MC
Uploaded byMansoor Faridi, CISA
422 views

International Standards to Regulate Aggressive Cyber-behavior from a Foreign State_RR

This document discusses the need for international standards to regulate aggressive cyber behavior by foreign states. It provides background on how cyber warfare has become an effective new form of attack that lacks regulation. Current frameworks fail to fully address the issue as they focus on individuals rather than states. The document argues that comprehensive global standards are needed, but developing and implementing them faces challenges that require a collaborative effort between nations. It provides recommendations for a roadmap to establish centralized institutions to design, develop, enforce and prosecute violations of new international cyber standards.

Embed presentation

Download to read offline
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State International Standards to Regulate Aggressive Cyber-behaviour from a Foreign State Mansoor Faridi Fort Hays State University May 10, 2015 Author Note Mansoor Faridi, Department of Informatics, Fort Hays State University. Mansoor Faridi is a graduate student at Fort Hays State University specializing in Information Assurance Management. He lives in Toronto, Canada where he manages the Compliance function for a major Canadian Financial Institution. This position paper is a deliverable for Public Policy, Law, and Ethics in Informatics (INT610) course. Correspondence concerning this paper should be addressed to Mansoor Faridi. Contact: [m_faridi@mail.fhsu.edu]
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State ii Table of Contents Abstract .......................................................................................................................................1 Introduction ..................................................................................................................................2 Regulation of Foreign State’s Aggressive Cyber-behavior .........................................................3 Background ……………………………………………………………………………..3 Significance ……………………………………………………………………………..4 Present Frameworks Regulating Aggressive Cyber-behavior ......................................................5 Problem Definition ……………………………………………………………………...5 Current Status ...................................................................................................................6 Developing and Implementing Global Standards Regulating Aggressive Cyber-behavior .......10 Challenges ......................................................................................................................10 Roadmap ........................................................................................................................12 Conclusion ................................................................................................................................14 References ..................................................................................................................................16 Appendices Appendix A – Cyber-attack representations Appendix B – Examples of recent incidents of nations' cyber warfare Appendix C – Cyber-attacks on various Nations (by category) Appendix D – Estimates cost of cybercrimes in U.S. and Globally Appendix E – Model to develop global standards regulating aggressive cyber-behavior
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 1 Abstract Where technological advancements have improved our quality of life, it has also exposed us to previously unknown threat vectors, such as, aggressive cyber-behaviour from a foreign State. This significant issue has materialized in the form of huge financial losses (and otherwise), and disruption of critical service provision. The main reason behind this problem is owing to absence of international standards regulating foreign State’s aggressive cyber-behavior. The global community has failed to develop a united front to develop and implement effective solutions to tackle this issue proactively. Some global and regional organizations have developed frameworks that also fail to address this issue fully, as their scope is domestic, focussing on individuals’ cyber-behaviour (as opposed to State), and solutions are theoretical in nature with no provisions defining investigation and prosecution mechanism. Since the rules of engagement of modern cyber-warfare are different than conventional military conflict, therefore, nations need to take this distinction into consideration when approaching the issue. Another important aspect is codification of international standards including the definition of scope, jurisdiction, forensic procedures, resources, investigative and prosecution authorities. This difficult feat is possible with mutual cooperation, active involvement, and maintaining compliance (by member nations) with these international standards regulating foreign state’s aggressive cyber-behavior. Keywords: best practices, coe, continuous improvement, cyber-hacktivism, cyber-law, cyber- terrorism, cyber-warfare, impact, interpol, nato, jurisdiction, sovereign, united nations, wegener
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 2 International Standards to Regulate Aggressive Cyber-behavior from a Foreign State Mansoor Faridi Fort Hays State University Introduction This position paper supports the argument that ‘there exists an imminent need to develop and implement international standards to regulate aggressive cyber-behavior from foreign State.’ First section provides background and significance of the issue, illustrates the magnitude of this problem with examples of sovereign nations attacking each other in cyber-space, concluding with estimates of financial losses incurred due to this aggressive cyber-behavior. Second section describes the issue in detail along with a description of frameworks developed by various global organizations to regulate cyber-behavior. However, all frameworks lack in scope (focus on regulating individuals’ cyber-behavior as opposed to that of the State), and intent (theoretical in nature without defining jurisdiction and prosecuting authorities). Third section lists and discusses major challenges hindering the development and implementation of the aforementioned global standards; it also provides some recommendations along with a roadmap to design, develop, and implement global standards. The section concludes by detailing an overall approach emphasizing collaborative engagement and launching of this initiative through globally recognized platforms, with respected world bodies supporting investigation and prosecution mechanisms. This position is based on an overall approach in a global context where centralized institutions are responsible for designing, developing, implementing, regulating, prosecuting, and enforcing international standards. The approach has been inspired by industry best practices and global standards and frameworks with a focus on continuous improvement to keep the standards agile, relevant, and up-to-date!
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 3 Regulation of Foreign State’s Aggressive Cyber-behavior In my opinion, there is an imminent need to design, develop and implement robust, effective, and comprehensive international standards to regulate aggressive cyber-behavior instigated by a foreign nation state against another entity, such as another state, organization, person, etc. These standards should be supported by an international body (such as the United Nations, Interpol, etc.) to ensure its legal enforcement and effective implementation on a global scale. The sub-sections below describe the background and significance of this issue. Background In traditional warfare, strategic objectives are realized by executing offensive maneuvers. This cripples a nation by inflicting damage to its airfield, ports, roads, ordnance depot, defense and communication capabilities, etc. However, with technological advancements, the focus has shifted to a more sophisticated mode of warfare, which is equally lethal but entirely virtual [emphasis added] in nature (See Figure 1, Passeri, 2015). This is eloquently summed up by Noah Feldman (2015), Harvard Law professor, “Cyber- attacks … as a strategic matter … do not differ fundamentally from older tools of espionage and sabotage.” In fact, cyber-warfare is politically motivated hacking to conduct sabotage and cyber espionage (Cyberwarfare, 2015; See Appendix A, Chart A). The change in venue where the ‘war’ is being fought has led to a paradigm shift. This aggressive cyber-behavior is akin to cases of road-rage. Fortunately, we have traffic laws to deal with such menace; however, we do not have a holistic set of international standards regulate aggressive cyber-behavior from foreign State actors. This is defined as “attacks or series of attacks on critical information carried out by terrorists and instills fear by effects that are disruptive or destructive and has a political , religious and ideological motivation” (Schjolberg,
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 4 2007, p. 2). Table 1 below illustrates recent examples of cyber-attacks instigated by sovereign nations on other nations and entities (See Appendix B for details; Cyberwarfare, 2015). Table 1 Instances of nations’ cyber-warfare Next sub-section highlights the gravity and impact of cyber-crimes supported by statistics, and signifies how cyber-crimes expose the vulnerabilities of our data and information, as it relates to its privacy, security, integrity, and availability. Significance Through cyber-warfare, nations (or proxy agents acting on their behalf) try to gain illegal access to data and information, in order to sabotage, conduct espionage, harm critical infrastructure, assets, and disrupt mission critical operations (Awan, 2010, p. 6); resulting in significant financial losses, tarnished reputations, and even leading to total financial collapse. According to the InfoSec Institute (2013), estimated total global losses owing to cyber- crimes ranged from $300 billion to $1 trillion (See Table 2, McAfee, 2013, p. 4); which equates to a noticeable percentage of 0.4% to 1.4% of the world’s GDP! (See Appendix D) The magnitude of this problem, signified by the troubling statistics, is sufficiently alarming to trigger immediate response by policy makers globally (Wegener, 2014, p.2). If an issue of such paramount importance is not proactively tackled and addressed by developing policies and standards, then it will put us at a disadvantage to effectively combat cyber- warfare/cyber-terrorism instigated by rogue nations. According to Passeri (2015), the most
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 5 cyber-attacked countries are U.S., U.K., and Australia, respectively. However, in March 2015, U.S. was the subject of most cyber-hacktivism attacks worldwide (See Appendix C). In case of inaction, rogue states will continue to exhibit aggressive cyber-behavior, inflicting damage on other states without any threat of a retaliatory response; and the biggest loser in all this will be the general public, as they rely on their respective countries for provision of various services that are supported by critical infrastructure that is vulnerable to these threats. It is comforting to know that United States and United Nations have taken several steps in the right direction to address this issue head-on, which forms the topic of discussion in the next section. It is high time that a mechanism is established, as echoed by Leon Panetta (CIA Director, 2009 - 2011), “it was vital for the organization to be one step ahead of the game when it comes to challenges like cyber space security.” (Defence, 2010) Present Frameworks Regulating Aggressive Cyber-behavior Though the extent of losses is not fully quantified, however there is ample evidence available (See Appendix D) to estimate the extent of losses, and to determine major sources of threats emanating from certain rogue nations (See Appendix B) - what also remains unclear is the absence of repercussions (Hathaway et al., 2011, p. 52) in current international legal frameworks to deter nations from engaging in this aggressive cyber-behavior. The following sub- sections describe the problem, analyzing the frameworks by examining their shortcomings. Problem Definition Presently, comprehensive international standards do not exist, and some frameworks that do exist fail to address the issue of cyber-aggression perpetrated by a sovereign state, but rather by individuals. To date, satisfactory steps have not been taken to design and implement international standards effectively combatting foreign states’ aggressive cyber-behavior. Next
