Laser-guided bombs line flight deck of aircraft carrier USS John F. Kennedy in preparation for air strikes against Iraq during Operation Desert Storm (PH2 Lipski)
Determining Hostile Intent in Cyberspace
By Ramberto A. Torruella, Jr.
kay, bogies have jinked back were inbound to the John F. Kennedy through the clutter, the Libyans relied on at me again for the fifth time. Carrier Strike Group. Two F-14 Tomcats guidance from shore-based radar stations O They’re on my nose now. Inside of VF-32 were assigned to intercept. for a ground-controlled intercept. The of 20 miles.” The Tomcats flew low, lost in the radar MiGs kept their noses pointed toward This was the report made by clutter kicked up by the sea’s surface, the Americans, hoping their radar would Commander Steven Collins, USN, Radar maneuvering several times to stay out burn through the clutter and give them Intercept Officer (RIO) of Gypsy 207, of the Libyan fighters’ engagement a chance to shoot first. It was clear the prior to arming his F-14’s radar-guided envelope. The Americans maintained Libyans wanted a fight. It was clear they missiles. Two Libyan MiG-23 Floggers a constant fire control lock on their had hostile intent. opponents. The MiGs matched each “13 miles. Fox 1! Fox 1!” the RIO American maneuver unerringly, ignoring shouted as the missiles left the rails of the the radar lock warnings growling in their Tomcat, initiating an engagement that Commander Ramberto A. Torruella, Jr., USN, is the Joint Staff J8 Models and Analysis cockpits. Because the radar on the MiG would end with two MiGs destroyed and Information Technology Support Branch Chief. fighters could not detect the Americans two Libyan pilots lost at sea (paraphrased
114 Features / Determining Hostile Intent in Cyberspace JFQ 75, 4th Quarter 2014 from “Splash Two MiGs,” an account of necessary to communicate complex Army experimented with a technology the 1989 Gulf of Sidra Incident).1 calculations. Commanders from Alex- that turned that land-based abstraction According to the Joint Chiefs of Staff, ander the Great to Napoleon used both (hold the high ground) into the start of hostile intent is defined as the threat of of these abstractions to send dispatches a useful warfighting domain; it started imminent use of force against the United in clear text and code—to communicate using balloons for aerial reconnaissance States, U.S. forces, or other designated with subordinates, coordinate actions of the battlefield.6 Soon, other countries persons or property.2 It is the indica- in real space, and hide their intentions experimented with using balloons for tion, the belief, a commander has that an from opponents. Eventually, special observation, bombing the enemy, or adversary is about to attack. That belief signal corps evolved to encrypt, trans- increasing the range of communications. provides the groundwork for “anticipa- mit, receive, and handle messages, first Most experiments met with modest tory self-defense,” an American legal at the rate of the written word and the success; the technology simply was not concept that allows a commander to at- horse, then at the rate of signal flags, robust enough to deliver consistent tack before being attacked.3 telegraphs, and flashing lights. Code battlefield results. From the point of view of the breakers ancient and modern fought a But once the airplane was invented, American pilots, the Libyan pilots showed silent war to understand enemy signals everything changed. Aerial reconnais- hostile intent by flying a vector toward and gain access to enemy information. sance became consistent and soon was the American Carrier Strike Group, But it was not until the late 20th vital to events on the ground. Artillery constantly maneuvering to threaten the century, when improvements in com- spotting was added to the airman’s list of American interceptors, and ignoring the munication and computing technology vital tasks as well as reconnaissance deep obvious warning signal of American fire raised the volume and velocity of data inside of enemy lines. Change occurred control radar locked onto their aircraft. flow from dozens of words per minute again when the first airman aimed a pistol Libyan actions gave the Americans the to 1.5 trillion words per minute, that the at an enemy observer in another aircraft. belief that an attack was imminent. The information domain gained enough sig- An arms race quickly ensued—planes Americans launched their own missile nificance to be treated as a warfare area in increased in number, specialized in strike as a result: a clear case of anticipa- its own right.4 An adversary with access to purpose, and carried specially developed tory self-defense, a preemptive attack that a commander’s data flow now possessed weapons meant to shoot down other spoils the anticipated attack of an enemy. a far richer set of information regard- aircraft. They flew faster and higher Interestingly, from the Libyan point of ing intentions and operations. More and fought for dominance of the air. view, the Americans also clearly showed importantly, if an adversary could deny Commanders now prioritized effects in hostile intent by constantly illuminating the commander necessary information the air over direct effects on the ground, the Libyan fighters with their fire control or, better yet, change information needed and air warfare, a new warfighting do- radar, the last step the Libyans would to make a