Military doctrine and cyber law

Lack of a codified cyber law means that cyberoperations often violate international law, such as the Geneva Conventions, which set the standard for humanitarian treatment during war. The humanitarian principles of , distinction and proportionality are respected by kinetic – that is, conflict involving physical force – warfare, but are to be violated in cyber warfare. There is no agreed-upon international law regarding acceptable cyberspace activities. While the , a well-recognized guide created by legal and military experts, suggests how international law may apply to cyber operations, it is not legally binding. And until an international cyber warfare law is codified, cyber operations will remain rife with miscalculations by decision makers. 

In military doctrine, distinction means that attacks should hit only military targets and avoid harming civilians. However, the cyber domain is very interconnected, making distinctions difficult to adhere to in cyber warfare. Approximately 95% of Department of Defense telecommunication activity travels through public networks, meaning that an attack on a valid target could have an impact on civilians. For instance, broad-spectrum jamming, the deliberate disruption of frequencies to reduce a military’s ability to communicate, could negatively impact civilian emergency services. This makes a widespread cyber attack on civilian infrastructure the easiest way to cripple military targets. In addition, because of the reduced costs of striking civilian targets non-kinetically — non-physically — political actors are more likely to to take advantage of available targets.

Similar to the principle of distinction, the interconnectedness of the cyber domain raises problems with maintaining neutrality. Neutrality refers to the principle that countries not involved in a conflict should not be affected or targeted by the belligerent nations. However, with the development of cyberoperations, it is likely that neutrality will no longer be adhered to. The structure of the internet means that cyber attacks can be routed through several neutral nations before reaching a belligerent state. As such, carrying out a military attack via the cyber domain requires violations of neutrality, putting cyber doctrine and law into conflict with each other.

In contrast, cyber warfare adheres closely to the principle of proportionality. Proportionality outlines the requirement that the severity of military action should be proportionate between belligerents. As cyber attacks can be more or less severe according to need, there is no immediate conflict between proportionality and cyber military doctrine. So, while there is rampant disharmony between military doctrine and cyber ethics, there is also synergy between the two.

Military Doctrine and Cyber Ethics

Military doctrine demands that there exist a casus belli, a Latin term meaning “cause of war,” referring to the necessity for a justified reason to engage in conflict. Casus belli is necessary because not all attacks are equal – for instance, bombing a major city over a conflict at a border crossing is not considered justifiable. This principle applies to cyber attacks as much as it applies to kinetic strikes. As an example, let’s say a country decides to execute a Distributed Denial of Service attack (DDoS), a type of cyberattack where many computers overwhelm a website or network, to temporarily render a website unusable. It would not be a reasonable response for the receiving country to cripple the offending country’s critical infrastructure by exploiting vulnerabilities within the Internet of Things (IoT), the network of everyday devices (appliances, cameras and sensors) that oversee said infrastructure. In this way, ethics and cyber military doctrine can work in harmony in conducting cyberattacks.  

At the same time, however, there can be conflict between ethics and doctrine within casus belli. While the effects of a kinetic strike, such as a bombing, are often visible and immediately felt, the details of a cyberattack may take longer to realize. This could complicate the process of a proportional response. It is not always immediately clear if a cyberattack is responsible for loss of life, a criterion that is important in determining a proportional response. Cyberattacks could have secondary or tertiary that result in loss of life, such as attacking a network that supports a hospital or food distribution. All of these factors obscure potential responses. 

Casus belli is further complicated when considering that the effects of a cyberattack are often less visible to the average citizen. This means that the victim government cannot always rely on public outrage to justify a retaliatory strike. As a result, the ambiguity surrounding cyberattack ethics makes it difficult for decision makers to abide by expected ethical standards such as casus belli.

While doctrine provides for both kinetic and non-kinetic action, it is not prescriptive. As a result, military doctrine around cyberoperations is ambiguous, especially regarding current law or ethics. Conflict between doctrine, law and ethics often depends on humanitarian principles, international law and even the willingness of adversaries to abide by these principles. Without proper codification, the continued ambiguity of this rapidly developing doctrine can lead to miscalculations and escalated conflict.

[ edited this piece.]

The views expressed in this article are the author’s own and do not necessarily reflect 51łÔąĎ’s editorial policy.

The post Emerging Cyber Warfare Sets the Stage for New Legal Miscalculations appeared first on 51łÔąĎ.

