Table of Content

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

World Conference on Cybersecurity (WCC) London International Model United Nations 19th Session | 2018

Table of Content

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

Table of Contents

Introduction Letters ...... 1 Yuji DEVELLE ...... 1 Chloe AMELLAL ...... 1 Isabel VICARÍA BARKER ...... 2 Introduction to the Committee ...... 3 Topic A: Defining Cyberspace and Classifying Cyber-attacks ...... 5 Introduction ...... 5 Key Concepts ...... 6 Cyberspace ...... 6 Cyber warfare vs. cyber crime...... 8 Cyber-attacks ...... 10 Hacking ...... 11 Advanced persistent threats ...... 12 Bots, botnets and DDoS ...... 12 Legal Issues ...... 12 Cybercrime: Problem of applicable law ...... 12 Cyber warfare and international humanitarian law ...... 14 The Attribution Problem ...... 16 History of the Problem ...... 18 Timeline of notable attacks ...... 18 1998 - 2001 MOONLIGHT MAZE ...... 19 2005 - 2011 TITAN RAIN & BYZANTINE HADES ...... 19 2008 Russia-Georgia War ...... 20 2010 OLYMPIC GAMES ...... 21 2011 Winnti Hacks ...... 22 2012 Saudi Aramco Attacks ...... 22 December 2015 BlackEnergy 3 Malware causing Huge Blackout in Western Ukraine ...... 23 2016 US Elections Hacking Campaign ...... 23 Current Cases ...... 24 Cyber-attacks and Foreign Policy: The Case of Estonia ...... 25 Securing the Internet of Things ...... 26 Cyber criminality and ransomwares: an Asian case ...... 27 The Future ...... 27 II

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

The Tallinn Manual ...... 27 White House Directive #41 ...... 28 Bilateral Agreements ...... 29 United Nations Group of Governmental Experts (UN GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security ...... 29 Collective Security Assurances ...... 31 Regulating Attack Toolkits ...... 31 Bloc Positions ...... 31 Questions a Resolution Should Answer ...... 32 Recommended reading & sources ...... 33

III

LONDON INTERNATIONAL MODEL UNITED NATIONS 2018 ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

Introduction Letters

Yuji DEVELLE

Dear delegates, welcome to the World Conference on Cybersecurity at LIMUN 2018. My name is Yuji Develle, and I will be your Director for the weekend. I have a background in War Studies (King‟s College London) and Management (LSE) and am currently on an exchange in St. Petersburg, Russia. I have been doing MUN for seven years now, from delegate to Secretary General in the US, Europe and the UK. I look forward to helping you, veteran or new, reach your full potential at this conference. LIMUN is the best run conference in the world right now, and it‟s because of the effort everyone puts into getting the most out of the experience. I am looking forward to doing the same with you, with Chloe‟s political insight and Isabel‟s legal expertise, we are sure to have an exciting and challenging weekend ahead!

Chloe AMELLAL

Dear delegates, I am pleased to welcome you to the World Conference on Cybersecurity at LIMUN 2018! My name is Chloé Amellal, I am currently pursuing a BA in European Studies at King‟s College London. Starting off my „delegate career‟ as a member of KCL UNA and having participated in many MUN conferences in the

ZZ LONDONLONDON INTERNAINTERNATIONALTIONAL MODELMODEL UNITEDUNITED NATIONSNATIONS 20182018

United Kingdom, I served as the Vice President of Sciences Po Nations Unies during my year abroad in Paris. LIMUN holds a special place in my heart as it was the first conference I ever attended back then in 2015. This will be my second time returning to LIMUN as a chair and I am therefore thrilled to meet all of you during what promises to be an intense weekend! Good luck to you all with the research and see you in committee!

Isabel VICARÍA BARKER

Dear delegates, I am Isabel, a fifth-year law student at the LMU in Munich who is currently revising for the German bar exam. I did my specialty in international and European public law and I am finishing a certificate in information and computer law. My MUN career began back in high school and since then, I have participated in numerous conferences across Europe, Turkey and Israel and have served in various capacities. LIMUN 2018 will be my third LIMUN and I am very excited to be chairing this unique committee alongside Yuji and Chloe. I hope that delegates will come prepared and come up with original ideas in order to contribute to debate in a productive manner.

Please note that this background guide - as the name implies - is merely a guide and a starting point for the topic that will be discussed during the committee sessions conference. It is in no way intended to replace a delegate‟s research. Please make sure you conduct extensive research on this topic, especially with regards to your adopted country‟s stance on this topic. Only by doing so will you be able to participate productively and constructively in the debates!

If you have any questions or concerns, do not hesitate to contact us. Looking forward to meeting you all in February!

Yuji, Chloé & Isabel [email protected]

ZZ LONDONLONDON INTERNAINTERNATIONALTIONAL MODELMODEL UNITEDUNITED NATIONSNATIONS 20182018

Introduction to the Committee

The World Conference on Cybersecurity (WCC) is an exceptional gathering of delegates representing countries from around the world with the objective of discussing the pressing matters of cybersecurity dominating both the headlines and the clockworks of global politics. The members of this committee are mandated by their respective countries to formulate a final declaration, or „resolution‟, from which they can act upon after ratification.

Regular LIMUN Rules of Procedure (RoP) apply to this committee, bar an exception. Given the ad-hoc existence of the WCC, the authority of its delegates on matters of cybersecurity will span a far greater set of issues than, say, a UNGA body or a traditional „working group‟. The WCC will be discussing a range of issues including: legal definitions and classifications, geopolitical balancing, technical cybersecurity, and philosophical questions. The WCC will run a Lean Amendments procedure, which occur as follows:

a. Amendments may be introduced by raising a Motion to Introduce an Amendment; b. Once an amendment has been introduced, the Committee shall automatically enter into a five-minute moderated caucus on the amendment. The Director shall call upon delegations to speak upon the amendment. The moderated caucus shall end once the

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

time has elapsed or there are no further delegates wishing to speak. Once it has elapsed, delegates may motion to extend the moderated caucus. The Director may use their discretionary powers to overrule this motion if he or she deems it to be against the interest of the committee; c. As soon as an amendment has been debated, the Committee shall move directly into voting procedure on the amendment. d. If the amendment concerns the correction of grammatical errors, it shall be read out to the committee and then passed automatically; e. Amendments to perambulatory clauses are out of order; f. Amendments to amendments, or second-order amendments, are similarly out of order. A clause that has already been amended may be further amended.

The ensuing process of debate will follow regular RoP, but this may be relaxed in favour of more engaging processes, should there be a need for such during our talks. During the weekend, you will be faced with a crisis scenario that will require, from you, different processes and sets of skills. We will provide more information on this crisis closer to the date.

The reason for the WCC‟s existence is the growing gravity of cybersecurity threats on states around the world. Whether state-led or criminally-motivated, cyber- attacks have graduated to becoming sources of significant instability and insecurity in all countries. The WannaCry ransomware epidemic as well as the alleged hacks into the U.S. political system, have raised the profile of cybersecurity issues to boiling point. You delegates have been called to the WCC in order to delineate a framework for classifying, managing, and possibly conducting cyber-attacks. The commitments made here will define the red-lines within which states will act in cyberspace.

Include Mandate and Agenda of the committee. Also, discuss the pressing issues that your committee is currently dealing with.