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 6 sub-section describes various frameworks developed to date, and why they failed to regulate foreign state’s aggressive cyber-behavior. Current Status International standards are drafted by various entities based on the premise afforded by international laws. Presently, the international law of countermeasures does not define when a cyber-attack is unlawful, nor does it clearly differentiate between the instigator as an individual or a sovereign state. It simply provides that when a State commits an international law violation, an injured State may respond with a reciprocal act. In the cyber-attack context, injured State may employ active defenses as reciprocal countermeasures, in which injured State ceases obeying the same or a related obligation to the one the responsible State violated. The challenges to such a response is firstly to identify attacker’s identity, as it may not be a State but a proxy working on its behalf. Secondly, it is difficult to deploy countermeasures to only injure the actor that perpetuated the attack. For these reasons, the customary law of countermeasures offers only a partial answer to the problem of sovereign cyber-attacks (Kanuck, 2010, p. 1586; Hathaway et al., 2011, pp. 45-47). However, some mechanisms (listed below) have been developed to regulate aggressive cyber-behavior (Hathaway et al., 2011, p. 48) of individuals, which can be extended to sovereign states as well after revising their scope and modifying the overall intent.  The United Nations: Headquartered in Cyberjaya, Malaysia, the International Multilateral Partnership Against Cyber Threats (IMPACT) was created in 2008 (IMPACT, 2015) with United Nations support to serve as a politically neutral global platform that brings together governments of the world, industry and academia to enhance the global community’s capabilities in dealing with cyber threats. With a total of 152 member
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 7 states, IMPACT coordinates its partners’ resources to fight cyber-crimes that go beyond political borders. IMPACT provides research and training services, policy planning, and cyber-intelligence gathering & sharing with its partners, however, it lacks any prosecution and/or enforcement authority. It can be concluded that at present, United Nations role vis-a-vis cyber-security remains largely limited to facilitating discussions and information sharing among member states, failing to address the issue at hand.  North Atlantic Treaty Organization (NATO): In 2008, a NATO summit prompted the creation of two new NATO divisions focused on cyber-attacks: the Cyber Defense Management Authority and the Cooperative Cyber Defense Centre of Excellence (Hathaway et al., 2011, pp. 50-51). The Cyber Defense Management Authority aims to centralize cyber-defense capabilities across NATO members. Due to lack of publicly available information, it is speculated that the Authority is believed to possess “real-time electronic monitoring capabilities for pinpointing threats and sharing critical cyber intelligence in real-time”, with the ultimate goal of becoming an operational war room for cyber-defense. The Cooperative Cyber Defense Centre of Excellence aspires to “advance the development of long-term NATO cyber defense doctrine and strategy.” In conflict with NATO's Article 5, member states do not feel compelled, and are not bound, to "assist” each other in case of a cyber-attack on any member state. NATO’s creation of these two divisions represents the recognition of the problem and a tangible step in the right direction; however, both divisions lack any prosecution and/or enforcement authority to deter aggressive cyber-behavior by a sovereign state.
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 8  The Council of Europe: In 2001, the Council of Europe promulgated a common criminal policy aimed at the protection of society against cybercrime, through legislation and international cooperation (Council, 2015). The rules of this framework do not appear to apply to government actions, whether taken for law enforcement or national security purposes. Member states have implicitly ensured full cooperation during investigation and/or prosecution, however, the most developed international legal framework voids itself by ignoring ‘government actions’, and hence fails to serve as a deterrent.  The Organization of American States: The Organization of American States (OAS) aims to build and strengthen cyber-security capacity in the member states through technical assistance and training, policy roundtables, crisis management exercises, and the exchange of best practices related to information and communication technologies. In 2004, OAS approved the creation of a cyber-security program to build cyber security capacity in OAS member states, recognizing that the responsibility for securing cyberspace lies with a wide range of national and regional entities from the public and private sectors working on both policy and technical issues. The main objectives focus around developing threat identification and mitigation capabilities, timely communication to all member states, and strategic planning activities supported by all member states (OAS, 2015). Again, OAS’ cyber security program fails to formalize prosecution mechanism to criminalize and prosecute illegal/aggressive cyber-behavior from a sovereign state.  The Shanghai Cooperation Organization: In its Yekaterinburg Declaration of June 16, 2009, member states have recognized the significance of cyber-security issues but have
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 9 not formalized any concrete actions. The absence of any framework and standards renders this initiative invalid when combating sovereign state’s cyber aggression.  INTERPOL: INTERPOL is committed to becoming a global coordination body on the detection and prevention of digital crimes through its INTERPOL Global Complex for Innovation (IGCI), currently being constructed in Singapore. This new center provides proactive research into new areas and latest training techniques, and coordinates operations in the field (INTERPOL, 2015). INTERPOL supports operations by local law enforcement agencies by providing subject matter expertise and forensic support. INTERPOL does not clearly spell out any frameworks, standards and/or mechanisms through which it can support successful prosecution of a rogue State in any world body, such as, the International court of Justice (ICJ, 2015). Therefore, despite their noble intentions, they have failed to address the issue at hand.  United States: The United States Cyber Command (USCYBERCOM) is a United States armed forces sub-unified command subordinate to United States Strategic Command. USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks, conduct full spectrum military cyberspace operations in order to enable actions in all domains, and ensure US/Allied freedom of action in cyberspace and deny the same to their adversaries (Cyberwar in the U.S., 2015). USCYBERCOM’s approach is clearly offensive in nature from a military perspective. Its main aim is to attack and cripple the enemy state's capability from launching any further cyber-attacks on the United States. This unilateral strategy is also missing the elements of design and implementation of international standards to regulate
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 10 cyber-behavior, but rather to punish any cyber-aggression with an equally proportionate response. Other agencies, including the Federal Communications Commission (FCC), have also regulated various cyberspace aspects with a domestic scope, failing to define and address global jurisdiction and standards. In summary, the efforts described above by the respective organizations have been theoretical in nature - mostly focusing on research and development, policy planning, serving as centers of excellence, being a facilitator, etc. Aforementioned organizations have failed to establish a comprehensive legal framework and standards required for effective governance and regulation of foreign state’s aggressive cyber-behavior. Next section discusses the challenges in developing and implementing global standards that will deter foreign states’ aggressive cyber- behavior, along with a roadmap to design, develop and implement effective international standards that none of the above entities have developed thus far. Developing and Implementing Global Standards Regulating Aggressive Cyber-behavior This section describes and explains major challenges behind developing and implementing global standards, along with a recommended roadmap to achieve this task. Challenges Following is a list of challenges hindering development and implementation of global standards (Shinder, 2011) to regulate aggressive cyber-behavior from a foreign state:  Lack of standards: At present, there are no local and/or global standards developed and implemented to regulate aggressive cyber-behavior of state actor.  Forensics: Due to sheer complexity and virtual nature of the crime, standards to collect, sanitize, and analyze forensic evidence, has not been determined.
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 11  Establishing identity: Cyber-criminals operate under false identities which can be undetected, but there are no standards developed to identify the culprit accurately.  Jurisdictional issues: Traditional subjective doctrine does not hold as there are no clearly marked boundaries during the commission of cyber-crime, which crosses political boundaries. Nations can determine the exact location of Internet activity to a certain extent by assigning Internet Protocol (IP) addresses and Domain Name Server (DNS) addresses to computers that coincide with their physical addresses, but cyber-terrorists can easily evade this identification system by masking their origin. The Victim State may base their prosecution (before international courts) on the principle of universal jurisdiction, however, this has been contested by many jurists and one of its significant limitations is that cyber-terrorists cannot be prosecuted preventively. The potential Victim State must wait for the crime to occur, and then prosecute (Stockton & Goldman, 2014, pp. 231-250).  Compliance: There is no law or regulation forcing countries to comply with certain standards or best practices. Countries can operate aggressively in the cyber landscape without any threat of punitive actions. Some countries have even gained notoriety by providing safe haven to hackers who operate on their behalf. Thus far, nations have not displayed a collective will to tackle the aforementioned challenges in order to develop global standards that will deter rogue states from committing cyber-crimes against other nations. Next sub-section provides some practical approaches to develop and implement a mutually-agreed upon set of global standards.
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 12 Roadmap Following suggested roadmap (Figure 1) can help with designing global standards to regulate aggressive cyber-behavior, along with recommendations to implement those standards. This roadmap is approached by keeping industry best practices and various program developm- ent methodologies in view, with a specific focus on continuous improvement (See Appendix E). Figure 1. Proposed model to develop and implement international standards vis-à-vis cyber-behavior  Consensus building: In this preliminary stage, states should recognize the need for mutual cooperation, recognize the issue that we are all confronted with, and with collective determination, work jointly in defining, developing, and implementing global standards to regulate foreign states’ aggressive cyber-behavior.  Global body creation: In this stage, all states must mutually agree to create a regulatory body with the power to enforce and prosecute aggressive cyber-behavior of a rogue nation. This should be formalized in policies, framework, and international standards.  Ownership: In this stage, states should develop internal policies and procedures to play an active role in the ‘global body’ and submit themselves to the decisions of this body. States should also allocating resources and maintain compliance at all times.
