| Publication Type | honors thesis |
| School or College | College of Humanities |
| Department | Humanities |
| Faculty Mentor | John G. Francis |
| Creator | Sonderegger, John Christian |
| Title | A new Era: war, crime, terrorism and propaganda in the digital age |
| Date | 2018 |
| Description | The evolution of the Internet has changed global dynamics and international relations drastically, possibly more than any other single invention or creation. But the Internet is not just a singular action, object, or device, it is the connection of communications, relationships, ideologies, government, infrastructure, commerce, and culture, shared by an ever-increasing percentage of the world's population. |
| Type | Text |
| Publisher | University of Utah |
| Subject | internet governance; global communication networks; international relations |
| Language | eng |
| Rights Management | © John Christian Sonderegger |
| Format Medium | application/pdf |
| Permissions Reference URL | https://collections.lib.utah.edu/ark:/87278/s6dz5wqz |
| ARK | ark:/87278/s6dz5z8z |
| Setname | ir_htoa |
| ID | 1587770 |
| OCR Text | A NEW ERA: WAR, CRIME, TERRORISM AND PROPAGANDA IN THE DIGITAL AGE by John Christian Sonderegger. A Senior Honors Thesis Submitted to the Faculty of The University of Utah In Partial Fulfillment of the Requirements for the International Studies Honors Degree in Bachelor of Arts In The Department of Humanities. Approved: John G. Francis, Thesis Faculty Supervisor; Hugh Cagle, Honors Faculty Advisor; Sylvia D. Torti, PhD, Dean, Honors College. April 2018. Copyright © 2018 All Rights Reserved. TABLE OF CONTENTS: INTRODUCTION 1; TYPES AND FREQUENCIES OF ATTACKS 12; DEFENSIVE DIFFICULTIES 19; THE RUSSIAN EXAMPLE 26; WHAT IS TO BE DONE 30; REFERENCES 36. INTRODUCTION The evolution of the Internet has changed global dynamics and international relations drastically, possibly more than any other single invention or creation. But the Internet is not just a singular action, object, or device; it is the connection of communications, relationships, ideologies, government, infrastructure, commerce, and culture, shared by an ever-increasing percentage of the world’s population. The Internet allows for increasing standards of living across the globe as well as rapid and wide-reaching promotion and sharing of ideas. Additionally, the Internet provides new channels for committing crime, slander, vandalism, and even terrorism. The global nature of this network allows these malicious acts to be committed on an increasingly international scale. While disenchanted individuals can take stabs at other individuals or corporations, it is also progressively more plausible for national governments to interact with each other in espionage and sabotage in a way that is simply impossible to replicate in the physical world. We have entered a modern world in which physical attacks are being overshadowed by the number and severity of cyber-attacks. 
This paper will focus on the rise in the number of cyber-attacks in general and from an international perspective. Additionally, it will explore existing law and policy, both nationally and internationally, as well as some future possibilities for the law and privacy concerns. The United States and Russia present an interesting case study for these concepts, and the two countries’ relations where privacy policy is concerned are frequently portrayed in news stories and popular media. With the relations of the two countries in mind, this paper will explore the past and present state of affairs concerning cyber-attacks, and the laws relating to these crimes, which differ from the law as it applied to crime before the expansion of the Internet and cyber-attacks. Cyber-attacks are troubling on an international scale for a variety of reasons. First, these forms of attack are relatively new forms of international interference, given the recent birth and rise of the Internet. In fact, new occurrences and forms of these attacks are evolving at an alarming rate (Department of Defense, 2011). In conjunction with this rapid evolution of attack, forthcoming international and domestic policy alike struggle to keep pace with the crimes they attempt to quell. This raises many questions as to whether existing bodies of international law, such as those which govern physical terrorist attacks and governmental acts of war, are sufficient to legally prosecute alleged perpetrators, whether these existing laws ought to be expanded in their scope and wording to include modern issues, or whether international bodies such as NATO and the UN ought to put forth entirely new bodies of law specifically targeting these issues (Ugelow, Hoffman, 2012). Further issues arise in attempts to justify retaliation to serious cyber-acts with further cyber-attacks or even physical action under the Just War Theory. 
A final problem lies in assessing attribution: the large scale of anonymity and accessibility on the Internet blurs the lines in determining who is to blame for a cyber-attack. Additionally, guerilla cyber-warfare by unaffiliated individuals on behalf of governments is nearly as prevalent as acts carried out by elected officials or members of government intelligence agencies. News media and academics use many varying terms in addressing illegal acts committed domestically or internationally by individuals and governments, including “cyber-warfare,” “cyber-terrorism,” “cyber-attack,” “cyber-act,” “net-attack,” and further related terms and phrases. A phrase such as “cyber-warfare” either contains grave safety implications or carries the connotation of physical infrastructure or processes being affected via the Internet, which is a pressing but narrow band of the spectrum of these acts. The opposite end of the spectrum includes terms such as “cyber-activity,” which imply less consequential interference with businesses or individuals. In this paper, we will primarily use the term “cyber-attack,” defined by Oona A. Hathaway and colleagues as “any action taken to undermine the functions of a computer network for a political or national security purpose” (Hathaway et al., 2012). In discussing the means by which nations are justified in retaliating to a cyber-attack, the Just War Theory is often evaluated and applied by academics addressing the theoretical legality of such an attack. This presents a decent starting point and reference by which we can start addressing practical issues, but weaknesses of this approach include the broad, sweeping conclusions necessary for a thought experiment of this nature. Applied to the sphere of the Internet, conventional Jus ad Bellum interpretation falls short of justifying use of force in retaliation to a harmful cyber-attack if an instrumental or traditional view, i.e. 
