Some thoughts on cyber-war

The nature of war is changing and acts that are not at present considered to be “war” may become the primary means by which war is waged in the future.

28/09/2018
Article published in ALAI’s magazine No. 535: Paz y NoViolencia: Rebeldía a un sistema violento 17/09/2018

War may be morphing to cyber-war

 

There are differing definitions of the term “cyber warfare”, resulting in different understandings of consequences and preventive measures. Strictly speaking, it refers to massive state-organized assaults, akin to conventional warfare, but it is also used more generally.  Indeed, the term “war” is often used figuratively, as in economic war, the war on drugs, and the war on terrorism.  The Inter-Parliamentary Union recently adopted a resolution in 2015 titled “Cyber warfare: a serious threat to peace and global stability”; that resolution states: “…cyber warfare may encompass, but is not necessarily limited to, operations against a computer or a computer system through a data stream as a means and method of warfare that is intended to gather intelligence for the purpose of economic, political or social destabilization or that can reasonably be expected to cause death, injury, destruction or damage during, but not exclusively in, armed conflicts”.

 

Cyber-war

 

Cyber-war may replace mass killings and bombing as the preferred way of forcing an adversary to submit.

 

It is increasingly apparent that the security of IoT (Internet of Things) devices is inadequate and that this could have catastrophic consequences. Further, unlike physical weapons, cyber-weapons can be replicated at essentially no cost, so their production and stockpiling present dangers that are even greater than the production and stockpiling of physical weapons.

 

The WannaCry incident can be considered a harbinger of things to come: a state-sponsored cyber-attack on the infrastructure of another country (e.g. the electrical power grid, the airline control system, government computer systems, etc.).  Such an attack could paralyse a state in the same way that intensive aerial bombardment can paralyse it.

 

With the increasing importance of ICTs, and the increasing dependency of everything on ICTs, we may reach a stage where force can be used effectively to destroy ICT systems, thus achieving the desired goal of forcing an adversary to surrender without having to kill people directly or to bomb facilities.

 

This is very different from the current use of ICTs in warfare, which is (1) to improve the performance of weapons systems such as artillery, missiles, etc. (2) to improve the performance of reconnaissance and intelligence systems such as radar, surveillance satellites, etc. and (3) to improve logistics, for example by optimizing routing of soldiers, equipment, and supplies, etc.

 

And it is different from the development and deployment of “killer robots”, properly referred to as lethal autonomous weapon systems.

 

Geneva Digital Convention

 

There is a need for a treaty under which states agree, inter alia, not to attack civilian digital infrastructure in times of peace, not to acquire or stockpile malware, and immediately to inform concerned manufacturers when they become aware of vulnerabilities in software or hardware.

 

In March 2017, WikiLeaks published information on use by the US Central Intelligence Agency (CIA) of various hacking tools and malware. According to that information, the tools in question include malware that can be used to infect various Internet of Things (IoT) devices, including home television sets (TVs), and can be used to monitor conversations near the TV even if the user thinks that the TV has been turned off. Further, similar capabilities can be used to infect smartphones and turn them into monitoring devices, even when the user thinks that they have been turned off.

 

Moreover, according to the information published by WikiLeaks, the CIA has lost control of its arsenal of hacking tools, which are now available to entities other than the CIA, including presumably cyber-criminals.

 

Even worse, the tools are designed to conceal who is using them, so attacks using these tools cannot be traced back to the source of the attack.  Instead, the source appears to be some unrelated third party, who then gets blamed for the attack.

 

More recently, the WannaCry attack in mid-May 2017 prompted Microsoft to renew the call it had made a few months earlier for a “Geneva Digital Convention”.

 

Microsoft has made three specific proposals:

 

  • Clauses for a binding treaty
  • An agreement between high-tech companies
  • The creation of an organization that would seek to attribute cyber-attacks, that is, to determine who initiated the cyber-attack

 

However, one could go further than what Microsoft has proposed regarding treaty clauses, and call on all states to agree, in an instrument that is binding under international law:

 

  • that the Internet must be used only for peaceful purposes
  • that offensive cyber-attacks include any form of surveillance and/or eavesdropping that is not necessary and proportionate and authorized by the national courts of the target of the surveillance
  • not to conduct, procure, or promote offensive cyber-attacks, in particular those that target private parties or critical infrastructure
  • to limit their cyber-war research and capabilities, and their cyber-operations to purely defensive means, which do not include counterattacks
  • not to produce, procure, or favor the production of tools and/or malware that can be used for offensive cyber-attacks
  • to assist all efforts to detect, contain, respond to and recover from cyber-attacks
  • to report any vulnerabilities that they learn of to vendors
  • to follow up with vendors to ensure that known vulnerabilities are cured
  • not to stockpile, sell, or exploit any vulnerabilities that they learn of that could be used for offensive cyber-attacks

 

This binding agreement should also prohibit mass surveillance.

 

Mass Surveillance

 

Surveillance of citizens other than on the individual order of a judge violates human rights, is not effective, and is a form of cyber-attack.

 

It is well known that many states, including states that consider themselves to be democratic, have implemented mass surveillance. In this context, “mass surveillance” is any form of surveillance and/or eavesdropping that is not necessary and proportionate and authorized by the national courts of the target of the surveillance.

 

The stated goal of such surveillance is to combat what the states in question consider to be terrorism.

 

But such surveillance is not and cannot be effective in countering individual acts of violence: could it prevent bank robberies?

 

It is urgent to recognize that current forms of mass surveillance violate the human right to privacy and are a form of cyber-attack.

 

The UN Human Rights Council Special Rapporteur on privacy has convened groups to discuss this matter.

 

 

- Richard Hill, APIG. http://www.apig.ch and http://www.hill-a.ch

 

Article published in ALAI’s Spanish-language magazine América Latina en Movimiento No 535, September 2018: Paz y NoViolencia: Rebeldía a un sistema violento (Peace and NonViolence: Rebellion against a violent system). Co-edition with Pressenza.

 

 

 

https://www.alainet.org/es/node/195601