ZZ LONDON LONDONINTERNA TIONALINTERNA MODELTIONAL UNITED MODEL NATIONS UNITED NATIONS2018 2018

Topic A: Defining Cyberspace and Classifying Cyber-attacks

Introduction

The exponential pace of technological change has shaken the very foundations of traditional security understanding. Over the past 50 years, international conflict has morphed into a shape beyond our wildest imaginations. Carl von Clausewitz, the father of modern warfare, once declared, „War is a mere continuation of policy by other means; War… is an act of violence to compel our opponent to fulfil our will‟ (Clausewitz). The „Fifth Domain‟ of warfare, cyberspace, and/or information warfare has given states and non-state actors new ways of achieving political ends through other means. It is our mandate to oversee frameworks and solutions to issues that lead to a destabilization of peace and security to both individuals and states alike. Cyberspace has long been a blind-spot for the international system, where criminal and inter-state threats jeopardize the trust and readiness of collective security in both the developed and developing world. Over the past two years, actors such as China, the USA, the E.U., and Great Britain all shifted their view on cyberspace to include not only a matter of information security/C4-infrastructure but also the Fifth Domain of Warfare.

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

The problem with classifying cyber-attacks as a fifth domain of warfare is that cyberspace differs radically from other domains (land, sea, air, and space). A key tenant of international peace & security is deterrence, which involves parties to a potential conflict dissuading each other via credit mutual threats. In cyber, however, parties have the ability to strike with a certain degree of anonymity and deliver crippling blows without technically inflicting “kinetic” (or physical) violence. Cyber deterrence proponents like Nigel Inkster and the U.S. Department Homeland Security generally agree that states are vulnerable to attacks but tend to branch into two camps: those who argue for an offensive strategy in which leading countries assert dominance in cyberspace early on, and those who believe in defensive bandwagoning, which includes collaboration between states and the private sector. Other key theories discuss whether cyber operations should even be considered acts of war: John Stone (Cyberwar Will Take Place!) and Thomas Rid (Cyberwar Will Not Take Place) are at odds. The answers to questions dealing with how nations approach cyberspace determine how countries will pursue or prevent cyber-conflict.

Key Concepts

As a highly technical field, the emerging cyber-security discipline is subject to many misunderstandings concerning key definitions and core legal issues. There is debate on defining cyberspace (the scope of cyber-attacks), cybersecurity (the practices revolving cyber-attacks), and the distinction between cyber-attacks and cyber-crime. Legal issues arise at every turn, from applicability in International - public as well as criminal - Law to the attribution process.

Cyberspace

The term “cyberspace” has been around since the 1960s (Lillemose & Kryger, 2015). While its coinage is often attributed to the author William Gibson in his novel “Neuromancer” (1984), it was in fact first coined by the Danish artist duo Susanne Ussing and Carsten Hoff in the 1960s (Lillemose & Kryger, 2015). They had been inspired by the post-war science called “cybernetics” - the most important contributor being Norbert Wiener, who defined it as “control and communication in the animal and the machine” - and the exhibition Cybernetic Serendipity held in London and together, they created a series of art works under the name “Atelier Cyberspace” (Lillemose & Kryger, 2015).

Today however, cyberspace is a term that is presumed, meaning that there is general consensus as what cyberspace is but no actual „official‟ or „universal‟

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

definition. Many official1 as well as academic documents will discuss cyberspace without defining or clarifying what is meant to be understood by said term. In fact, there are currently many different definitions for cyberspace; these stem from international organisations such as NATO, from different countries, from experts and from members of academia. Some of these have been reproduced here.

William Gibson defined cyberspace as “consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts... A graphic representation of data abstracted from banks of every computer in the human system. Unthinkable complexity”.

Ottis and Lorents from NATO‟s Cooperative Cyber Defence Centre of Excellence based in Tallinn, Estonia, define cyberspace as follows: “cyberspace is a time-dependent set of interconnected information systems and the human users that interact with these systems” (Ottis & Lorents, 2010).

The US Department of Defence defines cyberspace as a “global domain within the information environment consisting of the interdependent network of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.” (Department of Defense, 2015) As Ottis and Lorents point out, “this definition is remarkable as it only refers to the (hardware) technology component, although software and data may be inferred from the wording. Noticeable is the lack of the human component, which is so important in Wiener‟s and Gibson‟s definitions”.

Zekos offers a somewhat more detailed definition of cyberspace: “Cyberspace is an amorphous space that does not occupy a set physical or geographic location. Moreover, a cyberspace in an electronic place and sovereignty and never before have we seen a space in which individuals, corporations, communities, governments and other entities can exist within and beyond the borders of the nation state in such an instantaneous, contemporaneous or ubiquitous manner. What we call “cyberspace” can be characterized as a multitude of individual but interconnect, electronic communications networks” (Zekos 2005).

None of these definitions should be considered “wrong” but as Ottis and Lorents argue, they tend to be vague or be missing important components nor do they adequately take into consideration the “dynamic nature” of cyberspace (Ottis & Lorents, 2010). In their opinion, a good definition of cyberspace should include a

1 Example: European Union‟s Joint Communication JOIN(2013) 1 final on "Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace" 7

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

technology, a human, a communication and a control element. They would define cyberspace as “a time-dependent set of interconnected information systems and the human users that interact with these systems” (Ottis & Lorents, 2010).

While there currently is no active discussion on the definition of cyberspace, it is a term that has yet to be defined by the international community. A definition should, as Ottis and Lorents suggest, reflect the many aspects and characteristics of cyberspace.

Cyber warfare vs. cyber crime

Cyber-crimes and cyber warfare are two terms that are inherently different, both in nature and effects that they emit. The next section will discuss the two different terms.

In contrast to cyberspace, cyber warfare is a term that has enjoyed much discussion in the past few years and as such, a universal normative definition has yet to be agreed upon. As with cyberspace, it is a term that is presumed, as reflected in the Tallinn Manual or the US‟ The Department of Defense Law Of War Manual - neither document actively defines, what cyber warfare is. The Tallinn Manual explicitly states that it uses the term “purely descriptive, non-normative sense” (Tallinn Manual 2.0 2013). It is a term generally used to describe how and to what extent humanitarian law is to be applied to cyber operations. It examines and contemplates what activities conducted in the virtual world or affecting network infrastructure can be considered acts of war.

Another aspect of the discussion surrounding cyber warfare is the question of the applicability of established principles of law. Some have argued in past that due to the unregulatable nature of the internet, these principles do not apply (Yoo, 2015). Others have argued the opposite, as did the US State Department Legal Advisor, Harold Koh in 2012 (Yoo, 2015). Those who follow the latter opinion however recognise that certain cyber operations “do not fit easily into the traditional categories”. If we use Carl von Clausewitz‟ definition, then a war must comprehend several key identifiers: violence, a clear political objective, two or more clearly

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

identified “combatants” and a clear link between the subject, object and means of the employed violence.

It should be noted that currently, - as it was the case for cyberspace and cyber warfare - there is no universal definition for cybercrime or a uniform approach to classifying them. For example, INTERPOL mainly distinguishes between two main groups of cybercrimes (INTERPOL). The European Union, on the other hand, in its Cyber Security Strategy of 2013 defines a cybercrime as follows:

“a broad range of different criminal activities where computers and information systems are involved either as a primary tool or as a primary target. Cyber-crime comprises traditional offences (e.g. fraud, forgery, and identity theft), content-related offences (e.g. on-line distribution of child pornography or incitement to racial hatred) and offences unique to computers and information systems (e.g. attacks against information systems, denial of service and malware)” (European Commission, 2013).

