General security

Cyber Exploitation

Dimitar Kostadinov
February 25, 2013 by
Dimitar Kostadinov

Introduction

Over the past couple of years, cyber exploitation has established a reputation of something more than mere nuisance. The repercussions of these acts are often severe; ranging from a great economic loss to leaks of sensitive military information. As a result, there is a growing widespread concern about the solution to this problem.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

On the other hand, most of the people are not familiar with the details surrounding these events. For them, cyber exploitation or espionage may sound similar, if not the same, to cyber attacks. Notwithstanding how similar they might be, if you read this article, you will comprehend the significant distinction between them.

Definition of cyber espionage

There is no universally acknowledged definition of cyber espionage, but below are several quotes regarded as the most accurate and distinguished:

"The science of covertly capturing e-mail traffic, text messages, other electronic communications, and corporate data for the purpose of gathering national-security or commercial intelligence (Hersh, 2010)."

or

"The practice of spying or obtaining secrets from rivals or enemies for military, political, or business advantage. Advances in IT and the proliferation of tiny, embedded storage devices have added considerably to espionage dangers (Janczewski& Colarik, 2008, p. 25).

also

Cyber espionage, also known as "cyber exploitation, can be understood as "the use of actions and operations—perhaps over an extended period of time—to obtain information that would otherwise be kept confidential and is resident on or transiting through an adversary's computer systems or networks (Lin, 2010, p.63)."

The Tallinn Manual on the International Law Applicable to Cyber Warfare, non-binding opinion of an independent group of experts on the legal aspects of cyber threats provides a narrow definition of cyber espionage:

"Any act undertaken clandestinely or under false pretences that uses cyber capabilities to gather (or attempt to gather) information with the intention of communicating it to the opposing party to the conflict" (Tallinn Manual on the International Law Applicable to Cyber Warfare, 2012, p. 159).

"Clandestinely" means that the perpetrator attempts to hide his identity, while the "under false pretenses" phrase signifies that his intention is to present himself as a person entitled to certain rights and authorization to access the targeted information.

Apparently, all these definitions have common features, similarities, and prominent words or phrases which can reveal the image behind the obscurity of this term's meaning. Simply put, these acts are:

-between state nations, but they may include non-state actors

-consisting of information gathering through computer means

-not intending to cause death/injury or destruction/damage

-conducted secretly

-likely executed over lengthy periods of time

There are three main types of espionage:

  1. Economic/Industrial Espionage (e.g. "Operation Brunnhilde")
  2. Military Espionage (e.g. Albert T. Sombolay case)
  3. Political Espionage (e.g. the Watergate scandal)

Picking the right term

Defining espionage and using the word in accordance with its real meaning are two completely different things. Many people or even theorists tend to interchangeably use the words "cyber espionage", "cyber reconnaissance", and "cyber exploitation." Even though they might have some resemblance, these terms have different purpose and designate different activities.

A document by Dell Inc. from 2012 introduces the basic steps which a cyber attack has. The first one is reconnaissance and its primary aim is to find vulnerabilities in the targeted systems and/or networks. The next steps of cyber attack, as described in this document, are intrusion, which is the actual penetration in the enemy's network; malware insertion, referring to secretly planting the malicious code; and clean-up, whose purpose is to erase the evidence and traces of the attack. Consequently, the cyber reconnaissance here has an integral part of the cyber attack process as a whole and the role envisioned for it is only secondary to the main event (cyber attack).

The International Group of Experts responsible for creating the Tallinn Manual (2012: 159) asserts that "computer network exploitation (CNA) and cyber reconnaissance are not cyber espionage when conducted from outside enemy controlled territory." Hence, in order for a person to conduct cyber espionage, he has to be physically present in the territory of the state where the espionage takes place. However, since the most popular espionage-like activities in the computer world occur in incidents where it has been infiltrated from outside the borders, then we need to adopt a term that will encompass these events. For the purpose of this article, cyber exploitation is the term that is going to be used. Nonetheless, the reader should take a note of the fact that different scholars may interpret these terms otherwise.

Cyber Exploitation and Legislation

Does cyber exploitation violate international law?

The curt answer to this question is no, there is no international norm banning cyber exploitation. In addition, the Rule 66 of the Tallinn Manual states (2012, p. 158):

  1. "Cyber espionage and other forms of information gathering directed at an adversary during an armed conflict do not violate the law of armed conflict."

Although cyber exploitation is not prohibited by international legal norms, it may still be proscribed in some cases:

  • When it violates the prohibition on the use of perfidy set forth in Article 37 Additional Protocol I
  • When performed by civilians – an act considered taking a "direct part in hostilities" (Article 51(3) Additional Protocol I and Article 1(3) Additional Protocol II) —rendering them subject to attack
  • When cyber exploitation violates the domestic law (Tallinn Manual, 2012: 159)

While under the conventional international law, the intelligence gathering activity, which is non-destructive and surreptitious, does not constitute violation, the states are given the right to prosecute exposed spies, as pursuant to Article 46 (1) of Additional Protocol I (1977):

"…any member of the armed forces of a Party to the conflict who falls into the power of an adverse Party while engaging in espionage shall not have the right to the status of prisoner of war and may be treated as a spy."

