Cyber War Crimes: speculations on their inevitability
The British Defence Secretary Philip Hammond has announced that the UK is “developing a full-spectrum military cyber capability, including strike capability”. In doing so, has become the first Western politician to publicly acknowledge offensive operations in cyberspace as a state priority, although a few months earlier the head of the NSA spoke of creating cyberwarfare divisions.
The context of the British revelation was a Dr. Strangelove style interview in a nuclear bunker beneath Whitehall. The narrative was of “clinical cyber strikes” and claimed that “in contrast with bloody, dangerous and inaccurate bombing raids, entire cities could be conquered without a single loss of life, helping Britain to avoid a military war – and a public relations battle”.
The reality of cyberwar is likely to be dirty; more like a messy proxy-war than a disciplined confrontation between national armies. What is more, cyberwar arrives draped in the vestments of future war crimes. A closer reading of current evidence suggests it will generate activity across three areas that are definitely unethical and potentially illegal; namely funding dangerous militias, increasing the number of children enrolled in conflict, and poisoning public spaces.
Firstly, the threat of militias. Despite being a top-end engineering project, Stuxnet seems to have depended on shady private sector engagements. The zero day exploits used to deliver the payload were almost certainly a product of the growing black-market in vulnerabilities. Companies like French firm VUPEN are the Blackwaters of cyberwar, and even civilian law-enforcement agencies are willing to pay for exploits so they can slip spyware onto suspects' mobile phones according to Christopher Soghoian, principal technologist at the American Civil Liberties Union. As a case in point, the Syrian conflict has spawned several digital militias with dubious affiliations, from the established pro-regime Syrian Electronic Army to the spray of opposition splinter groups like the Jabhat Al Nusra Electronic Army. There's a murky nexus of mafia, malware and militias at the core of cyberwar which can only swell as the military ramps up it's budget for offensive capabilities. It's not hard to see what kind of mess can be created by mixing global demand with a militia and proxy wars; just look an the unending strife in Congo where various interests fight for, among other things, control of the mineral coltan which is used in mobile phones & laptops. Moreover, nothing about cyberwar can be separated from the surveillance systems exposed Edward Snowden. As Thomas Rid, Reader in War Studies at King’s College London says in the FT; “Building cyber weapons requires attacking first. You can’t build a cyber weapon without first knowing the target. This requires penetrating the target first, through aggressive probing for intelligence. The effect is escalation, not deterrence.” Cyberwar needs Prism, Bullrun and the rest.
The second disturbing trend is the focus on enrolling youth and children. The tabloid article interview with Hammond in which he revealed the switch to a cyber offensive stance also contained references to a new Cyber National Guard of part-time reservists which will be “open to computer whizzkids who cannot pass the current Territorial Army fitness tests, on the basis that press-ups do not aid computer skills. ‘A TA for computer geniuses’, as Mr Hammond called it”. While this may be rhetorical chaff to divert attention from other cuts in the defence budget, cyberwar raises a substantive issue about age and conflict. Hackers start young, and some will be behind those exploits that fetch high prices in the global black markets. We can also ask what part of existing cyber militias consist of kids too young to take up a Kalashnikov. As for the state, what should we make of DARPA's enthusiasm for funding the 'maker' agenda in education (as Tim O'Reilly's tweet says “@make and @otherlab plan to bring making to education … with the help of a DARPA mentor grant” ). In the past, the UK has been criticised by Amnesty International for using 'child soldiers' ("The United Kingdom is the only country in Europe which routinely sends children under the age of 18 into armed conflict”). The government's welcome switch in schools' ICT learning curriculum to make coding a priority is now taking place in a state that considers offensive cyberwar as central to future war strategy. While no-one is suggesting the education agenda has been set by the military, there is some sense in which they are moving in step. At the very least, the expansion of the malware-industrial complex will proliferate job ads like those from Raytheon which boast of youth culture: “Surfboards, pirate flags, and DEFCON black badges decorate our offices, and our Nerf collection dwarfs that of most toy stores. Our research and development projects cover the spectrum of offensive and defensive security technologies.”
