Cybersecurity 2018 – The Year in Preview: International Law and Cyber Warfare

Editors’ Note: This is the seventh in a multi-part end-of-year series examining important trends in data privacy and cybersecurity during the coming year. Previous installments include analyses of HIPAA compliance, emerging security threats, federal enforcement trends, state enforcement trends, biometrics, and education. Up next: a deep dive into the SEC’s enforcement actions.

In this series, we’ve written about emerging threats and the industries they target. This post addresses one thread that ties them all together—cyber warfare.

Cyber warfare refers generally to the malicious use of information and communication technologies (ICTs) by state actors. This is particularly problematic, as state actors have more resources and are more sophisticated than run-of-the-mill cyber criminals. State actors are believed to be behind some of the most notable cyber attacks of this past year, such as the WannaCry ransomware attack, which some have attributed to North Korea.

Experts recognize the need for an international approach to rein in this behavior. However, given the events of this year, international consensus on such an approach appears unlikely. What follows are some significant developments from 2017, which shed light on what 2018 might have in store.

A Setback for International Rules on Cyber War

Back in November 2016, we wrote about the lack of any formal agreement among nations on how international law should apply to cyber warfare. Next year, we likely won’t see much meaningful headway in this area. This is due in part to the collapse of the fifth “GGE”—that is, the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security.

The GGE was tasked with setting international norms for state behavior in cyber space. And for years, its member countries had been making slow but steady progress. In 2013, they agreed in the first instance that international law—particularly, the U.N. Charter—applied. They also agreed that state sovereignty was to be a bedrock principle, and that states were responsible for the “internationally wrongful acts attributable to them” and could not use proxies to commit “internationally wrongful acts.” These developments might seem minimal, but they were important stepping-stones to other pressing matters.

But this year, the GGE failed to agree on a draft for its fifth report. The sticking point appears to have been Article 51 of the UN Charter, dealing with the right to self-defense. That right is triggered by an “armed attack”—generally, a physical incursion into one state’s territory by armed forces under another state’s command. Certain GGE members worried about equating this concept with the “malicious use of ICTs.”

GGE members might also have been concerned about implicit approval of “countermeasures.” As experts Michael Schmitt and Liis Vihul explain, “[c]ountermeasures are actions or omissions that would be unlawful but for the fact that they respond to an internationally wrongful act of another State and are designed to cause the latter to comply with its legal obligations.” They give as an example the “hack-back in response to another State’s unlawful cyber operation.”

Commentators have criticized the falling out as a “manufactured controversy.” Indeed, the GGE had already agreed that the UN Charter applied, presumably in full. In any event, the GGE will not submit a fifth report, leaving an uncertain future for an international framework.

This does not mean that we are left without any guidance. In 2016, we wrote about the Talinn Manual—an ambitious attempt by a group of NATO-affiliated experts to distill from the laws of war several rules to govern cyber warfare. This year, the group released an update—the Talinn Manual 2.0. The new version takes the next step of setting out additional principles for how international law should apply to state cyber behavior in peacetime. But of course, the manual is mere guidance.

Experts appear to agree that some form of international order is preferable to the Wild West. As Arun M. Sukumar has noted, “[f]or those opposing the inclusion of specific legal principles, it should be clear that the tide is turning. Governments today increasingly desire rules that predict state behavior.” So does the private sector.

More Transparency in the Processes for Disclosure of Zero-Day Vulnerabilities?

Without international consensus on a legal framework, individual nations will begin to lead by example. One way the United States has started to do this is by releasing details of its process for notifying developers about zero-day vulnerabilities.

The intelligence community has warned Congress that “more than 30 nations are adopting offensive cyber capabilities” and integrating them into “military operations and planning.” These operations include the use of “zero-day” vulnerabilities—that is, vulnerabilities in equipment and software that are unknown to developers that, in some cases, bad actors can exploit and gain remote access to operating systems and web browsers. A recent study by RAND Corporation of 200 zero-day vulnerabilities found that they have an “average life expectancy—the time between initial private discovery and public disclosure—of 6.9 years.” The study also found that it is highly unlikely that two separate actors will discover the same zero-day vulnerability.

Just last week, the United States released its Vulnerabilities Equities Policy and Process, a document describing how the government balances different factors in deciding when to notify vendors about zero-day vulnerabilities. The United States is the only country to have done this so far. The United Kingdom, Canada, and some European countries have either acknowledged having a process or that they are working on developing one. But we don’t know much more than that.

Experts have criticized this lack of transparency, and are using the United States’ disclosure to prompt a discussion on the further development of similar processes in other countries. They warn that “multiple countries around the world are likely discovering, retaining and exploiting zero-day vulnerabilities without a process to properly consider the trade-offs.” Perhaps the United States’ release of its process will spur other countries into action.

More Cyber Attacks Causing Physical Disruption: The Threat to Critical Infrastructure

Last year, we wrote about cyber threats to the energy industry. Those threats continue to intensify. Just last week, Reuters reported a “watershed” cyber-attack against an unspecified “critical infrastructure facility.” That attack targeted a workstation running a safety shutdown system that is “widely used in the energy industry, including at nuclear facilities, and oil and gas plants.” The malware apparently “sought to reprogram controllers used to identify safety issues.” Cyber security professionals believe that the attackers were probing the safety system with the eventual goal of modifying it so that it would fail to detect a breach. FireEye, the cyber-security firm that discovered the malware—dubbed “TRITON”—reported with “moderate confidence” that the attacker was “sponsored by a nation state” actor.

FireEye did not disclose the location of the attacked facility or the nature of its operations. But some have theorized that the attack occurred in a facility in Saudi Arabia. These kinds of attacks have not yet occurred in the United States.

TRITON must be taken seriously. It is the third of a class of detected malware capable of physically disrupting a facility’s operations. (The first was Stuxnet, which disrupted equipment in Iranian nuclear facilities.) Now more than ever, it is important for utility companies and other critical infrastructure entities to guard against potential attacks that pose physical threats to their operations.

We at the Security, Privacy and the Law will remain vigilant in the coming year. Be sure to check back with us for the latest developments on international law and cyber warfare.