It should be noted, however, that if he "…gathers or attempts to gather information shall not be considering as engaging in espionage if, while so acting, he is in the uniform of his armed forces (Article 46 (2) Additional Protocol I)."

Hence, most likely, persistent violations of the "territorial integrity" of a state, expression mentioned in Article 2(4) of the UN Charter, may bring about sanctions if disclosed. Provided that domestic law has provisions incriminating acts of cyber exploitation, then the offended states may enforce the law, sentence the discovered spies and, at the same time, impose diplomatic sanctions upon the culpable states (Melnitzky, 2012).

Nevertheless, it still remains the question of why cyber espionage is not prohibited by the international community. This quote by Col. Hays Parks may will shed some light:

"Each nation endeavors to deny intelligence gathering within its territory through domestic laws…domestic laws are promulgated in such a way as to deny foreign intelligence collection efforts within a nation's territory without inhibiting that nation's efforts to collect intelligence about other nations. No serious proposal has ever been made within the international community to prohibit intelligence collection as a violation of international law because of the tacit acknowledgement by nations that it is important to all, and practiced by each." (Parks, 1990, p. 433-434)

Does cyber exploitation violate the prohibition on the use of force?

Under the current legal framework, cyber exploitation alone does not rise to use of force set out in Article 2(4) of the UN Charter. The international community predominates the opinion that cyber exploitation is the modern equivalent of the good old spying, which is usually not considered a use of force.

Thus, actions of spying on the other governments' computer systems, even though highly invasive, are not regarded as a use of force (Schmitt 2011: 576). In contrast to cyber espionage, cyber attacks may constitute a use of force because its consequences can resemble those seen in traditional warfare (Wortham, 2012: 655).

Is cyber exploitation equal to cyber attack?

Since we have already examined the definition of the term cyber exploitation, it would make sense if we do the same thing with the cyber attack notion. According to the most widespread definition, cyber attacks comprise "operations to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves (Joint Chiefs of Staff, 1998)."

Presumably, to perform actions which will "disrupt, deny, degrade, or destroy information" on the opponent's computer systems or networks, a person must do more than just inactively observe or collect data, even if that is executed in surreptitious manner. The wrongdoer must affect the normal functioning of the system, either by damaging, altering the existing system components, or inputting something new into them.

While these acts may be considered criminal under domestic legislation, they are not cyber attacks. In conclusion, mere cyber exploitation does not have the same status as a cyber attack, because the basic concept of cyber exploitation does not involve altering the current functioning of adversary's computer systems or networks (Hathaway et al., 2012). Moreover, the consequences of cyber attacks, according to most of the scholars, may resemble those immanent in conventional armed attacks, namely, death/injury to humans or destruction/damage of objects, but cyber exploitation does not entail such a grave aftermath.

In this regard Richard Clarke (2008) comments:

I think the Chinese government has been behind many, many attacks – penetrations. "Attacks" sounds like they're destroying something. They're penetrations; they're unauthorized penetrations. And what they're trying to do is espionage. They're engaged in massive espionage, not only in the U.S. government, in the U.S. private sector as well, but also around the world.

Another prominent difference between cyber exploitation and cyber attack is that the former is led by a motivation to discover and collect sensitive information rather than to inflict harm (Ophard, 2010).

Graphic Comparison: Cyber Attack vs. Cyber Exploitation

Cyber Attack Cyber Exploitation

Purpose disrupt, deny, degrade, or destroy information gather secret information

Approach direct (e.g. viruses, DDoS) clandestine (spyware)

Average Time Interval short long

Type of Personnel warfighters intelligence division

Legal Base jus ad bellum/jus in bello domestic law

The standpoint that the cyber exploitation does not correspond to the traditional understandings of espionage.

Some scholars opine that cyber exploitation should not be regarded similarly to the conventional espionage because of the fact that cyber exploitation activities can easily morph into such leading to cyber attack impact.

Software that appears merely to gather data may easily be transformed into a weapon once it has penetrated the opponent's system. In other words, spyware, at some point, can always be equipped with an activated "warhead" turning it into malicious code spreading harm (Melnitzky, 2012).

Since the cyber exploitation may swiftly shift into cyber attack, a targeted party of ongoing cyber attack/exploitation would have difficulties assessing which of both activities is happening. The problem further compounds because of the time constraints, and would not come as a surprise if the decision-maker misinterprets the severity of the threat (Wortham, 2012).

