Online Commentary

October 27, 2021

In early 2021, Microsoft Exchange Server was the subject of a wave of cyberattacks. In July 2021, both the US and EU attributed the attacks to actors affiliated with Chinese authorities, calling the behavior “irresponsible”. The operation allowed cybercriminals, unaffiliated with the initial attackers, to exploit the same server vulnerabilities for their own purposes, significantly increasing the economic harm and security risk to companies and governments around the world running Microsoft Exchange Server. The US and EU believe this third-party access could easily have been avoided, which would have reduced the harm done to affected entities around the world.

The US and EU may have agreed that the attack was irresponsible, but in international relations there is still no holistic or commonly accepted framework for what characterizes a cyberattack as responsible or irresponsible, despite proposals put forward by scholars.

In a Lawfare article titled “Responsible Cyber Offense”, US scholars and cybersecurity practitioners Adams, Aitel, Perkovich, and Work propose six norms of responsible cyber offense. Their central claim is that cyber operations can be legitimate if they respect certain technical safeguards that minimize the collateral damage of an operation and mitigate its unintended consequences.

The authors of the six proposed norms contend that the US should reach reciprocal agreements with China and Russia to refrain from irresponsible behavior and should push for international norms around it. The US and EU are also keen to incorporate the practices of indiscriminate targeting and of allowing third-party access to “backdoors” or security vulnerabilities into their assessments of responsible state behavior.

Implementational Challenges

The six norms for offensive cyber operations laid out by Adams et al. are intended to avoid collateral damage and instability. Here are the norms included in their paper: 

1. Test Tools Before Use

The authors contend that testing cyber weapons in a controlled environment is important for preventing collateral damage or unexpected outcomes when they are used on real targets. For that purpose, cyber ranges (simulation environments) should be used. For some cyber actors, however, testing in the real world is much more tempting, since it provides real-world experience and data. The challenge with enforcing this norm is that the incentives to rely on cyber ranges are low. Russia and Iran, for instance, have used foreign countries in their neighborhood as testing grounds for their cyber weapons. One drawback of cyber ranges, from a state’s point of view, is that you can never test the adversary’s reaction to your intrusions until you are actually in their network.

2. Avoid Indiscriminate Targeting

Avoiding indiscriminate targeting is a goal all states should aim for, and some argue that it is achievable. But even the most well-resourced actors in cyberspace have so far failed to avoid indiscriminate effects. Stuxnet, which was attributed to the United States and Israel, infected more than 100,000 computers worldwide, and techniques used in the operation have since been reused by other malicious actors for their own purposes. In short, even a tailored access operation may affect targets far beyond what could be considered discriminate targeting.

3. Prohibit Targets Throughout the Operational Life Cycle

Hackers regularly compromise Internet of Things (IoT) devices during the early stage of an operation’s life cycle and use them to “pivot” to higher-value targets within a corporate network at a later stage. For example, some attackers appear to find it acceptable to compromise x-ray systems in hospitals if this enables them to pass malware on to, or later exploit, a different part of the network, such as the hospital’s patient database. Under this norm, however, targeting medical IoT devices would not be acceptable even in an early stage of an attack, since such behavior could easily harm humans.[1] Given the number of IoT devices entering the market, it is insufficient and impractical to list all the types of devices that should be off-limits for offensive cyber operations.

Any new norm should also consider the geographical location of targeted internet infrastructure. Targeting infrastructure in allied countries, for instance, should be prohibited, at least among Western alliance members. In the past, US Cyber Command allegedly took down ISIS propaganda content on servers hosted in Germany, which shows that there is not yet a clear norm restricting such behavior among allies.

4. Constrain Automation

Automation is sometimes essential to cyber operations, since malware must be able to act on its own in networks disconnected from the internet, where operators cannot steer it. Constraining automation should nevertheless be part of any discussion on offensive cyber norms, since operations containing automated components can cause collateral damage through unplanned propagation. Defining the level of restriction, however, will be challenging, since less automation may reduce the potency of a cyber weapon by reducing its ability to propagate.

5. Prevent Criminal and Third-Party Access to Backdoors

States can close backdoors that may be easily identified by other actors. During the SolarWinds operation, for instance, the Russian operators reportedly sent a kill command to the backdoor on roughly 99 percent of the infected systems, those they were not interested in, thereby closing their own access to them. Sometimes decision-makers may misjudge what counts as an easily discoverable backdoor, as the Juniper Networks case has shown. There, the NSA allegedly inserted a design flaw to spy on the overseas communications of Juniper Networks customers. The flaw was later identified and exploited by hackers affiliated with Chinese authorities.