examining the instruments or weapons used, is applied, as there are no physical weapons to evaluate in the way that chemical warfare or nuclear warheads can be analyzed (Van Raedmonck, 2010). Additionally, when analyzing Jus ad Bellum in light of cyber-attacks, a “use of force” and an “armed attack,” as defined by Article 51 of the UN Charter, differ significantly, and the concept of proportionality is a complex and nuanced grey area left to interpretation on a case-by-case basis (United Nations, 1945). Again, the usefulness of theoretical Just War Theory has been called into question in its application to cyber-attacks, but to the extent that it provides a foundation with which we can begin to examine practical examples in international relations, this theoretical background does prove effective. For perspective on the rapidly increasing nature of these attacks, comparative studies from the International Journal of Computer Trends and Technology showed an increase from under 500 to over 14,000 reported cyber-attacks from the years 1995 to 2003 (Kaul, Prasad, 2015). This is a vast annual increase in attacks during the still-early growth stages of the Internet, and it shows the speed with which perpetrators of such actions were able to adapt to and exploit the new system of interconnectedness. However, at the time of writing this research paper, more attacks were registered each minute, on average, than were reported in the final year of the IJCTT study (T-Sec, 2018). Kaspersky Lab’s real-time projections of cyber-attacks combine the real-time detections of 8 different types of cyber-attacks, and their data consistently averages over 100 attacks of each type each second, with considerably more during peak hours of activity (Kaspersky, 2018). 
The raw frequency of attacks of all kinds, from large-scale DDoS attacks on research databases and digital strongholds of personal information to perpetually running automated attacks on the digital financial transactions that make up a large, often taken-for-granted portion of the interactions on the Internet today, is staggering. One reason these crimes differ in magnitude from what could be accomplished physically by a perpetrator before the large growth of the Internet is that they can be automated to run indefinitely and adaptively by computers. This compounding nature of cyber-attacks allows for exponentially more attacks to be carried out than there are human attackers. But given the incredibly large numbers of attacks of all natures, the response of defensive software development firms and general cyber-security has grown proportionally, and it is pertinent to analyze the number of attacks carried out that have large significance, especially on an international scale. In 2016, the Center for Strategic and International Studies (CSIS), a nonprofit research organization concerned with international policy, security, and relations, published a list of over 200 cyber-attacks they deemed to be significant (CSIS, 2016). By “significant” attacks, the CSIS is referring to “cyberattacks on government agencies, defense and high tech companies, or economic crimes with losses of more than a million dollars”. These incidents include exploitation of large volumes of personal and financial information, the hacking of national defense systems, attacks which, while detrimental and significant, received little to no media attention, and even politically driven cyber-attacks such as the highly publicized alleged Russian involvement in the 2016 US Presidential Election. The attackers range from teams of highly trained software developers and government-backed hackers to lay people with little to no training in the field of professional hacking. 
Several large-scale cyber-attacks in recent history illustrate the severity and range of these attacks. This paper will focus largely on Russia, the United States, their interactions, and alleged cyber-attacks against other entities, as there are a number of these cases and accusations in very recent events. One such example is the 2014 Russian annexation of Crimea, during which cyber-attacks were used to compromise communications and public infrastructure (Dannenberg, Cilluffo, 2014). On multiple occasions, Crimea has been subject to attack in the form of telecommunication and electrical blackouts, some of which have lasted hours. This form of attack did not have the direct and visible repercussions of a bombing, as conventional methods of attack did before, but it could have had severe indirect effects, such as endangering hospitals and government databases and even affecting the lives and safety of average citizens across the country of Ukraine. This is an eerie example of the possible damage that can come from attacks with no visible attacker. However, it also provides an even more important example of a common problem in assessing these situations: the difficulty of attribution. Attribution is a key issue in the application of laws, both theoretical and existing, to cyber-attacks. The compounding nature of cyber-attacks allows the frequency of attacks to vastly outnumber the perpetrators. The ability of an attacker to write a program that can multiply its efforts and draw on increasingly powerful computation hardware is largely different from, and potentially more dangerous than, physically carrying out a crime of a similar nature. For example, if one were to attempt to physically rob a grocery store’s cash register, one would need to go through a large series of events and preparations in order to do so successfully. 
In order to successfully rob the store and not be charged with a crime, one must enter the store, forcibly remove or have someone remove money from the cash register, exit the store, and flee the scene, all without leaving any trace of one’s identity, DNA, appearance, or presence. This was a feat which was difficult in the years before advanced computational progress and the expansion of the Internet, and while these technological advances have created numerous problems in the attribution of cyber-crimes, they have had the opposite effect on the attribution of physical crimes. With the increasing storage capacity of databases of DNA, personal information, financial transaction histories, license plate scans, and surveillance systems, among other technological and computational developments, success in this form of endeavor is extremely risky for a potential perpetrator and has extremely low rates of success. To further extend the hypothetical situation, this form of physical robbery would be nearly impossible and offer few to no incentives if the robber needed to first purchase a plane ticket and cross an ocean. If a potential terrorist or agent of espionage aligned with a hostile government or movement were to physically attempt to breach another government’s defense systems, the likelihood of a successful attempt would only diminish, proving extremely costly, risky, and not advantageous. Contrasting this hypothetical with that of cyber-attacks, the difference between the two forms of crime is stark. In an online situation, one has the potential to program not one but many, up to many thousands of, attacks on any given target. 
Given the increasing computational power of modern computers, both in terms of hardware and software, even the most primitive and easily defended cyber-attack, a “brute force” attack in which software attempts to guess a password by systematically trying every combination of numbers and letters for the given password, has a higher potential of breaching a security system than someone physically entering the building of interest. Additionally, the incentive to do so increases when increasing anonymity and relative ease decrease the potential negative consequences and increase the potential for successful attempts. “China or Russia are frequently named in association with attacks, but it is important to remember that the cost of entry makes cyber war type activities attractive to all nations. There is a low cost of entry and a low risk of any significant consequences” (Winterfield, Andress 2012). Returning to the international expansion of the hypothetical, the incentives for a government or agency to use cyber-attacks in their efforts against another government or organization are much higher. In 2011, the “UK Cyber Security Strategy” was published as an official statement of intent by the English Government, and it states numerous challenges government officials and agencies face in dealing with growing threats of cyber-attacks. In doing so, the document sums up the difficulty of attribution by stating that “with the borderless and anonymous nature of the internet, precise attribution is often difficult and the distinction between adversaries is increasingly blurred” (UK, 2011). As a practical example of the difficulty of attributing cyber-attacks, in 2014 many digital traces left by the hackers responsible for a virus known as Sandworm, which caused these electrical and communications grid failures, were traced back to hackers using Russian ISPs. 