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 13  Design & development of tools: In this stage, Global body should leverage best practices to design and develop tools. These tools will support proposed universal framework and international standards to regulate aggressive cyber-behavior from a foreign state.  Development of procedures and processes: In this stage, procedures and processes should be documented to operationalize international standards. The most important aspect of these documents will be to define the scope, prosecution authority, logistics, and functional & administrative ownership. Defining these aspects clearly should take away the ambiguity that surrounds forensics, identity issues, and jurisdictional issues.  Jurisdiction and logistics: Even though this has been touched upon in the last step, but the success of this exercise hinges on proper definition of jurisdiction and scope, therefore, it warrants a policy document clearly detailing matters regarding scope, jurisdiction, and enforcement mechanism. It should also define prosecution authorities (e.g. ICJ) and policing accountabilities (e.g. INTERPOL) for those jurisdictions (on a rotating basis), allocation of resources, and periodicity around periodic review of this critical document.  Monitor and control: In this stage, the overall monitoring and controlling aspects should be defined. All violations should be identified, logged, addressed; and reviewed on a periodic basis. These records will also enable investigators to perform analysis to determine recurring trends, anomalies and outliers. The Global body should publish reports highlighting topics of significant public interest and areas of concern.  Continuous improvement: In this crucial stage, the Global body will be in an excellent position to advance its Research and Development (R&D) interests by leveraging other member states and also serve as a Center of Excellence on matters relating to standards for cyber security issues, research, advisory, best practice sharing, etc. All of these
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 14 activities will enable continuous improvement of this mode, and of the standards themselves. Conclusion This position paper is in support of the position that there lies an imminent need to develop and implement international standards to regulate aggressive cyber-behaviour of a foreign State. At the hand of rogue nations' aggressive cyber-activities, various countries have suffered enormous financial losses, with estimates ranging from $300 billion to $1 trillion. The significance and scope of this problem has been realized by various world bodies, resulting in varied responses. All proposed solutions have been theoretical, lacking concrete actions vis-a-vis defining global standards, jurisdiction, and prosecution mechanisms. Also, all of these solutions are geared toward regulating individual cyber-behavior within prescribed political boundaries, as opposed to regulating sovereign state’s aggressive cyber-behavior. Cyber-warfare’s rules of engagement are also different that of a conventional conflict, and thus, cyber-warfare’s rules remain to be formalized. In addition, the common challenges faced, when developing these international standards, is the lack of focus around jurisdictional definition and authority, lack of scope definition, forensic complexities, culprit's identity establishment issues, and general lack of will toward forming international standards. The key to coming up with effective international standards lies in countries launching this initiative from a globally recognized and respected platform (e.g. UN), developing a consensus through policy planning, allocating resources for the initiative, decide mutually-agreed upon deliverables, assign investigative bureau (e.g. INTERPOL), nominate prosecuting body (e.g. ICJ), take joint ownership of this initiative on a continuing basis, and most importantly, maintain full compliance themselves with the international standards at all times.
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 15 Moving forward, with the global paradigm shift (Ophardt, 2010, pp. 3-4) in the commission of state-committed (or state-sponsored) cyber-crimes and aggressive cyber- behaviour, global institutions (such as the United Nations, the International Court of Justice, and INTERPOL) have a major role to play to hold aggressive parties accountable for their actions, and to promote progress towards developing international standards, building consensus, and developing mechanisms to serve justice to Victim States (Glennon, 2013, pp. 569-570). Due to the dynamic nature of this issue, any solution will always be a work in progress as emerging challenges are addressed, and corresponding solutions appended into the framework.
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 16 References Ashford, W. (February 13, 2015). Data Breaches up by 49% in 2014. ComputerWeekly.com. Retrieved from http://www.computerweekly.com/news/2240240346/Data-breaches -up-49-in-2014-exposing-more-than-a-billion-records Awan, I. (2014). Debating the term cyber-terrorism: Issues and problems. Internet Journal of Criminology. Retrieved from http://www.internetjournalofcriminology.com/Awan_ Debating_The_Term_Cyber-Terrorism_IJC_Jan_2014.pdf Council of Europe. (2015). Standards: the convention and its Protocol. Retrieved from http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/default_en.asp Cyberwarfare. (2015). In Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Cyberwarfare Cyberwarfare In the United States. (2015). In Wikipedia. Retrieved from http://en.wikipedia.org/ wiki/Cyberwarfare_in_the_United_States Defence IQ. (2010, May 26). CIA, US Military Step Up Cyber Space Security Strategies. Retrieved from http://www.defenceiq.com/defence-technology/articles/cia-us-military- step-up-cyber-space-security-strat/ Feldman, N. (2015). Brainy Quote. Retrieved from http://www.brainyquote.com/ quotes/keywords/cyber.html Glennon, M. (2013). The dark future of international cybersecurity regulation. Journal of National Security Law & Policy, 4, 563-570. Retrieved from http://jnslp.com/wp-c ontent/uploads/2013/04/The-Dark-Future-of-International-Cybersecurity-Regulation.pdf Hathaway, O., Crootof, R., Levitz, P., Proctor, H., Nowlan, E., Perdue, W., Spiegel, J. (2011). The Law of Cyber-Attack. Yale Law & Economics Research Paper No. 453, 100 (4), 1- 76. Retrieved from http://www.law.yale.edu/documents/pdf/cglc/LawOfCyberAttack.pdf
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 17 IMPACT. (2015). Mission & Vision. Retrieved from http://www.impact- alliance.org/ aboutus/mission-&-vision.html InfoSec Institute. (2013). 2013 - The impact of cybercrime. Retrieved from http://resources.infosecinstitute.com/2013-impact-cybercrime/ INTERPOL. (2015). Cybercrime. Retrieved from http://www.interpol.int/ Crime-areas/ Cybercrime/Cybercrime ICJ. (2015). Jurisdiction. Retrieved from http://www.icj-cij.org/jurisdiction/index.php?p1=5 Kanuck, S. (2010). Sovereign discourse on cyber conflict under international law, Texas Law Review, 88, 1570-1597. Retrieved from https://www.law.upenn.edu/institutes/cerl/ conferences/cyberwar/papers/reading/Kanuck.pdf McAfee. (2013). The economic impact of cybercrime and cyber espionage. Retrieved from http://www.mcafee.com/ca/resources/reports/rp-economic-impact-cybercrime- summary.pdf OAS. (2015). Cyber-security program. Retrieved fromhttps://www.sites.oas.org/ cyber/en/Pages/default.aspx Ophardt, J. (2010). Cyber warfare and the crime of aggressions: The need for individual accountability on tomorrow's battlefield. Duke Law & Technology Review, 9(2), 1-27. Retrieved from http://scholarship.law.duke.edu/dltr/vol9/iss1/2 Passeri, P. (2015, April 13). March 2015 Cyber Attacks Statistics. Retrieved from http://hackmageddon.com/category/security/cyber-attacks-statistics/ Schjolberg, S. (2007). Terrorism in Cyberspace - Myth or reality?. Retrieved from http://www.cybercrimelaw.net/documents/Cyberterrorism.pdf Shinder, D. (2011, January 26). What makes cybercrime laws so difficult to enforce. Tech
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 18 Republic. Retrieved from http://www.techrepublic.com/blog/it-security/what-makes- cybercrime-laws-so-difficult-to-enforce/ Stockton, P., Goldman, M., (2014). Prosecuting cyberterrorists: Applying traditional jurisdictional frameworks to a modern threat. Stanford Law & Policy Review, 25, 211- 268. Retrieved from https://journals.law.stanford.edu/sites/default/files/stanford-law- policy-review/print/2014/06/stockton_goldman_25_stan._l._poly_rev._211.pdf Wegener, H. (2014). Regulating Cyber Behaviour: Some Initial Reflections on Codes of Conduct and Confidence-Building Measures. Retrieved from https://www.unibw.de/infosecur/ publications/individual_publications/wegener_regulating_cyber_behaviour_paper_2014
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 19 Appendix A Cyber-attack Representations Chart A – Distribution of Cyber-attack targets Chart B – Distribution of Cyber-attack techniques Chart C – Distribution of Cyber-attack (by industry) Chart D – Distribution of Cyber-attack (by Org.) Note: Above pie charts represent cyber-attack target distribution, cyber-attack techniques employed to infiltrate the target organizations, categorization of industries affected by these cyber-attacks, and types of organizations attacked. Source: http://hackmageddon.com/author/paulsparrows/
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 20 Appendix B Examples of recent incidents of nations' cyber warfare 2014 North Korea hacked SONY Pictures Entertainment The cyber-attack on Sony Pictures Entertainment by a state-sponsored group called the Guardians of Peace resulted in a canceled movie release (at least for a little while), leaked personal information, and apologies from Hollywood executives caught in embarrassing e-mail conversations. 2012 Iran (via proxy) attacks US energy interest and ally Forensic investigation revealed that virus (named Shamoon) was brought in on a USB drive and planted in the network by an authorized user. This compromised and disrupted more than 75% of networked computers (30,000) affecting world’s largest oil and gas producer’s production. 2010 US & Israel attack Iranian nuclear facility New York Times reported that the US along with Israel was responsible for Stuxnet computer virus that was used to destroy centrifuges in an Iranian nuclear facility in 2010. 2010 Indian-sponsored group hacks Pakistani websites A group calling itself the Indian Cyber Army hacked the websites belonging to the Pakistan Army and other government ministries to avenge Mumbai attacks. 2010 Britain cautioned against cyber threats from ‘hostile’ states Britain’s internal agency warned against cyber threats from hostile states and criminals. 2009 North Korea attacks South Korea & USA A series of coordinated denial of service attacks against major government, news media, and financial websites in South Korea and the United States. While many thought the attack was directed by North Korea, one researcher traced the attacks to the United Kingdom. 2007 Israel attacks Syria Israel carried out an airstrike on Syria dubbed Operation Orchard. U.S. industry and military sources speculated that the Israelis may have used cyber-warfare to allow their planes to pass undetected by radar into Syria. 2007 Russia attacks Estonia Estonia came under cyber-attack in the wake of relocation of the Bronze Soldier of Tallinn. The largest part of the attacks were coming from Russia and from official servers of the authorities of Russia. In the attack, ministries, banks, and media were targeted. This attack on Estonia, a seemingly small Baltic nation, was so effective because of how most of the nation is run online. 2006 Israel (via proxies) attacks Hezbollah Israel alleges that cyber-warfare was part of the conflict, where the Israel Defense Forces (IDF) intelligence estimates several countries in the Middle East used Russian hackers and scientists to operate on their behalf.
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 21 Appendix C Cyber-attacks on various Nations (by category) Note. CC=Cybercrime, H= Hacktivism, CE= Cyber Espionage, CW=Cyber Warfare
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 22 Appendix D Estimated cost of cybercrime in US and Globally (As of November 2013)
International Standards to Regulate Aggressive Cyber-behavior from a Foreign State 23 Appendix E © 2015. Mansoor Faridi. All rights reserved. The above model is inspired to develop and implement international standards vis-à-vis aggressive cyber-behavior of a foreign state. The inspiration behind this approach is based on research materials produced by global organization, industry best practices, global frameworks, and international standards pertaining to quality assurance as follows: ISO 27000x, Capability Maturity Model Integration (CMMI) for Development Ver. 1.3, NIST, InfoSec Institute publications, ISACA publications, FCC publications, etc. The focus is on developing a mutually-agreed upon consensus and then on continuous process improvement of the deliverables as the solution matures and lessons are learned.

