
Should state nations or even larger organizations that are victims of a cyber attack be able to launch destructive counter attack?

Published by: ROHIT REVO

Abstract:
This essay analyses the legal and technical issues facing large organizations and Nations
when launching counter cyber attacks and also explains the risks associated with such
actions. Around 85-90% of all business assets today are digital 1 and by 2017 there will be
about 3.6 billion internet users, which would be 48% of the world's projected population
(7.6 billion) 2 and $1.3 trillion of global mobile payments are predicted by 2017. 3 Thus the
virtualization of the global economy makes it an interesting target for Transnational
Organized Crime and Terror Networks apart from Rogue Nations and Non State actors.
Thus there is a big dependency between computer security and national security.

Cyberspace has been defined as the 5th domain of warfare 4 and Non State Actors and
Rogue Nations are developing cyber capabilities and using it as a weapon of choice in
asymmetric warfare against other Nation States who are also actively forming units
capable of launching counter cyber attacks.
According to one estimate more than 140 states are working on developing cyber
weapons. 5 Traditional war that involved physical weapons and physical targets has given
way to cyber war, which involves cyber weapons and cyber warriors who cook up viruses,
worms, Trojan Horses and other internet attacks, to hijack and extract data from the
computers of their pretend enemies. 6

1 Forbes, Caution: Active Response to Cyber Attacks Has High Risk, viewed 1st October 2014,
<http://www.forbes.com/sites/jodywestby/2012/11/29/caution-active-response-to-cyber-attackshas-high-risk>.

2 Cisco's Visual Networking Index Forecast Projects Nearly Half, viewed 1st October 2014,
<http://newsroom.cisco.com/release/1197391/
3 Juniper Research, Mobile Payments to Reach $1.3tn Annually by 2017, as NFC and Physical
Goods Sales Accelerate, viewed 1st October 2014,
<http://www.juniperresearch.com/viewpressrelease.php?pr=332>
4 William J. Lynn, III, Deputy Secretary of Defense, National Defense University, Washington,
D.C., Thursday, July 14, 2011 <http://www.defense.gov/speeches/speech.aspx?speechid=1593>
5 Infosec Institute, The Rise of Cyber Weapons and Relative Impact on Cyberspace
<http://resources.infosecinstitute.com/the-rise-of-cyber-weapons-and-relative-impact-oncyberspace/>
6 Web War II: What a future cyberwar will look like, 1st October 2014,
<http://www.bbc.com/news/magazine-17868789>

However, some scholars claim that an attack in cyberspace is not the same thing as a
physical attack in the real world and hence does not warrant retaliatory action.
While a counter attack may be a legitimate act of warfare in some circumstances, I argue
in this paper that fighting back against adversaries and pursuing retaliatory cyber attacks is
counterproductive, and I explain the legal and technical issues involved. It is more
worthwhile to build your own cyber defense mechanisms than to orchestrate hot
cyber pursuits.
The essay carries out a literature review of retaliatory cyber attacks and draws up
arguments for and against such attacks and explains the risks and technical impacts of
these attacks.

Outline of Argument
Concerns related to cyber attacks are growing across the globe, as are the means
adopted by various countries to fight this menace.

Source: http://www.nec.com/en/global/solutions/safety/infomanagement/cyberattack.html

A real-time cyber attacks map developed by Kaspersky shows the depth and breadth of
these attacks and it indicates that a cyber war might be happening currently. Cyber
attacks are already a persistent and disturbing aspect of international relations in the
twenty-first century 7 and the first signs of war between any two countries is likely to be a
series of coordinated cyber attacks.