This suggests Russian governmental involvement in or planning of these attacks, but cannot ultimately prove it (Greenberg, 2017). This, combined with the Russian government’s denial of involvement in the attacks, makes any means of retribution for the Ukrainian people difficult. Viral attacks perpetrated by a small number of attackers or large-scale distributed denial-of-service (DDoS) attacks are very difficult to pin conclusively on a governmental body. In this case, only contextual and inferred evidence points us to an implied connection to the Kremlin, such as Russia’s potential incentives to rehearse these attacks during a heated conflict before applying them on a broader scale in other, more powerful countries, or possibly the use of this attack to send a warning to other world powers, specifically the United States. This hypothetical warning would not be unwarranted, as the United States government is alleged to be involved in sponsoring harmful cyber-attacks as well, which we will examine later. The allegedly Kremlin-sponsored sabotage of Estonian governmental websites, bank cyber-organization, and many Estonian media outlets over a period of almost 3 weeks in 2007 is another example of both the damage that can be done during an anonymous cyber-attack and the difficulty of unmasking the invisible culprits (Babak et al., 2014). Leaders of the Estonian government immediately named the government of the Russian Federation as the backer of these attacks, again based mostly on circumstantial evidence. At this same time, physical riots in Estonia and attacks on the Estonian embassy in Moscow were taking place as the result of a controversy over the Estonian government’s decision to relocate a Soviet statue located in Tallinn. 
This, combined with the confession of a small number of Russian hackers of their involvement, led officials around the globe to conclude that Russia as a whole was indeed at fault, but despite the logic and reasoning behind these claims, conclusive tangible evidence was never found that linked Kremlin agents to this attack. This attack was so influential that Tallinn is currently the home of the NATO Cooperative Cyber Defence Centre of Excellence, and the Tallinn Manuals were named after the virtually besieged city (Schmitt & Vihul 2017). Both the NATO CCDCOE and the Tallinn Manuals will be examined further later. Russia is not the only world power being accused of involvement in international cyber-attacks. In 2010, the Stuxnet virus ravaged an Iranian nuclear facility, an attack which the United States was allegedly involved in backing (Masood, 2016). This elaborate virus targeted the centrifuges of the reactor and caused several to self-destruct. A virus capable of physically destroying a nuclear power plant is a clear example of the level of destruction that can be caused by invisible assailants. Fortunately, in the case of the Stuxnet virus in Iran, the damage caused to the reactor did not affect the lives of Iranian citizens. This example is one in which the Just War Theory could be applied and analyzed to assess whether physical retaliation was warranted; however, the difficulty of definitive attribution is still the key issue preventing this from happening. The United States, in addition to Israel, was named as having sponsored the creation of the Stuxnet virus. Officials and security analysts, including Edward Snowden, denounced the US in the following years of investigation. A final recent example of international cyber-activity is alleged Russian involvement in purchasing Facebook ads during the United States 2016 presidential election. This paper will examine this example in more detail than any other. 
In short, Facebook recently discovered a large number of advertisements created by either Russian nationals or Russians living in the United States, all of which were targeted towards pages and groups where the creators knew the ads would have a politically divisive impact. Specifically, these ads were in favor of Presidential candidate Donald Trump and critical of Hillary Clinton. Again, the Kremlin denied any direct involvement in this large-scale advertisement cyber-attack when Facebook and watch groups pointed the finger at Vladimir Putin. Again, attribution remains a key issue in this event, as the tasks were carried out by individual actors and it is impossible to affirmatively and conclusively link these actors with the Kremlin or other Russian intelligence agencies. While this event is not on the same physical level of danger as a potential nuclear facility systems failure caused by a well-hidden virus, international influencing of an election through this kind of social media propaganda is unacceptable in the eyes of political leaders who believe that forms of election interference such as this erode citizens’ trust in a representative democratic election. As the details of this cyber-interference are revealed, just as in the wakes of the historic cyber-attacks leading up to these events, American citizens, policy-makers, and political leaders echo the question Russian literary and ideological figures have asked so famously: “What is to be done?”

TYPES AND FREQUENCY OF ATTACKS

As the scale of the Internet and its applications increases rapidly, so do the means by which malicious individuals and groups can commit crimes and acts of terrorism. In contrast, the number of trained professionals in cyber defense, both in the public and private sector worldwide, also increases. Governments, non-governmental organizations, and corporations alike are all diverting more funds towards stopping the numerous threats emerging in a more interconnected world. 
A large portion of cyber threats are attacks which do not pose a national or international threat as far as governmental relations are concerned but are nonetheless directed towards large groups of individuals on a global scale. Of the large number of daily cyber-attacks mentioned in the previous section, rarely will an attack present a threat to a governmental facility or infrastructure. However, as outlined with the previous examples of large attacks, these infrequent large-scale threats are particularly frightening and memorable. In this way, cyber-crimes parallel traditional crimes in that while many are committed on a daily basis against large numbers of people worldwide, it is rare that a crime rises to a nationally or internationally threatening level. Steve Winterfield and Jason Andress, in their work The Basics of Cyber Warfare: Understanding the Fundamentals of Cyber Warfare in Theory and Practice, outline several categories of attacks, useful for understanding types of threats and their relative danger compared to other types. Winterfield and Andress identify five overarching categories of attacks: advanced persistent threats (APTs), organized crime, “Insiders,” hacktivism, and a final group which they have dubbed “Script Kiddies” (Winterfield, Andress 2012). APTs comprise what were classified as “significant attacks” in the previous section, including state-sponsored espionage and terrorism (CSIS, 2016). Russian involvement in Estonia, with the Sandworm virus, and with deceptive Facebook ads in the United States, as previously highlighted, are all examples of APTs. Organized crime via the Internet takes the form of numerous scams urging unknowing victims to send money to the scammer, or “phishing,” the practice of coercing victims into divulging personal or financial information, including bank account information or social security numbers and other personally identifying information, usually via email (FTC, 2018). 
