Cyber Warfare: Issues and Challenges
Michael Robinson (a,∗), Kevin Jones (b), Helge Janicke (a)
(a) De Montfort University, Leicester, UK
(b) Airbus Group Innovations, Newport, UK
Abstract
The topic of cyber warfare is a vast one, with numerous sub topics receiving
attention from the research community. We first examine the most basic question
of what cyber warfare is, comparing existing definitions to find common ground
or disagreements. We discover that there is no widely adopted definition and
that the terms cyber war and cyber warfare are not well enough differentiated.
To address these issues, we present a definition model to help define both cyber
warfare and cyber war. The paper then identifies nine research challenges in
cyber warfare and analyses contemporary work carried out in each. We
conclude by making suggestions on how the field may best be progressed by future
efforts.
Keywords: Cyber War, Cyber Warfare.
1. Introduction
Throughout history, mankind has waged war, seeking to further national
agendas in an ever changing international game of power. From the sword
battles of the past to the unmanned drone strikes of today, this game of power
is constantly driven to shift and evolve by technology. The development of
armoured vehicles, aircraft, ships and the use of electronics and
telecommunications have all expanded the battle space and introduced new and innovative
ways to gain an advantage over opponents. Just as the technological innovation
of flight triggered a race to dominate the skies, the emergence of cyberspace has
opened up new strategic possibilities and threats, causing a scramble to secure
a dominant position inside of it [1].
∗Corresponding author
Preprint submitted to Journal of Computers and Security March 18, 2015
Increasing media coverage of cyber warfare [2, 3, 4] has only served to
heighten public awareness that cyberspace is becoming an arena of warfare.
Governments, too, are fully aware of the need to take action in response to
threats from cyberspace. US President Barack Obama has declared America’s
digital infrastructure a strategic national asset, and formed Cybercom: a
division inside the Pentagon whose stated task is to “perform full spectrum
operations” [5]. Documents leaked from the National Security Agency in the US
also confirm that national security figures are seeking to establish offensive
cyber capability [6]. In the UK, government officials have warned of a lack of
preparedness for cyber warfare and have announced new investments to bolster
defence, such as the National Cyber Security Programme [7]. NATO has also
been raising awareness, releasing the Tallinn Manual on the International Law
Applicable to Cyber Warfare [8] as an attempt to advise nations on how to
operate legally in this new war fighting domain. Looking at this evidence, it is
clear that cyber warfare is a topic of global concern.
Conflict and war in any form has the potential to touch every person, whether
as a combatant, relative of a combatant, civilian, business entity or nation state.
This makes research into cyber warfare both valuable and essential to solve the
growing number of issues raised by this new domain of war. Contemporary
research into the topic is wide ranging, covering a number of sub topics ranging
from legal issues on lawful combatancy to attempts to precisely define what a
cyber weapon is. For anyone attempting to approach the field of cyber warfare,
there is a challenge in gathering an understanding of all issues involved, how
they relate to each other, what the current state of research is and where future
research is required.
We address this problem by providing an analytical survey of the current
state of research into the area of cyber warfare. An analysis of the varying views
and research carried out to date provides a discussion from which significant
research areas can be identified and new research questions formulated.
Section 2 of this paper presents and analyses the various definitions of cyber
war and warfare offered by the research community. Section 3 presents our
definition model, and demonstrates how it can be used to reach definitions of
not just cyber warfare, but any cyber situation. Section 4 then moves on to
identify research challenges in cyber warfare, providing analysis of the views
in each area. We then reach our conclusions and provide discussion on what
direction future efforts should seek to take in order to best address the issue of
cyber warfare.
1.1. Methodology
The identification of literature for analysis in this paper was based on a
keyword search. These keywords were initially “Cyber War” and “Cyber Warfare”.
As subtopics such as cyber weapons and cyber deterrence were discovered, these
also became keywords for further searches. By searching for these keywords in
academic databases [9] such as IEEExplore and the ACM Digital Library, an initial
set of relevant sources was located. Keeping in mind that cyber warfare is an
interdisciplinary subject, journals from other disciplines such as law, international
relations and defence were also searched for relevant sources. The keywords were
also entered into common internet search engines such as Google, allowing the
discovery of articles not indexed in digital libraries. To locate any sources that
our keyword searches missed, a snowballing methodology was used [10]. This
methodology allowed the building of a reasonably complete picture of the
current research landscape, and the identification of seminal works in the area by
looking at citation frequencies. Although a systematic collection of literature
has been performed, research [11] has shown that relevant primary sources can
be missed during searches, and that multiple researchers working to the same
methodology will collect differing bodies of articles. Whilst this variation in
literature searching cannot be avoided, the effects of it can be mitigated by
providing this description of how the search process was performed.
1.1.1. Inclusion Criteria
The search process produced a significant number of results. To ensure that
only relevant sources were included for review, articles discovered by the search
process were measured against a number of criteria. Each source had to meet
one or more of the following requirements:
• The source directly addresses at least one specific aspect of cyber war or
cyber warfare, such as ethics or deterrence.
• The source is not directly related to cyber war or cyber warfare, but
provides a definition of one or both.
The use of such criteria resulted in certain material, including works on the
art and science of military conflict [12, 13, 14], not being included. Although
arguably relevant in helping to understand the wider debates of conflict and
war, such works have been excluded to achieve the paper’s aim of providing a
concise introduction to the immediate challenges and issues facing research into
cyber warfare.
1.1.2. Ranking of Sources
Each collected source was evaluated against five criteria and scored against
each on a scale of one to three, with three being the best. The higher the overall
score, the higher the source was ranked on our list. Using this ranking system
allowed the prioritisation of sources. The criteria were as follows:
• Reputation - A source from a well respected organisation or author scores
higher than one from a lesser known entity.
• Relevance - A measure of how the contents of the source relate to the topic
at hand.
• Originality - Sources that offer new arguments, raise new issues or attempt
to provide innovative solutions scored higher.
• Date of Publication - More recently published sources were given a higher
score than older ones.
• References - Sources which build upon, analyse or acknowledge previous
work score highly.
2. Finding clear definitions
The first logical step in removing confusion from the area of cyber warfare is
to define the various terms used in literature. The paper will therefore begin by
analysing existing definitions offered by the research community. We consider
four relevant terms that need to be distinguished in this field: Information
Warfare, Cyberspace, Cyber Warfare and Cyber War. Often used interchangeably,
these terms lack clear and agreed upon definitions and are a good starting point
to better define the issue at hand.
2.1. Cyberspace
The most basic question to ask when examining cyber warfare is: What is
cyberspace? Daniel Kuehl [15] has examined this question. Kuehl collected
and analysed the various definitions offered by a selection of sources including
academic authors, U.S. Department of Defense documents and even science
fiction. His analysis of existing definitions led him to conclude that cyberspace
is more than just computers and digital information, and that there are four
aspects of cyberspace that a definition should reflect:
• An operational space - People and organisations use cyberspace to act and
create effects, either solely in cyberspace or across into other domains.
• A natural domain - Cyberspace is a natural domain, made up of
electromagnetic activity and entered using electronic technology.
• Information based - People enter cyberspace to create, store, modify,
exchange and exploit information.
• Interconnected networks - The existence of connections allowing
electromagnetic activity to carry information.
To reflect these four aspects, Kuehl offers his own definition of cyberspace:
“A global domain within the information environment whose
distinctive and unique character is framed by the use of electronics and
the electromagnetic spectrum to create, store, modify, exchange and
exploit information via interdependent and interconnected networks
using information-communication technologies.” [15]
The definition offered by Kuehl is a comprehensive one that accurately
communicates the unique aspects of cyberspace. It is therefore the definition of
cyberspace that this paper adopts.
2.2. Information warfare
The term “information warfare” has a long history. The earliest recorded
use of the term was by Thomas Rhona in 1976. Rhona defined information
warfare as:
“The strategic, operation, and tactical level competitions across the
spectrum of peace, crisis, crisis escalation, conflict, war, war
termination, and reconstitution/restoration, waged between competitors,
adversaries or enemies using information means to achieve their
objectives.” [16]
Martin Libicki argued that Rhona’s definition was too broad, and stated
that trying to define information warfare was like “the effort of the blind men
to discover the nature of the elephant: the one who touched its leg called it a
tree, another who touched its tail called it a rope, and so on” [16]. Rather than
give a definition of information warfare, Libicki suggested that the term must
be broken down into smaller parts to become understandable and meaningful.
He therefore described seven forms of information warfare, shown in table 1.
Table 1: Libicki’s seven forms of information warfare [16]
Form                   Description
Command-and-control    Attacks on command centres, or commanders themselves to disrupt command effectiveness
Intelligence-based     Increasing your own situational awareness while reducing your opponent’s
Electronic             Use of cryptography and degrading the physical basis for transferring information (e.g. radar jamming)
Psychological          Use of information against the human mind. Propaganda to demoralise troops or influence civilian populations
Hacker                 Exploitation of viruses, logic bombs and trojan horses to attack computer systems
Economic information   Possessing and being in control of information leads to power
Cyber                  Information terrorism, semantic attack, simula-warfare, Gibson-warfare
As can be seen by Libicki’s thoughts on information warfare, the term is
extremely broad. It can include denying battlefield commanders information,
keeping sensitive messages secret, spreading propaganda, traditional hacking
and so on.
Dorothy Denning provides an alternative definition of information warfare,
stating that it “consists of offensive and defensive operations against information
resources of a win-lose nature” [17]. From Denning’s perspective information
warfare can be seen as a game, played between defenders and attackers who
are in direct competition. Defenders perform defensive operations to protect
information in any form, seeking to maintain its confidentiality, integrity and
availability. Attackers perform offensive operations, seeking to damage that
confidentiality, integrity and availability. Denning [17] argues that information
warfare can occur in a number of domains such as crime, individual rights and
national security. Similar to Libicki [16], the description of information warfare
offered by Denning is broad. Kopp [18] states that the aim of information
warfare is to: “corrupt, deny, degrade and exploit adversary information and
information systems and processes while protecting the confidentiality, integrity
and availability of one’s own information”.
Taking these definitions of information warfare, it is clear that the term can
be used to describe a very wide range of activities that include but also go
beyond cyber space. The question of whether cyber warfare is simply a form of
information warfare is unclear. To provide a better understanding of how cyber
warfare relates to information warfare, we examine and analyse definitions of
cyber warfare offered by the research community.
2.3. Cyber warfare
The term cyber warfare is one that is used in mainstream media and, as with
information warfare, there are many differing definitions. In 2001, Alford [19]
defined cyber warfare as:
“Any act intended to compel an opponent to fulfill our national
will, executed against the software controlling processes within an
opponents system.”
This definition from Alford reflects the view that cyber warfare is something
that states will engage in to advance a national agenda. It can be argued however
that modern warfare does not always aim to advance such an agenda. Religious
beliefs and ideologies that are not tied to a national agenda can arguably be
the aim of modern warfare. It therefore seems unwise to confine a definition of
cyber warfare to having the purpose of advancing a national will.
Jeffrey Carr [20] offers another definition of cyber warfare:
“Cyber warfare is the art and science of fighting without fighting; of
defeating an opponent without spilling their blood.”
