• <div class="header-image" style="background-image: url(/live/image/gid/4/2635_V6N3_Header.rev.1522162449.jpg);">​</div><div class="header-background-color"/>

The Evolving Global Cyberwarfare Crisis

March 30, 2017
Shortly after last year’s dramatic US presidential election - when Republican nominee Donald Trump beat media-projected favorite Democrat Hillary Clinton - allegations of Russia’s hacking involvement in favor of Trump surfaced. US politicians demanded an investigation. Did the act of what people labeled as “cyber-crime” warrant this scale of public backlash? This article will attempt to provide a better understanding of the cyberwarfare scene from a trade and foreign policy perspective. It will conduct a deep-dive into the legislation and economics behind cybersecurity and cyberwarfare using case-studies, and an examination of current trends.

The intelligence community’s subsequent assessment of the allegations found Russian President Vladimir Putin to be centrally involved in cyberattacks that broke into the e-mail accounts of the Democratic National Committee and Hillary Clinton’s campaign chairman, John Podesta, interfering with the outcome of the United States presidential election.[1] The response was, expectedly, one of shock and distress; the incident questioned the inviolability of American democracy and undermined the presumption that the workings of an election are transparent and that the decision is up to the people of the nation. Russian officials have denied the allegations, and Putin has held that the accusations are merely another ploy on the part of the United States to undermine his power. [2] It is necessary to add some perspective to this incident; cyber warfare legislation has always been a weakly defined area of international law.[3] The legal ambiguities of cyber warfare, coupled with the rapid evolution of technology over the past few decades, have brought the world into an unprecedented realm of information access that often does not adhere to any national boundaries.

The appropriate legal response to uses of cyberspace, as in the role of Russia’s hacking in the election is unclear. Legislation on cyber-warfare is premature as litigators are unable to clearly classify ‘cyber-attacks’, ‘cyber-warfare’, and other related expressions under legal statute.[4] The most authoritative document in this field is the Tallinn Manual, which is a non-binding NATO publication prepared by military and legal experts.[5] In this document, ‘cyber-attacks’ are defined as ‘‘cyber operations’, whether offensive or defensive, that are expected to cause injury or death to persons or damage or destruction to objects.’[6] Under NATO’s definition, it is difficult to deem unlawful influence as a ‘cyber-attack.’ Yet, as had been observed in the US election, subversion through cyberspace, with no physical causality, can still create deleterious consequences.

<p>Image: The Interconnectedness of the World by Submarine Cables. Source: <a href="https://www.telegeography.com/telecom-resources/map-gallery/submarine-cable-map-2009/">Telegeography</a></p>

Image: The Interconnectedness of the World by Submarine Cables. Source: Telegeography

Moreover, the intersection of civil and military space runs against realist security ideations.[7]Today, armies are found developing in-house cybersecurity capabilities when better expertise might be available in the private sphere; the bureaucratization of a cyber-response is slower than that of an independent security agent. However, privatization of national security erodes the exclusive power of the nation-state, legitimizing unpredictable sub-state actors who are usually more damaging.

The Private Sector and Cybersecurity

The rise of the information economy is recent decades has presented a shift in firms towards storing valuable property online, on corporate networks. However, often, the risk associated with storing valuable information online, is underestimated, and allocated poorly, due to the complex relationships among financial institutions. This poorly-organized risk is apparent in the transfer of risk, when a person or firm responsible for protecting the information system is not the one feeling repercussions from its failure. A clear example of this lies in the healthcare industry, where online medical records are bought by hospital directors and insurance companies, who do not feel the same level of privacy-infringement risk as patients, and, therefore, leave much more up to chance.[8] Additionally, firm managers often neglect to consider the impact cybercrime could have on their companies when making decisions regarding costs. For one, companies look to minimize IT costs without considering the major spillover effects a failure in one sector of the company could have on another. This short-term decision can have a lasting impact on the long-term prosperity of the firm. However, it is important to acknowledge that as perfect security is not possible, management must constantly be making informed decisions regarding the trade-off between efficiency and security. With very stringent security requirements, many firms can find it difficult to operate at a competitive level with other companies in their industry.