A third strand of possible cyber war crimes is the nature of the weapons as indiscrimate rather than surgical. In this arms race, proliferation is baked in; techniques used by Stuxnet have surfaced in code used by regular cyber criminals (“The parallel is dropping the atomic bomb but also leaflets with the design of it” according to one think tank). The fact that Stuxnet itself was discovered by the outside world is attributed to a bug in the malware which led to it spreading beyond its intended target (the centrifuges in Iran's Natanz nuclear plant). A programming error introduced in an update led to the worm infecting an engineer's computer that had been connected to the centrifuges, and spreading further when the engineer returned home and connected his computer to the internet. In the past few months a couple of US-based engineers have exposed vulnerabilities in other SCADA (supervisory control and data acquisition) systems used to remotely monitor power stations and water utilities. “In the case of one vendor, Mr. Crain found that he could actually infiltrate a power station’s control center from afar. An attacker could use that capability to insert malware to take over the system, like Stuxnet”. This has led to a series of CERT (Cyber Emergency Response Team) advisories, such as: “The affected Triangle MicroWorks products are stand-alone or are third-party components, which communicate to outstation/slave devices using various transmission protocols. According to Triangle MicroWorks, the products are deployed across several sectors including electric utilities, transportation systems, water, and government facilities...The outstation can be sent into an infinite loop by sending a specially crafted TCP packet from the master station on an IP-based network. The device must be shut down and restarted to reset the loop state”. Sujeet Shenoi of the Cyber Corps Program at the University of Tulsa 'fears the consequences of active strikes against infrastructure. “I think maybe the civilian courts ought to get together and bar these kinds of attacks,” he says'. As the Internet of Things infuses every aspect of our lives well beyond our industrial infrastructure, the potential for attack becomes fractal. If a hobbyist can create a search engine Shodan for exposed devices including traffic lights, security cameras and home heating systems, as well as industrial infrastructure, what will a serious cyberwar agency or militia be able to do? And what will be the inevitable unintended consequences? Despite Hammond's claim that “entire cities could be conquered without a single loss of life” we know that so-called non-lethal weapons like tear gas frequently kill; when, for example, the gas is fired in to enclosed spaces where there are older people or children. Cyberwar will attack the atmospheres of our lives in ways that will unpredictably toxic.
When all this or something similar comes to pass and, too late, we agree that cyber war crimes have occurred – what then? Do we rely on an institutional human rights framework which has failed to adapt to the age of networks? What class of professionals will be qualified to prosecute? In the USA, legislators charged with overseeing surveillance programmes were persuaded that metadata is innocuous, and the judiciary legitimised blanket interception by defining massive data sets as 'targeted facilities'. Perhaps we will look to 'the new politics of the internet', a networked politics which takes the commons as a priority. “What these new political models hope to achieve is not just decentralization, but self-organization...The internet has given not only the tools but also the language and culture required for so many people to participate in self-organized systems at global scales”. Perhaps the peace and anti-nuclear movement will be reinvigorated and combine Menwith Hill peace grannies with Tweets from the Streets. The politics that emerges from the internet also comes with the defence of the internet as a fundamental social good, whereas a notable characteristic shared by surveillance agencies, cyberwar programmes and, for that matter, the defenders of incumbent business models (think SOPA and ACTA) is a willingness to 'break' the internet in pursuit of their goals. The internet was imbued by its university origins with the academic ideals of free expression and the sharing of knowledge. As one of the leaders of Germany’s Pirate Party once said “We don’t offer a ready-made programme, but an entire operating system” and this could describe the internet itself, a space for global collaboration in the face of climate change and energy shocks. In this situation, waging war on the internet itself may at least constitute a crime against the commons.