The US Government, like most others, is openly building up offensive ‘cyber’ capabilities, but the arms race is on before the world has even seen a real cyber attack, says Robert Clark, operational attorney for the U.S. Army Cyber Command.
“With all due respect to all my friends out here doing this, we’ve never seen a cyber attack because I’m looking at a very specific definition of what a cyber attack is,” Clark on Tuesday told the AusCERT conference in Queensland.
“Stuxnet was not a cyber attack. Estonia, nope. Georgia, nope.”
The cyber attacks on Estonia and Georgia could not be considered real because neither could be tied back to a nation-state.
“If you can’t tie it back to a nation state, you can’t call it a cyber attack because the law of armed conflict applies between states, not individuals,” said Clark.
China remains the poster-child for industrial and national espionage, but Clark noted that while espionage on domestic turf carries tough penalties, espionage is not illegal under international law and was rife. The question of where and when to use ‘cyber’ force, however, is more complicated.
Stuxnet, thought to have been developed by Israel with the aid of the US, was definitely a “game changer”, said Clark, but it too failed to qualify for one reason.
“Iran didn’t call it an attack. They didn’t step up and say, ‘We’ve had a cyber attack’. Why? I don’t know,” said Clark, explaining that a critical criterion for an attack is the target's declaration that the incident is, in fact, ‘an attack’.
“The nation state that gets attacked gets to announce and decide whether they have suffered a ‘use of force’ or an ‘armed attack’.”
In turn that might influence how to define a proportional response.
Still, Stuxnet did satisfy two other conditions of ‘armed conflict’, including physical destruction of a system and, assuming Israel was behind it, a proportional response to an “imminent threat”.
“Under the law of armed conflict, you have to have necessity, proportionality; it’s got to be a non-discriminatory weapon, which means it’s got to be a targeted weapon,” said Clarke.
“[Stuxnet] was very discriminatory because it was looking for that one SCADA system, that Siemens machine, with the Iranian subsystem and the Finnish aspect in there.”
Symantec researchers in 2010 detailed the trigger for Stuxnet was at least 33 frequency converter drives made by Fararo Paya in Iran or by Finnish company Vacon. Because it was unlikely to find Iran’s equipment anywhere but Iran, the finding suggested the malware was designed specifically to target Iran's facility.
“And if it wasn’t there, this thing goes off the box June 24th 2012, or it would just go away or just lay there dormant, doing nothing. So it was a very discriminatory device.”
Was Stuxnet proportional if it was an attack by one state on another?
“I don’t know. Which one is better: dropping a 20,000 pound bomb on the dang thing or knocking it out with a cyber attack? So no deaths, just destruction—very proportional to the threat being faced,” said Clark.