Information asymmetries regarding the market for secure software also poses issues to the private sector due to firms caring more about their reputations, and less about security. For one, firms have an incentive to under-report incidents, as not to tarnish their reputations with investors and consumers. Therefore, inaccurate information regarding the prevalence of cybercrime and information insecurity exists in the market, which makes it harder to manage risk in that area. This information asymmetry subsequently impacts the decision-making of buyers and vendors in the secure software industry – since ill-informed consumers and businesses are more likely to refuse premiums for protection, as they are ignorant of the magnitude of the threats, software vendors and less likely to invest in secure measures in the first place.

Despite the many cyber security issues that plague the private sector, the unparalleled technological development in the United States economy makes it a powerful tool to be used to combat cyber threats. Some policymakers are now exploring the idea of having governmental agencies such as the Department of Homeland Security work with private companies to create standardized cyber security protocols. Their rationale, along with those of other Information Specialists, is that private sector security protocols will be much more specific and holistic than any government directives. Additionally, the United States government views foreign governments as posing the most substantial cyber-threats to the nation; however, many private-sector businesses rank private groups such as “Anonymous,” and other cybercriminals ahead of countries such as Russia and China. These legislators, thus, believe, that the power that lies with these private groups in their ability to infiltrate national security, is best understood and combated by using the United States’ private sector. [9]

The Legal Situation in Detail

The impasse on cyber legislation can only be resolved by a strong supranational response. However, supranational organizations have not been enthusiastic about this thorny issue.[10] There are several possible reasons for this reluctance.

First, smaller states are driving cyberwarfare legislation. It is no coincidence that the defining document in this area was written in Tallinn. Estonia has been at the forefront of digital developments in Europe at least since the 2007 cyberattacks, when alleged Russian hackers crippled the Estonian government and other corporations.[11] Estonia is now becoming increasingly spooked by Russia’s alleged use of digital propaganda in Ukraine.[12]Estonia is rightfully vigilant. Previously, small states could hide under the umbrella of military alliances like NATO. Yet, if war is becoming less about hard power projection, small states will be left to secure their critical information independently (sensitive national information is not shared in such alliances), which leaves them much more vulnerable. Thus, it is evident why small states are driving change; without the protection of past alliances, these small states are looking to hold their own against information giants by pioneering their own cyberwarfare legislation.

Second, powerful nations fear the legitimization of cyberwarfare. Implementing binding resolutions will have the ancillary consequence of recognizing the legitimacy of cyber-attacks. This would grant belligerent actors greater firepower. Moreover, modern armies are built on computer systems. Any attack on their digital infrastructure could undermine the army more than any conventional force. Thus it is very understandable that powers such as the United States would prefer to wage conventional battles.

Third, cyberwarfare legislation requires thorough clarification of civil laws. The Universal Declaration of Human Rights achieved consensus chiefly over physical security rather than ideological ones. The regulation of cyberspace requires protection of digital identities and concerns, which are far more abstract by nature. Thus, any consensus on securitizing cyberspace must pass through the civil rights organs of the UN, where approval is slower by design.

Regardless of the reason, slow supranational organization has allowed individual nations to construct autonomous policy. For the purposes of clarifying the US election issue, an examination of US and Russian policy is in order.