Source: http://cybermap.kaspersky.com/#


7 Jeremy A. Rabkin and Ariel Rabkin, Why the Current Law of Armed Conflict Should Not Fetter
U.S. Cyber Strategy (2012), in Emerging Threats in National Security and Law, edited by Peter
Berkowitz, http://www.emergingthreatsessays.com p. 1

Cyber attack is asymmetric warfare in which an attacker with a limited budget and publicly
available tools can cause huge damage to the public reputation and business confidence
of the organizations and governments they are attacking. While there are many ethical
hackers or hackers who launch opportunistic attacks, there are a very large number of
hackers who are launching targeted attacks to either promote their ideology or to discredit
governments and business organizations.
A cyber attack is far easier to orchestrate than cyber defense as Mary Ellen argues that
International law raises substantial barriers to both using cyber weapons and defending
cyber space from cyber-attacks through the use of force. 9 Computer crime and cyberterrorism
could be stopped dead in its tracks if those at risk implemented preventative
measures, 10 however given the changing nature of technology, hackers are always
finding poor processes and vulnerabilities in IT infrastructure within companies and
government bodies leaving them exposed to cyber attacks. Most cyber attacks have not
resulted in any armed conflicts so far, but there is a growing call for counter cyber attacks
in case of targeted attacks. However there is no agreement on how much of cyber activity
and intrusion will classify as a cyber armed attack. Thus the basis of initiating any offensive
cyber capability is missing, as there is no international agreement on legal interpretation
and to enforce it with respect to cyber-attacks. 11

A security study has found that more than one-third of breaches take hours to detect and
resolving breaches could take days, weeks, or months. 12 Thus identification of cyber
attackers in most cases would take time, which will enable the adversaries either to
regroup or move locations. The anonymity of the attacker who hides behind a veil of spoofed
IP addresses limits the options for launching counter attacks. Determining the true identity
of an attacker is a big challenge in cyber warfare. The attackers could be operating in a
different country, and determining the geographical boundaries of a cyber attack is very
difficult; launching offensive attacks raises questions of territorial state control. Cyber
attackers with cloaked identities, proxied network connections or bulletproof hosting
services, and operating bases in remote locations create problems in identification. 13

8 Shackelford Scott J, From Nuclear War to Net War: Analogizing Cyber Attacks in International
Law (2009), Berkeley Journal of International Law, Volume 27 | Issue 1, p. 27
9 Mary Ellen O'Connell, Cyber Security without Cyber War, J Conflict Security Law (Summer
2012) 17 (2): 187-209 doi:10.1093/jcsl/krs017, p. 203
10 Barton Paul and Nissanka Viv, Cyber-crime criminal offence or civil wrong?, Computer Law
& Security Review Volume 19, Issue 5, September 2003, p. 403
11 Waxman Matthew C, Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4),
The Yale journal of international law, Vol. 36: 421, p. 425
12 TBG Security, viewed 2 October, 2014, <http://tbgsecurity.com/13-of-cyber-attacks-take-hoursto-detect>

If an aggressor is sitting in Russia and launches an attack against an American asset,
even if the aggressor is located and identified it can take three to six months for Interpol to
pass a request along to the appropriate police agency for follow up. 14 The inability to
correctly identify the attacker coupled with the unknown collateral damage an offensive
cyber attack would cause, is the major reason why conducting cyber attacks is fraught with
risk. While the attackers could be small time players, the mere act of offensive cyber
attacks by large organizations and governments could classify them as committing the
same crime and expose them to lawsuits and more cyber attacks.
This symbiotic relationship of crime and cyber warfare complicates the broad battle-space
understanding for early warning vigilance or defensive and offensive maneuvers against
nebulous networks and masked relationships. 15 That is not to say that there are no
proponents for waging an offensive cyber attack. Some argue that building effective cyber
security measures involves fighting back against adversaries. McLaughlin recommends that the
ability to commit an aggressive and completely devastating counter attack should be part
of an organization's incident response toolkit. 16 The UK has signaled that it will carry out
offensive cyber warfare 17 while the US Patriot Act carries a prison term of 20 years for
committing cyber attacks. 18 According to media reports, U.S. intelligence services have
already carried out 231 offensive cyber-operations in 2011. 19

