Lecture Notes - Computer Science & Engineering


Incident Response
Need for Attack Analysis
Reading List

This class
– Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, 37 Colum. J. Transnat'l L. 885, 1999, http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA471993
– Homeland Security News Wire, U.S. weighing retaliatory measures against China for hacking campaign, http://www.homelandsecuritynewswire.com/dr20130220-u-sweighing-retaliatory-measures-against-china-for-hackingcampaign
CSCE 727 - Farkas

How to Respond?
• Civilian organizations
• National security

How to Respond? Civilian
• Actions to avoid further loss from intrusion
• Terminate intrusion and protect against reoccurrence
• Law enforcement – prosecute
• Enhance defensive security

Rules Defining the Use of Force
[Diagram: response spectrum. Labels on the slide: Art. 39; Art. 2(4); Art. 51; Threat to the peace; Threat of force; Use of force; Armed attack; Hostile intent; Hostile act; Anticipatory self-defense; Self-defense; Peacetime regime applies; Jus ad bellum applies; Jus in bello applies.]

Use of Force in Cyberspace
• Cyber vs. Kinetic Attack
• Academic State-of-the-Art: Effects-Based Analysis
• Problem: Charter Paradigm Means-Based
• The Schmitt Reconciliation
– Distinguishing Military from Diplomatic and Economic Coercion
– Seven Factors

Schmitt Factors
• Severity
• Immediacy
• Directness
• Invasiveness
• Measurability
• Presumptive Legitimacy
• Responsibility

Severity
Severity of cyber attacks: cause (or have the possibility of) physical harm.

Armed attacks threaten physical injury or destruction of property to a much greater extent than other forms of coercion. Physical well-being usually occupies the [lowest, most basic level] of the human hierarchy of need.

Scale:
• People Killed; Severe Property Damage
• People Injured; Moderate Property Damage
• People Unaffected; No Discernable Property Damage

Questions:
• How many people were killed?
• How large an area was attacked? (Scope)
• How much damage was done within this area? (Intensity)

Immediacy
Immediacy of cyber attacks: time needed for the consequences to manifest without the ability to mitigate harmful effects or seek peaceful options to resolve the problem.

The negative consequences of armed coercion, or threat thereof, usually occur with great immediacy, while those of other forms of coercion develop more slowly.

Scale:
• Seconds to Minutes
• Hours to Days
• Weeks to Months

Questions:
• Over how long a period did the action take place? (Duration)
• How soon were its effects felt?
• How soon until its effects abate?

Directness
Directness of cyber attacks: connection between the cyber operation and the harmful consequences.

The consequences of armed coercion are more directly tied to the actus reus than in other forms of coercion, which often depend on numerous contributory factors to operate.

Actus reus: The voluntary and wrongful act or omission that constitutes the physical components of a crime. Because a person cannot be punished for bad thoughts alone, there can be no criminal liability without actus reus.

Scale:
• Action Sole Cause of Result
• Action Identifiable as One Cause of Result, and to an Indefinite Degree
• Action Played No Identifiable Role in Result

Questions:
• Was the action distinctly identifiable from parallel or competing actions?
• Was the action the proximate cause of the effects?

Invasiveness
Invasiveness of cyber attacks: impairment of territorial integrity or sovereignty of a state.

In armed coercion, the act causing the harm usually crosses into the target state, whereas in economic warfare the acts generally occur beyond the target’s borders. As a result, even though armed and economic acts may have roughly similar consequences, the former represents a greater intrusion on the rights of the target state and, therefore, is more likely to disrupt international stability.

Scale:
• Border Physically Crossed; Action Has Point Locus
• Border Electronically Crossed; Action Occurs Over Diffuse Area
• Border Not Crossed; Action Has No Identifiable Locus in Target Country

Questions:
• Did the action involve physically crossing the target country’s borders?
• Was the locus of the action within the target country?

Measurability
Measurability of cyber attacks: identifying consequences and measure of damage (quantitative models, e.g., economic modeling).

While the consequences of armed coercion are usually easy to ascertain (e.g., a certain level of destruction), the actual negative consequences of other forms of coercion are harder to measure. This fact renders the appropriateness of community condemnation, and the degree of vehemence contained therein, less suspect in the case of armed force.

Scale:
• Effects Can Be Quantified Immediately by Traditional Means (BDA, etc.) with High Degree of Certainty
• Effects Can Be Estimated by Rough Order of Magnitude with Moderate Certainty
• Effects Cannot be Separated from Those of Other Actions; Overall Certainty is Low

Questions:
• Can the effects of the action be quantified?
• Are the effects of the action distinct from the results of parallel or competing actions?
• What was the level of certainty?

Presumptive Legitimacy
Presumptive legitimacy of cyber attacks: similar to non-cyber operations, e.g., espionage, propaganda, etc.

In most cases, whether under domestic or international law, the application of violence is deemed illegitimate absent some specific exception such as self-defense. The cognitive approach is prohibitory. By contrast, most other forms of coercion—again in the domestic and international sphere—are presumptively lawful, absent a prohibition to the contrary. The cognitive approach is permissive.

Scale:
• Action Accomplished by Means of Kinetic Attack
• Action Accomplished in Cyberspace but Manifested by a “Smoking Hole” in Physical Space
• Action Accomplished in Cyberspace and Effects Not Apparent in Physical World

Questions:
• Has this type of action achieved a customary acceptance within the international community?
• Is the means qualitatively similar to others presumed legitimate under international law?

Responsibility
Responsibility for cyber attacks: state acknowledging the action.

Armed coercion is the exclusive province of states; only they may generally engage in uses of force across borders, and in most cases only they have the ability to do so with any meaningful impact. By contrast, nongovernmental entities are often capable of engaging in other forms of coercion (propaganda, boycotts, etc.).

Scale:
• Responsibility for Action Acknowledged by Acting State; Degree of Involvement Large
• Target State Government Aware of Acting State’s Responsibility; Public Role Unacknowledged; Degree of Involvement Moderate
• Action Unattributable to Acting State; Degree of Involvement Low

Questions:
• Is the action directly or indirectly attributable to the acting state?
• But for the acting state’s sake, would the action have occurred?

Overall Analysis
Scale:
• Use of Force Under Article 2(4)
• Arguably Use of Force or Not
• Not a Use of Force Under Article 2(4)

Next Class
• Soft Power Analysis