Coordinated Security
Strategic Vision vol. 10, no. 50 (September, 2021)
US seeks help holding states accountable for hacking attacks and cyber crime
Hon-min Yau
On June 14, 2021, after concluding their summit in Brussels, NATO leaders jointly announced the 2021 Brussels Summit Communiqué. Other than characterizing Russia and China as “security challenges,” one of the highlights was that NATO leaders concluded that a cyberattack could meet the threshold for invoking Article 5, the collective defense article, of the Washington Treaty. Security observers believe this development came in response to the many recent significant cyber security incidents, including the 2020 SolarWinds attacks, the 2021 Colonial Pipeline ransomware attack, and the 2021 Pulse Secure VPN attacks, which allegedly originated in either Russia or China.
In retrospect, the discussion of whether cyberattacks constitute an act of war within the international community is not new. As early as the 2014 Wales Summit, NATO members had already agreed that international law applies to cyberspace and that cyber defense is part of NATO’s core task of collective defense. There are also various efforts within the United Nations (UN) to shape cyber norms and regulate accepted behavior in cyberspace. However, NATO’s high-profile reiteration in 2021 suggests that there is still a huge gap in expectations between what is anticipated by NATO and what is happening on the ground.
This article intends to briefly review this prolonged endeavor and identify the significant shifts in these international discussions regarding how to better deal with the challenges of cyber security.
Cyber crime wave
It would not be an overstatement to say that cyber security remains one of the critical security issues facing the administration of US President Joe Biden. Right after the US election, SolarWinds Inc., a leading vendor for IT operation management software, was hacked, allegedly by the Russian Foreign Intelligence Service. SolarWinds provides an integrated product, known as the Orion Platform, for organizations worldwide to configure, monitor, analyze, and manage devices within their IT infrastructures. The compromise of this platform is like giving hackers a free pass to a user’s system. This incident disrupted the normal operations of many US government agencies and top enterprises, and it is hard to assess the scale of the damage due to the advanced and persistent nature of this attack.
Not long after SolarWinds was compromised, another attack, known as the Pulse Secure hack, occurred in April 2021, allegedly carried out by China. Pulse Secure is a vendor providing Virtual Private Network (VPN) infrastructure for organizations in both the public and private sectors. Since the global surge of COVID-19, many organizations have deployed VPNs to establish a secure communication channel for their employees to remotely access sensitive information via the public network. VPN technology allows both data integrity and confidentiality for these transmissions. The US Cybersecurity and Infrastructure Security Agency indicated that five federal agencies had been breached via the compromised VPN in this incident.
The latest well-known incident was in May 2021 when a Russian hacker group, DarkSide, hacked the Colonial Pipeline Co. The cyberattack on this company, which is the primary pipeline infrastructure in the eastern United States, temporarily halted its supply of gasoline and jet fuel, and forced some US airlines to change their schedules. In the end, 17 US states declared a state of emergency on May 9th to provide a legal basis for the use of traditional road transportation routes for their fuel supplies.
From the incidents discussed above, three trends emerge. First, cyberattacks in the 21st century are getting more intricate and sophisticated beyond just being an inconvenient nuisance, and even professional organizations cannot escape falling victim to these malicious activities. Second, the recent cyberattacks exhibit stealth and well-coordinated endeavors by groups mobilizing vast technical resources. The looming danger of cyber threats is no longer the product of scaremongering but can actually create an immense amount of financial loss and social turmoil. Finally, all these attacks have intensified both in their scale of damage and the extent of the parties involved. These cyberattacks target the weakest link in a supply chain and attack the IT infrastructure that modern-day operations rely on. Cyberspace itself has become the victim of these malicious activities.
Despite constant cyberattacks on governments and corporations around the world, there is still a lack of clarity in international norms governing our interpretations of malicious activities over cyberspace and recognized approaches to mitigate these problems. Traditionally, treaty law, customary law, and general principles of law are the three fundamental elements of international laws, based on Article 38 of the Statute of the International Court of Justice, used to deal with such international and transnational issues. The Budapest Convention by the European Union is the only binding international treaty, but it has not been signed by either Russia or China. Hence, challenges lie ahead in the international community’s effort to form some kind of consensus.
In the discussion of treaty law, since the early 21st century, the United Nations—being the dominant international institution—has been working via the UN Group of Governmental Experts (UNGGE) framework, composed mainly of Western countries, in the hopes of coming to some consensus on how to deal with conflicts in cyberspace. However, not only has this working group so far failed to agree on what constitutes the right of a state to self-defense in cyberspace, China and Russia initiated a new UN working group in 2019, the Open-Ended Working Group (OEWG), to undermine the dominance of the Western perspective in such discussions. By 2021, both the OEWG and UNGGE maintained that the principles of international law are applicable in cyberspace without agreeing about what constitutes armed conflict in cyberspace. Yet, the UNGGE has not yet extended its mandate, while the OEWG has already received UN support for its work up to 2025. Therefore, we can expect a long process of diplomatic negotiations between the East and West.
In terms of customary law, it is even more troublesome. The plausible deniability of cyberattacks hinders the international community’s ability to observe common practice. In addition, cyberspace is a latecomer in human conflict, and it is difficult to predict whether any cyber practice that is adopted will become long-standing. As such, this may be why the Biden administration has endeavored to initiate a discussion of this issue in other international venues, such as NATO and the G7 summit.
