Commentary | December 13, 2011

Making Peace After Cyber War

This article originally appeared in the Swedish magazine Skydd & Säkerhet (Protection & Security) on Nov. 8, 2011. It was translated into English by the author.

In a conventional war, there is always a counterpart to negotiate with to make peace. Concluding a peace after battles in cyberspace is not that easy. You may not even know who is behind an attack or how to make contact with the counterpart. It is even more difficult to make peace agreements stick.

Questions around war and peace in cyberspace were at the center of this year’s Worldwide Security Conference, which was held October 3–5, at the World Customs Organization headquarters in Brussels. The conference is organized annually by the EastWest Institute (EWI), together with the World Customs Organization (WCO) and the chair country of G8, this year France.

The conference is open, but it is intended mainly for diplomats, leading politicians, security experts, scientists and media. This year’s conference focused on the possibilities of preventing war-like attacks in cyberspace.

EWI has previously published reports on rules for cyber conflicts. They are intended to be some kind of modern guidelines corresponding to international law in war.

The Internet was designed by the U.S. Defense Department to be impossible to wipe out. An unexpected side effect was that the Internet has opened an arena for attacks, vilification, hate propaganda, and many other crimes.

As there is no central or international authority to appeal to, difficulties arise when trying to prevent fraud or similar crimes. Therefore, EWI has in recent years paid much attention to the question of creating trust in an environment where it is easy to hide behind anonymity.

Another problem in cyberspace is that a minor actor, such as a lone hacker or a small group of hackers, can wreak enormous damage.

The threshold to becoming a conflict-driving or warring party is very low. The hacker group Anonymous in October succeeded in what no government had done: to get the group Los Zetas, which is highly capable in the use of violence and is in control of a large part of the drug trade from Northern Mexico, to back off from a kidnapping by threatening to divulge names of members and associates of the organization.

The problem of “false flag,” which has occurred in naval warfare for example, appears in new forms when cyber actors are hiding behind false or stolen identities and are making use of other actors’ channels for communication. The problems are accentuated by the fact that forensic analyses of origins or authenticity become almost impossible.

With ever larger sectors becoming dependent upon continuous connection through the internet, almost all parts of society enter the risk zone for a cyber war. According to the laws of traditional warfare, it is a crime under international law to attack hospital structures marked with red crosses. A hospital can, however, have its medical records and logistics centers in other geographic locations and be forced to close if a cyber attack is directed at infrastructure such as power grids. It is not obvious that a domain or an IP address belongs to a hospital.

Measures discussed in order to protect hospitals included giving hospitals a top-level domain of their own with close monitoring, such as “.hosp.” Then an attacker would know that he is attacking a target that according to international law has a special level of protection.

Before the operations in the civil war against Gadhafi, the Pentagon discussed the possibilities of initiating the hostilities with a “cyber offensive” to jam or even strike out Gadhafi's air defenses. The proposal, however, got serious criticism, as it could create a precedent for other countries such as China or Russia for their own cyber raids.

An analyst remarked that the United States would not want to appear as “the one who broke the glass cover to this kind of warfare.”

The United States has also, on several occasions, chosen to carry out conventional attacks, using usual protective measures, such as airborne radar, instead of blocking Net links to radar systems.

Last year, a worm called Stuxnet contributed to knocking out a large number of centrifuges in the Natanz plant, blocking an important part of Iran’s production capacity for nuclear material. No group has claimed responsibility.

American public authorities have also carried out a large number of war games to find out what would happen during cyber war, including everything from hacker attacks against critical infrastructure to economic warfare against American interests. The results, together with practical experiences, have led to a realization by the U.S. Defense Department that they must modernize their strategic doctrine in order to give guidance for cyber warfare.

Other countries have also written their own strategic IT doctrines. At the conference, the retired Russian Colonel General Vladislav P. Sherstyuk presented a policy report from the Russian Federation that had been launched just one week before. The report contains clear position markers about the measures which will be put in place by the Russian Federation to ensure that other countries are fully in control of their IT structures.

The International Organization for Standardization (ISO), through its standard ISO 27 000, has set basic rules for information security. Probably being the first country in the world in this respect, the government of the People’s Republic of China has let an outside expert carry out a third party certification of the country’s IT security. It indicates that the leadership of the country takes IT issues most earnestly.

Cyber warfare raises a number of questions for diplomacy and international law. Who is the counterpart or the enemy? What rules will apply for revenge and counterattack? Is a country to be held responsible for an attack carried out through its territory, i.e. its IT structure? With whom should one make peace? How is peace to be monitored?

EWI, an American think tank headquartered in New York with offices in Brussels and Moscow, has for more than 30 years been involved in “back channel diplomacy.” They have gathered experts from Russia, the United States and others to create a platform for dialogue when a cyber attack could be approaching. The question has many facets, such as how to create a common terminology.

The idea is to have a diplomatic protocol ready long before the outbreak of the first cyber war. In addition, they would like to create secure channels for crisis communication, such as the famous Moscow–Washington “hot line,” with an encrypted telephone line between the United States and the Soviet Union in the most frozen days of the Cold War.

“We ought to focus more on creating 'cyber peace' than avoiding cyber war,” said researcher Stuart Goldman in summary.

He meant that states and other actors must focus on methods and channels that make it possible to create trust and cooperation in cyberspace.