Over the weekend, the world learned that Iran arrested 30 people that it claims were part of CIA-funded spy networks targeting Iran. Also by its own admission, it seems that Iran was able to uncover the identities of the accused by hacking 29 websites allegedly related to those supposed spy networks.
In a blog post responding to this incident, “Iranian Military and Intelligence Op attacks U.S. Networks,” cybersecurity expert Jeffrey Carr has suggested that the hacking of one of these 29 sites “may qualify officially as a terrorist attack.” He writes,
One of the NGO’s targed [sic] by Iranian Intelligence in this operation was The Peoples Mujahedin of Iran. It’s website is hosted in Berkely, CA by LMI.net, so at least one of the networks attacked by the IRGC was on U.S. soil. This action on the part of Iran dramatically raises the stakes for the need to define where espionage ends and warfare begins. This may qualify officially as a terrorist attack because in 2007 the IRGC was listed as a terrorist organization, the very first official government agency to ever be added to that list.
Ironically enough, on the same weekend, another cybersecurity expert, James A. Lewis of the Center for Strategic and International Studies, published an essay titled, “The Cyber War Has Not Begun,” which is largely a response to the furor caused by a recent Washington Post op-ed written by former NSA director, former Director of National Intelligence, and current executive vice president at Booz Allen Hamilton, Mike McConnell. Lewis’ essay is a step in the direction of meeting Carr’s call for more work that seeks to “define where espionage ends and warfare begins.” In what follows, I use the typology of hostile acts in cyberspace outlined by Lewis to argue that the IRGC hacking incident does not constitute a “terrorist attack” as Carr has suggested.
Lewis’ Typology of Cyber Threats
Lewis has argued for the need to untangle the varying list of malicious acts in cyberspace that have come to be lumped under the category “cyber war.” In attempting to do so, he has identified four threats:
Economic espionage, where foreign governments, companies and citizens steal intellectual property and confidential business information from American companies (and of other developed nations). This probably happens on a daily basis, both as part of nationally directed collection programs and by individual efforts. The problem might be best thought of as a digital counterpart to the struggles over protecting intellectual property that has marked the growth of a globally connected economy.
Political and military espionage. Cyber espionage is an expansion of traditional efforts to collect information on an opponent’s intentions and military capabilities.
Cyber crime. Directed primarily against the financial system, these illegal acts seek to extract money rather than intellectual property.
Cyber war, where foreign militaries or other armed opponents attempt to damage or destroy U.S. military capabilities (including our informational advantage), critical infrastructure, or other civilian targets. Cyber attack is just another weapons system, similar to missiles that can be launched from a distance and strike rapidly at a target. Existing international laws of war can be applied without much strain to cyber warfare.
Additionally, he implicitly defines “cyber terrorism” as “acts that produce fear and terror to affect political change – produced by cyber attack.”
He has stated unequivocally that 1) “No nation has launched a cyber attack or cyber war against the United States” and 2) “for now we can find no example of terrorism…produced by cyber attack.” But was he proved wrong on the very weekend that he released this essay? Is IRGC hacking of a website hosted on a server located in the United States a “terrorist attack” as Carr has suggested? I will argue that it is not.
Analysis of IRGC Hacking
In response to a commenter on his post, who pointed out that the PMOI site did not appear to have been taken offline or altered in any way (i.e. had not been subjected to DDoS or defacing attacks) and therefore asked for more proof that the IRGC had actually targeted this site as Carr claimed, Carr advanced a hypothesis for how the Iranians may have “attacked” the site. He argued that because the main goal of the IRGC was the collection of information, they likely would have taken great pains not to disrupt access to the site or alter its content because they would not want to call attention to themselves. If it really is the case that the IRGC hacked the PMOI and other sites, and it really is the case that their primary goal was collection of information, then Carr’s hypothesis seems reasonable.
But if his hypothesis for how and why the IRGC carried out the operation as it did is correct, then it would seem to rule out the possibility that the “attack” on the PMOI and other sites is a “terrorist attack.” If the primary goal of the operation was the collection of information from back-end databases, then that would more clearly fall under Lewis’ definition of “cyber espionage” than it would “cyber war” or “cyber terror.” Surreptitiously breaking into servers and stealing information does not amount to a concerted effort to cause fear and terror for the purposes of affecting political change. Recent comments from British Air commodore Graham Wright, deputy director of the UK Office of Cyber Security, seem apropos in this case: “Most of what people refer to as ‘attacks’ are the exfiltration of data, which is theft or espionage. I haven’t seen any reports of attack. Everyone always reports an attack. In most cases it is not an attack, it’s theft and crime, it’s stealing data.”
Implications
Though I ultimately believe that Carr’s suggestion that this incident might constitute a “terrorist attack” is incorrect, I do agree that the incident and his response to it both point to “the need to define where espionage ends and warfare begins” in cyberspace. More generally, both point to a real need to take the debate over the definition of terms much more seriously.
For example, while scholars such as Dorothy Denning [1] and Michael Schmitt [2] have taken what we might call an “effects-based approach” to defining terms like “cyber war” and “cyber terror”–i.e. whether a cyber incident counts as war or terror is based primarily upon the effects of the incident and those effects should include physical damage or destruction, injury or death–Lewis’ typology seems to combine both effects and intentions. In the case of “cyber war,” he says that an attempt to damage or destroy military capabilities or civilian infrastructure could count as “cyber war.” Presumably, even if the attacker failed, the attempt alone would be enough to count as war. In the case of “cyber terror,” on the other hand, he implies that the incident must “produce fear and terror to affect political change,” implying that at least partial success (e.g. at least the production of fear and terror, if not actual political change), must be achieved. The slippage between his definitions is likely unintentional and is not important in and of itself. The significance is that it points to a nagging question still to be answered:
- Do we assess that a hostile act in cyberspace is an act of war or terror based primarily on the effects of the incident or on the intentions of the perpetrators of the incident?
Perhaps unintentionally, Carr complicates the matter further by implying that a cyber incident might be characterized as a “terrorist attack” not as a result of the incident’s impacts or the intentions of the perpetrator, but rather, based on the legal status of the perpetrator–i.e. if the perpetrator has the status of “terrorist” or “terrorist organization,” then the incident would be a “terrorist attack.” Thus, we are left with three potential bases for assessing whether cyber incidents count as a terrorist attack:
- Effects of the incident
- Intent of the perpetrator(s)
- Legal status of the perpetrator(s)
This is just one example of an area in which more work related to definition is needed.
As Lewis has argued, too often in our current discourse, “Pronouncements that we are in a cyber war or face cyber terror conflate problems and make effective response more difficult.” Tim Stevens of the blogs Ubiwar and Kings of War agrees, and writes,
words matter when it comes to describing risks and threats, and they frame the debates thus engendered. Crucially, of course, they help shape the responses of politicians and practitioners tackling the situations in which they find themselves.
In short, effective solutions to the problems that we face require us first and foremost to describe those problems as accurately as possible and to define our terms as precisely as possible. If we were tempted to avoid this admittedly tedious and difficult work in favor of just getting on with solving the problem, Carr’s response to the IRGC incident reminds us that we do so at our own peril.
References
[1] Denning, Dorothy E. (1999) ‘Activism, Hacktivism, and Cyberterrorism: the Internet as a Tool for
Influencing Foreign Policy’. (The Information Warfare Site); available from http://www.iwar.org.uk/cyberterror/resources/denning.htm, accessed 16 March 2010.
[2] Schmitt, Michael N. (1999) ‘Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework’, Columbia Journal of Transnational Law 37: 885-937.
Technorati Tags: cyberwar cyberterror Iran