More Related Content

PPTX
Online security – an assessment of the new
bysunnyjoshi88
 
PPTX
Confrance presntstation
byTechnical Advisor at Iraqi Government
 
PDF
Revisiting the state: why governments are interested in cybersecurity
byMaarten Van Horenbeeck
 
PDF
FINAL_Report
byJohn J. Walter
 
PPTX
Cyber Civil Defense - Risk Masters - Allan Cytryn
byBoston Global Forum
 
PDF
Cyber-enabled Information Operations -- Inglis 04 27-17 -- SASC
byDavid Sweigert
 
PPTX
Cyberwar and Geopolitics
bytnwac
 
PDF
R41674
byKROTOASA FOUNDATION
 
Online security – an assessment of the new
bysunnyjoshi88
 
Confrance presntstation
byTechnical Advisor at Iraqi Government
 
Revisiting the state: why governments are interested in cybersecurity
byMaarten Van Horenbeeck
 
FINAL_Report
byJohn J. Walter
 
Cyber Civil Defense - Risk Masters - Allan Cytryn
byBoston Global Forum
 
Cyber-enabled Information Operations -- Inglis 04 27-17 -- SASC
byDavid Sweigert
 
Cyberwar and Geopolitics
bytnwac
 
R41674
byKROTOASA FOUNDATION
 

What's hot

PPTX
BGF-UNESCO-at-UCLA conference - Madness - The dynamics of International Cyber...
byBoston Global Forum
 
PDF
Marriage of Cyber Security with Emergency Management -- Action Plan
byDavid Sweigert
 
DOCX
Seminar Paper Heller
byKyle Heller
 
PPTX
Cybersecurity Day for Parliament
byOxford Martin Centre, OII, and Computer Science at the University of Oxford
 
PDF
Keep in touch for cyber peace_20150212
byKunihiro Maeda
 
PPTX
Mike Alcorn presentation
bysvito
 
PDF
Message to White House to take Cyber Security seriously - from MIT
byDavid Sweigert
 
PDF
Concepts On Information Sharing And Interoperability Contestabile Final 03 0...
byjcontestabile
 
PDF
GDRR Opening Workshop - Network Connectivity and Implications for Systemic Ri...
byThe Statistical and Applied Mathematical Sciences Institute
 
PDF
Reliability not Reliance.
byGeorge Briggs
 
PDF
DEF CON 27 - Voting village - report defcon27 hires
byFelipe Prado
 
PDF
8th Milestones meeting: Cyber violence roundtable
byCenter for Innovative Public Health Research
 
PDF
1 s2.0-s0267364913000666-main
byUniversity of Malaya
 
PDF
Understanding Systemic Cyber Risk
byKirstjen Nielsen
 
PPTX
Presentation at COMPACT Project event in Riga - Disinformation, Media literac...
byOles Kulchytskyy
 
PDF
The Federal Government's Track Record on Cybersecurity and Critical Infrastru...
by- Mark - Fullbright
 
PDF
Censorship and Controversy
byVARUN KUMAR
 
PDF
Dni nato cyber panel via the intercept
byBaddddBoyyyy
 
PDF
Introduction to Censorship
byVARUN KUMAR
 
PDF
CSFI-Cyber_Conflict_Post_Exercise
byConnie Uthoff
 
BGF-UNESCO-at-UCLA conference - Madness - The dynamics of International Cyber...
byBoston Global Forum
 
Marriage of Cyber Security with Emergency Management -- Action Plan
byDavid Sweigert
 
Seminar Paper Heller
byKyle Heller
 
Cybersecurity Day for Parliament
byOxford Martin Centre, OII, and Computer Science at the University of Oxford
 
Keep in touch for cyber peace_20150212
byKunihiro Maeda
 
Mike Alcorn presentation
bysvito
 
Message to White House to take Cyber Security seriously - from MIT
byDavid Sweigert
 
Concepts On Information Sharing And Interoperability Contestabile Final 03 0...
byjcontestabile
 
GDRR Opening Workshop - Network Connectivity and Implications for Systemic Ri...
byThe Statistical and Applied Mathematical Sciences Institute
 
Reliability not Reliance.
byGeorge Briggs
 
DEF CON 27 - Voting village - report defcon27 hires
byFelipe Prado
 
8th Milestones meeting: Cyber violence roundtable
byCenter for Innovative Public Health Research
 
1 s2.0-s0267364913000666-main
byUniversity of Malaya
 
Understanding Systemic Cyber Risk
byKirstjen Nielsen
 
Presentation at COMPACT Project event in Riga - Disinformation, Media literac...
byOles Kulchytskyy
 
The Federal Government's Track Record on Cybersecurity and Critical Infrastru...
by- Mark - Fullbright
 
Censorship and Controversy
byVARUN KUMAR
 
Dni nato cyber panel via the intercept
byBaddddBoyyyy
 
Introduction to Censorship
byVARUN KUMAR
 
CSFI-Cyber_Conflict_Post_Exercise
byConnie Uthoff
 

Viewers also liked

PPTX
Which is the right place for the property
bylee shin
 
PDF
Guide - Demonstrating Positive Elearning ROI
bySusan Canny
 
PPTX
03. Последствия Великой депрессии
byAnastasiyaF
 
PPTX
El estrés del comportamiento organizacional
byJulieth Gelvez
 
DOC
KD-CV
byKaustubh Datta
 
PDF
Plan gestion2011
byRosabell Orfelinda
 
PDF
Battle Of Theoi - Board Game Design & Marketing Presentation
byShriram Srinivasan
 