The category of cyber criminals Winterfield and Andress refer to as “Insiders” relates to those with legitimate access to a corporate or governmental database or system who willingly exploit their access or knowledge for personal or financial gain, or who unknowingly let in a threat (Winterfield, Andress 2012). While this group of threats is incredibly dangerous for businesses holding financial and personal records of employees and clients, internal security compromise is especially threatening for government databases and interconnected public works or defense agencies. The Stuxnet virus targeting Iranian nuclear facilities in 2010 and the Estonian attacks in 2007 are both believed to be the result of internal security compromise, and both posed large physical threats beyond the digital damages that can be caused in the private sector. Hacktivism involves politically or ideologically motivated cyber-attacks against corporate or government systems. However, this is usually carried out by private groups not affiliated with a government organization, such as the famed group Anonymous. The difference between the attacks of this group and the Russian use of Facebook ads for propaganda purposes lies in the government backing. That is what puts the Russian Facebook advertisement scandal in the category of an APT as opposed to hacktivism. Hacktivist groups like the previously mentioned Anonymous also frequently take public credit for their actions in order to spur political change instead of lying dormant under the radar of defensive cyber security agencies. The last category of cyber threats, referred to playfully as “Script Kiddies,” denotes any number of novice or less-trained individuals and very small groups. The kinds of attacks perpetrated by unskilled individual actors are frequently minor and financial in nature, often trying to breach passwords for individual personal and financial accounts. 
While these attacks are increasingly prevalent and easy to perform with the rise in usage of and access to the Internet and online resources for performing cyber-attacks, they are usually unlikely to pose serious threats to national security. Additionally, these attacks are often more easily attributable, as novice hackers using personal computers often do not have access to the large systems of IP addresses across borders that APT or organized crime perpetrators have, and are therefore more easily located geographically. These types of threats, while frequent, are also the kinds of threats that modernizing security system corporations have more power to defend against, with highly advanced encryption and encoding which increases the level of knowledge, experience, and computing power a potential hacker must have in order to breach lower-level firewalls and security gates. One of the greatest cyber threats relating to significant hacking on an international level is known as the Denial of Service (DoS) attack. A Denial of Service attack occurs when a server is overwhelmed by traffic from an attacker who does not exploit a weakness in the security of the network, but merely overloads the server with requests for information, which can slow down or shut down the server entirely (Babak et al., 2014). In doing so, one can render a system or database unusable for others and inaccessible to the administrators of the server. These types of attacks are common in the private sector, as hackers around the world attempt to infiltrate and corrupt business websites or databases. In doing so, a hacker may be able to access personal information of clients stored in databases or deface the website for a limited period of time. These attacks are used by hacktivists who want to deny many people access to a website for ideological reasons. 
For example, an extremist group may launch a DoS attack against a website owned by a corporation which has voiced political or ideological views contrary to those of the group. The real-life analog of a hacktivist DoS attack would be a group organizing a picket line surrounding a government or corporate office and refusing to leave until their views are heard, making it difficult or impossible for other citizens to access the building or for the administrators to enter their workplace. However, as with the examples described previously, in the digital world this action becomes much easier and much less traceable, therefore much more appealing for those who seek to do harm, and much more dangerous for those on the receiving end of this form of attack. Denial of Service attacks have two large advantages over other forms of cyber-attack. The first is that the nature of this attack is not breaching a security wall or encryption, or using inside information to attack from within. A DoS attack merely takes advantage of the infrastructure of the Internet. There are security measures in place that monitor suspicious behavior, but during a DoS attack, the only suspicious register is that one or many computers are attempting to access a server at once. Returning to the physical parallel of protesters outside of a building, the protesters are not going through the intensive process of breaking and entering the building in order to make a statement or obtain information; they are making use of the nature of the building itself, which is that it must have paths and entrances for customers and employees to enter. In this way, any passer-by who had like-minded opinions could join in the protest and have as great an effect as any other individual in the confrontation by their presence alone, regardless of skill level. 
This points to the next major advantage of a DoS attack: the ability for any layperson to simply run prefabricated code in order to get effective results. What many computer scientists and cyber defense experts, including Winterfield and Andress, consider to be “script kiddies” are unskilled perpetrators of a malicious cyber-crime using programs or code that is readily available on the Internet. By downloading a program to run code from an easily accessible website or watching a tutorial video on YouTube, an individual with very limited experience with computers can have the capability of launching a cyber-attack with large consequences. However, there are limitations to DoS attacks. Many services exist solely in order to detect and handle these kinds of attacks, and it is true that if a hacker launches such an attack, the ISP address of the hacker can be detected and simply cut off before the hacker has the opportunity to cause severe damage. Hackers may respond by teaming up and collaboratively performing many DoS attacks in order to broaden the effectiveness of their efforts, but there is a more effective and more dangerous method. While Denial of Service attacks are an issue about which security experts are rightfully concerned, the extension of this variety in terms of danger posed is the Distributed Denial of Service (DDoS) attack. A DDoS attack has all the advantages of a DoS attack and fewer limitations. By creating a virtual army of attackers, one can “distribute” this attack across many ISP addresses and servers simultaneously. In doing so, the number of requests for information can be multiplied by orders of magnitude relatively easily. Instead of recruiting a similarly skilled army of hackers in order to launch many similar attacks at the same time, one hacker can build a virtual army of cyber-attackers. 
