A Legal Approach to New Security Mindset in Cyber World
Over the past twenty years, security procurement has outgrown its traditional meaning and taken on different forms for both defensive and offensive components. As cyber threats have come to pervade daily life, offensive and defensive requirements in security management have become more of an issue. Not only hackers but also state-sponsored attacks have raised tension in international law, and with the resulting concerns about the laws of armed conflict in cyberspace, the needs of security and the military have evolved. Technology, strategy, tactics and doctrines in security management, under the coercive conditions of network-centric and effects-based operations, have required the transformation of ever-evolving procurement policies in the cyber environment. With the rise of the knowledge economy and devastating computer network attacks, armament issues have become hard to deal with, and the nature of professionalism requires governments to take diversified measures. It is obvious that obscurity in the cyber area is becoming more anonymous, and it changes the meaning of the term ‘crime’, as many cyber criminals mean more for states in today’s world.
In 2013, James B. Comey, Director of the FBI, stated that they anticipate that in the future, resources devoted to cyber-based threats will equal or even eclipse the resources devoted to non-cyber based terrorist threats. This statement raises three separate issues from a defense acquisition perspective. First, and perhaps most seriously, what should be the security mindset for cyber-based threats? Second, what should be the ideal legal framework to classify cyber-related items? And third, what changes and policies need to be embraced in the procurement of cyber-related technologies?
Another issue that has become increasingly important in security procurement is emergency management, which began to draw the attention of governments after the first several attacks were directed at the infrastructure of a state by hackers.
These show us one aspect that has become increasingly clear. There is no doubt that the cyber environment is a risk area that does not automatically extend to a military issue; however, incidents against a state bring important security issues to the fore. Since nonconventional threats in cyberspace are rising and efforts to establish lawfulness after an attack do not achieve their goals, defense acquisition strategies should shift to a more collaborative approach with multilateral cross-sector coordination, and the conceptual legal framework for security management should be based on security-dominant practice.
The New Security, Threat and Risk
Over the next decades, governments plan to spend billions on technology in cyberspace as high-tech security concerns increase and modern warfare requires. As this blurry and constantly shifting area in security continues, despite the measures in international law, underlying concepts will increasingly address issues of security. And this definitely requires re-defining far more fundamental issues. What are security, threat and risk from a cyber deterrence perspective?
The word ‘security’ derives from the Latin securitas, which comes from sine cura: sine (without), cura/curio (troubling). Thus, ‘security’ originally implied a condition of being without care, trouble or anxiety. This is not purely subjective: cura relates to a state of mind and to responsibilities (to be free from worries, but also from responsibilities), so that security is neither wholly positive (feeling secure in oneself) nor negative (negligent, reckless).
As Bourne expresses, the condition of security is being without threats to existence or something valued. While some say ‘security is about survival’, others argue that it is about ‘survival plus’; the ‘plus’ being some freedom from life determining threats, and therefore (having) some life choices’. While survival is an absolute, one either survives or perishes, security is a relative condition. The rich person, with security guards, alarms, fences, insurance policies, food, heat, water and luxurious accommodation, and the poor person, with meager food and no protection from the elements or the violence of others, are both surviving but do not enjoy the same security. While security may be a condition, a value and a process, it is always such in relation to some sense of insecurity, which may be viewed through several concepts: threats, enemies, dangers, vulnerabilities and risks.
In addition to this theoretical approach, coherence with existing cyber incidents and security theories requires consideration of today’s treaty law. As expressed in Article I of the UN Charter; ‘One of the purposes of United Nations is to maintain international peace and security, and to that end: to take effective collective measures for the prevention and removal of threats to the peace, and for the suppression of acts of aggression or other breaches of the peace, and to bring about by peaceful means, and in conformity with the principles of justice and international law, adjustment or settlement of international disputes or situations which might lead to a breach of the peace; and all members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the purposes of the United Nations.’
