Opinion

Cyberspace: the Wild West?

photo_camera Ciberespacio: ¿el Salvaje Oeste?

Difficulties exist in cyberspace, due to its own characteristics and the lack of comprehensive international regulation for the attribution of cyber-attacks, as well as for responding adequately to attempts to damage or destroy communication, command and control systems by malicious actors.

In the present century, cyberspace is considered an essential element in the lives of millions of people around the world. Through and within cyberspace, operations essential to economic development, social-political activity, security, industrial production, democratic practice and the protection of a state's critical infrastructure are carried out.

However, as a space of domination and competition, cyberspace has become a tool and medium for illegal activities, with a certain level of impunity, due to the lack of regulation of violent and warlike acts committed through cyberspace.

In order to explain the above, the analysis integrates four sections that detail the ins and outs of cyberspace, identify the elements that classify an adverse event as a cyber-attack, the difficulty of responding to it, and expose the need for a legal framework for the preservation of peace and security in cyberspace.Ciberespacio: ¿el Salvaje Oeste?

Characteristics of cyberspace

Cyberspace is an area of warfare in which the world's states seek to gain supremacy, differing from other areas of warfare in its global reach, speed and impact. Cyberspace is characterised by being a man-made space, being global in nature, having the internet as a central element, being a dual-use technology, being a means to carry out attacks anonymously, having geopolitical significance, not respecting internationally accepted behaviour, and making it difficult to attribute actions.

Cyberspace is a place created by man and for man, as it is where, collectively, the diverse activities of society converge, wrapping the transactions, relations and thoughts of all those users who connect. Cyberspace has no borders as it is an abstraction of the human mind, which has a global reach and tangible and intangible elements that allow the representation of the material world in a virtual space.

Cyberspace is not regulated by international humanitarian law due to its recent emergence. However, the negative impact of cyber-attacks and the destructive capacity of cyber-weapons have been increasing; therefore, states using them as means of defence and attack must do so with full consideration of the Geneva Conventions.

Attribution of violent actions is a slow and difficult task in cyberspace due to technical and organisational characteristics, the nature of the cyber-attack, the configuration of the internet and technological advances. Despite this, there are international efforts to ensure accurate attribution of acts and to prove the illegality of the act.

Cyberspace is considered a Global Common. In 1996, John Perry Barlow drafted the Declaration of Independence of the Internet to convince governments not to assume sovereignty over cyberspace. Soon after, cyberspace became the last of the Global Commons, just because it is a man-made virtual space with a common utility where information is the main asset.

Cyberspace is of geopolitical importance. Under conditions of hyper-connectivity and international competition to dominate cyberspace, controlling it is vital for the attainment, preservation and increase of a state's power. Today, cyberspace, along with information technologies, are strategic assets for the world's governments because whoever controls cyberspace will control the world. This has led to changes in national security policies, military doctrines and academic research that seek to establish models of cyber sovereignty.

Cyberspace is a dual-use tool. As a domain where dominance is sought and competition is emphasised, cyberspace is not only used for non-injurious activities, but has also become a tool and means to cause harm, steal, defraud, attack, disrupt, surprise, manipulate, lie and murder. Ironically, cyberspace serves as much to achieve conciliation, development and peace as it does to motivate conflict, backwardness and war.

In short, the characteristics of cyberspace make it a unique space with the potential to generate harm through cyber-attack. Non-attribution opens the door for actors to use cyberspace with impunity to further their geopolitical objectives. Therefore, regulating activities or operations and establishing penalties for misuse of their capabilities to the detriment of third parties cannot be postponed.Ciberespacio: ¿el Salvaje Oeste?

Under what conditions does a cyber attack occur?

Although the word "cyber-attack" is used to refer to adverse events that attack computerised command, control and communications systems, not all of them should be considered as a cyber-attack. The ultimate objective and the actors of a large-scale hack will be the elements that define the classification of the adverse event as a cybercrime or a cyberattack. Differentiating effectively will allow progress to be made in building an international legal framework to regulate cyber-attacks and the use of force to respond in such a situation.

In other words, if the hacking, carried out by a criminal or criminal group, is primarily aimed at taking advantage of vulnerabilities in the financial system and stealing money from bank accounts, it must be criminalised as fraud or theft, unless the legal framework of states determines otherwise, or a state is precisely identified as the actor or sponsor of such an act. If a terrorist group succeeds in taking control of strategic facilities or critical infrastructure by sabotage, such an event should be categorised/punished as either a terrorist act or sabotage; however, if a state carries out a cyber-operation with full knowledge of the facts and a politico-strategic objective against the computer systems of another state, it should be considered a cyber-attack, act of war or act of aggression.
 

Since aggression is the most obvious manifestation of the use of force between states and the main threat to international security, an armed response is acceptable, in legal and legitimate self-defence.  It is in the case of aggression between states that one can speak of a cyber-attack and justify the use of force as a means of defence. This is based on International Humanitarian Law, which establishes that states are the only actors that use force in defence of their interests when the sovereignty, survival, permanence and integrity of the state are at risk.