The first category is that of traditional offences. These are crimes - such as burglary, extortion, fraud, identity theft, etc. - that have existed long before the “cyberspace era” but have become more sophisticated in the way they are committed. Technological advancement has enabled criminals to exploit it and in certain situations have made it easier Source: http://www.gao.gov/assets/270/262608.pdf for them to commit a certain crime. For example, a burglar does not necessarily need to break into a house in order to

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

access information stored on a computer. Instead, he or she may be able to do so by accessing the computer remotely and breaking into it. The diagram above shows how technology has changed traditional crimes.

The second category - content-related offences - refers to crimes that specifically require network access in order for the elements of an offence to be fulfilled. For instance, the definition offers the example of on-line distribution of child pornography. In order for the elements of the crime to be fulfilled, these videos and pictures would have to be distributed through an online medium. Should this not be the case, then no offence has been committed2.

Cyber-attacks

Now we must turn our attention to the term “cyber-attack”. Once again, there is no universal definition, as demonstrated by the amount of definitions currently used by different countries and organisations. The United States, for example, have defined the term several times. In 2001, the Chamber of Commerce defined a cyber- attack as “any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself” (Kissel 2013). In 2013 it published a new definition: “an attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity” (Kissel 2013). While there are similarities between the two, there are also differences. For instance, the 2001 definition is broader than the 2013 in the sense that it also encompasses attacks that intend to destroy information systems while the 2013 definition uses the phrase “compromise system integrity”. On the other hand, the 2013 definition is broader with regards to types of objects that can be the aim of a cyber-attack. The 2013 definition is similar to Germany‟s: “an attack is an intentional form of threat, namely an undesirable or unauthorized action with the objective to gain advantages or harm a third party respectively. Attackers can also act on behalf of third parties that want to gain advantages” (CCDCOE).

It will be up to the delegates to decide what elements they wish to incorporate into a definition. However, they should be aware that whatever definition they will decide upon will determine what acts will be considered cyber-attacks and how they are to be classified.

While cyber-crime and cyber warfare are two concepts that are easily distinguishable from one another, this is not necessarily the case for cyber-attacks. Depending on the circumstances surrounding a cyber-attack, it can be considered a

2 Although it should be noted that the distribution of child pornography is usually illegal; in this case however, it would fall under another offence and not the offence of online distribution. 10

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

(major) cybercrime or an act of cyber warfare. One aspect that could be taken into consideration when deciding this is the motivation for an attack. Cybercrimes, for example, are often committed for personal gain and therefore, generally speaking, the identity of the victim is of no relevance for the criminal. Therefore, if a hacker disables the network infrastructure of a hospital in return for a certain sum of money (so-called ransom cases), this would constitute an act of extortion. On the other hand, if the perpetrator disables the infrastructure of a hospital where a high-ranking military official is being treated, one could contemplate if this could constitute an act of cyber warfare. This would definitely be the case if a hacker shuts down the network infrastructure of, say, a war ship. However, if a hacker does so in order to extort money from the government, it is unclear if this should be considered an act of cyber war or a cybercrime.

Another factor to consider would be that of gravity. Cybercrimes, as previously illustrated, often affect individuals rather than the collective. Delegates could consider defining a threshold for when a cyber-attack because a grave cybercrime. For instance, it is one thing when a hacker breaks into a computer of another civilian and steals their financial information, it is another thing when a hacker breaks into the network systems of a big bank and steals the financial information of several thousand people.

Ultimately, there are different approaches when it comes to classifying cyber- attacks. It will be up to delegates to decide what factors should be taken into consideration when deciding if a cyber-attack should be considered an act of cyber warfare or a cybercrime. The ones elaborated upon are merely meant to serves as examples; delegates are more than encouraged to come up with further ones.

There are different methods to launching cyber-attacks and as previously mentioned; they can vary in both method and impact.

Hacking

Hacking is the unauthorized intrusion into a computer or a network (Technopedia). This can be achieved by hackers remotely exploiting software and/or security flaws in order to obtain confidential information, personal data exploit or influence public services and infrastructure (Hern, 2016) as well as placing malware onto hardware or into a network system. Sometimes hackers come across these flaws by accident and then exploit them (also referred to as “black hats”). These hackers can either be individual people, groups of individuals, criminal organisations or even groups with government backing.

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

Advanced persistent threats

Advanced persistent threats – also referred to as APT – is “an attack in which an unauthorised user gains access to a system or network and remains there for an extended period of time without being detected” (Lord, 2017). These attacks do not always result in physical damage but rather is defined by ability to collect confidential data over a certain period of time (Lord, 2017). They tend to be carefully planned and target a specific individual or entity, which is way they are complex and tailored to the security situation of the individual or entity (Lord, 2017). They are able to access systems and network by either using malicious malware or using credentials of authorised individuals through phishing or other traditional offences (Lord, 2017). It is for this reason that APTs, often time-consuming and costly to pull- off, are reserved for “high-profile” targets. Depending on the nature of the information obtained, it may be sold, used as blackmail or passed on to third parties such as the press or even police agencies.

Bots, botnets and DDoS

Another increasingly popular method is through the use of botnets. A bot is “a type of malware that allows an attacker to take control over an affected computer. Also known as “Web robots”, bots are usually part of a network of infected machines, known as a “botnet”, which is typically made up of victim machines that stretch across the globe” (Norton, 2017). Some of these botnets consist of thousands of computers and other internet-connected devices. Read more about IoT-botnets on Bruce Schneier‟s blog.

Using a botnet, a “botherder” can disrupt a website by commanding all of its bots to send requests at the same time. The server becomes overloaded and it can either cause the server to be temporarily unable to respond to requests, but it can become so overloaded that it fails completely (Hern, 2016). In addition, it renders the server unable to respond to legitimate requests (Hern, 2016). This is what is referred to as a “distributed denial of service” or DDoS.

Legal Issues

Cybercrime: Problem of applicable law

One legal issue with regards to cybercrime is that of the applicable substantive law. First of all, it should be noted that first two categories mentioned by the European Union in its definition of cybercrime are not automatically relevant to what is sometimes referred to as “international criminal law”. International criminal law is

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

not the same as international public law. While international public law has its own sets of rules regarding the behaviour of international public law subjects, international criminal law governs the question of what national criminal law is to be applied on a certain case (substantive law) and in front of which court a suit may be filed (procedural law). There are a few international criminal law conventions currently in effect, for example, the Budapest Convention which was adopted in 2004. However, it does not establish the conditions under which a member state may exert its jurisdiction; rather, it tries to harmonise the definitions of certain computer- related crimes and imposes upon states the obligation to adopt laws prohibiting certain behaviour related to cybercrime. For example, Art. 4-1 imposes the following obligation on the contracting parties:

Article 4 – Data interference 1. Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the damaging, deletion, deterioration, alteration or suppression of computer data without right.

The same thing can be said for directives of the EU. A directive is a law of the EU that obligates a state to implement certain rules into national law. With regards to cybercrime there is currently one directive in effect, Directive 2013/40/EU of the European Parliament and Council on attacks against information systems and replacing Council Framework Decision 2005/222/JHA. This directive only obligates EU member states.

