Could there be Cyberweapons ?!

      Comments Off on Could there be Cyberweapons ?!

Author: Hussain B Abdulameer.

Head of the International Studies Dept.

Published by: Center for Strategic Studies/ Kerbala University.

2 March 2021

The possibility of using ICT for military-political purposes is becoming a factor influencing modern international relations. A 2015 report by the UN Group of Governmental Experts indicates that several states are engaged in building ICT capabilities for military purposes[2]. First, the concepts and definitions used are recognized only by certain groups of states. Russia submitted an International Code of Conduct for Information Security to the United Nations General Assembly in 2011 over the “Shanghai Cooperation Organization” (SCO), an international organization established by eight states and primarily headed by Russian and Chinese administrations. Russia has developed a draft Convention on International Information Security in addition to the SCO’s joint proposal. This proposal contained the definitions for “Information Space” and “Information Warfare” and “Information Weapon”[3]: The term “Information Space” refers to the field of activity concerned with the development, production, conversion, transition, use, and storage of information, as well as its effects on individual and social consciousness, information infrastructure, and information itself. In turn, “Information War” is characterized as a confrontation among two or more states in the information space in order to destroy information systems, processes, and resources, vital structures, weakening political, economic, and social systems, and launching public psychological campaigns against the state’s population to destabilize society and the government. Along with pushing the state to take action in favor of the other party. The term “Information Weapon” is used defined as “information technology, means and methods used to conduct information war.”

This concept can be summed up virtually any ICT tools – both specialized and publicly available: the Internet, social networks and databases, mobile communication systems, telecommunications systems, etc. On the other hand, in NATO countries, the unofficial definition of cyber weapons is in “Tallinn Manual on the Applicability of International Law to Cyberwar.” The contribution of NATO making viewpoint queries relating to the enforcement of existing international agreements is essential in promoting multilateral campaigns in the cybersphere. The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), grounded in Tallinn, Estonia, has also significantly contributed to the cyber norms dialogue via the Tallinn Manual publication in 2013. In the following year, NATO has updated its reference guide and released version 2.0. The Tallinn Manuals brings helpful contributions to the assessment of how international laws work in the realm of cyberspace. However, it is merely a legal opinion and is not binding on governments.[4] The Tallinn manuals explain the Cyberweapons as: “Cyberweapons of war that, by design, use or intended use, are capable of causing injury or death; or damage or destruction of objects, that is, lead to the consequences necessary for qualifying a cyber operation as an attack.” The 2014 US Department of Defense’s Combined Doctrine of Cyber ​​Operations defines “cyberspace capability” as “a device, computer program, or method, including any combination of software or hardware, designed to be used in or through cyberspace.”[5] Thus, in the most general form, cyber weapons are specialized ICT tools designed to exert a destructive effect on computer systems and networks, the infrastructure they support, and the information stored in them.[6]

Secondly, several international legal aspects of using ICT for military purposes have not yet been determined. The UN Group of Governmental Experts, in its 2013 report, confirmed the applicability of international law in the information space. However, no simple solution to how international law should be implemented in cyberspace has yet to be found. In particular, at the moment, there is no uniform legal definition of cyber weapons, an armed attack in cyberspace, combatants, and it is not described how to ensure the observance of the rights of civilians.[7]

Thirdly, cyber weapons are specialized software, which predetermines the possibilities for their creation, distribution, and use[8]. Simple personal computers linked to the Internet may be used to launch violent attacks. Simultaneously, it is known that malicious software and its components can be purchased, and specialists can be hired. A low threshold for entry can lead to a significant expansion of the circle of actors who have access to cyber weapons. They can be not only states but also terrorist organizations and organized criminal groups. Now the process of proliferation of cyber weapons is practically not controlled, and the only mechanism that exists – “the Wassenaar Arrangement”[9]  on the Export Control of Conventional Arms and “Dual Use” goods and technologies – is interstate and does not affect, for example, terrorist or criminal groups[10].

Fourth, there are no mechanisms for fast and accurate attribution of cyberattacks at the current ICT development stage. Moreover, in conditions where it is impossible to identify the source of the threat, there is a possibility that the charge of the attack will be made without citing material facts, based on assumptions and inferences, according to the political environment. There are many such examples, including the recent accusations of Russia hacking into the servers of the US Democratic Party – no significant evidence has been presented.[11]

US Cyberweapons:

The United States has been actively using ICT for military and political purposes for a long time. This process was initiated by introducing the doctrine of network-centric wars, which was presented in the concept for developing the US Armed Forces until 2010, adopted since 1996. Network-centric warfare is also defined as “a military doctrine or theory of war that seeks to translate an information advantage, enabled in part by information technology, into a competitive advantage through the robust computer networking of well informed geographically dispersed forces.” It was pioneered by the United States Department of Defense in the 1990s. Adopting the doctrine of network-centric wars was dictated by the desire to increase combatants’ capabilities by combining them into a single network and achieving information superiority. Finally, information operations were entrenched in the US military development with the emergence of the “Joint Doctrine of Information Operations” – a document intended for the broadest distribution. According to this doctrine, information operations include Electronic Warfare, Computer Network Operations, Psychological Operations, Military Deception, Operations Security.[12]