In comparison to Alford’s [19], this definition avoids attempting to define the
motivation of the fighting parties. However, the suggestion that cyber warfare
will not spill blood must be questioned. A cyber attack on critical national
infrastructure, such as the power grid, may result in loss of life. Colarik and
Janczewski [21] agree with this point, arguing that cyber warfare cannot be
seen as bloodless.
Parks and Duggan [22] offer another definition:
“Cyberwarfare is a combination of computer network attack and
defense and special technical operations.”
This is a very broad definition of cyber warfare, which avoids the issue of who
is taking part and why. Due to this it is difficult to fault their definition, other
than it being potentially too broad. With regards to “special technical
operations” [22], Parks and Duggan refer to a US Department of Defense document
which describes what these operations involve.
Arquilla and Ronfeldt [23] do not define cyber warfare, but instead offer a
definition of cyberwar:
“Cyberwar refers to conducting, and preparing to conduct, military
operations according to information-related principles. It means
disrupting if not destroying the information and communications
systems, broadly defined to include even military culture, on which an
adversary relies in order to know itself: who it is, where it is, what
it can do when, why it is fighting, which threats to counter first,
etc. It means trying to know all about an adversary while keeping
it from knowing much about oneself. It means turning the balance
of information and knowledge in ones favor, especially if the balance
of forces is not. It means using knowledge so that less capital and
labor may have to be expended”
Arquilla and Ronfeldt see cyberwar as a battle for control over information
and communication flows, with the ultimate aim of developing an advantage over
an opponent. In this respect, there are similarities with the ideas of information
warfare. The definition does however face the same challenge as Carr’s [20], in
that attacks intended to cause physical damage are not accounted for.
Another definition of cyber warfare is put forward by Cornish et al. [24]:
“Cyber warfare can be a conflict between states, but it could also
involve non-state actors in various ways. In cyber warfare it is
extremely difficult to direct precise and proportionate force; the target
could be military, industrial or civilian or it could be a server room
that hosts a wide variety of clients, with only one among them the
intended target.”
This definition raises the idea that non-state actors may be involved in cyber
warfare, an interesting idea that other definitions miss. The use of “can be”,
“could” and “various ways” makes it a general definition that would benefit from
being more distinct. It also highlights that cyber warfare may be unpredictable
and imprecise in its effects - an idea that is missing from other definitions.
Taddeo [25] defines cyber warfare as:
“The warfare grounded on certain uses of ICTs within an offensive
or defensive military strategy endorsed by a state and aiming at
the immediate disruption or control of the enemys resources, and
which is waged within the informational environment, with agents
and targets ranging both on the physical and non-physical domains
and whose level of violence may vary upon circumstances”
This definition gives a motivation: the immediate disruption or control of
enemy resources. The “immediate” aspect may be challenged however, since
certain attacks may have a delayed effect, rather than an immediate one. The
suggestion that targets may be physical and non-physical is an interesting point
missing from other definitions, and represents cyber warfare having the potential
to inflict kinetic effects.
Agreeing with Taddeo’s [25] school of thought, Billo [26] defines cyber
warfare as:
“Units organized along nation-state boundaries, in offensive and
defensive operations, using computers to attack other computers or
networks through electronic means.”
Here Billo is suggesting that attackers are organised along nation state
boundaries. This appears to be a very traditional view of warfare in the
cyber domain. It is unclear how Billo sees nation state boundaries. If they are
seen as the physical borders of a nation, then this is a weakness since
combatants in cyber warfare may be highly geographically dispersed across multiple
nations. If he means cyber boundaries (i.e. at tier 1 internet backbones)
then this becomes more reasonable, but still places a locational limitation on
cyber warfare that may not exist.
Richard A. Clarke, special advisor on cyber security to US president Bush
(2001-2003), defines cyber war as:
“Actions by a nation state to penetrate another nation’s computers
or networks for the purposes of causing damage or disruption” [27].
Similar to the definitions provided by Taddeo [25] and Billo [26], this is a
very nation state focussed definition.
The Oxford English Dictionary contains its own definition of cyber warfare,
stating that it is simply “another term for cyber war”. The definition given for
cyber war is: “The use of computer technology to disrupt the activities of a state
or organization, especially the deliberate attacking of communication systems
by another state or organization” [28]. As with the other definitions examined,
it can be argued that this definition is problematic. Firstly, it is unclear why the
emphasis on communications systems is necessary. Many systems can be at risk
from cyber warfare, including critical national infrastructure such as the power
grid and transportation networks [29]. Secondly, the assertion that cyber war
and cyber warfare are synonymous can be challenged, since the dictionary itself
provides contradicting evidence. Rather than defining the well understood and
established term of warfare as another term for war, it defines it as “Engagement
in or the activities involved in war or conflict” [28]. This raises an important
question: If war and warfare have separate definitions that appear to make
sense, why has the Oxford Dictionary chosen to state that cyber warfare is
simply another word for cyber war?
2.4. Summary of existing cyber warfare definitions
An examination of the literature has demonstrated that there is no widely
accepted definition of cyber warfare. Some researchers offer very broad
definitions, which do tend to cover most imaginable cases of cyber warfare but
are potentially too broad. Others give very specific definitions, which are
potentially more useful but then fail to cover certain elements of what could be
considered cyber warfare. Definitions from other sources such as the Oxford
English Dictionary have also been shown to be problematic. With usage of the
term increasing in political and media circles [30, 31], the lack of a
methodically reached definition is a problem that needs to be addressed. To resolve this
problem, we propose a definition model that is based on the identification of
actors and intent.
3. The Actor and Intent Definition Model
The Actor and Intent Definition Model provides a methodical process from
which definitions of harmful events in cyber space can be reached. It is based
upon the idea that all hostile cyber situations can be broken down into two basic
concepts: An actor launching a cyber attack, with some kind of harmful intent.
To use these two concepts, it is first important to be clear on their meanings.
3.1. Cyber Attack
In our model, a cyber attack is the basic building block that is common to
all hostile cyber situations. We define a cyber attack as follows:
Definition 1. Cyber Attack. An act in cyber space that could reasonably be
expected to cause harm.
Harm is defined in its broadest sense: economic, psychological, physical,
reputational, strategic and so on.
3.2. Intent
Once it has been established that an actor has launched a cyber attack, it is
necessary to determine the intent behind that attack. The fundamental question
to be asked here is: What was the purpose of the harm? Presented here are
some examples of non-cyber situations, along with the commonly associated
intent:
Situation    Common Intent
Warfare      Achieving military objectives.
Crime        Personal gain through illegal means.
Bullying     Causing psychological distress to another individual.
Espionage    Obtaining political or military information covertly.
Terrorism    Influence a nation’s policies through violence and fear.
3.3. Actor
The entity that carried out the cyber attack must also be considered
alongside the intent. Consideration of the actor improves the chances of coming to a
correct conclusion on their intent. If the actor is a state, a conclusion of
warfare-like intent would arguably be easier to reach than if the actor was an individual.
If the actor is a known terrorist group, conclusions of terrorism-like intent are
arguably more feasible. This cannot be a formulaic process however: it cannot
be said that an individual can never have warfare-like intents, or that a terrorist
group automatically has terrorism-like intents. Therefore, it is a human process
of weighing up actor and intent to reach a subjective conclusion on how the
cyber event should be defined.
3.4. Reaching a definition of a cyber event
Having considered the actor and the intent, we can define a cyber situation
by comparing it to a non-cyber situation. For example, if a cyber attack was
launched by a nation state with the intent of achieving a military objective, this
cyber situation is defined as cyber warfare. If an individual launched a cyber
attack with the intent of causing psychological distress to another individual, it
can be concluded that cyber bullying has taken place. By following this method,
we can define almost any cyber situation, including cyber warfare.
3.5. Reaching a definition of cyber warfare
By applying the actor and intent definition model, we reach the following
definition for cyber warfare:
Definition 2. Cyber Warfare. The use of cyber attacks with a warfare-like
intent.
3.6. Reaching a definition of cyber war
The reviewed literature also made reference to cyber war, with some sources
stating that it was a synonym for cyber warfare. It can be argued that this is
not the case. As stated, cyber warfare is an activity - the use of cyber attacks
with a warfare-like intent. Cyber war on the other hand is a state of being.
An actor can be at war, but does not perform war - they perform warfare. We
therefore present a definition of cyber war:
Definition 3. Cyber War. Occurs when a nation state declares war, and where
only cyber warfare is used to fight that war.
The key to a situation being classed as a cyber war is that cyber warfare is
the only type of warfare used. If a kinetic attack is used during the war, such
as an air strike, the situation should not be classified as cyber war - it should
simply be seen as war where cyber warfare was used.
3.7. Example Scenarios
To test these definitions of cyber war and cyber warfare, it is useful to present
a number of potential scenarios and see how they evaluate:
3.7.1. Country A vs Country B
Country A openly declares war against country B, and uses its military to
conduct coordinated cyber attacks. These attacks are aimed at country B’s
power grid, and are successful in causing disruption to the power supply. Power
plants go down and blackouts occur, leaving much of the nation without power.
Country A takes advantage of the blackout in country B to launch an air strike,
bombing an air base whilst situational awareness is impaired.
Examining the actor and intent, this scenario involves a nation state
launching a cyber attack with the intent of achieving a military objective. This matches
a warfare-like intent and the situation can initially be described as cyber warfare.
With the addition of a declaration of war however, the situation is upgraded to
cyber war. Once the air strike is carried out, a kinetic attack has been used.
This transforms the situation. Since cyber warfare is no longer the only type of
warfare being used, the situation cannot be called cyber war. The situation is
now best defined simply as war - one that uses both kinetic and cyber warfare.
3.7.2. Country C vs Country D
Country C detects a number of cyber attacks coming from country D. These
attacks intend to steal information from a large electronics manufacturer based
in country C and from country C’s commerce and trade ministry. There is
no proof that these attacks are state sponsored, but coding in some analysed
malware suggests country D might be responsible. The attacks remain ongoing
for many years, but country C focuses on strengthening its cyber defences rather
than overtly confronting country D.
Many grey areas exist in this scenario, but the intent model can help to
define it by looking at the intent of the attacks. In this case, the attacks are
aimed at accessing information from industry and from the commerce and trade
ministry. The intent behind such attacks can be narrowed down to a handful
of possibilities. Financial gain is a possibility - the ability to sell trade secrets
on the black market, or use them in their own business. These are crime-like
intents, suggesting that cyber crime is a potential candidate for this scenario.
Economic intent by a nation state is also a possibility. With access to
confidential information from the trade ministry, and details of production at a large
electronics firm, a nation may be able to achieve an advantage in international
trade and commerce. This is an espionage-like intent, and makes cyber
espionage also a possible label for this situation. We can at the very minimum state
that this situation is a cyber attack - an act has occurred in cyber space that
could reasonably be expected to cause harm. As more evidence on the intent
and perpetrator emerges, the model can more firmly begin to categorise the
attack. This is a strength of the model, since the way it defines a situation can
evolve and become more certain as more information on the attacker and their
intent becomes available.
