What kind of uncertainties and problems does the digital world bring with it, where the boundaries of cyberspace and physical world are crossed and who are the actors of this virtual space? The digital world built on zeros and ones and made of the result of human imagination, doesn’t have any boundaries as the real world does. In the modern world increasing importance of the cyberspace, which is due to its penetration into more and more human vital activity areas, makes it a subject of discussions and controversies. At the same time, the characteristics of cyberspace such as its asymmetric nature, difficulties connected with the attribution, the accessibility, legal uncertainties and its role as an effective atmosphere of complaints, cybercrimes, spying and other cyber operations, makes it an attractive space for both states and nongovernmental actors.
Actors of Cyberspace
Cyberspace [1] refers to the virtual world of computers. It’s an electronic environment which is used for forming the global network of computers to facilitate online communication. According to many IT specialists, including Redal Farmer and Chip Morningstar, people perceive the cyberspace more as an environment of social interaction rather than just a domain providing technical performance. The main feature of cyberspace is the interactive and virtual environment for a wide range of participants. It’s accessible almost to everyone who has internet access with a computer, smartphone or any other type of multimedia device that has a network connection.
In this domain many parallel-existing actors vary with their needs, aims and intentions. States, organizations and citizens are viewed as traditional actors of cyberspace. J. Sigholm distinguishes cyber-conflicts-involved 15 main non-governmental actors that differ with their motives, targets and methods of actions. These roles, however, don’t have any clear boundaries and can get changed and coincide depending on the situation. Some of them are shown below.
Actor | Motive | Target | Method |
Hacktivists | Political or social
change |
Decision makers or innocent victims | Protests through
website defacements or DDoS attacks |
Black-hat hackers | Ego, personal hostility, economical interest | Any | Malware, viruses, vulnerability exploits |
White-hat hackers | Idealism, creativity,
respect for law |
Any | Penetration testing, restoration |
Patriot hackers | Patriotism | Enemies of their own state | DDoS attacks |
Cyber terrorists | Political or social
change |
Innocent victims | Computer-based violence or destruction |
Organized cyber
criminals |
Financial interest | Individuals,
companies |
Usage of malicious programs in fraudulent purposes, DDoS for blackmail |
Cyber spies | Financial and
political interest |
Individuals,
companies, government (s) |
Frame of technique
to get information |
These actors often act not by their own undertakings, but by a third-side request whether it’s a state or an organization.
Virtual Domain as an Environment of Warfares
In the late 1990s, when the accessibility and usage of the Internet became a commonplace, warfares in the physical world have led to a corresponding response in cyberspace in form of cyber attacks against the state, which, first of all, were actualized by non-state actors. Hackers with nationalistic tendencies directed their cyber attacks against foreign states as a support to their governments, which was shown during the Kosovo conflict several times. For instance, a nationalist hacker group called the “Black Hand” [2] discarded the Kosovo-Albanian website and attacked NATO, USA, UK computers. Similar hacker groups had attacked US websites from China when the Embassy of China in Belgrade had been accidentally damaged during airstrikes in May 1999.
Cyber operations and attacks, harmonious with twenty-first-century technological developments, got more improved, and started targeting governments and organizations as well as individuals. As an example the cyber attack on Estonia carried out by pro-Russian “hacktivists” in 2007 may be given, which resulted in temporary degradation or loss of service on many commercial and government servers. Russia, however, not only didn’t admit responsibility, but also didn’t respond to the Estonian-side claims for investigating and extraditing the possible offenders. In 2009, it became clear that a cyber spying operation named “GhostNet” had access to the confidential information of state and private organizations in about 130 countries. It was supposed that the software that was carried out by the servers located in island Hainan, China, has been a tool for the government of China. But as China officially denied concern with the “GhostNet” and there was no convincing proof of the Chinese government being involved in its actions, states escaped direct accusations. Another example is the Stuxnet computer worm that was uncovered in 2010. It caused about a thousand nuclear-centrifuges damage to Iran’s nuclear program, and the USA and Israel were imputed by some cyber experts. Despite many accusations directed to the involvement of the USA and Israel, neither country has openly admitted responsibility concerning the incident. In 2012 a virus called “Shamoon” damaged some 30.000 computers in Saudi Aramco and was announced as “Cutting Sword of Justice”. In 2013 a cyber attack of “Syrian Electronic Army” (SEA) resulted in shutdown of the New York Times.