Although Article 39 of the UN Charter states that ‘The Security Council shall determine the existence of any threat to the peace, breach of the peace, or act of aggression and shall make recommendations, or decide what measures shall be taken in accordance with Articles 41 and 42, to maintain or restore international peace and security’, Article 40, which states ‘In order to prevent an aggravation of the situation, the Security Council may, before making the recommendations or deciding upon the measures provided for in Article 39, call upon the parties concerned to comply with such provisional measures as it deems necessary or desirable. Such provisional measures shall be without prejudice to the rights, claims, or position of the parties concerned. The Security Council shall duly take account of failure to comply with such provisional measures.’, Article 41, which states ‘The Security Council may decide what measures not involving the use of armed force are to be employed to give effect to its decisions, and it may call upon the Members of the United Nations to apply such measures. These may include complete or partial interruption of economic relations and of rail, sea, air, postal, telegraphic, radio, and other means of communication, and the severance of diplomatic relations.’, and Article 42, which states ‘Should the Security Council consider that measures provided for in Article 41 would be inadequate or have proved to be inadequate, it may take such action by air, sea, or land forces as may be necessary to maintain or restore international peace and security. Such action may include demonstrations, blockade, and other operations by air, sea, or land forces of Members of the United Nations.’, refer to unqualified measures when a security concern exists in the cyber area.
As can be seen from the quoted provisions of the UN Charter, it appears that the Security Council determines whether there is a threat to or breach of the peace, which refers to traditionally fatal or damaging actions, and the measures are limited to conventional methods of warfare, including but not limited to air, sea, or land forces operations at the utmost level.
Moreover, these measures also do not correspond to ‘threat’ and ‘risk’ in cyberspace, as they are construed only for threats and risks in the conventional understanding. From a theoretical approach, and judging by the results of incidents in cyberspace, the problems that arise from cyber activities span the security of the fight against terrorism, the environment, intelligence, infrastructure, transportation and emergency management. The intangibility of targets and weapons, combined with many different high-tech methods, raises and diversifies the level of risk and threat in the theory of ‘security as a condition’. Therefore, from a defensive approach, countermeasures against cyber threats such as hacking back are motivated by various actors, and the legal challenges of self-defense become more of an issue.
Although the distinction between defense and offense seems clear in warfare, it is much more sophisticated when a cyber-oriented action or circumstance, or the diffusion of any attempt, occurs. The character of cyber actions for both offensive and defensive purposes, namely to deny, disrupt, destroy and degrade information with direct and indirect effects, reflects or seems to reflect more sophisticated purposes.
Understanding the Defensive Dynamics
Threats and risks relate to, and in many cases are part of, the security condition itself. However, the nature of defensive and offensive actions in cyberspace on many occasions requires alternating the reasoning and impacts of the applicable laws. There is no doubt that as cyber security becomes an era of war and war becomes more cyber-oriented, each side borrows some parts from the other. As a result of this convergence, cyber security researchers are looking for a new approach to defeat attackers. Eventually, researchers are trying to apply an active defense approach to cyber security.
Active defense includes an understanding of dealing with the attack source instead of trying to mitigate each attack one by one to defend the infrastructure. The attack source may be a single system, a whole network or the attacker himself. It is not only trying to catch the bullet but also to disarm the offender and make it no longer able to be a threat. From a conventional point of view, it may be compared to the right of self-defense to disarm and neutralize an attacker in order to protect oneself.
To give an example of active defense in cyberspace: security researchers have assessed the source code of the infamous ‘Mirai Bot’ malware, which made very popular web sites unavailable on 21 October 2016, and determined a vulnerability which makes the bot dysfunctional. While your systems are under attack, you may use this vulnerability to corrupt Mirai's working process and terminate the attack from that system.
It seems that the active defense perspective will take a larger place as the world continues to witness gigantic attacks more often. Trying to defend the network infrastructure only by eliminating the malicious traffic would not work effectively when the attack volume is too high. Firewalls or intrusion prevention systems, which are commonly used by enterprises and government agencies, are becoming useless since they only block traffic at the edge of their internet borders. They cannot admit only the legitimate users, as those conventional systems are too busy dealing with the bad traffic. Needless to say, the conventional defense approach is not helping anymore, whereas active defense offers to determine the source of the attack, to analyze the source and the attack instrument, and to consider a vulnerability against the attacker or sometimes to bring down the source host. As attacks become more effective, defensive actions will inevitably embrace active defense, and it might become mainstream in the cyber defense approach.