13 Swanson Scott, Astrich Craig and Robinson Michael, Cyber Threat Indications & Warning:
Predict, Identify and Counter, Small War Journals, July 26, 2012, viewed 1st October 2014
<http://smallwarsjournal.com/jrnl/art/cyber-threat-indications-warning-predict-identify-and-counter>
14 McLaughlin, Kevin L, Cyber Attack! Is a Counter Attack Warranted? Information Security
Journal: A Global Perspective, Volume 20, Issue 1, 2011, p. 59
15 Swanson Scott, Astrich Craig and Robinson Michael, op. cit.
16 McLaughlin Kevin L, op. cit., p. 62
17 Financial Times, UK becomes first state to admit to offensive cyber attack capability, viewed 2
October 2014 <http://www.ft.com/intl/cms/s/0/9ac6ede6-28fd-11e3-ab6200144feab7de.html#axzz3Fv4mSUMX>
18 Washington Post, accessed 1 October 2014, <http://www.washingtonpost.com/world/nationalsecurity/us-spy-agencies-mounted-231-offensive-cyber-operations-in-2011-documentsshow/2013/08/30/d090a6ae-119e-11e3-b4cb-fd7ce041d814story.html>

There are software tools like Crowdstrike in the market, which allow you to feed fake data
to attackers and help identify the patterns and motives of attackers and who is
conducting these attacks. The motivation of a cyber attack is a typical factor in determining
the response.
Responding to a cyber attack requires quick decision making using systems that are
themselves targeted, and hot pursuit can be applied in cyberspace just as in the maritime
domain, which along with air, land, and space is viewed as a global commons. 20

Unlike conventional weapons that can be identified by intelligence and satellites, the
development of a cyber weapon is rather difficult to locate 21 as this could be done in the
confines of a private home with little or no connectivity.
The options for adopting a legal recourse can be a non-starter as cyber laws in different
countries vary and some countries may not adopt a hard line approach to cyber intrusions.
Thus countermeasures, sanctions and even law enforcement cannot substitute for frontline
computer and network security measures. 22 There are no consistent guidelines to identify
a state sponsored cyber attacker vis-à-vis an opportunistic attacker, to identify the real
intent of attackers and also to pinpoint their exact geographical coordinates. Scholarly
articles have failed to arrive at a definition of how a cyber intrusion can be classified as a
cyber attack and how should passive and offensive strategies be initiated. Kenneth Geers
makes a valid point by suggesting that Propaganda and low-level computer network
exploitation (CNE) may trigger the first line of passive cyber defense, while the
manipulation of code in an operational weapons system could be grounds for real-world
retaliation. 23
19 Washington Post, accessed 1 October 2014, <http://www.washingtonpost.com/world/nationalsecurity/us-spy-agencies-mounted-231-offensive-cyber-operations-in-2011-documentsshow/2013/08/30/d090a6ae-119e-11e3-b4cb-fd7ce041d814story.html>
20 Farwell James and Rohozinski Rafal, The New Reality of Cyber War accessed 2 October
2014, < http://www.defenceiq.com/contributors/3464-james-farwell-and-rafal-rohozinski>
21 Paganini Pierluigi, Cyber Weapons, The Hacker New Magazine, April 2012, Issue 10 viewed
3 October, 2014, <http://news.thehackernews.com/THN-April2012.pdf>
22 Mary Ellen O'Connell op. cit., p. 206
23 Geers Kenneth, Strategic Cyber Security, NATO Cooperative Cyber Defence Centre of
Excellence, p. 302

Kenneth Geers mentions two possible deterrence strategies for dealing with cyber attacks:
denial and punishment. He says that punishment is the only real option, but this
deterrence strategy lacks credibility due to the daunting challenges of cyber attack
attribution and asymmetry. 24
Cyber war is preferred by some analysts over a traditional war in which physical weapons
are being used, as cyber war does not kill people and there is no physical damage.
However the collateral damage of using cyber weapons is either underestimated or
unknown. 25 There is disagreement about the feasibility of designing cyber tools that can
be reliably employed with confidence about their collateral effects. 26 As network
configurations and software updates constantly fix discrepancies, putting dedicated
resources into offensive cyber attacks may not be economically justified and it would make
more sense to employ them to build effective cyber defenses.
Most prominent cyber incident models like the IEEE based Cerebro 27 and NIST SP 800-61 28
don't advise destructive attacks on adversaries and instead focus on containment,
eradication and recovery.