However, the aforementioned legal instruments do not decide which law is applicable and thus never decide how a case is resolved. This is ultimately a question of domestic criminal law. Only a state can decide when and to what extent it will apply its own laws. Most criminal and penal codes will have provisions describing when and under which circumstances national criminal law is applied. With regards to cybercrime, things get a bit tricky, especially for those countries that have adopted the territoriality principle3. As Helmut Satzger explains:

“Most problematic are offences committed via the internet. Here the question arises whether it is legitimate to apply the national criminal laws of state A to internet content uploaded from state B and hosted on a server in state B for the sole reason that it can in principle be

3 Definition of territoriality principle: a state is entitled to claim criminal jurisdiction over any situation which occurres within its national territory (Satzger 2017). 13

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

retrieved by internet users in state A. The logical consequence of such a wide approach would be that the criminal law of every state would be globally applicable in those and similar cases, as internet access will normally be possible at any given place. The place where the offender – the provider of the problematic content – acted will in many cases be located abroad. Still, the question remains whether or not the criminal result of his or her acts occurs within the national territory (Satzger, 2017).”

Cyber warfare and international humanitarian law

As previously mentioned, there are some legal issues with regards to the applicability of international law - especially humanitarian law - to cyber operations. Many of these questions have been discussed in-depth by the authors of the Tallinn Manual. The Tallinn Manual is considered to be “the most comprehensive analysis of how existing international law applies to cyberspace” (Atlantic Council, 2017), which is authored by a group of experts coordinated by NATO. However, first of all, the following section will attempt to briefly elaborate upon the principles of international humanitarian law4 and then to what extent they apply in cyber-space.5

International humanitarian law - also referred to as “war law” - governs the rules that apply to hostile activities between states. This is also referred to as “ius in bello”.

On the one hand, there is the concept of “ius ad bellum” which regulates under what circumstances the use of force is justified. While it is not considered part of international humanitarian law, it is an important set of rules that exists independently next to jus in bello. In an ideal context, the application of ius ad bellum would precede the application of ius ad bellum. The use of force is not to be understood in a strict sense, but does not include political or economic pressure (Yoo, 2015). The use of force is also justified when acting in self-defence to counter an armed attack, as outline in Art 51 of the UN Charter (Yoo, 2015).

The Tallinn Manual, in its second section, analyses to what extent these general principles of international law apply to cyber operations. First off, it is unclear what type of “cyber activity” would constitute a “use of force”. It would have to be an act that “rose to the level of armed attack and acts that injure or kill persons or damage or destroy objects” (Yoo, 2015). The Tallinn Manual offers eight

4 For more general information, please refer to International Committee of the Red Cross here. 5 For more information on this topic, please refer to “Cyber Espionage or Cyberwar?: International Law, Domestic Law, and Self-Protective Measures” by Christopher S. Yoo, accessible here. 14

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

“nonexclusive” factors to aid in the answering of these questions: severity, immediacy, directness, invasiveness, measurability of effects, military character, state involvement, and presumptive legality (Yoo, 2015).

Another question that arises what constitutes an armed attack with regards to cyberspace. This is outlined in Rule 13 of the Tallinn Manual. According to the International Group of Experts, “to constitute an armed attack, conduct must exceed the scale and effects needed to qualify as a use of force” (Yoo, 2015). They also agree that any attack that causes injury, death or destruction of property would be enough to constitute an armed attack (Yoo, 2015). However, they also agree that activities such as cyber intelligence and cyber theft as well as interference of nonessential cyber services are not to be considered as armed attacks (Yoo, 2015).

Returning to the explanation on international humanitarian law, the “jus in bello” concept determines how countries are to conduct their activities during times of armed conflict. For it to be applied, certain conditions must be met: “it applies only under circumstances constituting “armed conflict;” it places restrictions on states when taking actions deemed to constitute “attacks;” and it only applies to actions by state actors and non-state actors under their control” (Yoo, 2015). Jus in bello distinguishes between two types of armed conflict: an international armed conflict and a non-international armed conflict. The former is the case when two countries are engaged in armed conflict and the latter when an armed conflict takes place within one state between two or more armed groups6. Jus in bello also requires that - as outlined in Article 48 of the Additional Protocol to the Geneva Convention - “the Parties to the conflict shall at all times distinguish between the civilian population and combatants and between civilian objects and military objectives and accordingly shall direct their operations only against military objectives” (Yoo, 2015). Another important requirement for the application of jus in bello is that the act - or in this context, cyber operation - is attributable to a state (Yoo, 2015).

For jus in bello to be applicable to cyber operations, the presence of an armed conflict is required, as outlined in the Tallinn Manual. The authors came to the conclusion that that “armed conflict requires the existence of hostilities, which in turn „presuppose the collective application of means and methods of warfare, consisting of kinetic and/or cyber operations‟” (Yoo, 2015). However, there was a lack of consensus as to whether or not a single cyber operation met required threshold of violence to be considered as an armed attack (Yoo, 2015). So far, no cyber activity has been classified as an international armed conflict (Yoo, 2015).

6 For more information on this topic, please refer to “Cyber Espionage or Cyberwar?: International Law, Domestic Law, and Self-Protective Measures” by Christopher S. Yoo, accessible here. 15

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

With regards to the requirement to distinguish between civilian population and combatants, the same is to be held for cyber operations, as outlined in Section 2 & 3 of the Tallinn Manual (Yoo, 2015). Specifically, it “emphasizes the concept of violence used in Article 49 (1) of Additional Protocol I as the key concept that distinguishes attacks from other military operations and lists psychological cyber operations and cyber espionage as nonviolent operations that do not qualify as attacks” (Yoo, 2015).

The extent to which an act can be attributed to a country is generally determined by the Draft Articles on State Responsibility for Internationally Wrongful Acts (“DARS”), which is a non-binding legal document compiled by the International Law Commission. According to article 8, a conduct of a (private) person or group may be attributed to a state, if s/he or they are following the instructions or under control of a state. However, due to the ability to remain anonymous in cyberspace, it is often very difficult - if not impossible - to discern the source of an act (Yoo, 2015).

In any case, any regulations in this area will influence the way cyber-attacks should classified, as outlined above. Many cyber-attacks will be easily classified as either a cybercrime or an act of cyber warfare. However, there are instances where such a distinction will not be as simple. For example, will an act be deemed attributable to a state if a rogue private group based in one country disables important military infrastructure in another one and be therefore deemed as an act of cyber warfare? On the one hand, military equipment is targeted, which according to jus in bello is a legitimate target. On the other hand, it would be iniquitous to attribute the conduct of a rogue private group to a state. What about the constellation in which a private group, acting under orders of a state, hacks into the national health insurance of another country and steals the personal data of millions of people? While this act is attributable to another state, it would rather fulfil the elements of a crime rather than be considered an act of cyber warfare. Delegates should therefore contemplate all potential impacts of a certain system of classification.

