How can countries at war assess the potential harm that cyber operations may cause to civilians? In this post, part of our series on avoiding civilian harm during military cyber operations, Ellie Shami argues that while it is clear States must implement measures to minimize the harm caused by any means and methods of warfare during armed conflicts, the unique characteristics of cyberspace as a warfare domain set new challenges in doing so.

 

Alongside COVID-19, the world has been grappling with a second global crisis over the last year: a ‘cyber pandemic’. There was a nearly 200% increase in interactive intrusion activity[1] globally between 2019 and 2020, signaling cyber attacks as a clear risk with the potential to negatively impact millions of lives. Within the health sector alone, an 18 percent increase of cyber attacks on healthcare providers – targeting hospital networks, research facilities, and other critical infrastructure – impacted just under 13.5 million patients.

Cyber risks are now so prevalent that it is hard to believe it was just over a decade ago when the world witnessed what experts believe to be the first case of a coordinated cyber attack synchronized with other warfare domains. This was during the 2008 Georgia-Russia war: while the two States were engaging in combat across three warfare domains – land, air, and sea – Georgia was facing a fourth battleground: cyberspace.

The cyber attack on Georgia actually began several weeks before any physical confrontations, targeting websites and digital assets of the Georgian military and government as well as civilian websites. Eventually, the attacks led to decreased functionality of the Georgian internet and contributed significantly to hindering the ability of Georgia’s military and government to react, respond and communicate during its armed conflict with Russia.

In the end, no critical infrastructure was disabled, nor were any other targets that could have led to direct loss of lives. This suggests that the attackers had put thought into assessing the impact cyber attacks would have on civilian lives. But how and why would they make such calculations?

When assessing incidental civilian harm (in military parlance also referred to as ‘collateral damage’) before executing a kinetic attack, assessment methodologies, such as the Joint Tactics, Techniques, and Procedures for Intelligence Support to Targeting, usually refer to two main aspects: quantity of harmed or otherwise affected civilians and quality of the attack’s impact, i.e., the severity of impact on the civilians. For example, when assessing the incidental civilian harm before firing a missile against a military objective, one should ask questions such as: is the area surrounding the objective populated? How many people are expected to be in the attack range? How badly might they be injured? When performing such assessments with regard to cyberspace operations, the nature of ICTs presents several challenges both quantitatively and qualitatively.

Quantitative assessment

In the cyber context, discussions regarding attack range are replaced by the number of affected users, systems or network components. One challenge when assessing the attack’s scope of impact is to achieve the degrees of assurance that might be possible with conventional kinetic weapons. The number of civilians potentially harmed could be enormous, given global interconnectivity and the number of users, systems and network components that might be affected.

The assessment process involves understanding the extent of the interconnectedness and inter-dependence of the attacked ICT, the effect they have on each other, and the complicated network connections and information flow between them. It is a complicated process that, depending on the attack’s target, may require significant resources and expertise. One difference from such an assessment for kinetic attacks is the lack of transparency in cyberspace of all of these connections and dependencies.

In addition, the interconnectivity of ICT poses a challenge to preventing an attack from spreading beyond its desired targets. For example, in June 2017, a Ukrainian financial application MEDoc was infected with the ‘NotPetya’ malware, which not only spread throughout Ukraine but to hundreds of companies worldwide. The malware rendered the infected computers completely unusable, crippling global companies such as Merck pharmaceuticals and the Maersk shipping company, with total damage estimated at ten billion USD. Information Systems Security Partners (ISSP) estimates NotPetya’s impact in Ukraine affected 300 companies, while an official of the Ukrainian government estimated that ten percent of all computers in the country were impacted. Whether the NotPetya attack is considered an act of war or not, it is an important case study demonstrating the inter-connected nature of ICT elements, as well as a reminder of the increasing potential damage to civilian systems by cyber attacks globally.

Both technical and operational measures can be taken to prevent such spreading from occurring, for example by using malware that operates only on devices with specific unique components, or limiting the number of times malware can duplicate when spreading in a computer network (see the new ICRC report at p. 22-24). However, even while operating in an ‘air-gapped environment’, leakage of the attack tool is possible, as shown in past cases. For instance, the attack tool known as ‘Stuxnet’ used in a cyberattack on Iranian nuclear facilities was found on other computer networks around the world. Thankfully, successful technical measures were put in place to prevent incidental harm to untargeted assets, by restricting the malware used in the attack to operate only on a specific controller that was regulating a specific piece of equipment that is unique to enriching uranium.