The extent of US cyber vulnerability

Despite the relatively recent creation of cyberspace in the history of national security, its impact has quickly become ever-present. The United States military depends on internet technology for tasks that run the gamut from maintaining satellites and directing missiles to checking email, increasing the number of potential cyber risk vectors for the country. In the future, this could even expand to cases such as the technology aiming the rifles US soldiers use, as in the case of. Looking beyond military applications alone, both military and civilian Americans depend on cyberspace for their everyday lives, with recent research estimating over internet-connected items in use around the world in 2017, and 49% of the world’s population online, up from a mere 4% in 1999.

The internet is an easy way to infiltrate the lives of billions and is integral to processes such as communications, financial management, industrial innovation, and national defense. This already ubiquitous but still growing presence gives cyber-actors an ever-increasing reach, allowing them access to both military and civilian targets. The focus of these attacks is not confined to any one size: individuals and larger entities, such as corporations and government agencies, are equally at risk. These risks are especially felt in a country where outdated laws and infrastructure have created a for citizens.

The Chinese administration enjoys plausible deniability

Due to the overwhelming availability of the internet, and the unregulated and outdated infrastructure in the United States, cyber actors can often obscure their true identity and location, making it extremely difficult for authorities at the state or federal level to react to these malicious actors in a timely manner. Anyone can claim to be “John Smith from Topeka, Kansas.” While non-standard language use or that user’s IP address could indicate that to be untrue, language use is highly variable even among native English speakers, and IP addresses can be faked using VPNs to support whatever geographic mask the user wishes to wear. The structure of cyber-attacks can make them hard or impossible to identify.

Even when an operation or an attack can be identified and then traced back to adversary country, like China, foreign governments can easily deny that a cyber-attack originated from someone acting on behalf of the government. Instead, the CCP that the attack came from a “lone-wolf citizen-hacktivist”—meaning that the perpetrator was not authorized or condoned by the Chinese government—and that they would turn the bad actor over to the United States if they could be identified. The plausible deniability that an attack occurred and who conducted it is another reason cyber attacks are such a threat from the CCP.

US public opinion underprepared to respond to cyber attacks

It is, however, technological factors alone that render the United States especially vulnerable. The views of the populace within the US make it harder to respond seriously to cyber threats. Cyber-attacks and cyber-espionage, while causing significant economic and national security damage, are often not viewed as “real” attacks in the United States. By contrast, the Chinese population is more likely to view cyber attacks as a threat, even those that the US public might dismiss as insignificant. Cyber attacks can persist in the background for years, not causing tangible damage for the American citizen to see or feel and without a direct correlation to loss of life, severely hampering the ability to engender support from the average American for a counter-action.

What is more, China is not the sole perpetrator of spying over cyberspace—the United States has been caught exploiting cyber vulnerabilities, just as its allies and adversaries have. A kinetic response to non-kinetic Chinese attacks would be viewed as over-the-top in the United States, undermining public support for politicians’ actions. The United States thus finds itself hamstrung, and its inability to respond to cyber-attacks in a way that deters its adversaries sends the message that these attacks are an acceptable risk. Indeed, the perception is that the United States is unable to prevent unwanted access—an open invitation to continue.

On the Chinese side, this situation is markedly different. Many Chinese nationals are willing to support their government via cyber-attacks on the United States, something often seen as their civic duty. These cyber-attacks can be carried out by paid hackers working for the government, but are often carried out as a hobby, conducted by people who think of themselves as defending their homeland. Thus, the views of the Chinese populace allow for many more and farther-reaching cyber-attacks with legitimate plausible deniability for the CCP, a potent combination of the various factors that make the prospect of cyber-attacks so dangerous for the US.

Chinese cyber operations are already causing damage

In just the past few years, China has been linked to United States companies and government entities, hacking private German, targeting Southeast Asian nations in dispute with China over the South China Sea with, and possibly intercepting from United States defense and technology firms. This range of public, private, US and other government targets in a brief span of time indicates the wide extent of cyber-espionage that the People’s Republic is supporting. These, it bears noting, are only the efforts that have been caught and linked back to China.

Why Is the US Losing Against China in an Espionage War?

Even if the perpetrators are identified, however, cyber espionage is harder to punish than more traditional espionage techniques which may require direct contact, as the physical location of hackers can make extradition all but impossible, and, besides, the adversary government can easily claim that perpetrators operated of their own accord. Despite the United States government identifying CCP cyber-espionage, the has China over the actions of their hackers.