Figure 1: Actor and Intent Definition Model
3.8. Advantages of the definition model
Figure 1 gives a visual representation of our definition model, and shows
the process of how definitions of cyber events can be reached. The model has
a number of advantages. Firstly, the model reflects the fact that international
events can not always be defined straightforwardly. An uprising in a state may
be labelled as terrorism by the state but as revolution by others. In February
of 2014 Russia announced its concern that the Ukraine had been taken over by
terrorists [32]. Months later in April, it is the Ukraine government claiming400
to be conducting anti-terror operations, to remove pro-Russian forces from the
country [33]. Clearly terms such as terrorism have a subjective element that a
strictly systematic methodology could not capture. Our model allows for this
human element by requiring the concept of intent to be considered. A second
advantage of our model is that it removes the need to invent a new definition
for every new cyber situation. Our model shows that this is unnecessary, since
we can simply take the existing definition of a more well understood kinetic
situation, and use it to define the cyber equivalent. For completeness, the
following gives some examples of this advantage.
3.9. Applying the model to cyber terrorism
The FBI define terrorism as: “Violent acts or acts dangerous to human life
that violate federal or state law and appear to be intended (i) to intimidate
or coerce a civilian population; (ii) to influence the policy of a government by
intimidation or coercion; or (iii) to affect the conduct of a government by mass
destruction, assassination, or kidnapping” [34].
Taking this definition, we can define cyber terrorism by identifying who is
launching the cyber attack and the harmful intent behind it. The FBI definition
does not state a particular group, so it can be assumed that the who is any
person or organisation. Cyber terrorism can therefore be defined as:
“Cyber attacks where the intent is to intimidate or coerce a civilian
population, influence the policy of a government by intimidation or
coercion, or affect the conduct of a government by mass destruction,
assassination or kidnapping.”
Using this definition, a cyber attack on a nuclear power plant with the intent
of causing mass destruction would be cyber terrorism. While assassination via
cyber means may sound extreme, it is possible to envisage an air defence system
being compromised by cyber means to target an aircraft it ordinarily would
not. Cyber kidnap may become an issue if fully automated vehicles become
commonplace. Quite simply, it would be nothing more than a cyber attack
with kidnapping-like intents. Whether the international community wishes to
differentiate between terrorism and cyber terrorism is another matter that is
beyond the scope of this paper. They may see terrorism as terrorism, with the
method of delivery as insignificant. This paper simply uses cyber terrorism here
as evidence that our model can be used to define it.
3.10. Applying the model to cyber crime
Crime can have many intents in the kinetic world including financial gain,
revenge, or a hatred of another person. These intents do not change simply
because the delivery is via cyber attack, and therefore no new definitions are
required. If a cyber attack occurs, and the intent behind it matches a criminal
intent, then cyber crime has occurred.
3.11. Summary of the Actor and Intent Model
In this section our actor and intent definition model was presented, which
addressed the previously identified problem of trying to define cyber warfare.
The model asserts that it is possible to reach a definition of any cyber situation
by examining who is doing a cyber attack and why. This was demonstrated
by reaching definitions of cyber warfare and cyber war. A number of scenarios
were presented, to demonstrate how the model could be extended to define other
cyber situations such as cyber terrorism.
4. Research Challenges in Cyber Warfare
With both cyber warfare and cyber war better defined, it is prudent to
examine the current state of research in the area. This section identifies nine
topics that have presented challenges to the cyber warfare research community.
These are shown in figure 2.
Figure 2: Research Challenges in Cyber Warfare
4.1. Early Warning Systems
Early warning (EW) systems have long been a significant area in military
intelligence and provide the ability to detect when an adversary is undertaking
preparations to launch an attack and what that attack may consist of. In
traditional kinetic warfare, EW systems are well established. Intelligence officers
study satellite imagery and listen to communications, looking for known
indicators of military mobilisation. In the cyber domain however, it is unclear what
these indicators are or how they can be observed. This presents a problem when
trying to develop early warning systems for cyber warfare. The first challenge
in this area is to determine what a cyber early warning system should aim to
achieve. Golling and Stelte [35] address this question, by claiming that an EW
system must provide answers to the following:
• Is a Cyber War taking place right now/about to begin?
• Who is attacking?
• What is the target?
• What kind of attack methods are being used?
Looking at these questions, it can be argued that cyber warfare early warning
has much the same goals as traditional early warning systems. But the problem
of what to look for to answer these questions still remains. The field of cyber
security has a tremendous amount of ongoing research into the area of attack
detection, but as the name suggests it is focussed on detecting attacks as they
happen, rather than providing an early warning of an impending attack.
Sharma et al. [36] have argued that a cyber early warning system must
consider more than just technical indicators. They state that many cyber attacks
are associated with social, political, economic and cultural conflicts, and that
to predict incoming cyber attacks these aspects must be considered. Moran [20]
agrees with this view and has suggested that there are four stages that occur
before a politically motivated cyber attack, which can be used as indicators for
a cyber early warning system. These are shown in figure 3.
Figure 3: Moran’s five stages of politically motivated cyber attack [20]
Moran’s five stage model [20] combines political awareness with technical
awareness to form an early warning system. It does however have some
weaknesses. Firstly, Moran admits that the first two steps, latent tensions and cyber
recon are not always necessary stages for a politically motivated cyber attack.
If the first two steps in figure 3 are removed, we are left with just a three
stage model: an initiating event, cyber mobilization and cyber attack.
However, Moran [20] asserts that the most dangerous and sophisticated politically
motivated attacks will follow the full five stages, and that only unsophisticated
politically motivated attacks will follow the shortened, three stage model.
Secondly, the order of the stages should be challenged. Moran’s model [20] asserts
that tensions lead to recon, and that some initiating event then triggers a cyber
mobilisation, whereby “patriotic hackers are incited into action” [20]. According
to the model, these patriotic hackers then carry out the cyber attacks. It must
be argued that this surely cannot always be the timeline of events in a politically
motivated attack. It is possible to imagine a scenario whereby latent tensions
exist but no recon takes place until after the initiating event. This results in a
four stage model, with cyber recon placed after the initiating event. The
usefulness of having stages presented in a fixed chronology is therefore brought into
question. Despite these problems, Moran has presented some useful indicators
that can be used in future early warning system research.
Fuller [37] puts forth the argument that caution must be used when designing
early warning systems in the cyber domain. He describes how in 1998, the U.S.
introduced The Federal Intrusion Detection Network (FIDN) - a program to
centrally monitor internet traffic passing through critical infrastructure, looking
for anomalies in traffic that may alert to an impending attack. The network
was dismantled after its existence became publicly known, leading to objections
from civil liberties groups and privacy advocates. Clearly there is a need to
balance granularity of monitoring with public expectations of privacy, and this
is a point that should remain in the minds of those designing future EW systems
for the cyber domain.
The challenge of creating a cyber warfare EW system has a significant
amount of overlap with other research areas. Cyber security topics such as
situational awareness, attack prediction, intrusion detection and network
monitoring are all active research areas that will have an impact on the future of
cyber warfare EW systems. But as Moran [20] and Sharma et al. [36] state,
cyber early warning cannot be approached from a purely technical perspective. An
effective early warning system for the cyber domain will require an awareness of
and significant input from other disciplines such as international relations and
sociology.
4.2. Ethics of Cyber Warfare
As with any activity that has the potential to cause harm, cyber warfare
presents ethical challenges. In particular, nations need to know when it is
ethically justified to resort to cyber warfare and how to conduct such warfare
ethically. Taddeo [25] explains that traditional wars are guided by Just War
Theory (JWT) [25] - a number of well defined principles stating when a nation
is ethically justified to go to war, and how to remain ethical during one. Taddeo
argues that these principles are difficult to apply when it comes to cyber warfare,
and that these difficulties are worthy of further research.
In particular the principle of last resort is contentious. The spirit of this
principle is that a bloody, harmful war should be avoided until all other avenues
have been exhausted. Taddeo argues that this principle does not apply to cyber
warfare, and that resorting to it early may be considered the ethical decision.
The reasoning behind this view is that a cyber war would have little or no
bloodshed. If this is the case, resorting to cyber war early would be ethically
justified, since if differences can be resolved in this bloodless manner, the need
for a more violent kinetic war can be avoided.
This view has a counter argument however, in that cyber warfare should
not automatically be considered less bloody than a kinetic war. Kinetic warfare
can target specific military targets, and is guided by well established rules such
as the laws of armed conflict and the Geneva Protocols. Cyber warfare on the
other hand is currently much less regulated and decoupling military targets from
civilian ones can be more problematic. Cyber attacks on national infrastructure
could leave civilians without essential services such as power and food supplies,
causing indiscriminate suffering in civilian populations. It may also cause
physical harm in the form of explosions at power plants, failings at water treatment
plants or interruptions to air traffic control systems. With this in mind, caution
must be used before stating that it is ethical to resort to cyber warfare early.
Taddeo attempts to address the challenge of cyber warfare ethics by putting
forward three principles that form a “Just Cyber War”. These principles relate
to an idea of an “infosphere”. Taddeo defines this as “the environment in which
animate and inanimate, digital and analogue informational objects are morally
evaluated”.
1. Cyber war ought to be waged only against those entities that endanger or
disrupt the wellbeing of the Infosphere.
2. Cyber war ought to be waged to preserve the well-being of the Infosphere.
3. Cyber war ought not to be waged to promote the well-being of the
Infosphere.
Point 1 represents the notion that cyber war is justified to eliminate negative
influences on the well-being of the Infosphere. The next two points reflect the
view that cyber war should only be used to return the Infosphere to a status quo
after a negative influence, never to increase the well-being beyond its natural
state. Together, these points suggest that cyber war is ethically justified, as long
as it is to maintain the health of the Infosphere. There is a lack of guidance
about how this high level ethical view can be translated into practical scenarios.
Is it ethical to declare cyber war on a state if that state is suspected of developing
nuclear weapons? If another state censors all information about an artist, does
that mean cyber war against that state is justified? If so, it may cause an
escalation of tensions into kinetic war. The abstract nature of the Infosphere
presents issues, and more work is needed to help answer these questions.
In comparison to Taddeo, Lin et al. [38] have taken a more practical approach
to the ethical questions of cyber warfare by identifying a number of key aspects
that need ethical consideration:
• Aggression: what kind of cyber attack counts as aggression worthy of a
military response?
• Discrimination: is it possible to be precise enough with cyber attacks that
collateral damage is kept minimal?
• Proportionality: What kind of responses are proportionate for particular
cyber attacks?
• Attribution: The moral obligation to be correct in assigning blame for an
attack.
There is some identifiable overlap with these ethical challenges.
Determining what kind of attack counts as aggression overlaps with legal discussion on
cyber warfare. Likewise, avoiding collateral damage and ensuring attacks are
proportional are also issues which have both ethical and legal aspects. The need
to correctly attribute an attack is not only morally required, but also required
to retaliate legally. The answers to these ethical questions may go hand in hand
with the drawing up of legal frameworks for cyber warfare.
A novel ethical aspect discussed by Lin et al. [38] is that of perfidy. The
Geneva Protocol [39] defines perfidy as:
“Acts inviting the confidence of an adversary to lead him to believe
that he is entitled to, or is obliged to accord, protection under the
rules of international law applicable in armed conflict, with intent
to betray that confidence.”
In other words, perfidy is deception that abuses the trust placed in the
international laws of war. Examples of perfidy in kinetic warfare include
impersonating the Red Cross to move troops without fear of being attacked, or
the feigning of civilian, non-combatant status. Lin et al. [38] point out that
the cyber domain naturally offers methods of deception and trickery, and these
need to be controlled by ethical guidelines so that perfidy is not committed.