PPTX
Integrated facilities management_080816- masked
byNupur Srivastava
 
PPTX
Lizbeth q
byMrLopez13
 
PPS
Chasseurs+d'images
byGeorge Martin
 
PPTX
Title Card Appearance
byDIDI1998sdf
 
PPTX
06. Збліжэнне Вялікага княства Літоўскага з Польшчай
byAnastasiyaF
 
PPTX
BRN Symposium 03/06/06 Conclusions : The Microbiome in respiratory medicine
bybrnmomentum
 
PPTX
03. Беларусь у польска-савецкай вайне 1919-1920 гг.
byAnastasiyaF
 
DOC
RANJIT CV NEW
byranjit singh
 
PPTX
Banana
byTATThanaporn
 
Which is the right place for the property
bylee shin
 
Guide - Demonstrating Positive Elearning ROI
bySusan Canny
 
03. Последствия Великой депрессии
byAnastasiyaF
 
El estrés del comportamiento organizacional
byJulieth Gelvez
 
KD-CV
byKaustubh Datta
 
Plan gestion2011
byRosabell Orfelinda
 
Battle Of Theoi - Board Game Design & Marketing Presentation
byShriram Srinivasan
 
Integrated facilities management_080816- masked
byNupur Srivastava
 
Lizbeth q
byMrLopez13
 
Chasseurs+d'images
byGeorge Martin
 
Title Card Appearance
byDIDI1998sdf
 
06. Збліжэнне Вялікага княства Літоўскага з Польшчай
byAnastasiyaF
 
BRN Symposium 03/06/06 Conclusions : The Microbiome in respiratory medicine
bybrnmomentum
 
03. Беларусь у польска-савецкай вайне 1919-1920 гг.
byAnastasiyaF
 
RANJIT CV NEW
byranjit singh
 
Banana
byTATThanaporn
 

Similar to International Standards to Regulate Aggressive Cyber-behavior from a Foreign State_RR

PDF
Cyber-Terrorism A Wicked Problem - Academic Strive
byacademicstrivee
 
PPTX
final ppt book review understanding cyber laws.pptx
byssuser78645d
 
PPTX
DOC- 20250428-WA0014..pptx
byDeepShikha757230
 
PDF
An Internet of Governments
byRobbie Mitchell
 
PDF
Law and warfare in the cyber domain (for NSSP, AFP, NDCP)
byBenjamin Ang
 
DOCX
Cyber-Terrorism Finding a Common Starting Point By Je
byOllieShoresna
 
PDF
No Shortcuts Why States Struggle To Develop A Military Cyberforce Max Smeets
bytuvengsermi
 
PDF
VFAC REVIEW issue12_extract_2016
byCameron Brown
 
DOCX
The Legalities of CyberWarfare
byAdam Kinder
 
PPTX
Cyber Warfare - Jamie Reece Moore
byJamie Moore
 
PDF
Why Great Powers Launch Destructive Cyber Operations and What to Do About It ...
bySnarky Security
 
PPTX
CYBER SECURITY.pptx
byAqiafKhattak
 
PDF
Global Security Challenges of the 21st Century: Workshop on Cyber Crimes
byMichelle Ribeiro
 
PDF
Crossing the Line: The Law of War and Cyber Engagement - A Symposium
byJonathan Meyer
 
PPTX
CYBERSECURITY AND DIGITAL POLICY (1).pptx
bydonnajeanfernandez00
 
PPTX
Trend of cyber terrorism in the present world.pptx
byBini R A
 
DOCX
Cyberpower and National SecurityRelated titles.docx
byaryan532920
 
PDF
Forecast cybersecurity regulation v3
byJoe Orlando
 
PPTX
I4ADA 2019 - Presentation Accountability & cyber security & cyber peace
byPaul van Heel
 
PDF
Cyberterror & ciberwarfare - SILVA JR., Nelmon J.
byAutônomo
 
Cyber-Terrorism A Wicked Problem - Academic Strive
byacademicstrivee
 
final ppt book review understanding cyber laws.pptx
byssuser78645d
 
DOC- 20250428-WA0014..pptx
byDeepShikha757230
 
An Internet of Governments
byRobbie Mitchell
 
Law and warfare in the cyber domain (for NSSP, AFP, NDCP)
byBenjamin Ang
 
Cyber-Terrorism Finding a Common Starting Point By Je
byOllieShoresna
 
No Shortcuts Why States Struggle To Develop A Military Cyberforce Max Smeets
bytuvengsermi
 
VFAC REVIEW issue12_extract_2016
byCameron Brown
 
The Legalities of CyberWarfare
byAdam Kinder
 
Cyber Warfare - Jamie Reece Moore
byJamie Moore
 
Why Great Powers Launch Destructive Cyber Operations and What to Do About It ...
bySnarky Security
 
CYBER SECURITY.pptx
byAqiafKhattak
 
Global Security Challenges of the 21st Century: Workshop on Cyber Crimes
byMichelle Ribeiro
 
Crossing the Line: The Law of War and Cyber Engagement - A Symposium
byJonathan Meyer
 
CYBERSECURITY AND DIGITAL POLICY (1).pptx
bydonnajeanfernandez00
 
Trend of cyber terrorism in the present world.pptx
byBini R A
 
Cyberpower and National SecurityRelated titles.docx
byaryan532920
 
Forecast cybersecurity regulation v3
byJoe Orlando
 
I4ADA 2019 - Presentation Accountability & cyber security & cyber peace
byPaul van Heel
 
Cyberterror & ciberwarfare - SILVA JR., Nelmon J.
byAutônomo
 

International Standards to Regulate Aggressive Cyber-behavior from a Foreign State_RR