Again, the means of operating this form of attack are not difficult to come by for someone interested, and DDoS attacks still only exploit the existing infrastructure of the Internet. But with a virtual army, these attacks become even less manageable and exponentially more difficult to attribute. Additionally, these forms of attack can make use of the personal computers of thousands of users of VPNs, further dispersing the origins of the attacks and using the personal belongings of law-abiding citizens in malicious activity. While DDoS attacks are demonstrably easy for a layperson to perform, and while many hackers and “script kiddies” utilize these kinds of attacks daily, they are also very frequently the means by which the largest and most significant cyber-attacks are carried out. Hacktivist groups and large coordinated DDoS attacks on corporations can have extremely dangerous consequences for corporations and clients, both in the exploitation of personal information and in the sabotage of servers and websites, but state-sponsored DDoS attacks against other government agencies and databases can be simply devastating if the existing safeguards against these attacks fail. From a cost-benefit analysis of the amount of money a government could spend in sponsoring skilled hackers to perform a hypothetical DDoS attack, the potential damage could far outreach the damage done by the same number of foot soldiers, at a fraction of the cost and with negligible risk, because of the magnifying effect of the distribution of these attacks across ISP addresses all over the globe. While it is true that from a defensive position a government can expect high rewards on spending in cyber-warfare experts, the evolution of the sophistication of cyber-attacks is unparalleled by the progression of any conventional weaponry. 
Furthermore, the progression of conventional weaponry, including unmanned drones, more intelligent airplanes, and nuclear weapons, is increasingly reliant on the very technological infrastructures that are at risk of being hacked. Many of the “significant attacks,” including the devastating attacks on Estonia, which were a critical point on the timeline of cyber-attacks and to which many of the most damaging contemporary cyber-attacks are compared, were DDoS attacks (CSIS, 2016). Not only can these attacks, including DDoS attacks, have largely negative impacts on the websites and databases of government agencies, but these kinds of attacks have the potential to be used to sabotage conventional defensive weaponry, all with a historically very low risk of attribution and of actual legal or political action against the alleged government sponsor. It is for all these reasons that cyber-security ought to be of the utmost priority in the efforts of governments and in state defense spending.
DEFENSIVE DIFFICULTIES
Several inherent characteristics of the Internet have made it difficult for the law, both on a national and international level, to be applied in cases of alleged cyber-attacks. Attribution, the current definitions of acts of war, especially internationally, and the question of jurisdiction over the Internet are all largely contributing factors in the predicament which is the law as it applies to the Internet. Attribution has been previously discussed, but the key issue is that the digital registers of IP addresses are not enough to definitively identify a single person, or even a group of people or region of the world, from which a cyber-attack originates. Cyber-attacks can be conducted by overriding personal computers that have already been infected by malware or which have been used to willingly join a popular anonymity network such as The Onion Router (TOR) for the sake of anonymous Internet usage.
Because of this, even a single, undistributed attack can be masked to originate from any corner of the world. This presents two challenges: first, it is much easier for a country to deny any formal involvement in an attack than with conventional attacks and acts of war. Second, it makes tracing the attack back to the original attacker(s) incredibly time-consuming and expensive. This is a recurring problem, and the cost-versus-benefit analysis of tracking down a potential hacker is the inverse of the incentives for the actual attack. Currently, the tools and staffing required in order to track and attribute cyber-attacks are quite large when compared to the amount that is spent on defensive cyber-security. While exact figures for money spent by states on cyber-security are usually as confidential and guarded as the defense methods themselves, numbers from the public sector of cyber defense show that a large majority of the defense budget is spent on preliminary defense while a small minority of spending is dedicated to forensics and response following a cyber-threat (Filkins, 2016). Additionally, the same findings suggest that cyber-defense firms believe that defense spending is more effective than attribution of cyber-crimes. This belief is warranted, considering the hours it takes highly skilled security analysts to track even the least significant of cyber-attacks. The Dark Space Project, an extensive research project funded by Defence Research and Development Canada, analyzed current ways industry specialists deal with cyber-attacks and concluded that “Current approaches to cyber security are ill-suited to detecting and anticipating threats, which rely on a hybrid socio-technical vectors of attack,” and also affirms that in order to successfully repel cyber-attacks, a “common operational picture” of the Internet must be developed in a way that is translatable across the Canadian government and more broadly across borders (McMahon, Rohozinski, 2013).
This essentially means that one of the difficulties currently facing defensive experts is the lack of communication across borders about breaches of security and the impacts those may have. Thus, one possible solution to this problem is the creation of an international security network that unilaterally and consistently tracks cyber-threats and their origins, which could then be made use of by NATO, the EU or the UN in cyber-forensics. Government cyber-forensics are also bound by additional legal regulations in the ways by which they can investigate cyber-crimes. Where it is difficult from a technical standpoint to work in reverse from the point of attack through the various IP addresses and servers used to levy a significant attack back to the point of origin, it is also difficult to do so in a transparent way that does not violate privacy rights or the same constitutional protections that bind government investigation of conventional crimes. Documents such as the European Union Data Protection Directive or the Fourth Amendment of the United States Constitution are examples of these kinds of limiting factors in cyber-forensics. For example, in the EU Data Protection Directive, personal data is defined as “any information that relates to an identified or identifiable living individual,” and strict regulations are put in place as to the means by which this information can be used and collected, as well as limitations on the ability of member states to share this data across borders (Journal of European Communities, 1995). This makes the process of finding probable cause in a cyber-attack case difficult, and puts additional burdens on cross-border collaboration within the EU. Similarly, the United States provision that citizens have the constitutional expectation against “unreasonable searches and seizures” limits the United States Government in its attempts to investigate cyber-crimes and in attempts to surveil potential hackers (US Constitution).