Rowe [40] agrees with this view and puts forward an argument that hiding
malware inside innocent looking code could be classed as perfidy, because it is using
legitimate, civilian activity to hide military intent. It can be argued that this
extends beyond just malware. Any cyber attack that attempts to hide amongst
civilian internet traffic or use a civilian to carry an infected USB drive could
be seen as perfidy. Just as soldiers should not hide amongst civilians, it can be
argued that cyber attacks should not hide amongst civilian activity.
There are counter arguments to these points however. Firstly it can be
argued that hiding cyber attacks in civilian activity does not cause any significant
level of harm to those civilians. The aim of the perfidy law is to ensure
continued protection of civilian populations and non combatants [41]. If forces begin
to distrust these groups, protection may not be as forthcoming as it would
ordinarily be. This is a valid concern in kinetic warfare, but in the cyber domain the
worries are less significant. If forces begin to distrust civilian internet traffic, it
may be subject to closer scrutiny by firewalls and intrusion detection systems.
In the worst cases, civilian internet traffic may be dropped completely by
firewalls. This is an inconvenience to civilians but it is not as harmful as firing
upon or imprisoning civilians due to distrust in the kinetic world. Secondly, it
can be argued that perfidious-like cyber attacks are unavoidable in cyber
warfare. Cyber attacks must pass through the same infrastructure used by civilians,
without any special markings that designate that traffic or code as military.
NATO has published the Tallinn Manual [8], which provides some guidance
on perfidy in cyber warfare. The manual states that combatants are not obliged
to mark websites, IP addresses or other information technology facilities that
are used for military purposes. However, making such entities appear to have
civilian status with a view to deceiving the enemy in order to kill or injure is
perfidious. Secondly, it states that while concealing the origin of an attack is
not perfidious, inviting the enemy to conclude that the originator is a protected
person would count as perfidy. Finally, the manual concludes that conducting
cyber attacks through civilian infrastructure does not automatically make them
perfidious - unless it is specifically protected infrastructure such as medical
systems. The Tallinn Manual is discussed in more detail in section 4.4.
Rowe [40] provides a military perspective on the ethics of cyber war. He
discusses issues such as ensuring civilians are made aware of what it may mean
to partake in a cyber war (becoming a legal combatant, for example) and tack-
les the question on if fighting wars remotely can be considered ethical. He
concludes by stating that cyber troops will not require physical courage, but
a moral courage to do what is right without much guidance from established
ethical guidelines. Dipert [42] agrees with this view, stating that cyber warfare640
“appears to be almost entirely unaddressed by the traditional morality and laws
25
of war” [42].
There are currently no widely agreed ethical guidelines for cyber warfare,
however researchers such as Taddeo have attempted to translate existing ethical
justifications into the cyber domain. Many questions still remain on the ethics
of cyber warfare and these have been raised by Lin, Allhoff and Rowe [38] [40].
The challenge of formulating ethical guidelines for cyber warfare is an important
one for the research community to overcome and is arguably the key to solving
other problems. For example, laws regarding the conduct of cyber warfare
cannot be put into place without first knowing what is and is not ethical conduct in
this new domain. Once the ethics are agreed upon, the process of formulating
laws that enforce ethical behaviour can begin. As with early warning system
research, this is another topic that requires a multi-disciplinary approach,
bringing together both technical and ethical minds to discuss what is possible and
where ethical boundaries lie.
4.3. Conducting cyber warfare
When a new domain of war arises, there is an immediate challenge in
determining how to operate inside of it effectively. The arrival of air as a domain
of war was met with research on how its properties could be leveraged to most
effectively fight in it. The same process applies to the arrival of the cyber
domain. This research challenge is therefore concerned with addressing how to
conduct cyber warfare, and how properties of the cyber domain shape that
conduct. Parks and Duggan [22] have examined the established principles of kinetic
warfare, as defined by the US Department of Defense. They then suggest eight
new principles that shape the conduct of cyber warfare. These new principles
are as follows:
1. Lack of Physical Limitations
2. Kinetic Effects
3. Stealth
4. Mutability and Inconsistency
5. Identity and Privileges
6. Dual Use
7. Infrastructure Control
8. Information as Operational Environment
4.3.1. Lack of Physical Limitations
In kinetic warfare, navies must travel across oceans, and ground troops must
navigate terrain. This does not apply to cyber warfare and an attack can be
launched from anywhere with equal impact. This view has some counter
arguments however, since it can be argued that there are still some physical
limitations. Just as a navy must travel over a physical ocean, a cyber attack must
travel over physical cables. The requirement of travel has not been removed, it
is just the speed of travel that has increased in comparison to kinetic forces. In
the case of delivering malware via USB, physical limitations also still apply in
getting the USB to the required USB port. Where a lack of physical limitations
is more convincing is in the production of cyber weapons. Traditional weapons
require both materials and time to produce - cyber weapons do not have these
same requirements, and can be replicated quickly and cheaply. Parks and
Duggan [22] give the example of the Low Orbit Ion Cannon, a cyber weapon which
was freely available to download online.
4.3.2. Kinetic Effects
The aim of cyber warfare is to cause kinetic effects. This includes physical
damage or simply affecting the decision making process of an adversary. Any
attack which has no real world effect cannot be considered as cyber warfare.
This view can also be challenged. As our definition states, cyber warfare is the
use of cyber attacks with a warfare-like intent. It is not a requirement that the
cyber attack succeeds and has an effect, only that the intent behind launching
it was a warfare-like one. This view can be justified by examining some real
world scenarios. Country A launches a missile at country B with the intent to
destroy a military base, but the missile explodes before reaching its target. Is
the launching of this missile not warfare? Caution must be used in requiring
kinetic effects to reach a conclusion of cyber warfare.
4.3.3. Stealth
Stealth in cyber warfare is different to stealth in kinetic warfare. Whilst
camouflage and anti-radar shielding make up traditional stealth, cyber stealth
is focused on hiding amongst legitimate traffic. This principle touches upon the
concept of perfidy that was raised in earlier ethical discussion by Rowe [40] in
section 4.2. The line between perfidy and stealth is currently an ambiguous
one in the cyber domain, since cyber stealth requires the use of civilian traffic:
there simply is no other form of camouflage other than pretending to be civilian
or enemy traffic. Although Parks and Duggan [22] argue that stealth in the
kinetic and cyber domains are different, it can also be argued that there are
similarities. Both require observation of surroundings and actions to blend in to
those surroundings. For a kinetic soldier, this involves wearing colours similar to
the environment such as sand or grass. Similarly, someone in the cyber domain
would observe the traffic around them to also create a suitable camouflage. In
both domains, the goal is to not stand out amongst the environment. Therefore,
the stealth principle could be argued as being similar in both kinetic and cyber
warfare.
4.3.4. Mutability and Inconsistency
This principle reflects Parks and Duggan’s view that the cyber domain is
unpredictable. While a bullet will fly a certain path in reality, a cyber attack
may never act the same way twice due to all the software and hardware factors
involved. This principle can be challenged, since it is debatable whether
mutability and inconsistency are unique to the cyber domain. In kinetic warfare,
small changes in air pressure, minor imperfections on individual bullets, and
human factors in aiming mean that a bullet never flies the exact same path
twice. This makes kinetic warfare inconsistent and mutable, and brings into
doubt the theory that cyber warfare is uniquely mutable and inconsistent.
4.3.5. Identity and Privileges
The primary goal of a cyber attacker is to assume the identity of someone
who has the access required to cause harm. Exploits aim to achieve root access;
social engineering is designed to gather passwords for privileged users. This is
in contrast to traditional warfare, whereby assuming identities is not a part of
being able to conduct battle. It is difficult to argue against this point, since
gaining access to privileged accounts is a major aspect of cyber warfare. It does
however ignore some other aspects such as distributed denial of service attacks.
4.3.6. Dual Use
All cyber warfare tools are dual use, having both warfare and peaceful uses.
This is unlike kinetic warfare, whereby the tools are generally single use. This
principle has both strengths and weaknesses. As a strength, it identifies that
cyber weapons are dual use. Even tools such as distributed denial of service
(DDoS) tools have a peaceful role in testing defences and improving the
robustness of systems. But the idea that dual use is unique to cyber warfare can be
challenged. The fact that a cyber weapon can be used to test a server’s
robustness is not unique to the cyber domain. In the kinetic world a new tank design
will be tested by firing kinetic weapons such as bullets and rocket propelled
grenades to test its robustness. Kinetic weapons can also be used for hunting,
for competitive sport and even for celebration, by firing into the air. Therefore,
it can be argued that the dual use principle is not unique to cyber weapons.
4.3.7. Infrastructure Control
A significant part of cyber warfare is infrastructure control. Two groups
at war in cyber space will only control a limited number of systems: their
own computers and edge network devices. The rest of their traffic will pass
through equipment owned by third parties such as commercial ISPs and
backbone providers. Parks and Duggan state that this leaves the groups exposed to
the weaknesses and wills of third parties, and that gaining direct control over
infrastructure will bring advantages. This principle has merit, since having
direct control over devices gives advantages to both defenders (better situational
awareness and the ability to block traffic) and attackers (large bot nets
allowing greater impact from attacks). However, it could also be argued that the
principle is not unique to cyber warfare. Armies in kinetic wars will also seek
to control infrastructure. Bridges, harbours and air fields are all infrastructure
that kinetic forces may seek to secure from civilian control to better serve their
warfare needs.
4.3.8. Information as Operational Environment
In kinetic warfare the physical operating environment needs to be
transformed into information. In cyber warfare the operating environment is already
information, and no conversion from physical measurements to information takes
place. This principle is debatable however, since the network to be used in
cyber warfare is still made up of physically existing equipment, and the targets of
attacks may be physical, such as power plants or factories. In this regard, some
physical measurements may require converting into information.
Looking at the principles offered by Parks and Duggan [22], it is clear that
more work is needed to better identify the features of the cyber domain that
will shape the conduct of cyber warfare. Lack of physical limitations in the
production of cyber weapons is the strongest factor identified so far, and will
affect who can possess weapons and how many can be produced. It can be
argued that there are unique cyber warfare principles that Parks and Duggan
have not identified:
• Fast Weapon Life Cycle: Kinetic weapons have a slow life cycle;
research and development of new weapons requires tens of years, and
production requires time and materials. They remain a viable weapon for
many years. Cyber weapons have a much faster life cycle. Research and
development to find zero day exploits takes months rather than years
and replication is essentially free and instantaneous. However, a cyber
weapon’s period of viability is variable and always at risk. Vulnerabilities
that the cyber weapon relies on may be closed by vendors at any time.
Once used, the signature of the weapon can be added to detection
systems and blocked. Gartzke agrees with this principle, stating that cyber
weapons have a “use and lose” aspect [43]. However, it can be argued
that a cyber weapon’s effectiveness can be lost even without use. This
principle is visualised in figure 4.
• Non Volatility: Kinetic weapons are generally destroyed at the point of
impact and cannot be reused. Cyber weapons do not self destruct and
can be reverse engineered, as Stuxnet [44] proved. This means that extra
consideration must be made before launching a cyber weapon, since the
technology behind it has the potential to be reused by the target. This
principle may result in cyber weapons that include self destruct
capabilities.