decision, disastrous effects main, was born. detect prior to an American missile attack. could occur in real space. For instance, Determining hostile intent is often what if the Libyans were able to fool the Hostile Intent in an not this clear, but in this instance, within American radars and combat systems into Abstract Domain the physical realm of fighter jets, radars, believing their MiGs were farther away or Cyber warfighters learn from the evolu- and missiles, the evidence strongly sug- on a different vector? Would confusion tion of other domains, especially with gests that both parties demonstrated have ensued? Would the world be lament- regard to the legal authorities associ- hostile intent. ing (or celebrating) a different outcome? ated with the use of force and armed This is rarely the case in cyberspace. This is not the first time, and probably combat, the Law of Armed Conflict. not the last, that a change in technol- Just as aviators learned to apply the Law Information as a Weapon, ogy caused an abstraction to evolve into of Armed Conflict in their new domain, Cyberspace as an Abstraction a warfighting domain. Consider the so will commanders who operate in the The cyberspace realm is an abstraction, concept of the high ground. In the 6th cyber domain. with components located in a physi- century BCE, the military philosopher Cyberspace has its own unique chal- cal space but operations occurring in Sun Tzu plainly articulated the benefit lenges. Attributing a cyber attack is a nonphysical space, where the terrain of operations from the higher ground; difficult at best because commanders are is data and information is used as a a commander has greater visibility over rarely ever sure of the source of an attack weapon. This is not new. The ancient enemy movements and is better situated or intrusion, and establishing the forensic Phoenicians pioneered information as to defend against attack.5 It was even evidence needed to be certain is a time- an abstraction when they laid the foun- axiomatic in ancient times that military consuming and often imprecise science. dation for our alphabet, an abstraction possession of higher ground would Intentions are even harder to discern. necessary for transmitting concepts via greatly increase the chance of combat For example, does malware beaconing the written word. Medieval Arabs devel- success. During the late 18th century, to an Internet protocol address in China oped our number system, an abstraction however, the French Revolutionary indicate an attempt to steal data? Is it a
JFQ 75, 4th Quarter 2014 Torruella 115 F-14D Tomcat conducts mission over Persian Gulf region (U.S. Air Force/Rob Tabor) precursor for establishing a botnet? Is Classifying Use of Force point of view instead of an effects-based the malware even Chinese? Is placing in Cyberspace point of view of limiting coercion.9 This malware even considered a use of force? Article 2, Paragraph 4, of the United means that the framers intentionally Unfortunately, there is little to no inter- Nations (UN) Charter specifically states sought to limit how coercion could be national consensus on what constitutes a that “All Members shall refrain in their performed in international politics, not use of force in cyberspace.7 international relations from the threat limit the effects of coercion on a target This article discusses the legal au- or use of force against the territorial nation. For instance, armed attacks and thorities to use force in cyberspace. It integrity or political independence kinetic strikes are not authorized, nor discusses what constitutes the use of force of any state, or in any other manner are blockades, bombardments, or any in cyberspace and how a commander can inconsistent with the Purposes of the other classic use of military power, except determine if an opponent intends to use United Nations.” Force, in this case, in self-defense or as authorized by the force against the United States or its assets does not mean coercion, but the use UN Security Council for the peace and and interests. The article builds on a ru- of armed force as a tool of coercion or security of the international community. bric developed by Michael Schmitt to help persuasion. Matthew Waxman notes However, diplomatic isolation and eco- identify hostile intentions in cyberspace that the framers of the UN Charter did nomic coercion are perfectly authorized and, using a spectrum of cyber activity not set out to end coercive behaviors in by the charter. A nation can target an developed by Gary Brown and Owen international relations, but to end war embargo against another nation, but it Tullos, suggests in general what may be as a legitimate tool of policy except in cannot conduct a naval blockade without appropriate responses to hostile intent. the case of self-defense. The prohibition the express authorization of the Security Finally, the article briefly addresses the against force is a prohibition against Council. Both actions may have the same legal roles, responsibilities, and authorities armed attack.8 effect on the targeted nation—severe required for addressing the different types Waxman also notes that when the economic damage as a form of coercive of cyber attacks with an eye to identifying framers set about to prohibit the use of pressure—but the charter explicitly pro- and responding to hostile intent. force, they took an instruments-based hibits a blockade and not an embargo.
