ICRC report on cyberoperations

The just-published report of the International Committee of the Red Cross (ICRC) on the humanitarian consequences of cyber operations brings much-needed, currently lacking expert insight and context to the debate around cyber warfare. I am also happy because I had the opportunity to co-author this report, the (now public) part of my advising role at the ICRC.

The ICRC is a neutral and impartial organization; among its tasks is monitoring the application (or preparing the development) of International Humanitarian Law, sometimes known as the rules of armed conflict. As such, this body of international law (the Geneva Conventions with their Additional Protocols) might form the basic rules of "cyber war" in the context of armed conflict.

Cyberwarfare (cyber conflict) can have measurable and significant consequences in the not so distant future. Countries have already announced a change of approach towards cyberspace, including treating it as a domain of warfare. This means a preparedness to treat spaces such as IT infrastructure and the information space as subject to potential conflict activity.

Most serious past conflicts resulted in significant consequences, both for the fighting parties, the belligerents (combatants, etc.), and, more worryingly, for civilians and civilian infrastructure. However, due to a somewhat limited understanding and narrow perception of cyber conflict, humanitarian aspects are too often absent from the debate.

In this note, I merely touch on a selection of topics from the 80-page report. The ICRC report is an account of an expert meeting I helped organize, together with the background research input (in the annex).

The report spans the technical, policy, and international spheres. On the technical side, it focuses on high-impact cyberattacks, deliberately discussing some of the worst-case scenarios. It speaks on various aspects of cyber operations (who can do what? how much does it take to run a successful cyberattack?). It discusses the potential impact on health service delivery, on essential services such as the provision of electricity and water (“critical infrastructure”), and on core internet services, including systemic effects. The section on the possible way forward (cyber norms) discusses national and international norms, including the potential need to develop the law.

At a high level, some of the technical concerns revolve around specific vulnerabilities of infrastructure; the risk of over-reaction to hostile cyber operations; the proliferation of offensive cyber tools; and the risk that the difficulties of attack attribution will hinder the applicability of international law.

Most current offensive cyberattacks occur in peacetime; as such, they are not subject to the laws of armed conflict. It is, however, important to understand the offensive potential, as well as the mechanics, during armed conflict.

Cyber operations

Offensive operations in cyberspace can be targeted and specific. Depending on many factors, they can be prepared to be proportionate and to distinguish between targets. Preparing an operation is a meticulous task, and not all consequences can always be predicted.

Most (serious) offensive cyberattacks discussed in public are espionage (access operations), aimed at stealing data. However, some cyberattacks can be much more serious (effects operations) and result in the disruption or destruction of data, or sometimes even physical effects. In some cases, such activity could be classified as a resort to the use of force.

The difference in classification lies mainly in the intent/purpose of the attack. In the technical realm, it is manifested in the type of payload used, the malicious code to be executed on the targeted systems. But the intent of a cyberattack is usually difficult to decipher. This is why the risk of overreaction on the side of the attacked party is a concern. When the stakes are high and time is pressing, the situation might get serious, and escalation could spin out of control.

Supply chain

Supply-chain risks are important to consider. They are spoken of. They have happened in the past.

They are also serious because of the existence of trusted nodes; software update infrastructure is a good example, and forms a potentially tempting (albeit controversial) target. This is the hard truth about the hyper-connectedness of the internet:

“the majority of the computer devices in the world are only one or two steps away from a trusted system that a determined attacker could compromise.”

This means that a pre-emptive compromise of such trusted systems would make later attacks significantly easier.

“State actor developing its readiness to act in the event of armed conflict might want to achieve persistent access to one or more of these important trusted systems”.
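The trusted-node problem described above has a well-known defensive counterpart: a device should not accept an update merely because it arrived from the update server. The following Go program is an added example, not code from the ICRC report or from this post. It models a vendor signing a release manifest with an Ed25519 key that lives on the release host rather than on the update server, and a device that holds only the pinned public key and refuses anything failing the signature check, the payload digest check, or an anti-rollback check. The names (Manifest, SignManifest, VerifyUpdate, Demo) and the sample firmware bytes are constructed for the illustration; nothing here is a real product's update format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one release: its version and the digest of its payload.
// Constructed for this example; it is not a format taken from the report.
type Manifest struct {
	Version    uint64 `json:"version"`
	PayloadSHA string `json:"payload_sha256"`
}

// SignedManifest is what a device downloads from the update server:
// the serialized manifest and the vendor's signature over exactly those bytes.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrBadManifest  = errors.New("manifest is not well-formed")
	ErrBadDigest    = errors.New("payload digest does not match the signed manifest")
	ErrRollback     = errors.New("manifest version is not newer than the installed version")
)

// SignManifest is the vendor-side step. It runs on the release host that holds
// the private key, never on the (less trusted) update server.
func SignManifest(priv ed25519.PrivateKey, version uint64, payload []byte) (SignedManifest, error) {
	sum := sha256.Sum256(payload)
	body, err := json.Marshal(Manifest{Version: version, PayloadSHA: hex.EncodeToString(sum[:])})
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: body, Signature: ed25519.Sign(priv, body)}, nil
}

// VerifyUpdate is the device-side check. pinnedPub was baked in at manufacture;
// installed is the version currently running. The update server is treated as
// an untrusted distribution channel throughout.
func VerifyUpdate(pinnedPub ed25519.PublicKey, installed uint64, sm SignedManifest, payload []byte) (Manifest, error) {
	var m Manifest
	// 1. Authenticity: only the vendor's release key may vouch for a manifest.
	if !ed25519.Verify(pinnedPub, sm.Manifest, sm.Signature) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return m, ErrBadManifest
	}
	// 2. Integrity: the bytes delivered must be the bytes the vendor signed for.
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.PayloadSHA {
		return m, ErrBadDigest
	}
	// 3. Freshness: a replayed, older (possibly vulnerable) release is refused.
	if m.Version <= installed {
		return m, ErrRollback
	}
	return m, nil
}

// Demo runs four scenarios on constructed data and returns the verification
// outcome of each, keyed by scenario name.
func Demo() map[string]error {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("firmware v2 (constructed sample bytes)")
	implant := []byte("firmware v2 with an added implant (constructed)")
	v2, _ := SignManifest(vendorPriv, 2, genuine)

	out := map[string]error{}
	// A device on v1 receives the real v2 release.
	_, out["genuine"] = VerifyUpdate(vendorPub, 1, v2, genuine)
	// A compromised update server swaps the payload but cannot re-sign the manifest.
	_, out["tampered"] = VerifyUpdate(vendorPub, 1, v2, implant)
	// The server forges a v3 manifest for the implant with a key of its own.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	v3, _ := SignManifest(attackerPriv, 3, implant)
	_, out["forged"] = VerifyUpdate(vendorPub, 1, v3, implant)
	// The server replays the genuine v2 to a device that already runs v2.
	_, out["replayed"] = VerifyUpdate(vendorPub, 2, v2, genuine)
	return out
}

func main() {
	for name, err := range Demo() {
		if err == nil {
			fmt.Printf("%-9s accepted\n", name)
		} else {
			fmt.Printf("%-9s rejected: %v\n", name, err)
		}
	}
}
```

The design point is that the update server is demoted to an untrusted distribution channel: if it is compromised, it can withhold updates, but it cannot ship a tampered payload, a forged manifest, or an older release without the vendor's release key. The trust then concentrates in that key, which is why it belongs offline or in a hardware module and not on the same host the report describes as one or two steps away from most devices.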

Exploit markets

Offensive tools and exploits can be acquired on the market. Prices vary, but the prices of some “tools” have increased significantly over the last two decades. The report points to one of the reasons behind today’s high prices:

“intelligence and/or military cyber capabilities might be one of the factors fuelling the zero-day exploits market”.

Exploit prices are a consequence both of the security level of the target software and of the high demand from buyers. There are many reasons why iPhone exploits are much more expensive than, say, exploits for a random IoT device.

On exploit prices, more specifically:

“In 2018, the cost of exploits for some systems or products was hundreds of thousands – or even potentially one million – dollars, while exploits for less secure systems cost much less (e.g. $10,000 for a bug in an Internet of Things device).”

Attacks on health sector

This part considered cyberattacks on hospitals, health services, medical devices, etc. I omit most of it (and invite you to look in the report), except for the potential explanation of why there have been no confirmed casualties of cyberattacks.

“no actors that have attacked the health-care sector with lethal intent have been identified. However, the discussion also highlighted the fact that incidents tended not to be thoroughly investigated and, consequently, it would be difficult to even establish whether the fatalities caused by a medical device malfunctioning were the result of a cyber attack.”

The technical possibilities exist, but there might be no intent (lethal cyberattacks could lead to significant repercussions, so what would be the motivation to kill?). Also, is anyone even looking?

The annex of the report contains an account that partially explains the current challenges of medical device cybersecurity; it is worth citing verbatim:

“once systems are installed, they may be in place for years and may never get a security update; this may be because the systems or software in question are no longer supported by the manufacturer. The **lifecycle of medical devices is typically 5–15 years**, or longer.

Attacks that tamper with medical devices could result in wrong doses being administered or distort the result of technical analyses used during the diagnostic process. For example, connected pacemakers could be instructed to issue non-standard and potentially lethal shocks. Computer tomography (CT) systems could be targeted in numerous ways; specific concerns include the ability to tamper with radiation doses during a CT scan, with the subsystem responsible for reconstructing images, or with the subsystems that link image results with actual patients. In extreme cases, these actions could be life-threatening. If devices like insulin pumps are tampered with, patients could overdose and be injured or die as a direct or indirect result. Attacks on medical devices, including the ability to administer incorrect drug doses, appear to be technically possible – albeit complex – while the likelihood that they could be carried out indiscriminately on a large scale is unknown. However, they would probably not be extremely difficult to detect given the visibility of the effects.”

Cyberattacks on industrial infrastructure

The report highlights the unexpectedly fast development of attacks on industrial control systems, including those with physical effects. On the operational side, the report contains an interesting account of the challenges facing threat actors interested in significant cyberattacks:

“In general, it could take anywhere between a few people and a hundred people, depending on a wide range of factors, although most tasks will require tens rather than hundreds of people. It must be noted, however, that, beyond the number of people, such operations demand significant expertise, experience, tools, and infrastructure. The following factors, among others, will affect the required capabilities: how strong the target’s cyber security posture is; how wide and long-lasting of an impact the attacker seeks; the speed at which it needs to be done; the resources committed to the operation; whether the available resources need to be simultaneously spread among different tasks or targets or can focus on a single target; and whether the operation requires human intelligence and/or human involvement on the spot, since industrial control systems operations may be blended operations (i.e. not carried out solely through digital means).”

Here is something perhaps not typically discussed when analyzing the consequences of cyberattacks: what would be the impact of operating in an armed conflict?

“Circumstances, such as an armed conflict, could trigger States’ decision to go after these targets, and they may have the expertise, resources, and access to information required to significantly reduce the timespan currently observed. In armed-conflict situations, operational requirements may dictate that the operations take place rapidly at the expense of stealth”

Cyberoperations in armed conflict

Cyberattacks in armed conflict may look different from the ones we see today. To give just one reason:

“time constraints that belligerents can face during armed conflicts are of a totally different magnitude. It may therefore be easier to attribute attacks during armed conflict”.

A lack of time means more rough edges, and operations that are potentially simpler to detect or to link to the attacking party.

Speaking of the big picture, there is a long-running debate around what exactly cyberwar is or isn’t. It’s too easy to forget that war has a long history. It is even easier to forget that, although “cyberwar” contains “cyber”, the “war” element means that the conflict will not be limited to “cyber”:

“Some experts noted that they did not expect an armed conflict to be waged exclusively in cyberspace or through cyber means. The notion of cyber war, which was understood to refer to such a hypothetical situation, was therefore considered unhelpful and a misnomer, as no armed conflict has ever remained confined to the domain in which it began. One expert expressed the view that an armed conflict could, however, be initiated through cyber operations. Assuming a State was able to cause an impact similar to that of a kinetic attack, which this expert deemed difficult but possible, it could constitute a use of force under the United Nations Charter”

When there is an armed conflict, don’t expect it to be limited to cyber. Intuitively, this is simple to understand. While there have been battles limited to specific domains (i.e. land-only, sea-only, air-only), the actual war activity tends to be broader. Consequently, in some contexts and situations even a kinetic response to a cyberattack cannot be ruled out (to some degree this has even been hinted at by a recent event, albeit one that sets no precedent). It’s too easy to forget this while reading about yet another more or less random cyberattack. It makes little sense to consider two types of war, “cyber war” and “not merely cyber war”.

While speaking of airborne warfare, naval warfare or cyber warfare is justified, does it really help to separate “cyberwar” from “war”?

Summary

The report provides a totally different angle on cybersecurity from the one usually seen. Its analytical focus on the impact of events is deliberate and is meant to put the focus on the humanitarian aspects of what is possible (even if difficult), when, and how.

I hope the report will serve as an important input to the work of the Open-Ended Working Group and the Group of Governmental Experts, both bodies working on cybersecurity within the United Nations.

Finally, I am happy I had the opportunity to contribute to the research and analysis. The way from conception to publication was long. It was an interesting experience and I must say that I have learned a lot. I also find the cross-section of technology, research, policy, national regulations and international law fascinating. That was a cause worth pursuing.

me@lukaszolejnik.com