Figure 4: Weapon Life Cycles
Providing more insight into this area, Liles et al. [45] have also studied how
kinetic warfare principles may be applied to cyber warfare. They examine the
nine principles of traditional warfare used by the US Army (shown in table 2),
and discuss the ease of applying them to cyber warfare.
Table 2: US Army principles of kinetic warfare [45]
| Principle | Description |
|---|---|
| Objective | Every military act should have a clearly defined and attainable objective |
| Offensive | Seize, retain, and exploit the initiative |
| Mass | Focus the effects of combat power at the decisive place and time |
| Economy of force | Allocate minimum essential combat power to secondary efforts |
| Maneuver | Place enemies into a disadvantageous position through the flexible application of combat power |
| Unity of command | Ensure unity of effort under one responsible commander |
| Security | Never permit the enemy to acquire an unexpected advantage |
| Surprise | Strike the enemy at a time or place or in a manner for which he is unprepared |
| Simplicity | Plans and orders should be clear and concise |
Liles et al. argue that the objective principle can be applied to cyber warfare
without much work; those engaged in cyber warfare will have objectives, and
launch attacks to achieve those objectives. This idea of objective agrees with
our definition, since the pursuit of military objectives is a warfare-like intent.
Examining the offensive principle, they find difficulty in applying it to cyber
warfare. They suggest that cyber space blurs the line between offense and
defence and that this principle therefore can’t be applied to cyber warfare.
This perspective must be challenged however, since cyber defence teams run
red vs. blue exercises where the idea of offense and defence are well defined.
It can be argued that seizing the initiative is locating a zero day vulnerability
and exploiting it before the enemy does. Retaining the initiative translates to
constantly looking for new vulnerabilities, or installing back doors to ensure
multiple paths into a system. Exploiting the initiative refers to fully exploiting
the advantages gained by seizing and retaining the access.
Liles et al. look at mass and economy of force as one and find them
challenging to apply to the cyber domain. Using an example of a DDoS attack,
they claim that the force behind it is not significant, even though the effect is
great. In contrast, they claim the maneuver principle is easier to apply, since
operating in cyber space only makes maneuvering quicker. Rather than
command large armies across vast terrain, maneuvering in the cyber domain can be
thought of as quick decision making, enabled by the use of computers. They
claim that unity of command is also easily applied: since IT improves command
and control in traditional warfare, being immersed into an environment of IT
(the cyber domain) boosts command and control. The view that command
and control will improve because the environment is entirely made up of IT
must be challenged however. The replacing of kinetic forces with cyber forces
may make unity of command more difficult, since attacks can be launched and
counter launched in milliseconds, increasing the pace of warfare. Malware has
the potential to spread and not be easily recalled or directed elsewhere. To be
effective, automated defences will have to make decisions with no human input.
For these reasons, unity of command may be challenging in cyber warfare.
Regarding the security principle, they suggest that avoiding unexpected
advantages in the cyber domain is difficult. Even if perfectly secure systems are
designed, an insider attack may still present an unexpected advantage for an
opponent. However, it can be argued that this principle can be adapted.
Instead of aiming to never allow unexpected advantages for the enemy, it should
be translated to minimising the opportunity for and impact of unexpected
advantages. This modification allows for the fact that unexpected advantages will
arise as new vulnerabilities are discovered, but gives cyber defence teams the
aim of minimising the impact of those advantages.
To follow the surprise principle, Liles et al. argue that cyber attacks should
target systems where they are least expected. This is because these systems will
likely have the weakest protections and monitoring. In addition to Liles et al.’s
suggestion, it can also be argued that surprise includes using cyber weapons
that can remain stealthy. By using sleeper malware that hides in a system and
activates upon receiving a signal, the principle of surprise can be applied.
Applying simplicity to cyber warfare, they claim that there is nothing
simpler than the one or zero of binary. While this is true, Liles et al. may have
misunderstood the intent behind this principle. Whether ones and zeros are
simple or not does not reflect the purpose of this principle, which is to ensure
plans and orders are simple enough to be carried out as intended. In the cyber
domain, this simplicity translates to giving clear orders such as securing root
access on a particular host.
Both Parks and Duggan [22] and Liles et al. [45] have attempted to identify
principles by which cyber warfare can be conducted, but both have
encountered challenges. Weaknesses were identified in the suggested principles and the
arguments behind them.
Laprise [46] has offered a different perspective into the area of conducting
cyber warfare by comparing it to naval warfare.
Figure 5: Laprise’s comparisons between maritime and cyber warfare [46]
Figure 5 shows five strategic principles, along with how each would be rep-
resented in both maritime and cyber warfare. Laprise states that all of the
principles have easily identifiable examples in the cyber domain, except for one:
decisive battle. Laprise finds difficulty in finding a cyber equivalent of a deci-
sive battle, since while operating systems may be wiped, there is no permanent
physical damage to the hardware and therefore cyber warfare alone cannot win
a war. This is in agreement with authors such as Gartzke [43], who argue
that cyber warfare must operate alongside kinetic warfare to have any decisive
meaning. There are challenges to this view however, since there are imaginable
scenarios where cyber warfare could inflict a decisive blow. Continuing the mar-
itime theme, malware that can simultaneously disable weapon systems on all
battleships may be decisive enough to cause surrender. However, the argument
still remains that this disablement would likely be temporary in nature and only
decisive when followed up with kinetic warfare.
The topic of how to conduct cyber warfare and the principles that shape it
is a challenging one. Authors such as Parks and Duggan [22] have taken the
approach of trying to identify what the principles of cyber warfare may be. But
as has been demonstrated, their arguments often have counter points that bring
the usefulness of the principles into question. Others such as Liles et al. [45] have
taken existing principles and attempted to translate them into the cyber domain,
but with limited success. Laprise [46] took another approach, comparing the
better understood domain of sea with the domain of cyber.
It must be concluded that there is no satisfactory set of cyber
warfare principles currently available. It is unclear if future academic research
can address this gap, or if it is a problem that can only be addressed through
experience of cyber warfare. The first aircraft used in early air warfare did not
come with a set of air warfare principles; these were developed based on the
experiences of air warfare pioneers. In this regard, the emergence of true cyber
warfare principles may rely on the experiences of cyber warfare pioneers.
4.4. Applying existing laws to Cyber War
With a long history of war, the world has seen the development of long stand-
ing and internationally accepted laws on how traditional kinetic war should be
carried out to remain legal [47]. With cyber warfare being sufficiently differ-
ent from kinetic warfare, attempts to apply the laws of armed conflict to cyber
warfare have presented a new research challenge. Questions on who is a legal
combatant, state neutrality and the protection of civilians all need to be an-
swered by this research area. The most comprehensive work on this topic comes
from NATO in the form of the Tallinn Manual [8]. Put together by an international
group of experts, the manual is not a lawfully binding document but
gives guidance on how existing laws of armed conflict apply to cyber war. It is
out of the scope of this paper to analyse all 95 rules from the document, but an
overview and some analysis on the overall approach of the manual can be given.
The structure of the Tallinn manual is shown in figure 6.
Figure 6: Overview of the structure of the Tallinn Manual
As an example of the manual’s approach, rule 43 addresses indiscriminate
means or methods. The rule states that:
“It is prohibited to employ means or methods of cyber warfare that
are indiscriminate by nature. Means or methods of cyber warfare
are indiscriminate when they cannot be: a) directed at a specific
military objective or b) limited in their effects as required by the law
of armed conflict and consequently are of a nature to strike military
objectives and civilians or civilian objects without distinction.”
The manual explains the legal basis for this rule, citing Article 51(4)(b) and
(c) of the Additional Protocol I of the Geneva Conventions [39]. The group of
experts also give examples of what would and would not violate this rule. For
example, a piece of malware that could not be controlled and would harmfully
spread beyond its intended target would violate the rule. However, Stuxnet-
like malware which spreads into civilian systems but only attacks very specific
equipment would not violate the rule. This methodology of rule, basis and
explanation is followed throughout the manual, making it easy to follow how
the group of experts developed each rule and the legal reasoning behind it.
Although the manual is detailed and arguably the best attempt yet to trans-
late the existing laws of armed conflict into the cyber domain, it does have weak-
nesses that need to be addressed. Firstly, the manual admits that to produce the
rules, only the military manuals from four countries have been used: Canada,
Germany, the United Kingdom and the United States. This means that the
manual may potentially be biased and influenced by western thinking of war and
conflict. Other organisations such as the Shanghai Cooperation Organisation
(SCO) have shown an interest in regulating cyber warfare and a collaborative
effort between the SCO and NATO would arguably produce more globally ac-
ceptable results. Secondly, the group of experts encounter issues when trying to
translate terms such as the “use of force” into the cyber domain. Determining
when a “use of force” has occurred is of great importance, since it defines the
moment that a state has violated the UN Charter. Rule 11 attempts to define
the use of force in the cyber domain, but concludes that whether “force” is used
in a cyber attack is subjective and dependent on a Schmitt Analysis, as shown
in table 3. Even with the detailed and valuable work of the Tallinn manual, a
state coming under cyber attack still has no conclusive guidance on whether the attack
is a use of force or not.
Table 3: Schmitt Analysis [8]
Severity: Attacks that cause physical damage or injury are more severe than those that just disrupt operations, and are more likely to be seen as a use of force
Immediacy: A quick attack that leaves no time for a peaceful response is more likely a use of force
Directness: An attack which has a direct effect such as an explosion is more likely to be seen as a use of force than one which has a more indirect effect such as a slowing of the economy.
Invasiveness: An attack which penetrates an important military system is more likely a use of force than one which penetrates a small business
Measurability: The more quantifiable the effects of an attack, the more likely it is to be seen as a use of force
Presumptive Legality: If there is no specific law against something, it is considered legal and therefore not a use of force
A final significant issue with the manual is that the group of experts rarely
reach a unanimous agreement on how the laws should be applied in the cyber
domain. Many rules printed in the manual state that a certain number agreed
with aspect A, whilst another number disagreed. This highlights the difficulty
encountered in translating the existing laws, rather than a failing of the manual.
Michael Schmitt is an active researcher in the area of international law and
cyber warfare [48, 49, 50, 51] and was director of the International Group of
Experts involved in writing the Tallinn Manual. Schmitt [49] compared the
Tallinn manual against a speech by US State Department legal advisor Harold
Koh [52]. This speech was regarded as significant, since it set out the United
States’ view on how laws applied to the cyber domain. Schmitt concludes that
in the majority of points, the Koh speech and Tallinn Manual are in agreement.
Both conclude that a cyber attack can be classed as a use of force in some
circumstances, both agree that states may act in self defence and so on.
Foltz [53] has studied Stuxnet [44] to help define what can be classed as a use of
force in cyber space. He concludes that in most respects, Stuxnet meets the
requirements to be classified as a use of force, but an obstacle to doing so is the
attribution problem. Without being able to attribute a particular attack to a
nation state, Foltz claims that uses of force in the cyber domain are difficult to
prove. He concludes that those involved in cyber warfare have to be prepared
to operate in an ambiguous and contested legal environment until the domain
has matured.