116 Features / Determining Hostile Intent in Cyberspace JFQ 75, 4th Quarter 2014 This creates a difficulty when dealing view of prohibited coercion, it really cyberspace approximates economic or with potentially hostile actions that occur does not address all actions in the cyber political coercion, the less likely it will be in cyberspace. By their very definition, realm, such as painting false targets in an viewed by a nation as an armed attack. cyber actions occur in an abstract realm of opponent’s radar. No damage was done Conversely, the more likely an action in data representation, not physical force. So so there is no kinetic equivalency. Those cyberspace approximates armed force, even if a cyber action causes tremendous areas still remain gray.13 the more likely it will be perceived as an destruction by overloading an electric Duncan Hollis also considers a armed attack, and hence an illegitimate grid or shutting down a critical energy “target-based” framework, where any use of force.16 Schmitt’s seven factors pipeline, legally speaking, the cyber ac- attack, cyber or kinetic, on a nation’s seek to differentiate between what makes tion is not necessarily a prohibited use of critical infrastructure should be construed armed force inappropriate and what force. as a prohibited use of force.14 However, makes economic and political coercion Andrew Folz notes that several legal this framework suffers from the same appropriate. Consider, for example, the frameworks have evolved that address the limitations as the quantum-of-damage differences in characteristics of an oil em- gap in the way international law views framework in that each nation will define bargo and a blockade. force in cyberspace. Almost all shift away what is considered critical infrastructure Schmitt’s seven factors are as follows: from a strictly instruments-based view. based on the strategic interests of the Severity: Armed attacks threaten The first is an effects-based approach nation. A cyber attack on gold mining •• physical injury or destruction of where the “quantum of damage and not production in the United States may be property, while economic and politi- the means of attack” determines if an treated as a routine crime, but South cal coercion do not. Cyber opera- action in cyberspace is a prohibited use Africa may consider its gold mining infra- tions that threaten physical harm are of force.10 This approach only looks at structure critical to its national interests more likely to be viewed as a use of the damage done as a result of the attack and would construe such an attack as a force. This includes such characteris- and ignores how an attack was deliv- prohibited use of force. tics as scope of the action, duration, ered. While this framework is relatively and intensity. simple to apply, it represents a major The Schmitt Analytical Immediacy: The damage due to an break from the way the international Framework •• armed attack usually occurs imme- community already deals with issues of One framework that stays true to the diately, while damage due to other force by completely setting aside the instruments-based method of determin- forms of coercion develops more instruments-based framework. Blockades ing what force is prohibited, yet pro- slowly. This gives the target nation and embargoes would essentially become vides an effective metric for determining time to respond to the pressure before the same thing, and the international whether a cyber action constitutes a use damage can takes place. Cyber actions community would lose major tools in of force, is that presented by Profes- whose consequences are immediate, conducting international relations. What sor Michael Schmitt of the Naval War leaving no time for a target nation to is worse, it would lead to a subjective College. After an interview, Andrew respond to pressure or mitigate the assessment of what constitutes a hostile Folz noted that Professor Schmitt’s consequences, are more likely to be action in cyberspace. If a quantum-of- framework had bridged the gap viewed as a use of force. damage approach is used, the critical between an instruments view of force Directness: Armed attacks can be question would be who determines what and effects in cyberspace: •• linked directly to the damage they a sufficient amount of damage is to con- cause, and other forms of coercion stitute a prohibitive use of force. Each Professor Schmitt