While past experiences of military cyber operations can be valuable to ensure an effective risk analysis, complex assessments that have to be made during the targeting process itself may require more advanced assessment methods. These may include creating models of targeted systems (so-called ‘cyber ranges’) to simulate the attack, which could be used together with advanced AI capabilities to further mimic the diversity and complexity of the real ‘internet’, or at least large and complex sets of integrated environments and networks. Another option could be creating an assessment using scenario-based analysis, by examining past cases where similar systems failed as a result of disasters or human action and analyzing the extent of harm caused to civilians by the system failures, in order to assess the extent of harm that may be anticipated as a result of cyber operations targeting those or similar systems.

Unfortunately, such prevention measures or assessment methods might not always be possible to implement and could require a considerable investment of resources, which might simply not be available to some smaller or less cyber-developed States. This would exclude them from conducting some of the more complex offensive military cyber operations, as a lack of resources does not justify irresponsible conduct in cyberspace (see also ICRC report at p. 20-21).

Qualitative assessment

The impact of a cyber attack is often categorized and measured in terms of its effect on data: data confidentiality (i.e. ensuring that information is disclosed only to those who are authorized to view it); data integrity (i.e. ensuring that information has not been changed accidentally or deliberately, and that it is accurate and complete); and data availability (i.e. ensuring that the business/operational purpose of the system can be met and that it is accessible to those who need to use it). Discussing the quality of the attack’s impact in these terms makes it possible to analyze how significant the damage was to the ability to use the system and its data, in addition to assessing any physical damage that could be caused.

However, simply assessing the direct damage to ICT is not sufficient to fully understand the harmful ways in which it may impact civilian lives. In some cases, the impact is clear, as with power grids providing electricity, oil pipes capable of causing both pollution and physical explosions if damaged, and healthcare centers providing critical care to patients. The effects of damaging other civilian assets or services can be much more ambiguous, and lasting impact can be much harder to assess in advance.

For instance, disabling a country’s access to the internet can not only interrupt its communication with the world and its citizens’ access to information, but also interfere with many other services provided by both the government and public entities which rely on the internet. A more moderate example could be corrupting the data in a public database used by many, which not only prevents its direct use but also disrupts any other system or entity that uses its data. The lasting impact of such scenarios is hard to assess, as the attack affects more than its direct target.

Methods of assessment 

As a relatively new warfare domain, cyber lacks designated methods for assessing the harm to civilian lives, during armed conflict or otherwise. While the existing assessment methods for kinetic attacks could be modified to be used in the context of cyber operations, they overlook some characteristics unique to cyberspace, and may be considered as relatively closed and static systems compared to the more complex and dynamic military cyber targeting environments. Creating designated methods suitable to cyber operations during armed conflicts could help resolve these issues, thus allowing more accurate assessments and more responsible operations.

The new ICRC report outlines several cyber-specific assessment methods for assessing the harm to civilian lives by cyber operations during armed conflicts. Some examples mentioned earlier include using ‘cyber ranges’ or performing a scenario-based analysis using case studies, in addition to adding cyber-designated questions to existing assessment methods for kinetic attacks (see also ICRC report p. 20-23). In addition, States can execute cyber operations after intelligence-gathering operations carried out with the purpose of understanding the connectivity of the target, allowing for a more accurate cyber operation.

 * * * * *

When facing the difficulties posed by the unique characteristics of cyberspace during such assessment processes, I believe countries, international organizations and other stakeholders alike should work together in creating shared resources, similar to the resources and methodologies regarding kinetic attacks which are usually shared between allied States or even made publicly available, such as the Joint Tactics, Techniques, and Procedures for Intelligence Support to Targeting mentioned above, or the Collateral Damage Estimation Methodology (CDEM). The ICRC report on avoiding harm to civilian lives by cyber operations during armed conflicts should be used as a stepping stone for the international cyber community in creating such shared resources, discussing assessment methods, and collaborating to enable safer, more responsible conduct in cyberspace.

Creating such shared resources will not only enrich the collective knowledge base, but will also help parties who cannot allocate sufficient resources to assessing the harm to civilians by cyber operations to close that gap, hopefully resulting in less harmful cyber operations and a more responsible approach towards the conduct of military cyber operations.

[1] As defined by Crowdstrike: interactive intrusions — those involving the use of hands-on-keyboard techniques. Crowdstrike 2021 Global Threat Report, 22 February 2020.
