Thursday, June 27, 2013

Bits, Bytes, and Bombs: The Uncertain Law of Cyber-Warfare

Professor Matthew Waxman, Faculty Chair, Roger Hertog Program on Law and National Security
Columbia Law School Alumni Breakfast, May 22, 2013

Last month, Professor Matthew Waxman of Columbia Law School spoke about cyber-security to a gathering of law school alumni.  The topic certainly seemed to be of interest to alums – the session hosted by Kirkland & Ellis attracted over 50 attendees – and Professor Waxman noted that cyber-security was the legal topic that generates the most interest at Columbia Law School.

I. Is Cyber-security a threat?

Professor Waxman was quite unequivocal on this point: cyber-security is the number 1 threat to US.  Of course, “cyber-security” is a broad term, which he defined as broadly including four different types of threats:

- malicious hacking, often done for fun without broader motives
- cybercrime
- espionage – for political or corporate reasons
- cyber attacks – which would essentially be cyber-warfare, with the intention of crippling our ability to respond to an enemy via attacks on our infrastructure, financial systems, etc.

There is something of a vocabulary problem - what is a cyberattack, especially in something other than a country-to-country context?  Professor Waxman argues that unless it is a massive effort, such as a Distributed Denial of Services (DDOS) meant to cripple or take down a company or institution, such activity does not really constitute a cyberattack.

For example, is spam disruptive or criminal?  In this situation at least, the solution likely not to be legal, but based in the private sector, e.g., email providers have algorithms to filter out spam, and those algorithms are always being improved.

Professor Waxman felt that, while there are often warnings in the news media from the government and other commentators about a large-scale cyber-warfare assault, he feels that a massive attack – what is often termed a “cyber Pearl Harbor” – is unlikely in near term.  The real threat to the U.S. is instead “death from a thousand cuts” – small-scale attacks, thefts, intrusions, etc. that can create a tremendous amount of cumulative damage.  These sorts of attacks have apparently been going on for quite a while, but the extent of their damage is not known, perhaps because not all victims are aware that they have been infiltrated or damaged and because victims who are aware – whether private-sector or governmental – are reluctant to discuss such matters.

One additional point that Professor Waxman raised about cyber-warfare – the U.S. is conducting a lot of cyber attacks – the federal government is just not talking about it.  Referring to his experience as part of the national security establishment at the Departments of State and Defense and the National Security Council, he said that the highest levels of secrecy and confidentiality were found regarding the offensive cyber capabilities of the U.S.

II. Domestic law

This is a critical but not well-defined area in cybersecurity.  Since the U.S. is a global technology leader, it is dependent on its digital infrastructure for the workings of its governments, private enterprise, and the society in general.  Furthermore, the U.S. in general is dependent on private players to supply, maintain and improve the critical elements of our technology infrastructure – phones, Internet, etc. – with 85% of digital infrastructure being in private hands.

He argues that we could strengthen our technology infrastructure by encouraging the private sector to provide higher security standards and to share more information between and among private and government players.  In addition, the government could play stronger role in private sector cyber-security, but this of course would be controversial.  He cited the NSA are being the most capable government agency in this arena – of course, this discussion from Professor Waxman was before the Snowden leak controversy.  It’s difficult to say whether this scandal demonstrates the heightened need for private-government cooperation in cybersecurity or the potential pitfalls of such cooperation.

In any case, Professor Waxman cited several counter-pressures that existed pre-Snowden that argued against increased private-government cooperation.  For one thing, the technology industry is reluctant for the government to do anything to stifle innovation, and we do have a general national interest in promoting innovation.  There is a general concern among the public about regulation, and the various scandals since Professor Waxman’s talk have only heightened the public’s sensitivity to regulations.  These scandals have also exacerbated Professor Waxman’s third roadblock: civil liberties concern of increased government involvement in private-sector cybersecurity.

As a result, he feels that information sharing has been “patchy.”  Sharing with the government raises concerns about liability and privacy.  Sharing among companies is also problematic since they are often dealing with competitors.  Furthermore, the interests among companies and government are not necessarily aligned – sharing with the U.S. government may discourage other countries from doing business with those companies.
One additional item impeding increased governmental action in this area not mentioned by Professor Waxman is that the technology industry is not a monolith with a single set of objectives and interests.  Often, there are competing sets of interests that pit industry sectors against each other.  For example, the heated disputes of the Stop Online Piracy Act and the issue of Net Neutrality demonstrate that government actions on behalf of one group of industry participants are often viewed as harmful by another group.

As a result, Professor Waxman does not expect any radical federal reform in this area any time soon.