The formal establishment of military units dedicated to cyberspace missions is primarily a phenomenon of the  21st  century. There have been significant shifts in the United States’ views and approaches to using ICT for military-political purposes since the first decade of this century. In 2001, in the following “Four-Year US Defense Development Program,” cyber operations were singled out as an independent type of military activity, and cyberspace itself was recognized as a new sphere of confrontation.[13] The following fundamental change was the creation in 2010 of the Army Cyber Command and the Fleet Cyber Command[14], responsible for conducting operations in cyberspace, protecting military systems and networks, and coordinating cyber defense among all military branches. This dual subordination and the Memorandum of Understanding signed in 2010 between the Department of Defense and the Department of Homeland Security contributed to the early development of Cyber ​​Command’s capabilities. Shortly after that, in 2011, a US  Secretary of the  Army  John  M.  McHugh confirmed America’s cyber offensive capabilities, effectively recognizing cyber weapons.[15]

Some of the above aspects were developed in the Cyber Strategy of the US Department of Defense 2015. It is stated that particular formations for performing operations in cyberspace will be divided into three groups: cyber defense units (protection of the Ministry of Defense’s information infrastructure), national defense units (protection of the state and state interests, high-level attacks), and combat units. In addition, the conceptual foundations of deterrence in cyberspace received a more straightforward design.[16]

The sum of money dedicated to cyberspace operations shows that this is one of the US Department of Defense’s top priorities. Realizing the rising scope and depth of attacks on government IT networks, the US administration expanded funding for cybersecurity in its 2016 budget to improve defenses and make cyberspace more stable. Overall IT spending is costs to be $86.4 billion in the President’s budget request. Protection IT will cost $37.3 billion (in fact, cyber weapons), while non-defense IT will cost $49 billion. According to acting federal CIO Lisa Schlosser, an increase in cybersecurity investment is driving the increase. The 2016 budget provides $14 billion in cybersecurity funding, which marks a 10% rise over 2015. Schlosser said in a 2 February briefing that the Department of Defense receives the bulk of the cyber funding. It was also expected to raise Cyber Command’s workforce to 6,000 cyber professionals spread across three task areas, divided into 133 teams[17].

Scope of Cyberweapons:

The Hoover Institution coined the word “electronic weapons of mass destruction” to promote the concept of cyber weapons as weapons of mass destruction (eWMD). The possible implications of a cyber-attack are becoming increasingly worrying. Given our society’s dependency on critical infrastructure, eWMDs have the potential to be the cyber equivalent of a military blockade in our new, digital economy. Similarly, as Clay Wilson points out, the International Working Group is now using the term “CBRNCy” (chemical, biological, radiological, nuclear, and cyber) to incorporate emerging cyber threats in their current WMD discussions and non-proliferation.[18]

According to Jeffrey Carr, cyber weapons cannot be categorized as weapons of mass destruction because they still lack the efficiency to kill humans as firearms or explosives, and there is no historical or legal proof to substantiate such a description. No usage of cyber weapons qualifies as a weapon of mass destruction under the US Code’s definition, in the legal, historical, or vernacular meanings of the word. Many academic scholars agreed that while cyber weapons have yet to cause any casualties, classifying them as weapons of mass destruction is especially difficult.[19]

Based on cyberspace features, cyber weapons are not considered weapons of mass destruction, but at the same time, cyber weapons pose severe challenges to the public and private sectors alike. Attribution of cyber behavior, the dual-use aspect of cyber weapons, unpredictability and the possibility of collateral harm, and the ability to use cyberweapons as a force multiplier for traditional military operations are all essential considerations.[20]

[1] – Elisa D. Harris, James M. Acton, and Herbert Lin. “Chapter 3: Governance of Information Technology and Cyber Weapons.” American Academy of Arts & Sciences. https://tinyurl.com/phbwfkk4

[2] – Elisa D. Harris, James M. Acton, and Herbert Lin. “Chapter 3: Governance of Information Technology and Cyber Weapons.” American Academy of Arts & Sciences. https://tinyurl.com/phbwfkk4

[3] – Cristian Barbieri, Jean-Pierre Darnisand Carolina Polito. “Non-proliferation Regime for Cyber Weapons. A Tentative Study.” Istituto Affari Internazionali, March 2018. p.6. http://www.iai.it/sites/default/files/iai1803.pdf

[4] – Ibid. p.24.

[5] – Joint Force Development. “Cyberspace Operations.” 8 June 2018. page.GL-4 https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp3_12.pdf

[6] – Elisa D. Harris, and others. Op Cit.

[7] – Cristian Barbieri, and others. Op Cit. p.22.

[8] – Elisa D. Harris, and others. Op Cit.

[9] – The Wassenaar Accord is an agreement concluded in July-December 1996 in Wassenaar (Netherlands) by 33 countries with the aim of increasing responsibility for transfers of conventional weapons and “dual-use” goods and technologies to prevent their destabilizing accumulations. https://en.wikipedia.org/wiki/Wassenaar_Arrangement

[10] – Cristian Barbieri, and others. Op Cit. p.32.

[11] – Ibid. p.21.     

[12] – Network-centric warfare. Wikipedia. https://en.wikipedia.org/wiki/Network-centric_warfare#cite_ref-4

[13]  – Ibid.

[14] – Jeffrey L. Caton. “Army Support of Military Cyberspace Operations: Joint Context and Globalescalation Implication.”  Strategic Studies Institute and The United States Army War College. January 2015. p.10. also p.24.  https://www.files.ethz.ch/isn/187504/pub1246.pdf

[15] – Ibid. pp. 25-26.   

[16] – Ibid. pp. 13-14. 

[17] – Ibid. p.13.   

[18] – Cristian Barbieri, and others. Op Cit. p.20.

[19] – Ibid. p.20.

[20] – Ibid. p.2.