Limiting the right to wage war and launch cyber-attacks is something that makes it possible to distinguish between "that which undermines public security" and "an attack on national security", in order to provide an appropriate and legitimate response. However, in the current context of clandestine operations, indirect confrontations, use of proxies to wage war, contracts with private military security companies, increased involvement of private initiative in military operations, use of cyberspace as a battlefield, intensive use of technology in warfare and reliance on computerised systems, there is evidence of a grey zone where security overlaps, attribution of attacks becomes more difficult, the distinction between peace and war is blurred, non-state actors are used, and non-conventional measures are justified in the conduct and resolution of conflicts.

This grey zone is particularly useful in cyberspace, as the characteristics of cyberattacks make them difficult to attribute with precision. Cyber-attacks are a relatively new phenomenon and a threat to national and international security that leaves little legal room for manoeuvre for the states that suffer them. No one knows what the next cyber-attack will look like, but it is expected to be more complex, persistent, automated, targeted, personalised, adaptive, evasive, stealthy, disruptive and dangerous.Ciberespacio: ¿el Salvaje Oeste?

The difficulty of responding to a cyber-attack: The SolarWinds Case

The hacking of SolarWinds Inc. has revived the existing debate on how to respond to a cyber-attack. Given the scale and scope of the hacking against SolarWinds, US society - quite logically, but with little reflection - is calling for a counterattack with the full force of the state. In a sense, the response demands that anyone who dares to attack the United States (US) receive the force of arms in response, implementing the "Law of Talion". This would provide an initial defence based on deterrence and fear. However, the US government's reaction requires precise and thoughtful considerations. While the US is notable for its diverse, lethal and comprehensive cyber-arsenal, it is also clear that its most significant vulnerability is the combination of hyper-connectivity and digital dependency it experiences.

Strategically, the US government recognises that it must address the fragility of cyber defence if it is to emerge victorious from a cyber conflict. The US cannot use its cyber power without ensuring that escalating virtual and cyber violence causes greater damage to its enemy. That requires a foolproof defence that, in the current context, is not feasible.
 

Ciberespacio: ¿el Salvaje Oeste?

Indeed, President-elect Joe Biden is clear that "good defence is not enough", and declared that potential adversaries must be disrupted and deterred from even daring to launch a cyberattack, hinting that he will take action in the face of such cyberattacks. Biden's words, in some ways, suggest offence as the best defence.

Regulation of cyberspace operations

The need for clear, concise and precise regulation of the activities of different actors in cyberspace has been evidenced by the occurrence of adverse and damaging events for some state and non-state actors, who have been hampered in responding effectively. Adverse events include acts of cyber espionage, information leaks, personalised cyber attacks and acts of retaliation or show of force.  The following are representative examples of acts that transgress the law using cyberspace:Ciberespacio: ¿el Salvaje Oeste?

The hacking against the SolarWinds company, allegedly by Russian hackers, has reignited the debate about the lack of regulation and thus certainty of operations in cyberspace. This is again a topic of debate, 24 years after the Moonlight Maze cyber-attack against government agencies and renowned universities. This event is considered to be "the first coordinated cyber espionage attack with global reach", managing to steal classified information and yet remain unpunished.
In the realm of leaks of sensitive information, Edward Snowden is the most obvious example of insider threats to companies.

Although Snowden revealed information about US spying and intervention programmes, he did not elaborate on the tools or methods used for their implementation and/or operation. As such, there were no repercussions against the US government, but there were repercussions against Snowden.

The Stuxnet and Saudi Aramco cases. In the first case, the US and Israel used Stuxnet - a Trojan considered to be the first cyber-weapon - to disrupt or stop Iran's nuclear programme. It was the cyber-attack that broke the Digital Rubicon, started the cyber arms race, and changed the way war is waged. In fact, in response to the Stuxnet cyberattack, Iran wiped the data from thousands of Saudi Aramco Company computers, disrupting all of its activities. Both events went unpunished despite the damage and inconvenience caused.

The lessons learned from the SolarWinds cyberespionage, from cyberattacks like Stuxnet and from information leaks like Edward Snowden's, make it clear that cyberspace operations operate with few internationally accepted rules of conduct. Cyberspace, as President Obama once put it, is "the Wild West" or lawless territory, where the actions of governments, terrorists and technology companies converge, testing the boundaries of legality with little or no repercussions.Ciberespacio: ¿el Salvaje Oeste?

Conclusions

Under the conditions of hyperconnectivity and dependence on cyberspace, there are multiple details of operation and functioning that require urgent attention by governments if they are to avoid the belief that there is no difference between acts of public cybersecurity and cyberwarfare, nor control over the acquisition of cyberweapons, due to free access to cyberspace and the difficulty of attributing violent and illegal acts.

Cyberspace is the fifth domain of warfare and, consequently, the existing international legal framework must be amended to include the regulation of cyber operations and cyber attacks. Cyberspace cannot and should not be an unregulated territory for its use as a means of causing harm or carrying out acts of war, as the resulting impunity would encourage new actors to join cybercrime, violence to escalate and acts of illegitimate use of force to go unpunished. How long will the international community continue to allow this to happen?


Adolfo Arreola, research professor at the Universidad Anáhuac, Mexico/CEEEP