From the standpoint of personal privacy and privacy-related concerns, both examples of governmental restriction in surveillance and cyber-forensics offer needed protections to citizens and users of the Internet. While these and similar provisions may possibly slow or inhibit cyber-forensics, they are absolutely necessary in order to keep the integrity and security of the Internet as a whole. In this conundrum lies another issue with the application of conventional law in the sphere of the Internet: the Internet as we know it today defies borders and jurisdictions, and the implementation of virtual borders and laws as they are implemented in the physical world goes against the historic nature of the Internet and the interests of those who use it (Department of Defense, 2011). For this reason and the difficulties of attribution, governments have historically only devoted the large amount of resources necessary to attribute cyber-attacks in the most severe of cases, and even in these cases it is much less likely for hackers to be caught and tried than for conventional crimes. Again, where the costs of performing a cyber-attack are minimal in relation to the potential gains, the costs of investigation in terms of time and resources, along with the rights concerns and difficulties, generally outweigh the potential gains of the investigation dramatically. Finally, the applications of current law, both at a national and international level, as drafted with the purpose of preventing conventional acts of war and aggression, leave somewhat of a grey area of interpretation when dealing with cyber-attacks. For example, often cited is Section 2(4) of the United Nations Charter, stating “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations” (United Nations, 1945).
As demonstrated historically and in this paper, cyber-attacks can indeed have the qualities of a “use of force” in terms of the potential damage done. Especially in cases of significant cyber-attacks against state resources and infrastructure systems, a properly executed cyber-attack can have as lethal an effect as a bomb. Similarly, the equally reputable Article 51 of the Charter describes a nation’s “inherent right of individual or collective self-defence” in response to a use of force (United Nations, 1945). However, the difficulty in the application of this law in the realm of cyberspace lies in the following words, as a state’s right to self-defense lies in response to an “armed attack,” which historically has been applied to conventional warfare. Currently, few international laws are written in ways that clearly define cyber-attacks as lethal to states in the same ways that conventional warfare is, and few international laws specify clearly the means of retribution and attribution for international cases of cyber-attacks (Ugelow, Hoffman, 2012). This compounds the previously stated legal and technical difficulties in cyber-forensics and attribution. However, resources are continually emerging for legal bodies both nationally and internationally in applying existing law in cyberspace. The Tallinn Manuals are the prime example of such a resource. The original manual was written as a response to the 2007 cyber-attacks that devastated Estonia and was organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) as an international study of the ways in which existing law can be applied to cyberspace. The manual, and its successor the Tallinn Manual 2.0, address many of the concerns raised by this paper theoretically, but the manuals remain unofficial guidelines for existing governing bodies and are not at this time codified laws (Schmitt & Vihul 2017).
The Manuals are divided into sections of rules, which attempt to clarify concerns of legality in dealing with cyber-warfare. In Section 3, Rule 18 states that “Should the United Nations Security Council determine that an act constitutes a threat to the peace, breach of the peace, or act of aggression, it may authorize non-forceful measures, including cyber operations” (Schmitt & Vihul 2017). The Manual continues to clarify that “If the Security Council considers such measures to be inadequate, it may decide upon forceful measures, including cyber measures”. This assertion by the Group of Experts, the international body of lawyers and researchers who compiled the Manuals, clarifies several things. First, it asserts that cyber-attacks can indeed be uses of force and acts of aggression. Second, it demonstrates that cyber activity can be used as a “forceful measure,” both in state-sponsored attacks on another country and in what the UN Charter would consider “self-defense” against such an action. Third, it describes situations in which cyber-forces may be used in retaliation for conventional physical attacks, and the inverse, which is conventional retribution by land, air, and sea forces in response to cyber-attacks. Not only does this provide options for the future of international relations in a digital age, but it reaffirms the significance of cyber-security and the lethal impacts cyber-attacks can potentially have. The Tallinn Manuals are currently among the most comprehensive resources, if not the most comprehensive, in this particular area of research and policy. However, the intent of the manuals is to set out the legal ways in which states and international bodies can apply the law to cyberspace, and not to detail the vast technical details of this application of the law in real scenarios.
This is not a shortcoming of the documents considering their intentions, but as previously described, the technical difficulties in implementing the law in a continually-evolving digital world are numerous. In order to be a completely comprehensive source, more international collaboration by cyber-defense experts would be necessary to discuss formally the technical ways in which cyber-forensics and investigations of cyber-attacks are to be conducted, as permitted by governing bodies nationally and internationally.
THE RUSSIAN EXAMPLE
Starting in October of 2016, the United States Government made claims of state-sponsored cyber-attacks originating from the Russian Federation. The accusations of the cyber activity as a whole can be divided into three groups: the hacking of the Democratic National Convention for the purpose of publishing classified information and documents to WikiLeaks, the compromise of state election services and databases, and finally a widespread advertising campaign for the purposes of either supporting Donald Trump as a candidate for President or attacking Hillary Clinton as a candidate for the same office. These three alleged groups of actions, two carried out covertly and one visibly perceptible, all constitute forms of cyber-attacks as defined previously. Hacking of state election services and hacking of the Democratic National Convention both fall under the category of an Advanced Persistent Threat, if sponsored directly by the Kremlin. The majority of official publications and news reports are devoted to the exploration of the alleged Kremlin-sponsored media campaign in support of Donald Trump or in opposition to Hillary Clinton, which is both a form of hacktivism and an APT. In official and declassified releases from US Government agencies in 2016, the FBI, CIA, and NSA issued the following claims: We assess Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election.
