A new systematic modelling methodology for improving cyber-attack evaluation on states’ Critical Information Infrastructure (CII)

Kosmas Pipyros

March 2019

Information Security and Critical Infrastructure Protection (INFOSEC) Laboratory Department of Informatics


A dissertation submitted for the partial fulfillment of a Ph.D. degree

January 2019

Department of Informatics Athens University of Economics & Business Athens, Greece


Supervising Committee:

1. Theodoros Apostolopoulos, Professor, Athens University of Economics & Business (Chair).
2. Dimitris Gritzalis, Professor, Athens University of Economics & Business (Deputy Rector).
3. Lilian Mitrou, Professor, University of the Aegean.

Examination Committee:

1. Theodoros Apostolopoulos, Professor, Athens University of Economics & Business (Chair).
2. Dimitris Gritzalis, Professor, Athens University of Economics & Business (Deputy Rector).
3. Lilian Mitrou, Professor, University of the Aegean.
4. Evgenia Alexandropoulou, Professor, University of Macedonia.
5. Ioannis Mavridis, Professor, University of Macedonia.
6. Maria Kanellopoulou – Bottis, Associate Professor, Ionian University.
7. Panayiotis Kotzanikolaou, Assistant Professor, University of Piraeus.

A new systematic modelling methodology for improving cyber-attack evaluation on states’ Critical Information Infrastructure (CII)

Copyright © 2019

by

Kosmas Pipyros

Department of Informatics Athens University of Economics and Business 76 Patission Ave., Athens GR-10434, Greece

All rights reserved. No part of this manuscript may be reproduced or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the author.


Disclaimer

The views and opinions expressed in this thesis are those of the author and do not in any way represent the views, official policy or position of the Athens University of Economics and Business or his employer.

“The approval of a doctoral dissertation by the Department of Informatics of the Athens University of Economics and Business does not imply acceptance of the author’s opinions.”

(Law 5343/1932, article 202)


Acknowledgements

Reaching the end of my doctoral studies, I consider myself very fortunate for being able to work with the encouraging professors of my supervising committee. I had the opportunity to meet them during my master’s degree and I would like to express my gratitude for giving me the opportunity to embark on a master’s degree in information systems security without having the necessary background, because my bachelor’s degree is in Law. Their lectures were the inspiration for my PhD thesis and I feel very grateful for that. More specifically, I would like to express my appreciation to my Ph.D. Supervisor Prof. Theodoros Apostolopoulos for giving me the opportunity to accomplish this research. Professor, thank you for your continuous guidance, support and inspiration during the more than five years of my academic research, for your encouragement and for your enlightening suggestions. I would also like to express my deep gratitude and appreciation to Prof. Lilian Mitrou for her guidance, enthusiastic encouragement and useful comments during the development of this research work. This Ph.D. thesis would not have been accomplished without her valuable and constructive suggestions and recommendations. Her willingness to give her time so generously is very much appreciated. It gives me pleasure to express my deep sense of gratitude to Prof. Dimitris Gritzalis for his continuous guidance, meticulous suggestions and astute criticism during my PhD. Furthermore, his academic advice and support helped me to improve my work and to keep my progress on schedule. I would also like to express my thanks to Dr. Christos Thraskias for the stimulating discussions and his invaluable scientific advice and help during the development of our research method. He was the one who helped me the most during my first research steps and I feel very grateful for his support and professionalism, but mainly for his friendship.

Finally, I would like to express my gratitude to my dearest wife, Sotiroula, for her unconditional love, patience and support, but especially for bringing to life our beloved son a few months ago. This dissertation is dedicated to him.

Athens, 28th December 2018


Dedication

To our son Theodore:

‘You have made me stronger, better and more fulfilled than I could have ever imagined.’


Abstract

Over the past decades, rapid advances in Information and Communication Technologies (ICTs) have connected billions of individuals across the globe, integrated economies through connected supply chains, and spurred new efficiencies through the World Wide Web (WWW). The rapid development of ICTs, their presence in every aspect of human life and the high degree of dependency on cyberspace make cybersecurity a common objective for a society’s proper functioning and the well-being of its citizens. As the European Commission states in its Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions entitled “Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace” (JOIN 1, European Commission, 2013), cyber security “[…] commonly refers to the safeguards and actions that can be used to protect the cyber domain, both in the civilian and military fields, from those threats that are associated with or that may harm its interdependent networks and information infrastructure”. Despite the general integrity of digital networks and systems, deep digital integration has also created new vulnerabilities and threats from individual hackers, organized crime, terrorist groups and even nation states. Those threats, commonly referred to as cyber-attacks, include actions “[…] taken to undermine the functions of a computer network for a political or national security purpose”. Furthermore, the US National Research Council (2009) defines cyber-attacks as “deliberate actions to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information and/or programs resident in or transiting these systems or networks”. The more Critical Infrastructures (hereafter CI) become independent of human intervention, the greater the well-being of societies and citizens, but also the greater the vulnerability of states.

The increasing number and complexity of cyber-attacks on states’ CI in recent years has been transforming cyberspace into a new battlefield where “the mouse and the keyboard are the new weapons”, bringing out “cyber warfare” as the “5th dimension of war”. In 2010, the Pentagon acknowledged cyberspace as a new domain of war, after land, sea, air and space, which is vital for military operations (William J. Lynn, 2010). In order to defend the USA’s Critical Information Infrastructure (hereafter CII) from cyber-attacks, former US President Barack Obama (2009-2017) declared America’s digital infrastructure a strategic national asset (The White House, 2010). Moreover, former US Secretary of Defense Leon Panetta (2011-2013), in his 2011 speech “Defending the nation from cyber-attacks”, pointed out that this is a pre-9/11 moment and that a cyber-attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack on 9/11. The decision of the US government reflected the need to address the challenges posed by cyber-attacks that could be qualified as acts of cyberwar.


Furthermore, at EU level, in the year 2016 alone there were more than 4,000 ransomware attacks per day, with 80% of European companies experiencing at least one cyber security incident. In addition, more than 150 countries and 230,000 systems across sectors and countries were affected, with a substantial impact on essential services connected to CI. Therefore, Jean-Claude Juncker, President of the European Commission, in his State of the Union address to the European Commission on 13 September 2017, pointed out that “Cyber-attacks can be more dangerous to the stability of democracies and economies than guns and tanks. Cyber-attacks know no borders, and no one is immune” (State of the Union 2017, European Commission). The number and complexity of cyber-attacks has been increasing steadily in recent years. The major players in today’s cyber conflicts are well organized and heavily funded teams with specific goals and objectives, working for or supported by a nation-state. Cyber-attacks such as those on Estonia (2007) and Iran (2010) demonstrate the significance and the magnitude of the problem. Moreover, at international level, the “WannaCry” ransomware attack of May 2017 affected hundreds of thousands of computers in 150 countries. In addition, the “NotPetya” attack a month later, which the United States publicly attributed to Russia, was deemed by the White House to be the most expensive cyber-attack in history (Center for Strategic & International Studies, Significant Cyber Incidents, 2018). The continuous increase in both the number and the intensity of cyber-attacks on states’ CII makes research on defining and evaluating these categories of cyber-attacks a pressing need.
Today all the EU member states (ENISA) and most of the NATO member states have a National Cyber Security Strategy (NCSS) as a key policy feature, helping them to tackle risks which have the potential to undermine the achievement of economic and social benefits from cyberspace. In addition, the armed forces of several states are establishing cyber units and including cyber operations in their military doctrines and strategies. States are fully aware of cyber threats and are taking active steps to limit them. Furthermore, an increasingly large number of states are also becoming meaningfully engaged with the offensive possibilities that cyberspace can offer. The cyber arming of states is emerging through the establishment of military cyber units all around the world. The United States Cyber Command (USCYBERCOM) for the US, the Defence Cyber Operations Group (DCOG) for the UK, the Computer Network Operation (CNO) team for Germany, Unit 8200 for Israel and Units 61398 and 61486 for China are just a few examples which show that we are moving towards a true “cyber warfare age”. The explicit references in the NCSSs of many states that their cyber units are mandated to focus on offensive cyber operations leave no room for doubt that we are at the crossroads of the “militarization of cyberspace” (Stiennon, 2016). Nevertheless, the “militarization of cyberspace” and the integration of cyber units into military affairs bring new dilemmas to the surface. How should cyber operations of this kind, with these impacts, be considered from a legal point of view? Should they be considered as something new, requiring the formulation of new legal instruments at domestic and international level, or should they be met using the traditional legal framework of domestic and international law rules in force?

For the time being, there are many difficulties, from a technical and institutional perspective, in applying international law rules to cyber operations. Despite the fact that all EU member states have adopted measures of a binding nature at the organizational level, such as the creation of national cyber security strategies through which states’ CI are determined and protected in order to reduce the effects of cyber-attacks, these measures have a limited scope. Moreover, there are no multilateral agreements or international treaties providing a straightforward definition as to what “a cyber-attack” should entail, or as to the sanctions (economic or other) it should induce. In short, there is a lack of universal agreements regarding the process of monitoring, processing and effectively sharing the information required to track and trace assailants (Lewis, 2009). In the cyber context, the identification and classification of the type of conflict to which particular hostilities apply as a matter of law is proving problematic. Despite the existence of a broad legal arsenal that can be deployed, at any given time, in the fight against cybercrime and the protection of states’ CIIs from cyber threats, the legal classification of a cyber-attack against an information system as a “use of force” or as an “armed attack” is controversial. The difficulty in applying the traditional rules of international humanitarian law to categorize cyber-attacks stems from a number of factors. The most important of them is the failure to properly estimate the impact of a cyber-attack and to determine the identity, or the political motivations, of an attacker until long after the event has occurred.
Furthermore, in cyber warfare, the activities of key actors (states) often cannot be easily distinguished from the activities of non-state actors (such as cybercriminals and terrorist groups), making the terrain of cyber conflict complicated. The combination of anonymity and parallel action by both state and non-state actors, and the difficulty in distinguishing military from criminal actions, makes the management of this type of conflict complicated and the implementation of international humanitarian law rather problematic. The objective facts of every cyber operation incident are quite difficult to identify; thus, it cannot be claimed with certainty that the key criteria of both state involvement and gravity of effect are met. In addition, uncertainty regarding attribution, along with the absence of a common understanding, creates the risk of instability and misperception. Consequently, from a strategic point of view, the classification of cyber conflicts becomes quite challenging as a result of both the multi-layered nature and the multi-jurisdictional character of the attribution problem. The technical complexity of systems, the growing variety of exploitable attack vectors and the ubiquitous integration of Internet technology into all aspects of our daily lives compound the problem. The failure to adopt a comprehensive approach to the problem is frequently the norm, leading to an incomplete understanding of cyber-attacks and a failure to provide an appropriate solution.

A plethora of cyber-attack evaluation methods exist today that help to understand the complexity of cyber-attacks. Most of these models, however, focus on delivering insight from a unidimensional perspective: technical detail or understanding of human-centric factors. Moreover, these approaches do not provide a holistic evaluation of the effects of cyber-attacks on states’ CI in order to establish a basic situational awareness understanding and to define the appropriate countermeasures. The existing literature on cyber-attack evaluation models can be divided into three broad categories (Happa and Fairclough, 2017): technology-centric models, social-centric models, and cyber-situational awareness and understanding models. Technology-centric models seek to define cyber operations from a technical perspective (e.g. how a piece of malware operates or how a vulnerability can be exploited). Social-centric models attempt to understand cyber-attacks from a human perspective; their approaches range from the identification of non-trustworthy individuals who might represent a cyber security risk to the discovery of how human-behavioural failures can be exploited as part of the cyber-attack process. Cyber situational awareness and understanding models adopt a high-level approach to considering cyber-attacks and focus on the environment in which the cyber-attack occurs and the resultant impact upon its different elements. However, as has already become apparent, it is no longer possible to consider only the technological perspective of cyber-attacks; it is essential to think of all the related aspects. Furthermore, the above-mentioned technology-centric, social-centric and cyber-situational awareness models fail to accurately identify the extent of the socioeconomic consequences, such as public health, safety, economic and psychological impacts, which are directly linked to the collapse or degradation of states’ CII.
In conclusion, none of the above-mentioned cyber-attack evaluation methods is linked to international law and the consequences related to interstate violence. For those reasons, this thesis presents a systematic modelling methodology for evaluating the effects of cyber-attacks on states’ CII. The new methodology is the outcome of interdisciplinary research in the fields of cyber security and international law. It integrates theories, perspectives, techniques, tools and data from those two bodies of specialized knowledge in order to solve a primary problem which is beyond the scope of each discipline or field of research practice, and which is fundamental for each state in order to evaluate the level of intensity of cyber operations and to react lawfully, in accordance with international law. The analysis is focused on the United Nations Charter’s normative scheme of the “use of force” in order to define whether these attacks constitute a wrongful “use of force” under the principles of international law. This is primarily achieved by adopting an “effects-based” or “consequences-based” approach, which focuses on the overall effect of a cyber operation on the victim state, as well as by using the qualitative criteria for recognizing the impact of cyber-attacks proposed by the International Group of Experts (IGEs) in the Manual of the International Law applicable to Cyber Warfare (The Tallinn Manual, 2013). Furthermore, Multi-Attribute Decision Making (MADM) algorithms are applied, more specifically the Simple Additive Weighting (SAW) method and the Weighting Product Method (WPM). The interdisciplinary research, using both qualitative and quantitative methods of analysis, makes it possible to achieve an improved cyber-attack evaluation assessment and, as a result, a more accurate and complete cyber-attack classification. The usefulness of the methodology is perceived in areas where there is uncertainty or disagreement among a number of legal analyses, and in making available a means for addressing all issues having to do with the “use of force”. Finally, the methodology could act as a basis for the assessment and classification of cyber-attacks directed at Software-Intensive (SI) systems, a component of a state’s CI. More specifically, the proposed methodology is differentiated from previous cyber-attack methods in the following ways:

(a) by developing a combined multi-methodology, using qualitative and quantitative methods of analysis, able to pinpoint and assess the impact provoked by cyber-attacks on states’ CII;

(b) by developing algorithms and strategies that can be implemented for the identification and classification of cyber-attacks on states’ CII in accordance with international law.

The identification and classification of the conflict in question is of seminal importance because the nature of the conflict determines the applicable legal regime. To the best of our knowledge, this is the first method that achieves an improved cyber-attack evaluation assessment and, as a result, a more accurate and complete cyber-attack classification under the principles of international law. More specifically, the chapters of the dissertation can be summarized as follows: Chapter 1 includes the research context and motivation, the delimitation of the research problem, the statement of approach to the research problem, contributions and the dissertation outline.
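As an added illustration of the two MADM scoring methods the abstract names, SAW and WPM, the following is example code written for this page and not the thesis’ own implementation or data. The criterion names are the use-of-force factors listed in the Tallinn Manual’s commentary; the weights, the three scenarios and their 1–5 scores are constructed here purely to show the arithmetic, including the handling of a criterion (presumptive legality) whose higher value points away from “use of force”.

```python
"""SAW and WPM scoring of constructed cyber-attack scenarios.

Criterion names follow the Tallinn Manual use-of-force factors; every
weight and score below is a constructed illustration, not thesis data.
"""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Criterion:
    name: str
    weight: float
    cost: bool = False  # True: a higher raw score points AWAY from "use of force"


# Constructed weights (must sum to 1.0); presumptive legality is a "cost" criterion.
CRITERIA = [
    Criterion("severity", 0.25),
    Criterion("immediacy", 0.10),
    Criterion("directness", 0.10),
    Criterion("invasiveness", 0.15),
    Criterion("measurability", 0.10),
    Criterion("military_character", 0.10),
    Criterion("state_involvement", 0.15),
    Criterion("presumptive_legality", 0.05, cost=True),
]

# Constructed 1-5 scores per scenario, one column per criterion above.
SCENARIOS = {
    "kinetic_strike_on_scada": [5, 5, 5, 5, 5, 5, 5, 1],
    "cyber_attack_on_scada":   [4, 3, 3, 5, 3, 3, 4, 2],
    "ddos_on_gov_sites":       [2, 4, 2, 1, 2, 1, 3, 4],
}


def validate(criteria, scenarios):
    """Reject weight vectors that do not sum to 1 and non-positive scores (WPM needs x > 0)."""
    if abs(sum(c.weight for c in criteria) - 1.0) > 1e-9:
        raise ValueError("criterion weights must sum to 1.0")
    for name, scores in scenarios.items():
        if len(scores) != len(criteria):
            raise ValueError(f"{name}: expected {len(criteria)} scores")
        if any(s <= 0 for s in scores):
            raise ValueError(f"{name}: scores must be positive")


def normalize(criteria, scenarios):
    """Linear normalization to (0, 1]: x/max for benefit criteria, min/x for cost criteria."""
    validate(criteria, scenarios)
    columns = list(zip(*scenarios.values()))  # one tuple of raw scores per criterion
    normalized = {}
    for name, scores in scenarios.items():
        normalized[name] = [
            min(col) / s if c.cost else s / max(col)
            for c, s, col in zip(criteria, scores, columns)
        ]
    return normalized


def saw(criteria, scenarios):
    """Simple Additive Weighting: weighted sum of normalized scores, 1.0 = dominates every criterion."""
    return {
        name: sum(c.weight * r for c, r in zip(criteria, row))
        for name, row in normalize(criteria, scenarios).items()
    }


def wpm(criteria, scenarios):
    """Weighted Product Method: product of normalized scores raised to their weights."""
    return {
        name: prod(r ** c.weight for c, r in zip(criteria, row))
        for name, row in normalize(criteria, scenarios).items()
    }


def wpm_ratio(criteria, scenarios, a, b):
    """Pairwise WPM comparison; a value above 1.0 means scenario a outranks scenario b."""
    scores = wpm(criteria, scenarios)
    return scores[a] / scores[b]


def rank(scores):
    """Scenario names ordered from most to least intense."""
    return sorted(scores, key=scores.get, reverse=True)


if __name__ == "__main__":
    for method in (saw, wpm):
        scores = method(CRITERIA, SCENARIOS)
        print(method.__name__.upper(), {k: round(v, 4) for k, v in scores.items()}, rank(scores))
```

The two methods agree on the ordering for this input, but WPM penalizes a scenario that scores very low on any single heavily weighted criterion more sharply than SAW does, which is worth checking whenever the two rankings diverge.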
Chapter 2 focuses on the globalization of the “cyber warfare” phenomenon by observing its evolutionary process from the early stages of its appearance until today. Through a comprehensive review of the “history” of cyber warfare, the chapter examines the scope, duration and intensity of major cyber-attacks, the impact provoked and the reaction of the states that were the victims of the attacks, but also the impact caused on the international environment. Chapter 3 expands further by analyzing the European legal framework for an open, safe and secure cyberspace. Chapter 4 analyzes cyber-attacks and “cyber warfare” from the perspective of the international legal framework and further clarifies the decisive role of states (USA, Russia, China) and international organizations (NATO, ENISA, ICRC) in its evolution. Chapter 5 sets the theoretical background for the new cyber-attack evaluation methodology. A classification of cyber-attacks under the prism of international law is undertaken, while a thorough analysis and transformation of these rules is carried out in order to respond to the new challenges that arise. Chapter 6 introduces the development of a new systematic modelling methodology for evaluating the effects of cyber-attacks on states’ CII with the use of qualitative and quantitative methods of analysis. For the analysis of the new methodology, a case study of kinetic and cyber-attacks on a Supervisory Control and Data Acquisition (SCADA) system is employed. Subsequently, the new methodology is applied to real-life cyber-attacks, namely the large-scale attacks against Estonia and Iran, and cyber-attack evaluation results are presented. Furthermore, taking the proposed cyber-attack evaluation methodology as a starting point, it is recognized that the same qualitative criteria proposed by the International Group of Experts for the evaluation and categorization of cyber-attacks are also employed as impact factors in risk-based criticality analysis methodologies to prioritize assets and infrastructures. More specifically, there is a strong interdependency between the proposed cyber-attack evaluation methodology and risk-based criticality analysis methodologies, since both use the same qualitative criteria during their evaluation process. For this reason, we propose assessing cyber-attacks by adopting risk-based criticality analysis methodologies. Chapter 7 focuses on the issues of limited jurisdiction and the problem of attribution as major obstacles that impede the implementation of international law rules in cyber warfare and lead to a lack of accountability for cyber-attacks. Furthermore, it presents related work in the field of cyber-attack modelling assessment and a comparative analysis of the proposed methodology with previous cyber-attack evaluation methodologies. Chapter 8 presents conclusions, recommendations, publications and proposals for future research.
The thesis suggests that there is a long way ahead for further research in the field of cyber-attack evaluation methodologies in order to achieve a more accurate and complete cyber-attack modelling assessment. This study can act as a basis for new ideas and new lines of investigation in the field of cyber-attack modelling assessment. In addition, an interdisciplinary assessment of the proposed methodology against past and current works in the field can be essential for exploiting the advantages of the proposed techniques in order to expand further and draw more useful conclusions.


Extended Abstract (translated from Greek)

The degree of penetration of Information and Communication Technologies (ICT), mainly through the development of integrated information systems and the diffusion and combined exploitation of broadband communication infrastructures, has brought significant changes to every aspect of human activity, substantially affecting public administration, public health and education, as well as national security. Sectors and production processes related to energy, transport, communications, finance or food are now inextricably linked to ICT. The gradual shift from the “Internet of Things” to the “Internet of Everything”, where billions of devices, applications and networks are interconnected and able to interact without human intervention, is fundamentally transforming the global economy and our way of life. Cyberspace is the starting point and common frame of reference for all of the above. However, the high degree of dependence of information systems and critical infrastructures on cyberspace, combined with the multitude of vulnerabilities and the complexity of the threats that exist within it, creates a particularly vulnerable environment, exposed to the risks of cyber-attacks. In 2016 alone there were 4,000 cyber-attacks per day at European Union (EU) level aimed at financial gain. This is an increase of 300% compared to 2015. Indeed, in some member states more than 50% of criminal acts were carried out through cyberspace. In total, during 2016 more than 230,000 information systems, interconnected with critical infrastructures in 150 countries worldwide, suffered cyber-attacks with a serious impact on services of vital importance.
Characteristic is the statement of the President of the European Commission, Jean-Claude Juncker, in his annual State of the Union address (2017), according to which “cyber-attacks can be a greater threat to the destabilization of democracies and societies than guns and tanks [….]. Cyber-attacks know no borders and no one is immune to them”. Moreover, at international level, the “WannaCry Ransomware Attack” of May 2017 infected millions of users in more than 150 countries worldwide, while a month later the “NotPetya” cyber-attack was characterized as the most costly to date, and the United States government officially accused Russia of launching it (CSIS, 2018). Attacks such as those on Estonia (2007) and Iran (2010) demonstrate the magnitude of the problem. It is no coincidence that across all EU member states, and also at the global level (NATO), cyberspace is recognized as the fifth domain of operations and war after land, sea, air and space (Wales Summit Declaration, 2014 / Warsaw Summit Declaration, 2016), and that an effort is being made to protect critical infrastructures through national cybersecurity strategies (NIS Directive, 2016). Beyond the self-evident need to strengthen security within cyberspace, an equally serious issue concerns the manner and framework of responding to large-scale cyber-attacks at national and international level. Factors affecting the level of security and the manner of response to cyber-attacks are the criticality and extent of the consequences of an attack, as well as the status and nature of the actor carrying out a cyber-attack. These factors also determine the corresponding institutional framework on the basis of which a state is called upon to deal with attacks in cyberspace. Especially in those cases where state actors, or autonomous entities under the direction or with the tolerance of a state, are suspected to be behind the cyber-attacks (as is suspected to have happened in the example of Russia in the case of Estonia, and of the United States and Israel in the case of the attacks on Iran), major issues arise concerning the nature of the goods affected, the legal assessment of the offences and, consequently, the manner of dealing with the cyber-attacks. After all, the identification and evaluation/categorization of these attacks is the first step towards determining the applicable institutional framework so that they can be dealt with effectively. In practice, however, the legal evaluation and categorization of cyber-attacks prove particularly difficult.
The main factors that aggravate the difficulty of evaluating and categorizing cyber-attacks concern, on the one hand, the difficulty of identifying the attacker (also known as the “attribution problem”) and, on the other hand, the difficulty of correctly assessing the consequences of a cyber-attack both for the specific state under attack and for the international environment. When is it a “simple” cyber-attack, and when can one detect an escalation that may raise it even to the level of “cyber war”? So far, published research has attempted to evaluate the complexity of cyber-attacks through methodologies that focus more on the technical analysis of the attacks and on identifying the factors that contributed to their execution. The existing literature on cyber-attack evaluation models could be categorized into three broad research categories: (a) technology-centric models, (b) social-centric models and (c) cyber-situational awareness models (Happa and Fairclough, 2017). However, none of the above modelling categories appears to offer a holistic evaluation of the impact of cyber-attacks on a state’s critical infrastructures that would make it possible to assess when such attacks constitute an unlawful “use of force” in violation of the principles of international law and to determine possible reprisals. The above technology-centric and social-centric models, as well as the situational awareness models, focus on the technological and human factor and are unable to offer us a complete picture of the extent of the impact of a cyber-attack on a state’s critical infrastructures. Furthermore, none of the above models studies the consequences of interstate violence caused by cyber-attacks at international level. This doctoral thesis approaches the subject of cyber-attacks from the perspective of international law through the development of an integrated methodology for evaluating the impact of cyber-attacks on a state’s critical infrastructures. The analysis focuses on the normative framework of the Charter of the United Nations and on the concept of the “use of force” as defined therein, in order to determine when cyber-attacks constitute, on the basis of the principles of international law, an “unlawful use of force”. More specifically, the present methodology differs from previous cyber-attack evaluation methods in the following ways: (a) It develops a combined multi-methodology, using qualitative and quantitative evaluation methods, for evaluating the impact of cyber-attacks on a state’s critical infrastructures. The new methodology is based, on the one hand, on the qualitative criteria for evaluating the impact of cyber-attacks, as proposed by the “International Group of Experts” in the “Tallinn Manual of the International Law applicable to Cyber Warfare”, and, on the other hand, on the use of Multi-attribute Decision Making Systems.
The new cyber-attack evaluation model combines, for the first time, the theory of international law on the unlawful “use of force” and the qualitative criteria of the Tallinn Manual for evaluating cyber-attacks with the use of decision-making algorithms, while proposing a different way of applying and exploiting them based on their particular characteristics. (b) It develops algorithms and strategies that can be applied at a practical level in order to make clear when cyber-attacks constitute an “unlawful use of force” under international law. More specifically, the chapters of this thesis are summarized as follows: Chapter 1 includes the research context, the purpose and method of our work, as well as a brief description of the research contribution to the field of knowledge. Chapter 2 focuses on the internationalization of the “cyber warfare phenomenon” by studying its evolutionary course, from the early stages of its appearance until today. Through a brief historical review, the most significant cyber-attack incidents are presented, along with their impact on the states that suffered cyber-attacks and on the international environment.

Το Κεφάλαιο 3 εξετάζει του υπάρχοντες κανόνες δικαίου που αφορούν την προστασία των κρίσιμων υποδομών και την διασφάλιση των θεμελιωδών δικαιωμάτων των πολιτών σε Ευρωπαϊκό επίπεδο. Το Κεφάλαιο 4 επιχειρεί μια χαρτογράφηση του διεθνούς θεσμικού πλαισίου και παράλληλα αναλύει τη θέση σημαντικών κρατών (ΗΠΑ, Ρωσία, Κίνα) και διεθνών οργανισμών (ΝΑΤΟ, ΕΕ) για την εξέλιξή του. Το Κεφάλαιο 5 αποτελεί το θεωρητικό υπόβαθρο του προτεινόμενου μοντέλου αξιολόγησης κυβερνοεπιθέσεων. Επιχειρείται για πρώτη φορά μια μοντελοποίηση των κυβερνοεπιθέσεων, βάσει των αρχών του διεθνούς δικαίου, ενώ παράλληλα πραγματοποιείται και μια διεξοδική ανάλυση και αναπροσαρμογή των εν λόγω κανόνων προκειμένου να ανταποκριθούν στις νέες προκλήσεις που δημιουργούνται. Το Κεφάλαιο 6 παρουσιάζει το νέο μοντέλο αξιολόγησης των κυβερνοεπιθέσεων το οποίο στηρίζεται στη χρήση αλγορίθμων λήψης αποφάσεων (Multi-attribute Decision Making Systems) και στα ποιοτικά κριτήρια αξιολόγησης των κυβερνοεπιθέσεων, όπως προτάθηκαν από το «Συμβούλιο των Εμπειρογνωμόνων» στο «Εγχειρίδιο του Τάλλιν», προτείνοντας ωστόσο ένα διαφορετικό τρόπο εφαρμογής και αξιοποίησης τους, βασιζόμενο στα ιδιαίτερα χαρακτηριστικά τους. Για την αξιολόγηση της νέας μεθοδολογίας χρησιμοποιούνται αρχικά δύο υποθετικά παραδείγματα επιθέσεων στις κρίσιμες υποδομές ενός κράτους. Το πρώτο αφορά τη χρήση συμβατικών όπλων και το δεύτερο τη χρήση κυβερνοεπιθέσεων. Στη συνέχεια, το προτεινόμενο μοντέλο αξιολόγησης κυβερνοεπιθέσεων εφαρμόζεται στις επιθέσεις εναντίον της Εσθονίας και του Ιράν και χρήσιμα συμπεράσματα συνάγονται. Ο συνδυασμός ποιοτικών και ποσοτικών μεθοδολογιών ανάλυσης μας οδηγεί σε μια πιο ολοκληρωμένη και ακριβή αξιολόγηση και κατηγοριοποίηση των κυβερνοεπιθέσεων, βάσει των αρχών διεθνούς δικαίου. 
Επιπρόσθετα, έχοντας ως αφετηρία το προτεινόμενο μοντέλο αξιολόγησης κυβερνοεπιθέσεων, διαπιστώνεται ότι χρησιμοποιούνται τα ίδια αξιολογικά κριτήρια (για την αξιολόγηση των κυβερνοεπιθέσεων) με εκείνα που χρησιμοποιούνται στις μεθόδους αξιολόγησης κινδύνου βάσει επικινδυνότητας (risk-based criticality analysis methodologies). Αναδεικνύοντας την ταύτιση αφενός των εννόμων αγαθών που διακυβεύονται αφετέρου των αξιολογικών κριτηρίων για την κατηγοριοποίησή τους, προτείνουμε την εφαρμογή των εν λόγω μεθόδων αξιολόγησης κινδύνου βάσει επικινδυνότητας για την αξιολόγηση και κατηγοριοποίηση των κυβερνοεπιθέσεων. Το Κεφάλαιο 7 επικεντρώνεται στα θέματα της «περιορισμένης δικαιοδοσίας» και της «αδυναμίας καταλογισμού των ευθυνών» στον κυβερνοχώρο αναδεικνύοντας τα σημαντικότερα εμπόδια που δυσχεραίνουν την εφαρμογή των κανόνων διεθνούς δικαίου στις κυβερνοεπιθέσεις. Αναλυτικότερα, αναδεικνύεται το πρόβλημα της «περιορισμένης δικαιοδοσίας» λόγω αδυναμίας εφαρμογής του «κριτηρίου της εδαφικότητας» για τη συλλογή αποδεικτικού υλικού στο διαδικτυακό περιβάλλον και το πρόβλημα του «καταλογισμού των ευθυνών» στον φορέα εκδήλωσης της κυβερνοεπίθεσης λόγω της δυσκολίας αξιολογικής συσχέτισης των κυβερνοεπιθέσεων με το φορέα εκδήλωσης των επιθέσεων αυτών. Παράλληλα, εξετάζοντας τη xviii

διεθνή βιβλιογραφία, επικεντρώνεται σε υπάρχοντα μοντέλα αξιολόγησης κυβερνοεπιθέσεων, εντοπίζοντας τα ιδιαίτερα χαρακτηριστικά που διαφοροποιούν το προτεινόμενο μοντέλο αξιολόγησης κυβερνοεπιθέσεων από εκείνα. Η διατριβή ολοκληρώνεται με το Κεφάλαιο 8 όπου παρουσιάζονται τα συμπεράσματα και καταληκτικές παρατηρήσεις ενώ προτείνονται και μελλοντικές ερευνητικές προτάσεις.


Table of Contents

Disclaimer ...... v
Acknowledgements ...... vi
Dedication ...... vii
Abstract ...... viii
Extended Abstract in Greek ...... xv
List of Figures ...... xxv
List of Tables ...... xxv
List of Equations ...... xxv
List of Acronyms ...... xxvi

Chapter 1: Introduction ...... 1
1.1 Research context and motivation ...... 1
1.2 Research statement and approach ...... 2
1.3 Contributions ...... 6
1.4 Dissertation outline ...... 8

Chapter 2: Background ...... 12
2.1 Cyber-related terms and definitions ...... 12
2.2 A short history of cyber warfare ...... 19
2.3 The increasing growth of cyber operations ...... 20
2.3.1 The realization phase ...... 21
2.3.1.1 The Siberian Gas Pipeline Explosion ...... 21
2.3.1.2 The Morris worm ...... 21
2.3.1.3 The WANK worm ...... 22
2.3.2 The take-off phase (1998-2003) ...... 23
2.3.2.1 The “Moonlight Maze” cyber operation ...... 23
2.3.3 The militarization phase (2003-present) ...... 24
2.3.3.1 Titan Rain ...... 24
2.3.3.2 GhostNet ...... 24
2.3.3.3 Operation Aurora ...... 25
2.3.3.4 The Attack on RSA ...... 26
2.3.3.5 Cyber-attacks against Estonia ...... 27
2.3.3.6 Cyber-attacks against Georgia ...... 28
2.3.3.7 Cyber-attacks against Iran ...... 29
2.4 The development of cybersecurity culture worldwide ...... 31

Chapter 3: The European legal framework for an open, safe and secure cyberspace ...... 35
3.1 The International Convention on Cybercrime (or The Budapest Convention) ...... 35
3.2 Council Directive 2008/114/EC “on the identification of European critical infrastructures and the assessment of the need to improve their protection” ...... 37
3.3 Communication 149 (2009) on Critical Information Infrastructure Protection “Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience” ...... 38
3.4 Joint Communication 1 (2013) “Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace” ...... 39
3.5 Directive 2013/40/EU of the European Parliament and of the Council “on attacks against information systems and replacing Council Framework Decision 2005/222/JHA” ...... 40
3.6 Directive 2016/1148/EU of the European Parliament and of the Council “concerning measures for a high common level of security of networks and information systems across the Union” ...... 42

Chapter 4: The International legal framework of Cyber security / Cyber warfare ...... 46
4.1 Resolution A/RES/55/63 adopted by the General Assembly combating the criminal misuse of information technologies ...... 48
4.2 Resolution A/RES/56/121 adopted by the General Assembly combating the criminal misuse of information technologies ...... 48
4.3 Resolution A/RES/57/239 adopted by the General Assembly for the creation of a global culture of cybersecurity ...... 48
4.4 Resolution A/RES/58/199 adopted by the General Assembly for the creation of a global culture of cybersecurity and the protection of critical information infrastructures ...... 49
4.5 Resolution A/RES/64/211 adopted by the General Assembly for the creation of a global culture of cybersecurity and taking stock of national efforts to protect critical information infrastructures ...... 49
4.6 Letter A/66/359 for an “International Code of Conduct for Information Security” from the Permanent Representatives of China, the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary-General ...... 50
4.7 Report A/68/98 of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security ...... 51
4.8 The Tallinn Manual on the International Law Applicable to Cyber Warfare ...... 51
4.9 Microsoft’s initiative entitled “International Cybersecurity Norms: Reducing conflict in an Internet-dependent world” ...... 53

Chapter 5: Redefining the current International Legal Framework to address the new challenges ...... 59
5.1 Cyber-attacks / Cyber warfare under the prism of Jus ad bellum ...... 59
5.2 The level of intensity of cyber operations ...... 65
5.3 The “Scale and Effects” model assessment ...... 67
5.4 The qualitative criteria for cyber-attack evaluation ...... 68

Chapter 6: Multi-attribute decision making methods for cyber-attack evaluation ...... 72
6.1 Introduction ...... 72
6.2 The Simple Additive Weighting (SAW) Method ...... 73
6.3 The Weighting Product Method (WPM) ...... 76
6.4 A new strategy for cyber-attack evaluation in the context of Tallinn Manual ...... 77
6.5 Application of the new cyber-attack evaluation methodology to the Estonian and the Iranian cyber-attacks ...... 80
6.6 Cyber-attack evaluation using criticality analysis methodologies: A proactive cyber defence tool ...... 84

Chapter 7: Difficulties for the implementation of International Law to Cyber-attacks / Other Methods for Cyber-attack Evaluation ...... 88
7.1 Limitations in Jurisdiction ...... 88
7.2 The problem of Attribution ...... 90
7.3 Related work in the field of cyber-attack evaluation assessment ...... 96
7.3.1 The technology-centric modelling assessment ...... 96
7.3.2 The social-centric modelling assessment ...... 97
7.3.3 The cyber-situational awareness modelling assessment ...... 98

Chapter 8: Conclusions ...... 101
8.1 Summary and discussion ...... 101
8.2 Publications ...... 103
8.3 Future work ...... 104
8.4 Concluding remarks ...... 105

References ...... 108

List of Figures

Figure 1: Phases of Cyber Conflict History (Healey, 2013) ...... 20
Figure 2: Level of intensity of cyber operation (Pipyros et al., 2016) ...... 66
Figure 3: The qualitative scale for cyber-attacks evaluation proposed by Michael Schmitt ...... 75
Figure 4: The schematic diagram of the new methodology for cyber-attack evaluation ...... 77
Figure 5: Techniques for Cyber Attack Attribution (Wheeler & Larsen) ...... 93

List of Tables

Table 1: The qualitative criteria for cyber-attack evaluation (The Tallinn Manual, 2013) ...... 69
Table 2: The decision table in MADM methods ...... 72
Table 3: The decision table for kinetic and cyber-attacks (Michael, Wingfield and Wijesekera) ...... 74
Table 4: Ranking using the SAW method ...... 74
Table 5: Ranking using the WPM method ...... 76
Table 6: The decision table for kinetic and cyber-attacks for “Intensity” score calculation ...... 78
Table 7: Ranking using the SAW method for “Intensity” score calculation ...... 78
Table 8: Calculating the “Total Intensity” score ...... 78
Table 9: Calculating the overall score ...... 79
Table 10: The decision table for the Estonian and the Iranian cyber-attacks ...... 80
Table 11: Ranking using the SAW method for the Estonian and the Iranian cyber-attacks ...... 80
Table 12: Ranking using the WPM method for the Estonian and the Iranian cyber-attacks ...... 81
Table 13: The decision table for the cyber-attacks against Estonia and Iran for “Intensity” score calculation ...... 82
Table 14: Ranking using the SAW method for the Estonian and the Iranian cyber-attacks ...... 82
Table 15: Calculating the “Total Intensity” score for the Estonian and the Iranian cyber-attacks ...... 82
Table 16: Calculating the overall score for the Estonian and the Iranian cyber-attacks ...... 83

List of Equations

Equation 1: Overall score with SAW method ...... 74
Equation 2: Overall score with WPM method ...... 76

List of Acronyms

CCD COE Cyber Defence Center of Excellence
CI Critical Infrastructure
CII Critical Information Infrastructure
CIP Critical Infrastructure Protection
CNO Computer Network Operation
CSDP Common Security and Defence Policy
CSIRT Computer Security Incident Response Team
DCOG Defence Cyber Operations Group
DDoS Distributed Denial of Service
DoD Department of Defence
ECIs European Critical Infrastructures
ENISA European Network and Information Security Agency
EPCIP European Programme for Critical Infrastructure Protection
EC3 European Cybercrime Centre
EU European Union
EUROJUST European Union’s Judicial Cooperation Unit
EUROPOL European Union’s Law Enforcement Agency
FBI Federal Bureau of Investigation
GSD General Staff Department
ICTs Information and Communication Technologies
IDSs Intrusion Detection Systems
IGEs International Group of Experts
IHL International Humanitarian Law
IoT Internet of Things
IP Internet Protocol
IWM Information Warfare Monitor
MADM Multi-Attribute Decision Making
MIT Massachusetts Institute of Technology
MUCD Military Unit Cover Designator
NASA National Aeronautics and Space Administration
NATO North Atlantic Treaty Organisation
NCSS National Cyber Security Strategy
NGOs Non-Governmental Organizations
NIPRNET Non-Classified Internet Protocol Router Network
NIS Network and Information Security
NSA National Security Agency
PLA People’s Liberation Army
PRC People’s Republic of China
SAW Simple Additive Weighting method
SCADA Supervisory Control and Data Acquisition
SCO Shanghai Cooperation Organization
SI Software-Intensive systems
UN United Nations
USA United States of America
USCYBERCOM United States Cyber Command
WANK Worms Against Nuclear Killers
WPM Weighting Product Method

Chapter 1: Introduction

1.1 Research context and motivation

We are living in the cyber-age. In the 21st century the rapid development of Information and Communication Technologies (ICTs) has fundamentally transformed the global economy and the way of life. Public safety, transportation and communication, energy, healthcare, logistics, government and education use cutting-edge technologies such as intelligent sensors, wireless communication, cloud computing and data analysis techniques, with a variety of applications within different infrastructures, in order to provide instant access to information and communication and to create new economic opportunities. The Internet of Things (IoT), in which billions of things such as devices, applications and networks are interconnected and are capable of interacting without any human intervention, is changing the perspective of our lives by providing a new world full of possibilities to help advance prosperity. However, the more independent of human intervention systems, infrastructures, societies and economies become, the higher their vulnerability and the more complex it is to deal with the new risks and threats that menace the sovereignty of states and the well-being of societies and citizens. The integration of new technologies enabled by cloud computing services is growing together with an interlinkage of infrastructures, which amounts to a new dimension of vulnerability. The increasing number and complexity of cyber-threats in recent years are transforming cyberspace into a new battlefield, with “the mouse and the keyboard being the new weapons”, bringing out “cyber warfare” as the “5th dimension of war” (The Economist, 2010).
The wide range of cyber-attacks against Estonia’s Critical Information Infrastructures (CIIs) in 2007, following the country’s spat with Russia over the removal of a war memorial, were the first large-scale attacks meant to harm the functionality of the state and to cause a number of adverse effects on the operation of public administration and the economy (Tikk et al., 2010). The assault quickly led to the cultivation of fear among citizens and to the destabilization of the country’s financial system, threatening Estonia’s national security. A smaller range of cyber operations followed, such as the cyber-attacks against Georgia (June 2008), Lithuania (August 2008), Kazakhstan (January 2009) and Ukraine (March and May 2014). Meanwhile, Advanced Persistent Threats (APTs) (Virvilis and Gritzalis, 2013a) clearly demonstrate that cyber warfare is an increasingly alarming phenomenon. Examples include “Ghostnet” (Kassner, 2009), a large-scale cyber spying operation against the US; “Operation Aurora” (Zetter, 2010), a targeted malware attack against at least 30 major US companies, including Google and Adobe; “” (Farwell and Rohozinski, 2011), a zero-day malware leading to sabotage against Iran’s nuclear program; and “DarkSeoul” (Virvilis and Gritzalis, 2013b), a sophisticated malware that attacked South Korean financial institutions and the Korean broadcaster YTN (Sang-Hun, 2013). All these incidents brought about a series of discussions over the issue of cyber-attacks and their eventual political, economic and social impacts on the victim state, but also over their impact on international relations regarding this new kind of warfare and its consequences for the global strategic environment.

1.2 Research statement and approach

In February 2013, the European Commission and the High Representative of the EU for Foreign Affairs and Security Policy (Joint Communication, European Commission, 7.2.2013) published the EU cybersecurity strategy. This strategy declared that ‘The EU’s core values apply as much in the digital as in the physical world. The same laws and norms that apply in other areas of our day-to-day lives apply also in the cyber domain.’ It set five strategic priorities to address cyber threats, including the development of cyber defence policy and capabilities related to the Common Security and Defence Policy (CSDP). One of the strategic priorities was the development of cyber defence capabilities, policies and collaboration at EU level between civilian and military stakeholders, as well as at the international level between the EU and other international partners like NATO, the UN and the Organization for Security and Co-operation in Europe (OSCE), as well as centres of excellence, industry and academia. In 2016 the Joint Declaration between the President of the European Council, the President of the European Commission and the Secretary General of the North Atlantic Treaty Organisation (Warsaw, 8.8.2016) paved the way for substantive future collaboration between the EU and NATO, with cybersecurity having a prominent role. The second important development has been the adoption by the European Parliament and the Council of the Directive on Security of Network and Information Systems (the NIS Directive) (European Parliament and Council 2013). Though not directly connected to the CSDP, this was nevertheless the first piece of EU-wide legislation on cybersecurity and at the same time the vehicle for shaping policies and cyber capacities at both the EU and the member-state level (NATO Allies).
To meet the emerging cyber security threats, most countries at the European and the international level have declared digital infrastructure a strategic national asset and developed national cyber security strategies that set strategic principles, guidelines, objectives and specific technical measures in order to mitigate the risks associated with cyber security (National Cybersecurity Strategies Map, ENISA). Such decisions reflect the need to address the challenges posed by cyber-attacks that could be qualified as cyberwar actions. The continuous increase in both the number and the intensity of cyber-attacks on states’ CII makes research on defining and evaluating these categories of cyber-attacks a pressing need.

However, being able to precisely define, evaluate and categorize cyber-attacks is becoming increasingly difficult. The technical complexity of systems, the growing variety of exploitable attack vectors and the ubiquitous integration of Internet technology into all aspects of our daily lives compound the problem. The failure to adopt a comprehensive approach to the problem is frequently the norm, leading to an incomplete understanding of cyber-attacks and a failure to provide an appropriate solution. A first range of questions relates to the adequacy and suitability of the existing “old” legal framework – developed over generations to be applied to attacks using kinetic weapons and armed violence – and of the terminology it uses (such as force and aggression) to control “the brave new world of cyber warfare” (Jolley, 2013). We have to bear in mind that terms themselves, such as CII, are steadily evolving due to the impact of the advancing domination of online communications and cyberspace over the “real world”, and of ubiquitous computing. The difficulties in defining and identifying the effects and impacts of a cyber-attack so that it can be equated to an “armed attack” are obvious: whereas in the “traditional” legal framework emphasis is placed on human and/or material destruction, authors are also arguing for the “unavailability” of CII as an equivalent criterion (Tsagourias, 2012). Despite the progress made at the regulatory and research levels to address the issues raised, there are still significant gaps in reaching a safe and definitive approach to when a cyber-attack constitutes a wrongful “use of force” or when the right to self-defence should be recognized (Robinson et al., 2015). A plethora of cyber-attack evaluation methods exist today that help to understand the complexity of cyber-attacks. Most of these models, however, focus on delivering insight from a unidimensional perspective: technical detail or understanding of human-centric factors.
Moreover, these approaches do not provide a holistic evaluation of the effects of cyber-attacks on states’ CII that would establish a basic situational awareness and define the appropriate countermeasures. According to Happa and Fairclough (2017), the existing literature on cyber-attack evaluation models can be divided into three broad categories: technology-centric models, social-centric models, and cyber-situational awareness and understanding models. Technology-centric models seek to define cyber operations from a technical perspective (e.g. how a piece of malware operates or how a vulnerability can be exploited). Social-centric models attempt to understand cyber-attacks from a human perspective; their approaches range from the identification of non-trustworthy individuals who might represent a cyber security risk to the discovery of how human-behavioural failures can be exploited as part of the cyber-attack process. Cyber situational awareness and understanding models adopt a high-level approach to considering cyber-attacks and focus on the environment in which the cyber-attack occurs and its resultant impact upon different elements.

However, as has already become apparent, it is no longer possible to consider only the technological, social or situational awareness perspective of cyber-attacks; it is essential to think of all the related aspects together. Furthermore, the above-mentioned technology-centric, social-centric and cyber-situational awareness models fail to accurately identify the extent of the impact of cyber-attacks on socioeconomic sectors such as public safety, transportation and communications, energy, healthcare, logistics, government and education, as well as the economic and psychological impacts that are directly linked to the collapse or degradation of CII. In addition, none of the above-mentioned cyber-attack evaluation methods is linked to international law and to the extent of the consequences related to interstate violence. For those reasons, in this thesis a new systematic modelling methodology for evaluating the effects of cyber-attacks on states’ CII is introduced. This is primarily achieved by adopting an “effects-based” or “consequences-based” approach, which focuses on the overall effect of a cyber operation on the victim state, and by using the qualitative criteria for recognizing the impact of cyber-attacks proposed by the International Group of Experts (IGEs) in the Manual of the International Law applicable to Cyber warfare (The Tallinn Manual, 2013). Furthermore, Multi-Attribute Decision Making (MADM) algorithms are applied, more specifically the Simple Additive Weighting (SAW) method and the Weighting Product Method (WPM). The analysis focuses on the United Nations Charter’s normative scheme of the “use of force”, in order to define whether these attacks constitute a “use of force” under the principles of international law. By using the qualitative criteria proposed by the IGEs for recognizing the impact of cyber-attacks and by applying MADM methods, cyber-attack evaluation results are presented.
For the analysis, a case study of kinetic and cyber-attacks on a Supervisory Control and Data Acquisition (SCADA) system is employed. The pros and cons of the SAW method and the WPM are evaluated. The weaknesses of applying the SAW method to cyber-attack modelling assessment, as well as the difficulty of defining an appropriate quantitative scale for the classification of such attacks when using WPM (due to the nonlinear relationship between attributes and overall score in WPM), lead us to the creation of a new systematic evaluation strategy. The new cyber-attack evaluation methodology combines the use of the above-mentioned decision-making algorithms and introduces a new grouping of the IGEs’ qualitative criteria, based on their distinctive features, for achieving an improved cyber-attack modelling assessment. Different quantitative scales are applied to the distinct qualitative criteria groups in order to quantify them according to their characteristics. The new cyber-attack evaluation methodology is applied to real-life cyber-attacks, namely the large-scale attacks against Estonia and Iran, and cyber-attack evaluation results are presented. The correlation of both qualitative and quantitative methods of analysis allows us to achieve an improved cyber-attack evaluation assessment and, as a result, a more accurate and complete cyber-attack classification. The usefulness of the methodology is perceived in areas where there is uncertainty or disagreement in a number of legal analyses, and in making available a means for addressing all issues having to do with interstate violence. The threshold inquiry is crucial to assessing the level of violence between states in order to justify a lawful response. Because the UN Charter prohibits the unauthorized “use of force”, a state must be able to quickly and safely assess whether a cyber-attack constitutes a “use of force” triggering international condemnation and economic sanctions, (active) “cyber self-defense”, or an “armed attack” (with the use of conventional military weapons) as a forceful response.

There were significant obstacles during the development of the new cyber-attack evaluation methodology. The most crucial was that at the beginning of the research it was not clear if international law applied to cyber operations, whether in offense or defence. On one side, Russia, China and other countries were in favour of an international treaty, similar to those agreed on chemical weapons, and have pushed for such an approach to regulating cyberspace (O’Connell, 2012). On the other side, the United States has repeatedly resisted such proposals, arguing in favour of an update of the international law rules so that they can address these issues properly. In 2011, the United States set forth its position on the matter in the “International Strategy for Cyberspace”, where it is mentioned that “the development of norms for state conduct in cyberspace does not require a reinvention of customary international law, nor does it render existing international norms obsolete. Longstanding international norms guiding state behaviour in times of peace and conflict apply to cyberspace” (The White House Cyber Strategy, 2011).
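As an added illustration of the two MADM methods named above (this is example code, not code from the dissertation), the following Python computes SAW and WPM scores for a constructed decision table with two alternatives, a kinetic and a cyber-attack on a SCADA system. The criterion names are the eight factors used by the Tallinn Manual’s International Group of Experts; the weights and the 1–10 scores are constructed for the example and are not the dissertation’s own values. The example also makes the scale problem mentioned above concrete: raising one attribute by a fixed amount shifts the SAW score by a constant (weight times increment), whereas it multiplies the WPM score by a factor that depends on the attribute’s current level, so no single linear scale maps WPM scores onto classification bands.

```python
"""SAW and WPM scoring of a multi-attribute decision table (added example)."""
from math import prod

# The eight factors of the Tallinn Manual's International Group of Experts
# for judging whether a cyber operation approaches a "use of force".
CRITERIA = (
    "severity", "immediacy", "directness", "invasiveness",
    "measurability", "military_character", "state_involvement",
    "presumptive_legality",
)

# Constructed weights for this example (they sum to 1); the dissertation's
# own weights are not given on this page.
WEIGHTS = {
    "severity": 0.25, "immediacy": 0.10, "directness": 0.10,
    "invasiveness": 0.15, "measurability": 0.10, "military_character": 0.10,
    "state_involvement": 0.10, "presumptive_legality": 0.10,
}

# Constructed decision table: scores on a 1-10 scale, higher = closer to
# the "use of force" end of each factor. Not the dissertation's figures.
DECISION_TABLE = {
    "kinetic_strike_on_scada": {
        "severity": 9, "immediacy": 9, "directness": 9, "invasiveness": 8,
        "measurability": 9, "military_character": 9,
        "state_involvement": 8, "presumptive_legality": 8,
    },
    "cyber_attack_on_scada": {
        "severity": 6, "immediacy": 4, "directness": 5, "invasiveness": 7,
        "measurability": 4, "military_character": 5,
        "state_involvement": 6, "presumptive_legality": 5,
    },
}


def validate_weights(weights, tol=1e-9):
    """Reject weight vectors that are negative or do not sum to one."""
    if any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative")
    if abs(sum(weights.values()) - 1.0) > tol:
        raise ValueError("weights must sum to 1")


def saw_score(scores, weights=WEIGHTS):
    """Simple Additive Weighting: weighted sum, linear in every attribute."""
    validate_weights(weights)
    return sum(weights[c] * scores[c] for c in weights)


def wpm_score(scores, weights=WEIGHTS):
    """Weighting Product Method: product of attributes raised to their weights."""
    validate_weights(weights)
    # A zero (or negative) attribute would wipe out the whole product, so WPM
    # needs a strictly positive scale; this is one reason SAW and WPM rank
    # the same table differently near the low end.
    if any(scores[c] <= 0 for c in weights):
        raise ValueError("WPM needs strictly positive scores")
    return prod(scores[c] ** weights[c] for c in weights)


def rank(table, method):
    """Alternatives ordered from highest to lowest score under `method`."""
    return sorted(table, key=lambda alt: method(table[alt]), reverse=True)


def wpm_relative(scores_a, scores_b, weights=WEIGHTS):
    """Ratio form of WPM: > 1 means A dominates B. Only attribute ratios
    matter, so the result is independent of each attribute's unit."""
    return prod((scores_a[c] / scores_b[c]) ** weights[c] for c in weights)


def marginal_effect(scores, criterion, delta, weights=WEIGHTS):
    """How each method's score moves when one attribute rises by `delta`:
    SAW shifts by weight*delta (linear), WPM is multiplied by
    ((x+delta)/x)**weight (depends on the current level x)."""
    bumped = dict(scores, **{criterion: scores[criterion] + delta})
    return {
        "saw_difference": saw_score(bumped, weights) - saw_score(scores, weights),
        "wpm_ratio": wpm_score(bumped, weights) / wpm_score(scores, weights),
    }


if __name__ == "__main__":
    for name, scores in DECISION_TABLE.items():
        print(f"{name:26s} SAW={saw_score(scores):.2f} WPM={wpm_score(scores):.2f}")
    print("SAW ranking:", rank(DECISION_TABLE, saw_score))
    print("WPM ranking:", rank(DECISION_TABLE, wpm_score))
    print("severity +2 on the cyber case:",
          marginal_effect(DECISION_TABLE["cyber_attack_on_scada"], "severity", 2))
```

With this table both methods rank the kinetic strike above the cyber-attack, as expected when one alternative scores at least as high on every factor. The interesting output is `marginal_effect`: the SAW difference is always 0.25 × 2 = 0.5 whatever the starting severity, while the WPM ratio is (8/6)^0.25 here but would be (4/2)^0.25 for a starting severity of 2, which is the nonlinearity that makes a fixed WPM threshold hard to interpret.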
Besides, the threshold question of the “Tallinn Manual of International Law applicable to cyber warfare” (2013) was whether the existing international law rules apply to cyber issues at all and, if so, how. The IGEs were unanimous in their estimation that both the Jus ad bellum, the body of international law that governs a state’s resort to force as an instrument of its national policy, and the Jus in bello, the international law regulating the conduct of armed conflict, apply to cyber operations. Following the same interpretation, the European Commission, in its proposal for a cyber security strategy, emphasized that “the legal obligations enshrined in the International Covenant on Civil and Political Rights, the European Convention on Human Rights and the EU Charter of Fundamental Rights should be also respected online” and pointed out that “if armed conflicts extend to cyberspace, International Humanitarian Law and, as appropriate, Human Rights law will apply to the case at hand” (Joint Communication, European Commission, 2013). However, even though there is a general – if not universal – agreement in the legal literature that both Jus ad bellum and Jus in bello are applicable to cyber warfare, there is a huge amount of disagreement and confusion as to how they are applicable. Legitimate state activity in cyberspace remains an unfulfilled task amongst the international community due to the lack of precedent to guide international regulation of cyberspace intrusions and the rapid spread of cyber warfare (Meyer, 2012).

Another important limitation during our research was the technical complexity of determining the perpetrators and of positively identifying the key actors of cyber operations, which makes the “attribution” problem very difficult to handle. Establishing accountability for cyber-attacks is a very complicated issue. Attribution, in the context of cyber warfare, presents unique difficulties that are not apparent in other, conventional means and methods of armed conflict. For example, cyber weapons are easy to conceal because they are just abstract patterns of bits, looking like legitimate data and programs until subjected to detailed inspection (Ween et al., 2017). Furthermore, cyber weapons do not require physical proximity of the attacker to the victim, since information is automatically and quickly forwarded on the Internet, and most of the time they are unlikely to come with intrinsic attribution data, given the ability of cyber weapons to leave no traces (Brenner, 2007). In addition, cyber weapons can easily implement delayed effects after they are installed, waiting for the right conditions or specified times to act (the Stuxnet worm and the cyber operation against Iran is the most representative example). This means that the relationship between cause and effect of a cyber weapon can be difficult to observe and specific countermeasures difficult to apply (Schmitt and Vihul, 2014). Finally, a key problem with attributing cyber aggression to a state is that much of the evidence will likely be circumstantial (data can be changed easily without leaving traces) and will not meet the legal requirements for assigning state responsibility. Thus, even if a state is entirely sure who the attacker was, it may be unable to justify a lawful response to the international community (O’Connell, 2012).
The above-mentioned difficulties and restrictions are taken into account in the development of the new cyber-attack evaluation methodology. Through a critical review and transformation of international law rules, a classification of cyber-attacks under the prism of international law is presented. The lack of clarity on when a cyber-attack would constitute a “use of force” under Article 2(4) of the UN Charter is the core research question that this dissertation addresses. Additionally, the dissertation approaches the multi-layered process of attribution in combination with the variety of jurisdictional bases in international law, which makes the successful tackling of cyber-attacks difficult. The combination of qualitative and quantitative methods of analysis and the joining of international law with multi-attribute decision making systems is the core element that differentiates our methodology.

1.3 Contributions

In summary, this thesis makes the following contributions. It sets the boundaries of cyber warfare by providing a straightforward definition that helps to avoid confusion and misperception with other uses of cyber-attacks such as cybercrime, cyber espionage, cyber terrorism and “hacktivism”. These areas are nevertheless inevitably intertwined with cyber warfare, because the actors involved often support the aims of sovereign states or contribute technology and methodology that are adapted by the growing cyber operations within the military or intelligence operations of states (Stiennon, 2016). Furthermore, it traces the history of cyber warfare and provides an overview of the “cyber-warfare” phenomenon by examining its evolutionary process from the early stages of its appearance until today. The three phases of cyber warfare, namely the realization, take-off and militarization phases, are critically analyzed, and a number of crucial cyber-attacks of each phase are taken into consideration in order to show the development of cyber warfare and the rise of cyber threats worldwide. Furthermore, it presents a critical review of the existing legal framework of cyber warfare at the European and international levels. It examines the main approaches of states on the matter, the differences between these approaches and how they have influenced its evolution through the years. These approaches and the role of international organizations were the axes that have contributed substantially to the development of the legal framework as it exists today and to a culture of cybersecurity worldwide. In addition, the thesis provides a thorough analysis and transformation of international law rules in order to respond to the new challenges that arise. A classification of cyber-attacks under the prism of these rules is applied. Moreover, taking into account the legal uncertainty and the inability to implement the traditional rules of international law in cyber warfare in order to face the new reality of cyber weapons, the thesis identifies technical, legal and, last but not least, political difficulties in applying international law rules to cyber warfare.
Finally, the thesis reviews the existing literature on cyber-attack evaluation models and categorizes them into three broad categories, namely the technology-centric models, the social-centric models and the cyber-situational awareness and understanding models. Conclusively, the dissertation contributes the development of a new systematic modelling methodology, using qualitative and quantitative methods of analysis, for evaluating the effects of cyber-attacks on states’ CII. This is primarily achieved by exploiting the theory of international law and by using multi-attribute decision making systems. The correlation of qualitative and quantitative methods of analysis makes it possible to achieve an improved cyber-attack evaluation assessment and, as a result, a more accurate and complete cyber-attack classification. The new methodology is applied to real-life cyber-attacks, namely the large-scale attacks against Estonia and Iran, and useful conclusions are drawn, fulfilling the aim of the research. Beyond that, a critical review of the existing cyber-attack evaluation models and of risk-based criticality analysis methodologies against the new cyber-attack evaluation methodology is presented, highlighting similarities and differences.


1.4 Dissertation outline

The rest of the dissertation is organized as follows. Chapter 2 focuses on the globalization of the “cyber warfare” phenomenon by observing its evolutionary process from the early stages of its appearance until today. Through a comprehensive review of the history of cyber warfare, the chapter examines the scope, duration and intensity of major cyber-attacks, the impact they caused, the reaction of the states that were their victims, and the impact caused on the international environment. Chapter 3 aims to sketch the existing regulatory framework at the European level for protecting critical infrastructures from large-scale cyber-attacks and for creating an open, safe and secure cyberspace. Chapter 4 analyzes cyber-attacks and “cyber warfare” from the perspective of the international legal framework and further clarifies the decisive role of states (USA, Russia, China) and international organizations in its evolution. The chapter concludes that the existing legal framework seems inadequate to deal effectively with cyber operations and, from a strictly legal standpoint, it indicates that addressing cyber-attacks does not fall within the jurisdiction of just one legal branch. This is mainly because the concept of cyber warfare itself is open to many different interpretations, ranging from cyber operations performed by states within the context of armed conflict, under International Humanitarian Law (IHL), to illicit activities of all kinds performed by non-state actors, including cybercriminals and terrorist groups. Chapter 5 sets the theoretical background of the new cyber-attack evaluation methodology. For the first time to our best knowledge, a classification of cyber-attacks under the prism of international law is undertaken, while a thorough analysis and transformation of these rules is carried out in order to respond to the new challenges that arise.
Chapter 6 introduces the development of a new systematic modelling methodology for evaluating the effects of cyber-attacks on states’ CII with the use of qualitative and quantitative methods of analysis. This is primarily achieved with the use of the qualitative criteria proposed by the IGEs in the “Tallinn Manual” and the application, for the first time to our best knowledge, of multi-attribute decision making algorithms to cyber-attack evaluation. More specifically, the pros and cons of the Simple Additive Weighting (SAW) method and the Weighted Product Method (WPM) lead us to present a new evaluation strategy which combines the use of the abovementioned decision-making algorithms and introduces a new grouping of the IGEs’ qualitative criteria based on their distinctive features. For the analysis of the new cyber-attack evaluation methodology, a case study of kinetic and cyber-attacks on a Supervisory Control and Data Acquisition (SCADA) system is employed.
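The outline above names the Simple Additive Weighting (SAW) method and the Weighted Product Method (WPM) but does not show how either aggregates criterion scores, or why their pros and cons matter. The following Python block is an added illustration and is not code from the dissertation; it does not reproduce the thesis’s combined strategy or its grouping of criteria. It assumes three criterion names (taken from the Tallinn Manual’s qualitative factors), equal weights and constructed scores on a common 1–10 scale, and it shows that the two methods can rank the same two attacks in opposite order: SAW rewards a high total even when one criterion is weak, while WPM’s multiplicative form penalizes any weak criterion. That kind of rank reversal is exactly what makes the choice of aggregation method part of the evaluation problem.

```python
"""SAW vs WPM on constructed cyber-attack criterion scores.

Added example, not the dissertation's own implementation.  Criterion names,
weights and scores are assumptions chosen to expose a rank reversal.
"""
from math import isclose, prod

# Assumed criterion names: three of the Tallinn Manual's qualitative factors.
# The thesis uses the full set and its own grouping; this is a reduced set.
CRITERIA = ("severity", "immediacy", "directness")

# Constructed scores on a common 1-10 scale (higher = stronger indication of
# a "use of force").  attack_A is extreme on two criteria and weak on one;
# attack_B is moderate throughout.
SAMPLE_ATTACKS = {
    "attack_A": {"severity": 10, "immediacy": 10, "directness": 2},
    "attack_B": {"severity": 6, "immediacy": 6, "directness": 6},
}

# Equal weights, a constructed assumption; real weights come from the analyst.
EQUAL_WEIGHTS = {c: 1 / len(CRITERIA) for c in CRITERIA}


def _check_weights(weights):
    """Both methods assume the weights form a convex combination."""
    if not isclose(sum(weights.values()), 1.0, abs_tol=1e-9):
        raise ValueError("weights must sum to 1")


def saw_scores(attacks, weights):
    """SAW: normalise each criterion by its column maximum, then weighted sum.

    The additive form lets a very strong criterion compensate for a weak one.
    """
    _check_weights(weights)
    col_max = {c: max(a[c] for a in attacks.values()) for c in weights}
    return {
        name: sum(weights[c] * scores[c] / col_max[c] for c in weights)
        for name, scores in attacks.items()
    }


def wpm_scores(attacks, weights):
    """WPM: weighted geometric aggregation (product of score ** weight).

    No normalisation is needed because ratios are scale-free, but a low score
    on any criterion pulls the whole product down.
    """
    _check_weights(weights)
    return {
        name: prod(scores[c] ** weights[c] for c in weights)
        for name, scores in attacks.items()
    }


def rank(scores):
    """Alternative names ordered best-first."""
    return sorted(scores, key=scores.get, reverse=True)


def compare_methods(attacks=SAMPLE_ATTACKS, weights=EQUAL_WEIGHTS):
    """Run both methods and report whether they disagree on the ranking."""
    saw_rank = rank(saw_scores(attacks, weights))
    wpm_rank = rank(wpm_scores(attacks, weights))
    return {"saw": saw_rank, "wpm": wpm_rank, "rank_reversal": saw_rank != wpm_rank}


if __name__ == "__main__":
    print("SAW:", saw_scores(SAMPLE_ATTACKS, EQUAL_WEIGHTS))
    print("WPM:", wpm_scores(SAMPLE_ATTACKS, EQUAL_WEIGHTS))
    print(compare_methods())
```

With the constructed scores, SAW places attack_A first (7/9 against 11/15) because two maximal criteria outweigh one weak one, whereas WPM places attack_B first (6 against the cube root of 200). Any evaluation that reports a single ranking therefore has to state which aggregation it used, or, as the thesis proposes, combine the two.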


Moreover, the new methodology is applied to real-life cyber-attacks, namely the large-scale attacks against Estonia and Iran, and the cyber-attack evaluation results are presented. The correlation of qualitative and quantitative methods of analysis makes it possible to achieve an improved cyber-attack evaluation assessment and, as a result, a more accurate and complete cyber-attack classification. Furthermore, taking the proposed cyber-attack evaluation methodology as a starting point, it is recognized that the same qualitative criteria proposed by the International Group of Experts for the evaluation and categorization of cyber-attacks are also employed as impact factors in risk-based criticality analysis methodologies to prioritize assets and infrastructures. More specifically, there is a strong interdependency between the proposed cyber-attack evaluation methodology and risk-based criticality analysis methodologies, since both use the same qualitative criteria during their evaluation process. For those reasons, we propose the assessment of cyber-attacks by adopting risk-based criticality analysis methodologies. Chapter 7 focuses on two major issues relating to cyber operations, namely “attribution” and “jurisdiction”. The multi-layered process of attribution, in combination with the variety of jurisdictional bases in international law, makes the successful tackling of cyber-attacks difficult. The chapter aims to identify technical, legal and, last but not least, political difficulties and to emphasize the complexity of applying international law rules to cyber operations. Furthermore, it presents the related work in the field of cyber-attack modelling assessment and, more specifically, a comparative analysis of the proposed methodology with previous cyber-attack evaluation methodologies is carried out. Chapter 8 presents conclusions, recommendations, publications and proposals for future research.
The purpose of the new cyber-attack evaluation methodology is not to provide an absolute algorithm for producing the “right answer” for any given input. Although the methodology is an important instance of interpretive legal triage applied to the issue of cyber warfare under the jus ad bellum, this is not to say that it has resolved the issue definitively. The threshold of a “use of force” must be balanced between, on the one hand, a state’s willingness to avoid any harmful consequences caused by the actions of other states and, on the other hand, its motivation to preserve its own freedom of action. As such, the proposed systematic methodology is applied in order to provide a better modelling evaluation of cyber-attacks in areas where there is ambiguity related to the “use of force” concept. Its usefulness lies in areas where there is uncertainty or disagreement among legal analyses, and in making available a means for addressing the issues having to do with the “use of force” threshold. Future work will focus on the expansion of the proposed methodology by incorporating machine learning and data mining techniques in order to produce a data model that will allow a comprehensive understanding of cyber-attacks and their classification. Moreover, an interdisciplinary assessment of the proposed methodology against past and current works in the field of cyber-attack modelling assessment will be essential for taking full advantage of the proposed techniques in order to expand further research and development. In addition, further research could focus on a comparative study of national cyber security strategies worldwide for the creation of an evaluation framework which will incorporate risk prediction, analysis and reaction tools in order to deal effectively with cyber-attacks. The framework will present risk-based and damage-recovery processes in order to protect effectively and to accelerate damage appraisals after cyber-attacks. Furthermore, leaving behind the field of cyber-attack modelling assessment and taking into account the General Data Protection Regulation (GDPR) (2016/679 EU), an interesting research topic will be the creation of a methodology to guide the implementation of the appropriate measures and to mitigate risk on the basis of an objective data protection impact assessment. Finally, possible paths for future research could concentrate on the development of a research roadmap for cybercrime and cyber terrorism. The dissertation interpolates material from three journal papers and three conference papers coauthored with the members of the supervising committee.


Chapter 2: Background

The chapter focuses on the globalization of the “cyber warfare” phenomenon by observing its evolutionary process from the early stages of its appearance until today. At first, it includes the definition of cyber-related terms in order to create a common understanding of what constitutes cyber warfare. Afterwards, through a comprehensive review of the history of cyber warfare, the chapter examines the scope, duration and intensity of major cyber-attacks, the impact they caused, the reaction of the states that were their victims, and the impact caused on the international environment. The chapter concludes with the specific actions that institutions and international organizations took in order to establish cyber situational awareness and to develop a cybersecurity culture worldwide.

2.1 Cyber-related terms and definitions

In the 21st century, cyberspace is the new frontier, a new world full of possibilities to help advance prosperity. Cyberspace and the rapid development of ICTs have fundamentally transformed the global economy and our way of life by providing billions of people across the world with instant access to information, to communication and to new economic opportunities. New technologies, e-services and interconnected networks have become increasingly embedded in our daily life. At the same time, national security, education, government, healthcare, public safety, as well as sectors such as energy, transportation, communication, e-commerce and financial services are closely related to, if not dependent on, cyberspace and digital technologies. Digitalization has transformed our lives, bringing to the surface innumerable social and economic benefits, while at the same time technological dependencies have altered security risks. As ICTs connect through cyberspace in order to provide the proper functioning of CI and the well-being of citizens, it is clear on the one hand that there is an interdependency between cyberspace and new ICTs and on the other hand that cyberspace plays an important role as the connecting link between them.

Cyberspace is composed of hundreds of millions of interconnected computers, servers, routers, switches and fiber optic cables that allow a state’s proper functioning. It is the global information environment that allows users to create, modify, save, exchange and utilize information through the use of electromagnetic spectra and the interdependence of interconnected networks. Having said that, one cannot overlook the fact that cyberspace is defined more by the social interactions involved than by its technical features and implementations.
It is a domain that is becoming more and more a communication channel for information exchange between people, functioning in accordance with formal rules and legal regulations in use in the territories of particular countries and operating thanks to the connection of technical resources located on the territory of every single country (Morningstar and Farmer, 2003). Kuehl (2009) identifies four aspects that a cyberspace definition should reflect: firstly, an operational space that people and organisations use to act and create effects, either solely in cyberspace or across into other domains; secondly, a natural domain made up of electromagnetic activity and entered using electronic technology; thirdly, an information-based domain where people enter cyberspace in order to create, modify, exchange and exploit information; fourthly, interconnected networks allowing electromagnetic activity to carry information. Conclusively, Kuehl reflects these four aspects in a comprehensive definition according to which cyberspace is “a global domain within the information environment whose distinctive and unique character is framed by the use of electronics and electromagnetic spectrum to create, store, modify, exchange, and exploit information via interdependent and interconnected networks using information-communication technologies”. His definition accurately communicates the unique aspects of cyberspace. Furthermore, the US Department of Defence defined cyberspace as “an interdependent and interrelated infrastructural IT network, including the internet, telecommunication networks, computer systems and the systems managing production processes and control in strategic sectors connected to national security” (National Infrastructure Protection Plan, 2009). In conclusion, it is worth mentioning that the Pentagon (2010) acknowledged cyberspace as a new field of war which is vital for military operations, while The Economist, in an online article in July 2010, described cyberspace as the “fifth domain of warfare” after land, sea, air and space.
Critical infrastructure is defined as those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period of time, would have a significant impact on society and the well-being of citizens, or would affect a state’s ability to ensure national stability and security and to conduct national defence (Emergency Management Australia, 2003). Furthermore, the US defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of these matters”. In general, critical infrastructure comprises those facilities, and the body of systems, networks and assets, necessary for a country to function and upon which daily life depends. It also includes some functions, sites and organisations which are not critical to the maintenance of essential services, but which need protection due to the potential danger to the public (nuclear and chemical facilities, for example). Although CI is broadly similar across states, owing to the basic requirements of life, the infrastructure deemed critical can vary according to a nation’s needs, resources and development level.


Furthermore, Critical Information Infrastructure (CII) is defined as “ICT systems that are Critical Infrastructures for themselves or that are essential for the operation of Critical Infrastructures” (2008/114/EC). CII can be seen as an essential part of the comprehensive efforts for Critical Infrastructure Protection. Critical Infrastructure Protection (CIP) covers the protection of a nation’s infrastructure across various sectors such as agriculture, food and water supply, public health, emergency services, commercial and governmental facilities, the defense industrial base sector, information and telecommunications, energy, transportation, banking, finance and the chemical sector. CII is composed of physical components (networks, wires, satellites, computers etc.) and an immaterial component, which is the actual information transported by and through the physical components (ENISA, 2016), and CII protection is focused on the protection of the underlying information infrastructure. As becomes clear, the rapid development of digital technology, its presence in every aspect of human life and the high degree of dependence on cyberspace make information security a common objective for a society’s proper functioning and the well-being of its citizens. Information security, according to the ISO/IEC 27001 (2013) information security standard, is the protection of the so-called C-I-A triad, where confidentiality refers to the process of ensuring that information is accessible only to authorised users, integrity relates to the process of safeguarding the accuracy and completeness of information and of processing methods, and availability refers to ensuring that authorised users have access to information whenever required. Furthermore, since cyber threats are becoming more sophisticated, with the blending of distinct types of attack into more damaging forms, cybersecurity has become a matter of global interest and importance.
As a consequence, most nations today have officially published some form of strategy document outlining their official stance on cyberspace, cyber terrorism, cybercrime and cybersecurity. But what do we really mean when we refer to cyber security? The International Telecommunication Union (ITU) defines cybersecurity as “the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunication systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment” (ITU Global Cybersecurity Agenda, 2008). Furthermore, as the European Commission states in its Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions entitled “Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace”, cybersecurity “commonly refers to the safeguards and actions that can be used to protect the cyber domain, both in the civilian and military fields, from those threats that are associated with or that may harm its interdependent networks and information infrastructure” (Joint Communication 1, European Commission, 2013). In light of the above, cybersecurity can be defined as the protection of cyberspace itself, the electronic information, the ICTs that support cyberspace, and the users of cyberspace in their personal, societal and national capacity, including any of their interests, either tangible or intangible, that are vulnerable to attacks originating in cyberspace. As such, cybersecurity is not necessarily only the protection of cyberspace itself, but also the protection of those that function in cyberspace and any of their assets that can be reached via cyberspace (Solms and Niekerk, 2013). Governments began to realize the need to be fully aware of, and to take action in response to, threats from cyberspace. In 2010, the Pentagon acknowledged cyberspace as a new field for war, after land, sea, air and space, which is vital for military operations (William J. Lynn, 2010). In order to defend CII from cyber-attacks, former US President Barack Obama (2009-2017) declared America’s digital infrastructure a strategic national asset (The White House, 2010). The White House (2011) published a cybersecurity strategy that provides the stance of the USA on cyber-related issues and outlines a unified approach to the USA’s engagement with other countries on cyber issues. Furthermore, former US Secretary of Defense Leon Panetta (2011-2013), during his speech “Defending the nation from cyber-attacks” in 2011, pointed out that this is a pre-9/11 moment and that a cyber-attack perpetrated by nations or violent extremist groups could be as destructive as the terrorist attack on 9/11.
These attacks, which are unleashed on computer networks and are intended to disrupt, degrade and ultimately destroy the CI and the associated services offered through computer systems, are commonly referred to as cyber-attacks and include actions taken to undermine the functions of computer networks for a political or national security purpose (Hathaway et al., 2012). The decision of the US government reflected the need to address the challenges posed by cyber-attacks that could be qualified as acts of cyberwar. Additionally, in the UK, government officials have warned of a lack of preparedness in cyberspace and have announced cybersecurity as a top priority. Taking active steps in that direction, they have announced new investments to bolster cyber defence and have committed 650 million pounds over four years to a transformative National Cyber Security Programme (The UK Cyber Security Strategy, 2011). The continuous increase in both the number and the intensity of cyber-attacks on states’ CII makes research on defining and evaluating these categories of cyber-attacks a pressing need. But what do we really mean when we refer to cyber-attacks? Actually, neither “attack” nor “cyber-attack” is officially defined. However, defining “cyber-attack” is a crucial starting point for analyzing its status under the principles of international law. The term “cyber-attack” can refer to a range of activities conducted through the use of ICTs and taken to undermine the functions of computer networks and systems and eventually to provoke long-lasting, destructive effects. The U.S. National Research Council (2009) defined cyber-attacks as “the use of deliberate action to alter, disrupt, deceive, degrade, or destroy adversary computer systems or networks or the information and programs resident in, or transiting these systems or networks” (Owens et al., 2009). Furthermore, the Shanghai Cooperation Organization (SCO), a security cooperation group composed of China, Russia and most of the former Soviet Central Asian republics, as well as observers including Iran, India and Pakistan, has adopted a much more expansive, means-based approach to cyber-attacks. It defined cyber-attacks as “the threats posed by possible use of ICTs and means for the purposes incompatible with ensuring international security and stability in both civil and military spheres”. Hence, the SCO adopted an expansive notion of cyber-attacks that includes the use of cyber-technology to undermine political or national stability. Additionally, the International Group of Experts in the Tallinn Manual on the International Law Applicable to Cyber Warfare, or “The Tallinn Manual” (2013), defined a cyber-attack as “a cyber-operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects” and cyber operations as “the employment of cyber capabilities with the primary purpose of achieving objectives in or by the use of cyberspace”. In addition, the US DoD Dictionary of Military and Associated Terms defines “cyber operations” as “the employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace”.
The Tallinn Manual on the International Law Applicable to Cyber Warfare slightly modifies this language and defines cyber operations as “the employment of cyber capabilities with the primary purpose of achieving objectives in or by the use of cyberspace”. More descriptively, the International Committee of the Red Cross (ICRC)’s definition refers to “operations against or via a computer or a computer system through a data stream. Such operations aim to do different things, for instance to infiltrate a system and collect, export, destroy, change, or encrypt data or to trigger, alter or otherwise manipulate processes, controlled by the infiltrated computer system” (Droege, 2012). The lack of international consensus on what defines cyber-attacks or cyber-operations extends to other cyber-related terms such as cybercrime, cyber terrorism, cyber war and cyber warfare. More specifically, even though the term cybercrime has entered into common usage, there is still significant confusion amongst academics, computer security experts and users as to the extent of real cybercrime. The Council of Europe’s Cybercrime Treaty uses the term “cybercrime” to refer to offences ranging from criminal activity against data to content and copyright infringement (Convention on Cybercrime, 2001). More specifically, cybercrime is a term used to refer to a wide range of criminal activities involving computers and information systems that are either used as a tool to unleash an attack or are the primary target of an attack. Such criminal activities may include traditional offences such as fraud and forgery, more serious crimes such as internet-based child pornography or racial hatred, and IT-specific offences such as attacks against information systems. As such, the term covers all criminal offences committed with the aid of information technologies and communication networks. Cybercrime includes any crime that is facilitated or committed using a computer network or hardware device and which causes unauthorized network breaches and theft of intellectual property and other data. Generally speaking, cybercrimes can be classified into three categories: (a) crimes that can be committed through computers, (b) crimes which are specific to computers and the Internet, and (c) crimes to which the use of computers and computer networks is incidental (Sieber, 1998). As is evident, any crime where ICTs are used as a tool in the commission of an offence or as the target of an offence is considered a cybercrime. Most cybercrimes are financially motivated and include, but are not limited to, phishing attempts, theft or manipulation of data or services via hacking or viruses, identity theft, and bank or e-commerce fraud based upon stolen credentials (Gordon and Ford, 2006). Additionally, the current legal framework surrounding cyber terrorism is equally complicated. Cyber terrorism can be defined as a politically motivated crime of state and/or non-state actors against computers, networks and the information stored therein. Its aim is to provoke a severe or long-term disruption of public life or to cause serious damage to economic activity, with the intention of severely intimidating the population, of forcing public authorities or an international organisation to carry out, tolerate or omit an act, or of profoundly unsettling or destroying the political, constitutional, economic or social foundations of a state or an international organisation (Austrian Cyber Security Strategy, 2013).
Furthermore, according to the United States Federal Bureau of Investigation, cyber terrorism is “any premeditated, politically motivated attack against information computer systems, computer programs and data, which results in violence against non-combatant targets by sub-national groups or clandestine agents”. As such, cyber terrorism is the use of disruptive activities, or the threat thereof, in cyberspace, with the intention to further social, ideological, religious, political or similar objectives, or to intimidate any person in furtherance of such objectives. Finally, the terms cyberwar and cyber warfare lack an internationally accepted definition. Cyberwar is typically conceptualized as state-on-state action equivalent to an armed attack or use of force in cyberspace that may trigger a military response with a proportional kinetic use of force (Theohary and Rollins, 2015). It refers to acts of war in cyberspace with means which are predominantly associated with information technology. In a broader sense, it implies the support of military campaigns in traditional operational spaces (ground, sea, air and outer space) through measures taken in the virtual space. The US and Russia, in a bilateral policy report on cybersecurity (Godwin et al., 2014), define cyberwar as “an escalated state of cyber conflict between or among states in which cyber-attacks are carried out by state-actors against cyber infrastructure as part of a military campaign”.


However, most policy makers and academics would agree that the term “cyberwar” is a loaded word, since there has yet to occur an act of aggression that comfortably meets the understanding of a “war”. Therefore, the term “cyber warfare” is preferred in the international literature to the term “cyber war”. Cyber warfare “is a more open-ended term, more useful in exploring an environment that is not only virtual but also largely uncharted” (Cornish et al., 2009). It can be defined as “an extension of policy by actions taken in cyberspace by state actors (or by non-state actors with significant state direction or support) that constitute a serious threat to another state’s security, or an action of the same nature taken in response to a serious threat to a state’s security (actual or perceived)” (Shakarian, 2013). Cyber warfare is a state of conflict between two or more political actors characterized by the deliberate, hostile and cost-inducing use of cyber-attacks against an adversary’s critical or military infrastructure with coercive intent to extract political concessions or to acquire a comparative advantage for strategic purposes (Liff, 2012). This means that isolated or small-scale acts of cyber aggression, which do not provoke death or destruction but can still cause damage to CII without having direct kinetic effects, may well still qualify as acts of cyber warfare. Cyber warfare denotes “warlike” acts, even if one can debate whether all actions falling within our concept are truly acts of “war” (Stiennon, 2016). Probably the most important problem relating to cyber-attacks, cyber operations and cyber warfare is the lack of a clear-cut legal framework to define, assess and face such attacks. There is no commonly accepted definition of cyber warfare or of any subsequent actions resulting from it, but rather many cloudy descriptions of the term. Today, no international, legally binding instruments exist to regulate interstate relations in cyberspace.
As a result, there are no clear criteria for determining whether a cyber-attack is criminal, an act of terrorism or a nation-state’s use of force equivalent to an armed attack. Additionally, each state perceives the notion of cyber warfare differently, depending on its priorities and on the interests it serves, which leads to major problems in relation to the fighting of such attacks both on a technical and on an institutional level. The undeveloped and inconsistent legal framework existing at national and international level poses major challenges to cyber defence, as on the one hand the successful prosecution of cyber-attackers, where possible, may rely on legislation not specifically written for cyber offences, and on the other hand there are no universal international agreements on the monitoring, record keeping and cooperation necessary to track and trace attackers. Cyber-attacks often cross multiple jurisdictional, administrative and national boundaries, which means that any efforts to bring perpetrators to justice are often frustrated. So, there is a great need to address the issue at international level through more extensive cooperation among states on evidence collection and criminal prosecution of those involved in cyber-attacks. Inherently, the dissertation addresses this need by setting the threshold to determine whether a cyber-attack constitutes a “use of force” under the principles of international law. However, before we proceed to that, it will be interesting to follow the history of cyber warfare from the early stages of its appearance until today.

2.2 A short history of cyber warfare

Healey (2013), in his book “A Fierce Domain: Conflict in Cyberspace from 1986 to 2012”, divided the history of cyber warfare into three evolutionary stages, as follows: a) the “realization phase” during the early era of the Internet; b) the “take-off phase” during the interim period before and after 9/11, in which attacks were still mainly of an information-gathering nature; and c) the “militarization phase”, during which cyber warfare may cause damage to a state’s strategic capabilities and critical infrastructure comparable to that of a large-scale kinetic attack. Figure 1 below describes these stages:

| Stages | Realization | Take-off | Militarization |
|---|---|---|---|
| Timeframe | 1980s | 1998-2003 | 2003-present |
| Dynamics | Attackers have advantage over defenders | Attackers have advantage over defenders | Attackers have advantage over defenders |
| Who has capabilities? | United States and few other superpowers | United States and Russia, with many small actors | United States, Russia, China, and many more actors with substantial capabilities |
| Adversaries | Hackers, espionage agents, viruses, and worms | Hacktivists, patriotic hackers, viruses, and worms | Neo-hacktivists, malware, national militaries, spies and their proxies, hacktivists |
| Major incidents | The Siberian Gas Pipeline Explosion (1982), Morris Worm (1988), The WANK Worm (1989), Rome Labs (1994), Citibank (1994) | Solar Sunrise, Moonlight Maze, Allied Force, Chinese Patriot Hackers | Titan Rain, Estonia, Georgia, Iran (Stuxnet) |
| US doctrine | Information Warfare | Information Operations | Cyber warfare |

Figure 1: Phases of Cyber Conflict History (Healey, 2013)

2.3 The increasing growth of cyber operations

From the “Morris worm” (Eisenberg et al., 1989) of the “realization phase” and “Moonlight Maze” (Elkus, 2013) of the “take-off phase”, we move forward to the modern “militarization phase”, with the “Stuxnet” worm (Langner, 2013) being the most sophisticated malware attack publicly recorded. The aim of this sub-chapter is to present the three phases of cyber warfare mentioned above and to illustrate the evolutionary development of cybersecurity culture worldwide. In the following sections the increasing growth of cyber operations is analyzed by examining a number of key touchstones.


2.3.1 The realization phase

The first instances of this type of offence can be traced back to the 1980s, and they evolved together with rapid technological change, including the growth of the Internet itself. These incidents are considered the first large-scale attacks and acted as wake-up calls to governments and the scientific community. In the following subsections three of the most interesting early cases of the first phase of cyber conflict history are discussed, namely the Siberian gas pipeline explosion, the Morris worm and the WANK worm, in terms of the pace of the events, the scale of their effects and the consequences for the targeted states and for the international community.

2.3.1.1 The Siberian Gas Pipeline Explosion

Contrary to the commonly accepted view that Stuxnet was the first cyber operation to cause physical destruction (Langner, 2011), a similar cyber event has been claimed as far back as 1982. Thomas Reed, a former US Air Force secretary who served on Ronald Reagan’s National Security Council, claimed in his book “At the Abyss: An Inside History of the Cold War” (2007) that the United States intentionally allowed the Soviet Union to steal pipeline control software from a Canadian company. The software included a Trojan horse that caused a major explosion of the trans-Siberian gas pipeline in June 1982. According to Reed, the Trojan was planted in the Supervisory Control and Data Acquisition (SCADA) system that controlled the pipeline and, during a pressure test, raised the pressure far beyond what the pipeline joints and welds could tolerate, provoking a massive explosion. Although there is no concrete evidence to support Reed’s statement, a collection of intelligence documents known as “the Farewell Dossier” (Weiss, 1996) describes a sustained US effort to sabotage multiple Soviet projects. Russia has officially denied that the trans-Siberian pipeline explosion was the result of a logic bomb in the software controlling the pipeline, attributing the explosion instead to poor construction (a leak in the pipeline). Whether or not the incident was caused by a logic bomb, it is a fact that the history of cyber warfare is intimately bound up with the history of cyber-attacks, from the earliest experimental or nuisance worms and viruses to sophisticated attacks on SCADA systems. The next cyber security incident of the “realization phase” of cyber conflict history is the Morris worm.

2.3.1.2 The Morris worm

The Morris worm acted as a wake-up call to the international scientific community and as a catalyst for the first steps towards the regulation of cyberspace. Robert Tappan Morris, a graduate student at Cornell University, designed and launched the worm in November 1988 from the computer systems of the Massachusetts Institute of Technology (MIT). His stated intention was to gauge the size of the Internet. The worm exploited weaknesses in UNIX systems (including flaws in sendmail and fingerd) and replicated itself from host to host, repeatedly reinfecting machines until they slowed to the point of being unusable. It crashed about 6,000 computers, nearly 10 percent of the Internet in 1988. Damage was assessed at anywhere between $100,000 and $10,000,000, illustrating the difficulty of evaluating the consequences of a cyber-attack, a prominent problem even today (Haizler, 2017). The incident shifted the focus from interoperability, which had been the main concern until then, to cyber security. Robert Tappan Morris was the first person to be convicted under the US Computer Fraud and Abuse Act of 1986 (Eisenberg et al., 1989). He now works as a professor at MIT.

2.3.1.3 The WANK worm

In 1989, a year after the Morris worm, the WANK (Worms Against Nuclear Killers) worm penetrated the networks of NASA (National Aeronautics and Space Administration) in protest at NASA’s use of radioactive plutonium as the power source of the Galileo probe. The worm appeared on the shared internal network between NASA and the US Department of Energy days before the launch of the NASA space shuttle carrying the Galileo spacecraft. The number of successful penetrations is estimated at around 250 machines. WANK was programmed to trick users into believing that their files were being deleted, by displaying a file deletion dialogue that could not be aborted, even though the worm erased no files. The worm is believed to have been created by Melbourne-based hackers and was the first politically motivated worm, since it carried a clear anti-nuclear message (Dreyfus, 1998). Julian Assange, an Australian computer programmer and the founder of WikiLeaks, was believed to be involved, though he has denied any involvement in the incident (Leigh and Harding, 2011). A number of more advanced cyber-attacks followed the WANK worm, such as the Strano Network’s “Netstrike” against French government websites in 1995, the Electronic Disturbance Theatre’s “web sit-ins” of 1998 targeting websites in Mexico and the USA in support of the Mexican Zapatistas, and the Internet Black Tigers’ “suicide email bombings” targeting Sri Lankan embassies as a means of opposing government propaganda (Berson and Denning, 2011). All these incidents, although limited in range, triggered a series of discussions on cyber operations and their potential political, economic and social impact on the victim state, as well as on their impact on international relations and on the consequences of this new kind of warfare for the global strategic environment.
However, the incidents mentioned above were small-scale, of limited range and intensity in terms of the damage caused to the victims. Moreover, the majority of these attacks were neither perpetrated by governments nor tied to state-level conflicts. The perpetrators were mainly individuals or small groups acting independently, presumably without anyone’s guidance or control, whose aim was to draw attention to their political, social or economic goals. Having presented the “realization phase” of the history of cyber warfare, with representative incidents of this period, the following part considers the next phase of cyber conflict history, known as the “take-off phase”.

2.3.2 The take-off phase (1998-2003)

The “take-off phase” is chronologically placed in the interim period before and after 9/11. The cyber-attacks of this period were an important progression in the history of cyber warfare because of their implications for future conflicts. They pointed to the coming shift of the modern battlefield from kinetic war, in which enemies have names and physical locations and in which attacks can be witnessed and assessed, to asymmetric warfare with offensive cyber operations, where attacks may be invisible, adversaries unknown and damage hard to quantify. The incidents of that period led to a dramatic shift in states’ cyber security approaches. The most representative example is the “Moonlight Maze” cyber operation.

2.3.2.1 The “Moonlight Maze” cyber operation

The most significant cyber operation of the 1990s, considered to be state-sponsored, was given the code name “Moonlight Maze”. In March 1998, officials of the US Department of Defense (DoD) accidentally discovered that the Non-Classified Internet Protocol Router Network (NIPRNET) had been penetrated. The intruders probed computer systems at the Pentagon, the Department of Energy, private universities and research labs, and lifted thousands of files containing information on technical research, contracts, encryption techniques and unclassified specifications of DoD war-planning systems. Investigators soon ascertained that the probing had been going on continually for nearly two years. After a comprehensive investigation by the FBI in cooperation with the DoD, the US government formally accused the Russian Academy of Sciences, an entity linked to the Russian military, providing the telephone numbers from which the attacks supposedly originated. Russia denied any involvement, claiming that the phone numbers were not operational. The US suspicion that the Russian government was behind the attack has never been conclusively proven (Kaspersky Lab, 2017). The Pentagon responded by investing $200 million in new encryption technology, firewalls and intrusion detection technologies (Loeb, 2001). Undoubtedly “Moonlight Maze” was a wake-up call that aggressive extraction of information by state, state-sponsored or state-sympathetic organizations would be an enduring part of the cyber conflict landscape. Its ambiguity also symbolizes “an era of cyber conflict in which few easy answers can be found concerning the origin, dynamics, and / or goals of adversarial espionage threats” (Healey, 2013).

2.3.3 The militarization phase (2003-present)

From the “Morris worm” of the “realization phase” and “Moonlight Maze” of the “take-off phase” we move forward to the modern “militarization phase”. The first cyber operations to be regarded as military in nature, as early instances of the “militarization phase”, were those that emerged during the Kosovo era. They were conducted by non-state actors, the so-called “patriotic hackers”, who seemed to act, if not under the umbrella, certainly with the tolerance of their respective national governments. This conflict was characterized “as the first war on the Internet, in recognition of not only the cyber-attacks but also the broader role played by the Internet, especially in the dissemination of information about the conflict” (Berson and Denning, 2011).

2.3.3.1 Titan Rain

Meanwhile, a series of sophisticated cyber-attacks code-named “Titan Rain” was detected by the FBI in 2004. The attacks had started in 2003 and are believed to have continued for at least three years. Attackers from the People’s Republic of China (PRC), with suspected links to China’s official military force, the People’s Liberation Army (PLA), successfully penetrated the US Army Information Systems Command, the Defense Information Systems Agency, the Naval Ocean Systems Center, US Army Space and Strategic Defense installations, Lockheed Martin, NASA, Redstone Arsenal and the British Foreign Office (Bodmer et al., 2012). Though China was the main suspect, the Chinese government denied any involvement. According to US officials, the majority of successful intrusions gained access to “low risk” computers containing little or no confidential information. However, while no classified US networks appeared to have been compromised, there was an immense quantity of valuable data on open systems, particularly in government research facilities and in the private sector (Lewis, 2005). Even though the technical, financial and strategic information accessed was unclassified, taken together it could reveal the strengths and weaknesses of the US, making such an attack extremely damaging.

2.3.3.2 GhostNet

“Titan Rain” was the first notable case of cyber espionage orchestrated from China. However, China appears to have been developing its cyberspace doctrine and capabilities since the late 1990s as part of its military modernization programme. The Chinese authorities have made it clear since at least 1993 that they regard cyberspace as a strategic domain and cyber espionage as an important aspect of war fighting, especially in terms of intelligence, surveillance and reconnaissance. The Chinese doctrine of “active defence” placed an emphasis on the development of cyber warfare capabilities. The People’s Liberation Army (PLA), the armed forces of China, invested significant resources in acquiring operational capacity in cyberspace. Its aim was to develop defensive and offensive capabilities in the “5th dimension of warfare” and to achieve strategic advantage over its rivals, especially the USA (Mulvenon and Yang, 1999). Over the last decade, the vast majority of Advanced Persistent Threat (APT) attacks have seemingly originated from China, and “Titan Rain” was just the first notable example. A large-scale cyber spying operation, whose command-and-control infrastructure was located mainly in China and which had infiltrated high-value political, economic and strategic targets, was discovered in March 2009. “GhostNet” was the name given to this high-level cyber exploitation. The report on the ten-month investigation by the Information Warfare Monitor (IWM), the public-private research institution that conducted it, revealed a network of at least 1,295 infected hosts in 103 countries. Up to 30% of the infected hosts were considered high-value targets and included computers located at ministries of foreign affairs, embassies, international organizations, news media and Non-Governmental Organizations (NGOs). “GhostNet” was capable of taking full control of infected computers, including searching for and downloading specific files and covertly operating attached devices such as microphones and web cameras.
The log files of the victims provided evidence of Chinese cyber espionage, since infected computers connected to IP addresses assigned to China (Information Warfare Monitor, 2009). Even though no formal accusation followed, “GhostNet” revealed in the most emphatic way the tremendous capabilities of cyber exploitation and the urgent need for cyber security at the highest level.

2.3.3.3 Operation Aurora

China’s cyber activities continued in the following years. A series of sophisticated APT-related cyber-attacks took place from 15 December 2009 to 4 January 2010. The attackers breached at least 34 high-tech and financial services companies in the US; Google, Yahoo, Adobe, Symantec, Juniper Networks, Rackspace, Northrop Grumman and Morgan Stanley were among the targets affected. The attack was named “Operation Aurora” by an independent cyber security company, based on analysis of the malicious binaries related to the attacks (McAfee Labs, 2010). David Drummond (2010), Senior Vice President, Corporate Development and Chief Legal Officer of Google, was the first to announce highly sophisticated and targeted cyber-attacks on the company’s infrastructure that resulted in the theft of intellectual property. The attackers used spear-phishing emails that included links to a malicious website, where a zero-day vulnerability in Internet Explorer led to remote code execution and subsequently to the installation of a Remote Administration Tool (RAT). Mandiant (2013), a cyber-forensics firm, provided attribution evidence for Chinese state-sponsored cyber espionage pointing directly to the Chinese government, stating in its report that “APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398”. In May 2014, the US Justice Department filed a detailed indictment against named agents of PLA Unit 61398. The indictment said “Chinese firms hired the same PLA Unit to build a secret database to hold corporate intelligence. In one instance, the hackers broke into Westinghouse’s network, a leading US company in the nuclear industry, to learn the company’s strategy for negotiating with one of China’s state-owned enterprises. The hackers stole roughly 700,000 pages of emails, including some from its chief executive” (Schmidt and Sanger, 2014).

2.3.3.4 The Attack on RSA

The various acts of cyber espionage emanating from China came full circle with the 2011 attack on the security firm RSA. RSA specializes in cryptography and security and was among the first companies to commercialize a public-key cryptosystem, one that is widely used for secure data transmission (Koblitz, 1997). Today its aim is to provide business-driven security solutions that help organizations detect and respond to cyber security incidents, manage risk and protect what matters most to them. RSA works with the White House, the National Security Agency (NSA), the Pentagon, the Department of Homeland Security and many top defense contractors. In 2011 the attackers obtained information that allowed them to gain access to organizations that used RSA’s products for secure authentication. The attack was carried out using social engineering techniques: the attackers sent carefully crafted emails with the subject line “2011 Recruitment Plan” and an attached Excel file. The attachment contained malware that used a previously unknown flaw in Adobe’s Flash software to install a backdoor (RSA, 2011). The attackers apparently used RSA as a stepping stone, stealing data related to RSA’s SecurID authentication tokens that would allow them to connect remotely to US defence contractors and eventually to exfiltrate data. For that reason, it is believed that several US defence institutions, and not RSA itself, were the real target of the attack (RSA, 2014). Although the impact of the attack remains ambiguous, revelations by Edward Snowden (The Diplomat, 2015) linked the attack on RSA with attacks on Lockheed Martin’s networks and the interception of development plans for the F-35, the fifth-generation combat aircraft designed by Lockheed Martin Aeronautics. After the attack, contractors were obliged to redesign specialized communications and antenna arrays and to rewrite software in order to protect the systems of the F-35 from hacking. Furthermore, aircraft designers noted similarities between the airframe of China’s second stealth fighter, the J-31, and that of the F-35. The attack against RSA was a clear example of an indirect attack through a trusted supplier, as the attackers’ goal was to exfiltrate information that would give them access to the companies and organizations using RSA’s security products for authentication. The RSA cyber-exploitation became a crucial reference point in the history of cyber warfare. It highlighted the very real possibility of significant harm from exfiltration through cyberspace and increased awareness of the threat that cyber-attacks pose to a state’s CII. Furthermore, it contributed to the development of more sophisticated security mechanisms to combat such threats.

2.3.3.5 Cyber-attacks against Estonia

In terms of wide-ranging attacks, the leading example took place in Estonia in April 2007 and lasted for almost three weeks. The trigger was the decision of the Estonian government to relocate the Bronze Soldier, a Soviet-era war memorial in Tallinn that had become a rallying point for Russian nationalist organizations seeking to undermine Estonia’s national status to the benefit of Russia. The government’s decision generated a wave of street protests in which one hundred people were injured and one died, while the financial cost reached 4.5 million euro. Under the pressure of these events, the Estonian government proceeded to a hasty relocation of the monument (Tikk et al., 2010). Nationalist reactions were then transferred from the streets to cyberspace, with patriotic hackers engaging in a coordinated, large-scale attack directed against Estonia’s critical ICT infrastructure, including its electronic and telecommunications infrastructures, disrupting the country’s financial system and threatening its national security. The decision of the nationalist organizations to shift the “battlefield” from the streets to cyberspace was not a random one. Since the mid-nineties Estonia had been characterized as an e-state, with many of its critical services (such as e-banking and healthcare) delivered to citizens through the web. The widespread use of the Internet by its citizens allowed Estonia in 2000 to give the electronic submission of documents, through a system that relied on the national ID card for user identification and digital signature, the same legal effect as conventional submission. Estonia was also the first country in the world to conduct legally binding elections with Internet voting, and several private initiatives of international impact (Skype, Retio) originated within the country’s narrow geographical limits.

The 2007 attacks were meant to impair the functioning of the state, causing a number of adverse effects on the operation of public administration and the economy (Tikk et al., 2010).


The assault quickly spread fear among citizens and a sense that nothing in the country was functioning, and aimed at undermining Estonia’s social cohesion (Blank, 2008). The case, an unprecedented act of psychological pressure, demonstrated in full the close interrelation between cyber security and national security and the key role of the former in ensuring a country’s social stability and the prosperity of its citizens. At the same time, it revealed the inability of international security institutions such as the European Union (EU), NATO and the UN Security Council to stand by Estonia during the critical period in which the country was under cyber-attack. The Estonia attack was followed by a number of smaller ones, such as the attacks against Lithuania and Georgia in June and August 2008 respectively and the attack against Kazakhstan in January 2009. All these assaults were allegedly driven by Russia, which was also undertaking military interventions in the region during the same period (Tikk et al., 2008). These cyber-attacks allowed Russia to promote its political and economic interests while shielding it from international condemnation, since the nature of the attacks made it impossible to verify the identity of the attacker (Bumgarner and Borg, 2008).

2.3.3.6 Cyber-attacks against Georgia

The cyber-attacks against Estonia in 2007 demonstrated the degree to which nations can mobilize patriotic hackers and cyber professionals to exert pressure on a hostile nation. However, these techniques had yet to be combined with military force. This changed in 2008, during the South Ossetia War, when conventional Russian forces invaded the Republic of Georgia with the concurrent support of Russian hackers. The conflict between Russia and Georgia centered on a territorial dispute over the breakaway regions of Abkhazia and South Ossetia in Georgia, whose local independence movements were supported by Russia (Shakarian, 2008). In 2008, Georgia attempted to reassert control over South Ossetia, and Russia responded with significant force, invading Georgian territory in conjunction with offensive cyber-attacks. These attacks were designed not only to control the flow of information and influence perceptions; they were also part of exfiltration activities intended to steal and accumulate military and political intelligence from Georgian networks. The activities occurred in waves and featured techniques ranging from distributed denial of service (DDoS) attacks to website defacements (Bumgarner and Borg, 2009). Although these attacks used simple methods, they were executed in a more robust and organized way than the capabilities used against Estonia, representing a coordinated cyber operation. They are believed to have reduced Georgia’s decision-making capability and impaired the operational flexibility of Georgian forces (Tikk et al., 2008).


The coordination of the cyber-attacks appears to have begun weeks before any shots were fired between the adversaries. The attacks targeted the website of the Georgian President, the pages of Parliament, the Foreign Ministry, the Interior Ministry, several news agencies and a few banks. Concurrently with the Russian invasion, the cyber-attacks escalated and focused largely on denial of service and degradation of Georgian communication systems. The Georgian government was unable to communicate effectively with its citizens or the outside world and to deliver its own version of events; internationally, this meant that the Russian version tended to predominate (Tikk et al., 2010). The attacks on the banking sector in particular had repercussions on everyday life in Georgia and made the period of the invasion more difficult for the population. Persistent attacks on the systems of several banks forced them to shut down their electronic services until the threat had passed. This not only disrupted connections with foreign banks, but also apparently paralyzed the Georgian payment system, leaving some Georgians without access to money. With limited or no access to funds, many Georgians could not buy anything in stores, which in turn significantly decreased demand for goods during that time. Furthermore, the economic disorientation of Georgian citizens had a psychological effect that intensified public fear (Healey, 2013). Despite the technical difficulties of attribution, the geopolitical situation, the timing and the forensic evidence available to cyber security analysts leave little room for doubt that the cyber-attacks originated from Russia. The successful attacks on Georgia’s networks, banks and key government websites were unique in that, for the first time, cyber warfare had been wedded to traditional methods of warfare.

The cyber-attacks against Georgia occurred in the wider context of an outbreak of physical hostilities. This changed the threat landscape for all states that rely on computing and networks to conduct commerce, communicate with their citizens and interface with their critical infrastructure (Bryant, 2016).

2.3.3.7 Cyber-attacks against Iran

A few years later, in June 2010, a malicious computer worm named “Stuxnet” struck the Iranian nuclear facility at Natanz. It infected an estimated 50,000-100,000 computers worldwide, more than half of them in Iran, with the remainder mainly in India, Indonesia and Pakistan (Farwell and Rohozinski, 2011). The Symantec Security Response Team (W32.Stuxnet Dossier, 2011), which reverse-engineered the worm and issued a detailed report on its operation, characterized Stuxnet as “the first of many milestones in malicious code history - one of the most sophisticated and unusual pieces of software ever created”. It was recorded as the first cyber operation to exploit four zero-day (unpatched) vulnerabilities, to misuse two compromised digital certificates, to inject code into industrial control systems and to hide that code from the operator. The worm’s code was approximately 500 Kbytes, fifty times as large as a typical computer worm, and was written in multiple languages. It was also the first known cyber operation to cause physical damage across international boundaries. Stuxnet was of such complexity, requiring significant resources to develop, that few attackers would be capable of producing a similar threat. Its sophistication suggests that its creators had deep knowledge of the target and access to immense resources, probably with governmental support, and the choice of target reveals a political motive (Collins and McCombie, 2012). The worm was highly selective, not only about its targets but also about the specific conditions on those targets. Unlike earlier worms, which had no physical consequences, it aimed directly at taking control of critical physical infrastructure. It reportedly spread through Windows computers looking for a particular Programmable Logic Controller (PLC) made by Siemens and, having found one, waited for a specific program condition before attempting to take control by manipulating some of the settings. The Iranian government admitted that Stuxnet had set back its nuclear programme, but claimed that it affected only a limited number of centrifuges. It also acknowledged that Stuxnet struck 12 industrial plants, both inside and outside Iran (Karnouskos, 2011). Ralph Langner (2011), a German security expert specializing in industrial systems security, expressed his belief that Stuxnet was the first real “cyber weapon”, because it was aimed at a physical military target. Iran suspected US and Israeli involvement, although both have denied responsibility.
However, according to the New York Times (Sanger, 2012), the worm was part of a sustained US campaign of cyber operations against the Iranian nuclear programme known as “Olympic Games”. The programme began during the George W. Bush administration and accelerated under Obama. It involved collaboration with Israel for both operational and strategic reasons: the United States needed access to Israeli clandestine intelligence networks in Iran, and it wanted to dissuade Israel from launching an airstrike against Iran. The technical work was reportedly carried out by the US National Security Agency (NSA) and Israel’s Unit 8200, and the attack was rehearsed at Israel’s “Dimona” nuclear facility. Iran downplayed the Stuxnet attack as a failure. Although the full extent of the damage is unknown, the operation against Iran’s uranium enrichment facilities is estimated by some assessments to have set the nuclear programme back by about two years. Considering all the facts, it can be argued that Stuxnet was more successful than a kinetic military strike, as it arguably achieved comparable results without casualties and without provoking a full-scale war. The above list of incidents is by no means exhaustive, but it should sufficiently explain why armed forces have become increasingly concerned with cyber security. The aggressions mentioned above, as well as several cases of Advanced Persistent Threats (APTs) detected in the following years (Flame, Duqu, Red October, Regin) (Virvilis and Gritzalis, 2013a), leave no room for doubt that cyber threats are an increasingly alarming phenomenon. At the same time, the magnitude and complexity of cyber-attacks have forced states to revise their policies and to develop and implement cyber security strategies capable of facing the new challenges and of integrating the values of prosperity, security and safety in the age of digitalization. The next section presents the response of NATO and the EU to these incidents and the rise of cyber arming in leading states.

2.4 The development of cybersecurity culture worldwide

Despite the growing rise of cyber espionage as a tool of nation states, the events in Estonia in 2007 were the hallmark that most scholars point to as the beginning of the era of cyber warfare. Those cyber-attacks highlighted for the first time the potential vulnerability of any country, its society, economy and institutions. Even NATO itself stressed the high vulnerability that could be provoked by the disruption or penetration of Allies’ information and communication systems. The cyber-attacks revealed the inability of NATO and other formal institutions to stand by Estonia during the critical time of the attacks. However, international support was offered by several states with the aim of limiting the consequences. In response to the cyber-attacks against Estonia, NATO proceeded to create the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) in Tallinn, Estonia. The Centre was established in May 2008. It received full accreditation by NATO and attained the status of International Military Organisation, with a mission to enhance the capability, cooperation and information sharing among NATO, its member nations and partners in cyber defence. NATO CCD COE’s focus is on education, research and development on multiple issues related to cyber incidents. More specifically, its main goal is to design doctrine and concepts, with their development and validation within the NATO members, to improve cyber defence interoperability, to provide cyber defence support for experimentation and to analyse the legal aspects of cyber defence. Although it is not part of the NATO Command Structure, the Centre offers recognised expertise and experience in cyber defence (NATO Cooperative Cyber Defence Centre of Excellence Official Webpage).
Furthermore, to keep pace with the rapidly changing threat landscape, NATO recognised that cyber defence is part of NATO’s core task of collective defence and adopted an enhanced policy and an action plan on cyber defence, endorsed by Allies at the Wales Summit in September 2014. The policy establishes that cyber defence is part of the Alliance’s core task of collective defence, with the protection of the communications and information systems owned and operated by the Alliance as a top priority. The policy also provides for the optimisation of cyber defence governance, procedures for assistance to Allied countries in response to cyber-attacks, and the integration of cyber defence into operational planning, including civil emergency planning. In addition, NATO’s policy defines ways to take awareness, education, training and exercise activities forward, and encourages further progress in various cooperation initiatives, including those with partner countries and international organisations. It also foresees boosting NATO’s cooperation with industry on information sharing, exchange of best practices and exploration of innovative technologies to enhance cyber defence. Allies have also committed to enhancing information sharing and mutual assistance in preventing, mitigating and recovering from cyber-attacks (Wales Summit Declaration, 2014). Besides, at the Warsaw Summit in July 2016, heads of state reaffirmed NATO’s defensive mandate and recognised that cyber-attacks present a clear challenge to the security of the Alliance and could be as harmful to modern societies as a conventional attack. Cyberspace was recognised as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land and at sea. Treating cyberspace as an operational domain will enable the Alliance to improve its cyber defence capabilities and to better protect its missions and operations. Furthermore, it will give NATO a better framework to manage resources, skills and capabilities and to coordinate decisions, benefiting from the latest cutting-edge technologies (Warsaw Summit Declaration, 2016). In this constantly changing cyber threat environment, NATO and EU member states started to develop flexible and dynamic cybersecurity frameworks to meet the new, global threats.
For the EU member states, the development of a National Cyber Security Strategy (NCSS) is a prerequisite under the 2013 EU legislative proposal “Cybersecurity Strategy of the European Union: An open, safe and secure cyberspace” to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions. An NCSS is a plan of actions designed to improve the security and resilience of national infrastructures and services. It is a high-level, top-down approach to cyber security that establishes a range of national objectives and priorities that should be achieved in a specific timeframe (ENISA, 2012). The development of an NCSS comprises the vision, the scope, the policy and the regulations of the state, and aims to bolster the security and resilience of CIIs, which is pivotal for driving the modern economy and technology-reliant society. The 2013 EU legislative proposal for an NCSS was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016 with Directive 2016/1148 on security of Network and Information Systems (NIS Directive). The Directive laid down, amongst other measures, obligations for all EU member states to adopt a national strategy on the security of networks and information systems. Furthermore, it provided legal measures to boost the overall level of cyber security in Europe (the full spectrum of the NIS Directive is analysed in the next chapter).


Today all the EU member states and most of the NATO member states have an NCSS as a key policy feature, helping them to tackle risks which have the potential to undermine the achievement of economic and social benefits from cyberspace. In addition, the armed forces of several states are establishing cyber units and including cyber operations in their military doctrines and strategies. States are now fully aware of cyber threats and are taking active steps to limit them. Furthermore, the increasing militarization of cyberspace is reflected not only in the incorporation of cyber operations in military doctrines, but also in the creation of cyber units within national armies. An increasingly large number of states are becoming meaningfully engaged with the offensive possibilities that cyberspace can offer. The rise of cyber arming of states is evidenced by the establishment of military cyber units all around the world. Most famously, the United States Cyber Command (USCYBERCOM) for the US, the Defence Cyber Operations Group (DCOG) for the UK, the Computer Network Operation (CNO) team for Germany, Unit 8200 for Israel and Units 61398 and 61486 for China are just a few examples which show that we are moving towards a true “cyber warfare age”. Other states, including Argentina, Belgium, Brazil, Canada, Colombia, Denmark, France, India, Iran, Japan, the Netherlands, South Korea and Switzerland, have also established military cyber units. Furthermore, the explicit references in the NCSSs of many states that their cyber units are mandated to focus on offensive cyber operations leave no room for doubt that we are at the crossroads of the “militarization of cyberspace” (Stiennon, 2016). Nevertheless, the “militarization of cyberspace” and the integration of cyber units into military affairs bring to the surface new dilemmas to be answered. How should cyber operations of this kind, and with these impacts, be considered from a legal point of view?
Should they be considered as something new, requiring the formulation of new legal instruments on a domestic and international level, or should they be met by using the traditional legal framework of domestic and international law rules in force? In order to find a proper response, the regulatory framework dealing with cyber threats at the European and international level will be analysed.


Chapter 3: The European legal framework for an open, safe and secure cyberspace

Cyberspace, broadly understood, is a global domain of international significance that extends far beyond the domain of the internal affairs of any state. Crucially, the uses and abuses of this complex, borderless virtual space impinge on vital state interests in the physical world, including national security, public safety and economic development. To delineate this zone of freedom for states and other international actors, it is necessary to identify, interpret and apply the relevant legal rules to it (Mačák, 2016). This chapter examines the European legal framework concerning cybercrime, cyber security and cyber warfare and analyses the existing normative framework for the protection of citizens, societies and economies from offences committed through cyberspace. A thorough analysis of the European Conventions, Directives and Joint Communications is provided, and useful conclusions concerning the EU policies and guidelines to the Member States are presented. More specifically, the aim of this chapter is to focus on the international Convention on Cybercrime, the EU Council Directive on the identification of critical infrastructures and the assessment of the need to improve their protection, and the Directive concerning measures for a high common level of security of Network and Information Systems (NIS) across the EU. Furthermore, the EU Communication documents concerning critical information infrastructure protection and the development of a cyber security strategy across the EU are analysed. Finally, the chapter focuses on the issues of limited jurisdiction and the problem of attribution as major obstacles that impede a proper estimation of the impact of a cyber-attack and the determination of the identity and motivations of an attacker.

3.1 The International Convention on Cybercrime (or The Budapest Convention)

The first attempt, on a multinational level, to deal effectively with information technology (IT) specific offences and the challenges posed by the often transborder nature of cybercrime was the adoption by the Council of Europe of the International Convention on Cybercrime, also known as the Budapest Convention (CETS 185, 23.11.2001, Council of Europe, 2009). The Convention on Cybercrime was the first international treaty designed to address several categories of crimes committed via cyberspace, following the Council’s consideration that the transnational character of cybercrime could only be tackled at the global level. Most states have already criminalized these ordinary crimes, and their existing laws may or may not be sufficiently broad to extend to situations involving computer networks. Therefore, in the course of implementing the Convention’s articles, states must examine their existing laws to determine whether they apply to situations in which computer systems or networks are involved. If existing offences already cover such conduct, there is no requirement to amend existing offences or enact new ones. However, the institutionalization of specific cybercrimes such as child pornography and offences related to “cyber-forgery”, “cyber-fraud” and copyright acknowledges the fact that in many countries certain traditional legal interests were not sufficiently protected against new forms of interference and attacks. The Cybercrime Convention was aimed principally at harmonizing the domestic substantive criminal law elements of offences and connected provisions in the area of cybercrime. It incorporated both criminalization provisions and other connected provisions in the area of computer or computer-related crimes. Furthermore, it aimed at providing for the domestic criminal procedural law powers necessary for the investigation and prosecution of such offences, as well as of other offences committed by means of a computer system or for which evidence is in electronic form. Finally, the Convention set up a fast and effective regime of international co-operation. Specific cyberspace offences such as illegal access, illegal interception, data interference, system interference, misuse of devices, computer-related forgery, computer-related fraud, offences related to child pornography and offences related to copyright and neighbouring rights were identified and dealt with by the Cybercrime Convention. Furthermore, common safeguards and applicable powers such as expedited preservation of stored data, partial disclosure of traffic data and interception of content data were determined.
Additionally, the Convention covered mutual assistance where no legal basis (treaty, reciprocal legislation) existed between parties and set up a 24h/7d network for ensuring assistance among Parties (Explanatory Report to the Convention on Cybercrime, 2001). The Convention’s main goal was to establish a “common criminal policy” to better combat computer-related crimes worldwide, especially those committed through the use of telecommunication networks, such as those which violate human dignity and the protection of minors, by harmonizing national legislation, enhancing law enforcement and judicial capabilities, and improving international cooperation (Archick, 2004). Thirty-eight countries, including non-EU members such as the United States, Canada, Japan and South Africa, have signed the Convention on Cybercrime. The Convention is divided into three principal parts. The first part addresses the substantive cybercrime offences that each ratifying state is obliged to adopt in its national law. The second part concerns investigative procedures which member states must implement, and the third part relates to mechanisms to enhance international cooperation. More specifically, the Convention requires the ratifying Parties to adopt such measures as may be necessary, including, where appropriate, domestic legislation, to ensure that criminal acts within the scope of the Convention are under no circumstances justifiable, wherever and by whomever committed. Furthermore, the Parties should enact certain procedural mechanisms and procedures to facilitate the investigation of cybercrimes or of any crime committed with a computer for which evidence may be found in “electronic form”. Finally, the Convention provides that Parties shall cooperate with each other to the widest extent possible for the purposes of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of criminal offences (Vatis, 2010). The Budapest Convention led to the creation of a reference framework aiming to address computer and internet crimes by introducing not only substantive rules but also (and perhaps mainly) procedural rules and the basis of international cooperation for law enforcement and the exchange of respective information. The Convention on Cybercrime addressed direct threats arising from cyberspace, legally defined as acts aimed against the confidentiality, integrity and availability of computer data and systems (Chapter II, Section 1, CETS 185, 23.11.2001, Council of Europe, 2009). The specific Convention, which dealt with crimes that were mainly, but not exclusively, carried out by private individuals without state intervention, aimed at the protection of private property and public goods, and it laid the groundwork for the harmonization by member states of their relevant national laws, focusing ultimately on the protection of society against cybercrime. However, the Cybercrime Convention did not address concerns that may be raised by cyber-attacks that are not just criminal acts but may also constitute espionage or use of force under the specific legal framework of international law.
The next legislative initiative launched at EU level resulted in the adoption of Council Directive 2008/114/EC “on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection” (The Council of the European Union, L 345/75), which is analysed below.

3.2 Council Directive 2008/114/EC “on the identification of European critical infrastructures and the assessment of the need to improve their protection”.

Following the cyber-attacks, especially those against Estonia and Georgia, it became obvious that the existence of critical infrastructures plays a key role in ensuring a country’s national security. As a result, Council Directive 2008/114/EC of December 8, 2008 “on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection” adopted a framework for the identification of critical infrastructures in the sectors of energy, transportation and ICTs, which would serve as a first step toward the adoption of an overall strategy for their protection in the fight against terrorism. However, the first step in determining which infrastructures should be considered as national critical infrastructures was made in 2006 by the European Commission (COM 786, 2006), which introduced a Communication setting out the principles and instruments needed to implement the European Programme for Critical Infrastructure Protection (EPCIP). This was the first time that international organisations such as the United Nations, the North Atlantic Treaty Organisation, the European Union and in particular the European Union Agency for Network and Information Security (ENISA) adopted instruments to protect critical (information) infrastructure from large-scale cyber-attacks. The objective of Directive 2008/114/EC was to establish procedures for the identification and designation of European Critical Infrastructures (‘ECIs’) and a common approach to the assessment of the need to improve the protection of such infrastructures, in order to contribute to the protection of society and citizens. The high dependence of all actors (in the public and private sector) on Critical Information Infrastructures (CIIs), the cross-border interconnectedness and interdependencies of CIIs with other infrastructures, as well as the vulnerabilities and threats they face, raised the need to address their security and resilience from a systemic perspective as the frontline of defence against cyber operations. According to Article 3 of the Directive, member states should indicate, at national level, those infrastructures and operations or services whose eventual deterioration or malfunction could have serious effects on public health, the financial system and the prosperity and security of citizens. Furthermore, according to Article 5, member states have to conduct a risk analysis based on major threat scenarios, to select and prioritize important assets and finally to implement security counter-measures for their protection. The aim of the Directive was to develop common methodologies for the identification and classification of risks, threats and vulnerabilities to infrastructure assets of all EU member states and to facilitate improvements in the protection of ECIs, which will eventually contribute to the protection of EU citizens.

3.3 Communication 149 (2009) on Critical Information Infrastructure Protection “Protecting Europe from large-scale cyber-attacks and disruptions: enhancing preparedness, security and resilience”.

The next European initiative addressing the protection of CIIs from large-scale cyber-attacks was the 2009 Communication (COM 149, 30.03.2009; European Commission) from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on CII Protection, entitled “Protecting Europe from large-scale cyber-attacks and disruptions: enhancing preparedness, security and resilience”. The Communication focused on prevention, preparedness and awareness and defined an action plan to strengthen the security and resilience of CIIs, which was based on five axes: (i) Preparedness and prevention: to ensure preparedness at all levels, (ii) Detection and response: to provide adequate early warning mechanisms, (iii) Mitigation and recovery: to reinforce EU defence mechanisms for CII, (iv) International cooperation: to promote EU priorities internationally, and (v) Criteria for the ICT sector: to support the implementation of Directive 2008/114/EC “on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection”. The proposed actions were complementary to those intended to prevent, fight and prosecute criminal and terrorist activities targeting CIIs, and synergistic with current and prospective EU research efforts in the field of network and information security, as well as with international initiatives in this area. The Communication emphasized the need for coordinated collective action by pointing out that “cyber-attacks have risen to an unprecedented level of sophistication. Simple experiments are now turning into sophisticated activities performed for profit or political reasons. The recent large-scale cyber-attacks on Estonia, Lithuania and Georgia are the most widely covered examples of a general trend. The huge number of viruses, worms and other forms of malware, the expansion of botnets and the continuous rise of spam confirm the severity of the problem”. The high dependency on CIIs, their cross-border interconnectedness and interdependencies with other infrastructure, as well as the vulnerabilities and threats they face, raised the need to address their security and resilience from a systematic perspective. As such, the implementation of the action plan aimed to reinforce tactical and operational cooperation at EU level among all stakeholders, including the full participation of member states, the private sector and the European institutions, in order to ensure the security and resilience of CIIs as the frontline of defence against cyber-attacks.

3.4 Joint Communication 1 (2013) “Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace”.

Afterwards, in February 2013, the European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, presented a proposal for a cyber security strategy along with a draft Directive (JOIN, 07.02.2013, European Commission, 2013) addressing the issue of Network and Information Security (NIS). As referred to in the EU’s relevant press release (IP/13/17, 07.02.2013): […] the cyber security strategy, for an Open, Safe and Secure Cyberspace, represents the EU’s comprehensive vision on the best possible way to prevent and respond to cyber disruptions and attacks. The specific strategy, aiming at further promoting the European values of freedom and democracy, served not only as a means of communicating the EU’s idea of cyber security but also as a basis for the adoption of a common legal framework relating to cyber-attacks, their overall impact and the potential ways of addressing them. Its actions aimed at enhancing the cyber resilience of information systems, reducing cybercrime and strengthening EU international cyber security policy and cyber defence.


Furthermore, the Joint Communication outlined the EU’s vision in terms of five priorities: (i) To achieve cyber resilience, (ii) To drastically reduce cybercrime, (iii) To develop cyber defence policy and capabilities related to the Common Security and Defence Policy (CSDP), (iv) To develop the industrial and technological resources for cyber security, and (v) To establish a coherent international cyberspace policy for the European Union and to promote core EU values. The draft Directive included specific actions that could enhance the EU’s overall performance in order to ensure a coordinated response to strengthen cybersecurity in Europe. These actions were both short and long term and incorporated a variety of policy tools in which different types of actors, such as member states, EU institutions and the private sector, were involved. According to the draft Directive, each member state must adopt a NIS strategy and designate national NIS competent authorities in order to prevent, manage and respond to cybersecurity threats and incidents. In addition, member states must establish a mechanism in order to cooperate and share best practices and early warnings on risks and incidents through a secure infrastructure. Finally, each member state must create and implement a national cyber security strategy under which public and private administrators of crucial sectors, such as financial services, healthcare, energy and transport, should adopt risk management practices and report major security incidents affecting their core services. The overall goal of the NIS Directive is to establish a secure and trustworthy digital environment throughout the EU and to protect effectively citizens’ freedoms and rights. On 12 August 2013, the European Parliament and the Council of the EU proceeded to the adoption of Directive 2013/40/EU “on attacks against information systems and replacing Council Framework Decision 2005/222/JHA”. The provisions of the specific Directive are analysed below.

3.5 Directive 2013/40/EU of the European Parliament and of the Council “on attacks against information systems and replacing Council Framework Decision 2005/222/JHA”.

Significant gaps and differences in member states’ laws and criminal procedures in the area of attacks against information systems hinder the fight against organized crime and cyber terrorism. The transnational and borderless nature of modern information systems means that attacks against such systems have a cross-border dimension. Directive 2013/40/EU “on attacks against information systems and replacing Council Framework Decision 2005/222/JHA” underlined the urgent need for further action to approximate criminal law in this area. The Directive was developed upon the Budapest Convention on Cybercrime (Recital 15 of the Directive) and indicated a new strategy for combating cybercrime, including attacks against information systems. The Directive did not aim to modify the existing legal framework but to reinforce its efficiency, with a focus on the mechanisms of enforcement. It aimed at the establishment of a common institutional framework for approximating the constituent elements of criminal offences relating to attacks on information systems and sought to improve cooperation between the competent authorities and institutions (ENISA, EUROJUST and EUROPOL, EC3) to fight cybercrime effectively. The Directive’s main goal was to ensure an appropriate level of protection of information systems and to create an effective and comprehensive framework of prevention measures accompanying criminal law responses to cybercrime. To this end, member states must take appropriate measures to protect their CI from cyber-attacks and to increase the resilience of their information systems so that they are protected more effectively against cybercrime. More specifically, Directive 2013/40/EU underlined the necessity of further development to ensure a common approach of the Member States of the European Union to criminal law in the area of attacks against information systems. As there were still relevant differences between member states’ laws, it tried to curb legislative disparity concerning the punishment of attacks against information systems by establishing a set of common minimum rules on criminal offences, penalties, liability of legal persons, jurisdiction and exchange of information (Iglezakis, 2016). The Directive aimed to harmonize the criminalization of specific types of conduct, such as illegal access to information systems or illegal system and data interference, and did not address the prevention of NIS risks and incidents, the response to NIS incidents or the mitigation of their impact.
The harmonization of the member states’ national criminal law entailed not only a minimum set of computer-related offences, but also their corresponding sanctions, imposing harsher sanctions for cybercrime offences. In order to ensure an effective European response to cybercrime, each member state needed to criminalize offences considered relevant enough to pose a menace to certain legal interests. In particular, the Directive paid attention to the growing and risky criminal offences against the confidentiality, integrity, availability and authenticity of computer systems (Freitas and Goncalves, 2015). The Directive aimed at protecting information systems through the penalization of specific offences against information systems, namely illegal access, illegal interception, data interference, system interference and misuse of devices. The European legislator, when proscribing the types of conduct that are to be punished, focused on the process that results in interference with data and/or systems and, in the final analysis, in interference with fundamental rights or legal interests. The criteria of impact(s) and/or motivation of the attacker can be detected in the aggravating circumstances enumerated in Article 9 of the Directive, namely: (a) committing the punishable criminal offence within the framework of a criminal organization, (b) causing serious damage, (c) attacking critical infrastructures and (d) identity theft. As Mitrou (2016) highlighted, “the legal classification resulting from the criminalized types of conduct is related to some type/taxonomy of attacks against information systems but there is no direct matching between them”. Furthermore, the Directive raised awareness of the potential risks to critical infrastructures of the member states and highlighted the importance of networks such as the G8 or the Council of Europe’s network of points of contact available on a 24-hour, seven-day-a-week basis for the purpose of investigations or proceedings concerning criminal offences relating to information systems and associated data (Directive 2013/40/EU, Recital 22). Given the speed with which large-scale cyber-attacks can be carried out, member states should be able to respond promptly to urgent requests from this network of contact points. However, it did not address the prevention of NIS risks and incidents, the response to NIS incidents and the mitigation of their impact. The Directive’s purpose was to address large-scale events and to contribute to the creation of a safer information society and of an area of freedom, security and justice. Eventually, the Directive was a decisive step towards creating a cyberspace and cybersecurity policy in Europe by creating a cohesive approach with regard to cybersecurity measures and by minimizing discrepancies within and between Member States (Mitrou, 2016). In 2013, the European Commission proposed the Directive on security of network and information systems (NIS Directive), aiming at ensuring a high common level of cybersecurity in the EU.
On 6 July 2016, the European Parliament and the Council of the European Union proceeded to the adoption of Directive 2016/1148/EU “concerning measures for a high common level of security of networks and information systems across the Union” which is analyzed below.

3.6 Directive 2016/1148/EU of the European Parliament and of the Council “concerning measures for a high common level of security of networks and information systems across the Union”.

The specific Directive, recognizing that the security of network and information systems plays a vital role in the functioning of economic and societal activities, adopted a global approach at Union level concerning common minimum capacity-building and planning requirements, in order to respond effectively to the major threats that cyber-attacks pose to the proper functioning of the internal market. The increasing magnitude and frequency of cyber-attacks impeded the pursuit of economic activities, generated substantial financial losses and caused major damage to the economy of the Union. The differing levels of network and information systems security among member states undermined the overall level of protection within the Union. Fragmented approaches concerning the level of preparedness and the lack of common requirements on operators of essential services and digital service providers prevented the creation of a global and effective mechanism for cooperation at Union level. Member states have very different levels of preparedness, which has led to fragmented approaches across the Union, and the existing capabilities are not sufficient to ensure a high level of security of network and information systems within the Union. Responding effectively to the challenges of the security of network and information systems therefore requires a global approach at Union level covering common minimum capacity-building and planning requirements, exchange of information, cooperation and common security requirements for operators of essential services and digital service providers.

The Directive provides legal measures to increase the overall level of cybersecurity in the EU by increasing cybersecurity capabilities in member states, enhancing cooperation on cybersecurity among member states, and requiring operators of essential services to take appropriate security measures. More specifically, it defines six main objectives which have to be adopted by the member states (Article 1(2) of the Directive): (a) each member state has to adopt a national Network and Information Security (NIS) strategy; (b) a Cooperation Group has to be created to support and facilitate strategic cooperation among member states and to exchange information; (c) a Computer Security Incident Response Team (CSIRT) network has to be created to focus operational cooperation and to build confidence and trust between member states; (d) every member state has to establish security and notification requirements for operators of essential services; (e) every member state has to establish security and notification requirements for digital service providers; and (f) every member state has to designate three new national institutions, namely national competent authorities, single points of contact and CSIRTs, which are tasked with the security of network and information systems. The Directive builds on three main pillars: (a) ensuring member states’ preparedness by requiring them to be appropriately equipped via a competent national NIS authority and a CSIRT; (b) ensuring cooperation among all the member states, by setting up a ‘Cooperation Group’ in order to support and facilitate strategic cooperation and the exchange of information among member states, and a ‘CSIRT Network’ in order to promote swift and effective operational cooperation on specific cybersecurity incidents and the sharing of information about risks; and (c) ensuring a culture of security across sectors which are vital for the economy and society.

Businesses with an important role in society and the economy that are identified by the member states as operators of essential services under the NIS Directive have to take appropriate security measures and to notify serious incidents to the relevant national authority. These sectors include energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure. Key digital service providers (search engines, cloud computing services and online marketplaces) also have to comply with the security and notification requirements under the NIS Directive. According to the Directive, member states must adopt, at national level, all the necessary measures, concerning legal rules, policies and administrative measures, in order to ensure a high level of network and information systems security within the Union. These measures include the adoption of a national strategy on the security of network and information systems, defining the strategic objectives and the appropriate policy and regulatory measures, as well as the designation of national competent authorities and CSIRTs. More specifically, the national strategy incorporates (a) the objectives and priorities on the security of network and information systems, (b) a governance framework to achieve the objectives and priorities, including the roles and responsibilities of the government bodies and the other relevant actors, (c) the identification of measures relating to preparedness, response and recovery, including cooperation between the public and the private sector, (d) an indication of the education, awareness-raising and training programmes, (e) an indication of the research and development plans relating to the national strategy on the security of network and information systems, (f) a risk assessment plan to identify risks and (g) a list of the various actors involved in the implementation of the national strategy on the security of network and information systems.

Each member state must designate one or more national competent authorities, which will monitor, audit and test the application of the national security strategy, and a single point of contact, which shall ensure cross-border cooperation of member states’ authorities. Furthermore, each member state must designate one or more CSIRTs, which will be responsible for risk and incident handling in accordance with a well-defined process. The Directive establishes a Cooperation Group composed of representatives of the member states, the Commission and ENISA, in order to support and facilitate strategic cooperation and the exchange of information among member states and to develop trust and confidence. Additionally, a network of the national CSIRTs is established in order to contribute to the development of confidence and trust between the member states and to promote swift and effective operational cooperation. In conclusion, the Directive lays down measures with a view to achieving and maintaining a high level of security of network and information systems within the Union, so as to improve the functioning of the internal market.


Chapter 4: The International legal framework of Cyber security / Cyber warfare

Having presented the European framework for an open, safe and secure cyberspace, dealing with cybercrime and protecting the EU from large-scale cyber-attacks, the next step is to move forward to the international level and to examine the corresponding actions worldwide to enhance the preparedness, security and resilience of states in cyberspace and to protect critical infrastructures effectively from large-scale cyber-attacks. If cybercrime and other related crimes and offences committed by individuals or private entities for personal gain are essentially a domestic matter of law, cyber activities conducted by states against other states fall under the remit of international law. Since cyber threats have become a concern for the international community, the question of what norms will guide states’ behaviour in cyberspace is under active debate. Devastated by the two world wars of the last century, nations developed a framework of international law that sets necessary standards against which actions by governments can be judged, condemned and eventually even punished by the international community.

The United Nations (UN) was established following the conclusion of the Second World War and in the light of Allied planning and intentions expressed during that conflict. The purposes of the UN are set out in Article 1 of the Charter as follows: 1. To maintain international peace and security, and to that end, to take effective collective measures for the prevention and removal of threats to the peace, and for the suppression of acts of aggression or other breaches of the peace, and to bring about by peaceful means, and in conformity with the principles of justice and international law, adjustment or settlement of international disputes or situations which lead to a breach of the peace; 2. To develop friendly relations among nations based on respect for the principle of equal rights and self-determination of peoples, and to take other appropriate measures to strengthen universal peace; 3. To achieve international co-operation in solving international problems of an economic, social, cultural or humanitarian character, and in promoting and encouraging respect for human rights and for fundamental freedoms for all without distinction as to race, sex, language, or religion; 4. To be a centre for harmonizing the actions of nations in the attainment of these common ends. As the main global forum for states to discuss and agree upon issues regarding international security, the UN has been one of the main venues to address issues of international cyber security. Established to promote international co-operation, the UN is an intergovernmental organisation committed to maintaining international peace and security, developing friendly relations among nations and endorsing social progress, better living standards and human rights. The UN is based upon the sovereign equality of states and the principles of fulfilment in good faith of the obligations contained in the Charter, the peaceful settlement of disputes and the prohibition on the use of force. It is also provided that member states must assist the organisation in any action it takes in accordance with the Charter and must refrain from assisting any state against which the UN is taking preventive or enforcement action (Shaw, 2014). The Organisation provides a global forum for 193 member states to express their views and tackle a wide range of issues.

The UN’s activities regarding cyber security can be seen as highly fragmented, as the subject is addressed in many of its different intergovernmental bodies and organizational platforms. Many entities in the UN can issue Resolutions, but in practice most are passed by the UN General Assembly or the UN Security Council. The UN Security Council is intended to operate as an efficient executive organ of limited membership, functioning continuously. It is given primary responsibility for the maintenance of international peace and security. The UN Security Council consists of fifteen members, five of them being permanent members (USA, UK, Russia, China and France). These permanent members, chosen on the basis of power politics in 1945, have a veto. It acts on behalf of the members of the organisation as a whole in performing its functions, and its decisions are binding upon all member states. Its powers are concentrated in two particular categories, the peaceful settlement of disputes and the adoption of enforcement measures (Shaw, 2014). Additionally, the UN General Assembly is the parliamentary body of the UN and consists of representatives of all the member states. Membership of the UN, as provided by Article 4 of the Charter, is open to all other peace-loving states which accept the obligations contained in the Charter and, in the judgment of the organisation, are able and willing to carry out these obligations; admission is effected by a decision of the General Assembly upon the recommendation of the Security Council. The UN General Assembly has a purely recommendatory role and in that sense its Resolutions are not binding. Today, almost all Resolutions, with the exception of those adopted by the UN Security Council, are recommendatory and legally non-binding on the member states. However, up until now, no Resolutions concerning cyber security issues have been adopted by the UN Security Council (Shaw, 2014). The most significant effort to clarify the application of the existing legal framework is the work of the UN Group of Governmental Experts (UN GGE) in the field of ICTs in the context of international security. The UN General Assembly called for the views of the UN member states on information security and established three UN Groups of Governmental Experts (GGEs). The Resolutions adopted by the UN General Assembly are presented below:

4.1 Resolution A/RES/55/63 adopted by the General Assembly combating the criminal misuse of information technologies.

On a multinational level, the first attempt to deal effectively with offences specific to information technologies was Resolution A/RES/55/63, adopted by the General Assembly of the United Nations on 22 January 2001 and entitled “Combating the criminal misuse of information technologies” (A/RES/55/63/2001). The Resolution underlined the need for enhanced coordination and cooperation among all concerned states in the investigation and prosecution of international cases of criminal misuse of information technologies. According to the Resolution, effective law enforcement mechanisms should be established between states to ensure the timely gathering and exchange of information in criminal investigations and the protection of individual freedoms and privacy from computer-related crimes, with an emphasis on preserving the confidentiality, integrity and availability of data and computer systems from unauthorized impairment.

4.2 Resolution A/RES/56/121 adopted by the General Assembly combating the criminal misuse of information technologies.

Resolution 56/121 followed, adopted by the General Assembly on 23 January 2002 and entitled, like the previous Resolution, “Combating the criminal misuse of information technologies” (A/RES/56/121/2002). The specific Resolution recognised the significant impact that the criminal misuse of information technologies may have on all states and underlined the need for cooperation between states and the private sector in promoting safety and confidence in cyberspace and in combating computer-related crimes. Therefore, member states were invited to incorporate, at national level, the corresponding legal framework, policies and practices to combat the criminal misuse of information technologies.

4.3 Resolution A/RES/57/239 adopted by the General Assembly for the creation of a global culture of cybersecurity.

The next UN initiative adopted by the General Assembly was Resolution A/RES/57/239 of 31 January 2003 for the “Creation of a global culture of cybersecurity” (A/RES/57/239/2003). The growing number of threats and vulnerabilities, in combination with the increasing interconnectivity of information systems and networks between states, businesses, organizations and individual users, raises new security issues for all. The Resolution recognized that gaps in the use of information technologies by states can diminish the effectiveness of international cooperation in combating the criminal misuse of information technology and in creating a global culture of cybersecurity. Furthermore, it was pointed out that priority must be given to cybersecurity planning and management through prevention. The Resolution proposed the implementation of nine elements for the creation of a global culture of cybersecurity among states. The elements are (a) Awareness, (b) Responsibility, (c) Response, (d) Ethics, (e) Democracy, (f) Risk assessment, (g) Security design and implementation, (h) Security management and (i) Reassessment. Member states and international organizations were invited to consider these elements in their efforts to develop, throughout their societies, a culture of cybersecurity in the application and use of information technologies.

4.4 Resolution A/RES/58/199 adopted by the General Assembly for the creation of a global culture of cybersecurity and the protection of critical information infrastructures.

A year later, on 30 January 2004, the General Assembly adopted Resolution A/RES/58/199 for the “Creation of a global culture of cybersecurity and the protection of critical information infrastructures” (A/RES/58/199/2004). The Resolution recognized the growing importance of information technologies for the promotion of socio-economic development and the increasing interconnectivity of CII in providing essential goods and services, and set out as a priority the effective protection of CII nationally and internationally. To that end, the Resolution proposed specific elements for protecting CII, such as having emergency warning networks regarding cyber-vulnerabilities, threats and incidents, raising awareness to facilitate stakeholders’ understanding of the nature and extent of their CII, examining infrastructures and identifying interdependencies among them, promoting partnerships among stakeholders and creating crisis communication networks. States must have adequate substantive and procedural laws to investigate and prosecute attacks on CII and to engage in international cooperation in order to coordinate such investigations with other states, as appropriate.

4.5 Resolution A/RES/64/211 adopted by the General Assembly for the creation of a global culture of cybersecurity and taking stock of national efforts to protect critical information infrastructures.

A few years later, on 21 December 2009, the General Assembly adopted Resolution A/RES/64/211 for the “Creation of a global culture of cybersecurity and taking stock of national efforts to protect critical information infrastructures” (A/RES/64/211/2010). The Resolution, recognizing that confidence and security in the use of ICTs are among the main pillars of the information society and that a robust global culture of cybersecurity needs to be encouraged, promoted, developed and vigorously implemented, proposed a voluntary self-assessment tool for states to protect critical information infrastructures. The self-assessment tool builds on the assessment of the role of ICTs in national security and the economy, the understanding of the vulnerabilities and threats faced in every sector, the determination of cybersecurity risks in relation to CIIs and the designation of the goals of the national cybersecurity and CII protection strategy. Member states should identify key stakeholders and determine their role in the development of cybersecurity policies and operations. The overall goal of the Resolution is to motivate member states to define, through appropriate legislation, cybersecurity needs and strategies, policy processes, stakeholder roles and responsibilities, and incident management and recovery tools, in order to develop a global culture of cybersecurity. Member states were invited to use the voluntary self-assessment tool as a standard for achieving their goal of strengthening cybersecurity.

4.6 Letter A/66/359 for an “International Code of Conduct for Information Security” from the Permanent Representatives of China, the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary-General.

The next initiative for a comprehensive multilateral treaty in the area of cybersecurity, concerning the rights and obligations of states under international law, was a proposal from Russia, China, Tajikistan and Uzbekistan for an “International Code of Conduct for Information Security”, submitted to the UN General Assembly in 2011. United Nations Doc A/66/359 from the Permanent Representatives of China, the Russian Federation, Tajikistan and Uzbekistan to the Secretary-General, dated 14 September 2011, delineated an international code of conduct for information security by recognizing the need for a mutual understanding of the issues of cybersecurity and by underlining the importance of protecting the security, continuity and stability of CIIs from threats and vulnerabilities. The purpose of UN Doc A/66/359 was “to identify the rights and responsibilities of states in information space, promote their constructive and responsible behaviour and enhance their cooperation in addressing the common threats and challenges in cyberspace, so as to ensure that ICTs, including networks, are to be solely used to benefit social and economic development and people’s well-being, with the objective of maintaining international peace and security”. To that end, each state subscribing to the international code of conduct pledges to comply with the United Nations Charter and the universally recognized norms governing international relations that enshrine respect for the sovereignty, territorial integrity and political independence of all states, and respect for human rights and fundamental freedoms. Furthermore, states must undertake not to use ICTs for the purpose of carrying out hostile activities or acts of aggression that could pose threats to international peace and security. Finally, they must bolster bilateral, regional and international cooperation in the field of information security and enhance coordination among the relevant international organizations in order to combat effectively criminal and terrorist activities that undermine the political, economic and social stability of states.

United Nations Doc A/66/359 gave rise to extensive international attention and discussion. Consequently, the international code of conduct for information security, as proposed by China, Russia, Tajikistan and Uzbekistan, was revised on 13 January 2015 with UN Doc 69/723, taking into full consideration the comments and suggestions from all parties. Undoubtedly, it was a large step in pushing forward the international debate on international norms and in helping to forge an early consensus on information security.

4.7 Report A/68/98 of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security.

Last but not least, from the UN perspective the A/68/98 Report (2013) must be mentioned, drafted by the Group of Governmental Experts (UN-GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security, among experts from fifteen countries, on a number of issues related to a “peaceful, secure, resilient and open ICT environment”. The UN-GGE examined the issue of norms concerning ICTs in relation to international security and concluded that international law, and in particular the United Nations Charter, is applicable and essential to maintaining peace and security. Furthermore, the Group recognized that state sovereignty and the international norms and principles that flow from it apply to states’ conduct of ICT-related activities and to their jurisdiction over ICT infrastructure within their territory. In that context, states must meet their international obligations regarding internationally wrongful acts attributable to them. The Report recommends further study to promote common understandings on how such norms apply to state behaviour and the use of ICTs by states. Given the unique attributes of ICTs, the Report notes that additional norms could be developed over time. The Group recommends the holding of regular institutional dialogue on these issues under the auspices of the United Nations, as well as regular dialogue in other forums, to advance these measures. An important step in that direction was the “Tallinn Manual on the International Law Applicable to Cyber Warfare”, a project developed under the auspices of the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE). To that end, an International Group of Experts led by Professor Michael Schmitt published in 2013 “The Tallinn Manual on the International Law Applicable to Cyber Warfare”, which is analyzed below.

4.8 The Tallinn Manual on the International Law Applicable to Cyber Warfare.

The first non-binding document that attempted to address cyber-attacks using the instrumentarium of international law and to produce a manual on the law governing cyber warfare appeared in 2013. The “Tallinn Manual on the International Law Applicable to Cyber Warfare”, or “the Tallinn Manual” (Schmitt, 2013), was a project launched by international law practitioners and scholars at the invitation of the NATO CCD COE, in an effort to examine how extant legal norms applied to this “new” form of warfare. The main goal of the Tallinn Manual was to clarify the complex legal issues surrounding cyber operations, with particular attention paid to those involving the “jus ad bellum”, the body of international law that governs a state’s resort to force as an instrument of its national policy, and the “jus in bello”, the international law regulating the conduct of armed conflict (also labelled the law of war, the law of armed conflict or international humanitarian law). In the Tallinn Manual, the International Group of Experts came to the unanimous conclusion that the general principles of international law also apply to cyberspace. The Manual aimed to identify how the “lex lata” (the law as it exists) applies to cyber operations above the level of the “use of force”. Its task was to determine how exactly this body of law can be applied and to identify any cyber-unique aspects thereof. The rules set forth in the Tallinn Manual provide specific provisions (Rules) on the topic, intended to reflect customary international law. The Manual is not legally binding and does not reflect NATO doctrine or the official position of any state or organization. It is essentially a scholarly exercise that examines whether existing international law applies in the cyber context and identifies potential difficulties in its application to different types of cyber operations. However, the Tallinn Manual has been criticized in relation to the composition of the Group of Experts, the methodology employed, its scope and certain aspects of its contents.

The Group of Experts that drafted the Manual comprised international law academics, practitioners, serving or former military officials and technical experts, as well as observers from NATO, the ICRC and US CYBERCOM, all participating in their personal capacity. It included, however, only military and academic lawyers and technical experts from but a few Western states. It is indeed a fact that, of the 23 members of the Group of Experts, nine (including the Project’s Director) were from the United States, while none was from states that are reportedly heavily involved in cyber operations, both as authors and targets, such as Russia, China, Iran and Israel. If this can certainly be seen as a limitation, it should not be forgotten that the members participated in the initiative in their individual capacity: even if a Russian expert had been invited, he or she would not necessarily have expressed the views of the Russian government (Roscini, 2014). In addition, even NATO governments have openly disagreed with some of the fundamental concepts detailed in the Tallinn Manual, with ranking officials in the US Department of Defense legal team recently arguing that the “principle of sovereignty does not have the force of a primary rule of international law” and, as such, does not prohibit attacking the civilian infrastructure of another state “provided that the effects do not rise to the level of an unlawful use or an unlawful intervention”. Similar ambiguity exists over numerous other issues, including when states are permitted to use force (the thresholds below an armed attack), the definition of “armed force”, the application of international law to non-state actors (often acting at the behest of a government), the level of “permissible” doubt allowed before undertaking an attack that might affect civilians, and indeed the respective application of international humanitarian and/or human rights law (Roscini, 2014).

The Tallinn Manual should not be underestimated in terms of its function as a significant consultative document. Up to now, the “Tallinn Manual” is the most complete attempt to use the rules of international law (jus ad bellum and jus in bello) to interpret cyber warfare and, in any case, is a good starting point for further analysis and understanding of the international law applicable to cyber warfare. More important than being a useful compilation of rules, it includes commentary reflecting the different views on some of the tricky issues raised by the introduction of cyber warfare. More recently, in February 2017, NATO CCD COE published the second version of the “Tallinn Manual on the International Law applicable to Cyber warfare (Tallinn Manual 2.0)”, which deals with cyber-attacks that are evaluated below the threshold of the “use of force” and which are carried out during peacetime. The handbook presents a critical review of the evolution of cyber-attacks over the past decade and extends the existing reflection on how to apply traditional rules of international law in the cyber context by shifting the centre of gravity from large-scale cyber-attacks to more limited cyber-attacks, in terms of scale and effects, which essentially constitute the majority of the attacks we face on a regular basis. Furthermore, Tallinn Manual 2.0 addresses issues of state responsibility, international telecommunication law and human rights law.

Finally, despite the fact that cyber norms were, in principle, the result of government-to-government deliberations, the private sector was affected by and influenced the development of cyber norms through cooperation and partnership mechanisms. A worthwhile effort from the private sector to encourage the international community to deal effectively with the new threats and vulnerabilities that cyber-attacks pose was Microsoft’s initiative of December 2014, which is analyzed below.

4.9 Microsoft’s initiative entitled “International Cybersecurity Norms: Reducing conflict in an Internet-dependent world”.

Microsoft, in order to limit the effects of legal uncertainty in cyberspace and to better define what types of government behaviour should be ‘out of bounds’ in cyberspace so that events do not escalate to warfare, shared a white paper about cybersecurity norms for nation-states and the global ICT industry, entitled “International Cybersecurity Norms, Reducing conflict in an Internet-dependent world” (2014). Considering the growing number of offensive capabilities, Microsoft proposed six cybersecurity norms (2017) that limit potential conflict in cyberspace and encourage the international community to establish norms of behaviour for cybersecurity as an essential step in protecting national security in the modern world and maintaining trust in services provided online. The proposed cyber norms, which are of course not legally binding but could be embedded by states in a future cybersecurity convention, are presented below (McKay et al., 2014):

1) States should not target ICT companies to insert vulnerabilities (backdoors) or take actions that would otherwise undermine public trust in products and services: “The global technology industry is founded on trust, in that consumers, enterprises, and governments depend on ICT for critical functions. Although the private sector can and does invest considerably in efforts to advance and demonstrate the assurance and integrity of products and services, states have the unique capability to direct disproportionately larger resources to exploit these products or services and to taint the broad ICT supply chains by which they are delivered. Exploitation of commercial off-the-shelf (COTS) products and services – which puts at risk every computer user dependent on that technology, even if that user is of no interest to a government – would be an action with the potential to create unacceptable impacts globally, since the degradation of trust in ICT would threaten innovation and economic security. Sophisticated state-resourced tradecraft targeting ICT companies to place backdoors or vulnerabilities in COTS products – or compromising signing keys to enable government to misrepresent the provenance of software – may exceed the commercially reasonable limits of the private sector’s operational security and integrity controls. Governments should also refrain from undermining international security standards efforts to benefit their own interests”.

2) States should have a clear principle-based policy for handling product and service vulnerabilities that reflects a strong mandate to report them to vendors rather than to stockpile, buy, sell, or exploit them: “It is well-documented that governments around the world are active participants in the cyber vulnerability market and that they exploit gray and black markets. The Heartbleed vulnerability, discovered in 2014, fueled additional speculation as to how governments stockpile vulnerabilities in ICT products rather than disclosing them to vendors to fix before they are exploited. In April 2014, in response to specific allegations against the US government, the White House published its framework approach to addressing if or when the federal government may withhold knowledge of a vulnerability from the public: “This administration takes seriously its commitment to an open and interoperable, secure and reliable Internet, and in the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest. This has been and continues to be the case.” The White House further noted that building up a “huge stockpile of undisclosed vulnerabilities” while leaving the Internet vulnerable and people unprotected would not be in the national security interest of the United States.

Although the White House reserved the right to use vulnerabilities as a method of intelligence collection, this approach does reflect a positive analysis that short-term gains to advance one objective could also create impacts that threaten other objectives, such as economic growth, technological innovation, and trust in government. For those reasons Microsoft recommended that other governments similarly develop and publicly publish their policies on vulnerability handling and that they have a preference for reporting vulnerabilities to vendors. When doing so, they should adhere to the principles of coordinated vulnerability disclosure.

3) States should exercise restraint in developing cyber weapons and should ensure that any which are developed are limited, precise, and not reusable: Microsoft recognized that governments will develop cyber weapons and protocols for their own use. When governments do build them, therefore, they should ensure that they are building cyber weapons that are controllable, precise, and not reusable by others, consistent with the concepts of distinction, discrimination, and distribution previously discussed, to limit the impacts associated with these actions.

4) States should commit to nonproliferation activities related to cyber weapons: As states increase investments in offensive cyber capabilities, care must be taken not to proliferate weapons or techniques for weaponizing code. States should establish processes to identify the intelligence, law enforcement, and financial sanctions tools that can and should be used against governments and individuals who use or intend to use cyber weapons in violation of law or international norms. Furthermore, states should agree to control the proliferation of cyber weapons in cooperation with international partners and, to the extent practicable, private industry. Implementing this norm will not only help limit state actions that could have unacceptable impacts but will also help reduce the possibility that cyber weapons could be used by non-state actors.

5) States should limit their engagement in cyber offensive operations to avoid creating a mass event: Governments should review and update their current policy positions with an appreciation for the unintended consequences or impacts in cyberspace that could escalate conflict, incite war or disproportionately harm civilian ICT. During an armed conflict, as regulated by the law of war, any attack must be justified by military necessity, intended to help in the military defeat of the enemy, with a military objective. Furthermore, the harm caused to civilians or civilian property must be proportional in relation to the concrete and direct military advantage anticipated. In other words, the action should advance defined and accepted military objectives and should not create disproportional impacts. These strictures can and should be applied to offensive cyber operations. States should recognize that attacks targeting the confidentiality, integrity, or availability of ICT systems, services, and data can have a mass effect beyond any reasonable sense of proportionality and require global action.

6) States should assist private sector efforts to detect, contain, respond to, and recover from events in cyberspace: Although governments play an increasingly important role in cyberspace, the first line of defense against cyber-attacks remains the private sector, with its globally distributed telemetry, situational awareness, and well-established incident response functions. There has not been evidence of governmental interference with private sector recovery efforts following a severe cyber-attack, but governments should commit to not interfere with the core capabilities or mechanisms required for response and recovery, including CERTs, individual response personnel, and technical response systems. Intervening in private sector response and recovery would be akin to attacking medical personnel at military hospitals. Additionally, governments should go one step further and, when asked by the private sector, commit to assist with recovery and response needs that have global and regional implications. For example, repairing cuts in underwater sea cables often requires permits and cross-border movement of technical equipment or experts, and governments can help ensure that those actions are expedited. Alternatively, a cyber event with large-scale impacts could require the rapid movement of hardware from one place to another, the need for international technical collaboration between and among governments and the private sector, and the waiving of legal barriers in times of national emergency to facilitate recovery. These norms should not only be designed to strengthen cybersecurity but also to preserve the utility of a globally connected society. 
The proposed norms are intended to reduce the possibility that ICT products and services could be used, abused, or exploited by nation states as part of offensive operations that result in unacceptable impacts, such as undermining trust in ICT; to set boundaries for how cyber weapons are developed, contained, and used; and to create a meaningful global framework for managing vulnerabilities. In addition, Microsoft (2017) has further called for a new international organization that brings together governmental and private sector experts to investigate and share evidence to attribute cyber-attacks to the responsible governments. In conclusion, this was the first non-state driven norm-making initiative hoping to catalyze progress on the development of effective cybersecurity norms and eventually to “set the limits” of acceptable and unacceptable behaviours of governments and the private sector in cyberspace. Nevertheless, despite the existence of a broad legal arsenal at EU and international level that can be deployed in the fight against cybercrime and in the protection of states’ CIIs from cyber threats, the legal classification of cyber-attacks is still problematic. The above-mentioned efforts, however important, have fallen short of a workable agreement. The lack of commonly accepted “cyber warfare-related” terms at international level has hindered the establishment of a common code of communication among states. Moreover, it has given rise to a number of controversial perceptions regarding the legal classification of the terms and their further conceptual approach. However, such a classification is critical in deciding on the applicable legal framework. More specifically, in order for the notions of “cyber-attack” and “cyber warfare” to be assessed from a legal point of view, it must be determined which area of law they fall under, or can be classified into. Given that the most complicated and high-intensity cyber-attacks were state-sponsored cyber-attacks, performed however by state or non-state actors in order to generate international effects while retaining both their anonymity and motive, it can be claimed that these cyber-attacks fall under the umbrella of international law. However, even though today there is a general recognition that international law applies to cyberspace, in the recent past there was an opposite view from some States (such as China and Russia) and academics. According to that view, international law was not sufficient to address the complicated issues that “cyber-attacks” and “cyber warfare” pose, and for that reason they claimed that cyber incidents should be met not by employing the traditional international law rules in force but by considering the introduction of new legislation – new agreements on an international/multinational level. Within this context, it is important to take a closer look at the founders – supporters of each one of these controversial viewpoints. However, before doing that, it is essential to clarify again that international law incorporates two major sets of rules, i.e. Jus ad bellum, the body of international law that governs a state’s resort to force as an instrument of its national policy and which focuses on the criteria for going to war in the first place (it covers issues such as right purpose, duly constituted authority and last resort), and Jus in bello, the international law regulating the conduct of armed conflict (also labelled the law of war, the law of armed conflict or international humanitarian law), which relates to the concept of just war-fighting (covering non-combatant immunity and proportionality). Since the core purpose of the dissertation is to determine whether a cyber-attack constitutes a wrongful “use of force”, by setting the threshold under the principles of international law, only the Jus ad bellum framework will be analysed, leaving aside the Jus in bello framework, which applies where cyber-attacks take place in parallel with armed operations of a state against the territorial integrity of another state.

Chapter 5: Redefining the current International Legal Framework to address the new challenges

This chapter sets the theoretical background for the new cyber-attack evaluation methodology. First, a thorough analysis of the international legal framework concerning cyber-attacks and cyber warfare is presented, taking into consideration the different legal approaches on the matter. Furthermore, a classification of cyber-attacks under the prism of international law is undertaken, while a transformation of these rules is carried out in order to respond to the new challenges that arise.

5.1 Cyber-attacks / Cyber warfare under the prism of Jus ad bellum

When the United Nations Charter was adopted (1945), states were menaced and threatened only by kinetic means and methods of warfare, and in that context aggression was understood as the use of armed force against the sovereignty, territorial integrity or political independence of another state (A/RES/29/3314). Aerial bombardment, ground assault, missile strikes, and other territorial incursions were the traditional kinetic methods of warfare on the military battlefield. Military operations were always focused on destroying enemy forces through the application of physical effects with the use of kinetic means of warfare. Death, injury and destruction provoked by kinetic attacks were the prerequisite criterion to define an attack as an “unauthorized use of force”. Many academics, military personnel and policy makers were unable to equate in their minds a cyber-attack with the image of a classical kinetic armed attack. That was only because they were thinking of cyber-attacks in the peacetime context of “hacking” and ignored the potential effects that could ensue from a large-scale cyber-attack, which could cause human fatalities and devastation of property. Cyber warfare is inherently “international” in nature and thus requires an international legal response (Morth, 1998). However, despite the considerable progress towards the development of national cyber security strategies (ENISA, 2012) and the adoption of the “Directive 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union” (L 194, 2016), it is doubtful whether such strategies and rules can deal adequately and effectively with the challenges posed by cyber-attacks that are (to be) qualified as cyberwar acts (Jougleux et al, 2016). However, the uncertainty surrounding cyber legislation does not mean that cyber-attacks take place in a normative void.

On the contrary, on the fundamental question of whether international law is applicable to cyber warfare, the International Group of Experts in “the Tallinn Manual” (Schmitt, 2013) came to the unanimous conclusion that the general principles of international law should also apply to cyberspace. Its task was to determine how exactly this type of law can be applied and to identify any cyber-unique aspects thereof. The rules set forth in the Tallinn Manual provide specific provisions (Rules) on the topic, intended to reflect customary international law. As far as the jus ad bellum is concerned, the principal issue is one of reconciling cyber-attacks with a well-entrenched law that seems made-to-measure for kinetic warfare. The pivotal challenge that has to be overcome is getting through the portals of the relevant provisions of the Charter of the United Nations (Roscini, 2014). Seminal studies in the international law literature dealing with the problem of cyber warfare first appeared in the late 1990s (Morth, 1998; Schmitt, 1999; Sharp, 1999), at a time when the discussion over how to deal with interstate cyber-attacks within the framework of international law was largely hypothetical. The need for international law to engage with the issue became rather more urgent, particularly following the various Distributed Denial of Service (DDoS) attacks against Estonia’s IT infrastructure in 2007. Nonetheless, international law has not caught up with this modern form of conflict: cyber warfare, at least in the first instance, remains insufficiently regulated by the law (Hoisington, 2009). The main approach in the existing scholarly research to resolve the problem of the absence of a specific international legal regulation for cyber-attacks has been to try to adapt the existing prohibition of the use of force under article 2(4) of the United Nations (UN) Charter. Article 2(4) has long been at the centre of the legal literature on cyber warfare.
It is the key legal provision setting out the prohibition of the “use of force” in modern international law. It declares that: “All members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the purposes of the United Nations”. The prohibition is unquestionably one of the most fundamental rules of the UN system and is commonly referred to as a “cornerstone” provision. Additionally, alongside its inclusion in the Charter, the prohibition is also a norm of customary international law, meaning that even non-UN member states are similarly bound. As such, the prohibition binds all the states of the world (Green, 2016). Consistently with this provision, all cyber-attacks whose purpose is to directly cause either death or injury to human beings or damage to tangible goods should undoubtedly be characterized as a “use of armed force” and thus be prohibited. As such, article 2(4) of the UN Charter prohibits the use of force by one state against another. There are, of course, exceptions to this rule that are found elsewhere in the Charter. For example, article 51 of the UN Charter provides for a right to use force in self-defence and, under articles 39-42, the UN Security Council can authorise the lawful “use of force”. However, viewing cyber warfare through the prism of article 2(4) presents an immediate problem. While a few writers have simply assumed that the prohibition of the “use of force” covers acts of cyber warfare (Graham, 2010), it is, in fact, far from straightforward to apply article 2(4) to cyber-attacks. In this line, the main debate in the literature has largely centred on the question of whether cyber warfare falls within the scope of article 2(4). There is a general consensus that the prohibition of the use of force in article 2(4) includes physical armed force, but excludes non-physical acts, such as economic or political coercion. But what about cyber-attacks which do not cause death, injury or physical destruction directly but rather indirectly? How should these acts be characterized? Thus, the main issue of concern is whether the modern phenomenon of cyber warfare should be correctly analogised with physical violence or with “non-physical” methods of interstate coercion. However, as cyber warfare covers a wide spectrum of actions, it is not a simple matter to analogise it to other types of coercive behaviour. It is, therefore, extremely difficult to determine whether article 2(4) clearly encompasses (or clearly excludes) the concept of aggressive cyber operations (Kodar, 2009). Unfortunately, article 2(4) itself does not define what it means by ‘force’, which is a major impediment. Indeed, neither “attack” nor “cyber-attack” is officially defined. However, defining “cyber-attack” is a crucial starting point for analysing its status under the principles of international law. As underlined by Tsagourias (2012), although no definition of what constitutes an “armed attack” is provided in the UN Charter, it has been accepted that an “armed attack” is a “use of force”, defined as such by its gravity and its effects rather than by the instrument employed.
Long before the advent of cyberspace, an initial debate between states and scholars was whether actions such as economic and political coercion should be considered “force” for the purposes of article 2(4), or whether the provision is restricted to what might be termed “armed force”. Furthermore, considering the travaux préparatoires of the Charter, it is evident that states at the time took a restrictive view of what they meant by “force”, in that they saw acts of economic or political coercion as falling outside of the “use of force” concept. Reference to the recorded views of the state drafters of the UN Charter, therefore, clearly indicates that the provision was originally intended to cover armed force only. The restrictive view of the meaning of ‘force’ subsequently taken by states was particularly evident in the drafting of the UN General Assembly’s Declaration on Friendly Relations (UN Doc. A/RES/25/2625, 1970). In that context, states formally debated whether “economic, political and other forms of pressure against the territorial integrity or political independence of any state were illegal uses of force”. The general view of the plenary sessions was clearly that they were not. A similarly restrictive understanding of “force” can also be seen in the UN General Assembly’s Definition of Aggression, adopted in 1974 (UN Doc. A/RES/3314, 1974). The above-mentioned arguments lead to another critical question: are cyber-attacks considered “armed force” or “non-armed force”? The traditional way of defining the distinction between “armed force” and “non-armed force” was based on armed force being an action of an “explosive nature, involving shockwaves and heat” (Brownlie). In other words, the distinction was seen as being based upon the physical, kinetic nature of the force used. Cyber warfare does not, of course, involve such kinetic, physical action. The nature of (or what might be called the “act of launching”) the majority of cyber-attacks will have rather more in common with economic attacks (Goldsmith, 2013). On this basis, in the early literature on cyber warfare, some writers argued that cyber aggression should rightly be analogised to economic or political coercion and, thus, excluded from the article 2(4) prohibition (Kanuk, 1996). In contrast, others took the view that cyber warfare has more, or certainly can have more, in common with the destruction caused by physical attacks, and so should be analogised to conventional warfare (Morth, 1998). Long before the launch of the Internet, concerns had already been advanced that the traditional approach to understanding what was covered by the notion of “armed force” for the purposes of article 2(4) was insufficient. Most famously, Brownlie (1963) took the view that a distinction based on the nature of the action missed a crucial point, namely its effects. Brownlie had in mind actions such as the use of “bacteriological, biological and chemical devices”, rather than cyber warfare, even though the point he made is today equally relevant in the cyber context. The use of biological, chemical and radiological weapons can ultimately have devastating physical effects without necessarily being “kinetic actions” in themselves (Schmitt, 2010). Yet, even when Brownlie was writing in the 1960s, it was unquestionable that states considered the use of such weapons by one state against another to be a breach of article 2(4) of the UN Charter (Roscini, 2010). As such, Brownlie argued that the distinction should be – or, rather, already was – based on the effect of an attack and not its nature.
For these reasons, most of the authors in the field have adopted an ‘effects-based’ approach to the meaning of “force” in article 2(4), including in the context of cyber warfare (Goldsmith, 2013; Haslam, 2000; Kodar, 2009; Silver, 2002). Certainly, analogising the effects of a cyber-attack seems to better encapsulate the wide spectrum of activities that can be considered “cyber warfare” than the all-or-nothing categorization approach of referencing the nature of the force used. An “effects-based” understanding of what constitutes “force” for the purposes of article 2(4) provides a more nuanced way of assessing whether cyber warfare qualifies. Instead of analogising cyber warfare to the nature of an existing action (a near impossible task, as cyber-attacks have their own unique nature), one can instead look at the results of a cyber-attack and compare these to the results of other types of action. Taking this approach, it would seem that cyber-attacks that have notably injurious consequences would constitute “force” and, thus, would be a breach of article 2(4); interstate cyber aggression resulting in less damage would not. However, despite its widespread adoption in doctrine, problems still exist with a test based on evaluating the effects of a cyber-attack. One such issue is that, by focusing on effects, breaches of the law may in part be determined by the ‘durability’ of the victim state (Nguyen, 2013). More powerful states are likely to be better able to defend themselves against cyber aggression, either because their more advanced cyber security programmes can stop an attack prior to its having had any “effects” at all, or because the infrastructure of the state is better able to deal with the implications of a cyber-attack that does in fact hit (meaning that where one state might suffer devastating effects, another may suffer far less damage from the same sort of attack). If “effects” are what matter, an attack that might not be considered as falling within the scope of article 2(4) if directed at a powerful state may incongruously qualify if the victim was a weaker one (Green, 2011). Perhaps the most problematic issue of concern is that the “effects-based approach” leads the discussion down yet another interpretive rabbit-hole: to the “effects” of what exactly are the effects of cyber warfare to be analogised? Or, to put it rather more simply: where is the threshold? Writing in the 1960s, Brownlie (1963) indicated that the weapons used needed to cause “destruction to life and property” to qualify as “force”. More recently, and specifically in relation to cyber warfare, Dinstein (2011) has argued that the term “force” in article 2(4) must denote violence. It does not matter what specific means, kinetic or electronic, are used to bring it about, but the end result must be that “violence occurred”.
However, the vast majority of interstate cyber-attacks, at least of those that have so far transpired, would probably not meet Dinstein’s “occurrence of violence” version of the effects-based test for inclusion in the article 2(4) prohibition. Dinstein’s approach has thus been criticised (Handler, 2012) on the basis that looking only at violent, physical effects is too limiting. It has been argued that this excludes too many cyber-attacks from the reach of article 2(4). For example, a cyber-attack “that corrupts data on a stock exchange and which in turn causes widespread economic harm but no direct physical damage” would have devastating effects but would not be considered a breach of article 2(4) of the UN Charter. Thus, some – still following an “effects-based approach” – argue that cyber-attacks that are particularly severe in spite of not leading to physical destruction should be included (Waxman, 2011). Under the narrower, physical-effects understanding, by contrast, a cyber-attack that results in physical damage or physical violence qualifies, and all other cyber-attacks do not. The sorts of “cyber doomsday scenarios” that are set out in the literature with increasing regularity, such as the use of computers to melt down a nuclear power plant, turn a state’s unmanned military drones against it, drop its planes from the sky and so on, would clearly be covered (Clarke and Knake, 2010). The effects of such actions would equal, or even exceed, the physical consequences of a use of traditional military force. Indeed, even below the level of such ultimate doomsday cyber-attacks, actions like the use of the Stuxnet virus against Iran in 2010 would also probably qualify, because Stuxnet led to physical damage to property. Attacks such as those against Estonia in 2007, or Georgia in 2008, can be devastating in many ways, of course, but only in terms of the disruption of infrastructure and economic loss (Nguyen, 2013). In instances where no physical destruction results, the consequences of the cyber aggression would be analogised to the effects of economic force, which, as has been discussed above, is not covered by article 2(4) of the UN Charter. The counter-argument to this, perhaps inevitably, is that economic actions can also have devastating, albeit non-physical, effects. Purely economic attacks are, as has been noted, excluded from article 2(4) per se, however severe their consequences. To allow certain acts of cyber warfare to be included in article 2(4)’s scope, on the basis that their (non-physical) effects were particularly devastating, would be to arbitrarily ignore the fact that equally injurious actions have long been considered excluded. This could lead to a slippery slope down which any and all “forcible” action would be included in the prohibition (Hoisington, 2009). It can be argued that the strength of article 2(4) is that it is reserved for the severest forms of force – physical military action between states – and that it would devalue its normative weight to allow other actions to be included (Banks, 2013). Yet, at present, there is confusion regarding the implementation of international law rules to cyber warfare.
More specifically, the following have not been clarified: (a) in which cases cyber-attacks constitute a “threat or use of force”, so that the prohibition of article 2(4) of the UN Charter can apply (Charter of the UN, 1945); (b) in which cases cyber-attacks constitute a “threat to the peace, breach of the peace, or act of aggression” (Chapter VII of the UN Charter, 1945), so that the UN Security Council may decide upon measures to restore international peace and security under Article 42 of the UN Charter; and (c) in which cases cyber-attacks can be treated as an “armed attack”, making it possible for a UN member state to respond by exercising its legitimate right of self-defense under article 51 of the UN Charter (Chapter VII of the UN Charter, 1945). The threshold inquiry is crucial to assessing the level of violence between states in order to justify a lawful response. Because the UN Charter prohibits the unauthorized “use of force”, a state must be able to quickly and safely assess whether a cyber operation constitutes a “use of force”, triggering international condemnation, economic sanctions or (active) “cyber self-defense”, or an “armed attack”, permitting a forceful response with conventional military weapons. Nevertheless, despite the progress made at regulation and research level to address the issues raised, there are still significant gaps in reaching a safe and definitive approach on when a cyber-attack constitutes a “use of force” and when the right to self-defence should be recognized (Robinson et al, 2015).

5.2 The level of intensity of cyber operations

As already mentioned and extensively analysed, both the “International Group of Experts” invited by the NATO Cooperative Cyber Defence Centre of Excellence for the production of the “Manual on the International Law applicable to Cyber warfare” (2013) and the “UN Group of Governmental Experts on Developments in the field of Information and Telecommunications in the Context of International Security” (2013) reaffirmed that “long-standing international norms guiding state behaviour in times of peace and conflict, also apply to cyberspace” (Tallinn Manual, 2013) and that “international law, and in particular the Charter of the United Nations, is applicable and essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment” (Report A/68/98/2013). However, when does a cyber operation amount to a “use of force” and is thus prohibited by article 2(4) of the UN Charter? Or, to put it more precisely, is there a minimum threshold of gravity that the destructive consequences of a cyber operation need to reach in order to constitute a violation of article 2(4)? In the cyber context, the identification and classification of the type of conflict to which particular hostilities apply as a matter of law is proving problematic. The difficulty in applying the traditional rules of international law so as to deal effectively with cyber-attacks stems from a number of factors. The most important of them is the failure to estimate properly the impact of a cyber-attack on the attacked state and on the international environment. Also, the lack of certainty in positively identifying the perpetrator of an attack makes it almost impossible to handle the “attribution problem” (Schmitt, 2011; Pipyros et al. 2016).
Moreover, the identification and classification of the conflict in question is always the first step in any international humanitarian law analysis, for the nature of the conflict determines the applicable legal regime. Accordingly, classification is a subject of seminal importance (Schmitt, 2013). Cyber operations, based on their intensity and according to international law, can be categorized as follows:

(a) The lowest level of intensity includes those cyber-attacks that are nothing more than a mere inconvenience for the state’s functionality. They do not provoke serious problems, nor do they have any impact on the stakeholders of the attack. These cyber-attacks do not constitute a “use of force”, or a threat thereof, in violation of international law.

(b) The second level of intensity includes those cyber-attacks reaching the level of a “use of force”. As foreseen in article 2(4) of the UN Charter, “all Members shall refrain, in their international relations, from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the purposes of the United Nations”. To elaborate further, this means that uses or threats of force that endanger national or international stability fall within article 2(4)’s prescriptive envelope (Schmitt, 1999).

(c) The third level of intensity refers to cyber operations in which the Security Council is actively involved by taking action so as to maintain or restore international peace and stability. In those cases, a Security Council Resolution determines whether there is a threat to the peace, breach of the peace or act of aggression, and calls for provisional measures (economic or trade sanctions) or authorizes its peacekeeping forces to use force as may be necessary.

(d) The highest level of intensity is for cyber operations reaching the level of an armed attack. In these cases, there is an inherent right of self-defence under Chapter VII of the UN Charter.

Figure 2 illustrates the level of intensity of cyber operations according to the provisions of the UN Charter.

Figure 2: Level of intensity of cyber operation (Pipyros et al., 2016)

However, the UN Charter does not provide any criteria for determining when an act amounts to a “use of force” or to an “armed attack”. Moreover, it does not provide any specifications for the Security Council in deciding what measures, and to what extent, must be taken to maintain or to restore international peace and security. In addition, Rule 10 of the Tallinn Manual, based on article 2(4) of the United Nations Charter and entitled “Prohibition of the use of force”, notes that “a cyber operation that constitutes a threat or use of force against the territorial integrity or political independence of any state, or that is in any other manner inconsistent with the purposes of the United Nations, is unlawful” (Tallinn Manual, 2013). Nevertheless, this rule does not specify in which cases cyber operations can be considered as attacks that rise to the level of a “use of force”, thus calling for the application of the prohibition of article 2(4) of the UN Charter (extended to Rule 10 of the Tallinn Manual). A potential answer to this question could be given by the next Rule of the Tallinn Manual, i.e. Rule 11, which states that “a cyber-operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force” (Tallinn Manual, 2013). It is therefore understood that, in order for a cyber-operation to be characterized as a “use of force”, a parallel interpretation is employed, meaning that an effort is made to identify cyber operations that are equivalent in terms of their results to other actions, kinetic or not, that would be described, in conventional terms, as “uses of force”.


Based on the same logic, and following article 51 of the UN Charter, Rule 13 of the Tallinn Manual, entitled “Self-Defence against Armed Attacks”, states that “a state that is the target of a cyber operation that rises to the level of an armed attack may exercise its inherent right of self-defense. Whether a cyber operation constitutes an armed attack depends on its scale and effects” (Tallinn Manual, 2013). However, in this case also, it is not clear in which cases cyber-attacks meet the scale and effects requirements so that they can be regarded, classified and handled as an “armed attack”, allowing a UN member state to respond by exercising its legitimate right of self-defense under article 51 of the UN Charter. So, it can be understood that in both Rule 11 and Rule 13 of the Tallinn Manual the term “scale and effects” is a shorthand term that refers to those quantitative and qualitative criteria that should be analyzed in order to determine whether a cyber operation qualifies as a “use of force” or an “armed attack”.

5.3 The “Scale and Effects” model assessment

The “scale and effects” concept, which was initially introduced in the so-called Nicaragua Judgment of the International Court of Justice (June 27, 1986) in a “case concerning military and paramilitary activities in and against Nicaragua”, refers to a set of criteria that gather the qualitative and quantitative characteristics for determining whether or not a hostile act rises to the level of a “use of force” or to the level of an “armed attack”. In the Nicaragua Judgment, the International Court of Justice identified the “scale and effects” criteria as those qualitative and quantitative elements that help differentiate an “armed attack” from “a mere frontier incident” (Westlaw, 2007). More specifically, the International Court of Justice noted the need to “distinguish the most grave forms of force (those constituting an armed attack) from other less grave forms” but chose to give no further details on the subject at hand. As a result, the parameters relating to a clear detection of the “scale and effects” criteria have not been further identified, apart from the indication that they need to be grave. Therefore, the question remains as to the specification of the criteria required to identify which cyber-attacks qualify as a “use of force” and, by extension, as to the handling of those cases that do not meet the necessary criteria to qualify as a “use of force”. Taking into consideration that the UN Charter does not provide any criteria for determining when an act amounts to a “use of force”, the International Group of Experts (Tallinn Manual, 2013) adopted an interpretation according to which the critical element for identifying an attack as a “use of force” or as an “armed attack” is the breadth of the impact of this attack. More specifically, they concluded that a cyber-operation amounts to a “use of force” or to an “armed attack” if its impact is analogous to the one resulting from an action otherwise qualifying as a kinetic armed attack.
By this logic, any attack producing results similar to the ones generated by an attack with the use of conventional weapons, resulting thus in death or destruction, meets the requirements of the “scale and effects” criteria. Although the International Group of Experts acknowledged the existence of a legal gap in relation to the identification of the exact point (threshold) at which an event such as death, injury, damage, destruction or suffering caused by a cyber operation fails to qualify as an “armed attack”, they were assertive as to what does not qualify as an “armed attack”, i.e., “acts of cyber intelligence gathering and cyber theft, as well as cyber operations that involve brief or periodic interruption of non-essential cyber services” (Tallinn Manual, 2013).

5.4 The qualitative criteria for cyber-attack evaluation

Given that the law is unclear as to the characterization and evaluation of a number of cyber-attacks, especially in the case of a “use of force” whose impact is not immediately visible, and taking into account the total absence of an institutional framework for the evaluation of the “use of force” and “armed attack” concepts in cyberspace, the International Group of Experts proceeded to adopt an approach, following Schmitt’s consequences-based analysis (Schmitt, 1999), that aims to objectively identify the likelihood of classifying a cyber operation as a “use of force”. This approach focuses on recognizing the impact of cyber-attacks and on equating it to the corresponding impact caused by other actions (non-kinetic or kinetic) that the international community would describe as “uses of force”. In these cases, the parallelism with, and the subsequent analogous treatment of, conventional operations that verge on being characterized as “uses of force” will be the outcome of the evaluation of non-exclusive criteria (factors) based on a case-by-case assessment. Table 1 provides the criteria as proposed by the International Group of Experts. These criteria have a non-binding nature. They are predictive tools, not normative standards, and serve as indicators that states are likely to take into consideration when making “use of force” appraisals. Moreover, as Professor Schmitt stated, “the factors must operate in concert”. As an example, a highly invasive operation that causes only inconvenience, such as a temporary denial of service, is unlikely to be classified as a “use of force”. By contrast, a number of states may categorize massive cyber operations that cripple an economy as a “use of force”, even though economic or political coercion is presumptively lawful.


Severity: Determined by the scope, duration and intensity of the consequences caused by a cyber-operation.

Immediacy: Refers to the speed with which consequences manifest themselves.

Directness: Examines the chain of causation.

Invasiveness: Refers to the degree to which cyber operations intrude into the target state or its cyber systems contrary to the interests of that state.

Measurability of effects: The more quantifiable and identifiable a set of consequences, the easier it will be for a state to assess a situation when determining whether the cyber operation in question has reached the level of a use of force.

Military Character: A nexus between the cyber operation in question and military operations heightens the likelihood of characterization as a use of force.

State Involvement: The clearer and closer a nexus between a state and cyber operations, the more likely it is that other states will characterize them as uses of force by that state.

Presumptive Legality: International law is generally prohibitive in nature. Acts that are not forbidden are permitted. Absent an express treaty or accepted customary law prohibition, an act is presumptively legal.

Table 1: The qualitative criteria for cyber-attack evaluation (The Tallinn Manual, 2013)

Schmitt himself appears to have never intended to provide an absolute algorithm for solving some of the most technically and legally challenging questions a state may face. Instead, the International Group of Experts, following Schmitt’s approach, saw it as a framework for analyzing the effects of key factors on the legal nature of a cyber-attack and the appropriate responses. As such, the Schmitt analysis is useful as a “legal interpretation tool”, i.e. an analysis method for highlighting areas of uncertainty or disagreement in multiple legal analyses and for providing a framework for evaluating differences in the interpretation of the law. Michael et al. (2003) demonstrated, via a case study of kinetic and cyber-attacks on a Supervisory Control and Data Acquisition (SCADA) system, the application of the Schmitt Analysis to the question of whether the attacks have risen to the level of a “use of force” under international law. Their aim was to perform a more academically rigorous evaluation of the factors affecting a lawful response to a cyber-attack on a safety-critical, software-intensive information system. This was achieved by taking into account both the quantitative and the qualitative aspects of the attacks, so as to reduce the “grey areas” of legal uncertainty and disagreement to an absolute minimum and to allow the most complete range of effective responses against those who attack a nation’s critical infrastructure. Two case scenarios of kinetic and cyber-attacks on the Washington Metro, i.e., Washington DC’s subway system, were demonstrated. The first case scenario involved terrorists releasing chemical gas on the Washington Metro during rush hour. The terrorists were citizens of countries with which the US, at the time of the attack, was normally at peace. The second case scenario, as in the first, involved an attack on the Washington Metro at rush hour. However, in this case scenario the terrorists used malicious code to strike the software-intensive automatic train protection system of the Metro. The attack was orchestrated from outside the US by using compromised administrative computers that Metro officials used to monitor operations. Michael et al. (2003) applied a quantitative scale to each of the seven identified factors (namely Severity, Immediacy, Directness, Invasiveness, Measurability, Presumptive Legitimacy and Responsibility) in order to evaluate the effects of both the kinetic and the cyber-attack case scenarios. In their analysis, each factor is graphically represented with a brief description of the importance or distinctiveness of the factor, a formulation of questions that would satisfy the requirements of the factor, and a vertical scale of the factor itself, with one quantitative choice located at the bottom and the other located at the top. Schmitt divided the spectrum into three broad bands, one each for relatively clear cases of each qualitative choice, and a central “gray area” for factually uncertain determinations. By applying the quantitative scale to each of the seven identified factors, any given operation could be described in qualitative terms as being closer to one end of the spectrum or the other. In other words, an action’s qualitative nature (in seven more or less binary areas) could be determined by applying any fixed quantitative figure (say, a one-to-ten scale).
Schmitt’s contribution in translating the qualitative Charter paradigm into its quantitative components (the legal equivalent of going from analogue to digital) provides a framework for scholars and practitioners to organize analysis in something other than a quantum cloud of subjective uncertainty. In the following chapter a new systematic modelling methodology is presented, aiming to evaluate the effects of cyber-attacks on states’ CII in order to answer the question of whether these attacks have risen to the level of a “use of force” under the principles of international law. In order for this to be achieved, two approaches are taken into consideration. First, the International Group of Experts’ approach is used, which is a transformation of Schmitt’s consequence-based approach (Tallinn Manual, 2013). More specifically, this approach differs by the replacement of the factor “Responsibility” with the factor “State Involvement”, which however has a similar conceptual and semantic interpretation, and by the adoption of the factor “Military Character” as a crucial factor for the determination of a cyber-attack as a “use of force”. Secondly, Multiple Attribute Decision Making (MADM) methods are applied. The analysis is based on the same case scenarios of kinetic and cyber-attacks on a SCADA system as discussed by Michael et al. (2003). Considering both the qualitative and quantitative aspects of such attacks and adding for the first time the “Military Character” attribute, as defined by the Tallinn Manual, to the calculation procedure, a more accurate and complete evaluation of such attacks is proposed.


Chapter 6: Multi-attribute decision making methods for cyber-attack evaluation

This chapter introduces the development of a systematic modelling methodology for evaluating the effects of cyber-attacks on states’ CII with the use of qualitative and quantitative methods of analysis. For the analysis of the new methodology, a case study of kinetic and cyber-attacks on a SCADA system is employed. Moreover, the new methodology is applied to real-life cyber-attacks, namely the large-scale attacks against Estonia and Iran, and cyber-attack evaluation results are presented.

6.1 Introduction

Multiple Attribute Decision Making (MADM) involves “making preference decisions (such as evaluation, prioritization and selection) over the available alternatives that are characterized by multiple, usually conflicting attributes” (Hwang and Yoon, 1981). The problems of MADM are diverse and can be found in virtually any topic. Franklin, more than 200 years ago, recognized the presence of multiple attributes in everyday decisions and suggested a workable solution (MacCrimmon, 1973). Each decision table (or decision matrix) in MADM methods has four main parts, namely: (a) alternatives, (b) attributes, (c) the weight or relative importance of each attribute, and (d) measures of performance of the alternatives with respect to the attributes. The decision table is shown in Table 2 and identifies alternatives as A_i (i = 1, 2, …, N), attributes as B_j (j = 1, 2, …, M), weights of attributes as w_j (j = 1, 2, …, M) and the measures of performance of alternatives as m_ij (i = 1, 2, …, N and j = 1, 2, …, M). Given the decision table information, the task of the decision maker is to find the best alternative and/or to rank the entire set of alternatives. Additionally, all the elements in the decision table must be normalized to the same units, so that all possible attributes in the decision problem can be considered (Rao, 2007).

Alternatives     Attributes
                 B1 (w1)    B2 (w2)    ...    BM (wM)
A1               m11        m12        ...    m1M
...              ...        ...        ...    ...
AN               mN1        mN2        ...    mNM

Table 2: The decision table in MADM methods


Multi-Attribute Decision Making Methods for Cyber-attack Evaluation

By using Schmitt’s analysis, three different MADM methods are applied for evaluating the effects of cyber-attacks in order to answer the question of whether these attacks have risen to the level of a “use of force” under jus ad bellum, that body of international law that governs a state’s resort to force as an instrument of its national policy. This is primarily achieved by adopting the “effects-based” or “consequences-based” approach, which focuses on the overall effect of a cyber operation on the victim state, as well as by using the qualitative criteria for recognizing the impact of cyber-attacks as proposed by the International Group of Experts in the Tallinn Manual. More specifically, two MADM methods are applied first: the Simple Additive Weighting (SAW) method and the Weighted Product Method (WPM). For the analysis, the same case study of kinetic and cyber-attack scenarios used by Michael et al. (2003) in the context of Schmitt’s analysis (Schmitt, 1999) is employed. The pros and cons of each MADM method are evaluated and cyber-attack evaluation results are presented. The weaknesses of each MADM method lead the author to present a new cyber-attack evaluation methodology that combines the decision-making algorithms of the two MADM methods and introduces a new grouping of the International Group of Experts’ criteria based on their distinctive features. Finally, the two MADM methods (SAW and WPM) and the proposed methodology are applied to real-life cyber-attacks, namely the large-scale attacks against Estonia and Iran, and cyber-attack evaluation results are presented.

The correlation of both qualitative and quantitative methods of analysis allows us to achieve an improved cyber-attack evaluation assessment and, as a result, a more accurate and complete cyber-attack classification. The usefulness of the methodology lies in areas where there is uncertainty or disagreement among a number of legal analyses, and in providing a means of addressing the issues relating to the content of the “use of force” concept.

6.2 The Simple Additive Weighting (SAW) Method

In this section the SAW methodology is described in detail for ranking cyber-attacks on safety-critical information systems. The SAW method, also called the weighted sum method (Fishburn, 1967), is probably the best known and most widely used MADM method, and it is also the simplest. It calculates the overall score of an alternative as the weighted sum of the attribute scores or utilities. Each attribute is given a weight, and the sum of all weights must be 1. Each alternative is assessed with regard to every attribute. The overall or composite performance score of an alternative is given by the following equation:


Equation 1: Overall score with SAW method

where P_i is the overall, or composite, score of alternative A_i. The alternative with the highest value of P_i is considered the best alternative. Table 3 shows the decision matrix for a kinetic and a cyber-attack on a SCADA system, as presented by Michael et al. (2003). It is important to note that, besides the criteria used by the above-mentioned authors, in this study one more attribute is added to the calculation procedure, i.e., “Military Character”, as defined by the International Group of Experts in the Tallinn Manual. The attributes are given the same weights as in Michael et al. (2003), normalized so that they sum to 1. Moreover, the “Military Character” attribute is given the maximum weight of 0.16, as it is a crucial factor in characterizing a cyber operation as a “use of force”.

Alternatives     Severity  Immediacy  Directness  Invasiveness  Measurability  Presumptive  State        Military
                                                                of effects     Legality     Involvement  Character
Weight           0.15      0.12       0.08        0.16          0.09           0.12         0.12         0.16
Kinetic-Attack   8         8          8           9             8              8            5            8
Cyber-Attack     8         9          9           5             9              5            5            4

Table 3: The decision table for kinetic and cyber-attacks (Michael, Wingfield and Wijesekera)

In Table 4, the kinetic and cyber-attacks described in the decision matrix of Table 3 are evaluated using the SAW method. It appears that the kinetic attack is more critical than the cyber one.

Alternatives     SAW (P_i)
Kinetic-Attack   7.8
Cyber-Attack     6.45

Table 4: Ranking using the SAW method

Schmitt (1999) divided the spectrum into three broad bands, one for relatively clear cases of each qualitative choice and a central “grey area” for factually uncertain determinations (Figure 3).


Figure 3: The qualitative scale for cyber-attacks evaluation proposed by Michael Schmitt

Using the quantitative scale of Figure 3 and taking into account the results of Table 4, the impact of the kinetic attack can be placed on the low end of the high range of the Schmitt scale. Respectively, the impact of the cyber-attack can be placed on the high end of the central “grey area” of the Schmitt scale. Therefore, a “use of force” occurred only in the first scenario (kinetic attack). Taking into consideration both the qualitative and the quantitative aspects of such attacks and adding the “Military Character” attribute, as defined by the International Group of Experts, to the calculation procedure, a more accurate and complete evaluation of such attacks is achieved. Nonetheless, the SAW method still has specific weaknesses. In order to show these weaknesses, the following example is presented. Using the kinetic attack of Michael et al. (2003), let us assume a hypothetical attack where the “State Involvement” attribute is given a value of zero and the other attributes hold the same values as presented above. For this case, the SAW method will place the consequences of the attack on the high end of the central “grey area” of the Schmitt scale, where it cannot be determined whether an armed attack occurred or not. However, it is generally accepted that when the “State Involvement” attribute value of an attack is close to zero, this attack is unlikely to be classified as a “use of force”. This is because the clearer and closer the nexus between a state and a cyber operation, the more likely it is to be characterized as a “use of force”. Absent “State Involvement”, it is unlikely that a cyber operation will be characterized as a “use of force”. Therefore, it should be classified in the low range of the Schmitt scale, not in the central area. This example shows that the SAW methodology cannot appropriately model such kinds of attacks (Pipyros et al., 2016).


6.3 The Weighted Product Method (WPM)

The Weighted Product Method was introduced by Bridgman (1922). According to Yoon and Hwang (1995), the method possesses sound logic and is computationally simple, but has not been widely utilized. Contrary to the SAW method, the different measurement units here do not have to be transformed into a dimensionless scale by a normalization process. This is because in the WPM method the attributes are connected by multiplication, and the weights become exponents associated with each attribute value. In this method, the overall or composite performance score of the alternatives is given by Equation 2:

Equation 2: Overall score with WPM method

Each value of an alternative with respect to an attribute, i.e. m_ij, is raised to the power of the relative weight of the corresponding attribute. The alternative with the highest P_i value is considered the best alternative. In Table 5, the kinetic and cyber-attacks described in the decision matrix of Table 3 are evaluated using the WPM method. We observe again that the kinetic attack is more critical than the cyber one. WPM operates on the premise that, in the absence of a conclusive definitional threshold with widespread acceptance within the international community, states must be highly sensitive to the international community’s probable assessment of whether a cyber-operation violates the prohibition on the “use of force”.

Alternatives     WPM (P_i)
Kinetic-Attack   7.7051
Cyber-Attack     6.1392

Table 5: Ranking using the WPM method

Assuming again the hypothetical attack of the previous section, where the “State Involvement” attribute of the kinetic attack is given a value of zero while the other attributes keep the same values, it is easily understood that the overall performance score (which is a product) now becomes zero. This is because in the WPM method the attributes are connected by multiplication. Thus, for this case the WPM method will classify the consequences of the attack as not a “use of force”, whichever quantitative scale one decides to use. Although applying WPM to some kinds of attacks gives better results than SAW, the lack of a definitional threshold for their appropriate ranking and classification seems to be a major drawback. Moreover, the nonlinear relationship between attributes and overall score in WPM makes the definition of a quantitative scale for the classification of attacks more difficult than with the SAW method (where a linear relationship exists). For these reasons, the following section presents a new strategy for cyber-attack evaluation that combines the use of the first two decision-making algorithms and introduces a new grouping of Schmitt’s criteria for achieving a better modelling of attacks.

6.4 A new strategy for cyber-attack evaluation in the context of Tallinn Manual

In this section the analysis is continued by presenting a new modelling methodology that introduces a new calculation procedure and a new usage of Schmitt’s criteria for the better modelling and evaluation of cyber-attacks (Pipyros et al., 2017). This new strategy combines the use of the previous two decision-making algorithms and introduces a new grouping of Schmitt’s criteria, based on their properties, for achieving a better modelling of attacks. Figure 4 is a schematic diagram of this new strategy for cyber operations evaluation. The next paragraphs describe the new methodology.

Figure 4: The schematic diagram of the new methodology for cyber-attack evaluation

Firstly, as shown in Figure 4, “Severity”, “Immediacy”, “Invasiveness” and “Directness” are grouped together, giving a new group named “Intensity”. “Severity” refers to the degree of destruction of critical infrastructure or loss of human lives. It is, self-evidently, the most significant factor of the analysis. “Immediacy” focuses on the temporal aspects of the consequences in question, whereas “Directness” examines the chain of causation (the indirect causal connection between the initial act and its effects). Furthermore, “Invasiveness” refers to the degree to which cyber-attacks intrude into the target state or its cyber systems contrary to the interests of that state. The more secure a targeted cyber system, the greater the concern as to its penetration. The four criteria are grouped together for two reasons: a) they refer to the magnitude (intensity) of a cyber-attack, and b) they can be quantified by using the same quantitative scale (say, a one-to-ten scale). These attributes are the base of the calculation procedure and, by applying the SAW method, the “Intensity” group score of a cyber-attack can be calculated. Table 6 shows the decision matrix for the above-mentioned kinetic and cyber-attack on a SCADA system, used to calculate the “Intensity” score of such attacks. To do so, the decision matrix uses four of Schmitt’s criteria: “Severity”, “Immediacy”, “Directness” and “Invasiveness”. The weights of these attributes are redefined in this example so that they meet the requirement that the sum of all weights equals 1.

Alternatives     Severity  Immediacy  Directness  Invasiveness
Weight           0.29      0.24       0.16        0.31
Kinetic-Attack   8         8          8           9
Cyber-Attack     8         9          9           5

Table 6: The decision table for kinetic and cyber-attacks for “Intensity” score calculation

In Table 7, the “Intensity” score of the kinetic and of the cyber-attack described in the decision matrix of Table 6 is calculated using the SAW method. It appears that the “Intensity” score of the kinetic attack is higher than that of the cyber one.

Alternatives     Intensity (P_i)
Kinetic-Attack   8.31
Cyber-Attack     7.47

Table 7: Ranking using the SAW method for “Intensity” score calculation

Next, as presented in Figure 4, the “Intensity” score of an attack is multiplied by the “Measurability” attribute to calculate the “Total Intensity” score. The more quantifiable and identifiable a set of consequences, the easier it will be for a state to assess the situation when determining whether the cyber operation in question has reached the level of a “use of force”. The “Measurability” attribute is quantified on a scale from 0 to 1. A value of 1 means that a complete and accurate (100%) measurement of the effects of an attack can be achieved; a value of zero means that the effects of an attack are not measurable. In Table 8, the “Total Intensity” score of the kinetic and cyber-attacks described in the decision matrix of Table 6 is calculated.

Alternatives      Intensity (Pi)   Measurability   Total Intensity
Kinetic-Attack    8.31             0.9             7.479
Cyber-Attack      7.47             0.8             5.976

Table 8: Calculating the “Total Intensity” score

78


Last but not least, “State Involvement”, “Military Character” and “Presumptive Legitimacy” are among the most valuable factors for characterizing a cyber-operation as a “use of force” or not. The extent of “State Involvement” in a cyber-operation lies along a continuum from operations conducted by a state itself to those in which its involvement is peripheral. The clearer and closer the nexus between a state and a cyber operation, the more likely it is that other states will characterize it as a “use of force”. Furthermore, a nexus between the cyber operation in question and military operations heightens the likelihood of characterization as a “use of force”. The “use of force” has traditionally been understood to imply force employed by the military or other armed forces; this contention is supported by the fact that the UN Charter is particularly concerned with military actions. Finally, absent an express treaty or accepted customary international law prohibition, an act is presumptively legal. This being so, acts like propaganda, espionage and psychological operations are less likely to be considered by states as uses of force. Only if the criteria of “State Involvement”, “Military Character” and “Presumptive Legitimacy” are met can a state characterize a cyber-attack as a “use of force”. For this reason, in order to quantify them we use binary logic, assigning to them the values 0 or 1 (false or true).

In Figure 4, the attributes “Total Intensity”, “Military Character”, “State Involvement” and “Presumptive Legitimacy” are connected by multiplication. Thus, the last three must all be “true” for the evaluation procedure to yield a non-zero overall score as its final result; if any one of them is zero, the overall score will also be zero. Therefore, when evaluating cyber-attacks with this methodology it is of fundamental importance to be able to decide whether these three criteria are met or not. 
In Table 9, we calculate the overall score of the kinetic and cyber-attacks described in the decision matrix of Table 6 by using our methodology. It is observed that the kinetic attack is more critical than the cyber one.

Alternatives      Total Intensity   State Involvement   Military Character   Presumptive Legitimacy   Overall Score
Kinetic-Attack    7.479             1                   1                    1                        7.479
Cyber-Attack      5.976             0                   0                    0                        0

Table 9: Calculating the overall score

Thus, using again the quantitative scale of Figure 4 and taking into account the results of Table 9, the consequences of the kinetic attack can be placed on the low end of the high range on the Schmitt scale and the consequences of the cyber-attack on the low range on the Schmitt scale. Therefore, a “use of force” occurred only in the first scenario (kinetic attack).


6.5 Application of the new cyber-attack evaluation methodology to the Estonian and the Iranian cyber-attacks

In this section, by using the IGEs' approach as described in the Tallinn Manual and by applying the three multi-attribute decision making methods (SAW, WPM and the proposed cyber-attack evaluation methodology analyzed above), the real-life cyber-attack incidents against Estonia and Iran are evaluated in order to answer the question of whether these cyber-attacks have risen to the level of a “use of force” under the principles of international law (Pipyros, Mitrou and Gritzalis, 2017). Table 10 presents the decision matrix for the cyber-attacks against Estonia and Iran. It is important to note that the weight value of each attribute was evaluated based on the consequences analysis approach of the IGEs. Additionally, the value of each attribute for each alternative was evaluated based on the real-life cyber-attack analysis of Section 2.2.3. Furthermore, the weights were normalized so that they sum to 1.

Alternatives                 Severity   Immediacy   Directness   Invasiveness   Measurability of effects   Presumptive Legality   State Involvement   Military Character
Weight                       0.18       0.16        0.08         0.08           0.08                       0.08                   0.18                0.16
The Estonian Cyber-Attack    7          8           6            7              7                          5                      5                   6
The Iranian Cyber-Attack     9          7           8            10             8                          9                      5                   8

Table 10: The decision table for the Estonian and the Iranian cyber-attacks

In Table 11, the cyber-attacks against Estonia and Iran, which are described in the decision matrix of Table 10, are evaluated using the SAW method. It appears that the cyber-attack on Iran is more critical than the Estonian one.

Alternatives                 SAW (Pi)
The Estonian Cyber-Attack    7.8
The Iranian Cyber-Attack     6.45

Table 11: Ranking using the SAW method for the Estonian and the Iranian cyber-attacks


Using the qualitative scale of Figure 4 and taking into consideration the results of Table 11, the impact of the Estonian cyber-attack can be placed at the high end of the central “grey area” on the Schmitt scale. Therefore, the cyber-attack against Estonia is arguably a “use of force”. On the contrary, the impact of the Iranian cyber-attack can be placed at the low end of the high range on the Schmitt scale. Therefore, the cyber-attack on Iran’s nuclear facilities was definitely a “use of force”.

Having presented and calculated the Estonian and the Iranian cyber-attacks using the SAW method, I will proceed to the evaluation and calculation of those attacks using WPM. In Table 12, the Estonian and the Iranian cyber-attacks are evaluated using the WPM and the decision matrix of Table 10. It is observed that the cyber-attack against Iran is more critical than the Estonian case (as with the SAW method). WPM operates on the premise that, in the absence of a conclusive definitional threshold with widespread acceptance within the international community, states must be highly sensitive to the international community’s probable assessment of whether a cyber operation violates the prohibition on the “use of force”.

Alternatives                 WPM (Pi)
The Estonian Cyber-Attack    6.31
The Iranian Cyber-Attack     7.55

Table 12: Ranking using the WPM method for the Estonian and the Iranian cyber-attacks
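The weighted product calculation behind Table 12, as an added worked example of my own (not code from the thesis): it takes the Table 10 weights and scores, computes the absolute WPM value P_i = Π_j x_ij^w_j for each incident, and also the classical pairwise WPM ratio P(A/B) = Π_j (a_j/b_j)^w_j, which is how the method was originally stated. The data are Table 10's; the function names and the input check are assumptions of this example.

```python
import math

# Decision matrix of Table 10: the eight IGE criteria, weights summing to 1,
# and the 0-10 scores assigned to the two real-life incidents.
CRITERIA = ("Severity", "Immediacy", "Directness", "Invasiveness",
            "Measurability of effects", "Presumptive Legality",
            "State Involvement", "Military Character")
WEIGHTS = (0.18, 0.16, 0.08, 0.08, 0.08, 0.08, 0.18, 0.16)
SCORES = {
    "The Estonian Cyber-Attack": (7, 8, 6, 7, 7, 5, 5, 6),
    "The Iranian Cyber-Attack": (9, 7, 8, 10, 8, 9, 5, 8),
}


def check_inputs(scores, weights, tol=1e-9):
    """WPM needs normalised weights and strictly positive scores: a 0 score
    would zero the whole product, and a negative score is undefined under a
    fractional exponent."""
    if len(scores) != len(weights):
        raise ValueError("one score per criterion is required")
    if abs(sum(weights) - 1.0) > tol or any(w < 0 for w in weights):
        raise ValueError("weights must be non-negative and sum to 1")
    if any(x <= 0 for x in scores):
        raise ValueError("WPM scores must be strictly positive")


def wpm_score(scores, weights):
    """Absolute WPM value (Table 12): P_i = prod_j x_ij ** w_j, i.e. the
    weighted geometric mean of the row."""
    check_inputs(scores, weights)
    return math.prod(x ** w for x, w in zip(scores, weights))


def wpm_ratio(a, b, weights):
    """Classical pairwise WPM: P(A/B) = prod_j (a_j / b_j) ** w_j.
    A value > 1 means alternative A dominates B; it equals
    wpm_score(a) / wpm_score(b)."""
    check_inputs(a, weights)
    check_inputs(b, weights)
    return math.prod((x / y) ** w for x, y, w in zip(a, b, weights))


def rank(matrix, weights):
    """Return [(name, score), ...] ordered from most to least critical."""
    scored = [(name, wpm_score(row, weights)) for name, row in matrix.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank(SCORES, WEIGHTS):
        print(f"{name:26s} WPM = {score:.2f}")
    print("Iran/Estonia ratio =",
          round(wpm_ratio(SCORES["The Iranian Cyber-Attack"],
                          SCORES["The Estonian Cyber-Attack"], WEIGHTS), 3))
```

Because the aggregation is a product of powers rather than a sum, a very low score on any single criterion pulls the whole WPM value down far more than it would under SAW, and a zero score annihilates it outright; the input check above rejects that case instead of silently ranking the alternative last.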

However, the weaknesses of the SAW and WPM methods, as described above, lead to the evaluation of the real-life cyber-attacks against Estonia and Iran using the new cyber-attack evaluation methodology, which introduces a new calculation procedure and a new usage of the IGEs' qualitative criteria for the better evaluation and classification of cyber-attacks. The calculation procedure of the new methodology, with the use of the previous two decision making algorithms and the differentiation of the IGEs' qualitative criteria based on their distinctive features, has been described in the previous section, and its schematic diagram is given in Figure 4. In the next paragraphs the new methodology is applied to the Estonian and the Iranian cyber-attacks. Table 13 presents the decision matrix of the Estonian and Iranian cyber-attacks used to calculate the “Intensity” score of these attacks. For doing so, we use in the decision matrix the four IGEs' criteria, namely “Severity”, “Immediacy”, “Directness” and “Invasiveness”. The weights of these attributes need to be redefined so that they meet the requirement that the sum of all weights is 1.


Alternatives                 Severity   Immediacy   Directness   Invasiveness
Weight                       0.38       0.30        0.16         0.16
The Estonian Cyber-Attack    7          8           6            7
The Iranian Cyber-Attack     9          7           8            10

Table 13: The decision table for the cyber-attacks against Estonia and Iran for “Intensity” score calculation

In Table 14, by using the SAW method, the “Intensity” scores of the Estonian and the Iranian cyber-attacks, as described in the decision matrix of Table 13, are calculated. It appears that the “Intensity” score of the cyber-attack against Iran is higher than that of the cyber-attack against Estonia.

Alternatives                 Intensity (Pi)
The Estonian Cyber-Attack    7.14
The Iranian Cyber-Attack     8.40

Table 14: Ranking using the SAW method for the Estonian and the Iranian cyber-attacks

Next, as presented in Figure 4, the “Intensity” scores of the Estonian and the Iranian cyber-attacks are multiplied by the “Measurability” attribute to calculate the “Total Intensity” score. The more quantifiable and identifiable a set of consequences, the easier it will be for a state to assess the situation when determining whether the cyber operation in question has reached the level of a “use of force”. The “Measurability” attribute is quantified on a scale from 0 to 1: a value of 1 means that a complete and accurate (100%) measurement of the effects of an attack can be achieved, while zero means that the effects of an attack are not measurable. In Table 15, the “Total Intensity” score of the cyber-attacks against Estonia and Iran, as described in the decision matrix of Table 13, is calculated.

Alternatives                 Intensity (Pi)   Measurability of effects   Total Intensity
The Estonian Cyber-Attack    7.14             0.7                        4.99
The Iranian Cyber-Attack     8.40             0.8                        6.72

Table 15: Calculating the “Total Intensity” score for the Estonian and the Iranian cyber-attacks

In Table 16, the “Overall Score” of the cyber-attacks against Estonia and Iran, as described in the decision matrix of Table 13, is calculated by using the proposed methodology. It is observed that the cyber-attack on Iran is more critical than the Estonian one.


Alternatives                 Total Intensity   State Involvement   Military Character   Presumptive Legitimacy   Overall Score
The Estonian Cyber-Attack    4.99              1                   1                    1                        4.99
The Iranian Cyber-Attack     6.77              1                   1                    1                        6.77

Table 16: Calculating the overall score for the Estonian and the Iranian cyber-attacks
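The Figure 4 procedure end to end, as an added worked example of my own (not code from the thesis), covering both applications of the new methodology: the SCADA kinetic-versus-cyber comparison of Tables 6 to 9 and the Estonian and Iranian cases of Tables 13 to 16. It computes the “Intensity” score with SAW over the four criteria, multiplies by “Measurability”, then multiplies by the three binary criteria so that a single “false” zeroes the overall score. Weights and scores are taken from those tables; the `Alternative` record, the function names and the range checks are assumptions of this example. Full precision is kept internally (7.14 × 0.7 = 4.998) and values are rounded only when printed.

```python
from dataclasses import dataclass

# The four IGE criteria that feed the "Intensity" group score (Figure 4).
INTENSITY_CRITERIA = ("Severity", "Immediacy", "Directness", "Invasiveness")


def check_weights(weights, tol=1e-9):
    """The text requires the Intensity weights to be non-negative and to sum to 1."""
    if len(weights) != len(INTENSITY_CRITERIA):
        raise ValueError("one weight per Intensity criterion is required")
    if any(w < 0 for w in weights) or abs(sum(weights) - 1.0) > tol:
        raise ValueError(f"weights {weights} must be non-negative and sum to 1")


def saw_score(scores, weights):
    """Simple Additive Weighting: P_i = sum_j w_j * x_ij over the Intensity criteria."""
    check_weights(weights)
    return sum(w * x for w, x in zip(weights, scores))


@dataclass(frozen=True)
class Alternative:
    """One row of the decision matrix (record type assumed for this example)."""
    name: str
    intensity_scores: tuple   # Severity, Immediacy, Directness, Invasiveness on the 0-10 scale
    measurability: float      # 0 = effects not measurable ... 1 = fully (100%) measurable
    state_involvement: bool   # the three binary (0/1) criteria of Figure 4
    military_character: bool
    presumptive_legitimacy: bool


def evaluate(alt, weights):
    """Figure 4 pipeline: Intensity (SAW) -> x Measurability -> x the three binary gates."""
    if not 0.0 <= alt.measurability <= 1.0:
        raise ValueError("Measurability must lie on the 0..1 scale")
    intensity = saw_score(alt.intensity_scores, weights)
    total_intensity = intensity * alt.measurability
    # Multiplication by 0/1 values: a single "false" criterion zeroes the overall score.
    gate = int(alt.state_involvement and alt.military_character and alt.presumptive_legitimacy)
    return {"intensity": intensity,
            "total_intensity": total_intensity,
            "overall": total_intensity * gate}


def evaluate_all(alternatives, weights):
    """Evaluate every alternative of a decision matrix under one weight vector."""
    return {a.name: evaluate(a, weights) for a in alternatives}


# Decision matrix of Table 6 (kinetic vs cyber attack on a SCADA system),
# Measurability from Table 8 and the binary criteria from Table 9.
SCADA_WEIGHTS = (0.29, 0.24, 0.16, 0.31)
SCADA = [
    Alternative("Kinetic-Attack", (8, 8, 8, 9), 0.9, True, True, True),
    Alternative("Cyber-Attack", (8, 9, 9, 5), 0.8, False, False, False),
]

# Decision matrix of Table 13 (Estonia, Iran), Measurability from Table 15
# and the binary criteria from Table 16.
TALLINN_WEIGHTS = (0.38, 0.30, 0.16, 0.16)
CASES = [
    Alternative("The Estonian Cyber-Attack", (7, 8, 6, 7), 0.7, True, True, True),
    Alternative("The Iranian Cyber-Attack", (9, 7, 8, 10), 0.8, True, True, True),
]

if __name__ == "__main__":
    for label, alts, w in (("Tables 6-9", SCADA, SCADA_WEIGHTS),
                           ("Tables 13-16", CASES, TALLINN_WEIGHTS)):
        print(label)
        for name, r in evaluate_all(alts, w).items():
            print(f"  {name:26s} intensity={r['intensity']:.2f} "
                  f"total={r['total_intensity']:.3f} overall={r['overall']:.3f}")
```

The binary criteria are deliberately modelled as booleans rather than as weighted 0-10 scores: in this methodology they act as a gate on the result, not as one more term in the sum, which is exactly the difference from feeding all eight criteria into SAW or WPM as in Tables 10 to 12.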

Thus, using again the quantitative scale of Figure 4 and considering the results of Table 16, the consequences of the cyber-attack against Estonia are placed in the middle of the central “grey area” on the Schmitt scale, which denotes that the cyber-attack against Estonia was arguably a “use of force”. Then again, the consequences of the cyber-attack against Iran are placed at the low end of the high range on the Schmitt scale, which denotes that the cyber-attack against Iran was actually a “use of force”.

In conclusion, the existing legal norms do not offer a comprehensive framework within which states can shape policy towards the threat of hostile cyber operations. Furthermore, state practice is lacking in characterizing a cyber operation as a “use of force” or not. Even though there have been many cyber operations that could reach the level of a “use of force”, in none of these cases have states been identified as the initiator of a cyber operation which might amount to a “use of force”. The threshold of a “use of force” must balance, on the one hand, a state’s willingness to avoid any harmful consequences caused by the actions of other states and, on the other hand, its motivation to preserve its own freedom of action. The evaluation criteria proposed by the International Group of Experts in the Tallinn Manual seek to balance these conflicting objectives. However, as Schmitt admitted (2011), “the criteria are admittedly imprecise, thereby permitting states significant latitude in characterizing a cyber-operation as a ‘use of force’ or not”. Furthermore, a state, depending on the attendant circumstances, may also look to other factors such as the prevailing political environment, whether the operation portends a future “use of force”, the identity of the attacker and the nature of the target. 
In fact, a finding that a cyber or a kinetic attack is a “use of force” is a political rather than a legal decision, as it shows the state’s willingness to involve itself in a particular matter. For the above-mentioned reasons, the author has chosen to present this new cyber-attack evaluation methodology in a manner that provides a clear structure for discussion. It was not my intent to provide an absolute algorithm for producing the “right answer” given any input. The proposed systematic methodology is applied in order to portray a better modelling evaluation of cyber-attacks. Its differentiation from previous cyber-attack methods is acknowledged in the following ways: (a) by developing a combined multi-methodology, with the use of qualitative and quantitative methods of analysis, able to pinpoint and assess the impact provoked by cyber-attacks on states’ CII; (b) by developing algorithms and strategies that can be implemented for the identification and classification of cyber-attacks on states’ CII in accordance with international law. The identification and classification of the conflict is of seminal importance because the nature of the conflict in question determines the applicable legal regime. This is the first method that achieves an improved cyber-attack evaluation assessment and, as a result, a more accurate and complete cyber-attack classification under the principles of international law. The usefulness of the methodology is perceived in areas where there is uncertainty or disagreement in a number of legal analyses, and in making available a means for addressing all issues having to do with interstate violence. The threshold inquiry is crucial to assessing the level of violence between states in order to justify a lawful response. Because the UN Charter prohibits the unauthorized “use of force”, a state must be able to quickly and safely assess whether a cyber-attack constitutes a “use of force” triggering international condemnation and economic sanctions, (active) “cyber self-defense” – or an “armed attack” (with the use of conventional military weapons) as a forceful response. Finally, the methodology could act as a basis for the assessment and classification of cyber-attacks that are directed towards Software-Intensive (SI) systems, a component of a state’s CII. In the following section, similarities between the proposed methodology and the risk-based criticality analysis methodologies used for assessing CII will be identified. Possible application of the risk-based criticality analysis methodologies to the cyber-attack assessment framework could operate as a proactive cyber defence tool.

6.6 Cyber-attack evaluation using criticality analysis methodologies: A proactive cyber defence tool

As can be understood, the characterization and categorization of cyber-attacks depends largely on the size of their consequences. In other words, the categorization of this type of attack depends heavily on its impact level, both in terms of loss of human lives and in terms of destruction of critical infrastructures. So, the degree of the visible as well as the long-term effects of a cyber-attack constitutes a critical factor for its categorization, and the greater the degree of impact of a cyber-attack, the greater the chances of it being characterized as a ‘use of force’ or, even worse, as an ‘armed attack’ when its size is so great as to cause loss of human lives. So, the critical issue here is the method of measuring the impact of a cyber-attack. Unfortunately, as has already become apparent, the relevant criteria proposed by the International Group of Experts have failed to accurately identify the precise extent of impact of a cyber-attack, since its effects are often not readily visible in the short term and the measurability of the effects of a cyber-attack is frequently a matter of subjective interpretation.


If the impact level of cyber-attacks could be determined through the use of qualitative and quantitative criteria, it would possibly be much easier to classify and categorize them based on the principles of International Humanitarian Law. On the other hand, one can easily notice that the same impact factors proposed by the International Group of Experts for the categorization and characterization of cyber-attacks are also employed as criteria in risk criticality analysis methodologies to prioritize assets and infrastructures. For example, at the European level, Council Directive 2008/114/EC of 8 December 2008 ‘on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection’, following a relevant European Commission Communication (COM 786, 07.06.2007), identified the following as the minimum set of criteria that should be considered by member states when attempting to assess their critical infrastructures: (i) public safety – including issues such as population affected, loss of life, medical illness, serious injury and evacuation; (ii) economic effect – which takes into consideration the GDP effect, the significance of economic loss and/or the degradation of products or services; (iii) environmental effect – i.e. effect on the public and the surrounding environment; (iv) interdependency – which has to do with interdependencies between critical infrastructure elements; (v) political effects – that is, confidence in the government; and (vi) psychological effects – i.e. psychological effects on the population. The evaluation of these criteria takes place in terms of their scope (local, regional, national and international) and time (during and after the incident) (Theoharidou, Kotzanikolaou and Gritzalis, 2009). Respectively, at the international level, the U.S. National Infrastructure Protection Plan identifies the following criteria for evaluating consequences: (i) public health and safety – including the effect on human life and physical well-being; (ii) economic – which takes into consideration direct and indirect economic losses; (iii) psychological – i.e. the effect on public morale and the degree of confidence of the people in economic and political institutions; and (iv) governance/mission – which relates to the effect on the ability of the government or industry to maintain order, deliver essential services, ensure public health and safety and carry out national security-related missions (U.S. Department of Homeland Security, 2009).

It becomes clear that the evaluation criteria used for assessing critical ICTs are focused more on evaluating risks related to external impacts, that is, impacts associated with socioeconomic consequences and their effect on citizens, since they are directly linked to the critical infrastructures affected per se and indirectly associated with the implications of the collapse or degradation of these critical ICTs for the well-being of the citizens. This approach contrasts with the traditional risk analysis methodologies that focus more on the implications of the collapse or deterioration of infrastructure for the respective department or agency that relates to it (internal impacts), rather than on the external impacts of this collapse or deterioration on the citizens. Consequently, there is a strong interdependency between cyber-attacks and the corresponding risk criticality analysis methodologies used for assessing critical infrastructure and networks (ICTs), since both are characterized by the same impact factors during their evaluation process.

Based on everything mentioned above, one could proceed to an assessment of cyber-attacks by adopting risk-based criticality analysis methodologies. A case in point is the generic risk-based criticality analysis methodology proposed by Theoharidou, Kotzanikolaou and Gritzalis (2009), in which a detailed list of impact criteria is presented for assessing the criticality level of infrastructures. What differentiates this method from traditional risk analysis methodologies is the fact that it assumes the same societal and sector-based impact factors used by the International Group of Experts for characterizing and assessing the intensity of cyber-attacks, thus allowing the parallelism and the adoption of the same evaluation criteria for assessing cyber-attacks. This criticality analysis methodology, whose primary role is to serve as a base for assessing risk associated with critical ICTs, can also serve as a scale for measuring the intensity of cyber-attacks in order to enable a quantification of the ‘scale and effect’ criteria, using qualitative and quantitative variables such as the ones recommended by the International Group of Experts in the Tallinn Manual, and possibly adopting other criteria, so that it becomes easier to identify when such acts verge on the so-called ‘use of force’ standard, which is used for determining whether or not a state has violated Article 2(4) of the United Nations Charter and the related customary international law prohibition. 
Furthermore, the same methodology could be used to indicate whether a cyber-operation reaches the level of being characterized as a ‘use of force’ or as an ‘armed attack’, thus allowing a UN member state to respond by exercising its legitimate right of self-defense according to Article 51 of the UN Charter. Similarly, the above method could serve as a scale for the Security Council to decide when a cyber-attack constitutes a ‘threat to the peace, breach of the peace or act of aggression’, so that the required measures to restore international peace and security under Article 42 of the UN Charter can be adopted. In other words, the adoption of the criticality risk analysis methodology can serve as a means for estimating the impact of a cyber-attack in the host country and in the international environment. Conclusively, the discussed evaluation methodology, using as a reference point the above-mentioned criteria, could be used as a method for stressing areas where there is uncertainty or disagreement in a number of legal analyses, and for making available a means for addressing all issues having to do with the ‘use of force’. In addition, this methodology can act as a basis for the assessment and classification of cyber-attacks that are directed towards software systems that may constitute a component of a critical infrastructure.


Chapter 7: Difficulties for the implementation of International Law to Cyber-attacks / Other Methods for Cyber-attack Evaluation

This chapter approaches the multi-layered process of attribution, in combination with the variety of jurisdictional bases, as major obstacles that impede the implementation of the proposed methodology (and of international law in general) and lead to the lack of accountability for cyber-attacks. Furthermore, it presents related work in the field of cyber-attack modelling assessment and a comparative analysis of the proposed methodology with previous cyber-attack evaluation methodologies.

7.1. Limitations in Jurisdiction

One of the most important issues relating to cyber-attacks is the so-called “jurisdiction issue”. The open architecture of the internet, which allows billions of users around the world to interact with each other, and the number of services offered on a global basis (by servers/ISPs which may be located on the other side of the planet), complicate the issue of jurisdiction for crimes taking place in cyberspace. In general, jurisdiction concerns the power of the state under international law to regulate or otherwise impact upon people, property and circumstances, and reflects the basic principles of state sovereignty, equality of states and non-interference in domestic affairs. Jurisdiction is a central feature of state sovereignty, for it is an exercise of authority which may alter, create or terminate legal relationships and obligations. It follows from the nature of state sovereignty that a state exercises domestic jurisdiction, that is, jurisdiction within its own territorial frontiers (Ryngaert, 2008). Even though primarily territorial, jurisdiction may also be based on other grounds, such as nationality, while enforcement is restricted by territorial factors. As Kaspersen (2009) suggested in a draft paper prepared for the Council of Europe, the jurisdiction issue complicates the use of a nation’s cybercrime law to prosecute violations that occur over the internet. According to public international law, the main and most common principle – which is also applicable to cybercrime (Economic Crime Division, 2009) – is the “territoriality principle”, which denotes that a sovereign state has the authority to prosecute criminal acts that are committed within its borders. 
However, according to Kaspersen, the internet environment is different in the sense that it is usually possible to gather on-line electronic evidence that is physically located in a computer system in one territory but that is available (retrievable by means of software) to the law enforcement authorities of another territory (of another state). In principle, public international law does not permit extraterritorial jurisdiction to gather such (evidentiary) material. Limitations are stricter in this case than concerning the assertion of extraterritorial jurisdiction to regulate. The state concerned should be requested to render mutual assistance to provide the material needed. Despite dedicated regulation – such as the Cybercrime Convention and Directive 2013/40/EU – intended to increase the speed of mutual assistance procedures, this may nevertheless not always ensure the availability of the evidentiary material. These arguments relate to the practical difficulty of law enforcement in the case of private actions and are directly linked to the cybercrime jurisdiction issue. But what if the situation under consideration concerns an act that is generated or motivated by a state, where the attacker must be identified as a state actor, that is, as an actor committing an armed attack and not just a criminal act? In these cases, states may bear responsibility for cyber operations that their agents carry out, or for which the states can alternatively be held accountable by virtue of the law of state responsibility. Also, in some cases, the actions of non-state actors may be attributed to states. However, there is no official document (an agreement or a treaty) indicating the judicial mechanism to be used in those cases where a state is behind a cyber-attack. There are only a couple of bilateral agreements (such as the Mutual Legal Assistance Treaty – “MLAT” – between Estonia and Russia), the utility of which is doubtful, as has been proved in practice (despite earlier promises, Russia refused to provide assistance to Estonia under the MLAT when such a need arose). In general, the cyber-attack actor bears no consequences for his actions. 
The only official, but non-binding, document that exists aiming to shed light on cyber warfare jurisdiction issues is Rule 2 of the Tallinn Manual, which states: “Without prejudice to applicable international obligations, a state may exercise its jurisdiction: over persons engaged in cyber activities on its territory; over cyber infrastructure located on its territory; and extraterritorially, in accordance with international law”. The term “jurisdiction” encompasses the authority to prescribe, enforce and adjudicate. It extends to all matters, including those that are civil, criminal or administrative in nature. According to the European Court of Justice, territorial jurisdiction entails two forms of jurisdiction, namely subjective territorial jurisdiction, which allows a state to deal with acts which began within its territory, irrespective of the fact that they were completed abroad, and objective territorial jurisdiction, which allows a state to handle acts that were initiated abroad and were, at least partly, completed within its own territory. Subjective territorial jurisdiction applies even in those cases where the offending cyber acts have no effect on the state exercising such jurisdiction. Objective territorial jurisdiction, on the other hand, gives the jurisdiction for handling cyber-attack incidents to the state where the incident has consequences, irrespective of the fact that the act started outside that state’s territory. State practice indicates that states exercise jurisdiction in cyberspace on the basis of objective territorial jurisdiction, meaning that a state will assert jurisdiction over online activity if the effects of that activity are felt on its territory. Although this is a common-sense approach, it may degrade fundamental human rights such as freedom of expression in cyberspace, and may, more broadly, endanger the potential for economic, political, social and cultural exchange (Kohl, 2015).

The territoriality criterion, however, is not always safe, as the use of ICTs allows the attacker, by taking advantage of the multiple internet service providers or the existing cloud-based services, to hide his territorial (as well as his physical) identity by creating replications and dynamic relocations of data or by spoofing the geo-coordinates of the computing devices. Moreover, there is always the possibility that an IT device and/or system becomes the instrument of a cyber-attack without its user’s/owner’s knowledge. In this case, the device can become a zombie device (through the implantation of special software on it) and participate in cyber-attacks while its user is completely unaware of the fact. So, while the leading actors are usually nation-state actors, the activities of non-state actors, including cybercriminals and terrorist groups, create confusion and misperception as to the actual cyber warfare “players”. As a consequence, cyberspace conflicts allow for the combination of crime, espionage and military action in ways that often make it quite difficult – if not impossible – to distinguish them. In the two most striking cases, namely the cyber-attacks against Estonia and Georgia, Russia, whose territory was identified as the starting point of the cyber-attacks, refused to provide any help to these countries in their efforts to detect and punish the offenders, despite the fact that there was a binding agreement that required it to do so. 
Hence, the issue of jurisdiction is complicated and difficult to address. Concisely, the variety of jurisdictional bases in international law and the technical difficulties in identifying the attacker constrain the effective confrontation of cyber operations.

7.2. The problem of Attribution

Probably the most crucial problem arising with respect to cyber operations, and to the way they are developed, is the technical complexity of determining the perpetrators and of positively identifying the key actor of cyber operations, resulting in major difficulties in handling the issue of “attribution”. This is due to the fact that the process of decoding and identifying the location of the system that originated the attack is lengthy and expensive. Determining the perpetrator’s identity and motivation becomes even more challenging in cases of attacks involving intermediaries who may or may not be willing participants in the attacks. In such cases, determining motivation seems difficult, mainly due to the complex architecture and geography of cyberspace. The identification of the perpetrator’s motivation, although extremely challenging, is necessary for making a distinction between cybercrime, cyber terrorism and cyber warfare, given the fact that the actors behind an attack may range from criminal actors to nation states. So, effective attribution is a precondition for determining whether the actor is a criminal, a terrorist or even a state actor posing a potentially greater national security threat (Finklea and Theohary, 2015). However, successful attribution, while depending largely on the available forensic evidence, is a lot more than that. The process of matching an offender to an offence is an extremely challenging one in any domain, let alone cyberspace – and it calls for the minimization of uncertainty in terms of tactics, operations and strategy. Attribution is a multi-layered process, and it requires a range of skills at a number of levels. It is a procedure that necessitates careful management, good leadership, stress-testing, prudent communication and the ability to recognize limitations and challenges. In terms of tactics, the most crucial point is to appreciate the incident primarily in its technical aspects. Regarding operations, the key goal must be to understand both the profile of the attacker and the architecture of the attack. And as far as strategy is concerned, the key issues include the identification of the perpetrator of an attack, the assessment of the consequences of that attack, the significance of the impact of the attack on the state and the decision on an appropriate response. Throughout this process, a critical parameter should be the identification of a government or organization, and not of individuals, as the key actor of an attack. Undoubtedly, the process of attribution is a techno-political one that depends largely on what is at stake in terms of politics (Rid and Buchanan, 2015). 
So, whenever a state is engaging in a cyber operation and its actions cannot be justified under the self-defense doctrine or do not have UN Security Council authorization, it can be claimed that this state violates Article 2(4) of the UN Charter and the prohibition on the use of force. Respectively, a state can be held responsible for cyber warfare operations that rise to the level of unlawful "use of force" when these operations are launched by its agents. Thus, for a violation to result in state responsibility, it must be attributable to a state. But in which cases can a state be held accountable for the actions of individuals or groups? Clearly, a state can be held legally responsible for actions taken by its entities or governmental organizations. However, in the case of non-state actors, such as private individuals, organized groups and terrorist organizations, a state can be held legally responsible only if it can be proven without doubt that these non-state actors were acting under the instructions or the control of the state (Schmitt, 2014). Within the cyber warfare framework, then, states can be held responsible for violating the prohibition on the "use of force" when it can be proven that they have either instructed private individuals or groups to carry out the operations or when it can be confirmed that they are heavily involved in them through the involvement of their entities or government organs. A decision on that can be made only on a case-by-case basis, through the examination of the extent and nature of the relationship of the state with the actor/actors and of its involvement in the operations under consideration. For example, in the Nicaragua case (1986), the International Court of Justice considered it imperative to address the required degree of control for attribution, by examining whether the effective control criterion was met, thus allowing a state to be held responsible for violations committed by non-state actors in relation to the use of force prohibition. It is noteworthy, though, that although the tribunal rejected the claim of effective control, the technical legal issue taken into consideration to reach that decision was the nature of the armed conflict and not state responsibility. Then again, in the Tadic case (1999), the International Criminal Tribunal for the Former Yugoslavia addressed the issue under consideration in a different way. It held that the authority exercised by the Government of the Federal Republic of Yugoslavia over the Bosnian Serb armed groups "[…] required by international law for considering the armed conflict to be international was overall control going beyond the mere financing and equipping of such forces and involving also participation in the planning and supervision of military operations" (Schmitt, 2011). In general terms, it can be alleged that in those cases where the effective control criterion is not met, the state may not bear direct responsibility for private acts, but rather an indirect one, meaning that it can be held responsible for tolerating the private action in question or for not undertaking any action to prevent it. To deal with and possibly eliminate this phenomenon, it has been suggested (By whom?) that states bear an international obligation, on the ground of the principles of international law, both to prevent non-state actors acting from within their territory from committing cyber-attacks, and to offer their support to the states that become victims of the attacks. Moreover, in case of non-compliance with this obligation, it has been recommended that the victim-states of the cyber-attacks have the legal right to respond by retaliating, even if it cannot be proven that there is a "causal link" between the non-state actors who carried out the attack and the Government's "tolerance". This measure, which allows the victim-states to protect themselves from cyber-attacks originating from within the territory of a hostile state, is called "Active Cyber Defense" (Gaycken, 2010). In such cases, there is an urge to establish meaningful accountability for improper actions taken by the adversaries or for negligence on their behalf, affecting the confidentiality, integrity and availability of the CIIs of the state targeted by the attack. Establishing accountability for activities in and through cyberspace is now at least as important as attribution (Shanahan, 2014). Many different technical approaches have been developed in an attempt to address the attribution problem. Some of these techniques are already in use while others are simply proposals that have not been put into practice yet. Figure 5 illustrates the most commonly used techniques for cyber-attack attribution.


Techniques for Cyber Attack Attribution

1. Store Logs & Traceback Queries
2. Perform Input Debugging
3. Modify Transmitted Messages
4. Transmit Separate Messages (e.g., iTrace)
5. Reconfigure & Observe Network
6. Query Hosts
7. Insert Host Monitor Functions
8. Match Streams (via headers, content, and/or timing)
9. Exploit/Force Attacker Self-Identification (e.g., beacons, web bugs, cookies, watermarking)
10. Observe Honeypot/honeynet
11. Employ Forward-deployed Intrusion Detection Systems (IDSs)
12. Perform Filtering (e.g., Network Ingress Filtering)
13. Implement Spoof Prevention
14. Secure Hosts/Routers
15. Surveil Attacker (e.g., "Hack Back")
16. Employ Reverse Flow
17. Combine Techniques

Figure 5: Techniques for Cyber Attack Attribution (Wheeler & Larsen)

An overview of these techniques is given below (Wheeler and Larsen, 2003):

Store Logs & Traceback Queries: In this technique, routers store logs of the messages that pass through a network and answer queries regarding the origin of these messages. The drawback of this technique is that it cannot be easily implemented, since it is almost impossible to follow the continuous flow of messages on a regular basis (it can prove an extremely costly technique). Moreover, its implementation may raise privacy concerns.

Perform Input Debugging: In this technique, the receiver of an attack takes advantage of adjacent routers to identify probable attack patterns. This approach is often used against DDoS attacks. However, it cannot be effective when there is no ongoing data stream to trace.

Modify Transmitted Messages: In this technique, messages are marked by routers as they are transmitted, allowing for the identification of their course. The implementation of this technique can increase bandwidth usage and/or decrease network performance. In addition, it can affect some authentication mechanisms.

Transmit Separate Messages (e.g., iTrace): When a router transmits a message, it also transmits a separate message to facilitate attribution. This technique lacks in performance. For example, if separate messages are sent for all messages, this can easily overwhelm the network resources. In addition, if routing does not concern the entire set of messages sent, this can make attribution ineffective.

Reconfigure & Observe Network: This technique takes advantage of the network's reconfiguration to collect information on possible changes and use it to backtrack to a previous step. Its main drawback is that it may be difficult to implement on large networks and it may introduce new security vulnerabilities.

Query Hosts: This technique uses query hosts to collect internal state information that can help in attribution. In this case, the pre-existence of a query function is necessary. Moreover, it is required that the attacker does not control the host; otherwise, the information will be much less reliable.

Insert Host Monitor Functions (e.g. Hack Back): This technique is similar to the previous one except that the pre-existing query function has been installed without the permission of the owner and the information is elicited without the host being aware of it. In this case significant legal issues relating to privacy and civil liberties are raised.

Match Streams (via headers, content, and/or timing): This technique relies on observing the streams of data entering and exiting a network or host and deciding which input streams match which output streams. This method can be effective, but it is also difficult to implement, since matching can prove a difficult technical problem.

Exploit/Force Attacker Self-Identification: This technique relies on highly technical and specialized approaches (e.g., beacons, web bugs, cookies and watermarking) and it can directly reveal the attacker's identity.

Observe Honeypot/honeynet: Honeypots are decoy systems that are only accessed by attackers (since anyone using them is by definition an attacker). They can only attribute attacks that go through them, and their monitoring and analysis is necessary.

Employ Forward-deployed Intrusion Detection Systems (IDSs): This technique is implemented by placing IDSs as close as possible to potential attackers. The effectiveness of this method depends on the placement of the IDSs and requires significant monitoring capabilities.

Perform Filtering (e.g. Network Ingress Filtering): This technique requires that all messages entering a network have a source address in a valid range for that network entry point. Network ingress filtering for IP is easily implemented using the TCP/IP infrastructure and can be deployed incrementally (one network at a time). However, for a given network, ingress filtering must be implemented at nearly every entry point of the network to be effective. This limits the range of possible attack sources.

Implement Spoof Prevention: Modify protocols or their implementations to be more resistant to spoofing (forging 'from' information). This greatly reduces the number of intermediate systems that need to be examined, but often protocols and/or implementations cannot be easily modified to do so.

Employ Reverse Flow: This technique sends specially marked data back towards the attacker and then detects these markings using detectors placed in intermediate systems.

The combination of more than one of these techniques is more likely to succeed, although it will generally cost more to implement. However, there is limited experience in combining techniques. Each of these techniques can be applied to many different network protocols. Yet, an analysis of all these techniques will show that they can only be considered under the greater regulatory context of different legal jurisdictions (Mudrinich, 2012). In addition, any proposals for a public, personally identifiable packet-level mechanism, intended to contribute to the transition of the Internet from a model of online anonymity to a new model of "pseudonymity" (through converting IPv4 addresses to IPv6 ones and assigning these new addresses to a unique individual after having that individual's identity authenticated in some verifiable way), should be treated with caution, as many questions are raised relating both to the users' safety and to the protection of privacy. Privacy has emerged as a concern of modern societies aiming to ensure liberty and creativity. The ability to control the release of personal information constitutes a critical factor for the establishment of acceptable levels of trust in a society. International principles of privacy are reflected in Article 12 of the UN Universal Declaration of Human Rights (1948).
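The "Match Streams" technique described above asks whether an inbound stream at a relay host is the same session as an outbound one. As an added example (not from the thesis or from Wheeler and Larsen), the following Python sketch performs timing-based matching over constructed packet timestamps; the stream labels, delay window and score threshold are assumptions for illustration.

```python
"""Timing-based stream matching at a relay host (added example, not from the thesis).

Constructed scenario: a compromised "stepping stone" forwards an attacker's
interactive session. A defender observing the relay sees packet timestamps on
inbound streams (from upstream hosts) and outbound streams (to targets) and
wants to decide which inbound stream, if any, is being relayed as each
outbound stream. Stream labels, timestamps, the delay window and the score
threshold below are all assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Stream:
    stream_id: str               # constructed label, e.g. "in:A"
    timestamps: Sequence[float]  # packet times in seconds


def causal_match_ratio(inbound: Stream, outbound: Stream, max_delay: float) -> float:
    """Fraction of outbound packets explained by a distinct earlier inbound packet.

    Each outbound packet at time t_out is matched (first-in, first-out) to the
    earliest not-yet-used inbound packet whose time lies in [t_out - max_delay,
    t_out]. A relayed session keeps its keystroke rhythm, so the ratio is close
    to 1.0; an unrelated session rarely lines up inside the window.
    """
    in_ts = sorted(inbound.timestamps)
    out_ts = sorted(outbound.timestamps)
    if not out_ts:
        return 0.0
    matched, j = 0, 0
    for t_out in out_ts:
        # Discard inbound packets too old to have caused t_out (or already used).
        while j < len(in_ts) and in_ts[j] < t_out - max_delay:
            j += 1
        if j < len(in_ts) and in_ts[j] <= t_out:
            matched += 1
            j += 1  # consume this inbound packet: one-to-one matching
    return matched / len(out_ts)


def stream_score(inbound: Stream, outbound: Stream, max_delay: float) -> float:
    """Combine timing evidence with a packet-count sanity check.

    A dense, unrelated inbound stream (e.g. a bulk transfer) would satisfy the
    timing test for almost any outbound stream, so the score is also capped by
    how similar the two packet counts are.
    """
    timing = causal_match_ratio(inbound, outbound, max_delay)
    n_in, n_out = len(inbound.timestamps), len(outbound.timestamps)
    size = min(n_in, n_out) / max(n_in, n_out) if max(n_in, n_out) else 0.0
    return min(timing, size)


def attribute_streams(inbound: List[Stream], outbound: List[Stream],
                      max_delay: float, min_score: float = 0.8) -> Dict[str, Optional[str]]:
    """Map each outbound stream id to the best-scoring inbound id, or None."""
    result: Dict[str, Optional[str]] = {}
    for out in outbound:
        best_id, best = None, 0.0
        for inc in inbound:
            score = stream_score(inc, out, max_delay)
            if score > best:
                best_id, best = inc.stream_id, score
        result[out.stream_id] = best_id if best >= min_score else None
    return result


# Constructed sample data (not real captures).
KEYSTROKES = [0.00, 0.31, 0.58, 1.02, 1.47, 1.90, 2.33, 2.71]
IN_A = Stream("in:A", KEYSTROKES)                                     # the relayed session
IN_B = Stream("in:B", [0.10, 0.95, 1.65, 2.40, 3.10])                 # unrelated interactive
IN_C = Stream("in:C-bulk", [round(0.05 * k, 2) for k in range(61)])   # unrelated bulk transfer
OUT_X = Stream("out:X", [round(t + 0.04, 2) for t in KEYSTROKES])     # IN_A relayed, 40 ms delay
OUT_Y = Stream("out:Y", [0.50, 0.77, 1.20, 2.05, 2.95])               # locally originated
MAX_DELAY = 0.15  # assumed maximum relay delay in seconds


def demo() -> Dict[str, Optional[str]]:
    """Attribute both outbound streams; only OUT_X has a convincing upstream."""
    return attribute_streams([IN_A, IN_B, IN_C], [OUT_X, OUT_Y], MAX_DELAY)


if __name__ == "__main__":
    print(demo())  # expected: {'out:X': 'in:A', 'out:Y': None}
```

The bulk stream IN_C passes the timing test for every outbound stream, which is exactly the false-match problem the packet-count check exists to suppress.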
Moreover, the EU has implemented a comprehensive legal framework on data protection and privacy consisting of a number of official documents, such as Regulation (EU) 2016/679 of the European Parliament and of the Council "on the protection of natural persons with regard to the processing of personal data and on the free movement of such data" (General Data Protection Regulation), repealing Directive 95/46/EC "on the protection of individuals with regard to the processing of personal data and on the free movement of such data". Further elements of this framework are Directive 2002/58/EC "concerning the processing of personal data and the protection of privacy in the electronic communications" and the Privacy Enhancing Technologies (PETs) Communication [COM 228/2007; European Commission, 2007, "on Promoting Data Protection by PETs"]. So, the emergence of a system contradicting the current European and international legal framework, one that would turn the Internet into a state surveillance device restricting users' freedom and privacy, would constitute a direct threat to their privacy. Conclusively, the process of attribution is a multi-layered one that requires both the employment of technical means and the adoption of legal and policy tools. The technologies implemented so far to deal with it are rather incomplete in nature and, thus, when assessed against the requirements of effective attribution, their effectiveness is questionable. The difficulty in applying these techniques stems mainly from the existence of legal constraints in establishing meaningful accountability for cyber warfare acts and in implementing the existing legal framework to deal with them, while simultaneously respecting citizens' privacy and civil liberties.

7.3 Related work in the field of cyber-attack evaluation assessment

Being able to precisely define, evaluate and categorize cyber-attacks is becoming increasingly difficult. The technical complexity of systems, the growing variety of exploitable attack vectors and the ubiquitous integration of Internet technology into all aspects of our daily lives compound the problem. The failure to adopt a comprehensive approach to the problem is frequently the norm, leading to an incomplete understanding of cyber-attacks and a failure to provide an appropriate solution. A plethora of cyber-attack evaluation methods exist today that help to understand the complexity of cyber-attacks. Nevertheless, most of these models are focused on delivering insight from a unidimensional perspective: technical detail or understanding of human-centric factors. Furthermore, none of these approaches provides a holistic evaluation of the effects of cyber-attacks on states' CII in order to establish basic situational awareness and to define the appropriate countermeasures. According to Happa and Fairclough (2017), the existing literature on cyber-attack evaluation models can be divided into three broad categories: (i) technology-centric models, (ii) social-centric models and (iii) cyber-situational awareness and understanding models. A description of each category, together with some of its most important models, is provided below.

7.3.1 The technology-centric modelling assessment

Technology-centric models seek to define cyber operations from a technical perspective (e.g. how a piece of malware operates or how a vulnerability can be exploited). These models usually require a high degree of technical knowledge in order to comprehend the full implications of a cyber-attack and to generate the necessary degree of understanding. Important models of this category include:

a) Bishop's taxonomy (1995), which describes vulnerabilities in a form useful to intrusion detection mechanisms. He presents techniques to discover and to inhibit or eliminate exploitation of these vulnerabilities. His taxonomy expresses cyber-attacks in the form of six axes, namely: Nature of a flaw, Time of introduction, Exploitation gain, Effect domain, Minimum number necessary and the Source of the identification of the vulnerability. He examines vulnerabilities in the UNIX operating system and network and classifies the security-related problems along the six axes. The unique contribution of his work is an analysis of how to use previous security analysis methodologies to improve systems security and how to write programs with minimal exploitable security flaws.

b) Cohen's "cyber defence mirror model" (1997), which expresses network attacks based on a defined set of properties, namely: Non-orthogonality, Correlation, Hardware non-specificity, Description, Applicability and Incompleteness. In an effort to create a common reference language for security analysts, the paper describes almost a hundred different classes of attack methods gathered from many different sources.

c) Howard's and Longstaff's process-based model (1998), which is a minimum set of "high-level" terms, along with a structure indicating their relationship. The methodology considers five stages of a cyber-attack, namely Attackers, Tools, Access, Results and Objectives, in order to classify computer security incident and vulnerability information. A more complete and accurate analysis of security incidents and a better understanding of the nature of a cyber-attack is achieved through the classification.

d) The "Validation Exposure Randomness De-allocation Improper Conditions Taxonomy" (VERDICT) proposed by Lough (2001), which is a comprehensive analysis of a general methodology that facilitates the design of secure protocols. VERDICT is an insightful technical model for understanding cyber-attacks based upon four characteristics, namely: Improper validation, Improper exposure, Improper randomness and Improper de-allocation.

e) AVOIDIT, a cyber-attack taxonomy model proposed by Simmons et al. (2009). AVOIDIT is a classification methodology which uses five major classifiers to characterize the nature of a cyber-attack, namely: Attack Vector, Operational Impact, Defense, Information Impact and Target. It is presented in a tree-like structure to neatly classify common vulnerabilities used to launch cyber-attacks. The classification scheme contributes by helping the defender to protect CII by providing vital attack information.

f) The "Cyber Kill-chain" proposed by Hutchins et al. (2011), which is a process-based model for describing the stages of a cyber-attack. The "Kill-chain" phases are Reconnaissance, Weaponization, Delivery, Exploit, Installation, Command & Control (C2) and Action on Objectives. The "Cyber Kill-chain" model provides a structure to analyze intrusions, extract indicators and drive defensive courses of action. Its application reduces the likelihood of adversary success, informs network defense investment and resource prioritization, and yields relevant metrics of performance and effectiveness. In conclusion, the model serves as a framework to measure the effectiveness of defenders' actions by mitigating not just the vulnerability, but the threat component of risk, too.

7.3.2 The social-centric modelling assessment

Social-centric models attempt to understand cyber-attacks from a human perspective. Approaches range from the identification of non-trustworthy individuals who might represent a cyber security risk to the discovery of how human-behavioural failures can be exploited as part of the cyber-attack process. Examples of this category include:

a) Greitzer et al. (2009) describe an approach to predictive modelling for insider threat mitigation by incorporating both cyber and psychosocial data within an anticipatory decision framework. More specifically, the developed methodology uses psychosocial indicators as well as cyber indicators in order to predict possible malicious exploits. The model automates the detection of high-risk activities on which to focus and inform the analysis conducted by responsible cybersecurity analysts. Furthermore, methods and metrics for evaluating analytic insider threat tools are described by the same authors (Greitzer et al., 2013).

b) Kandias et al. (2010) propose a model for insider threat prediction by combining approaches, techniques and tools from computer science and psychology. It utilizes real-time monitoring, capturing the user's technological traits in an information system and analyzing them for misbehaviour. The model uses data from psychometric tests so as to assess, for each user, the predisposition to malicious acts and the stress level, which is an enabler for the user to overcome his moral inhibitions, under the condition that the collection of such data complies with the legal framework. The method identifies those users who can potentially be dangerous for the information system and the organization. Additionally, a method to predict the insider threat via social media is described by Kandias et al. (2013) with the use of machine learning techniques. An assumption-free flat data representation technique is used to compare and highlight the common behaviour manifested by the users in order to decide on the users' attitude.

c) Stavrou et al. (2014) propose business process modelling for insider threat monitoring and handling. This approach enhances business process monitoring tools with information evaluated from social media by examining the online behaviour of users, and pinpoints potential insiders with critical roles in the organization's processes.

d) The Corporate Insider Threat Detection (CITD) conceptual model presented by Legg et al. (2015) describes a model for detecting insider threats by exploring hypotheses from measurements of the real world. The model suggests that any single measurement is likely to fail on its own but is likely to yield indicators of insider threats when combined with others using machine learning and visual analytics.

7.3.3 The cyber-situational awareness modelling assessment

Cyber situational awareness and understanding models attempt to adopt a high-level approach to considering cyber-attacks and focus on the environment in which the cyber-attack occurs and the resultant impact upon different elements or layers within it. Examples of this category include:

a) The UK Defence Science and Technology Laboratory (DSTL) (2012) describes a layered model for situational awareness in cyberspace. It consists of six layers of interaction, namely: Social, People, Persona, Information, Network and Real World, and attacks can exist on any one or more of these layers.

b) The NATO Cyber Security Framework Manual (NATO, 2012) contains an interdisciplinary approach covering the legal, policy, strategic and technical perspectives of cyber security. This framework supports the NATO Cyber Defence Policy.

c) Conti et al. (2013) propose a framework for designing a "comprehensive cyber common operating picture" (CCOP) in order to provide military decision-makers with a useful command and control operating tool to maintain situational awareness. CCOP uses techniques for network monitoring, intrusion detection, incident response, security visualization and military command center design.

However, as has already become apparent, it is no longer possible to consider only the technological, social and situational awareness perspectives of cyber-attacks; it is essential to examine all the aspects they generate. Furthermore, the above-mentioned technology-centric, social-centric and cyber-situational awareness-centric models fail to accurately identify the extent of impact on socioeconomic consequences such as public health, safety, and economic and psychological impacts, which are directly linked to the collapse or degradation of CII. In addition, none of the above-mentioned cyber-attack methods are linked to international law and the consequences related to interstate violence. On those grounds, in the following chapters a new systematic modelling methodology will be presented. The purpose of the new methodology will be to evaluate the effects of cyber-attacks on states' CII in order to answer the question of whether these attacks have risen to the level of a "use of force" under jus ad bellum, the branch of international law that governs a state's resort to force as an instrument of its national policy. However, in order for this to be achieved, it is first required to update the current international legal framework so as to address the new challenges that arise. Accordingly, in the following chapter a classification of cyber-attacks under the prism of international law will be presented so as to set the theoretical background of the new cyber-attack evaluation methodology.


Chapter 8: Conclusions

8.1 Summary and discussion

In this thesis, the aim was to present a new systematic modelling methodology for evaluating the effects of cyber-attacks on states' CII in order to define whether these attacks constitute a wrongful "use of force" under the Jus ad bellum, that body of international law that governs a state's resort to force as an instrument of its national policy. In order for this to be achieved, an "effects-based" or "consequences-based" approach was adopted, which focuses on the overall effect of a cyber operation on the victim-state. Additionally, the qualitative criteria for recognizing the impact of cyber-attacks, as proposed by the IGEs in "The Tallinn Manual", were used. Furthermore, multi-attribute decision making (MADM) systems were applied. Evidently, the characterization and classification of cyber-attacks on states' CII depends largely on the extent of their consequences. In other words, the categorization of the type of attack relies heavily on its impact level, both in terms of the loss of human lives and in terms of the destruction of critical infrastructures. Therefore, the degree of the immediate as well as of the long-term effects of a cyber-attack constitutes a critical factor for its categorization. Furthermore, the greater the degree of impact of a cyber-attack, the greater the chances are that it will be characterized as "use of force" or, even worse, as "armed attack" when its magnitude is so great as to cause loss of human lives. Thus, the main issue of investigation is to define the method of measuring the impact of a cyber-attack. The main contribution of the thesis lies in the development of a new systematic modelling methodology that combines the IGEs' qualitative criteria with MADM methods. For the analysis, a case study of kinetic and cyber-attacks on a SCADA system is employed. The pros and cons of each MADM method were evaluated and the results of the cyber-attack evaluation were presented.

The weaknesses of each MADM method led us to present a new cyber-attack evaluation strategy that combines the use of the decision-making algorithms of MADM methods and introduces a new grouping of the IGEs' qualitative criteria based on their distinctive attributes. The correlation of both qualitative and quantitative methods led us to achieve an improved cyber-attack evaluation assessment and, as a result, a more accurate and complete cyber-attack classification. Despite the constructive contribution of the "Tallinn Manual", the international legal regime is lagging behind the problems it has to deal with. The existing norms do not offer a comprehensive legal framework within which states can shape policy towards the threat of hostile cyber operations. Furthermore, the use of interpretative methods such as analogies and teleological and systematic understanding lacks the necessary legal certainty. Additionally, state practice is lacking in characterizing a cyber operation as a "use of force" or not.


For the time being, there are many difficulties, from a technical and institutional perspective, in applying international law rules to cyber operations. In fact, the international community of states needs something more than bilateral agreements which do not bring about any sanctions in case of non-compliance. Despite the fact that some states have adopted measures of a binding nature at the organizational level (creation of a national cyber security strategy by determining the CII) to reduce the effects of cyber-attacks, these measures have a limited scope. Moreover, there are no multilateral agreements or international treaties providing a straightforward definition as to what "a cyber-attack" should entail, and as to the sanctions (economic or other) it should induce. In short, there is a lack of universal agreements regarding the process of monitoring, processing and effectively sharing the information required to track and trace assaulters. In cyber warfare, the activities of key actors (states) can often not be easily distinguished from the activities of non-state actors (such as cybercriminals and terrorist groups), rendering the terrain of cyber conflict complicated. The combination of anonymity and parallel action from both state and non-state actors and the difficulty in distinguishing military from criminal actions makes the management of this type of conflict complicated and the implementation of international humanitarian law rather problematic. The objective facts of every cyber operation incident are quite difficult to identify; thus, it cannot be claimed with certainty that the key criteria of both state involvement and gravity of effect are met. In addition, uncertainty regarding attribution, along with the absence of a common understanding, creates the risk of instability and misperception.

Consequently, from a strategic point of view, the classification of cyber conflicts becomes quite challenging as a result of both the multi-layered nature and the multi-jurisdictional character of the attribution problem. However, for the sake of safety, decision making with regard to responding to a cyber-attack has to be based on commonly accepted principles and pre-existing norms. Assessing the feasibility, legitimization and legality of responses to cyber-attacks equivalent to armed attacks seems to remain to a large extent "a matter of speculation and hypothetical reasoning" (Kessler and Werner, 2013). Therefore, the systematic modelling methodology could be used as a "legal interpretation tool" in areas where there is uncertainty or disagreement in multiple legal analyses and for providing a framework for evaluating differences in interpretation of the law. In conclusion, the existing legal norms do not offer a comprehensive legal framework that can shape policy towards the threat of hostile cyber operations. Even though there were many cyber operations that could reach the level of a "use of force", in none of these cases have states been identified as the initiator of the cyber operation which might amount to a "use of force". Moreover, as Schmitt admitted (2011), "the criteria are admittedly imprecise, thereby permitting states significant latitude in characterizing a cyber operation as a 'use of force' or not". A state, depending on the attendant circumstances, may also look to other factors such as the prevailing political environment, whether the operation portends a future "use of force", the identity of the attacker and the nature of the target. In fact, a finding that a cyber or a kinetic attack is a "use of force" is a political and not a legal decision, as it shows a state's willingness to involve itself in a particular matter. The proposed systematic methodology is applied in order to portray a better modelling evaluation of cyber-attacks in areas where there is ambiguity related to the "use of force" concept. However, it was not the purpose to provide an absolute algorithm for producing the "right answer" given any input. The threshold of a "use of force" must be balanced between, on the one hand, a state's willingness to avoid any harmful consequences caused by the actions of other states and, on the other hand, its motivation to preserve its own freedom of action. The evaluation criteria proposed by the IGEs in the "Tallinn Manual" seek to balance these conflicting objectives through consideration. As such, the usefulness of the methodology is perceived in areas where there is uncertainty or disagreement in a number of legal analyses, and in making available a means for addressing all issues having to do with the "use of force" concept. Conclusively, this methodology could act as a basis for the assessment and classification of cyber-attacks that are directed towards software-intensive IS that may constitute a component of a CII.

8.2 Publications

The research work related to this PhD thesis has been published in peer-reviewed journals and conferences namely:

• Publications in peer-reviewed, academic journals:

J1. Kosmas Pipyros, Lilian Mitrou, Dimitris Gritzalis and Theodoros Apostolopoulos: “Cyber operations and International Humanitarian Law: A review of obstacles in applying international law rules in cyber warfare”, Information & Computer Security, Vol. 24, No.1, pp.38-52, 2016.

J2. Kosmas Pipyros, Christos Thraskias, Lilian Mitrou, Dimitris Gritzalis and Theodoros Apostolopoulos: “A new strategy for improving cyber-attacks evaluation in the context of Tallinn Manual”, Computers & Security (Special Issue), Vol. 74, pp. 371-383, 2018.

J3. Kosmas Pipyros, Lilian Mitrou: «Cyber-attack or Cyber warfare», Journal of Media & Communication Network (ΔiΜΕ&Ε), National Legal Library, issue 2, February 2018 (in Greek).

• Publications in peer-reviewed, international conferences:

C1. Kosmas Pipyros, Lilian Mitrou, Dimitris Gritzalis, Theodore Apostolopoulos: “A cyber-attack evaluation methodology”, In Proc. of the 13th European Conference on Cyber warfare and Security (ECCWS-2014), pp. 264-270, ACPI, Greece, July 2014.

C2. Kosmas Pipyros, Christos Thraskias, Lilian Mitrou, Dimitris Gritzalis, Theodore Apostolopoulos: “Cyber-Attacks Evaluation Using Simple Additive Weighting Method on the Basis of Schmitt’s Analysis”, In Proc. of the 10th Mediterranean Conference on Information Systems (MCIS-2016), Springer, Cyprus, September 2016.

C3. Kosmas Pipyros, Lilian Mitrou, Dimitris Gritzalis: “Evaluating the effects of cyber-attacks on critical infrastructures in the context of Tallinn Manual”, In Proc. of the 2nd Conference on Cyber Security in Maritime Domain, NATO Maritime Interdiction Operational Training Centre (NMIOTC), Greece, September 2017.

8.3 Future work

It can be argued that this research can serve as a basis for further investigation and research. The above-mentioned results demonstrate that there is a long way ahead for further research in the field of cyber-attack evaluation methodologies in order to achieve a more accurate and complete cyber-attack modelling assessment. Future work should focus on the expansion of the proposed methodology by incorporating machine learning and data mining techniques in order to produce a data model that will allow a comprehensive understanding of cyber-attacks and their classification. Furthermore, an interdisciplinary assessment of the proposed methodology against past and current works in the field of cyber-attack modelling assessment will be essential for taking full advantage of the proposed techniques in order to expand further research and development. Moreover, this study can act as a repository of new ideas and new sources of investigation in the field of cyber-attack modelling assessment. For example, further research could focus on a comparative study of national cyber security strategies worldwide for the creation of an evaluation framework which will incorporate risk prediction, analysis and reaction tools in order to deal effectively with cyber-attacks. The framework will present risk-based and damage-recovery processes in order to effectively protect against cyber-attacks and accelerate damage appraisals after them. In addition, leaving behind the field of cyber-attack modelling assessment and taking into account the General Data Protection Regulation (GDPR) (2016/679 EU), an interesting research topic will be the creation of a methodology providing guidance on the implementation of the appropriate measures in order to mitigate risk on the basis of an objective data protection impact assessment. Finally, possible paths for future research could concentrate on the development of a research roadmap for cybercrime and cyber terrorism.

8.4 Concluding remarks

Cyber conflict constitutes a new and challenging problem. The increasing number and complexity of cyber-attacks on states’ CII in recent years are transforming cyberspace into a new battlefield, with “the mouse and the keyboard being the new weapons”, bringing out “cyber warfare” as the “5th dimension of war”. Cyber-attacks such as those against Estonia and Iran brought about a series of discussions over the issue of their eventual political, economic and social impacts on the victim state, but also their impact on international relations regarding this new kind of warfare and its consequences for the global strategic environment. However, being able to precisely define, evaluate and categorize cyber-attacks is becoming increasingly difficult. The technical complexity of systems, the growing variety of exploitable attack vectors and the ubiquitous integration of Internet technology into all aspects of our daily lives compound the problem. The failure to adopt a comprehensive approach to the problem is frequently the norm, leading to an incomplete understanding of cyber-attacks and a failure to provide an appropriate solution. A plethora of cyber-attack evaluation methods exist today that help to understand the complexity of cyber-attacks. Most of these models, however, focus on delivering insight from a unidimensional perspective: either technical detail or understanding of human-centric factors. Moreover, these approaches do not provide a holistic evaluation of the effects of cyber-attacks on states’ CII in order to establish a basic situational awareness and to define the appropriate countermeasures. However, as has already become apparent, it is no longer possible to consider only the technological perspective of cyber-attacks; it is essential to consider all the aspects they generate.
Furthermore, the above-mentioned technology-centric, social-centric and cyber-situational awareness models failed to accurately identify the extent of socioeconomic consequences, such as public health, safety, economic and psychological impacts, which are directly linked to the collapse or degradation of CII. In addition, none of the above-mentioned cyber-attack evaluation methods is linked to international law and the consequences related to interstate violence. For these reasons, in this thesis a systematic modelling methodology for evaluating the effects of cyber-attacks on states’ CII was introduced. The analysis focused on the United Nations Charter’s normative scheme of the “use of force”, in order to define whether these attacks constitute a wrongful “use of force” under the principles of international law. By using the qualitative criteria proposed by the IGEs for recognizing the impact of cyber-attacks and by applying MADM methods, cyber-attack evaluation results were presented. For the analysis, a case study of kinetic and cyber-attacks on a Supervisory Control and Data Acquisition (SCADA) system was employed. The pros and cons of the SAW method and the WPM were evaluated. The weaknesses of applying the SAW method in cyber-attack modelling assessment, as well as the difficulty in defining an appropriate quantitative scale for the classification of such attacks when using the WPM (due to the nonlinear relationship between attributes and overall score in the WPM), led us to the creation of a new systematic evaluation strategy. The new cyber-attack evaluation methodology combined the use of the above-mentioned decision-making algorithms and introduced a new grouping of the IGEs’ qualitative criteria based on their properties, in order to achieve an improved cyber-attack modelling assessment. Different quantitative scales were applied to the distinct groups of qualitative criteria in order to quantify them according to their characteristics. The new methodology was applied to real-life cyber-attacks, namely the large-scale attacks against Estonia and Iran, and cyber-attack evaluation results were presented. The correlation of both qualitative and quantitative methods of analysis made it possible to achieve an improved cyber-attack evaluation assessment and, as a result, a more accurate and complete cyber-attack classification. The usefulness of the methodology is perceived in areas where there is uncertainty or disagreement in a number of legal analyses, and for making available a means for addressing all issues having to do with interstate violence. The threshold inquiry is crucial to assessing the level of violence between states in order to justify a lawful response.
Because the UN Charter prohibits the unauthorized “use of force”, a state must be able to quickly and safely assess whether a cyber-attack constitutes a “use of force”, triggering international condemnation, economic sanctions or (active) “cyber self-defense”, or an “armed attack”, justifying a forceful response (with the use of conventional military weapons). Finally, the methodology could act as a basis for the assessment and classification of cyber-attacks that are directed at Software-Intensive (SI) systems, which are components of a state’s CII.
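As an added illustration of the two MADM methods compared above (not the thesis's own implementation), the following Python scores two constructed incident profiles against the IGEs' criteria with SAW and with the WPM, and measures how much one extra step of severity changes each score. The criterion weights, the 1..5 ordinal scale, its direction convention and the two incident profiles are assumptions of this example, not the thesis's data.

```python
"""SAW vs. WPM scoring of a cyber-attack against the Tallinn Manual criteria.

Added example, not the thesis's own code. Weights, the 1..5 scale and the
incident profiles are constructed for illustration.
"""
from math import prod

# The qualitative criteria proposed by the IGEs (Tallinn Manual, Rule 11).
# Convention assumed here: each criterion is rated 1..5, where 5 means "most
# indicative of a use of force" (for presumptive legality: how far the act
# departs from presumptively lawful conduct).
CRITERIA = ("severity", "immediacy", "directness", "invasiveness",
            "measurability", "military_character", "state_involvement",
            "presumptive_legality")
SCALE_MAX = 5

# Constructed weights (assumption): severity is treated as the dominant factor.
WEIGHTS = {"severity": 3, "immediacy": 1, "directness": 1, "invasiveness": 2,
           "measurability": 1, "military_character": 1,
           "state_involvement": 2, "presumptive_legality": 1}


def _normalised(weights):
    """Scale the weights so that they sum to 1."""
    total = sum(weights[c] for c in CRITERIA)
    return {c: weights[c] / total for c in CRITERIA}


def _check(ratings):
    """Reject ratings outside the ordinal scale (0 would zero out a WPM product)."""
    for c in CRITERIA:
        if not 1 <= ratings[c] <= SCALE_MAX:
            raise ValueError(f"{c} must be rated 1..{SCALE_MAX}")


def saw_score(ratings, weights=WEIGHTS):
    """Simple Additive Weighting: weighted sum of normalised ratings, in [0, 1]."""
    _check(ratings)
    w = _normalised(weights)
    return sum(w[c] * ratings[c] / SCALE_MAX for c in CRITERIA)


def wpm_score(ratings, weights=WEIGHTS):
    """Weighted Product Model: product of normalised ratings raised to their
    weights, in [0, 1]. The score is multiplicative, hence nonlinear in each
    attribute."""
    _check(ratings)
    w = _normalised(weights)
    return prod((ratings[c] / SCALE_MAX) ** w[c] for c in CRITERIA)


def marginal_effect(score_fn, ratings, criterion, weights=WEIGHTS):
    """Change in score when one criterion is raised by a single scale step."""
    bumped = dict(ratings)
    bumped[criterion] = ratings[criterion] + 1
    return score_fn(bumped, weights) - score_fn(ratings, weights)


# Constructed incident profiles (illustrative ratings, not the thesis's data):
# a disruptive denial-of-service campaign and a destructive attack on a
# SCADA system.
DISRUPTIVE_DDOS = {"severity": 2, "immediacy": 4, "directness": 4,
                   "invasiveness": 2, "measurability": 3,
                   "military_character": 1, "state_involvement": 2,
                   "presumptive_legality": 2}
DESTRUCTIVE_SCADA = {"severity": 4, "immediacy": 2, "directness": 3,
                     "invasiveness": 4, "measurability": 4,
                     "military_character": 3, "state_involvement": 4,
                     "presumptive_legality": 4}


if __name__ == "__main__":
    for name, inc in (("disruptive", DISRUPTIVE_DDOS),
                      ("destructive", DESTRUCTIVE_SCADA)):
        print(f"{name:12s} SAW={saw_score(inc):.3f}  WPM={wpm_score(inc):.3f}")
    # SAW: one extra severity step is worth w_severity / SCALE_MAX = 0.05 in
    # both incidents. WPM: the same step multiplies the score by
    # ((r+1)/r) ** w_severity, so its absolute effect depends on every other
    # rating, which is why a single quantitative scale is hard to fix for WPM.
    for fn in (saw_score, wpm_score):
        print(f"{fn.__name__:10s} severity+1:",
              round(marginal_effect(fn, DISRUPTIVE_DDOS, "severity"), 4),
              round(marginal_effect(fn, DESTRUCTIVE_SCADA, "severity"), 4))
```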

References

Adam P. Liff (2012): Cyberwar: A New ‘Absolute Weapon’? The Proliferation of Capabilities and Interstate War, Journal of Strategic Studies, 35:3, 401-428, DOI: 10.1080/01402390.2012.663252
Anthony Ween, Peter Dortmans, Nitin Thakur and Cayt Rowe (2017): Framing cyber warfare: an analyst’s perspective, Journal of Defence Modeling and Simulation: Applications, Methodology, Technology, Special Issue: Cyber Modeling and Simulation, 1-11, DOI: 10.1177/1548512917725620
Archick, Kristin (2004): Cybercrime: The Council of Europe Convention, CRS Report for Congress, 22 July 2004.
Austrian Cyber Security Strategy (2013), Available at: https://www.bmi.gv.at/504/files/130415_strategie_cybersicherheit_en_web.pdf
Banks, W. (2013) ‘The role of counterterrorism law in shaping ad bellum norms for cyber warfare’, International Law Studies, vol. 89, pp. 157–97.
Berson, T. and Denning, D. (2011), “Cyber warfare”, IEEE Security & Privacy, Vol. 9 No. 5, pp. 13-15.
Brenner, S. W. (2007). ‘“At Light Speed”: Attribution and Response to Cybercrime/Terrorism/Warfare.’ The Journal of Criminal Law and Criminology, 97(2), pp. 379-475.
Brownlie, I. (1963) International law and the use of force by states, Oxford: Clarendon Press.
Bruno Lete and Peter Chase (2018), “Shaping Responsible State Behavior in Cyberspace”, The German Marshall Fund of the United States & Microsoft.
Bishop M. “A taxonomy of UNIX system and network vulnerabilities”. Technical report CSE 95-10. Department of Computer Science, University of California at Davis; 1995.
Bodmer, Kilger, Carpenter & Jones (2012). Reverse Deception: Organized Cyber Threat Counter-Exploitation. New York: McGraw-Hill Osborne Media.
Catherina A. Theohary and John W. Rollins (2015), Cyber warfare and Cyber terrorism: In brief, Congressional Research Service, Available at: https://fas.org/sgp/crs/natsec/R43955.pdf
Centre for Defence Enterprise. Cyber Situational Awareness. Defence Science and Technology Laboratory. Ministry of Defence, UK; 2012. Available at: http://nationalarchives.gov.uk/webarchive/
Center for Strategic & International Studies, Significant Cyber Incidents since 2006. Available at: https://www.csis.org/programs/cybersecurity-and-governance/technology-policy-program/other-projects-cybersecurity
Cedric Ryngaert (2008): Litigating Abuses Committed by Private Military Companies, European Journal of International Law, Vol. 19, Issue 5, 1 November 2008, pp. 1035–1053, https://doi.org/10.1093/ejil/chn056
Clarke, R.A. and Knake, R.K. (2010) Cyber war: The next threat to national security and what to do about it, New York: Harper Collins.

Cohen, Fred (1997). Information system attacks: A preliminary classification scheme. Computers & Security, 16, 1, 29-46.
Collins Sean and McCombie Stephen: Stuxnet: The emergence of a new cyber weapon and its implications, Journal of Policing, Intelligence and Counter Terrorism, 2012, Vol. 7, No. 1, pp. 80-91.
Conti G, Nelson J, Raymond D. Towards a cyber common operating picture. In: Podins K, Stinissen J, Maybaum M, editors. Proc. of the 5th international conference on cyber conflict. Tallinn: NATO CCD COE Publications; 2013.
Cornish, P., Hughes, R. and Livingstone, D. (2009), Cyberspace and the National Security of the United Kingdom, Chatham House Report, Royal Institute of International Affairs, London.
Cordula Droege (2012), Get off my cloud: cyber warfare, international humanitarian law, and the protection of civilians, International Review of the Red Cross, Vol. 94, No. 886, International Committee of the Red Cross (ICRC).
Council Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Official Journal of the European Communities L 201/37.
Council Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal of the European Communities No L 281/31.
Council Directive 2008/114/EC of 8 December 2008 “on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection”, OJ L 345/75.
Council Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA, Official Journal of the European Union L 218/8.
Council of Europe (2001): Convention on Cybercrime, European Treaty Series 185.
Daniel T. Kuehl (2009): From Cyberspace to Cyberpower: Defining the Problem, in Cyberpower and National Security, Franklin D. Kramer, Stuart H. Starr and Larry K. Wentz (eds.), University of Nebraska Press, Potomac Books, DOI: 10.2307/j.ctt1djmhj1
Department of Defense: The Department of Defense Cyber Strategy, Washington, DC 20301-1000, 17 April 2015.
Department of Homeland Security, National Infrastructure Protection Plan, Washington: US Department of Homeland Security, 2009.
Dinstein, Y. (2011) War, aggression and self-defence, 5th edition, Cambridge: Cambridge University Press.
Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, Official Journal of the European Union, L 194/1, 19.7.2016.
Dreyfuss, S. (1998) Computer Hackers: juvenile delinquents or international saboteurs? Presented at the February 1998 Internet Crime conference held by the Australian Institute of Criminology. Available at: http://www.aic.gov.au/conferences/internet/dreyfus.pdf
Drummond, D. (2010). Official Google Blog: A new approach to China. Available at: http://googleblog.blogspot.gr/2010/01/new-approach-to-china.html#!/2010/01/new-approach-to-china.html
Eisenberg Ted, Gries David, Hartmanis Juris, Holcomb Don, Lynn M. Stuart, Santoro Thomas: The Cornell Commission: On Morris and the Worm, Communications of the ACM 32, no. 6 (1989).
Elkus Adam: Moonlight Maze, in A Fierce Domain: Conflict in Cyberspace, 1986 to 2012, Vienna, VA: Cyber Conflict Studies Association, 2013.
Emergency Management Australia (2003), Critical Infrastructure Emergency Risk Management and Assurance Handbook, Available at: https://reliefweb.int/sites/reliefweb.int/files/resources/9ADDC00DA63FEEA2C1256DB8005B3195-ema-risk-03.pdf
Eneken Tikk, Kadri Kaska, Kristel Rünnimeri, Mari Kert, Anna-Maria Talihärm, Liis Vihul: Cyber Attacks Against Georgia: Legal Lessons Identified, Cooperative Cyber Defence Centre of Excellence (CCD COE), 2008.
European Commission (2006), On a European Programme for Critical Infrastructure Protection (Communication), COM 786 final.
European Commission (2007), On promoting data protection by privacy enhancing technologies (PETs) (Communication), COM 228 final.
European Commission (2009), On critical information infrastructure protection, protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience, Communication 149 final, Brussels, 30.03.2009.
European Commission (2013), Cybersecurity Strategy of the European Union: an open, safe and secure cyberspace, Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, JOIN 1 final, Brussels, 7.2.2013.
European Network and Information Security Agency: National Cyber Security Strategies – Practical Guide on Development and Execution, December 2012.
European Network and Information Security Agency: National Cyber Security Strategies (NCSSs) Map, Available at: https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ncss-map
European Treaty Series 185, Project on Cybercrime, 23.11.2001, Council of Europe, Budapest.
Falliere Nicolas, O Murchu Liam and Chien Eric: W32.Stuxnet Dossier, Version 1.4, Symantec Security Response, February 2011.
Farwell James and Rohozinski Rafal: Stuxnet and the Future of Cyber War, Survival: Global Politics and Strategy, 2011, Vol. 53, Issue 1, pp. 23-40.
Finklea, K. and Theohary, C. (2015), Cybercrime: conceptual issues for Congress and US Law Enforcement, Congressional Research Service Report, Available at: www.fas.org/sgp/crs/misc/R42547.pdf

Fishburn Peter: Additive utilities with incomplete product set: Applications to priorities and assignments. Operations Research, 1967, Vol. 15, No. 3, pp. 537-542.
Franz-Stefan Gady: New Snowden Documents Reveal Chinese Behind F-35 Hack, The Diplomat, 27-01-2015, Available at: http://thediplomat.com/2015/01/new-snowden-documents-reveal-chinese-behind-f-35-hack/
Freitas, Pedro Miguel F. and Gonçalves, Nuno (2015) Illegal access to information systems and the Directive 2013/40/EU, International Review of Law, Computers & Technology, 29:1, 50-62, DOI: 10.1080/13600869.2015.1016278
Gaycken, Sandro (2010), The necessity of (some) certainty – a critical remark concerning Matthew Sklerov’s concept of ‘active defense’, Journal of Military and Strategic Studies, Vol. 12 No. 2.
General Assembly A/66/359, Letter dated 12 September 2011 from the Permanent Representatives of China, the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary-General: “International code of conduct for information security”, United Nations, 14 September 2011.
General Assembly A/68/98, Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, United Nations, 24 June 2013.
General Assembly A/69/723, Letter dated 9 January 2015 from the Permanent Representatives of China, Kyrgyzstan, the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary-General: “International code of conduct for information security”, United Nations, 13 January 2015.
General Assembly Resolution A/RES/29/3314: Definition of Aggression, United Nations, 14 December 1974.
General Assembly Resolution A/RES/55/63: Combating the criminal misuse of information technologies, United Nations, 22 January 2001.
General Assembly Resolution A/RES/56/121: Combating the criminal misuse of information technologies, United Nations, 23 January 2002.
General Assembly Resolution A/RES/57/239: Creation of a global culture of cybersecurity, United Nations, 31 January 2003.
General Assembly Resolution A/RES/58/199: Creation of a global culture of cybersecurity and the protection of critical information infrastructures, United Nations, 30 January 2004.
General Assembly Resolution A/RES/64/211: Creation of a global culture of cybersecurity and taking stock of national efforts to protect critical information infrastructures, United Nations, 17 March 2010.
Graham, D.E. (2010) ‘Cyber threats and the law of war’, National Security Law and Policy, vol. 4, no. 1, pp. 87–102.
Greitzer FL, Ferryman TA. Methods and metrics for evaluating analytic insider threat tools. In: Proc. of the 2013 IEEE Security and Privacy Workshops, California, USA. 2013. p. 90–7.

Greitzer FL, Paulson PR, Kangas LJ, Franklin LR, Edgar TW, Frincke DA. Predictive modeling for insider threat mitigation. Technical report PNNL-60737. Pacific Northwest National Laboratory; 2009.
Godwin III, J. B., Kulpin, A., Rauscher, K. F., & Yaschenko, V. (2014). Critical Terminology Foundations 2. New York. Retrieved from: http://www.ewi.info/idea/criticalterminology-foundations-2
Goldsmith, J. (2013) ‘How cyber changes the laws of war’, European Journal of International Law, vol. 24, no. 1, pp. 129–38.
Haizler Omry: The United States’ Cyber Warfare History: Implications on Modern Cyber Operational Structures and Policymaking, Cyber, Intelligence and Security, vol. 1, no. 1, 2017.
Happa J, Fairclough G. A model to facilitate discussions about cyber-attacks. In: Taddeo M, Glorioso L, editors. Ethics and policies for cyber operations. Philosophical Studies Series 124. Springer International Publishing Switzerland; 2017. p. 169–85.
Handler, S.G. (2012) ‘New cyber face of battle: developing a legal approach to accommodate emerging trends in warfare’, Stanford Journal of International Law, vol. 48, no. 1, pp. 209–38.
Haslam, E. (2000) ‘Information warfare: technological changes and international law’, Journal of Conflict and Security Law, vol. 5, pp. 157–75.
Hathaway, O., Crootof, R., Levitz, Ph., Nix, H., Nowlan, A., Perdue, W. and Spiegel, J. (2012), The law of cyber-attack, California Law Review, Vol. 100 No. 4, pp. 817-886.
Hoisington, M. (2009), Cyber warfare and the use of force giving rise to the right of self-defence, Boston College International and Comparative Law Review, vol. 32, pp. 439-454.
Howard JD, Longstaff TA. A common language for computer security incidents. Sandia National Laboratories; 1998.
Hwang Ching-Lai, Yoon Kwangsun: Multiple Attribute Decision Making: Methods and Applications, Berlin/Heidelberg/New York: Springer Verlag, 1981.
Hutchins EM, Cloppert MJ, Amin RM. Intelligence-driven computer network defence informed by analysis of adversary campaigns and intrusion kill chains. In: Proc. of the 6th annual international conference on information warfare and security, Washington, DC. 2011.
ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems, Available at: https://www.iso.org/standard/54534.html
ITU Global Cybersecurity Agenda (2008), Report of the Chairman of the High-Level Experts Group (HLEG) to the ITU Secretary-General, Available at: https://www.itu.int/en/action/cybersecurity/Documents/gca-chairman-report.pdf
James A. Green (2014) ‘Questioning the peremptory status of the prohibition of the use of force’, Michigan Journal of International Law, vol. 32, no. 2, pp. 215–57.
James A. Green (2016), The Regulation of Cyber warfare under the jus ad bellum, in Cyber warfare: A multidisciplinary analysis (James A. Green, ed.), Routledge Studies in Conflict, Security and Technology.

James A. Lewis: Computer Espionage, Titan Rain and China, Center for Strategic and International Studies – Technology and Public Policy Program, December 2005.
James C. Mulvenon and Richard H. Yang (eds.): The People’s Liberation Army in the Information Age, Conference Proceedings, RAND National Security Research Division, 1999.
James Michael, Thomas Wingfield and Duminda Wijesekera (2003): Measured Responses to Cyber-attacks using Schmitt Analysis: A Case Study of Attack Scenarios for a Software-Intensive System. In Proc. of the Twenty-Seventh Annual International Computer Software and Applications Conference, IEEE.
Jason Healey (ed.): A Fierce Domain: Conflict in Cyberspace, 1986 to 2012, Vienna, VA: Cyber Conflict Studies Association, 2013.
John Bumgarner and Scott Borg: Overview by the US-CCU of the Cyber Campaign against Georgia in August 2008, A US-CCU Special Report, August 2009, Available at: http://www.registan.net/wp-content/uploads/2009/08/US-CCU-Georgia-Cyber-Campaign-Overview.pdf
Joint Declaration by the President of the European Council, the President of the European Commission, and the Secretary General of the North Atlantic Treaty Organization (Warsaw, 08.06.2016), Available at: https://www.consilium.europa.eu/media/21481/nato-eu-declaration-8-july-en-final.pdf
Jolley, J.: Article 2(4) and cyber warfare: How do old rules control the brave new world? International Law Research 2013; 2:1. Canadian Center of Science and Education.
Jougleux Philippe, Lilian Mitrou and Tatiana-Eleni Synodinou: The Legal Regulation of Cyber Attacks, in Ioannis Iglezakis (ed.), Kluwer Law International, 20 June 2016.
Juan Andres Guerrero-Saade, Daniel Moore, Costin Raiu, Thomas Rid: Penquin’s Moonlit Maze. The Dawn of Nation-State Digital Espionage, Kaspersky Lab, 3 April 2017, Available at: https://securelist.com/penquins-moonlit-maze/77883/
Kandias M, Mylonas A, Virvilis N, Theoharidou M, Gritzalis D. An insider threat prediction model. In: Proc. of the 7th international conference on trust, privacy and security in digital business. Spain: Springer; 2010. p. 26–37.
Kandias M, Stavrou V, Bozovic N, Mitrou L, Gritzalis D. Predicting the insider threat via social media: the YouTube case. In: Proc. of the 12th workshop on privacy in the electronic society. Berlin: ACM Press; 2013. p. 261–6.
Kanuk, S.P. (1996) ‘Information warfare: new challenges for public international law’, Harvard International Law Journal, vol. 37, pp. 272–92.
Karnouskos Stamatis: Stuxnet worm impact on industrial cyber-physical system security, in Proc. of the 37th Annual Conference of the IEEE Industrial Electronics Society, Australia, 2011.
Kaspersen Henrik: Cybercrime and Internet Jurisdiction, Project on Cybercrime prepared by the Economic Crime Division, 2009.
Kessler Oliver and Werner G. Wouter: Expertise, Uncertainty and International Law: A Study of the Tallinn Manual on Cyber warfare. Leiden Journal of International Law, 26 (04), 2013, pp. 793–810.

Koblitz, Neal: Cryptography as a teaching tool, Cryptologia, 1997, vol. 21, No. 4, pp. 317-326.
Kodar, E. (2009) ‘Computer network attacks in the grey areas of jus ad bellum and jus in bello’, Baltic Yearbook of International Law, vol. 9, pp. 133–55.
Klimburg A, editor. National cyber security framework manual. Tallinn: NATO Cooperative Cyber Defence Centre of Excellence Publication; 2012.
Kolini, Farzan and Janczewski, Lech: Clustering and Topic Modelling: A new Approach for Analysis of National Cyber Security Strategies. PACIS 2017 Proceedings, 126. Available at: http://aisel.aisnet.org/pacis2017/126
Langner Ralph: Stuxnet: Dissecting a Cyberwarfare Weapon, IEEE Security & Privacy, Vol. 9, Iss. 3, 2011.
Langner Ralph: Stuxnet’s Secret Twin: The real program to sabotage Iran’s nuclear facilities was far more sophisticated than anyone realized, Foreign Policy, 2013.
Legg, Philip (2015) Visualizing the Insider Threat: Challenges and tools for identifying malicious user activity, In: IEEE Symposium on Visualization for Cyber Security, Chicago, Illinois, USA, 26 October 2015.
Leigh David and Harding Luke: WikiLeaks: Inside Julian Assange's War on Secrecy, 2011, p. 42.
Lilian Mitrou (2016), Attacks against Information Systems: Technical Definitions, in The Legal Regulation of Cyber-Attacks (Ed. Iglezakis), Wolters Kluwer, pp. 9-17.
Loeb Vernon: Pentagon Computers Under Assault, Washington Post, 7 May 2001.
Lough DL. A taxonomy of computer attacks with applications to wireless networks. Blacksburg: University Libraries, Virginia Polytechnic Institute and State University; 2001.
Lynn, W. (2010) Defending a New Domain: The Pentagon’s Cyber Strategy, Foreign Affairs, vol. 89, no. 5, Available at: www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain [2 Oct 2013].
Mačák, Kubo (2016): Is the International Law of Cyber Security in Crisis?, in Proc. of the 8th International Conference on Cyber Conflict, NATO CCD COE Publications, Tallinn.
MacCrimmon Kenneth: Multiple Criteria Decision Making: An Overview of Multiple Objective Decision Making. University of South Carolina Press, 1973, pp. 18-44.
Malcolm N. Shaw (2014), International Law (Seventh Edition), Cambridge University Press.
Mandiant (2013): APT1: Exposing one of China’s Cyber Espionage Units, Available at: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
McAfee (2010), Protecting Your Critical Assets: Lessons Learned from Operation Aurora, White Paper, McAfee Foundstone Professional Services.
McKay Angela, Neutze Jan, Nicholas Paul and Sullivan Kevin (2014): International Cybersecurity Norms: Reducing conflict in an Internet-dependent world, Microsoft Publications.
Michael James, Wingfield Thomas and Wijesekera Duminda: Measured Responses to Cyber-attacks using Schmitt Analysis: A Case Study of Attack Scenarios for a Software-Intensive System, In Proc. of the Twenty-Seventh Annual International Computer Software and Applications Conference, IEEE, 2003.

Michael Kassner (2009), Ghostnet: Why it’s a big deal, Available at: http://www.techrepublic.com/blog/it-security/ghostnet-why-its-a-big-deal/1339/ Michael S. Schmidt and David E. Sanger: 5 in China Army Face U.S. Charges of Cyber-attacks, The New York Times, 19 May 2014. Available at: https://www.nytimes.com/2014/05/20/us/us-to- charge-chinese-workers-with-cyberspying.html?mcubz=1 Michael Schmitt. 1999. Computer Network Attack and the Use of Force in International Law: Thoughts on a normative framework. Columbia Journal of Transnational Law, 37, 885-937. Michael Schmitt: Cyber operations and the Jus Ad Bellum Revisited, Villanova Law Review 56, 2011, pp. 569-606. Microsoft Policy Papers, "An Attribution Organization to Strengthen Trust Online," Microsoft, April 2017 Morningstar, C. and Farmer, F. R. (2003) The Lessons of Lucasfilm's Habitat: The New Media Reader,

Wardrip-Fruin and Nick Montfort (ed.), Cambridge: The MIT Press. Morth Todd: Considering our position: Viewing information warfare as a use of force prohibited by article 2(4) of the UN Charter, Case Western Reserve Journal of International Law, 1998, Vol.30, Iss 2, pp 567-600. Mudrinich, Eric (2012), Cyber 3.0: the department of defense strategy for operating in cyberspace and the attribution problem, The Air Force Law Review, Vol. 68, pp. 167-205. NATO Cooperative Cyber Defence Centre of Excellence Official Webpage, Available at: https://www.ccdcoe.org/ NATO Wales Summit Declaration by the Heads of State and Government participating in the meeting of the North Atlantic Council in Wales, Press Release 120, Issued on 05 September2014, Available at: https://www.nato.int/cps/ic/natohq/official_texts_112964.htm NATO Warsaw Summit Declaration by the Heads of State and Government participating in the meeting of the North Atlantic Council in Warsaw 8-9 July 2016, Press Release 100. Nguyen, R. (2013) ‘Navigating jus ad bellum in the age of cyber warfare’, California Law Review, vol. 101, pp. 1079–129. O’Connell, M. (2012), “Cyber security without cyber war”, Journal of Conflict & Security Law, Vol. 17 No. 2, pp. 187-209. Owens W, Dam K, Lin H.: Technology, policy, law and ethics regarding U.S. acquisition and use of cyber-attack capabilities. The National Academies Press; 2009. Panetta Leon: Defending the Nation from Cyber Attack, Business executives for National Security, October 2012. Available at: URL: http://www.bens.org/document.doc?id=188 Paul Meyer (2012), Diplomatic Alternatives to Cyber-warfare, The RUSI Journal, 157:1, 14-19, DOI: 10.1080/03071847.2012.664357 Percy Williams Bridgman. 1922. Dimensionless Analysis. New Haven. Yale University Press. 
Pipyros, K., Mitrou, L. and Gritzalis, D. (2017). Evaluating the effects of cyber-attacks on critical infrastructures in the context of Tallinn manual. In: 2nd NMIOTC Conference on Cyber Security in Maritime Domain, Greece, September 2017.

115

References

Pipyros, K., Thraskias, C., Mitrou, L., Gritzalis, D. and Apostolopoulos, T. (2017). A new strategy for improving cyber-attacks evaluation in the context of Tallinn manual. Computers & Security (Special Issue), April 2017.
Pipyros, K., Mitrou, L., Gritzalis, D. and Apostolopoulos, T. (2016). A review of obstacles in applying international law rules in cyber warfare. Information & Computer Security, Vol. 24, Iss. 1, pp. 38-52.
Pipyros, K., Thraskias, C., Mitrou, L., Gritzalis, D. and Apostolopoulos, T. (2016). Cyber-Attacks Evaluation Using Simple Additive Weighting Method on the Basis of Schmitt's Analysis. In: Proc. of the 10th Mediterranean Conference on Information Systems (MCIS 2016), Paper 41.
Prosecutor v. Dusko Tadic (Appeal Judgement), IT-94-1-A, International Criminal Tribunal for the former Yugoslavia (ICTY), 15 July 1999. Available at: http://www.refworld.org/cases,ICTY,40277f504.html
Rao, R. V. (2007). Decision Making in the Manufacturing Environment Using Graph Theory and Fuzzy Multiple Attribute Decision Making (MADM) Methods. London: Springer-Verlag.
Reed, T. (2007). At the abyss: an insider's history of the Cold War. Random House LLC.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Official Journal of the European Union L 119/1, 4 May 2016.
Rid, T. and Buchanan, B. (2015). Attributing Cyber-attacks. Journal of Strategic Studies, Vol. 38, Iss. 1-2.
Robinson, M., Jones, K. and Janicke, H. (2015). Cyber warfare: Issues and Challenges. Computers & Security, Vol. 49, pp. 70-94.
Roscini, M. (2010). Worldwide warfare – Jus ad bellum and the use of cyber force. Max Planck Yearbook of United Nations Law, Vol. 14, pp. 85-130.
Roscini, M. (2014). Cyber Operations and the Use of Force in International Law. Oxford University Press.
von Solms, R. and van Niekerk, J. (2013). From information security to cyber security. Computers & Security, Vol. 38, pp. 97-102.
RSA (2011). Anatomy of an Attack. Speaking of Security - The RSA Blog and Podcast. Available at: https://blogs.rsa.com/anatomy-of-an-attack/
RSA (2014). RSA Online Fraud Report. Available at: http://www.emc.com/collateral/fraud-report/rsa-online-fraud-report-012014.pdf
Sang-Hun, Ch. (2013). Computer Networks in South Korea are paralyzed in Cyber-attacks. Available at: http://www.nytimes.com/2013/03/21/world/asia/south-korea-computer-network-crashes.html?pagewanted=all&_r=0 [accessed 2 Oct 2013].
Sanger, D. (2012). Obama Order Sped up Wave of Cyber-attacks against Iran. The New York Times, 2012. Available at: http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html
Gordon, S. and Ford, R. (2006). On the definition and classification of cybercrime. Journal of Virology, Vol. 2, Iss. 2, pp. 13-20.
Sharp, W. G. (1999). Cyberspace and the use of force. Falls Church: Aegis Research Corp.
Schmitt, M. (1999). Computer network attack and the use of force in international law: thoughts on a normative framework. Columbia Journal of Transnational Law, Vol. 37. Available at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1603800
Schmitt, M. (2010). Cyber operations in international law: the use of force, collective security, self-defense and armed conflicts. Committee on Deterring Cyber Attacks, National Research Council. The National Academies Press.
Schmitt, M. (2011). Cyber operations and the jus ad bellum revisited. Villanova Law Review, Vol. 56, pp. 569-606. Available at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2184850
Schmitt, M. (2013). Classification of Cyber Conflict. Journal of Conflict and Security Law, Vol. 17, No. 2, pp. 245-260.
Schmitt, M. N. and Vihul, L. (2014). Proxy Wars in Cyber Space: The Evolving International Law of Attribution (31 May 2014). Fletcher Security Review, Vol. I, No. II, pp. 55-73. Available at SSRN: https://ssrn.com/abstract=2388202
Schmitt, M. (ed.) (2013). Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge University Press.
Schmitt, M. (ed.) (2016). Tallinn Manual 2.0 on the International Law Applicable to Cyber Warfare. Cambridge University Press.
Shakarian, P. (2011). The Russian Cyber Campaign against Georgia. Military Review, Vol. 91, No. 6.
Shanahan, J. (2014). Achieving accountability in cyberspace: revolution or evolution? Joint Force Quarterly, National Defence University, No. 73, pp. 20-25.
Silver, D. B. (2002). Computer network attack as a use of force under Article 2(4). International Law Studies, Vol. 76, pp. 73-98.
Blank, S. (2008). Web War I: Is Europe's First Information War a New Kind of War? Comparative Strategy, Vol. 27, No. 3. Available at: http://www.tandfonline.com/doi/abs/10.1080/01495930802185312#.UlHrFBBww-Y
Sieber, U. (1998). Legal Aspects of Computer-Related Crime in the Information Society. COMCRIME Study prepared for the European Commission. Available at: http://www.edc.uoc.gr/~panas/PATRA/sieber.pdf
Simmons, C., Ellis, C., Shiva, S., Dasgupta, D. and Wu, Q. (2009). AVOIDIT: A cyber-attack taxonomy. Technical Report CS-09-003, University of Memphis.
Stavrou, V., Kandias, M., Karoulas, G. and Gritzalis, D. (2014). Business process modeling for insider threat monitoring and handling. In: Proc. of the 11th International Conference on Trust, Privacy & Security in Digital Business, Springer, Germany, pp. 119-131.
Stiennon, R. (2016). A short history of cyber warfare. In: Green, J. A. (ed.), Cyber warfare: A multidisciplinary analysis. Routledge Studies in Conflict, Security and Technology, Taylor and Francis Group.
The Economist (2010). Cyber War in the fifth domain: Are the mouse and the keyboard the new weapons of conflict? Available at: www.economist.com/node/16478792
The SecDev Group and Munk Centre for International Studies, University of Toronto (2009). Tracking GhostNet: Investigating a Cyber Espionage Network. Information Warfare Monitor, 29 March 2009.
The UK Cyber Security Strategy (2011). Protecting and promoting the UK in a digital world. Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf
The White House (2010). National Security Strategy. Washington: Seal of the President of the United States.
The White House (2011). International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World.
Theoharidou, M., Kotzanikolaou, P. and Gritzalis, D. (2009). Risk-based criticality analysis. In: Critical Infrastructure Protection III, Springer, pp. 35-49.
Tikk, E., Kaska, K. and Vihul, L. (2010). International Cyber Incidents: Legal Considerations. CCD COE Publications.
Tsagourias, N. (2012). Cyber-attacks, self-defence and the problem of attribution. Journal of Conflict and Security Law, Vol. 17, Iss. 2, pp. 229-244, 1 July 2012.
UN Doc. A/RES/25/2625 (1970). Declaration on Principles of International Law concerning Friendly Relations and Co-operation among States in accordance with the Charter of the United Nations. GA Res. 2625 (XXV), 25th sess., 24 October 1970.
UN Doc. A/RES/3314 (1974). Definition of Aggression. GA Res. 3314, 29th sess., 14 December 1974.
UN General Assembly (1948). Universal Declaration of Human Rights, 10 December 1948, 217 A (III). Available at: http://www.refworld.org/docid/3ae6b3712c.html
United Nations (1945). Charter of the United Nations, 24 October 1945, 1 UNTS XVI. Available at: http://www.refworld.org/docid/3ae6b3930.html
Vatis, M. A. (2010). The Council of Europe Convention on Cybercrime. In: Proceedings of a Workshop on Deterring Cyber-attacks: Informing Strategies and Developing Options for U.S. Policy. The National Academies Press, Washington, D.C.
Virvilis, N. and Gritzalis, D. (2013). The Big Four - What we did wrong in Advanced Persistent Threat detection? In: Proc. of the 8th International Conference on Availability, Reliability and Security (ARES-2013), IEEE, Germany, September 2013, pp. 248-254.
Virvilis, N. and Gritzalis, D. (2013). Trusted Computing vs. Advanced Persistent Threats: Can a defender win this game? In: Proc. of the 10th IEEE International Conference on Autonomic and Trusted Computing (ATC-2013), IEEE Press, Italy, December 2013, pp. 396-403.
Waxman, M. C. (2011). Cyber-attacks and the use of force: back to the future of Article 2(4). Yale Journal of International Law, Vol. 36, pp. 421-459.
Weiss, G. W. (1996). The Farewell Dossier. Defense Technical Information Center, U.S. Department of Defense.
Westlaw (2007). Case concerning military and paramilitary activities in and against Nicaragua. Available at: www.ilsa.org/jessup/jessup08/basicmats/icjnicaragua.pdf
Wheeler, D. and Larsen, G. (2003). Techniques for Cyber Attack Attribution. Institute for Defense Analyses, Paper P-3792.
Bryant, W. D. (2016). International Conflict and Cyberspace Superiority: Theory and Practice. Routledge, Taylor & Francis Group.
Yoon, K. P. and Hwang, C.-L. (1995). Multiple Attribute Decision Making: An Introduction. Sage University Paper Series on Quantitative Applications in the Social Sciences, pp. 7-14.
Zetter, K. (2010). Google Hack Attack was Ultra Sophisticated, New Details Show. Available at: http://www.wired.com/threatlevel/2010/01/operation-aurora/#ixzz0deHCunGn