24 Geers Kenneth, op. cit., p. 121
25 Shackelford Scott J, op. cit., p 225
26 Leed Maren, Offensive Cyber Capabilities at the Operational Level, Centre for Strategic and
International Studies, September 2013, p. 5
27 Connell, A.; Palko, T.; Yasar, H., "Cerebro: A platform for collaborative incident response and
investigation," Technologies for Homeland Security (HST), 2013 IEEE International Conference,
pp.241,245, 12-14 Nov. 2013
28 http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf

Source: NIST- SP 800-61 process flow for cyber incident response

In a physical war against another nation, in most cases a United Nations Security Resolution
is required; however, there is no convention on who can launch a counter cyber attack. In
the case of a physical or a nuclear war there is a defined command structure in place,
whereas the chain of command for conducting a cyber attack is nebulous. A decentralized
approach can cause confusion that will limit the efficiency of a coordinated cyber attack.
While Nation states have an inherent right to self-defense, the UN Charter Art 2(4) states
that "All Members shall refrain in their international relations from the threat or use of force
against the territorial integrity or political independence of any State, or in any other
manner inconsistent with the Purposes of the United Nations." Thus an active pursuit of
cyber adversaries may put Nations at risk of violating UN regulations. International law
related to self-defense and armed invasions is still unclear after so many years of debate,
as the onus of providing credible proof of cyber attacks becomes the responsibility of the
country which is attacked. Thus forming an effective international cyber crime law will take
time, which will leave the field open for Nations to pursue cyber attackers and also allow
cyber criminals to spread terror and seek fame and satisfaction in disrupting digital
economies.
Life in the digital world mimics life in the real world. As traditional crime and terror move
into digital space and traditional warfare moves into the digital domain, there is a need to
replicate the same measures in the online world as well. There are growing calls for cyber
disarmament and following the same protocols as defined in nuclear disarmament. While
the analogy is correct, the building of offensive cyber weapons has very low barriers to
entry as compared to the nuclear world, where you need specialized equipment, human
resources and rare materials like uranium; cyber attackers, mostly individuals, could
collaborate in real time to launch attacks. The life cycle costs of developing cyber weapons
are minimal and also have the potential to scale dramatically; a single algorithm could
disable a whole class of adversary systems. 29
There is disagreement between experts about the feasibility of designing cyber tools that
can be reliably employed with confidence about their collateral effects. 30
If a retaliatory cyber attack causes a disruption in critical services or loss of life, then this
has the potential to escalate into a major conflict and rather than affecting the adversary
will put the offending entity at risk of civil liability and compensating for the loss of life and
damage to infrastructure if any. Protocol 1, Article 51 codifies the law of proportionality,
which indicates that the punishment offered should be commensurate with the crime
committed and that indiscriminate attacks are not tolerated. 31 An offensive attack in cyber
space may be seen as disproportionate to the intensity of crime conducted by cyber
attackers and if the offensive attacks put the lives of citizens in danger, this could be a
violation of UN laws.
A cyber attack can either have no direct physical consequence or it could facilitate kinetic
attacks, which result in physical destruction. 32 Any offensive cyber retaliation is more
likely to be seen as disproportionate by the global community and is likely to cause a backlash,
and private companies don't have the legal right to conduct hot pursuits across their business
boundaries.

29 Leed Maren, op. cit., p 9.
30 Leed Maren, op. cit., p 5.
31 United Nations, 1994 Conventions and Additional protocols and their commentaries, viewed 4
October 2014, <https://www.icrc.org/ihl/WebART/470-750065>
32 Hathaway Oona A, Crootof Rebecca, et al, The law of cyber-attack, California Law Review,
2012, p 26

Conclusion:

Due to the interconnectedness of the world, it is likely that a country can be a cyber
attacker as well as a victim of cyber attacks. Currently there is no consensus about
when a cyber attack warrants a retaliatory physical or cyber strike. Rather
than concentrating efforts on counter attacks, it is prudent to build defence
mechanisms to dissuade cyber attackers so that they concentrate on less secure
environments.

