Cyberwar isn’t going to be about hacking power stations. It’s going to be far more subtle, and more dangerous.
Wandering the pretty, medieval streets of Tallinn’s old town, it is hard to believe that the tiny country of Estonia has anything at all to do with cyberwarfare. But first as victim of an attack and now as home to some of the leading thinkers on how the digital battlefield will develop, the country has played a key role in its emergence and evolution.
Estonia is a country of around 1.3 million people facing the Baltic Sea and the Gulf of Finland; it borders Latvia to the south and Russia to the east. After decades as part of the Soviet Union, it regained independence in 1991.
Even today reminders of the Soviet times still abound in the capital Tallinn. There’s a museum in one of the big downtown hotels showing how the KGB would bug the rooms of foreign guests.
But Estonia does not intend to be defined by its past; it is instead intent on creating the most advanced digital state on the planet. Since independence, Estonia has invested heavily in digital services. It leads the way with internet voting—in the 2011 election nearly a quarter of voters cast their ballots that way—and electronic tax filing, all underpinned by a nationwide digital signature infrastructure.
Today, you can even become an Estonian e-resident regardless of where you live in the world so you can use that same infrastructure to electronically sign contracts or set up your own company in the country.
Plans by Estonian authorities to move a Soviet war memorial sparked a wave of website defacements and denial of service attacks in the country over a three-week period, throwing Estonia’s government services, newspapers, and businesses offline. The attacks temporarily disabled the websites of banks, ministries and political parties. Many pointed the finger at Russian hackers (Russia denied any involvement in the incident) but the events demonstrated how a purely digital attack on a state could have real-world consequences.
The Tallinn Manual
While the impact of the attacks can be overstated—“inconvenient, not cyberwar” is how one local described it—it accelerated plans, already in place, to set up a NATO cyber defence think-tank in the country.
The Cooperative Cyber Defence Centre of Excellence (CCDCOE) was established the year after the attacks took place as an institution created to figure out how to improve the digital defences of NATO members and what cyberwarfare would actually look like.
As well as the cyber defence exercises it conducts annually, probably the centre’s most important work so far appeared in 2013: the Tallinn Manual on the International Law Applicable to Cyber Warfare, known simply as the Tallinn Manual.
While there is no international law that directly refers to the ultra-modern concept of cyber warfare, there is plenty that applies. So CCDCOE assembled a panel of international legal experts to go through this existing law and show how it applies to cyber warfare. This formed the basis of the Tallinn Manual and the 95 so-called ‘black letter rules’ it contains (so named because that’s how they appear in the text).
Through these rules the manual attempts to define some of the basics of cyber warfare. At the most fundamental level, the rules state that an online attack on a state can, in certain circumstances, be the equivalent of an armed attack. It also lays out that such an attack is against international law, and that a state attacked in such a way has the right to hit back.
Other rules the manual spells out: don’t target civilians or launch indiscriminate attacks that could cripple civilian infrastructure. While many of these sorts of rules are well understood when it comes to standard warfare, setting them out in the context of digital warfare was groundbreaking.
While the manual argues that a cyber attack can be considered to be the equivalent of an armed attack if it causes physical harm to people or property, other attacks can also be considered a use of force depending on their severity or impact. For example, breaking into a military system would be more likely to be seen as serious, as opposed to hacking into a small business. In contrast, cyber attacks that generate “mere inconvenience or irritation” would never be considered to be a use of force.
The manual also delves into some of the trickier questions of cyber war: would Country A be justified in launching a pre-emptive military strike against Country B if it knew Country B planned to blow up Country A’s main oil pipeline by hacking the microcontrollers managing its pipeline pressure? (Answer: probably yes.)
The manual even considers the legality of some scenarios verging on the science-fictional.
If an army hacked into and took control of enemy drones, would those drones have to be grounded and marked with the capturer’s insignia before being allowed to carry out reconnaissance flights? (Answer: maybe.)
But what’s striking is that the Tallinn Manual sets the rules for a war that hasn’t been fought yet.
No Digital Pearl Harbour
Although nearly every state around the globe has been developing a cyber warfare strategy, and some have been building up skills and perhaps even stockpiles of digital weapons, there haven’t been any digital attacks that have crossed the thresholds of armed attack as defined by the Tallinn Manual. No massed bot armies, no hackers blowing up power stations from their bedrooms.
Perhaps the closest was the use of the Stuxnet worm (most likely by the US) as part of a bid to derail the Iranian nuclear programme. By contrast, the attacks on Estonia itself would, for all the excitement around them, be towards the inconvenience and irritation end of the spectrum.
The Tallinn Manual doesn’t say much about the reality of the cut-and-thrust of the modern internet, where state-sponsored hackers, spies, and more are constantly probing the systems of other nations. This is a shadowy world where it is often unclear who the attackers are and what their intentions are (and just what the motivations of their backers are, too). It’s a world filled with misleading evidence, ambiguity and deniability.
Throughout history, states have used third parties and proxies to get their dirty work done. The difference is that by hacking into systems in countries across the world, these groups can have an impact far from their home territories.