The Attribution Problem

„Human lives and the security of the state may depend on ascribing agency to an agent. In the context of computer network intrusions, attribution is commonly seen as one of the most intractable technical problems… as dependent mainly on available forensic evidence.‟ (Rid, T. and Buchanan, B, 2014)

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

„The question of “Who-done-it?” dominates all efforts from the crime scene to the court of law; a case can only be considered solved when the culprit of the crime has been identified and convicted. In the era of DNA identification and video monitoring, this strict guilty-versus-innocent divide poses little issue in the physical realm where an excellent standard of criminal investigations can be observed in most developed countries.‟ (Develle & Webster, 2015a) The technical process of properly finding the culprit in attacks takes weeks if not months. By then, the reputational damage of the attacks would be tremendous. Politically speaking, it is necessary for governments to be able to attribute responsibility to countries, governments and/or organizations.

This is done via initial forensic findings + geopolitical estimations (“guesstimations”?). This is a major obstacle in the UN, as a Security Council resolution penalizing a damaging cyber-attack would theoretically need a referent object. Practically speaking, this lack of clarity would make majority votes for resolution close to impossible. After MOONLIGHT MAZE, Russian attribution was made due to knowledge of several geopolitical realities: - Since the End of the Cold War, espionage „has largely continued unabated‟ - Russian Military Doctrine (Chechnya War) recognized the importance of „command, control, intelligence and computers‟ (C4I), „but lacked the material means to realize this “military-technical revolution”.‟ (154) - Russia vigorously denied these allegations. This also raised issues concerning the degree to which the state and informal hacker groups have a relationship (or not). See: the Attribution Game

Attribution became a major obstacle in coordinating a response as the degree of state involvement was unknown. The image to the right shows the complexity in which 17

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

state involvement could fall for only one group of hackers, now imagine if multiple groups were to be involved (Healey, 2011).

“An undisclosed government source noted that the attack had been traced to Internet servers located 20 miles from Moscow…. The pattern of the intrusions suggested that the attackers had a regular office-like schedule from 8am to 5pm and never on Russian holidays. A senior Energy Department official suggested that it could be a “sponsored” intelligence activity due to how organized the attack was. Dion Stemfley, an analyst of the Defense Information Systems Agency (DISA), said that the attack could have been „state-allowed‟” (Healey, 2011). As the spectrum of state responsibility graphic demonstrates, states can be responsible for cyber-attacks on a number of levels. Depending on the degree of damning proof, found via cyber-forensics (usually cyber companies/labs that keep record and monitor Internet traffic for patterns), states could be made accountable for their involvement along this scale. Where will the WCC draw the line is a key question.

History of the Problem

Despite the relative „newness‟ of cyber aggression, the past three decades have gathered quite an extensive record of diverse cyber-attacks. Throughout the past 25 years, one notices the increasing complexity and boldness of attacks, regardless of whether those are attributed to states, state-sponsored actors, or independent non-state actors.

Cyber-attacks involve many different types of actors looking to use attacks in different ways to achieve different strategic ends. Many of the high-profile acts of cyber aggression have involved a combination of actors, making exclusive categorization close to impossible. Given the nature of the topic and the public-sector representation of the WCC, the following acts of cyber-aggression are disproportionately state-influenced and/or have deep geopolitical ramifications. However, it is important to keep in mind that cyber-attacks disproportionately affect the private sector. More on this will be looked upon in the “Current Events” section of the guide.

Timeline of notable attacks

- 1998 – 2001 MOONLIGHT MAZE

- 2005 - 2011 TITAN RAIN & BYZANTINE HADES

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

- 2008 Russia-Georgia War

- 2010 Operation OLYMPIC GAMES

- 2011 Winnti Hacks

- 2012 Saudi Aramco Attacks

- 2015 BlackEnergy 3 Malware in Ukraine

- 2016 US Election Hacking Campaign

1998 - 2001 MOONLIGHT MAZE

Widely known as the first major state-attributed cyber-attack in history (to Russia), operation MOONLIGHT MAZE led to compromising the US Military‟s non-classified inner network (NIPRNET). In March 1998, the DoD detected a penetration of NIPRNET. The attackers broke into computer networks affecting various non-classified areas of US government, including „NASA, the Department of Energy, and the Department of Defense‟. The FBI led an investigation, while the newly created JTF-CND (Joint Task Force for Computer Network Defense) was to coordinate a response‟ (Healey, 2013). While previous attacks were often attributed to non-state actors, MOONLIGHT MAZE marks the beginning of the state-led APT threats scares. As an APT, MOONLIGHT MAZE is still shrouded in mystery because cyber-attacks grant a much greater ability for states to conceal their actions. 2005 - 2011 TITAN RAIN & BYZANTINE HADES

The first publicly declared attacks were codenamed TITAN RAIN (Nakashima 2010). Over three or four years (no one knows how long because most of the evidence is hidden or corrupted), hackers with links to the People‟s Liberation Army (PLA) compromised hundreds of systems in US industry and government. They hacked an impressive portfolio of strategic companies including Lockheed Martin, Northrop Grumman, and BAE Systems. In 2010, Google reported that it was victim of a “highly sophisticated and targeted attack on our corporate infrastructure originating from China… theft of intellectual property.” The attackers took advantage of an Internet Explorer vulnerability affecting hundreds of the largest technology companies. This culminated in the 2011 attacks on RSA security, a computer and network security company. This gave the hackers access to the networks previously protected by RSA. The RSA breaches were used as a stepping stone for breaches on networks associated with the development of the F-35 Fighter

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

Jet. There have eventually been suggestions that the fuselage of China‟s second stealth fighter jet, the J-31, resembles that of the F-22 and F-35. This entire episode of hacking campaigns affecting over 750 targets was codenamed by US counterintelligence officials as BYZANTINE HADES (Healey, 2013). Whether this was an act of espionage (because of the theft of key US documents and technology), deliberate aggression (an intentional attack aimed at degrading key American industries and infrastructure), or sabotage (a deliberate action aimed at weakening the influence of Google and other industries in China), is still undetermined. This string of attacks reveals a dire need for red lines defining and labelling attacks properly. 2008 Russia-Georgia War

The Russian cyber campaign occurring at the same time as the military campaign against Georgia in 2008 confirmed many existent thoughts within military circles (Healey, 2013). Cyberspace was to be an essential component of C4I (Communications, Control, Command, Computer and Intelligence) infrastructure for kinetic operations. Georgia moved its troops into South Ossetia from 7 August, capturing the regional capital and several other villages, allegedly in response to South Ossetia bombardments (in violation of the terms of the previous ceasefire). Russia retaliated with an invasion into Georgia the next day. However, Russia had long been working on a cyber campaign to undermine the military capabilities and political credibility of Georgia. As early as 19 July, Russian hackers focused on „denial and degradation of Georgian communications systems‟ as well as targeting many public-facing Georgian websites. The website of then-President Mikheil Saakashvili was victim of DDoS and site defacement (pictures posted comparing him with Hitler), taking the site down for 24 hours. „The pages of the Parliament, the Foreign Ministry, the Interior Ministry, several news agencies, and a few banks (were also hit)‟ (Healey, 2013). „Hackers used sophisticated DDoS methods against targets, incorporating SQL injections (where hackers rewrite a site‟s internal code to unlock information that was previously hidden) and cross-site scripting (where hackers rewrite their client access details to unlock information that was previously hidden).‟ They made no clear effort to hide the origin of such attacks, having written the code in Russian and embedding the „obvious statement “win+love+in+Rusia” in some of the messaging‟ (Nazario). Was the Georgian War a cyber war? Or was it simply a war, with cyber- support. Or, alternatively, was it a war, and was the cyber campaign a string of attacks disassociated from the war entirely?