Russia’s goals were to undermine public faith in the US democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency. We further assess: Putin and the Russian Government developed a clear preference for President-elect Trump. We have high confidence in these judgments. We also assess Putin and the Russian Government aspired to help President-elect Trump’s election chances when possible by discrediting Secretary Clinton and publicly contrasting her unfavorably to him. All three agencies agree with this judgment. CIA and FBI have high confidence in this judgment; NSA has moderate confidence. The statement primarily addresses the media campaign and states that the details of the other two forms of cyber-attacks are classified, in accordance with current investigations into the situation (ICA 2017). These agencies collectively recognize the difficulty in attribution, but assert that the claims are based on multiple counts from various sources of these illegal activities. This case illustrates what would constitute a “significant attack,” as detailed previously, and as such has become a good example of when government funds and private firms allocate the resources necessary to conduct the difficult cyber-forensic work required for attribution, and ultimately for any legal action to be taken on an international scale. Following the compromise of the DNC, the DNC contracted with CrowdStrike Inc. in order to investigate the origins of the attacks. Because of the public nature of this particular investigation, CrowdStrike released many details of the technical means by which it gathered the evidence necessary to come to strong conclusions of association with the Russian government, which ultimately influenced the coordinated allegations from the FBI, CIA and NSA.
CrowdStrike describes how certain lines of code gathered from historic Russian cyber-attacks by one or both of the actors Fancy Bear and Cozy Bear were present in the hacking of the DNC (Alperovitch, 2016). CrowdStrike’s statement also relates how these lines of code are specific enough and unique enough that it can assert that their use by these Russian hacking groups was neither accidental nor previously unutilized. While it should be noted that CrowdStrike’s official statement in regard to these investigations was published on the company’s blog, and that the company has an incentive to portray itself positively in these actions, CrowdStrike’s efforts in this case were definitively positive examples of ways in which attribution, though difficult to confirm for certain given the nature of cyber-attacks as previously described, can be strongly suggested. The effectiveness of the Russian hacking was crucial. The story was a largely-discussed issue among news media, security experts, and political debates. Many, including experts such as Allan Lichtman, allege that the effect of this cyber-propaganda and hacking combined with Donald Trump’s possible involvement in this situation are grounds for his removal from office as President (Lichtman, 2017). Security expert Malcolm Nance remarks on a dramatic approval rating increase not only of Donald Trump but also of the Russian Federation and Vladimir Putin’s actions amongst Republican voters as a result of the ad campaign, and concludes that the Russian interference was indeed a very significant example of a cyber-attack (Nance, Lamb, 2017). One popular news article captures additional concerns of the Russian interference, stating the following: “Most observers are missing the point. Russia is helping Trump’s campaign, yes, but it is not doing so solely or even necessarily with the goal of placing him in the Oval Office.
Rather, these efforts seek to produce a divided electorate and a president with no clear mandate to govern. The ultimate objective is to diminish and tarnish American democracy. Unfortunately, that effort is going very well indeed” (Weisburd, Watts, et al., 2016). The attack has been confirmed to have had at least some effect on the results of the election, with the potential to scramble the faith American voters have in the election system and the government as a whole. As seen in this case, cyber-attacks have the potential to become the new standard for terrorism, activism and propaganda. This particular case is highly significant in the modernizing world of cyber-defense. While it is true that cyber-attacks are rapidly evolving and that attacks are rising in numbers, this case shows an example of the lines of defense which are modernizing in order to match the demand. One of the issues related to private-sector cyber-defense firms such as CrowdStrike, as well as governmental and international cyber-defense agencies, is that the methods and findings of cyber-forensics following a significant cyber-attack are largely and necessarily classified. However, significant attacks with largely public consequences, such as this case, are both vital resources for the detection and investigation of future cyber-attacks and critical sources of precedent for the international legalities of such a case. At the time of writing this paper, the case of alleged government-sponsored cyber-attacks by the Russian Federation in the United States Presidential Election of 2016 is still under investigation and the legal approaches and ramifications have yet to be seen. Despite this, the case lends itself to productive analysis for the future of cyber-warfare and provides examples for both the modernization of offense and defense in the virtual field.
WHAT IS TO BE DONE?
As discussed throughout this paper, the past and present of international crime are very different worlds.
In the past, the costs of waging conventional war, espionage, and propaganda were all high for governments and activist groups, both in monetary and legal terms. The conquest of the Internet as a tool has led to the complicating factors discussed, including the increase in the ease of conducting attacks, the increasing difficulty of attribution, and the access potential hackers have to programs and cyber-attacks that can have large impacts. Additionally, the increased reliance of states and governments on the Internet, databases, and virtual systems in public works and safety, as well as in the operation of conventional warfare, has opened new paths for potential hackers and terrorists to exploit, all while the costs of waging such an attack, financially and legally, are very low in relation to conventional warfare of the past. In large part, because large risks and weaknesses have been shown to exist in state databases and in internet-of-things-based public works and defense systems such as nuclear reactors, power grids, and the like, state responses to the continual rise in this new wave of crime and espionage ought to be equally matched by increases in state spending in this area of defense, whether in addition to or perhaps instead of conventional forms of defense. As this form of warfare continues to prove itself dangerous with the same level of potential as conventional warfare, a proportional amount of resources ought to be allocated towards cyber-defense. The Dark Space Project, a significant source of literature on the matter of proactive cyber defense, claims ultimately that while the previously stated difficulties are ever-present, technology and funding are not even the biggest obstacles for cyber-security, but that cooperation on a national and international level amongst defense experts in a commonly-accessible fashion is crucial to the future of cyber-security (McMahon, Rohozinski, 2013).