recognized that discern- less so. The more directly a cyber nation, having different strengths and ca- ing the use-of-force threshold is really about action can be linked to its conse- pabilities in the cyber realm, would draw predicting how states will characterize quences, the more likely the action different conclusions. and respond to cyber incidents in light of will be viewed as a use of force. Another framework is to consider prevailing international norms. To aid Invasiveness: In an armed attack, the the “kinetic equivalency”11 of a cyber ac- in such predictions, his framework bridges •• action usually crosses into a target tion, where an action in cyberspace only the instrument and consequence-based ap- nation’s territory; other forms of constitutes the use of force if the damage proaches. In keeping with the Article 2(4) coercion generally stay beyond the caused by the action could also have been instrument based standard, his model con- target’s borders. So even though caused by kinetic attack.12 Overloading an sists of seven factors that represent the major armed attacks and economic/politi- electric grid or shutting down an energy distinctions between permissible (that is, cal acts may have roughly similar pipeline with a cyber action can now be economic and political) and impermissible consequences, the armed actions considered a use of force because those (armed) instruments of coercion.15 usually are, in the words of Schmitt, effects could also have been accomplished “a greater intrusion on the rights of with a missile or bomb. While this test Schmitt’s framework takes the the target state and, therefore, [are] stays more true to the instruments-based view that the more closely an action in
JFQ 75, 4th Quarter 2014 Torruella 117 more likely to disrupt international stability.” The more a cyber opera- Figure 1. Spectrum of Conflict tion violates or impairs the territorial Strategic Nuclear integrity or sovereignty of a state, the War Support for Insurgencies and more likely it will be viewed as a use Major Tactical Counterinsurgencies Theater Nuclear of force. War War Measurability: While the conse- Counterinsurgencies International •• Mil-to-Mil War quences of armed attack are usually Contacts Raids Limited Domestic Security Conventional Disaster easy to determine, the actual nega- Assistance Counter Strikes Conflict Relief Terrorism Domestic Arms tive consequences of other forms Control Civil of coercion are harder to measure. Support Peacemaking Combat Peace Environmental States are more likely to view a cyber Building Operations operation as a use of force if the con- sequences are easily identifiable and Level of Combat Counterdrug Peace Nation Enforcement objectively quantifiable. Assistance Show of Force •• Presumptive legitimacy: In almost Peacekeeping Sanctions Peace Humanitarian every nation, violence is an inappro- Enforcement Assistance Noncombatant priate response unless done in self- Evacuation Operations defense. However, all other forms of coercion are considered lawful unless specifically prohibited by law Level of Violence or treaty. Even actions prohibited by Note: Figure adapted from Army Vision 2010 (Washington, DC: Headquarters national law, such as espionage, are Department of the Army, n.d.), 5, available at
118 Features / Determining Hostile Intent in Cyberspace JFQ 75, 4th Quarter 2014 Table 2. Example of Completed Schmitt Analysis Presumptive Cyber action Severity Immediacy Directness Invasiveness Measurability Legitimacy Responsibility Ping map 1 1 5 7 7 1 3 Probe 2 1 5 7 7 2 3 Implant malware 3 4 5 7 7 3 3 Erase logs 5 5 5 8 7 6 4 Email fishing 4 4 5 5 5 5 5 Access networks 4 5 6 8 5 6 5 Access email 4 5 6 8 5 6 5 Steal data 6 6 6 9 8 6 6 Change or delete data 7 6 6 9 8 8 6 Distributed denial-of- 7 7 7 9 8 8 7 service attack (DDoS) Email bomb 7 5 6 7 7 6 5 Influence operations in 6 7 6 6 7 5 7 social media Disable critical 9 8 8 9 8 8 8 infrastructure Damage critical 9 9 8 9 8 8 8 infrastructure Attack financial 8 9 8 9 8 8 8 industry Military command and 9 9 9 9 9 9 9 control attack there are two shapes: one to the left attacks; cyber disruptions, which may in- appropriate countermeasures—we create that represents the spectrum of peace, terrupt the flow of information or disrupt a solid framework for determining hostile the other to the right that represents the operation of information systems but intent in cyberspace. the