chinese government."

SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0

North Korea Develops Its Own Operating System Aimed at User Monitoring

South Korea's Science and Technology Policy Institute has released information concerning a homegrown operating system developed by North Korea called Red Star. It appears to be based on Linux and Microsoft code and primarily developed to monitor and limit user activities.

The South Korean report also states:

"North Korea has launched a cyber-war unit that targets sites in South Korea and the US"

but no further details were provided in the BBC article.


North Korean Red Star operating system details emerge

Fine Line between Criminal Activity and National Security

NPR ran a lengthy report on cyber war centered around last month's congressional testimony by the Director of National Intelligence Dennis Blair citing cyber attacks as a top threat to U.S. security.

One important factor noted in the broadcast is the fine line between criminal activity and national security threats. The difference is not so much technique as motive:

"The difference between cybercrime, cyber-espionage, and cyberwar is a couple of keystrokes," says [Richard] Clarke [former Presidential cyber security adviser]. "The same technique that gets you in to steal money, patented blueprint information or chemical formulas is the same technique that a nation-state would use to get in and destroy things."

Cyber Insecurity: U.S. Struggles To Confront Threat