The threat posed by China to the US, furthermore, does not stop with espionage. Physically destructive operations utilizing cyber technology are an increasingly feasible option for the People’s Republic. As critical US infrastructure is increasingly networked, yet still outdated, the threat from attacks on American infrastructure is increasing. The CCP is of conducting cyber-attacks that temporarily disrupt critical infrastructure within the United States. Due to the age and design of the American power-grid, one of these attacks on a legitimate military target cascading effects through the grid, knocking out everything from railroads to grocery stores and to hospitals. Because of the United States’ inability to counter these attacks, cyber operations in a military context could play a much larger role if China and the US find themselves on opposite sides of a war in the future. If America goes to war to defend Taiwan from China, and China targets the American power-grid as a response, the American people may quickly remove their support for a far-away war that does not directly benefit them but does cost them lives and livelihood on home soil.

Offensive operations need not be limited to outright destruction of US assets. The CCP already has deployed other mechanisms of influence that are currently ongoing and which depend in a large part on Chinese cyber prowess. Recent examples include Chinese shaping of the narrative on COVID-19, promoting CCP-preferred policy, and a, information operation to change the outcome of the 2020 presidential election. These operations threaten the structure of American democracy, support for a national agenda, and mislead American citizens about what global outcomes support American needs.

In addition to national information operations originating from the government itself, the CCP has additional resources from what American would consider the “private sector.” In China, the 1993 Company Law mandates that all companies based in China allow specific groups in their company to operate on behalf of the CCP. In 2018 over 50% of private companies in China had members of the CCP, but for China’s largest 500 companies’ membership was and increasing. Two examples are TikTok and WeChat. These companies have data on millions of customers and potential access to millions more, which could potentially be used to manipulate those who interact with Chinese products.

What can the US do

There are two distinct strategies which the United States must pursue to reduce the cyber risk posed by the CCP. The first strategy is improving American cyber infrastructure; the second is ensuring effective punishment of malign cyber-actors who harm the United States.

To improve American cyber infrastructure, both government and private entities must secure systems, ensure data fidelity, and protect infrastructure. In 2020, the United States Government Accountability Office (GAO) recommended that US public and private entities need to take in order to address cyber risks. These actions range from “develop[ing] and execut[ing] a comprehensive strategy for national cybersecurity” to “strengthen[ing] the federal role in protecting the cybersecurity of critical infrastructure (e.g., electricity grid and telecommunications networks),” and would reduce the vulnerabilities in American cyberspace, denying access to nefarious actors and decreasing the damage that these bad actors can do if they are able to penetrate cyber defenses. The Biden Administration has expanded on these goals in their, released March 2023. Simply put, if United States cybersecurity is stronger, it will be harder for the CCP to exploit.

In addition to hardening American cyberspace, the United States must also begin punishing nefarious actors for attempted and successful penetrations of American cyberspace. Cases of hacking which are linked back to the CCP must result in sanctions against the Chinese government. Sanctions limiting the transfer of American intellectual property (IP) to Chinese companies would be one way to make a dent in the effects of hacking, since many instances of cyber-espionage against American companies stolen IP, reduced profits, and lost American jobs. By penalizing the same industries that benefit from hacking, the United States can avoid escalating the standard set for in-kind retaliation in the case that American companies are caught committing espionage against Chinese corporations.

Cyber-espionage, while difficult to track, is not untraceable. Although CCP cyber-espionage takes advantage of ubiquitous connectivity, anonymity, and the United States’ reluctance to react, it can be detected and dealt with. Attackers are not always capable of entering and exiting networks without leaving a trail of evidence. This may ultimately lead to their arrest or, at the very least, the discovery of their identity and employment by state actors.

In summary, the Chinese Communist Party’s cyber capabilities are currently a severe threat to the United States through cyber-espionage, the risk of attacks, and influence operations. Without increasing American cyber defenses and sanctioning malign actors, the United States will remain vulnerable to CCP cyber operations. The United States government has already proposed specific steps for reducing cyber risk and strengthening the nation against a top threat. But actions must follow these statements. By following through on these recommendations, the United States can begin to defend itself against a dangerous adversary.

[ edited this piece.]

The views expressed in this article are the author’s own and do not necessarily reflect 51łÔąĎ’s editorial policy.

The post The US Must Act Now To Overcome Chinese Cyber Threat appeared first on 51łÔąĎ.