Due diligence
Recent developments indicate that the United States is promoting states’ responsibility to conduct due diligence, which derives from the third element mentioned above: the general principles of law. Traditionally, due to the difficulty of attribution, nations and states often claim no knowledge of cyberattacks originating from their territory. They do this in order to evade responsibility for such cyber incidents. Hence, the discussion of cyber security in policy circles often focuses on exploiting cyberspace, instead of protecting cyberspace. However, as stated by the White House on June 13 during the 2021 G7 Summit in the United Kingdom, “The international community—both governments and private sector actors—must work together to ensure that critical infrastructure is resilient against this threat … and that states address the criminal activity taking place within their borders.” Washington believes that the time is ripe to change the mindset, from thinking about states’ right to exploit cyberspace, to states’ obligation to protect cyberspace.
Such due diligence is not a recent development. Although international laws governing new technologies are often crafted after the technologies have been exploited for conflict, the general principles of law are often derived from primary sources, such as domestic law and natural law, or secondary sources that inform the primary source, such as work by scholars. Hence, the Tallinn Manual on the International Law Applicable to Cyber Warfare, sponsored by researchers from the NATO Cooperative Cyber Defense Center of Excellence in Tallinn, Estonia, has become very influential given the current legal vacuum over cyberspace internationally. One of the key principles in the latest Tallinn Manual 2.0 is a government’s responsibility for due diligence: “A state must exercise due diligence in not allowing its territory, or cyber infrastructure under its governmental control, to be used for cyber operations that affect the rights of, and produce serious adverse consequences for, other states.” In an analogy of protecting the international environment, this suggests an alternative way forward for the international community to deal with cyber threats.
Coincidentally, just prior to the start of the NATO summit, on May 30, 2021, JBS USA Holdings, Inc., a US food processing company and one of the biggest meat processors for the global market, was attacked with ransomware by the hacker group REvil, believed to be based in Russia. The attack raised concerns among the general public about the disruption of the food supply and inflation of the price of meat. On June 13, 2021, the United States announced along with other G7 countries that nations which allow ransomware groups to operate from within their borders, and make no effort to stop such attacks, will be held accountable for their lack of action. In short, what makes the 2021 Brussels Summit Communiqué issued on June 14, 2021, different from the 2014 Wales Summit Declaration is that NATO’s emphasis is on those states “turning a blind eye to cyber criminals operating from their territory, including those who target and disrupt critical infrastructure.” The United States is emphasizing the responsibility of states to provide a safe cyber environment as a remedy to cyber threats.
Although strong words from organizations like NATO and the G7 are an attempt to send a message to the international community about governments’ responsibilities in cyberspace, the future of due diligence remains uncertain. For example, on December 8, 2020, Israel’s Deputy Attorney General Roy Schöndorf suggested that nations cooperate to fight cyber threats through the voluntary cooperation of Computer Emergency Response Teams, but that it is uncertain what other actions might legally constitute due diligence. Chinese legal experts have always been known for expressing their concerns about existing international law, especially to govern actions taking place in cyberspace, given the difficulty of distinguishing military from civilian facilities, and Beijing’s official stance is still unclear on this matter. Given that Biden has severely criticized Russia for having “some responsibility” in the Colonial Pipeline Hack due to the fact that the ransomware emanated from Russia, it is doubtful whether Russia would accept such a proposal. As a result of these observations, on June 16, 2021, after Joe Biden and Russian President Vladimir Putin met in Geneva for their first face-to-face summit, there is still no clear conclusion that has been reached regarding cyberattacks.
No end in sight
To sum up, cyberattacks blur the line between peace and war, and there is no evidence to indicate these activities will cease anytime soon. The recent cyberattacks suggest that the security breach goes beyond the traditional monetary motivation and espionage purposes by targeting essential critical infrastructure to create massive disruptions to the civilian population. To mitigate the risk, the following strategies could be suggested to the world, and in particular to Taipei, given the fact that Taiwan is often the target of China-based cyberattacks.
First, for geopolitical reasons, some countries often take a passive role in cyber security, to politically benefit from the chaos created by cyberattacks originating from their soil. But such a policy inevitably makes one’s digital territory a safe haven for illegal activities, and inevitably encourages malicious actors. Cyberattacks, like air pollution, respect no border or authority, and thus constitute a transnational issue. Governments’ professed ignorance of malicious cyber activities within their borders has every possibility of backfiring and endangering the wellbeing of their people in the interconnected world. It is time for the international community to deal with cyber problems from a globalist perspective, not just a national approach.
Second, the challenges of establishing countries’ due diligence in cyberspace lie in governments’ exploitation of so-called plausible deniability, even when there is substantial evidence to attribute the origin of attacks. Very often, the evidence that is presented is vehemently denied, disputed, or opposed. The contention is always about states’ choice between genuine intentions and insincere commitment to deal with cyber pollution. A possible way forward may be for the international community to focus on establishing clear standards and to forge a consensus on what constitutes careless guardianship over one’s digital space.
Finally, although shaping new norms is often considered a great power game, this does not mean that Taiwan has no role. Taiwan has a good reputation in the ICT industry, and its national team of white hat hackers won second place in 2019, and third place in 2021, at the international annual hacking competition titled DEFCON CTF (Capture the Flag). It would also be a good time for Taiwan to translate these unique cyber security capacities into digital forensic capabilities. Despite its lack of recognition in the international community, Taiwan is well-positioned to raise its international profile and contribute to global security by leveraging its considerable expertise in this field.
Dr. Hon-min Yau is an assistant professor at the Graduate Institute of Strategic Studies, War College, at the ROC National Defense University. He can be reached for comment at cf22517855@gmail.com