US Cyber-Policy In Practice

<p>Image: Cybersecurity checkpoints in the United States. Source: <a href="https://iq.govwin.com/index.cfm?fractal=blogTool.dsp.blog&blogname=public&category=Information-Security&startRow=11">GovWin Blog on the Government Marketplace</a></p>

Image: Cybersecurity checkpoints in the United States. Source: GovWin Blog on the Government Marketplace

The Cyber Command of the United States of America was established in 2009 after the Estonian cyber-attacks.[13] In the same year, the Stuxnet worm infected Iranian nuclear facilities. While this act was never confirmed by the US, experts have determined that US and Israeli agencies likely carried out the attack to stymie the Iranian nuclear program.[14] If true, this would have marked a notable departure from the United States’ propagated cyberwarfare strategy of deterrence and defense, and demonstrates the power of cyberspace to subvert official policy. However, the US is typically conservative in its use of cyber-technology: the Cyber Command is designed to protect the ability of conventional military forces to function, and prevent escalation of violence to innocents. Moreover, the US is aware of high contagion risks, and thus officially restricts cyber capabilities to “support[ing] operational and contingency plans.”[15]

Recommendations

Given the climate of support, and necessity of protecting civilians, international negotiators must expedite cyber legislation. This could take many forms. First, security organs could be restructured to allow small, motivated states to drive change further. Former UN Secretary-General Ban Ki Moon reiterated at the Small Nation States conference that small nations make up in ideas what they lack in size.[16] Consultative committees and caucuses must thus be led by these small nations. Second, international bodies need to adopt community-driven approaches to security. With expertise of cyber-security lying in the private as well as public sphere, the Security Council would do well to consult non-governmental agencies. Third, the line between civil and military space needs to be clearly defined. Estonia embarked on a digital citizenry drive which clearly articulates digital private property and digital rights. This catalyzes the process of segregating the internet to limit contagion effects of potential attacks. Moreover, the articulation of a digital identity allows treaties with legal precedents, like the Geneva Convention, to apply to cyberspace easily.

Conclusion

In short, the US election issue is only the tip of the iceberg of issues in cyber-warfare legislation. Violent declarations of aggression must be accompanied with legal pressures for clear definitions, along with set precedents for sound progress for cyber-defense to have any meaning. In the meantime, cyber-attacks will continue to occupy a slippery space in international legislation fraught by loose language and hot temperaments.

References

  [1] http://www.newyorker.com/news/news-desk/russias-view-of-the-election-hacks-denials-amusement-comeuppance

  [2] https://www.theatlantic.com/international/archive/2017/01/russian-hacking-trump/510689/

  [3] https://fas.org/sgp/crs/misc/R43831.pdf

  [4] http://www.inss.org.il/uploadimages/import/(file)1308129610.pdf

  [5] http://www.americanforeignrelations.com/E-N/North-Atlantic-Treaty-Organization-Nato-construction-and-rearmament.html

  [6] https://www.icrc.org/eng/resources/documents/faq/130628-cyber-warfare-q-and-a-eng.htm

  [7] https://doi.org/10.1017/S1816383113000246

  [8] https://www.nap.edu/read/12997/chapter/3#9

  [9] http://reason.org/news/show/apr-2013-cybersecurity

  [10] https://www.iiss.org/en/publications/survival/sections/2015-1e95/survival–global-politics-and-strategy-august-september-2015-c6ba/57-4-02-gompert-and-libicki-eab1

  [11] http://www.nbcnews.com/id/31801246/ns/technology_and_science-security/t/look-estonias-cyber-attack/#.WKJVbBIrI_U

  [12] http://www.tandfonline.com/doi/full/10.1080/13523260.2015.1061765

  [13] https://www.law.upenn.edu/live/files/3474-oconnell-m-cyber-security-without-cyber-war-2012

  [14] https://www.washingtonpost.com/world/national-security/stuxnet-was-work-of-us-and-israeli-experts-officials-say/2012/06/01/gJQAlnEy6U_story.html?utm_term=.2d9fa9c3d9a5

  [15] https://www.washingtonpost.com/world/national-security/stuxnet-was-work-of-us-and-israeli-experts-officials-say/2012/06/01/gJQAlnEy6U_story.html?utm_term=.2d9fa9c3d9a5

  [16] http://www.kdu.ac.lk/southern_campus/images/documents/symposium/symposium2012/papers/ts/TheComplexSecurityParadigmofSmallIslandDevelopmentState.pdf

Student Blog Disclaimer
  • The views expressed on the Student Blog are the author’s opinions and don’t necessarily represent the Penn Wharton Public Policy Initiative’s strategies, recommendations, or opinions.