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

2010 OLYMPIC GAMES

After Georgia, it was the United States‟ turn. Codenamed „OLYMPIC GAMES‟, an American cyber-offensive campaign aimed at Iran‟s critical national infrastructure – its nuclear enrichment program in particular – marked a new era of complexity and boldness in nation-state cyber-attacks. STUXNET, Flame, and Duqu had some degree of commonality, with STUXNET as the centrepiece of the operation. The story is well-known; In the summer of 2010, a spiked USB was plugged into a Siemens PLC (a controller with access to some of the facilities core functions) of the Natanz uranium enrichment facility, rendering up to 1000 of the 9000 IR-1 type gas centrifuges unusable (Healey, 2013). STUXNET was first discovered in 2010 by Kaspersky Labs, and thought to be development since 2005. It was a malicious computer worm (malware jumping autonomously from host-to-host computer damaging core-functions in its path) targeted at programmable logic-controllers (PLCs: the computers used to run power- plants and energy infrastructure). The worm exploited four zero-day flaws (computer- security vulnerabilities that can be exploited by hackers) which enabled it to enter Iranian PLCs, collect information and damage the systems until the fast-spinning centrifuges tore themselves apart. The worm affected over 200,000 computers and caused over 1,000 physical degradations. It was later found that an infected USB- stick carrying the payload (the malware, in this case, the worm) and the rootkit (a supporting software, in this case, responsible for hiding STUXNET‟s presence on the Iranian network) spread until it infected as many PLCs with extended control over the centrifuges. The worm then infected the PLCs by rewriting their core code (telling them to execute random operations) while sending a “business as usual” feedback loop to users. By far the most spectacular instance of cyber-aggression, this attack did what aerial bombardment could covertly and without many political ramifications. Unfortunately, US and Israeli intelligence (to whom this attack is attributed) could not control the spread of the Flame and Duqu malware across Iranian infrastructure and international energy infrastructure. They were caught soon enough. Iran‟s nuclear program was to be the centrepiece of Iran‟s domestic prosperity and military defence strategy - clearly critical national infrastructure. This set a precedent for the deliberate degradation and destruction of important hardware in other countries.

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

2011 Winnti Hacks7

Winnti, an allegedly Chinese hacking group, has been active for years and mostly targets the Asian video-gaming industry. The group steals digital certificates (online identifiers required to grant computers access to websites, or, “passports for the Internet”) and uses them to sneak into the update servers of gaming companies to prepare for man-in-the-middle (MiTM: when hackers impersonate other people to gain access) attacks for intellectual property theft (IP theft: when hackers steal proprietary data such as trade secrets, algorithms, passwords, etc.). Similar attacks occurred in 2011 on South Korean social networks Cyworlds and Nate, this time via a Trojan Horse (when hackers pretend to be something else to gain access) impersonating TNK, a Japanese video-gaming company. Qualitative analysis of the incidents point towards IP theft at a grand scale, that goes beyond company secrets but also towards the ID-theft of users across Asia. Additional attacks in 2013 with similar indicators of compromise (IOCs: specific cyber artefacts made during a cyber-attack) and signatures (IOCs indicative of the methods or products used by a specific group/gang) targeted Tibetan and Uyghur activists using the digital signature of MGAME Corp, yet another video- gaming company. This new information points towards the Chinese security services having a role in the incident. This attack demonstrates how easily hackers can impersonate other actors in order to bypass basic security mechanics. 2012 Saudi Aramco Attacks

The Shamoon (or Disttrack) modular computer virus was used to conduct cyber espionage in the oil and gas sector. The most notable attack was one targeting Saudi Arabia‟s largest oil company, Aramco. The virus quickly overwrites files in computers throughout a network with JPEG files, simultaneously compiling a list of files from specific locations in the system and sending them back to the attacker. It then finishes with an overwrite of the master boot record to prevent system reboots, which renders workstations unbootable and therefore makes it hard to recover data (workstations have to be fixed manually one at a time). Over 30,000 Saudi Aramco workstations were destroyed (“Saudi Aramco” 2014). The virus has hit companies throughout the energy sector, and the Shia- affiliated group Cutting Sword of Justice had the strongest claim over the attack. Early investigations pointed towards Iran being involved in the attacks. Should Saudi Arabia have been a less careful in the attack attributions, this cyber-attack could have – given the geopolitical tensions - triggered a war (“Saudi Aramco” 2014).

7 The following section is based on GReAT, 2013. 22

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

December 2015 BlackEnergy 3 Malware causing Huge Blackout in Western Ukraine8

Along with the OPM Hack, the Ukrainian Power Grid attack of December 2015 was a major wake up call for governments of the Western world concerning the potential destructiveness and strategic threat of cyber-attacks. Over 230,000 residents in the Ivano-Frankivsk region of Western Ukraine lost power just before Christmas. F-Secure Labs identified Quedagh (a Russia-based gang known to target political organisations) as the main user of the BlackEnergy malware toolkit (a set of software tools helping hackers create and propagate cyber-attacks), which was modified to provide extra bang for the buck (F-Secure Labs). F-Secure believes a phishing email could have been opened by a Ukrainian employee. After entering a SCADA (Supervisory control and data acquisition), the hackers took 30 electricity substations offline, damaged 2 power distribution platforms, and removed 2 or 3 backup power supplies to ensure maximum duration of damage (F-Secure Labs). Drives were wiped permanently with KillDisk, passwords were changed to prevent operators from accessing control functions, and a Ukrainian telephone company was TDoS‟d (like DDoS but specific to shutting down telecommunications platforms) to prevent customers from contacting the electricity company. Following a manual restoration of power, the power came back after 3 to 6 hours (ICS CERT). BlackEnergy was used in patterns attributable to Russia in the past, such as when Russia conducted a swathe of attacks on Georgia during the 2008 Georgian War. Typical of Russian underground operations, the greater degree of plausible deniability proposed by the usage of the BlackEnergy 3 kit (because it‟s used by so many criminals) allows for bolder attacks. Toolkits and botnets are the weaponry of cyber-conflict; their increasing availability and ease of use make attacks all the simpler to execute. 2016 US Elections Hacking Campaign

A well-timed data leak is all it takes to completely change the course of a political campaign, and thus the course of a country‟s policy-making. For instance, data leaks and other attacks have significantly impacted the course of events and the media narrative surrounding the US election campaign. This campaign of hacks included the Democratic National Committee (DNC), the Clinton Campaign and the White House. In June, an attack widely attributed to Pro-Russian hacker groups “Cozy Bear” and “Fancy Bear”, stole opposition research by the Democrats on Donald Trump (Galperina, 2016). A month later, in time for the Democratic National

8 The following section is based on Peters, 2016, Leyden, 2016 Develle & Webster, 2015b. 23

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

Convention, the DNC had the contents of its 22,000 emails leaked to the world via WikiLeaks. It is highly likely that this earlier compromise enabled the same hackers (under the alias Guccifer 2.0) to access the DNC email database (and a week later, the Clinton Campaign database). There is a growing consensus amongst the cybersecurity and intelligence community that Russia is behind the hacks (or at least condoning them).