Each of these cyber incidents and diversity of the other ones that have taken place and continue to happen, generate important problems concerning the role and responsibility of the state in the cyber incidents. Do states perform sovereign control towards the physical infrastructures (physically located servers and cables in states’ territories) located in their area, and if so, then do the states carry the responsibility for the cyber operations done through them?
Sovereignty of a State in the Cyberspace: Cyber Sovereignty
The role of state sovereignty is widely discussed in the frames of scientific literature, so it led to the spread of the term “cyber sovereignty”, which, however, has not been consistently defined so far. If cyber sovereignty is an incomprehensible notion in general, which is often used in the cyberspace connected with the role and independence of the state, so the sovereignty itself is a clearly defined notion in the International law. It originates from the treaty of Westphalia, in 1648, by which the state is regarded as an institution with sovereignty over its territories and internal affairs, in which other states cannot interfere. Nonetheless, the transboundary nature of the cyberspace harbors doubts about the sovereignty of the state and, so a question arises: is it allowed and can this principle of International law be used in the cyberspace?
In 2013, the United Nations Group of Governmental Experts (UN GGE) came to a conclusion that International law, including state sovereignty, is applicable in the cyberspace. It supposes that the law about armed warfare is applicable in the cyberspace, and all rights and obligations under the principle of sovereignty as well. The argument of UN GGE is based on the fact that cyberspace does not exist without physical infrastructures and that these infrastructures are subjected to the national jurisdictions of the states. However, this decision does not eliminate the problem of legal regulation of cyberspace. On one hand, cyberspace depends on physical infrastructures under territorial principles, on the other hand, cyber activity cannot be restricted within the country or connected to the territory because of the interdependence of cyberspace.
The interest in cyber sovereignty and academic debates has grown especially after the discoveries made by Snowden. Nevertheless, as of 2007, studies of national strategies for cyber security and cyber defense available in English in 69 countries showed that only 15 [3] of the documents contained the term “sovereignty”, and only Canada uses the term “cyber sovereignty”.
Controversies over Cyber Sovereignty
Even though the UN GGE of Information Security has reached a certain level of compromises, the deep contradictions and disagreements continue to divide the international community mainly on three issues. The first is the contradictions between cyber sovereignty and the “spirit of the Internet”. The exclusivity of classical state sovereignty runs counter to the spirit of the Internet, which is based on the concept of unlimited mutuality. If it’s the cyber sovereignty that is highlighted, it can lead to each country to create its own cyberspace, which, in its turn, will lead to the fragmentation of the Internet. The second one is the contradiction between the cyber sovereignty and human rights, which can be shown with restrictions of freedom of speech on the Internet and free flow of information as well. And, finally, the third contradiction is between cyber sovereignty and the engagement of many stakeholders into the Internet governance. There’s a view that the cyber sovereignty will lead to controversies over the Internet governance model, i.e., sovereign state governance will challenge the existing universal governance model. These contradictions were also manifested in December 2012, within the framework of the World Summit of the Information Society, dedicated to international telecommunication. On one hand, the US and the business sector argued in favor of a non-state Internet governance model with strong involvement of the business sector, and on the other hand, the Russian Federation, China, Brazil, India and a number of developing countries insisted that the Internet should be managed internationally by an intergovernmental organization such as the International Telecommunication Union (ITU).
Problems of Cyberspace, Use of Force, Attribution, Cyber War
Another aspect of the International law that has been the subject of widespread debates, refers to the use of force in cyberspace and its possible consequences. It’s a concrete problem about how cyber attack can be qualified as use of force and, accordingly, whether it is considered as a violation of the sovereignty of another state. Qualifying of cyber attack as a use of force or an aggression can lead to the victim’s right to self-defense, which is considered a legitimate reason for war. It was supposed that the states could practically consider cyber attacks as acts of war, and it seems to be an agreement that a cyber attack targeting critical infrastructures of the country, may cause harms and can be imputed to the state organizations, which foresees a violation of the law on armed conflict. Although there has not been such cases to date, that cyber operations or cyber attacks led to physical injuries or long-term destruction of property, the cyber addiction of the modern world, however, makes the destructive nature of cyber attacks more probable in future scenarios.