spectrum of combat. Both use the not cause physical damage or injury; and same sliding scale with level of effort cyber attack, which may cause physical Determining Hostile on the left and level of violence across damage to property or injury to people. Intent in Cyberspace the bottom. Note the overlap near Enabling operations tend to be stealthy, Establishing that framework starts with the center. Actions that occur in that and cyber attacks tend to be easily at- understanding the strategic situation. overlap region may have different con- tributable, at least to the point of origin if Where is the Nation or joint force notations depending on the strategic not the nation responsible. operating with regard to the spectrum situation. Does the commander, for The Brown and Tullos spectrum of conflict (figure 2)? How do partner instance, desire de-escalation to main- is meant to be used in concert with nations and potential adversaries view tain the peace, or escalation to maintain Schmitt’s framework. Schmitt’s frame- the strategic situation? Understanding pressure in accordance with a UN Secu- work provides a detailed metric that is this landscape helps establish priorities rity Council directive? Any determina- excellent for operational-/strategic-level and appropriately weighs factors during tion of hostile intent in cyberspace must forensic analysis of an attack but may be the Schmitt analysis. include an understanding of the strate- too complex for use at the tactical level. Conducting the Schmitt Analysis. gic situation, especially as it pertains to Brown and Tullos completely abandon The analysis begins with a list of potential the spectrum of conflict. the instruments-based metric for deter- actions in cyberspace (see table 1). This Gary Brown and Owen Tullos sug- mining if use of force is warranted, but list of actions is not meant to be specific gest a spectrum for cyber activity that is the spectrum is helpful, especially when or exhaustive but strategic and general, based on the effects of actions in cyber- combined with the overall strategic similar in manner to how the Standing space (see figure 2).17 They postulate picture, in establishing what immediate Rules of Engagement issued by the that cyber actions fall into three basic actions are appropriate when a cyber Chairman of the Joint Chiefs of Staff start categories: enabling actions, which have action is detected. Taken together— out as strategic and general but are modi- little impact on the operations of a na- Schmitt for the strategic analysis and fied with more specificity by commanders tion’s information infrastructure but can understanding the operational landscape, closer to the conflict. The list should set the stage for future operations and and Brown and Tullos for deploying generally and broadly cover the body of
JFQ 75, 4th Quarter 2014 Torruella 119 Figure 3. Example of Schmitt Analysis Stack peace, so the response may be to simply monitor and report the covert access. As 70 tensions rise in the area of responsibility, Responsibility the response may be adjusted to block Presumptive Legitimacy and report, or even to conduct a counter Measureability 60 cyber action against the adversary. Invasiveness When used in conjunction with one Directness Immediacy another, the Schmitt Analysis and Brown- Severity Tullos Cyber Action Response Spectrum 50 provide a commander with a flexible tool to determine an appropriate range of responses to a range of cyber actions. 40 Additionally, both can be useful in coor- dinating cyber responses from different agencies with differing legal authorities. Figure 5 gives an example of how such 30 authorities may be specified. Note that this matrix shows responsibility for ac- tion. The Defense Information Systems 20 Agency or the National Security Agency may respond to a ping map or probe on a Department of Defense (DOD) 10 network, but has no legal authority to pursue the perpetrator who resides in the United States; law enforcement would be responsible for that action, and DOD 0 entities would have to coordinate with DDoS Probe law enforcement to take action. Ping map Erase logs Steal data Email bomb Email fishing Access email
Access network Conclusion Implant malware Attack military C2 Use of force is not simply in the eye Change or delete data
Attack financial industry of the beholder; there is a rugged, Influence ops social media Disable critical infrastructure
