Another flaw is the suggestion that citizens (“Americans,” Alperovitch put it) are fighting a war against a foreign sovereign. Espionage is not illegal under international law. There is no international law restricting espionage between sovereigns (nor do sovereigns want such a law).
“To be honest, the US government would not really be justified in denouncing [intel gathering], as it does the same thing,” wrote Dave Aitel, CEO of Immunity, in an Ars Technica editorial. Aitel hits on a critical point: the activity of breaking into a political party’s server is espionage, which is a crime under U.S. federal law (breaking into a computer is also a federal crime and a crime in most states). Acts of espionage that take place within a target country are illegal under that nation’s federal and/or local criminal laws, which means they are crimes within the state in which they take place.
A more accurate statement regarding the intrusion of the DNC would be: “Americans are investigating crimes by actors who appear to come from outside the U.S., be they state-sponsored or not.” And to be very honest, no IP address, MD5 hash, Windows Registry key, can tell you where someone is physically located in the world, let alone provide 100 percent confirmation that they are state-sponsored.
This is not the first time a sovereign government has put out information intended to sway an election in a foreign country. It may be accurate to say that the scope of the document release on Wikileaks is orders of magnitude larger than past efforts to affect elections. The size of the incident has some bearing, but does it rise to the level of an act of war?
Additional problems are the analogy to “hand-to-hand combat” and suggestion this is a fight on U.S. soil. It is true that a crime was committed, and that crime occurred in the form of an intrusion into a computer system that resides in the United States. But this is a crime, not a fight, not an act of war, even if the accessed computer is physically “on U.S. soil.” If the intruder is not inside the U.S., the location of the illegally accessed computer may provide venue for invoking criminal process, under the jurisdiction of the United States of America (either federally or more specifically, within the state in which the computer servers are located).
Software Equivalent to a Kinetic Weapon?
Such overly simplistic analogies use specific language as a frame to evoke self-defense aimed to garner support for a line of argument granting authority to the private sector to “strike back” against “attackers.” This self-defense frame is at best evidence of sloppy reasoning and at worst an attempt to fool the audience into buying into an aggressive and risky agenda of vigilantism or retribution.
This framing problematically equates crimes with “war,” and equates software with “weapons.” Aitel frequently blogs about “cyber weapons” and spoke about them at RSA 2012.
Aitel rejects Joseph Nye’s definition of “cyber war:” “hostile actions in cyberspace that have effects that amplify or are equivalent to major kinetic violence.”
In Aitel’s view, a “cyber weapon” is defined “more by an ‘organization’ than by ‘a technology,'” and “attacks ideology, it does not necessarily attack infrastructure.” He includes nation-states, religions, and corporations as things built on an ideology that can be attacked using “cyber weapons.” Aitel said “cyber weapons” attack the concept of copyright and organizations’ ability to protect themselves. Addressing copyright violations and organizational protection generally falls under civil and criminal laws rather than the laws of war.
This year, in his critique of Bellovin, Landau, Lin, Aitel asks, “Is Gauss a cyber weapon?” implicitly using an effects-based analysis to criticize their proposed “cyber weapon” definition, a “software-based IT artifact or tool that can cause destructive, damaging, or degrading efforts on the system or network against which it is directed” and later including data exfiltration in their examples.
Others, such as panelists Hughes, Singer, Painter and Kanuck in front of the House Government Affairs Committee hearing on “Digital Acts of War,” share the opinion that the capabilities used (i.e., the “software-based IT artifact or tool” should be evaluated by their effects on a case-by-case basis.
Next Page: Most Attribution Claims Would Not Stand Up In Court