These allegations about Russia‟s role in the U.S. campaign have been strengthened with the publication of a report by American top intelligence agencies (Yourish, 2017). The report found that the Kremlin had indeed directed a cyberattack to deny Hillary Clinton the presidency and help put Donald Trump in the White House (Shear & Sanger, 2017). Investigation is currently going on with some Trump associates being suspected of being connected to Russia and aware of the political manoeuvre.

The attacks set a new precedent in how bold Russian actors have become in intervening in the politics of other states, this time striking across the Atlantic. It is no wonder however, as this specific electoral campaign is set to deeply affect Russia‟s Source: Information is Beautiful, 11/12/2017. Link economic sanctions and its future influence in the region. The United States has had a long history of intervening in the electoral process of Eastern European states. No real condemnation of the chief Russian suspects was made in Washington or Moscow. The USA enforced White House Directive #41 which created a scheme that color-coded various degrees of cyber- attack severity and organized the executive strategy for cyber-attack response (Koebler, 2016).

Current Cases

Because the cyberspace is a relatively recent concept, the problems linked to it such as cyber-attacks tend to appear progressively with the development of new technologies. They can have a different scope and aim at individuals or companies,

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

however the most ominous are the attacks destined to paralyze or hinder the functioning of foreign state institutions and governments. The main issue is the traceability of cyber-attacks as they are often launched from devices that are not located in the attacker‟s country. Thus, despite suspicions, most cases nonetheless remain officially unresolved as it is hard to track down the exact source and perpetrator of a cyber-attack.

Cyber-attacks and Foreign Policy: The Case of Estonia

In 2007, the Republic of Estonia fell victim to a three-week wave of massive cyber-attacks that disabled very diverse structures such as websites of government ministries, political parties, newspapers, banks and companies (Traynor, 2007).

Although it has always denied its responsibility, the Russian government is widely suspected to be the source of these attacks, that were seen by Estonia as a sanction against the removal of the Bronze Soldier Soviet war memorial in central Tallinn (McGuinness, 2017).

The type of attack that was used is called DDoS, Distributed Denial of Bronze Soldier Soviet War Memorial, Tallinn. Service; it aims at preventing Source: Academic encyclopedia internet users to access certain websites or services online (US-CERT, 2013).

Estonia is one of the European pioneers in „e-government‟, with a lot of its official infrastructures depending on new technologies, hence an increased vulnerability to the damages caused by cyber-attacks. The country tried to get under EU and NATO protection, however, Jaak Aaviksoo, the former Estonian Minister of Defence reminded that “At present, NATO does not define cyber-attacks as a clear military action. This means that the provisions of Article V of the North Atlantic Treaty, or, in other words collective self-defence, will not automatically be extended to the attacked country" (Traynor, 2007).

As cyber-defence has become a matter of utmost importance to Estonia, the country decided to take its 2017 Presidency of the Council of the European Union as an opportunity to reinforce cooperation to fight and cope with cyber-attacks in the EU. For instance, it organized in Tallinn on 7th September a strategic level exercise called 'EU CYBRID 2017' on cyber defence for the EU defence ministers. (Estonian

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

Presidency of the Council of the EU website, 2017). This resulted in the creation of the Tallinn manual 2.0 helping legal advisors deal with cyber issues.

This case proves that collective actions and legal dispositions yet remain to be taken to tackle threats and effective attacks linked to the cyberspace and the security of states.

Securing the Internet of Things

In October 2016, one of the largest attacks on US and European internet structure was launched by an unknown entity. It specifically targeted the internet infrastructure provider „Dyn‟ and led to the taking down of widely-used websites such as Facebook, Twitter and Netflix. The attack, which did not technically imply any network breach from Dyn, was a basic DDoS. However, a specific feature of the attack made it remarkable: to launch it en masse, the hackers not only relied on computers but also on everyday life objects such as webcams and digital recorders. (Thielman, 2016)

The increasing presence of „smart‟ devices in a wide number of households has made these types of attacks easier: “suddenly, people who buy coffeemakers and refrigerators are adding more computers to the internet. It‟s unlikely they‟re making sure those coffeemakers are defended from malware as well.” (Thielman, 2016)

The objects used mainly contained circuit boards and software manufactured by the Chinese tech firm Hangzhou Xiongmai, which pinned the blame on users who were using easy-to-hack default passwords on their devices (Mimoso, 2016).

This case shows how important it should be, for companies but also for states that could be the next target, to raise awareness among users of connected devices. Indeed, if such an attack can cause harm to the credibility of tech companies or make them lose substantial benefits due to the inaccessibility of their website, the damages caused to official institutions could be much worse for the states‟ security.

Moreover, the case draws attention to the need for a better cyber-protection in the Internet of things. While the tech company selling the device is responsible for making sure it is protected against malwares, it is also the duty of the customer to ensure he/she is using all the available protections to have a secure device (strong passwords etc.)

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

Cyber criminality and ransomwares: an Asian case

In June 2017, the major Indian container port was shut down because of a cyberattack. A terminal operated by the A.P. Moller-Maersk at the Jawaharlal Nehru Port Trust near Mumbai could not load and unload shipments as it was unable to identify which belonged to whom. (Kotoky & Pandya, 2017) This triggered substantial organisational problems that could only be solved by meeting the attacker‟s demands.

The virus called Petya forced the owner of the infected device to pay a ransom, in this case $300 in cryptocurrency, in order to unlock their system. This type of attack is likely to become more common as companies and governmental structures are becoming increasingly dependent on digital tools to stock their data and communicate. Indeed, ransomware attacks have increased by 50 percent according to Verizon Communications Inc. Ransomwares are malicious software that could prevent a business from running and totally disable the key tools needed by companies and states to function.

It is worth noting that the protection against ransomwares remains uneven depending on the structure targeted: „While banks and retailers have strengthened defences against certain types of attacks, such as those targeting credit card data, many others are still catching up in building their defences.‟ (Kotoky & Pandya, 2017) In this case, the attack only impacted IT systems, but one must think of how the ransomware threat will evolve in the near future to also impact connected objects or home automation systems, which might be even more vulnerable (Bloomberg, 2017).

The Future

States and international bodies have recently made critical overtures towards reversing the status quo.

The Tallinn Manual

After the 2007 Estonian Cyber-Campaigns, the newly created NATO CCD- COE (a panel of cybersecurity and information warfare experts) got together to write this foundational document for the „rules of cyber-war‟ which can be found in the bibliography. The Tallinn Manual explains that „[s]tates may not knowingly allow cyber infrastructure located in their territory to be used for acts that adversely affect other 27

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

states.‟ States may be responsible for attacks happening, without their prior knowledge, as „the State itself is responsible under international law for any actions of individuals or groups placed under its direction‟ (Schmitt, 2017). This is very similar to the Responsibility to Protect doctrine and coherent with the UN Charter‟s obligations towards instilling international peace and security. To what extent States must enforce this principle is yet to be decided upon however. The Manual also states that the „International Group of Experts agreed that, at minimum, any cyber operation that caused harm to individuals or damage to objects qualified as a use of force... [but that] cyber operations that merely cause inconvenience or irritation do not qualify as use of force‟ (Koebler, 2016). What is damaging? Until when is an attack merely an inconvenience? White House Directive #41

This directive, signed and proposed in the aftermath of the DNC Hack, gives the responsibility of evaluating cyber-attacks on CNI to the Federal Bureau of Investigation (FBI). Almost a picture-perfect copy of George W. Bush‟s Terror alert schema, Barack Obama‟s „Cyber Incident Severity Schema‟ looks as follows:

Source: MotherBoard Vice

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

Although this schema is limited to the USA, the WCC could adapt the schematic (Koebler, 2016). Of course, such schemas are useless if not followed-up on nationally by corresponding cybersecurity strategies (Office of the Press Secretary, 2016).