Fanelli and Conti [54] have also used the Stuxnet scenario to examine if
international law can be applied to cyber attacks. In particular they attempt
to apply the principles of discrimination, distinction and proportionality. They
conclude that Stuxnet showed discrimination and distinction. While it propa-
gated to as many machines as possible, the primary payload was only launched
if it located a very specific target. The attack also showed proportion, since it
made small but effective changes to the operation of centrifuges, causing them
to fail safely with little to no collateral damage. This work therefore supports
the view that international law can be applied to the cyber domain.
Rauscher and Korotkov [55] take an alternative approach by arguing that
the process of conversion needs to be made easier before it can be successful.
They present five recommendations that would make applying existing law to
the cyber domain easier:
• Detangling Protected Entities in Cyberspace: The separation of civilian and military systems.
• Application of the Distinctive Geneva Emblem Concept in Cyberspace: Marking of protected zones, e.g. medical systems.
• Recognizing New Non-State Actor and Netizen Power Stature: Recognising that non state actors may be involved in cyber warfare.
• Consideration of the Geneva Protocol Principles for Cyber Weaponry: A suggestion that cyber weapons need to be understood before laws can be made.
• Examination of a Third, Other-Than-War Mode: Classifying cyber warfare as something different, avoiding the need to adapt existing rules.
These recommendations are useful in that they present a novel approach
to applying existing law to cyber warfare. While other authors focus strictly
on how the laws translate, these recommendations suggest how this translation
could be made easier. Some of the ideas are difficult to achieve technically (such
as having marked zones and detangling civilian and military systems), but they
offer a good basis for future research.
To summarise this research area, there is a challenge in applying the estab-
lished laws of armed conflict to cyber warfare. Aspects such as the use of force,
self-defense and ensuring attacks are discriminate are all issues that have led
to debate when it comes to applying them to the cyber domain. The Tallinn
Manual offers the most comprehensive guide yet on how the laws apply, but does
not solve all of the issues. The international group of experts could not reach a
definitive answer on when a cyber attack constitutes a use of force or when the
right to self-defense should be granted. As has been stated, a full examination
of the rules given by the Tallinn Manual is out of scope for this paper, but these
examples highlight the lack of legal guidance on how international law applies
to cyber warfare. As Foltz stated, nations should be prepared to conduct cy-
ber warfare under ambiguous guidelines and legal grey areas for the foreseeable
future.
4.5. Cyber Weapons
The topic of cyber weapons covers a range of challenges: defining what a
cyber weapon is, how they are different to traditional weapons, if it is possible
to control their production and use and so on. Arimatsu [56] has defined a
traditional weapon as “a device designed to kill, injure, or disable people, or to
damage or destroy property”. She argues that this definition is not suitable for
cyber weapons, since the purpose of a cyber weapon is often to cause an indirect
kinetic effect, that may or may not result in death, injury or damage. In other
words, cyber weapons such as a piece of malware may have the goal of simply en-
abling the collection of data or opening a backdoor for future attacks. Arimatsu
also rejects the idea that a cyber weapon could be defined by its potential to
inflict harm, stating that such a definition is too broad. She examines the idea
that a cyber weapon could be defined as malicious software that possesses an
offensive capability, but points out that this is not specific enough to allow legal
regulation, due to the dual use nature of tools and code. Arimatsu concludes
that to define cyber weapons, both capability and intent need to be examined
together. Therefore, a piece of malware or a tool only becomes a cyber weapon
when it has the capability to cause harm, and the person using it has a harmful
intent.
This definition addresses the dual use issue, and agrees with our definition
model that intent is a vital aspect in defining cyber terms. Evidence supporting
the need for intent can be found by examining comparable kinetic events: A
knife in the hands of a chef is a tool, but when the user of the knife gains harmful
intent, the tool becomes a weapon.
The issue of controlling cyber weapons is also a research challenge. Denning [57]
argues that with well established international controls over the pro-
duction and trade in kinetic weapons, it is only natural to investigate whether
the same controls should apply to cyber weapons. She concludes that regulat-
ing the production and trade of cyber weapons would have some advantages
including a reduction in the number of cyber attacks, sending a message that
cyber weapons are unacceptable and easing international tensions regarding cy-
ber attacks. Denning points out that creating cyber arms controls encounters a
number of obstacles however:
• Difficulty of enforcement
• Reaching international agreement
• Defining acceptable limits of activity
• Poor cost effectiveness of regulation
• Impact on free speech
• Reduced capacity for nations to retaliate
Arimatsu [56] has examined the potential for cyber arms control treaties in
detail. She describes how there are broadly four types of treaty:
• Limiting the number of specific weapons in the world
• Restricting the use of specific weapons
• Restricting the testing of specific weapons
• Restricting the development and acquisition of specific weapons
It can be argued that limiting the number of cyber weapons is not a realistic
prospect, since code can be replicated and copied in fractions of a second at a
tiny computational cost. Restricting the testing of cyber weapons is also a dif-
ficult task. Unlike a nuclear weapon, a cyber weapon can be tested on a private
network with no evidence of testing detectable by a third party. Restricting
the development and acquisition of cyber weapons is again not a feasible goal:
malicious code can be written from scratch or copied and sold to third parties.
Encryption techniques could also hide the transport of cyber weapons between
seller and buyer. Therefore, the only viable type of treaty is one that restricts
the use of specific cyber weapons. Nation states agreeing to such a treaty would
be prohibited from using certain types of cyber weapon, such as those which do
not discriminate between civilian and military targets.
Arimatsu points out that it is important to look at the overall goals of arms
treaties, to see if the same kind of goals can be achieved in the cyber domain.
She suggests that traditional arms control treaties have the following goals:
• Minimising disparities in arms levels between states to reduce instability
• Increasing predictability in relations between potentially hostile states
• Pre-empting the development of new weapons
• Decreasing global expenditure on arms to divert funds to economic and social causes
• Fostering a non-hostile atmosphere
• Decreasing suffering and damage during armed conflict
The majority of these overarching goals are aimed at maintaining a balance
of power between nation states. Arimatsu notes that this is a valid goal when
such weapons are only affordable to states, but that when it comes to very
cheap cyber weapons which can be obtained by anyone (including non-state
actors), the notion of maintaining a balance of power in the cyber domain is
not a convincing one.
Arimatsu concludes that there are a number of other obstacles preventing the
creation of effective cyber arms control treaties. Firstly, she states that the pace
of technology is so great that any list of banned cyber weapons would be obsolete
within days. A ban list would have to describe effects and characteristics that
cyber weapons must or must not have, and would be general in nature. Secondly,
she is in agreement with Denning [57] that verifying compliance would be an
almost impossible task. Whilst hiding chemical weapons from inspectors is a
relatively difficult task, cyber weapons could be just a few bytes of data, stored
in the cloud and encrypted. Even if inspectors did find a banned tool or piece of
code, the dual use aspect means that without proven intent to use it for harm,
it is not a cyber weapon.
Rowe [40] identifies three specific challenges posed by cyber weapons:
• Collateral Damage
• Unpredictability
• Damage Assessment
He states that there are a number of reasons why cyber weapons may be
more prone to collateral damage than kinetic weapons. Firstly, he argues that
in the cyber domain, civilian and military targets are hard to distinguish. This
idea relates to the work discussed previously by Rauscher and Korotkov [55],
who proposed an attempt to de-tangle military and civilian systems. Secondly,
he suggests that the cyber domain presents a temptation to use civilian infrastructure
as stepping stones. However, it can be argued that the use of civilian
infrastructure is more than a temptation: it is a necessity. This is because back-
bone providers that provide core connectivity to a nation are run by civilian
organisations. A third factor leading to collateral damage is uncontrollability.
Malware will be designed to spread automatically according to its coding, and
could spread beyond its intended target.
Rowe [40] claims that a second challenge is unpredictability: network, hard-
ware and software issues can alter the impact a cyber weapon has. Applying
a security patch or changing firewall rules could foil years of development on a
cyber weapon, or make it act in an unintended way, a problem not encountered
by kinetic weapons. This is a similar argument to that made earlier by Parks
and Duggan [22] that cyber warfare is unpredictable, and the same counter
argument applies. Kinetic weapons are not predictable either: soldiers can en-
counter weapon jams, and bombs can fail to detonate upon impact. It can be
counter argued that a more convincing concept is that of unpredictable impact.
Assuming a bomb is dropped on an air base, there is a finite range of impacts,
from destroying some aircraft to making the runway unusable. Launching a
cyber attack at that same air base has a wider potential range of impacts that
are more difficult to plan for. For example, malware placed into the control
tower may spread beyond the airbase to other control towers, both military and
civilian.
This problem of unpredictable impact is related to the third challenge: dam-
age assessment. In most cases, the damage from a bomb dropped by an aircraft
is relatively easy to assess, since it has an immediate kinetic effect that can be
observed. Damage from a cyber weapon is less easy to observe. If an attacker
launches a piece of autonomous malware, the effects are not immediately appar-
ent. The extent to which it has spread is challenging to measure. The victim
may also find it difficult to perform a damage assessment, since the effects may
be subtle, dispersed across many systems and designed to avoid detection. Rowe
highlights how negative effects of a cyber weapon such as a slowing down of a
device may persist for years after the conflict, analogous to the use of land mines
in kinetic warfare.
He concludes that future cyber weapons need to be controllable, in that the
attacker retains control over the weapon and is able to remotely disable it. Rowe
also argues that cyber weapons should contain a signature, which identifies the
attacking nation. He argues that this is to abide by international law stating
that all combatants must wear identifiable markings. This view is similar to
Rauscher and Korotkov’s view that protected zones should be marked. The
Tallinn Manual disagrees with this view however, stating that websites, IP ad-
dresses and other information technology facilities do not need to be marked.
It can be argued that the Tallinn Manual is correct on this debate. Trying to
bring the concept of identifying emblems to the cyber domain is a hugely chal-
lenging task with both organisational and technical issues. How would warfare
IP addresses be identified as such? Would a compromised system have to be
marked as military before being used as a stepping stone? With these questions
in mind, it becomes apparent there are many obstacles to overcome before such
a system would be useful.
Related to Rowe’s call for cyber weapons to be controllable, Tyugu [58]
has examined the challenge that automated malware and anti-malware systems
present. Automated malware will attempt to find the best targets and attack
vectors, whilst anti-malware systems will increasingly act autonomously to defend
systems. According to Tyugu there are three dangerous situations that
automated malware and anti-malware systems may encounter:
• Misunderstanding of a command
• Misunderstanding of a situation
• Unexpected emotions
Misunderstanding of commands arises when the protocols used between au-
tomated agents are not verified well enough. Semantic problems of understand-
ing may arise between automated agents, which could lead to unsuitable ac-
tions being performed. Misunderstanding of a situation relates to the problem
whereby an event occurs and the automated malware or anti-malware reacts
in an undesirable way due to having an incorrect view of the situation. While
automated systems do not currently have emotions, they can prioritise actions
that are more urgent than others. These priorities may conflict or result in un-
desirable behaviour in response to a complex situation. A final threat raised by
Tyugu is the formation of unwanted coalitions between autonomous malware.
As an example, malware inside of a botnet may communicate with other nodes
and collectively decide the best way to achieve a goal. This kind of collective
decision making between multiple autonomous cyber weapons may lead to un-
desirable actions and a loss of control by human operators. It can be argued that
concern over automated cyber weapons is warranted. With cyber attacks able
to be delivered in milliseconds, the temptation to automate systems increases.