REFERENCES
Barton Paul and Nissanka Viv, Cyber-crime criminal offence or civil wrong?, Computer Law &
Security Review Volume 19, Issue 5, September 2003, p. 403
Cisco's Visual Networking Index Forecast Projects Nearly Half, viewed 1st October 2014,
<http://newsroom.cisco.com/release/1197391/
Connell, A.; Palko, T.; Yasar, H., "Cerebro: A platform for collaborative incident response and
investigation," Technologies for Homeland Security (HST), 2013 IEEE International Conference,
pp.241,245, 12-14 Nov. 2013
Farwell James and Rohozinski Rafal, The New Reality of Cyber War accessed 2 October 2014,
< http://www.defenceiq.com/contributors/3464-james-farwell-and-rafal-rohozinski>
FBI, Terrorism 2000/2001, viewed 5 October 2014, <http://www.fbi.gov/statsservices/publications/terror/terrorism-2000-2001#The%20USA%20PATRIOT>
Financial Times, UK becomes first state to admit to offensive cyber attack capability, viewed 2
October 2014 <http://www.ft.com/intl/cms/s/0/9ac6ede6-28fd-11e3-ab6200144feab7de.html#axzz3Fv4mSUMX>
Forbes, Caution: Active Response to Cyber Attacks Has High Risk, viewed 1st October 2014,
<http://www.forbes.com/sites/jodywestby/2012/11/29/caution-active-response-to-cyber-attackshas-high-risk>
Geers Kenneth, Strategic Cyber Security, NATO Cooperative Cyber Defence Centre of
Excellence, p. 302
http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
Hathaway Oona A, Crootof Rebecca, et al, The law of cyber-attack, California Law Review,
2012, p 26

Infosec Institute, The Rise of Cyber Weapons and Relative Impact on Cyberspace
<http://resources.infosecinstitute.com/the-rise-of-cyber-weapons-and-relative-impact-oncyberspace/>
Jeremy A. Rabkin and Ariel Rabkin, Why the Current Law of Armed Conflict Should Not Fetter
U.S. Cyber Strategy (2012), in Emerging Threats in National Security and Law, edited by Peter
Berkowitz, http://www.emergingthreatsessays.com p. 1
Juniper Research, Mobile Payments to Reach $1.3tn Annually by 2017, as NFC and Physical
Goods Sales Accelerate, viewed 1st October 2014,
<http://www.juniperresearch.com/viewpressrelease.php?pr=332>
Leed Maren, Offensive Cyber Capabilities at the Operational Level, Centre for Strategic and
International Studies, September 2013, p. 5
Mary Ellen O'Connell, Cyber Security without Cyber War, J Conflict Security Law (Summer
2012) 17 (2): 187-209 doi:10.1093/jcsl/krs017,p. 203
McLaughlin, Kevin L, Cyber Attack! Is a Counter Attack Warranted? Information Security
Journal: A Global Perspective, Volume 20, Issue 1, 2011, p. 59
Paganini Pierluigi, Cyber Weapons, The Hacker New Magazine, April 2012, Issue 10 viewed 3
October, 2014, <http://news.thehackernews.com/THN-April2012.pdf>
Shackelford Scott J, From Nuclear War to Net War: Analogizing Cyber Attacks in International
Law (2009), Berkeley Journal of International Law, Volume 27 | Issue 1, p . 27
Swanson Scott , Astrich Craig and Robinson Michael, Cyber Threat Indications & Warning:
Predict, Identify and Counter, Small War Journals, July 26, 2012, viewed 1st October 2014
<http://smallwarsjournal.com/jrnl/art/cyber-threat-indications-warning-predict-identify-andcounter>
TBG Security, viewed 2 October, 2014, <http://tbgsecurity.com/13-of-cyber-attacks-take-hours-todetect>
United Nations, 1994 Conventions and Additional protocols and their commentaries, viewed 4
October 2014, <https://www.icrc.org/ihl/WebART/470-750065>
Waxman Matthew C, Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4),
The Yale journal of international law, Vol. 36: 421, p. 425
Web War II: What a future cyberwar will look like, 1st October 2014,
<http://www.bbc.com/news/magazine-17868789>
William J. Lynn, III, Deputy Secretary of Defense, National Defense University, Washington, D.C.,
Thursday, July 14, 2011 <http://www.defense.gov/speeches/speech.aspx?speechid=1593>
Washington Post, accessed 1 October 2014, <http://www.washingtonpost.com/world/nationalsecurity/us-spy-agencies-mounted-231-offensive-cyber-operations-in-2011-documentsshow/2013/08/30/d090a6ae-119e-11e3-b4cb-fd7ce041d814story.html>