  • 1.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State International Standards to Regulate Aggressive Cyber-behaviour from a Foreign State Mansoor Faridi Fort Hays State University May 10, 2015 Author Note Mansoor Faridi, Department of Informatics, Fort Hays State University. Mansoor Faridi is a graduate student at Fort Hays State University specializing in Information Assurance Management. He lives in Toronto, Canada where he manages the Compliance function for a major Canadian Financial Institution. This position paper is a deliverable for Public Policy, Law, and Ethics in Informatics (INT610) course. Correspondence concerning this paper should be addressed to Mansoor Faridi. Contact: [m_faridi@mail.fhsu.edu]
  • 2.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State ii Table of Contents Abstract .......................................................................................................................................1 Introduction ..................................................................................................................................2 Regulation of Foreign State’s Aggressive Cyber-behavior .........................................................3 Background ……………………………………………………………………………..3 Significance ……………………………………………………………………………..4 Present Frameworks Regulating Aggressive Cyber-behavior ......................................................5 Problem Definition ……………………………………………………………………...5 Current Status ...................................................................................................................6 Developing and Implementing Global Standards Regulating Aggressive Cyber-behavior .......10 Challenges ......................................................................................................................10 Roadmap ........................................................................................................................12 Conclusion ................................................................................................................................14 References ..................................................................................................................................16 Appendices Appendix A – Cyber-attack representations Appendix B – Examples of recent incidents of nations' cyber warfare Appendix C – Cyber-attacks on various Nations (by category) Appendix D – Estimates cost of cybercrimes in U.S. and Globally Appendix E – Model to develop global standards regulating aggressive cyber-behavior
  • 3.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State 1 Abstract Where technological advancements have improved our quality of life, it has also exposed us to previously unknown threat vectors, such as, aggressive cyber-behaviour from a foreign State. This significant issue has materialized in the form of huge financial losses (and otherwise), and disruption of critical service provision. The main reason behind this problem is owing to absence of international standards regulating foreign State’s aggressive cyber-behavior. The global community has failed to develop a united front to develop and implement effective solutions to tackle this issue proactively. Some global and regional organizations have developed frameworks that also fail to address this issue fully, as their scope is domestic, focussing on individuals’ cyber-behaviour (as opposed to State), and solutions are theoretical in nature with no provisions defining investigation and prosecution mechanism. Since the rules of engagement of modern cyber-warfare are different than conventional military conflict, therefore, nations need to take this distinction into consideration when approaching the issue. Another important aspect is codification of international standards including the definition of scope, jurisdiction, forensic procedures, resources, investigative and prosecution authorities. This difficult feat is possible with mutual cooperation, active involvement, and maintaining compliance (by member nations) with these international standards regulating foreign state’s aggressive cyber-behavior. Keywords: best practices, coe, continuous improvement, cyber-hacktivism, cyber-law, cyber- terrorism, cyber-warfare, impact, interpol, nato, jurisdiction, sovereign, united nations, wegener
  • 4.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State 2 International Standards to Regulate Aggressive Cyber-behavior from a Foreign State Mansoor Faridi Fort Hays State University Introduction This position paper supports the argument that ‘there exists an imminent need to develop and implement international standards to regulate aggressive cyber-behavior from foreign State.’ First section provides background and significance of the issue, illustrates the magnitude of this problem with examples of sovereign nations attacking each other in cyber-space, concluding with estimates of financial losses incurred due to this aggressive cyber-behavior. Second section describes the issue in detail along with a description of frameworks developed by various global organizations to regulate cyber-behavior. However, all frameworks lack in scope (focus on regulating individuals’ cyber-behavior as opposed to that of the State), and intent (theoretical in nature without defining jurisdiction and prosecuting authorities). Third section lists and discusses major challenges hindering the development and implementation of the aforementioned global standards; it also provides some recommendations along with a roadmap to design, develop, and implement global standards. The section concludes by detailing an overall approach emphasizing collaborative engagement and launching of this initiative through globally recognized platforms, with respected world bodies supporting investigation and prosecution mechanisms. This position is based on an overall approach in a global context where centralized institutions are responsible for designing, developing, implementing, regulating, prosecuting, and enforcing international standards. The approach has been inspired by industry best practices and global standards and frameworks with a focus on continuous improvement to keep the standards agile, relevant, and up-to-date!
  • 5.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State 3 Regulation of Foreign State’s Aggressive Cyber-behavior In my opinion, there is an imminent need to design, develop and implement robust, effective, and comprehensive international standards to regulate aggressive cyber-behavior instigated by a foreign nation state against another entity, such as another state, organization, person, etc. These standards should be supported by an international body (such as the United Nations, Interpol, etc.) to ensure its legal enforcement and effective implementation on a global scale. The sub-sections below describe the background and significance of this issue. Background In traditional warfare, strategic objectives are realized by executing offensive maneuvers. This cripples a nation by inflicting damage to its airfield, ports, roads, ordnance depot, defense and communication capabilities, etc. However, with technological advancements, the focus has shifted to a more sophisticated mode of warfare, which is equally lethal but entirely virtual [emphasis added] in nature (See Figure 1, Passeri, 2015). This is eloquently summed up by Noah Feldman (2015), Harvard Law professor, “Cyber- attacks … as a strategic matter … do not differ fundamentally from older tools of espionage and sabotage.” In fact, cyber-warfare is politically motivated hacking to conduct sabotage and cyber espionage (Cyberwarfare, 2015; See Appendix A, Chart A). The change in venue where the ‘war’ is being fought has led to a paradigm shift. This aggressive cyber-behavior is akin to cases of road-rage. Fortunately, we have traffic laws to deal with such menace; however, we do not have a holistic set of international standards regulate aggressive cyber-behavior from foreign State actors. This is defined as “attacks or series of attacks on critical information carried out by terrorists and instills fear by effects that are disruptive or destructive and has a political , religious and ideological motivation” (Schjolberg,
  • 6.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State 4 2007, p. 2). Table 1 below illustrates recent examples of cyber-attacks instigated by sovereign nations on other nations and entities (See Appendix B for details; Cyberwarfare, 2015). Table 1 Instances of nations’ cyber-warfare Next sub-section highlights the gravity and impact of cyber-crimes supported by statistics, and signifies how cyber-crimes expose the vulnerabilities of our data and information, as it relates to its privacy, security, integrity, and availability. Significance Through cyber-warfare, nations (or proxy agents acting on their behalf) try to gain illegal access to data and information, in order to sabotage, conduct espionage, harm critical infrastructure, assets, and disrupt mission critical operations (Awan, 2010, p. 6); resulting in significant financial losses, tarnished reputations, and even leading to total financial collapse. According to the InfoSec Institute (2013), estimated total global losses owing to cyber- crimes ranged from $300 billion to $1 trillion (See Table 2, McAfee, 2013, p. 4); which equates to a noticeable percentage of 0.4% to 1.4% of the world’s GDP! (See Appendix D) The magnitude of this problem, signified by the troubling statistics, is sufficiently alarming to trigger immediate response by policy makers globally (Wegener, 2014, p.2). If an issue of such paramount importance is not proactively tackled and addressed by developing policies and standards, then it will put us at a disadvantage to effectively combat cyber- warfare/cyber-terrorism instigated by rogue nations. According to Passeri (2015), the most
  • 7.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State 5 cyber-attacked countries are U.S., U.K., and Australia, respectively. However, in March 2015, U.S. was the subject of most cyber-hacktivism attacks worldwide (See Appendix C). In case of inaction, rogue states will continue to exhibit aggressive cyber-behavior, inflicting damage on other states without any threat of a retaliatory response; and the biggest loser in all this will be the general public, as they rely on their respective countries for provision of various services that are supported by critical infrastructure that is vulnerable to these threats. It is comforting to know that United States and United Nations have taken several steps in the right direction to address this issue head-on, which forms the topic of discussion in the next section. It is high time that a mechanism is established, as echoed by Leon Panetta (CIA Director, 2009 - 2011), “it was vital for the organization to be one step ahead of the game when it comes to challenges like cyber space security.” (Defence, 2010) Present Frameworks Regulating Aggressive Cyber-behavior Though the extent of losses is not fully quantified, however there is ample evidence available (See Appendix D) to estimate the extent of losses, and to determine major sources of threats emanating from certain rogue nations (See Appendix B) - what also remains unclear is the absence of repercussions (Hathaway et al., 2011, p. 52) in current international legal frameworks to deter nations from engaging in this aggressive cyber-behavior. The following sub- sections describe the problem, analyzing the frameworks by examining their shortcomings. Problem Definition Presently, comprehensive international standards do not exist, and some frameworks that do exist fail to address the issue of cyber-aggression perpetrated by a sovereign state, but rather by individuals. To date, satisfactory steps have not been taken to design and implement international standards effectively combatting foreign states’ aggressive cyber-behavior. Next