In concordance with this belief, Tallinn Manuel states:

Certain acts of cyber espionage involve more than mere information-gathering activities and can cause damage to computer systems. Therefore, acts whose primary purpose is cyber espionage may sometimes amount to a cyber attack, in which case the Rules as to cyber attack apply (Chapter IV). (Tallinn Manual, 2012: 160)

In addition, the same scholars recommend that even if cyber exploitation cases do not rise to the level of an armed attack, they should still be prohibited by the international law (Wortham, 2012: 660).

Applying the effects-based approach

As the previous point expounds, the scope and severity of cyber exploitation pose the dilemma whether the traditional understanding of espionage is still valid. In attempting to solve it, Alexander Melnitzky (2012) suggests adopting the effects-based approach. At the heart of this technique is the concept that armed attacks, and consequently cyber attacks, are those events which could have been carried out in the past only through kinetic methods and means, resulting in death/injury or destruction/damage.

He further provides the reader with an example of how the American economy, mostly the intellectual property businesses, suffered to a great extent from the scourge of cyber exploitation, losing more than 1 trillion USD in 2008 alone. Previously, such unprecedented looting could have been achieved only through a military occupation and, with this being so, the prime requirement of the effects-based methodology is satisfied (Melnitzky, 2012).

Conclusion

Cyber exploitation is an act which has common features with a cyber attack. However, as it was reviewed, these events have significant differences and because of that, they cannot be treated likewise. The raising concerns with relation to cyber exploitation damage inflicted often by unknown culprits urge many security specialists to invoke the implementation of more decisive actions. Although this is perfectly understandable, it is not clear whether this"decisive actions" is in conformity with the existing legislation. The confusion comes from the fact that at the moment of a security breach, the person who needs to protect himself must decide whether the attacker acts aggressively or passively. Given the pressing circumstances and obscurity of the regulations and practices in such situations, frequently the decision-maker is left to make this tough judgement on his own.

Reference List

Clarke, R. (2008). Seven Questions: Richard Clarke on the Next Cyber Pearl Harbor. Retrieved on17/02/2013 from

http://www.foreignpolicy.com/articles/2008/04/01/seven_questions_richard_clarke_on_the_next_cyber_pearl_harbor

Dell Sonic WALL, Inc. (2012). Anatomy of a Cyber Attack. Retrieved on 17/02/2013 from http://partnerdirect.dell.com/sites/channel/Documents/SonicWALL-Anatomy-of-a-Cyber-Attack-Datasheet.pdf

ICRC (1977). Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I). Retrieved on 17/02/2013 from http://www.icrc.org/IHL.nsf/FULL/470

ICRC (1977). Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of Non-International Armed Conflicts(Protocol II). Retrieved on 17/02/2013 fromhttp://www.icrc.org/ihl.nsf/full/475?opendocument

Hathaway, O., Crootof, R., Levitz, P., Nix, H., Nowlan, A., Perdue, W., Spiegel, J. (2012).

California Law Review, 100 (4), 817-886.

Hersh, S. (2010). The Online Threat: Should We Be Worried About a Cyber War? Retrieved on 17/03/2013 form

http://www.newyorker.com/reporting/2010/11/01/101101fa_fact_hersh?printable=true

Janczewski, L. & Colarik A. (Eds.). (2008). Cyber Warfare and Cyber Terrorism. Hershey, USA: IGI Global.

Joint Chiefs of Staff (1998).Joint Doctrine for Information Operations.Washington DC: Joint Publication.

Lin, H.(2010).Offensive Cyber Operations and the Use of Force. J. NAT'L SECURITYL. & POL'Y, 4, 63-86

Melnitzky, A. (2012). Defending America against Chinese cyber espionage through the use of active defenses. Cardozo J. Int'l & Comp. L., 20, 537-570.

Ophardt, J. A. (2010). Cyber Warfare and the Crime of Aggression: the Need for

Individual Accountability on Tomorrow's Battlefield, Duke L. & Tech. Rev,003.

Parks, H. (1990). The International Law of Intelligence Collection. I Moore J. et al. (Eds.),National Security Law (pp. 433-434).Carolina Academic Press: USA.

Schmitt, M. (2011). Cyber operations and the jus ad bellum revisited. Villanova Law Review, 56, 569-606.

The International Group of Experts at the Invitation of The NATO Cooperative Cyber Defence Centre of Excellence (2012). The Tallinn Manual on the International Law Applicable to Cyber Warfare. Retrieve on 17/02/2013 fromhttp://www.ccdcoe.org/249.html

United Nations (1945). United Nations Charter. Retrieved from http://www.un.org/en/documents/charter/

Wortham, A. (2012). Should Cyber Exploitation Ever Constitute a Demonstration of Hostile Intent That May Violate UN Charter Provisions Prohibiting the Threat or Use of Force? Federal Communications Law Journal, 64(3), 644-650.

Dimitar Kostadinov
Dimitar Kostadinov

Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master degree in 2009. From 2008-2012, Dimitar held a job as data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted Law and Politics of International Security to Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.