Damage critical infrastructure tested framework that is reflected in the United Nations Charter that governs actions that may occur in cyberspace that Determining Response with the what is acceptable coercion and what is have impacts in the theater or area of Brown-Tullos Spectrum. The Schmitt prohibited use of force. Staying as close operations. Analysis Stack (figure 3) gives a good to that framework as possible when Schmitt did not intend for his model indication of what a commander can determining hostile intent in cyberspace to be a quantitative tool but rather to be consider a hostile act in cyberspace. means we stay close to the use-of-force used as a heuristic. Keeping that in mind, Figure 4 takes the stack of actions, lessons and applications of the past six an analyst would use the seven factors from least hostile to most hostile, and decades. An evolutionary development to perform a qualitative analysis of each lays them on the Brown-Tullos Cyber of the legal basis is more appropriate action on the list; each action would be Action Response Spectrum. Using the than a revolutionary development. evaluated for each Schmitt factor on how three general categories in Brown-Tullos Some issues of concern remain: even close the effects of that action would be (enabling operations, cyber disruption, though it is useful for evaluating the to the kinetic effects of an armed attack. cyber attack), a commander can develop strategic/operational cyber landscape, the For simplicity’s sake, analysis would use general responses appropriate to the level Schmitt framework was never meant for a scale of 1 to 10—where a 1 means that of hostility indicated by the action. More real-time battlefield analysis. The analyti- characteristic is far away from a kinetic importantly, the commander can add cal framework presented is meant to give effect and a 10 is exactly like a kinetic or subtract responses, or even move re- the commander a feel for how hostile a effect. Once each action is evaluated for sponses up and down the spectrum based cyber action is and help plan appropriate each factor (see table 2), the results could on the strategic environment in the the- responses ahead of time. The analysis is then be stacked to give a reasonable ater. For instance, an adversary’s access to also not meant to be static but dynamic, comparison of which cyber action is more an unclassified network may be consid- based on continuous analysis of the hostile compared to another. ered enabling operations in a theater at cyber landscape. New tools, techniques,
120 Features / Determining Hostile Intent in Cyberspace JFQ 75, 4th Quarter 2014 vulnerabilities, and mitigations must be Figure 4. Example of Brown-Tullos continuously taken into account with Cyber Action Response Spectrum the strategic situation to accurately stack all the factors and give a commander the Cyber Action right situational awareness. Additionally, the Brown-Tullos spectrum starts out as an effects-based spectrum and only takes into account the instruments of force after Schmitt has been applied. Both must be used together, therefore, one for the Ping map Probe Implant malware Erase logs Email fishing Access network Access email Steal data Change or deleteDDoS data Email bomb Influence ops social mediaDisable critical infrastructureDamage critical infrastructureAttack financialAttack industry military C2 strategic/operational analysis, the other to communicate immediate actions at the tactical level. Enabling Operations Cyber Disruption Cyber Attack The real test for any method of de- termining hostile intent is how it works operationally—that is, how easily it can be employed on the battlefield. The cyber De Marche
Cyber Response battlefield is not physical; it is abstract, Block and Report Kinetic Response but its effects have real consequences in Monitor and Report the physical world. The results of tests Cyber Response can be quickly seen and applied, and the method improved in a short period of time. JFQ Figure 5. Responsibility for Threats in Cyberspace
Title 18 Title 6 Title 10/32/50 Treaties UN Charter Law Enforcement Homeland Security National Defense Signatory Parties UN Security Council Less Destructive Nation States Notes Ping map Ping map Enabling Probe Probe Operations 1 “Splash Two MiGs,” Fly.Historicwings. Implant malware Implant malware Com, January 4, 2013, available at
JFQ 75, 4th Quarter 2014 Torruella 121