From a legal perspective, it is still uncertain in custom and treaty law whether attacking back against an attacker to terminate the ongoing attack is lawful, or to what extent it is permitted. One may hold that just terminating the attack might be understandable, but active defense is a very thin line. A counter attack is not different from an attack in terms of the resulting effects. While this is a long list of sets of issues, every action or even attempt to act may have an unexpected result with different legal outcomes. When trying to terminate the malicious functions, you may corrupt the system or cause an unexpected effect.
In brief, as the threat in the cyber area grows, measures are required to be taken more reactively, and proactive action is taken more often without any concern for lawfulness. The security policies and techniques related to technologies that are used to maintain security, or that have dual-use capabilities with military effects, are becoming more fragile as security policies in cyberspace are not being discussed productively. It is obvious that the rising concerns about the future of threats and risks in security do not suffice to set the rules in such a proliferation environment.
In addition, priorities and necessities have already changed liberty and security in a changing world since highly skilled rogue hacker groups and their sophisticated techniques came to be backed by governments. It is often forgotten that it is possible to determine which actor is behind an attack by profiling the techniques and instruments, but it is not quite possible to get certain proof. The fact is that active defense in cyberspace points to diversified implications for the notion of security and for the purpose of those actions.
Conceptual Framework of Cyber in Legal Understanding and Procurement of Cyber Defense Capabilities
No one knew about cyber sabotage before it was described by Reed in 2004. Moreover, the word ‘cyber’ was only used in science fiction three decades ago. Despite the widespread belief that cyber will be the highest-risk area in modern warfare, there is no regulatory framework in international law that sets out armament principles for global security, except the UN Arms Trade Treaty dated 2014, which is only for conventional arms. Moreover, the Tallinn Manual on the International Law Applicable to Cyber Warfare, although published in 2013, does not refer to any procurement and trading issues of cyber capabilities. Is this only because tools and instruments in cyber are not conventional weapons?
Bellais and Droff state that ‘In the main arms-producing countries, Ministries of Defense are looking for alternative ways to acquire defense capabilities. Over the past two decades, several reform projects have been experimented to go beyond the model inherited from Cold War, but they did not succeed in delivering expected results. One may wonder whether such defense acquisition systems correspond to their core mission: supplying boots on the ground with adequate capacities. The research agenda and reforms programmes are biased since they focus mainly on ‘how’ to procure. While reforming existing mechanisms seems to fail or to deliver well below expectations, one may wonder in fact whether the true question should concern ‘why’ and ‘what’ to buy with regard to military needs but also place that technology takes in conceiving defense capabilities.’
There is no doubt that it is not easy to explain 'security procurement' when it concerns cyber. From a legal point of view, articles used for cyber attacks are not conventional weapons; they are only technologies that are used to subvert a network in the hands of hackers. However, they mean more than 'defense capability' in today's world. In order to examine and fully understand the extent of procurement in cyber security, the variety of purposes and types of attacks should first be examined.
Days discusses the difference between cyber-activism and cyber-hacktivism, and he expresses that cyber-activists use the internet to promote their messages more effectively but do not break the law, whilst hackers do the opposite and break the law. As he expresses, the internet is used as a fifth domain of publicity by cyber activists to spread their message, and it is a part of free speech in a modern democracy provided it is lawful. He adds that hacktivists are different as they use illegal hacking techniques for many purposes.
From some perspectives we can agree that cyber activism is lawful unless it breaks the law; however, the question arises: to what extent should using hacking techniques to express oneself remain within the limits of freedom of speech? And what are the legal hacking techniques, if any?
While the above descriptive classification treats lawfulness as the dominant factor in the reasoning behind an attack and classifies on the basis of purpose, it definitely does not cover every aspect of a cyber threat or occurrence. To characterize the legal nature of attacks in cyberspace, it is not always helpful to understand the purpose or the direct/indirect conclusions. In most cases there is only one archetype, which is hacking, with a variety of purposes and conclusions.