PENN WHARTON PPI
RESOURCE SPOTLIGHT:

  • <h3>The World Bank Data (U.S.)</h3><p><img width="130" height="118" alt="" src="/live/image/gid/4/width/130/height/118/484_world-bank-logo.rev.1407788945.jpg" class="lw_image lw_image484 lw_align_left" srcset="/live/image/scale/2x/gid/4/width/130/height/118/484_world-bank-logo.rev.1407788945.jpg 2x, /live/image/scale/3x/gid/4/width/130/height/118/484_world-bank-logo.rev.1407788945.jpg 3x" data-max-w="1406" data-max-h="1275"/>The <strong>World Bank</strong> provides World Development Indicators, Surveys, and data on Finances and Climate Change.</p><p> Quick link: <a href="http://data.worldbank.org/country/united-states" target="_blank">http://data.worldbank.org/country/united-states</a></p><p>See all <a href="/data-resources/">data and resources</a> »</p>
  • <h3>Internal Revenue Service: Tax Statistics</h3><p><img width="155" height="200" alt="" src="/live/image/gid/4/width/155/height/200/486_irs_logo.rev.1407789424.jpg" class="lw_image lw_image486 lw_align_left" srcset="/live/image/scale/2x/gid/4/width/155/height/200/486_irs_logo.rev.1407789424.jpg 2x" data-max-w="463" data-max-h="596"/>Find statistics on business tax, individual tax, charitable and exempt organizations, IRS operations and budget, and income (SOI), as well as statistics by form, products, publications, papers, and other IRS data.</p><p> Quick link to <strong>Tax Statistics, where you will find a wide range of tables, articles, and data</strong> that describe and measure elements of the U.S. tax system: <a href="http://www.irs.gov/uac/Tax-Stats-2" target="_blank">http://www.irs.gov/uac/Tax-Stats-2</a></p><p>See all <a href="/data-resources/">data and resources</a> »</p>
  • <h3>Congressional Budget Office</h3><p><img width="180" height="180" alt="" src="/live/image/gid/4/width/180/height/180/380_cbo-logo.rev.1406822035.jpg" class="lw_image lw_image380 lw_align_right" data-max-w="180" data-max-h="180"/>Since its founding in 1974, the Congressional Budget Office (CBO) has produced independent analyses of budgetary and economic issues to support the Congressional budget process.</p><p> The agency is strictly nonpartisan and conducts objective, impartial analysis, which is evident in each of the dozens of reports and hundreds of cost estimates that its economists and policy analysts produce each year. CBO does not make policy recommendations, and each report and cost estimate discloses the agency’s assumptions and methodologies. <strong>CBO provides budgetary and economic information in a variety of ways and at various points in the legislative process.</strong> Products include baseline budget projections and economic forecasts, analysis of the President’s budget, cost estimates, analysis of federal mandates, working papers, and more.</p><p> Quick link to Products page: <a href="http://www.cbo.gov/about/our-products" target="_blank">http://www.cbo.gov/about/our-products</a></p><p> Quick link to Topics: <a href="http://www.cbo.gov/topics" target="_blank">http://www.cbo.gov/topics</a></p><p>See all <a href="/data-resources/">data and resources</a> »</p>
  • <h3>The Penn World Table</h3><p> The Penn World Table provides purchasing power parity and national income accounts converted to international prices for 189 countries/territories for some or all of the years 1950-2010.</p><p><a href="https://pwt.sas.upenn.edu/php_site/pwt71/pwt71_form.php" target="_blank">Quick link.</a> </p><p>See all <a href="/data-resources/">data and resources</a> »</p>