This damages the earlier discussed principle of unity of command, and removes
the ability of a human operator to direct and, if necessary, disable the cyber
weapon to stop it causing further damage. This view is supported by Caton [59],
who states that automated cyber weapons remove human decision making and
could turn a bad situation into a catastrophic one.
In summary, the area of cyber weapons presents many research challenges.
Arimatsu and Denning have asked if cyber weapons can be subject to arms con-
trol, and both agreed that there are difficulties in applying traditional concepts
of arms control to the cyber domain. Controllability is also an issue.
Automation of cyber weapons and cyber defenses will be a tempting prospect
for nations, but researchers such as Tyugu, Rowe and Caton have warned that
this automation needs to be balanced with control to avoid situations where
cyber weapons reach beyond the ultimate control of a human operator. As with
the other challenges presented in this paper, the challenge presented by cyber
weapons needs to be addressed by a multi-disciplinary approach. Computer
science, ethics, law and military input are required to assist in shaping the future
of cyber weapon use.
4.6. Attribution Problems
Attribution is defined by Wheeler and Larsen [60] as “determining the identity
or location of an attacker or an attacker’s intermediary”. Authors such as
Wheeler and Larsen have argued that attribution is an essential element of cyber
warfare, claiming that: “As with conventional warfare, a good offense is often
the strongest defense. However, many offensive techniques, such as computer
network attack, legal action (e.g., arrests and lawsuits), and kinetic energy at-
tacks, can only be deployed if the source of the attack can be attributed with
high confidence” [60]. This view is supported by Dever and Dever, who state
that cyber defense models “rely heavily upon the advancement of technological
capability to assist with the ever vexing issue of attribution” [61]. Friesen [62]
agrees, stating that the inability to attribute a cyber attack stands in the way
of regulating cyber warfare.
However, the view that attribution is essential in cyber warfare is challenged
by other authors such as Hare [63]. He counter argues that lacking absolute
attribution of a cyber attack is not a barrier to a nation responding. Hare
suggests that the politics between nations is dynamic enough so that reasonable
suspicion of responsibility can be enough to initiate a retaliatory response. An
example given by Hare is of a nation aggressively lobbying for positions that
conflict with interests of the suspected attacker on the international stage. As
long as the suspected attacker realises that this hostile political positioning is
in response to the cyber attack, the victim has managed to effectively respond
to the attack without unequivocal attribution.
Looking at these arguments, it can be argued that the importance of attri-
bution is diminished but not eliminated in cyber warfare. While states may not
require absolute attribution to make a response, strong attribution will likely be
useful for arbitration on the international stage, in forums such as the United
Nations.
A major challenge in the area of attribution is that of prepositioning. Wheeler
and Larsen [60] present seventeen attribution techniques, but claim that they
require prepositioning of both trust and technology. Logs cannot be studied if
the technology to keep those logs was not prepositioned before the cyber attack
occurred. Similarly, network administrators cannot work together effectively to
find the source of an attack if the trust relationship between those administrators
and their organisations is not prepositioned. Setting up these trustful relation-
ships between organisations can be difficult: differing languages, conflicting laws
and commercial rivalry all introduce obstacles to forming prepositioned trust.
Wheeler and Larsen suggest that the obstacle of prepositioning both trust
and technology can be overcome by the adoption of industry standards. By
having access to a standardised set of tools that provide a legally agreed level of
attribution ability, the barrier of manually creating trust relationships between
organisations is removed, since the technology and trust would be prepositioned
by default.
Boebert [64] has challenged the view that having standards would end the
attribution problem, since technical attribution alone is not a useful legal tool.
An IP address cannot be held responsible for a cyber attack, and even if that
IP address is traced to a physical machine, the owner of said machine can claim
it was stolen, used by a visitor or taken over by malware and used remotely. He
therefore argues that technical attribution needs to be converted into human
attribution: proving that a human being performed action A at time B. To
do this, he suggests keystroke analysis could be used. It can be argued that
this solution is weak however, since using keystroke analysis for attribution
has problems. Firstly, the attack may not require “live” typing, so there are
no markers such as speed to measure against. Secondly, even if live typing was
used, logs would not be able to show the speed or the number of errors - only the
final command after enter was pressed. Thirdly, a suspect who has their typing
monitored as part of an investigation may intentionally alter their keystroke
behaviour.
The area of attribution is vast, and spans not just cyber warfare but also
other areas such as cyber crime. As stated earlier, there are many papers
from the research community that examine the technical aspects of how to
perform and improve attribution of cyber attacks in general [65] [66] [67], and
specifically for critical national infrastructure [68]. While attribution is clearly
very important in other areas such as cyber crime, it has been argued that it is of
lesser importance in cyber warfare because absolute attribution is not necessary
to elicit a retaliation. Others insist that the ability to attribute attacks continues
to be a major challenge for cyber warfare. More research would be useful to not
only continue improving attribution methods, but to also reach conclusions on
just how necessary it is in cyber warfare.
4.7. Cyber Defence and Deterrence
This area of research is focused on two main questions: How does an entity
defend itself from cyber attacks, and how can it deter an aggressor from launching
cyber attacks in the first place? As with attribution, these two questions not
only apply to cyber warfare, but also more broadly to all forms of cyber attack.
Saydjari [69] argues that a good cyber defence system requires six elements:
• Sensors and exploitation: The eyes and ears of a defence system, detecting attempted attacks.
• Situational awareness: Converting sensed attacks into meaningful data from which decisions can be made.
• Defensive mechanism: Technology that counters cyber threats. E.g. antivirus software.
• Command and control: Making and executing defensive decisions quickly and effectively.
• Strategies and tactics: Knowing which defensive actions are best, and when a change in actions is beneficial.
• Science and engineering: An understanding of how to design and improve defensive systems.
This is a comprehensive view of cyber defence, but it can be argued that a
seventh element is missing: cyber intelligence. Cyber intelligence would address
the element of learning from past attacks and incorporating lessons learnt into
each and every stage. For example, if a cyber attack does defeat a defence team
and cause damage, time needs to be spent working out which elements need to
be hardened to prevent that attack in the future: Was it missed by the cyber
sensors and could they be hardened to prevent that happening again, or was it a
fault in the cyber strategies and tactics? Perhaps the sensors and strategy were
fine, but the actions were taken too slowly, meaning that command and control
requires strengthening. The crucial element of early warning is also missing, as
was discussed in section 4.1.
Saydjari [69] states that there are a number of research challenges that re-
main unresolved in the area of cyber defence. He calls for more research on
a variety of topics including how to make trustworthy systems out of untrustworthy
components, better intrusion detection technology, and better ways of
responding to distributed denial of service attacks. He concludes by putting
forward an argument for a national cyber defence capability in the US: A gov-
ernment led, concentrated national effort to gather the best minds and formulate
an effective cyber defence policy. Saydjari [70] argues that the national effort
will require the cooperation of a number of government agencies, an extensive
budget, and the support of the U.S. President.
Vazquez et al. [71] suggest an alternative approach, emphasising the impor-
tance of information sharing networks between organisations as an effective way
to bolster cyber defence. They examine why previous attempts at information
sharing networks have failed, and how to ensure they succeed in the future:
• Incentives and barriers to information sharing: Discuss expectations with participants - why is the sharing network needed? What will be shared?
• Information value perception and collaborative risk management: Ensuring that participants see value in the information shared and share an appreciation of how that information impacts risk in their organisation.
• Improving data exchange: Formulating agreed paths of information flow, to ensure information reaches relevant individuals in each organisation.
• Automation of sharing systems: Encouraging automation to speed up the sharing of information and provide it in a standardised form.
O’Connell [72] provides another perspective on cyber defence, stating that
it can be improved through education on what she terms “good cyber hygiene”.
Rather than create complex defence systems as Saydjari [70] has suggested, or
rely on information sharing agreements between organisations as highlighted by
Vazquez et al. [71], O’Connell argues that most cyber attacks can be prevented
by simply educating users of information technology so that they can avoid
assisting an attacker. This viewpoint has merit, since Stuxnet was given access
to its target via an employee inserting a USB drive into a control network [44]. It
can therefore be argued that educating people on security issues is a significant
part of cyber defence.
Richard A. Clarke, who was special advisor on cyber security to president
Bush (2001-2003), presents a view held by some private organisations that defending
from cyber warfare is a job that governments should be doing. He
provides an analogy, stating that asking private organisations to defend
themselves from cyber warfare is like asking them to install their own anti air-
craft platforms at their businesses [27]. This view can be challenged however,
since there are significant differences between a kinetic defence and a cyber de-
fence. Defending from a kinetic attack such as an air strike requires hardware
that is restricted in sale and expensive. It is also a task that involves specific
military knowledge and expertise: What type of aircraft will likely attack? What
altitude will they be at, and what countermeasures do they have? These are
questions of a purely military nature that the military is best positioned to an-
swer. With cyber defence however, the same defences used to counter a criminal
cyber attack can be used to help counter cyber warfare. Therefore, it can be
argued that it is not unreasonable to ask private organisations and individuals
to take a role in defending themselves during cyber warfare. Counter arguments
to this point are that firstly, cyber warfare attacks may be so sophisticated that
standard defences are not sufficient. Secondly, asking civilians to take part in
defending from cyber warfare raises legal questions on combatancy.
The second aspect of this sub topic is that of deterrence. While cyber defence
is concerned with stopping attacks being successful, deterrence is concerned with
discouraging the aggressor from launching the attack in the first place. Libicki
defines cyber deterrence as “a capability in cyberspace to do unto others what
others may want to do unto us” [73]. In other words, cyber deterrence is ensuring
that adversaries know that if they launch a cyber attack, they will get a cyber
attack back. Libicki highlights how deterrence has been proven successful in the
past. Nuclear deterrence helped ensure that the cold war between the United
States and Soviet Union never escalated into a hot war [74]. But Libicki argues
that when it comes to cyber deterrence, there are some challenges to be resolved:
• Attribution: If the attacker believes they will not be traced, the threat
of retaliation is not a deterrent.
• Failure to recognise risks: The attacker may underestimate the cyber
ability of those they are attacking, or overestimate the security of their
own systems. If there is a failure to recognise the risk to their own assets,
the effect of cyber deterrence is low.
• Repeatability: Kinetic responses such as missile strikes can be used
repeatedly as required as retaliation for every attack. But cyber weapons
are more prone to being single use; once a zero day exploit is used, the
enemy has the opportunity to close the vulnerability. This threatens the
credibility of long term cyber deterrence.
• Setting thresholds: It is unclear what kind of action in cyber space
crosses the threshold to trigger a retaliatory response.
• Escalation: Retaliation in cyber space needs to be considered carefully
to avoid escalating conflict needlessly. This aspect is linked to the setting
of thresholds.
• Cyber dependence: If a nation has very little cyber infrastructure, the
effect of cyber deterrence is low since they have little at risk. Clarke [27]
agrees that this is a major challenge facing cyber deterrence.
