ASIL Live-Blogging, “Cyber-Security: Regulating Threats to the Internet under International Law”

Moderator: Susan W. Brenner, University of Dayton School of Law

Speakers: Eneken Tikk-Ringas, Munk School of International Affairs, University of Toronto; Joel Brenner, Cooley LLP; Col. Gary D. Brown, Office of the Judge Advocate, US Cyber Command; and Christopher Soghoian, Center of Applied Cybersecurity, Indiana University


Remarks by Eneken Tikk-Ringas

The events surrounding the so-called Estonian cyber attack were not technically cyber attacks; they were criminal actions, and treated as such.  It is worth noting that Estonia never invoked Article 5 of the NATO treaty with respect to the cyber attack.

Remarks by Gary D. Brown

While Estonia is often cited as cyber warfare, it was not cyber warfare; it was a criminal action.  In addition, the other example often cited, Georgia, was also not technically cyber warfare.  The best example was the cyber attack on Iran’s nuclear facilities.  In that case, the cyber action was certainly “an attack,” because something was broken – i.e. 1,000 centrifuges – during the cyber attack.  With that said, whether “something was broken” is not the only consideration in determining whether “an attack” occurred under IHL.  The biggest question is, what constitutes “an act of war” under international law?  While “an act of war” is not necessary to trigger IHL, perhaps it should be.  Regardless of this issue, the main question is, what types of cyber activities would merit a response?  In particular, what types of responses against non-State actors involving cyber attacks are legal under IHL?  [This question was never answered.]

Remarks by Christopher Soghoian

There are two kinds of attacks.  First, attacks that use security threats that are already known.   Second, attacks that use “zero day” flaws, i.e. flaws that are not known to the software vendor.  Why mention these?  Because the attacks on Iran’s nuclear facilities fall under the second category.  There was nothing Iran could do to protect itself against that attack.  The nuclear facilities were not connected to the internet; nevertheless, the cyber attack crippled Iran’s centrifuges.

There are also two kinds of attackers: States and “Anonymous.”  The above discussion referred to State-backed cyber attacks.  Anonymous takes matters into its own hands and attacks corporations and governments to cripple their systems.  Anonymous does not use “zero days”; it attacks known vulnerabilities in its targets.  Why does this matter?  Companies can do things to protect themselves against the first kind of attack.  However, companies can do nothing to protect themselves against a State-backed “zero day” attack.

Remarks by Joel Brenner

Practically speaking, cyber attacks should not fall under IHL.  Cyber warfare is really “a not war, but highly conflictual situation.”  We need to be very careful when discussing cyber warfare: it is not kinetic action; it is not an armed attack.  As such, IHL does not apply.  Nevertheless, it is a very serious situation which must be addressed.

Further Remarks by Gary D. Brown

The description of cyber warfare as “warfare” or “attacks” is not helpful in dealing with the phenomenon, from either a legal or practical standpoint.  “Cyber disruption” or “cyber interference,” although more appropriate to describe these events, are not sexy; therefore, no one precisely describes these events as such.

Question: how do we respond to a “cyber attack”?

The US does not define, in the relevant military manuals, what constitutes a “cyber attack.”  The reason for this is because a “cyber attack” is very fact-specific, which does not lend itself well to a definition.  Also, from a practical standpoint, it would be foolish for the US government to define what constitutes a cyber attack and what doesn’t, thereby tipping our hand to potential cyber attackers.


Cyber crime and espionage are much more prevalent problems than “cyber attacks.”

Remarks by Joel Brenner

China hacked into the DOD, stole a bunch of personal information, and then encrypted the information upon withdrawal, so the US has no idea what exactly was stolen.  Iran has stolen the technical details – including the defense measures – of the President’s helicopter.  Russia has perfected the art of identity theft through cyber crime.  As such, China, Iran and Russia are constantly engaged in cyber crime and cyber espionage; however, prosecution of these crimes is severely lacking.  As a result, both security and privacy are in the ditch.

Information security v. operational security

Everything from air conditioning to air traffic control data is vulnerable because it all suffers from the same information security deficiencies.  The problem is, these information insecurities have now become operational insecurities.

Identity theft & economic espionage

The latter is much worse than the former, for the latter (intellectual property) drives the US economy.  Thus, while identity theft must be addressed, economic espionage must be the priority in our efforts to stop cyber crime.

Remarks by Christopher Soghoian

The government’s actions in response to these problems have made matters worse, both in terms of privacy and security.

Chip & PIN

Everywhere else in the world, “chip & pin” cards are used because they are safer and more secure.  However, the US has refused to follow suit because US credit card companies have decided it’s cheaper to handle the fraud claims than upgrade their systems by incorporating “chip & pin” technologies.

Remarks by Eneken Tikk-Ringas

As lawyers, we must think outside the box in addressing these issues.  The problem is not that we don’t know who the hackers are; the problem is that, legally, we don’t know how to deal with the hackers.

Remarks by Joel Brenner

The government is not behind the non-use of “chip & pin”; the credit card companies are.  Moreover, “chip & pin” is extremely expensive.  Nevertheless, as Christopher said, “chip & pin” is “low-hanging fruit” with which we can deal.  The other “low-hanging fruit” is infrastructure, which we have been very ineffective at addressing.


Remarks by Gary D. Brown

Obviously, the military is not that concerned with privacy.


Remarks by Christopher Soghoian

Cause and Effect: Botnets

Dangerous Botnets come from Spam, which mainly advertises Viagra.  Thus, if we revamped the prescription drug market, we would eliminate Viagra ads, which would eliminate most Spam, which, in turn, would dramatically decrease dangerous Botnets.

Market Problems and Regulation

Many of the cyber crime tools which are being used were created by American companies, which sell not only to the US government, but also to other (less friendly) governments.  Thus, this market needs to be regulated to cut out the middle man – i.e. the software companies.  Software engineers should sell their product directly to the US government, in order to ensure that these tools do not end up in the hands of hostile governments and, ultimately, hackers or even terrorists.

Remarks by Joel Brenner

Certainly, public-private (i.e. government-company) sharing is a problem, but probably the best thing that can be done to address this issue is to have private companies share knowledge of these vulnerabilities with each other.  The problem is, many companies compete based on the cyber security systems that they offer as a product.  Thus, this cooperation is unlikely to happen absent legislation.

Remarks by Eneken Tikk-Ringas

The company-to-company sharing problem is not as severe in Europe, where there is more cooperation.


Remarks by Christopher Soghoian

As for State attribution, it is very difficult to determine the origin of “cyber attacks.”  Thus, it is difficult to attribute “cyber attacks” to a particular State.

As for privacy, as the systems currently exist, there is no such thing as privacy.  The government does what it wants, and orders companies (such as Facebook and Google) to provide it with the information it needs.  State security will always trump individual privacy.

Remarks by Gary D. Brown

As for State attribution, the military is not so concerned about attribution of cyber attacks to a person or a State; it is concerned about attribution to a machine.  If the military can shut down the machine, then the attack stops.

As for privacy, where is the personal responsibility?  If you leave your computer on all night, and someone hacks into it and uses it for nefarious purposes, the owner of the computer is somewhat responsible for propagating the problem (although the person is not likely criminally liable).


Filed under News and Events, Public International Law
