Nations in Europe and beyond have already taken part in the first skirmishes of a new kind of warfare, where computers can be more deadly than a missile. However, NATO countries are still fumbling in the dark when it comes to defining the rules of engagement for this new, 21st-century type of warfare.
PLA Unit 61398. The name, which sounds like some sort of computer code, doesn’t give much away. Nor does the 12-storey building in the industrial part of Shanghai where PLA Unit 61398 resides give any indication that this is the centre of a recent media storm; the centre of a virtual war vortex that has military commanders across the globe asking questions like: are we allowed to kill an enemy hacker?
If your country is a member of NATO, then the answer seems to be…maybe…
China’s secret cyber war
Returning to the story of PLA Unit 61398, it’s a hacking group believed to be responsible for breaching the internet security of hundreds of companies around the world in what has seemed like a hunt for classified information.
One of the companies that found itself targeted was The New York Times, which asked the American information-security company Mandiant to find out what had happened.
Mandiant identified PLA Unit 61398 as the culprit and added that the unit had been carrying out hacking attacks since 2006. Apart from targeting companies and stealing business secrets, the unit was the likely culprit behind Operation Shady RAT – a coordinated internet espionage attack that over several years tried to gain access to the servers of state agencies in countries like the USA, Canada, Taiwan and South Korea, as well as organisations like the UN.
“The details we have analysed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese government is aware of them,” Mandiant said in the report.
“Either they are coming from inside Unit 61398, or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighbourhood,” Kevin Mandia, founder and chief executive of Mandiant, added in an interview with The New York Times.
Mandiant went on to speculate that PLA Unit 61398 was, in fact, a fully functioning part of the People's Liberation Army General Staff Department.
China has denied any sort of involvement, saying it itself had been the victim of malicious cyber-attacks, some originating in the US.
As it might have been. These attacks might even have come from somewhere deep in the US military system, which has previously been involved in cyber warfare.
The US Military were, for instance, partly responsible for developing the Stuxnet virus, which targeted Iranian nuclear facilities.
Korea, Estonia and the Tallinn Manual
The incidents show how nations are gearing up their capabilities to fight each other in cyberspace.
Recent developments have highlighted the risk that these virtual skirmishes could spread to the real world.
One incident involved more than 48,000 computer servers, PCs and automatic bank tellers in offices of banks and broadcasters throughout South Korea. It was discovered that the computers had been infected by malware, and a recent report by the South Korean authorities placed the responsibility for the attack on parts of the North Korean military, further heightening the tension between two nations that are technically still at war.
The developing war-like actions in the virtual world made NATO bring together a group of experts, who in 2009 were asked to come up with a set of rules for how the various member states could and should react when faced with an organised cyber-attack from another country.
The result was the recently released Tallinn Manual on the International Law Applicable to Cyber Warfare (TMILACW), written by the so-called Cooperative Cyber Defence Centre of Excellence.
In the TMILACW, the experts outline 95 points about cyber warfare and offer the following answer to whether or not hackers can be seen as enemy combatants:
“A cyber operation by a State directed against cyber infrastructure located in another State may violate the latter’s sovereignty. It certainly does so if it causes damage.”
So if a cyber-attack carried out by agents of country A brings down a plane belonging to country B, everything is clear – it’s definitely a military attack.
So does this merit a military response?
The TMILACW says yes, as long as the response tries to balance “[...] the level of harm inflicted and certain qualitative elements of a particular cyber operation.”
It does, however, struggle to answer questions like: so how do you deal with hackers? What sort of rights do they have? And how about attacks like those carried out by the Chinese hackers, who were after information, not bringing down planes or causing traffic lights to change colour, causing crashes?
“Acts of cyber intelligence gathering and cyber theft,” or “cyber operations that involve brief or periodic interruption of non-essential cyber services,” do not fall into this “armed attack” category, the TMILACW states.
Two things are worth noting here. One, the TMILACW is in no way binding, so it’s up to the various members of NATO to decide if they’ll treat its recommendations as gospel or make their own rules. Two, there is no clear, set-in-stone definition of when a country has the right to use physical force when responding to a cyber-attack.
According to the English Ministry of Defence, the manual is ‘an interesting contribution to the debate on international law applicable to cyber.’
“While MOD legal advisers may wish to consider the manual, they are not bound by the interpretations of the expert group who authored the document, and note that on some issues there was disagreement amongst the expert group which is recorded in the manual,” a spokesperson for the MoD said.
Cyber war – coming to an internet café near you?
While the rules and regulations surrounding cyber war are being worked out between nations, the current situation leaves much up to individual countries.
A fact highlighted already in 2012, when US State Department Legal Adviser Harold Koh gave a speech outlining the US’s position on how international law applies to cyberspace. In it he expressed views that correspond to those found in the TMILACW, except in certain areas, including when a cyber operation amounts to an armed attack, meaning that a state can fire back at the perpetrators with conventional weapons.
“The inherent right of self-defence potentially applies against any illegal use of force.… [T]here is no threshold for a use of deadly force to qualify as an ‘armed attack’ that may warrant a forcible response,” Mr Koh said.
To illustrate what this means, it might be easiest to sketch a scenario:
An agent of a certain nation uses a computer to launch a cyber-attack on another country. The US, for example. However, seeing as the systems the agent is attacking are pretty vulnerable, he or she hasn’t had need for advanced computer systems. In fact, the agent is sitting in a computer café in a busy city in a third country.
The question is: does the US have the right to launch a missile at the computer café in order to defend itself?
According to Mr Koh’s statement, the answer seems to be maybe – if the US deems that the attack is serious enough, then missiles could be flying into an internet café near you.
According to the Danish expert in the legal aspects of armed conflict and modern technology at the University of Copenhagen, Anders Henriksen, the scenario above is nowhere near far-fetched and illustrates one of the legal and technical issues of warfare in the 21st century:
“The question of how to answer a cyber-attack is one of the grey areas, because agents only have temporary access to a certain type of infrastructure – such as computers – to conduct their attacks,” he says, adding that:
“In my view, it's about that we need to invent new rules and conventions but rather that we should try to see if we can agree on how we apply the existing law on the new form of warfare that cyber warfare poses.”