  • 8.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State 6 sub-section describes various frameworks developed to date, and why they failed to regulate foreign state’s aggressive cyber-behavior. Current Status International standards are drafted by various entities based on the premise afforded by international laws. Presently, the international law of countermeasures does not define when a cyber-attack is unlawful, nor does it clearly differentiate between the instigator as an individual or a sovereign state. It simply provides that when a State commits an international law violation, an injured State may respond with a reciprocal act. In the cyber-attack context, injured State may employ active defenses as reciprocal countermeasures, in which injured State ceases obeying the same or a related obligation to the one the responsible State violated. The challenges to such a response is firstly to identify attacker’s identity, as it may not be a State but a proxy working on its behalf. Secondly, it is difficult to deploy countermeasures to only injure the actor that perpetuated the attack. For these reasons, the customary law of countermeasures offers only a partial answer to the problem of sovereign cyber-attacks (Kanuck, 2010, p. 1586; Hathaway et al., 2011, pp. 45-47). However, some mechanisms (listed below) have been developed to regulate aggressive cyber-behavior (Hathaway et al., 2011, p. 48) of individuals, which can be extended to sovereign states as well after revising their scope and modifying the overall intent.  The United Nations: Headquartered in Cyberjaya, Malaysia, the International Multilateral Partnership Against Cyber Threats (IMPACT) was created in 2008 (IMPACT, 2015) with United Nations support to serve as a politically neutral global platform that brings together governments of the world, industry and academia to enhance the global community’s capabilities in dealing with cyber threats. With a total of 152 member
  • 9.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State 7 states, IMPACT coordinates its partners’ resources to fight cyber-crimes that go beyond political borders. IMPACT provides research and training services, policy planning, and cyber-intelligence gathering & sharing with its partners, however, it lacks any prosecution and/or enforcement authority. It can be concluded that at present, United Nations role vis-a-vis cyber-security remains largely limited to facilitating discussions and information sharing among member states, failing to address the issue at hand.  North Atlantic Treaty Organization (NATO): In 2008, a NATO summit prompted the creation of two new NATO divisions focused on cyber-attacks: the Cyber Defense Management Authority and the Cooperative Cyber Defense Centre of Excellence (Hathaway et al., 2011, pp. 50-51). The Cyber Defense Management Authority aims to centralize cyber-defense capabilities across NATO members. Due to lack of publicly available information, it is speculated that the Authority is believed to possess “real-time electronic monitoring capabilities for pinpointing threats and sharing critical cyber intelligence in real-time”, with the ultimate goal of becoming an operational war room for cyber-defense. The Cooperative Cyber Defense Centre of Excellence aspires to “advance the development of long-term NATO cyber defense doctrine and strategy.” In conflict with NATO's Article 5, member states do not feel compelled, and are not bound, to "assist” each other in case of a cyber-attack on any member state. NATO’s creation of these two divisions represents the recognition of the problem and a tangible step in the right direction; however, both divisions lack any prosecution and/or enforcement authority to deter aggressive cyber-behavior by a sovereign state.
  • 10.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State 8  The Council of Europe: In 2001, the Council of Europe promulgated a common criminal policy aimed at the protection of society against cybercrime, through legislation and international cooperation (Council, 2015). The rules of this framework do not appear to apply to government actions, whether taken for law enforcement or national security purposes. Member states have implicitly ensured full cooperation during investigation and/or prosecution, however, the most developed international legal framework voids itself by ignoring ‘government actions’, and hence fails to serve as a deterrent.  The Organization of American States: The Organization of American States (OAS) aims to build and strengthen cyber-security capacity in the member states through technical assistance and training, policy roundtables, crisis management exercises, and the exchange of best practices related to information and communication technologies. In 2004, OAS approved the creation of a cyber-security program to build cyber security capacity in OAS member states, recognizing that the responsibility for securing cyberspace lies with a wide range of national and regional entities from the public and private sectors working on both policy and technical issues. The main objectives focus around developing threat identification and mitigation capabilities, timely communication to all member states, and strategic planning activities supported by all member states (OAS, 2015). Again, OAS’ cyber security program fails to formalize prosecution mechanism to criminalize and prosecute illegal/aggressive cyber-behavior from a sovereign state.  The Shanghai Cooperation Organization: In its Yekaterinburg Declaration of June 16, 2009, member states have recognized the significance of cyber-security issues but have
  • 11.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State 9 not formalized any concrete actions. The absence of any framework and standards renders this initiative invalid when combating sovereign state’s cyber aggression.  INTERPOL: INTERPOL is committed to becoming a global coordination body on the detection and prevention of digital crimes through its INTERPOL Global Complex for Innovation (IGCI), currently being constructed in Singapore. This new center provides proactive research into new areas and latest training techniques, and coordinates operations in the field (INTERPOL, 2015). INTERPOL supports operations by local law enforcement agencies by providing subject matter expertise and forensic support. INTERPOL does not clearly spell out any frameworks, standards and/or mechanisms through which it can support successful prosecution of a rogue State in any world body, such as, the International court of Justice (ICJ, 2015). Therefore, despite their noble intentions, they have failed to address the issue at hand.  United States: The United States Cyber Command (USCYBERCOM) is a United States armed forces sub-unified command subordinate to United States Strategic Command. USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks, conduct full spectrum military cyberspace operations in order to enable actions in all domains, and ensure US/Allied freedom of action in cyberspace and deny the same to their adversaries (Cyberwar in the U.S., 2015). USCYBERCOM’s approach is clearly offensive in nature from a military perspective. Its main aim is to attack and cripple the enemy state's capability from launching any further cyber-attacks on the United States. This unilateral strategy is also missing the elements of design and implementation of international standards to regulate
  • 12.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State 10 cyber-behavior, but rather to punish any cyber-aggression with an equally proportionate response. Other agencies, including the Federal Communications Commission (FCC), have also regulated various cyberspace aspects with a domestic scope, failing to define and address global jurisdiction and standards. In summary, the efforts described above by the respective organizations have been theoretical in nature - mostly focusing on research and development, policy planning, serving as centers of excellence, being a facilitator, etc. Aforementioned organizations have failed to establish a comprehensive legal framework and standards required for effective governance and regulation of foreign state’s aggressive cyber-behavior. Next section discusses the challenges in developing and implementing global standards that will deter foreign states’ aggressive cyber- behavior, along with a roadmap to design, develop and implement effective international standards that none of the above entities have developed thus far. Developing and Implementing Global Standards Regulating Aggressive Cyber-behavior This section describes and explains major challenges behind developing and implementing global standards, along with a recommended roadmap to achieve this task. Challenges Following is a list of challenges hindering development and implementation of global standards (Shinder, 2011) to regulate aggressive cyber-behavior from a foreign state:  Lack of standards: At present, there are no local and/or global standards developed and implemented to regulate aggressive cyber-behavior of state actor.  Forensics: Due to sheer complexity and virtual nature of the crime, standards to collect, sanitize, and analyze forensic evidence, has not been determined.
  • 13.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State 11  Establishing identity: Cyber-criminals operate under false identities which can be undetected, but there are no standards developed to identify the culprit accurately.  Jurisdictional issues: Traditional subjective doctrine does not hold as there are no clearly marked boundaries during the commission of cyber-crime, which crosses political boundaries. Nations can determine the exact location of Internet activity to a certain extent by assigning Internet Protocol (IP) addresses and Domain Name Server (DNS) addresses to computers that coincide with their physical addresses, but cyber-terrorists can easily evade this identification system by masking their origin. The Victim State may base their prosecution (before international courts) on the principle of universal jurisdiction, however, this has been contested by many jurists and one of its significant limitations is that cyber-terrorists cannot be prosecuted preventively. The potential Victim State must wait for the crime to occur, and then prosecute (Stockton & Goldman, 2014, pp. 231-250).  Compliance: There is no law or regulation forcing countries to comply with certain standards or best practices. Countries can operate aggressively in the cyber landscape without any threat of punitive actions. Some countries have even gained notoriety by providing safe haven to hackers who operate on their behalf. Thus far, nations have not displayed a collective will to tackle the aforementioned challenges in order to develop global standards that will deter rogue states from committing cyber-crimes against other nations. Next sub-section provides some practical approaches to develop and implement a mutually-agreed upon set of global standards.
  • 14.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State 12 Roadmap Following suggested roadmap (Figure 1) can help with designing global standards to regulate aggressive cyber-behavior, along with recommendations to implement those standards. This roadmap is approached by keeping industry best practices and various program developm- ent methodologies in view, with a specific focus on continuous improvement (See Appendix E). Figure 1. Proposed model to develop and implement international standards vis-à-vis cyber-behavior  Consensus building: In this preliminary stage, states should recognize the need for mutual cooperation, recognize the issue that we are all confronted with, and with collective determination, work jointly in defining, developing, and implementing global standards to regulate foreign states’ aggressive cyber-behavior.  Global body creation: In this stage, all states must mutually agree to create a regulatory body with the power to enforce and prosecute aggressive cyber-behavior of a rogue nation. This should be formalized in policies, framework, and international standards.  Ownership: In this stage, states should develop internal policies and procedures to play an active role in the ‘global body’ and submit themselves to the decisions of this body. States should also allocating resources and maintain compliance at all times.