Most significantly, Libicki [73] argues that there is an underlying problem
with the whole concept of cyber deterrence. He states that while a nuclear de-
terrent threatened to cripple a nation, a cyber deterrent does not. He therefore
suggests that a cyber deterrent is only effective if it is not used, since using
it would show how weak the response was. This argument can be countered
however, since attacks on critical national infrastructure could cause immense
harm if conducted with enough skill and resources. It can also be argued that
traditional deterrence also had the same weakness: Although the superpowers
threatened mutually assured destruction, it was never guaranteed that a super-
power would actually carry out a retaliatory attack, or had enough weapons
to make it crippling. In this respect, it can be counter argued that perceived
threat rather than actual threat is what makes deterrence valuable, and that
this is not unique to cyber deterrence.
Alperovitch [75] is more convinced than Libicki [73] that cyber deterrence can
work. He agrees that attribution is a problem, but in agreement with Hare [63]
states that accurate attribution is not necessary, and that reasonable suspicion
is all that is needed. He claims that states should publicly declare “red lines”,
which when crossed will initiate a counter strike against all suspected attackers.
Recent events have shown that publicly declaring red lines can be a dangerous
act however. In 2013, US president Barack Obama announced that Syrian use
of chemical weapons was a red line that if crossed would provoke a reaction from
the United States. This may have been intended to act as a deterrent, but when
chemical weapons were used, America’s will and capability to act on that red
line was publicly tested [76]. With these announced red lines and some public
demonstrations of cyber attack capability, Alperovitch claims that deterrence
can play an effective role in cyber defence.
Sterner [77] agrees that the biggest problem facing cyber deterrence is know-
ing who attacked and finding suitable targets to retaliate against. He points out
that if the attacker is a non-state actor, retaliation may involve infringing the
sovereignty of a state, a step that has greater cost than benefit. While authors
such as Libicki [73] find the concept of cyber deterrence lacking, Sterner suggests
that it is simply looked at in the wrong way. He argues that deterrence is
too often seen in the nuclear sense, an all or nothing situation where a use of
force marks the failure of deterrence. But Sterner [77] suggests that in the cyber
domain, cyber attacks peak and trough at varying levels of intensity over a long
period. In this respect, Sterner puts forth the view that entities should use de-
terrence in a much more dynamic way, which he calls “active-deterrence”: using
combinations of threats and retaliatory attacks to best manage the situation and
influence events to best serve them. Sterner suggests that active deterrence may
be the best kind of deterrence for the cyber domain and that rather than being
the first and last line of defence, it should be seen as one measure in the bigger
picture. Education on cyber security, better cooperation between organisations
and improved technical security will all sit alongside deterrence to form a complete
package of cyber defence.
Gartzke [43] argues that the concept of cyber deterrence is not at all con-
vincing. He agrees that cyber weapons have short periods of viability - what
he calls a “use and lose” aspect whereby the use of a cyber weapon reveals
the vulnerability, damaging its future effectiveness. He gives the example of a
state deterring attacks by threatening to shut down the attacker’s mobile phone
networks. Without proof of this ability, nations will be dubious of its actual
threat, yet if it was demonstrated, the vulnerability would be revealed and the
weapon would become obsolete. Again, it seems that perceived threat is what
makes deterrence valuable, but the difference highlighted by Gartzke is that
cyber weapons completely rely on imagined threat with no demonstrated threat
at all. This can be related to the idea of sleeper malware, whereby a state may
deter attacks by suggesting they already have malware inside another nation’s
infrastructure and could disrupt it at will.
A significant point to note is that the majority of research on cyber deter-
rence is centred on state versus state conflict. Authors such as Alperovitch [75]
and Sterner [77] acknowledge this, stating that more research is needed to determine
how cyber deterrence can be used against non state actors. Dogrul,
Aslan and Celik [78] have come closest to taking on the non state actor issue
by looking at how cyber defence and deterrence can be applied against cyber
terrorism. They begin by examining the motivation for terrorists to use cyber
attacks, citing the low cost, anonymity and lack of physical barriers. They con-
clude that there are two approaches to defending from non state actors. Firstly,
there is a legislative route. This involves the creation of a “robust, international
legal framework under the UN” [78] which will raise the risk of carrying out
an attack due to an international response rather than a response by just the
attacked state. Secondly, they argue that a military aspect is also needed. They
call for cyber defence teams to be created at organisations such as NATO, whose
powers include being able to perform counter cyber attacks against identified
non state aggressors. There are however weaknesses in this approach, in that
not all nations are members of NATO. If attacks originate from a non member
state, questions are raised on how effective a NATO cyber defence team could
be in acting as a deterrent. The attribution problem also still remains unsolved:
if the attackers feel they cannot be traced, a NATO cyber defence team will
present little deterrence.
The topic of cyber defence and deterrence is a complex one. Applying tra-
ditional principles appears to be difficult, since the aggressor can often remain
unknown. As stated by Hare [63], attribution may not always be necessary in
politics, but when it comes to cyber deterrence it is arguably essential because
the principle of deterrence relies on the attacker fearing retaliation. While de-
terrence has been a strong tool in traditional defence, it can be concluded that
in the cyber domain deterrence is best regarded as just one tool amongst many.
Other tools such as building cooperation between organisations and nations,
education and better security are key to creating a well rounded cyber defence,
alongside deterrence. In this respect, the concept of deterrence is perhaps best
seen as part of a “defence in depth” strategy.
4.8. Nation’s Perspectives
When considering cyber warfare, it is important to not only examine academia’s
approach. As nation states are the primary practitioners of warfare, understanding
the approaches they take is a research challenge. A point that is clear
from the literature is that nations are alert to the issue and are working to
formulate their individual approaches and doctrines. The United States De-
partment of Defense has publicly announced its recognition of cyberspace as an
operational domain in which it must organise, train and equip [79]. Joint Publi-
cation 3-13 [80] describes how the U.S. has placed cyberspace operations under
the umbrella term of information operations, which includes other aspects of
warfare such as electronic and psychological operations. In this regard, it can
be argued that the U.S. sees cyber warfare as just one tool amongst many that
can support a war.
Other nations have also been active in developing their own cyber warfare
doctrines [26]. The literature shows that there are both similarities and dif-
ferences in how various nations are approaching cyber warfare. Timothy L.
Thomas [81] has shown how the Chinese government has declared that both
the army and civilians must work together to secure the nation from cyber
attacks [81]. An almost identical encouragement towards both military and
civilian effort can be seen in the United States’ approach [79]. Similarities in
publicly declared doctrines are relatively easy to identify - a deeper challenge
facing researchers in this area is in identifying differences and the reasons behind
them. Thomas [81] argues that one such difference is the focus on cognitive at-
tacks in the cyber domain. He states that Russia in particular places cognitive
attacks at the centre of its cyber doctrine, aiming to understand the enemy’s
thought process and then presenting actions and apparent intentions that seek
to exploit that understanding, allowing the enemy commander to reach a deci-
sion favourable to Russia. He suggests that China also considers cognitive cyber
issues in its doctrine, but that such concepts are less central to US doctrine.
Billo [26] agrees with this view, stating that “The U.S tends to focus on the
computer network attack aspects of cyber warfare but China’s cyber warfare
focuses more on psychological operations and denial and deception of military
data” [26]. Billo puts forward further differences in approaches between China
and the United States. He highlights how Chinese cyber warfare doctrine con-
tains references to Sun Tzu’s [13] principle of subduing an enemy without battle.
Thomas [81] has also made this observation, stating that the Chinese approach
to cyber warfare encourages pre-emption and the idea of maintaining dominance
inside the cyber domain. By doing so, China is aiming to subdue enemies in
cyber space without battle.
A further observation to make is that a nation’s fears over the cyber domain
show a link to previous negative events in that nation’s history. Billo [26] states
that Russia’s fear is that it will become engaged in a cyber arms race with
the United States that it cannot win, resembling the struggle faced during the
Cold War. Similarly, US Secretary of Defense Leon Panetta (2011-2013) has
expressed the United States’ concerns over being the victim of a digital Pearl
Harbor [82]. Looking at this evidence, it can be argued that events of the past
are shaping the direction of national cyber warfare doctrines today.
The amount of literature in this area is vast, but even a brief survey demon-
strates that nations are concerned about cyber warfare. As an issue of national
security, it must be noted that nations are unlikely to publicise the full truth
of their approaches and authors may be restrained in what material they are
permitted to publish. Further still, nations have an incentive to actively spread
disinformation regarding their strategies, capabilities and actions to avoid giv-
ing potential adversaries a knowledge advantage. With these issues in mind, the
task of identifying true approaches and activities of nations will always remain
a particularly challenging one for the research community.
4.9. Conceptualising Cyber Warfare
A final challenge to consider is that of conceptualising cyber warfare. While
many of the previously discussed topics are quite specific in their scope, this
topic is somewhat broad and attempts to present ways of thinking about cy-
ber warfare. One such example of this is Tibbs [83] presenting the conceptual
idea that cyber warfare can be seen as a game, with anyone using an internet
connected device being a player. Tibbs suggests that anyone can be a player
in the cyber game, but that states wield the most power. To aid in visualising
the cyber game, Tibbs presents a cyber game board, which shows the various
positions a player can take. This is shown in figure 7.
Figure 7: Tibbs’ Cyber Game Board [83]
One axis describes the type of power a player can exert, the other axis
represents where in the cyber domain this power is exerted. For example, if
coercive power is used upon the connection domain, this may result in physical
attacks on cables to cause denial of service to another player in the game. On
the opposite end of the scale, a player using cooperative power in the cognitive
domain may be sharing knowledge and understanding. According to Tibbs,
players are free to move around the game board, with the ultimate goal being
to gain an advantage over other players. This is a novel view of conflict in the
cyber domain and provides a well defined way to position various players and
view their approaches.
While authors such as Tibbs attempt to present different ways of looking
at the cyber domain, others such as Libicki [84] have argued that cyber should
not even be regarded as a domain. Libicki argues that traditional domains such
as air, sea, land and space are natural, whilst cyber is a man made creation.
Kuehl [15] disagrees with this view, stating that the cyber domain can be seen
as natural. In early warfare, the air existed but was not viewed as a domain of
war simply because there was no way to enter it. When looking at cyber, the
same argument can be made. The electromagnetic space has always existed, but
we have only recently found suitable vessels for operating inside of it. The US
Department of Defense also disagrees with Libicki, and asserts that there are five
warfighting domains, which includes cyberspace [85]. Ultimately, the debate on
whether cyberspace is or is not a warfighting domain is unlikely to be resolved
by academia, and it can be argued that it should not be. Militaries are the
experts of warfighting, and the decision to classify cyberspace as a warfighting
domain or not should arguably be left to them.
Another view on cyber warfare is that its role as the future of war is being
exaggerated beyond what is reasonable. Gartzke [43] supports this view, stating
that cyber warfare is only useful when it is used alongside traditional warfare.
He compares cyber warfare to the use of artillery: While clearly useful, it alone
cannot win wars and is just one tool of many that are needed to achieve mean-
ingful gains. Applying this view to our definitions, Gartzke implies that while
cyber warfare is useful, cyber war (a war fought only in the cyber domain) is
not a useful endeavour since cyber attacks alone cannot win a war. Rid [86]
also supports this position, stating that cyber war has never and will never take
place.
5. Conclusions and thoughts for the future
This paper has provided a survey of contemporary thought on the challenges
presented by cyber warfare. It began by looking at existing definitions of cyber
war and cyber warfare, and found two problems that needed resolving. Firstly,
it was found that there is no widely accepted definition of either cyber war
or