It should be noted that many governments probably do not make their laws following the description of cyber-crime, cyber-warfare and cyber-threat. Governments do not go into the legal nature of each area, and in most countries there is no specific form of enforcement office to combat such risks. Honestly, there is no distinctive and contested consensus on those terms or on the determination of the fine line between them, even in international law practice. Many officers seem to use these terms wherever there is anything related to cyber, regardless of their game field or relevancy to international law. Many governments believe that cooperating is the only and ideal way to secure cyberspace for the long term. From a legal perspective, no approach to consider cyber in its game field has been discussed yet. As in a security management process, setting the risk thresholds and determining the relevancy of an occurrence have not been brought forward enough. For example, very few countries have legal regulations to categorize a cyber-related condition as a threat, risk, crime, warfare, espionage or occurrence, or to whom and to what extent. Regardless of whether the attack is cyber-oriented, many governments do not apply legal policies to understand their vulnerabilities in order to ensure security in a more defensive manner. For example, while the 822-kilometer border between Syria and Turkey is protected by soldiers, not only today, any cyber threat/attack against border security is like a no man's land from a security law perspective. Meanwhile, in many countries military and civil capabilities have eventually begun to cooperate; however, this is not yet enough for establishing cyber security law policies.
Given the need to establish a safe environment to understand the content and extent of lawfulness in cyberspace, it is important to clarify that even where an unlawful cyber action is not about cyber security, certain parts of the cyber crime could give rise to a cyber security issue. In other words, cyber threat means different things from the perspectives of international law, homeland security and criminal law.
Indeed, there have been many varying approaches to cyber actions by governments. Some have taken a common good approach and imposed restrictive laws, while considering the issue in terms of sovereignty and national interest, and enforced strict proscriptive policies. Some have discussed the information exchange requirements between security authorities and technology companies. However, none of those have served the purpose of reducing the cost of combating cyber threats.
For defense, it is more sophisticated than homeland security. Therefore, even though it seems easier to control 'defense capable cyber articles' in some countries, as local laws allow the fundamental principles to be applied, we observe that those are again limited to conventional munitions and munitions-related 'technical data'. For example, the scope of the International Traffic in Arms Regulations (ITAR) Part 120, which says that not only defense articles but also defense services are subject to the control regime, puts forward a proper extent to control the procurement of defense capabilities. However, the lack of any reference to system-related cyber technologies and the non-existence of a definition of 'defense capable cyber articles' in ITAR would probably cause the US government to fall short in combating cyber threats efficiently.
Having considered the different types and variants of cyber attacks, and despite the fine line between crime and warfare threats, references to divisibility in the consideration of offences and threats to national security would help us determine whether a cyber threat is a military or a typical criminal issue, and would help rule makers classify the content and extent of a cyber threat from a procurement perspective as well.
The duty to maintain security in the cyber world must abstain from discussions about conventional military control regimes, which will make the policies onerous. A wide interpretation of defense articles shall be applied, as requiring the control of technical data against risks. Similarly, the coordination of security procurement in such a technically complex area would serve the benefit of governments, as many of them are dual use.
Mis-use of Cyber Capabilities
The mis-use of cyber capabilities, as a term used only for states, includes not supporting any state-sponsored attack and not using the capabilities for espionage activities. To what extent spying and intelligence are linked to each other is a longstanding discussion.
An insight on Wikipedia on this issue says that government intelligence is very much distinct from espionage, and is not illegal in the UK, providing that the organizations of individuals are registered, often with the Information Commissioner's Office, and are acting within the restrictions of the Regulation of Investigatory Powers Act (RIPA). 'Intelligence' is considered legally as "information of all sorts gathered by a government or organization to guide its decisions. It includes information that may be both public and private, obtained from many different public or secret sources. It could consist entirely of information from either publicly available or secret sources, or be a combination of the two. However, espionage and intelligence can be linked. According to the MI5 website, "foreign intelligence officers acting in the UK under diplomatic cover may enjoy immunity from prosecution. Such persons can only be tried for spying (or, indeed, any criminal offence) if diplomatic immunity is waived beforehand. Those officers operating without diplomatic cover have no such immunity from prosecution. There are also laws surrounding government and organizational intelligence and surveillance. Generally, the body involved should be issued with some form of warrant or permission from the government, and should be enacting their procedures in the interest of protecting national security or the safety of public citizens. Those carrying out intelligence missions should act within not only RIPA, but also the Data Protection Act and Human Rights Act. However, there are spy equipment laws and legal requirements around intelligence methods that vary for each form of intelligence enacted.