The study’s findings are summed up by its succinct declaration: “The answer to the e-spionage threat requires a coordinated response”. Thus, while the technical difficulty in attribution or even the rising scale of attacks and significant attacks are largely contributing factors to these situations, the largest may be how we can cooperate in the future both to anticipate and prevent attacks and to provide justice in the aftermath of these attacks. Additionally, while the number of large and significant cyber-attacks continues to increase and access for potential hackers to the resources necessary to carry out such attacks does the same, two aspects of the response to cyber-crime also become more prevalent. First, the need to conduct cyber-forensics and take legal action or retaliate increases as the number of significant attacks increases. The Russian example of 2016-2017 is a good manifestation of this. The attack proved effective not only in reaching the targeted Facebook users and providing misleading information for voters during an American election cycle; the attack effectively led to a large-scale questioning of the election system as a whole. The distrust in the government sparked by the Russian media campaign was matched by a significant investigation, with the help of private security specialists and firms. Second, while the technology to conduct attacks has been shown to increase exponentially since the beginning stages of the Internet’s growth, so has the hardware and software required to combat these attacks. If the total number of cyber-attacks is weighed against what was defined as “significant attacks,” the ratio of normal attacks to significant attacks goes down over the years (T-Sec, 2018; CSIS, 2016).
Much of the current legislation, nationally and internationally, that is or can be applied in the digital realm either leaves a lot of room for interpretation or is not particularly effective legally when applied to cases of cyber-attacks. As discussed, a large reason for this is the difficulty in attribution. When potential armies of invisible attackers come from all ends of the earth, it is very hard to trace the attacks back to a single commander. Again, however, while attribution is difficult, it is not impossible. Despite the technological progression in cyber-forensics and cyber-defense, there is little codified law specifically detailing cyber-attacks and appropriate or justified responses and retribution. The Tallinn Manuals are good examples of literature in the field of cyber-crime, and they serve as the best example of literature applying existing laws to cases of cyber-attacks; however, they are a theoretical collection of suggested applications, as opposed to a legally-binding document. More theoretical work ought to be done in the footsteps of the Tallinn Manuals. However, in an age of evolving crime, the law must evolve to provide justice in the new era. Crime, terrorism, activism, propaganda, and war are changing rapidly in the era of the Internet. While there is continual development in the technical lines of defense, if there is not further development in the fields of cyber policy and law, significant cyber-attacks will increase in both number and magnitude. These attacks have been shown to be increasing over the past decades, and prioritization of cyber-defense and cyber-forensics on a national and international scale will help alleviate future disasters and provide recourse for when they do occur. As political interest groups and nations transition from fighting with spies and soldiers to hackers with computers, so should we shift our defense to allow for a safer interconnected world.
REFERENCES
“Cyberthreat Real-Time Map.” Kaspersky Cyberthreat Real-Time Map, 2018, cybermap.kaspersky.com/stats/.
“Directive 95/46/EC of the European Parliament and of the Council.” Official Journal of the European Communities, 24 Oct. 1995.
“Phishing.” Consumer Information, Federal Trade Commission, 13 Mar. 2018, www.consumer.ftc.gov/articles/0003-phishing.
“Significant Cyber Incidents Since 2006.” Center for Strategic and International Studies, Aug. 2016.
“The UK Cyber Security Strategy: Protecting and Promoting the UK in a Digital World.” Stationery Office, 2011.
“T-Sec Radar.” Sicherheitstacho, 2018, sicherheitstacho.eu/start/main.
Akhgar, Babak, et al. Cyber Crime and Cyber Terrorism Investigator's Handbook. William Andrew, 2014.
Alperovitch, Dmitri. “Bears in the Midst: Intrusion into the Democratic National Committee.” CrowdStrike, 15 June 2016, www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/.
Dannenberg, Robert, and Frank J. Cilluffo. “Putin’s Russia: A Geopolitical Analysis.” Homeland Security Policy Institute, no. 24, 21 Nov. 2014.
Filkins, Barbara. “IT Security Spending Trends.” SANS Institute, Feb. 2016.
Greenberg, Andy. “How an Entire Nation Became Russia's Test Lab for Cyberwar.” Wired, Condé Nast, 20 June 2017, www.wired.com/story/russian-hackers-attack-ukraine/.
Hathaway, Oona A., et al. “The Law of Cyber-Attack.” California Law Review, Aug. 2012.
Kaul, Chitra, and B. M. K. Prasad. “Analysis of the Cyber Attacks over the Past Decade and Impact of Them on Private Sector.” International Journal of Computer Trends and Technology, vol. 23, no. 1, 2015, pp. 35–38.
Lichtman, Allan. The Case for Impeachment. Dey Street Books, 2017.
Masood, Rahat. “Assessment of Cyber Security Challenges in Nuclear Power Plants: Security Incidents, Threats, and Initiatives.” Cyber Security and Privacy Research Institute, 15 Aug. 2016.
McMahon, Dave, and Rafal Rohozinski. “The Dark Space Project.” 2013.
Nance, Malcolm, and Brian Lamb. “Q&A with Malcolm Nance.” C-SPAN, 28 Apr. 2017.
Schmitt, Michael N., and Liis Vihul. Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. Cambridge University Press, 2017.
Ugelow, Lisa, and Lance J. Hoffman. “Fighting on a New Battlefield Armed with Old Laws.” Journal of Constitutional Law, vol. 14, no. 4, May 2012.
United Nations. Charter of the United Nations, 24 Oct. 1945, 1 UNTS XVI.
United States, Congress. Department of Defense Strategy for Operating in Cyberspace. Dept. of Defense, 2011.
Van Raemdonck, Nathalie. “The Targeted Killing of Terrorists: A Just War Assessment.” Vrije Universiteit Brussel, 2010.
Weisburd, Andrew, et al. “Trolling for Trump: How Russia Is Trying to Destroy Our Democracy.” War on the Rocks, 5 Nov. 2016, warontherocks.com/2016/11/trolling-for-trump-how-russia-is-trying-to-destroy-our-democracy/.
Winterfeld, Steve, and Jason Andress. The Basics of Cyber Warfare: Understanding the Fundamentals of Cyber Warfare in Theory and Practice. Syngress, 2012. |
| Reference URL | https://collections.lib.utah.edu/ark:/87278/s6dz5z8z |



