Key problems European states face when addressing the cyber threat. keeforce.com
Cyber Attack

*Disclaimer: I cannot hope to do justice to the topics that you are about to read. I will provide a bare-bones argument which will inform you of the issues that states face. I strongly encourage anyone interested in the discussed topics to do further reading to gather a much more rounded and informed insight.

The potential threats posed from the cyber-sphere cannot be understated. Modern societies are reliant on computers to function, from controlling power-distribution using SCARTA systems to change how we communicate and interact. With the incredible developments the internet and computers provide, states must also acknowledge and prepare for the vulnerabilities which exist within the cyber-sphere. On a daily basis, individuals, groups and even States participate in methods of cyber espionage, and the cyber-sphere is becoming increasingly regarded as an effective strategy in disrupting a State – we have already seen this during the 2007 Estonia cyber attacks, in 2008 whenRussia conducted cyber operations against Georgia and also the Stuxnet virus which aimed at damaging Iran's capacity to develop nuclear weapons. Over the forthcoming articles I aim briefly outlining some of the problems the cyber-sphere poses to states, starting with the problem of defining what constitutes a 'cyber attack'.

Differentiating between kinetic attacks and cyber attacks

When we think of an attack in 'conventional' terms, we think of explosions, bullets or fighting between groups of individuals, whereby the aims are to cause death, destruction or inhibit the ability of a party to achieve their goals. A kinetic attack involves boots on the ground fighting at close quarters and their actions have a direct effect upon whether someone lives or dies, i.e. if you shoot someone in the head they will die. Whilst the aims of a 'cyber attack' may be similar to their kinetic counterparts, currently a cyberattack cannot directly cause the deaths of a group of people. Instead, a cyber attack could effect something in such a capacity to indirectly cause death and/or destruction. Therefore, whilst a cyber attack may succeed in turning off the power to a hospital, the actual action does not cause destruction, but the lack of power to the hospital may cause death and destruction. If we can recognise that there are differences between the two types of 'attacks' then, the international community must also recognise that the current definitions and measures which we use to define acts of aggression and attacks may be outdated. 

Currently there is no internationally accepted definition of what constitutes a 'cyber attack' and instead states are left to their own volition to define what a cyber attack is. There have however been attempts to define what constitutes a Cyber attack. In 2012 authors of the Tallinn Manual which was a study on how international law applies to cyber-conflict provided this definition of a 'cyber attack’: “A 'cyber attack' is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”

Whilst in my humble opinion this offers a clear definition of what constitutes a 'cyber attack' this is not internationally recognised and therefore serves only as a possible guideline for legislators. With the lack of a clear definition of what constitutes a 'cyber attack' states face several problems when addressing cyber operations which are conducted against them.

Operational problems

A significant problem posed to responders of cyber operations is at what point an 'operation' becomes an attack. The way that we define an action has drastic effects on the way a State may respond to something, by branding a small DDoS operation an 'attack' you instantly elevate the operation from being something trivial, to something which requires the immediate response. Therefore, for responders to operations, it is important that they can differentiate between what is trivial and what is urgent so they can ultimately ensure that their response is not only effective but also proportionate to the current situation. This operational problem becomes interesting when we consider the opinions of multiple states. Whilst the EU and America may have a similar understanding of when a cyber operation develops into an attack, this is not the same for other States across the globe. States such as China and Russia, both who challenge Western eminence in the cybersphere, may provide alternative definitions of what constitutes a cyber attack. This is a problem for responders, the lack of a clear cut definition means that in the future, tensions may escalate significantly due to a misunderstanding between States over the point at which an operation becomes an attack and requires higher forms of deterrence to respond to the cyber threat.

Interestingly, the 2013 British 'Cyber Primer' which 'primes' their employees to recognise and garner a more rounded understanding of the significance of the cybersphere uses the term 'attack' very lightly. Whilst I have stressed the problems around branding something an 'attack' the Cyber Primer considers “social engineering; malware; local physical access; and supply chain corruption” as forms of attacks. It is interesting that the MoD considers these as attacks from the beginning. Instead of labelling them as 'operations' and then progressing to a stage where they become an 'attack' they instead choose to label them an attack, this may serve as a way of stressing the significance of the threat to readers of the primer which may be their aim. The necessity for an internationally recognised definition of what constitutes an 'attack' in the cybersphere is becoming increasingly important as the capacity for the cybersphere to drastically effect international politics becomes possible. Currently, the Tallinn Manual offers the best chance at providing a set of rules which can govern the cybersphere, however because of international agreements, it is up to states and businesses across the globe to regulate and work together to self-govern the cybersphere.

In my forthcoming articles I will explore the key problems European states face when addressing the cyber threat. My next article will look at two unique problems posed from the cyber sphere before finally offering an insight into how European states collectively respond to Cyberthreats.