III. Is international law therefore a solution?

Professor Waxman does not expect radical reform, e.g., a cybersecurity treaty, in the international area either.  As with obstacles to domestic law reform, the major states don't have aligned interests.  As he put it, half the world wants an open Internet, and half wants to control the Internet – primarily Russia and China.

Therefore, we are more likely to see attempts at "translation" of existing international law applied to the new technology, which of course had not been contemplated at the time of the formulation of international rules of behaviors.  For example, while there is well-established international law on use of military force, there is not such a body of law on cyber attacks. 

Therefore, when is a cyberattack a military attack?  One point of view is that the answer is Never, since existing law talks about bombs and bullets, not bits.  Professor Waxman disagrees with that view, and prefers to look at the effect of a cyberattack, e.g., the use of a cyber attack to bring down airplanes or to cause a power plant to explode.  In other words, to create damage that is the equivalent of that which could be done by a traditional, physical, military attack.

This can be helpful in some situations, but not all.  What if a cyber attack were to cause something bad, but nothing blows up – i.e., it is not the direct equivalent of a traditional military attack?  For example, what if someone directly causes a 10% decline in stock market?

There are additional problems related to trying to equate cyber and military attacks, such as attribution in a provable way.  While this can certainly be the case in a physical attack – e.g., who actually planted that bomb? – the ephemeral nature of cyberspace likely compounds the problem of reliably proving the source of an attack – just as China denies such activities while the U.S. has pinpointed a single office building in China as housing the Chinese Army unit responsible for such activities.

Despite those denials, Professor Waxman cites Chinese attacks as creating the biggest threat of cumulating low-level intrusions cited above.  He argues that biggest current threat from China is theft of data relating to financial, technology, government secrets.  They are, however, also looking for potential vulnerabilities in our infrastructure that could be exploited at some point in the future.

The U.S. response to date has been so-called “naming and shaming,” which he does not think it's a good solution.  The most hopeful comment he made on this topic was that China is not likely to attack the U.S. in a massive way since they own so much US debt.  Depending on economic considerations to outweigh Chinese political and military interests does not seem to be a long-term solution.

The other irony in seeking clarity, as mentioned earlier, is that the U.S. is quite powerful in this area.  It may have been the first to cross the line and have committed the potential act of war with the Stuxnet virus, which allegedly infiltrated the control system for Iran’s nuclear reprocessing facility and caused centrifuges to blow up.  If someone did that to us, we would probably view it as a act of war, justifying the use of military force in self-defense.

As a result, it is probably in the interest of many companies, including the U.S., to not call attention the Stuxnet incident.  General reaction from rest of international community has been, as he puts it, "anxious hand-wringing."  Most countries probably prefer the Stuxnet incident as a preferred alternative to either an Iranian nuclear bomb or a direct attack by the U.S. or Israel on Iranian nuclear facilities.

Stuxnet does, however, open a Pandora's Box for the future.  For starters, we don't know what other countries are capable of.  There have been official denials from U.S. and Israel, and a low-key response from Iran.  Presumably, Iran is embarrassed about its vulnerability, but it does not want to make problem worse by providing information about what was or was not done, how it was detected, etc.

Professor Waxman cited a pattern of weapons development and usage in military history.  First, international players try banning the weapon, but that generally doesn't work.  Then, everyone tries to find out how it will change warfare – but of course, forecasts usually vary widely and generally miss the mark.

The recent NSA scandal also hints at the extent of U.S. cyber capabilities.  Further, to the extent that the federal government’s defense of its activities is that it did not spy on U.S. citizens, only foreign ones, that is unlikely to make other governments very comfortable.

IV. Private sector remedies

If you are being hacked, what are your rights? Can you hack back? What about in self-defense? Professor Waxman noted numerous questions in the current law as to where to draw the lines.   He felt that the private sector is drawing the conclusion that government can't provide security in the private sphere the way it can in the public sphere, e.g., with police on the beat, courts, armies and other law enforcement and defense infrastructure.

There may be areas, such as cybersecurity compliance, where incremental progress can be made on topics where there is general agreement.  For example, requiring disclosures of data breaches, and instituting liability for the misuse of stolen data.  Fear of liability, especially for exposing security breaches, have held back progress in this area even where the general public could benefit.  For example, increased information sharing would strengthen the system overall, even though there are disincentives to sharing individual experiences.  This could potentially be addressed through legislation to incentivize information sharing, and possibly even provide safe harbor for liability from such episodes

Unfortunately, it will be difficult for the law keep up in an area of rapid technological change.  Changes in law usually take time, and well-funded competing interests make sweeping solutions difficult.  

With regard to self-help in the meantime, Professor Waxman admitted that he assumes his personal computers have been hacked and hijacked.