  • 15.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State 13  Design & development of tools: In this stage, Global body should leverage best practices to design and develop tools. These tools will support proposed universal framework and international standards to regulate aggressive cyber-behavior from a foreign state.  Development of procedures and processes: In this stage, procedures and processes should be documented to operationalize international standards. The most important aspect of these documents will be to define the scope, prosecution authority, logistics, and functional & administrative ownership. Defining these aspects clearly should take away the ambiguity that surrounds forensics, identity issues, and jurisdictional issues.  Jurisdiction and logistics: Even though this has been touched upon in the last step, but the success of this exercise hinges on proper definition of jurisdiction and scope, therefore, it warrants a policy document clearly detailing matters regarding scope, jurisdiction, and enforcement mechanism. It should also define prosecution authorities (e.g. ICJ) and policing accountabilities (e.g. INTERPOL) for those jurisdictions (on a rotating basis), allocation of resources, and periodicity around periodic review of this critical document.  Monitor and control: In this stage, the overall monitoring and controlling aspects should be defined. All violations should be identified, logged, addressed; and reviewed on a periodic basis. These records will also enable investigators to perform analysis to determine recurring trends, anomalies and outliers. The Global body should publish reports highlighting topics of significant public interest and areas of concern.  Continuous improvement: In this crucial stage, the Global body will be in an excellent position to advance its Research and Development (R&D) interests by leveraging other member states and also serve as a Center of Excellence on matters relating to standards for cyber security issues, research, advisory, best practice sharing, etc. All of these
  • 16.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State 14 activities will enable continuous improvement of this mode, and of the standards themselves. Conclusion This position paper is in support of the position that there lies an imminent need to develop and implement international standards to regulate aggressive cyber-behaviour of a foreign State. At the hand of rogue nations' aggressive cyber-activities, various countries have suffered enormous financial losses, with estimates ranging from $300 billion to $1 trillion. The significance and scope of this problem has been realized by various world bodies, resulting in varied responses. All proposed solutions have been theoretical, lacking concrete actions vis-a-vis defining global standards, jurisdiction, and prosecution mechanisms. Also, all of these solutions are geared toward regulating individual cyber-behavior within prescribed political boundaries, as opposed to regulating sovereign state’s aggressive cyber-behavior. Cyber-warfare’s rules of engagement are also different that of a conventional conflict, and thus, cyber-warfare’s rules remain to be formalized. In addition, the common challenges faced, when developing these international standards, is the lack of focus around jurisdictional definition and authority, lack of scope definition, forensic complexities, culprit's identity establishment issues, and general lack of will toward forming international standards. The key to coming up with effective international standards lies in countries launching this initiative from a globally recognized and respected platform (e.g. UN), developing a consensus through policy planning, allocating resources for the initiative, decide mutually-agreed upon deliverables, assign investigative bureau (e.g. INTERPOL), nominate prosecuting body (e.g. ICJ), take joint ownership of this initiative on a continuing basis, and most importantly, maintain full compliance themselves with the international standards at all times.
  • 17.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State 15 Moving forward, with the global paradigm shift (Ophardt, 2010, pp. 3-4) in the commission of state-committed (or state-sponsored) cyber-crimes and aggressive cyber- behaviour, global institutions (such as the United Nations, the International Court of Justice, and INTERPOL) have a major role to play to hold aggressive parties accountable for their actions, and to promote progress towards developing international standards, building consensus, and developing mechanisms to serve justice to Victim States (Glennon, 2013, pp. 569-570). Due to the dynamic nature of this issue, any solution will always be a work in progress as emerging challenges are addressed, and corresponding solutions appended into the framework.
  • 18.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State 16 References Ashford, W. (February 13, 2015). Data Breaches up by 49% in 2014. ComputerWeekly.com. Retrieved from http://www.computerweekly.com/news/2240240346/Data-breaches -up-49-in-2014-exposing-more-than-a-billion-records Awan, I. (2014). Debating the term cyber-terrorism: Issues and problems. Internet Journal of Criminology. Retrieved from http://www.internetjournalofcriminology.com/Awan_ Debating_The_Term_Cyber-Terrorism_IJC_Jan_2014.pdf Council of Europe. (2015). Standards: the convention and its Protocol. Retrieved from http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/default_en.asp Cyberwarfare. (2015). In Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Cyberwarfare Cyberwarfare In the United States. (2015). In Wikipedia. Retrieved from http://en.wikipedia.org/ wiki/Cyberwarfare_in_the_United_States Defence IQ. (2010, May 26). CIA, US Military Step Up Cyber Space Security Strategies. Retrieved from http://www.defenceiq.com/defence-technology/articles/cia-us-military- step-up-cyber-space-security-strat/ Feldman, N. (2015). Brainy Quote. Retrieved from http://www.brainyquote.com/ quotes/keywords/cyber.html Glennon, M. (2013). The dark future of international cybersecurity regulation. Journal of National Security Law & Policy, 4, 563-570. Retrieved from http://jnslp.com/wp-c ontent/uploads/2013/04/The-Dark-Future-of-International-Cybersecurity-Regulation.pdf Hathaway, O., Crootof, R., Levitz, P., Proctor, H., Nowlan, E., Perdue, W., Spiegel, J. (2011). The Law of Cyber-Attack. Yale Law & Economics Research Paper No. 453, 100 (4), 1- 76. Retrieved from http://www.law.yale.edu/documents/pdf/cglc/LawOfCyberAttack.pdf
  • 19.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State 17 IMPACT. (2015). Mission & Vision. Retrieved from http://www.impact- alliance.org/ aboutus/mission-&-vision.html InfoSec Institute. (2013). 2013 - The impact of cybercrime. Retrieved from http://resources.infosecinstitute.com/2013-impact-cybercrime/ INTERPOL. (2015). Cybercrime. Retrieved from http://www.interpol.int/ Crime-areas/ Cybercrime/Cybercrime ICJ. (2015). Jurisdiction. Retrieved from http://www.icj-cij.org/jurisdiction/index.php?p1=5 Kanuck, S. (2010). Sovereign discourse on cyber conflict under international law, Texas Law Review, 88, 1570-1597. Retrieved from https://www.law.upenn.edu/institutes/cerl/ conferences/cyberwar/papers/reading/Kanuck.pdf McAfee. (2013). The economic impact of cybercrime and cyber espionage. Retrieved from http://www.mcafee.com/ca/resources/reports/rp-economic-impact-cybercrime- summary.pdf OAS. (2015). Cyber-security program. Retrieved fromhttps://www.sites.oas.org/ cyber/en/Pages/default.aspx Ophardt, J. (2010). Cyber warfare and the crime of aggressions: The need for individual accountability on tomorrow's battlefield. Duke Law & Technology Review, 9(2), 1-27. Retrieved from http://scholarship.law.duke.edu/dltr/vol9/iss1/2 Passeri, P. (2015, April 13). March 2015 Cyber Attacks Statistics. Retrieved from http://hackmageddon.com/category/security/cyber-attacks-statistics/ Schjolberg, S. (2007). Terrorism in Cyberspace - Myth or reality?. Retrieved from http://www.cybercrimelaw.net/documents/Cyberterrorism.pdf Shinder, D. (2011, January 26). What makes cybercrime laws so difficult to enforce. Tech
  • 20.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State 18 Republic. Retrieved from http://www.techrepublic.com/blog/it-security/what-makes- cybercrime-laws-so-difficult-to-enforce/ Stockton, P., Goldman, M., (2014). Prosecuting cyberterrorists: Applying traditional jurisdictional frameworks to a modern threat. Stanford Law & Policy Review, 25, 211- 268. Retrieved from https://journals.law.stanford.edu/sites/default/files/stanford-law- policy-review/print/2014/06/stockton_goldman_25_stan._l._poly_rev._211.pdf Wegener, H. (2014). Regulating Cyber Behaviour: Some Initial Reflections on Codes of Conduct and Confidence-Building Measures. Retrieved from https://www.unibw.de/infosecur/ publications/individual_publications/wegener_regulating_cyber_behaviour_paper_2014
  • 21.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State 19 Appendix A Cyber-attack Representations Chart A – Distribution of Cyber-attack targets Chart B – Distribution of Cyber-attack techniques Chart C – Distribution of Cyber-attack (by industry) Chart D – Distribution of Cyber-attack (by Org.) Note: Above pie charts represent cyber-attack target distribution, cyber-attack techniques employed to infiltrate the target organizations, categorization of industries affected by these cyber-attacks, and types of organizations attacked. Source: http://hackmageddon.com/author/paulsparrows/
  • 22.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State 20 Appendix B Examples of recent incidents of nations' cyber warfare 2014 North Korea hacked SONY Pictures Entertainment The cyber-attack on Sony Pictures Entertainment by a state-sponsored group called the Guardians of Peace resulted in a canceled movie release (at least for a little while), leaked personal information, and apologies from Hollywood executives caught in embarrassing e-mail conversations. 2012 Iran (via proxy) attacks US energy interest and ally Forensic investigation revealed that virus (named Shamoon) was brought in on a USB drive and planted in the network by an authorized user. This compromised and disrupted more than 75% of networked computers (30,000) affecting world’s largest oil and gas producer’s production. 2010 US & Israel attack Iranian nuclear facility New York Times reported that the US along with Israel was responsible for Stuxnet computer virus that was used to destroy centrifuges in an Iranian nuclear facility in 2010. 2010 Indian-sponsored group hacks Pakistani websites A group calling itself the Indian Cyber Army hacked the websites belonging to the Pakistan Army and other government ministries to avenge Mumbai attacks. 2010 Britain cautioned against cyber threats from ‘hostile’ states Britain’s internal agency warned against cyber threats from hostile states and criminals. 2009 North Korea attacks South Korea & USA A series of coordinated denial of service attacks against major government, news media, and financial websites in South Korea and the United States. While many thought the attack was directed by North Korea, one researcher traced the attacks to the United Kingdom. 2007 Israel attacks Syria Israel carried out an airstrike on Syria dubbed Operation Orchard. U.S. industry and military sources speculated that the Israelis may have used cyber-warfare to allow their planes to pass undetected by radar into Syria. 2007 Russia attacks Estonia Estonia came under cyber-attack in the wake of relocation of the Bronze Soldier of Tallinn. The largest part of the attacks were coming from Russia and from official servers of the authorities of Russia. In the attack, ministries, banks, and media were targeted. This attack on Estonia, a seemingly small Baltic nation, was so effective because of how most of the nation is run online. 2006 Israel (via proxies) attacks Hezbollah Israel alleges that cyber-warfare was part of the conflict, where the Israel Defense Forces (IDF) intelligence estimates several countries in the Middle East used Russian hackers and scientists to operate on their behalf.
  • 23.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State 21 Appendix C Cyber-attacks on various Nations (by category) Note. CC=Cybercrime, H= Hacktivism, CE= Cyber Espionage, CW=Cyber Warfare
  • 24.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State 22 Appendix D Estimated cost of cybercrime in US and Globally (As of November 2013)
  • 25.
    International Standards toRegulate Aggressive Cyber-behavior from a Foreign State 23 Appendix E © 2015. Mansoor Faridi. All rights reserved. The above model is inspired to develop and implement international standards vis-à-vis aggressive cyber-behavior of a foreign state. The inspiration behind this approach is based on research materials produced by global organization, industry best practices, global frameworks, and international standards pertaining to quality assurance as follows: ISO 27000x, Capability Maturity Model Integration (CMMI) for Development Ver. 1.3, NIST, InfoSec Institute publications, ISACA publications, FCC publications, etc. The focus is on developing a mutually-agreed upon consensus and then on continuous process improvement of the deliverables as the solution matures and lessons are learned.