  • <h3>USDA Nutrition Assistance Data</h3><p><img width="180" height="124" alt="" src="/live/image/gid/4/width/180/height/124/485_usda_logo.rev.1407789238.jpg" class="lw_image lw_image485 lw_align_right" srcset="/live/image/scale/2x/gid/4/width/180/height/124/485_usda_logo.rev.1407789238.jpg 2x, /live/image/scale/3x/gid/4/width/180/height/124/485_usda_logo.rev.1407789238.jpg 3x" data-max-w="1233" data-max-h="850"/>Data and research regarding the following <strong>USDA Nutrition Assistance</strong> programs are available through this site:</p><ul><li>Supplemental Nutrition Assistance Program (SNAP) </li><li>Food Distribution Programs </li><li>School Meals </li><li>Women, Infants and Children </li></ul><p> Quick link: <a href="http://www.fns.usda.gov/data-and-statistics" target="_blank">http://www.fns.usda.gov/data-and-statistics</a></p><p>See all <a href="/data-resources/">data and resources</a> »</p>
  • <h3>Federal Reserve Economic Data (FRED®)</h3><p><strong><img width="180" height="79" alt="" src="/live/image/gid/4/width/180/height/79/481_fred-logo.rev.1407788243.jpg" class="lw_image lw_image481 lw_align_right" data-max-w="222" data-max-h="97"/>An online database consisting of more than 72,000 economic data time series from 54 national, international, public, and private sources.</strong> FRED®, created and maintained by Research Department at the Federal Reserve Bank of St. Louis, goes far beyond simply providing data: It combines data with a powerful mix of tools that help the user understand, interact with, display, and disseminate the data.</p><p> Quick link to data page: <a href="http://research.stlouisfed.org/fred2/tags/series" target="_blank">http://research.stlouisfed.org/fred2/tags/series</a></p><p>See all <a href="/data-resources/">data and resources</a> »</p>
  • <h3>National Center for Education Statistics</h3><p><strong><img width="400" height="80" alt="" src="/live/image/gid/4/width/400/height/80/479_nces.rev.1407787656.jpg" class="lw_image lw_image479 lw_align_right" data-max-w="400" data-max-h="80"/>The National Center for Education Statistics (NCES) is the primary federal entity for collecting and analyzing data related to education in the U.S. and other nations.</strong> NCES is located within the U.S. Department of Education and the Institute of Education Sciences. NCES has an extensive Statistical Standards Program that consults and advises on methodological and statistical aspects involved in the design, collection, and analysis of data collections in the Center. To learn more about the NCES, <a href="http://nces.ed.gov/about/" target="_blank">click here</a>.</p><p> Quick link to NCES Data Tools: <a href="http://nces.ed.gov/datatools/index.asp?DataToolSectionID=4" target="_blank">http://nces.ed.gov/datatools/index.asp?DataToolSectionID=4</a></p><p> Quick link to Quick Tables and Figures: <a href="http://nces.ed.gov/quicktables/" target="_blank">http://nces.ed.gov/quicktables/</a></p><p> Quick link to NCES Fast Facts (Note: The primary purpose of the Fast Facts website is to provide users with concise information on a range of educational issues, from early childhood to adult learning.): <a href="http://nces.ed.gov/fastfacts/" target="_blank">http://nces.ed.gov/fastfacts/#</a></p><p>See all <a href="/data-resources/">data and resources</a> »</p>