On the subject of such attacks—which can be extremely serious but never quite reach the level of an actual attack by force—the manual has little to say. However, these kinds of attacks are the ones that take place every single day. Cyberwar has become the continuation of politics by digital means.
“The scope of cyber attacks is very, very wide, so that’s why with the first Tallinn Manual we took the most severe case of armed attack and the use of force,” explains Colonel Artur Suzik, the director of CCDCOE until August 2015. “But the majority of cyber incidents nation states face occur outside of the conflict law, so there was a clear need to expand the legal analysis to this area.”
That doesn’t mean the manual is a failure, or irrelevant. Indeed, it may even be that by making clear that digital attacks are covered by an array of existing international law, the Tallinn Manual has forced countries to rethink their approaches to cyber warfare. That is, because the manual does a good job of defining just what kinds of attack might lead to a missile being lobbed in your direction, states launching hacking attacks have been careful to keep their operations (just) below that threshold, say experts.
An expanded Tallinn Manual 2.0 is due to be published next year looking at how international law addresses malicious cyber operations by state (and non-state) actors during peacetime.
The new manual will try to create the same ‘black letter rules’ around much trickier concepts, such as when countries are responsible for hostile cyber operations launched against other states from their territory, and when such operations violate the sovereignty of the state.
It will take the analysis into the much more complicated and murky environment of the day-to-day cyber attacks that don’t ever reach the level of physical attacks, but are no less dangerous for it.
Few, for example, could have imagined a couple of years ago that a hacking attack against a film studio could lead to an international incident, or that the theft of HR records from the obscure Office of Personnel Management could create such consternation.
Politicians and diplomats are still struggling to work out how to deal with the near-constant stream of other data leaks from all sorts of government agencies that are blamed on state-sponsored hackers. And there is little in the way of consensus on how to deal with it or often even how to label it. When does hacking become espionage and when does that evolve into something that could escalate into the use of armed force?
And while many industry watchers saw the attacks on Estonia and built out of that lurid ‘Digital Pearl Harbour’ style scenarios where a country could be toppled by a digital attack launched by a dedicated few, this has not taken place. The reality has turned out to be far less dramatic, but much more complicated to tackle.
That’s not to say that the apocalyptic scenario of state-backed hackers causing mayhem by breaking into industrial control systems (the technology that runs power stations or chemical plants) is utterly impossible – just extremely unlikely, and extremely hard and extremely expensive. Cyberwar, as it was envisaged, has not taken place.
But it’s entirely possible that by watching and waiting for an explosive Hollywood-style catastrophe we’ve missed the much more insidious and protracted cyberwar that has been going on for years already.
Hybrid information war
Earlier this year, the cyber think-tank held a conference in Tallinn, an event called CyCon, to bring together some of the biggest thinkers on cyber warfare and discuss the most recent developments in cyber war theory ahead of the publication of the new Tallinn Manual.
For what was effectively a technology conference, there were a lot of people in uniform. In attendance was not only the head of the NSA, Admiral Mike Rogers, but also the Assistant Secretary General of NATO, Sorin Ducaru, reflecting the level of concern around cyber defence among the allies.
Despite the subject matter, it wasn’t all serious. Speakers, including surveillance chief Admiral Rogers, were presented on-stage with a thank you present of a mug with an ear for a handle.
Both men reflected a cautious, slowly-developing approach when it comes to the use of the internet by the military. NATO itself, for example, only recently decided that a major digital attack on a member state could be covered by Article 5 of its collective defence clause (one of the most fundamental tenets of NATO, that an armed attack on one member should be considered an armed attack on them all). And, Ducaru insisted, “NATO doesn’t have any interest [in militarising] cyberspace or to have an ungoverned space.”
Rogers emphasised that the use of the internet by the US military is still evolving, with defence the priority. “Our view is that cyber is another operational domain, much as the seas are, much as the land is, much as space is, and increasingly, it is an environment in which we will conduct a series of very traditional military evolutions from the defensive things to the application of capabilities to generate specific kinds of effects,” he said. “We think cyber will evolve over time, much as we’ve seen the other domains, in the more traditional arenas.”
To put it another way: cyberwarfare models are maturing in the same way that other technologies mature. To take a more prosaic example, the evolution of cyberwarfare is a lot like the cycle e-commerce went through. There was a lot of initial excitement and investment from retailers in building separate e-commerce operations or businesses, but gradually these became not just a standard part of their operation but for many retailers the core of their business, just as cyberwarfare planning and strategy is gradually becoming a part of mainstream military planning.
However, that doesn’t mean that all countries are taking the same approach to strategy or that they even agree on what should be included in the term cyberwarfare. Some countries have a very narrow model of what cyberwarfare should look like – that it should focus on hacking and damaging systems. Others see it as just one part of a much wider information warfare spectrum which stretches from hacking to disinformation and propaganda. Indeed, much of the criticism of the Tallinn Manual has been around how it represents a NATO—and specifically Western—outlook on what cyberwarfare should look like.
By Steve Ranger
Steve Ranger is the UK editor of TechRepublic, and has been writing about the impact of technology on people, business and culture for more than a decade. Before joining TechRepublic he was the editor of silicon.com.