Apart from the uncertainties surrounding the definition of cyber attack as a use of force, the issue of attribution cyber operations is one of the most important issues in the cyberspace. Attribution can be both a technical action based on technical and indirect proofs, and a political action when the state officials formally and publicly attribute the attack. Cyber attacks cannot be attributed to an obvious criminal with 100% confidence. Thus, there’s always a possibility that the accused side may not, in fact, be the real attacker. As we saw in the examples above, the uncertainties and difficulties of the attribution lead to the states not to admit responsibility for cyber operations originating from their territory, and the responsibility is a necessary precondition for the state to be able to refer to the right to self-defense.
This issue gets more complicated by the cyber operations of non-state actors. These actors bring bigger uncertainties about the attribution as the states can hire, sponsor or instruct such actors to launch a cyber attack on the other state from the territory of another state. Another issue in cyberspace is how theimpaired countries can respond to non-state actors located in another state. This issue is related to the issue of state responsibility and state control over non-state actors in cyberspace. The corresponding response often comes from non-state actors inside the attack-subjected state.
The next issue concerns the definition of cyber wars. The disagreements on cyber wars in the literature refer to the question: do cyber attacks fit the classic war concept that Clausewitz stated or not? It includes the main components of the war, i.e., violence, instrumental character, which includes the means (physical violence or threat of force) and the purpose (destruction of the enemy, coercion the winner’s will), political nature of the war. In literature, however, cyber attacks are often viewed as political crimes (sabotage, spying, destructive acts) rather than wars. At the same time, they can be used both in the ordinary war as an auxiliary part of the war and individually, so the question emerges: are cyber attacks considered to be cyber wars in a separate usage or not? Currently there’s no legal definition or of cyber war or an agreement about what is a war or act of the war in the cyberspace, and these uncertainties in the International law open a new window for the cyberspace actors.
Nonetheless, the idea of the cyber war is gradually becoming more up-to-date, and many states have their national strategies in cyber security, the ones who make up cyber war scenarios and consider the rapid development of military acts in cyberspace as one of the main priorities of the Armed Forces and scouting services. This tendency has led to cyberspace to be considered as the domain of war in the Armed Forces, beside the land, water and air. In early 2013, the US approved the plan of a long-scale expansion of its Cyber Command bringing it up to 5.000. Tendencies of such kind of cyber mobility can be seen in many countries. If developed countries may need potential protection while protecting vulnerable digital resources such as management and control systems, for developing countries cyber operations can be viewed as an attractive alternative to “wage” war against a relatively inexpensive and politically not-so-risky enemy, which has kinetic superiority on the battlefield.
Armenia, being a part of the cyber domain, doesn’t remain freehanded from the cyberspace processes, hence the challenges. Among the major cyber threats both the international cyber threats (for example, attacks by groups belonging to the Anonymous community) and the cyber attack threats from the state formations, especially from Azerbaijan (partly Turkey), and the possible attacks from non-state actors, as well, can be highlighted. In terms of vulnerability, especially the network connecting points of the non-state part differ. Taking into account the rapid growth of the cyberspace, the development of cyber defense potential, as well as the ability to respond to cyber attacks equivalently, is becoming a matter of vital importance for Armenia. This problem requires the state to update its cyber security concept regularly, continuously develop technical satiety and professional skills of the corresponding subdivisions, provide public awareness of cyber security threats, invest in area-regarding educational programs, as well as explore and localize international leading experience in the cyber security.
[1] The term “cyberspace” is credited to William Gibson, who used it in his book, “Neuromancer”, written in 1984. [2]A Serbian military union, established in 1901. Its activity is connected with the start of World War [3]The term “sovereignty” is seen in the cyber security strategies of Canada, Finland, France, Hungary, Portugal, Australia, UK, Saudi Arabia, Russia, Chile, Columbia, Ghana, Japan, Nigeria.References
Bibliography
Author: Tatev Ghazaryan© All rights are reserved.
Translator: Christine Bdoyan