When nation states and organisations become victims of a cyber attack, should they be allowed to defend themselves and launch a counter attack? If so, what are the technical and legal issues that they should watch out for?
Cyber security plays an integral role in nation-states and large organisations as they are constantly under attack by cyber criminals who use malicious software to steal financial and intellectual property.
In April 2007, cyber-attacks were launched on the Estonian government and key political infrastructures. The attacks were carried out by an Estonian citizen, Dmitri Galushkevich. Estonia’s key defence against the attack was their ability to transmit its data connection to other countries. This would be impossible for a country such as the United States to perform due to their large online presence.
Estonian officials were convinced that Galushkevich wasn’t the only culprit involved, so they presented a list of IP addresses to Russian authorities to help find others involved. Russian authorities argued that there were “technicalities” within the treaty between their countries that prevented them from providing the information.
Sydney University Lecturer and Co-Director of the Sydney Centre for International Law, Dr Emily Crawford, explains that the Estonian cyber attack doesn’t fall within the international law framework for “use of force”.
She states that, “You’ll need to have an armed attack – a kinetic attack – so there needs to be a rifle fired or a bomb dropped. That’s what’s missing from the cyber realm.”
The recent cyber attacks on Sony Pictures in 2014 compromised thousands of Sony Pictures employees’ personal information such as their usernames and passwords, payroll details, credit card numbers and social security numbers.
If the Sony cyber attacks had shown use of force that lead to an armed attack, then Article 51 of the UN Charter and International Law would’ve been applicable to allow the United States to launch a counter attack.
If there is justified reasoning to launch an attack in the cyber realm, what are the loopholes that exist? Firstly, if an organisation or government is faced with a malware attack, the software has the ability to install itself through another programs installation process.
What this means is that the User Agreement within the fine print of the software outlines that users will be installing this software onto their computer. The poses great difficulty when an organisation attempts to launch a counter-attack, as there could be legal technicalities in motion protecting the offenders.
Even though actions are being taken to combat criminal activity in cyber space, this does not make them legal in the many countries or jurisdictions. Another implication is the anonymity of the internet. It is very easy to use VPN’s, and other software to hide an IP address. This could lead to misidentifying the attacker, and launching a counter attack against an innocent victim.
As cyber attacks continue to increase, governments and organisations must be vigilant in their incident response plans. But, launching a counter attack is simply not the answer as they have the ability to break a number of laws such as damaging intellectual property, spam and collateral damage.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.