Bilateral Agreements

In 2015, the United States and China had a summit to discuss security issues between the two powers. One important feature was something many called a „cyber- truce‟ (Duggal, 2015).

Although both countries officially denied having taken part in economic cyber-espionage and cybercrime, they have nevertheless engaged in high-level agreements. They agreed to provide timely responses to each other's requests for information and assistance concerning malicious cyber activities. They also committed themselves to holding cyber- criminals accountable to their own legal systems, to provide updates to each other regarding the status and results of investigations, to create a summit level Group of Experts from both countries, and more (Duggal 2015). As reported by FireEye, this set of agreements lead to a dramatic decrease in the quantity of cybercrime between the two countries (FireEye iSight Intelligence). The report concludes that the agreement probably forced both parties to adopt more covert attack tactics and to focus on strategically relevant targets. Such dialogue can only be part of a solution. United Nations Group of Governmental Experts (UN GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security

In July 2015, the twenty UN GGE countries (Belarus, Brazil, China, Colombia, Egypt, Estonia, France, Germany, Ghana, Israel, Japan, Kenya, Malaysia, Mexico, Pakistan, Russian Federation, Ukraine, United Kingdom, and the United States of America) redacted a report based on „equitable geographical distribution‟ (cyber sovereignty) and including key „cyber powers‟. In 2013, the only remarkable declaration produced was an affirmation that „international law applied (without exception) to cyberspace‟ (NATO CCD-COE). 29

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

„The 2015 report focuses on (1) existing and emerging threats; (2) norms, rules, and principles for the responsible behaviour of states; (3) confidence-building measures (CBMs); (4) international cooperation and capacity-building; (5) the applicability of international law, and (6) recommendations for future work. Unsurprisingly, as the report represents a diplomatic consensus, it remains rather general‟ (NATO CCD-COE). The following limiting norms, good practices, and positive duties were suggested (summarized by the NATO CCD-COE): “Limiting Norms: - states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs; - states should not conduct or knowingly support ICT activity that intentionally damages critical infrastructure; - states should take steps to ensure supply chain security, and should seek to prevent the proliferation of malicious ICT and the use of harmful hidden functions; - states should not conduct or knowingly support activity to harm the information systems of another state‟s emergency response teams (CERT/CSIRTS) and should not use their own teams for malicious international activity; - states should respect the UN resolutions that are linked to human rights on the internet and to the right to privacy in the digital age.

Good practices and positive duties: - states should cooperate to increase stability and security in the use of ICTs and to prevent harmful practices; - states should consider all relevant information in case of ICT incidents; - states should consider how best to cooperate to exchange information, to assist each other, and to prosecute terrorist and criminal use of ICTs; - states should take appropriate measures to protect their critical infrastructure; - states should respond to appropriate requests for assistance by other states whose critical infrastructure is subject to malicious ICT acts;” (NATO CCD- COE).

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

Collective Security Assurances

International security organizations like NATO could apply deterrence theory in cyberspace, enabling the creation of “cyber framework nations”, or case-countries which would serve as examples to the rest of alliance of cyber-defence best practice (Atlantic Council). Operational partnerships with the private sector (PPPs) and other international organizations (the EU, UN, or even other states like Russia) would be in order. Such regional approaches are attracting attention around the world, such as this document‟s call for ASEAN leadership in regional strategic cyber defence (Noor 2015).

Regulating Attack Toolkits

Malware or virus toolkits and botnet operators have often acted as intermediaries for malicious attacks in cyberspace. A possible way to disarm cyber- criminals and states in this space would be to work towards regulating (or cracking down on) these intermediaries. Often found on the Darknet, these middlemen are difficult to track but easy to find. Despite strong encryption like that of the most popular rerouter “The Onion Router” (Tor), intelligence and law enforcement have caught such actors with “honeypots” (fake websites, identities, or applications built to lure criminals into revealing their identities). One example of toolkit regulation is the regulation of dual-use technologies, tech that could be used for good or for evil. „Embarrassed by evidence suggesting surveillance technologies FinFisher GmbH and Hacking Team have been used by repressive regimes to target activists and journalists‟, the EU „is expected to propose tighter regulations on the export of dual-use goods‟ (Towsend 2016).

Bloc Positions

This debate is difficult to split along a dichotomy. A whole swathe of issues is addressed in the debate and it is much better to approach the topic with one‟s national interest close at heart, rather than rely on this list to orient you in debate. However, the following countries are likely to work closely together. Assertive in Cyberspace: USA, UK, Australia, Canada, New Zealand, Israel and most of NATO Often seen repeating the same refrain on many DISEC committees, these countries believe in enhancing the current status quo in cyberspace. It ensures information freedom of movement and gives unprecedented access to US-linked 31

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

intelligence. It condemns the use cyber-attacks to further political ends asymmetrically, while maintaining that if those ends are justified, cyber-defence does also involve a certain measure of offensive capabilities. Cyber-Sovereignty: Russia, China, Brazil, Germany, India, Turkey and many more who typically place a premium on national sovereignty This bloc will be found defending the „regionalisation‟ (Russia) or „localisation‟ (China) of cyberspace, into component parts subject to the laws and regulations of those spaces. According to this theory, this enables countries to better detect and prevent cybercrime, and defend themselves from externally based cyber- attacks. Its proponents also typically advocate for equality of actions amongst all states: “Why am I not allowed to spy on you, if you‟re spying on me?” Cyber-War Veterans: Estonia, Georgia, Ukraine, Iran, Saudi Arabia, South Korea, etc. These countries discuss cyber-aggression in the context of cyber warfare. To these states, the question of cyber-defence is an urgent matter, to be articulated through the language of collective defence and updated relevant UN texts. Regional Regulation: Relevant members of the EU and Relevant members of ASEAN (mainly Japan, the Philippines and Malaysia) These countries have made inroads in discussing cyber defence on the regional level. They argue for the transnational nature of cyber-threats mandates and multi- stakeholder and regional approach to defence. The EU has, with its ground-breaking Human Rights policy, made progress towards the ethical use of cyberspace.

Questions a Resolution Should Answer

- How should cyberspace be defined? - What is a cybercrime? What is an act of cyber aggression? What should be the main criteria that distinguishe one from another (motivation, damaged caused, etc.)? - How do we classify criminal acts and acts of aggression? When are one or both acts an act of cyberwar? If at all. - How do we fix the „attribution problem‟? - Whose responsibility is it to reduce cyber insecurity? What resources do we provide them with to do get this job done?

ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018

- Can a crisis-readiness-preparedness framework be created for cyber-attacks at the multinational level? If so, at what point can this framework be mandated for a response? - What approach should states adopt to ensure their legislation keeps up with technological progress? - How could states better include their citizens in their cyberdefense strategies? - How could countries better coordinate their actions to fight international cybercrime?