The storage of offensive cyber capabilities must also be taken into consideration when discussing the prevention of third-party access to backdoors. Offensive tools that have not yet been deployed can themselves be obtained by third parties. In 2016, the hacker group Shadow Brokers did just that, acquiring and leaking advanced exploitation tools attributed to the NSA. If states reduced the number of offensive tools they stockpile by focusing on defensive capabilities over offensive ones, the risk of such leaks would decrease too.

6. Responsible Operational Design, Engineering and Oversight

Control and oversight of cyber operations are necessary, especially because an alleged lack of oversight is used by actors such as China and Russia as a fig leaf for their own cyber operations. But control and oversight are also difficult to achieve. States must maintain oversight over the employees conducting cyber operations and mitigate the risk of former cyber operators acting as mercenaries for another state.

The public coverage of a case in which three former US intelligence and military operatives used their advanced offensive cyber skills in the United Arab Emirates to spy on human rights defenders and US citizens may have provided the impetus for US lawmakers to craft new laws restricting the export of advanced cyber offense skills from the US. Nevertheless, oversight in the US and beyond remains a challenge, especially when cyber operators are uncooperative and beyond the reach of domestic law enforcement agencies.


All of the above technical norms on “responsible cyber offense” are well-intentioned. However, even if states follow them, their behavior is still not “responsible”: things can easily get out of control because of how difficult it is to control the spread of, and access to, offensive cyber capabilities.

Definitional Challenges

The term “responsible offensive cyber operation” both describes a concept (a certain way of conducting offensive cyber activities) and adds a value judgement to it (that this is the right way to do it). The term should be avoided, since it implicitly conveys that responsible cyber offense is good while reckless operations are bad. This assertion is faulty.

When states want to send a clear message in the physical world, they may scramble jets or impose sanctions. But in cyberspace there is no clear way of signaling, so it is often very difficult to know whether a cyber operation was launched with specific intentions or not. If, for instance, a state actor avoids indiscriminate targeting, this could be interpreted as an intent to act “responsibly”, but it could equally be due to technical and operational reasons: the state wants to maintain a low profile to evade detection and remain in selected networks for longer. It is almost impossible to determine whether cyber operations are “responsible” or not.

Focus on Cyber Defense

Offensive cyber operations, whether intended for espionage or attack, destabilize the international technological landscape no matter how they are conducted. To carry them out, states regularly undermine supply chains and hoard cutting-edge exploits and malware, which can then be used by other states or even criminals. This can lead to wide-ranging unintended consequences, some of which have been illustrated above. Hence, it is in the general interest of all states that engage in cyber offense to curtail the magnitude and scope of their own offensive operations and to engage seriously in a discussion to form international norms on this issue.

Ultimately, cyber-attacks are never responsible, no matter how many safeguards and oversight mechanisms are included. States should focus on holding each other to account for conducting themselves responsibly in cyberspace. This should start with states declaring, without hypocrisy, that certain targets are off-limits for cyber-attacks (such as national critical infrastructure) and that they will prioritize defense over offense. While a future focused on cyber defense, with states honoring their commitments, is unlikely, it is important to advocate for it because of the wide-ranging impacts offensive cyber operations can have and how easily they can spiral out of control.


Instead of focusing on offensive capabilities, states should prioritize making progress in building a more defensible cyberspace. This could be achieved by strengthening encryption, widening the roll-out of multi-factor authentication for system access, and faster patching of vulnerabilities within organizations. Unfortunately, some states have been pushing to weaken encryption, which would lower the bar for cybercriminals and hostile state actors to exploit systems. With regard to multi-factor authentication, Microsoft has reported that it blocks more than 99.9 percent of automated account-compromise attacks. Faster patching would also shrink the window in which cutting-edge exploits can be used, raising costs on the offensive side.

States could also take several other measures to make cyber offense more difficult or less appealing, for instance by setting traps (decoy systems) through which attackers are deceived into compromising systems seeded with malware or disinformation. Attackers would then have to reckon with the possibility that, during an operation, they unwittingly pull malware from the targeted system and damage their own infrastructure as a result. Disinformation planted in a network would make offensive operations even more cumbersome, since exfiltrated data could no longer be trusted.

Defense should be the priority for state actors, but offense may sometimes be necessary as a direct reaction to an attack, for example to stop disruptive behavior from abroad. Even in this case, the norms for offensive cyber behavior outlined above are difficult for states to implement, and the nature of cyber operations would make it hard for states to credibly signal responsible intent to each other.


[1] See also 2021 GGE report, norm 13(f) paragraph 45 and 2021 OEWG report, paragraph 26 underlining the importance of protecting health care facilities.

Bibliographic data

This DGAP Online Commentary was published on October 27, 2021.