  • <h3>NOAA National Climatic Data Center</h3><p><img width="200" height="198" alt="" src="/live/image/gid/4/width/200/height/198/483_noaa_logo.rev.1407788692.jpg" class="lw_image lw_image483 lw_align_left" srcset="/live/image/scale/2x/gid/4/width/200/height/198/483_noaa_logo.rev.1407788692.jpg 2x, /live/image/scale/3x/gid/4/width/200/height/198/483_noaa_logo.rev.1407788692.jpg 3x" data-max-w="954" data-max-h="945"/>NOAA’s National Climatic Data Center (NCDC) is responsible for preserving, monitoring, assessing, and providing public access to the Nation’s treasure of <strong>climate and historical weather data and information</strong>.</p><p> Quick link to home page: <a href="http://www.ncdc.noaa.gov/" target="_blank">http://www.ncdc.noaa.gov/</a></p><p> Quick link to NCDC’s climate and weather datasets, products, and various web pages and resources: <a href="http://www.ncdc.noaa.gov/data-access/quick-links" target="_blank">http://www.ncdc.noaa.gov/data-access/quick-links</a></p><p> Quick link to Text & Map Search: <a href="http://www.ncdc.noaa.gov/cdo-web/" target="_blank">http://www.ncdc.noaa.gov/cdo-web/</a></p><p>See all <a href="/data-resources/">data and resources</a> »</p>
  • <h3>Federal Aviation Administration: Accident & Incident Data</h3><p><img width="100" height="100" alt="" src="/live/image/gid/4/width/100/height/100/80_faa-logo.rev.1402681347.jpg" class="lw_image lw_image80 lw_align_left" srcset="/live/image/scale/2x/gid/4/width/100/height/100/80_faa-logo.rev.1402681347.jpg 2x, /live/image/scale/3x/gid/4/width/100/height/100/80_faa-logo.rev.1402681347.jpg 3x" data-max-w="550" data-max-h="550"/>The NTSB issues an accident report following each investigation. These reports are available online for reports issued since 1996, with older reports coming online soon. The reports listing is sortable by the event date, report date, city, and state.</p><p> Quick link: <a href="http://www.faa.gov/data_research/accident_incident/" target="_blank">http://www.faa.gov/data_research/accident_incident/</a></p><p>See all <a href="/data-resources/">data and resources</a> »</p>
  • <h3>National Bureau of Economic Research (Public Use Data Archive)</h3><p><img width="180" height="43" alt="" src="/live/image/gid/4/width/180/height/43/478_nber.rev.1407530465.jpg" class="lw_image lw_image478 lw_align_right" data-max-w="329" data-max-h="79"/>Founded in 1920, the <strong>National Bureau of Economic Research</strong> is a private, nonprofit, nonpartisan research organization dedicated to promoting a greater understanding of how the economy works. The NBER is committed to undertaking and disseminating unbiased economic research among public policymakers, business professionals, and the academic community.</p><p> Quick Link to <strong>Public Use Data Archive</strong>: <a href="http://www.nber.org/data/" target="_blank">http://www.nber.org/data/</a></p><p>See all <a href="/data-resources/">data and resources</a> »</p>
  • <h3>HUD State of the Cities Data Systems</h3><p><strong><img width="200" height="200" alt="" src="/live/image/gid/4/width/200/height/200/482_hud_logo.rev.1407788472.jpg" class="lw_image lw_image482 lw_align_left" srcset="/live/image/scale/2x/gid/4/width/200/height/200/482_hud_logo.rev.1407788472.jpg 2x, /live/image/scale/3x/gid/4/width/200/height/200/482_hud_logo.rev.1407788472.jpg 3x" data-max-w="612" data-max-h="613"/>The SOCDS provides data for individual Metropolitan Areas, Central Cities, and Suburbs.</strong> It is a portal for non-national data made available through a number of outside institutions (e.g. Census, BLS, FBI and others).</p><p> Quick link: <a href="http://www.huduser.org/portal/datasets/socds.html" target="_blank">http://www.huduser.org/portal/datasets/socds.html</a></p><p>See all <a href="/data-resources/">data and resources</a> »</p>
  • <h3>MapStats</h3><p> A feature of FedStats, MapStats allows users to search for <strong>state, county, city, congressional district, or Federal judicial district data</strong> (demographic, economic, and geographic).</p><p> Quick link: <a href="http://www.fedstats.gov/mapstats/" target="_blank">http://www.fedstats.gov/mapstats/</a></p><p>See all <a href="/data-resources/">data and resources</a> »</p>