An important concern about mis-use of a cyber capability, regardless of whether it is an intelligence activity or not, also relates to who conducts it. This concern also applies to inter-governmental authorities, as an authority might take part, not willingly, in the misuse of cyber capabilities while providing the information or data requested by other agencies. From the individual perspective, the fear is that an individual will use the cyber-generated information for his own purposes. So what should be the case where there is mis-use of cyber capabilities by a state authority? Another question that arises is with what should the classified information be provided through cyber capabilities? Does the state have an active or passive responsibility for maintaining security while conducting or combating cyber activities? What should the lawful response be against misuse of a cyber capability? Is back-hacking lawful in this regard?
In any case, given the nature of the cyber world, the fragility in both practice and legal policies usually leads the alliance of stakeholders in command. Whether intentional or not, the truth is that misuse of cyber capabilities has an actual and widespread effect on security, which links directly to defense and homeland security. Oddly, this new type of risk area against collective and individual security still does not go in depth into the understanding of data in privacy issues or offer a bulk of consolidated methodology considering its dynamics. This is in line with the views of data protection strategists, but may involve conflicting interests when considering the level of threat intensity.
Public Private Partnerships Against Cyber Risks
The Great Chicago Fire in 1871, the September 11 attacks, Deepwater Horizon and Hurricane Katrina all highlight the best practices of public private partnerships in emergency management in the United States. Therefore the content of homeland security is more than emergency management and should be guided by local and international laws and policies in combating terrorism, natural hazards and accidents, border and transportation security and cyber risks. The reality is that both government and private industry have separate roles in homeland security. Laws and policies in cyberspace are essential in homeland security, as the requirement of cooperation between government authorities and private companies relates to a critical security mission. The National Cyber Security Alliance (NCSA) of the United States, which is the best example of public private partnership in cyberspace, was established in 2001 as an awareness project to empower computer users to use the internet securely. The NCSA includes founding sponsors from information technology companies such as Symantec, Cisco Systems, Microsoft, McAfee, SAIC and EMC and members from Bank of America, Facebook, Lockheed Martin, Google and Visa.
Such initiatives are crucial to make better policies and cooperation among government officers and all relevant parties. For example, NCSA's project of 'National Cyber Security Awareness Month' has been promoted by the Department of Homeland Security and the White House in the U.S. to create broader cyber security awareness.
As the examples of incidents and occurrences in cyberspace require the collaborative management of security, public private partnerships seem to drive the changes in policy making and offer a more secure life for computer networks. The exchange of resources, ideas and capabilities to combat cyber threats also creates a strategic ecosystem of industrial cooperation.
Since the 1990s, security issues have constantly been evolving. Homeland security means something different than it meant thirty years ago, criminal suspects have been hired by state-backed organizations, and risk mitigation, prevention and preparedness programs have evolved as they need a more cooperative and consolidated structure. Social media has emerged as a communication tool, and smart phones and computer networks are becoming more integrated into our lives. And with this rapid change and involvement of computer networks, security concerns have become more of an issue for states, organizations and individuals. In a very short term of approximately thirty years, defense doctrines have also evolved, and cutting-edge technologies and scientific talents in new industrial eras have become more crucial as they were changing the interaction of internet and things at every level. Moreover, the crime economy has started to be funded, there is an upcoming risk of biological/chemical terror, and issues that were on the back burner ten years ago are now at the top.
Today militaries and intelligence units are charged not only with conventional risks but in addition seek new technologies for their rapidly changing needs against technology. Many governments have a tendency to privatize defense-related functions as risk characteristics in offensive and defensive policies have inevitably evolved.
Despite this rapid change, the crosscurrents in security laws and policies pose challenges in several aspects. The law of security navigates its way in an international approach, and it seems that discussions from the treaty law perspective are not adequate to establish policies and laws on the intrinsic features of cyber-related security. In other words, security is more than a condition and a threat, with less capable policies to ensure it in the cyber world. Even a non-binding document, NATO's Tallinn Manual, does not need to navigate the collective defense against a cyber risk somehow. More aggravating, no international organization has drafted a binding policy on cyber risks yet. Moreover, it seems that the versatility of rapid change in technology would manipulate crime and terror if international society delays in realizing the new mindset of security in the cyber world.