Schmitt Analysis

Schmitt analysis is a legal framework developed in 1999 by Michael N. Schmitt, leading author of the Tallinn Manual, for deciding if a state's involvement in a cyber-attack constitutes a use of force. [1] Such a framework is important as part of international law's adaptation process to the growing threat of cyber-warfare. The characteristics of a cyber-attack can determine which legal regime will govern state behavior, and the Schmitt analysis is one of the most commonly used ways of analyzing those characteristics. [2] It can also be used as a basis for training professionals in the legal field to deal with cyberwarfare.

Motivations

As society becomes more dependent on computers for critical infrastructure, countries have become increasingly concerned with threats in cyberspace. The prevalence of computers and the pace of technological innovation have advanced civilization significantly but have left many vulnerabilities that can be exploited. Countries must be prepared to defend themselves and know how to respond appropriately to computer network attacks (CNAs). These attacks differ in many ways from the physical uses of force seen in traditional warfare: attackers can now remotely disable their targets simply through the transmission of data. CNAs also have a broad definition, and not every CNA carried out by one State against another is sufficient reason for States to escalate into armed engagement.

Depending on whether the CNA is treated as a use of force, the offending party would be judged under either international humanitarian law (IHL) or international human rights law (IHRL). The jus ad bellum is the body of law that defines when it is lawful for sovereign states to resort to the use of force to defend their resources, people and interests. Article 51 of the UN Charter defines a situation in which a sovereign state may employ the use of force, stating that:

"Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defense shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security."

A State has the autonomy to act in self-defense, but it needs proof that there is an imminent threat, and it must act according to the criteria of proportionality and necessity. The Schmitt analysis is a framework for evaluating a CNA according to seven parameters, both to determine whether it constitutes a wrongful use of force and to help governments decide on a valid course of action after being attacked. [3]

Historical background

The Estonian cyber-attacks of 2007, targeting Estonia's Internet resources, appear to be the first cyber-attacks used as a weapon in a political conflict. In Estonia there was tension between citizens who wanted their country to be more independent and the Russian-Estonian population. Because the attacks came from Russian addresses, the Russian government was accused of endorsing them. [4] The UN Security Council did not react to the Estonian cyber-attacks. Afterwards, the threat of cyber-war between States seemed much more real and imminent. The event also highlighted the importance of international cooperation for the protection of cyberspace, and brought to light the need for international legislation on what qualifies as an appropriate government response to CNAs. [5] [6]

During the 2008 conflict between Georgian nationalists and South Ossetian separatists, many Georgian websites were subject to defacement and DDoS attacks. During this conflict a website named StopGeorgia.ru was put up, containing links to potential targets for attacks along with malicious software. Russian civilians could thus participate in the cyber-attacks, which raises the question of whether such direct participation means they should no longer be considered civilians.

In 2010 the Stuxnet worm was discovered. It had infected the Natanz uranium enrichment facility in Iran and is suspected to have destroyed up to 1,000 centrifuges, setting back Iran's nuclear program by several years. The Russian company Kaspersky said the worm could only have been deployed with nation-state support, and that it would lead to a new kind of arms race. Considering the damage caused, together with the invasiveness, the lack of clear legitimacy, and the speculation that the worm was developed and deployed with the help of the U.S. government and possible Israeli or German assistance, Stuxnet could be seen as a use of force. It might nonetheless not be seen as an unlawful use of force, since the Iranian nuclear activities targeted were illegal. For this reason the worm has been called a cyber-weapon, although the Iranian government did not claim to have been the victim of a cyber-attack. The Iranian government's inaction might have implications for the development of legal norms regarding cyberspace, and a state's inaction is not addressed by the Schmitt framework. [2] [7]

CNA as a use of force

Schmitt's analysis is strongly tied to Article 2(4) of the UN Charter, which states that:

"All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations."

Not every use of force falls within the scope of Article 2(4), only those that may threaten international peace. The article does not specify armed force, which raises the question of whether it can be read to cover any kind of force, even economic force such as violative economic coercion. The idea is that any use of force not authorized within the Charter is wrongful. In practice, though, a degree of flexibility is necessary. There are situations, such as decolonization and humanitarian intervention, in which strictly following this rule might not align with community interests, and the law on the use of force needs to adapt and evolve to new situations and circumstances, such as those of cyber-warfare. It would be difficult to classify every CNA as a use of force, considering for example that some might not cause any direct physical damage at all. To make use of the established law governing armed force, Schmitt proposed comparing the characteristics and consequences of CNAs with those of traditional armed attacks. The goal of this case-by-case approach is to properly classify which CNAs fall into the category of use of force and which do not. [3]

The nuclear warfare analogy

Computer network attacks are, like weapons of mass destruction, asymmetric in nature. Since infrastructure such as power grids, transportation, and telecommunications are interlinked, an attack on one site might have a catastrophic domino effect. The destructive capabilities of cyber-attacks have been compared to the effects of nuclear radiation and the EMP effect of nuclear blasts. Small countries wanting to have an impact can take advantage of how cheap it is to launch a CNA. Nuclear weapons have not been outlawed either, but as with other weapons of warfare, great care is needed about using or threatening to use them, and the rules of proportionality, necessity, and humanity must be followed. Neither nuclear weapons nor information weapons distinguish between civilians and non-civilians. [8]

Analysis criteria

Seven criteria are used to evaluate a computer network attack. The analysis focuses predominantly on criteria that depend on the consequences of the CNA (so that an act counts as a cyber attack only when it causes injury or death to persons or damage to objects and their functionality), [9] and so it is more useful for analyzing events after they have happened than while they are being planned. This consequence-based focus is also predominant in the jus in bello, which strives for humanity while still allowing, in some cases, a trade-off between military gains and civilian casualties. The Schmitt analysis is also subjective and depends heavily on context. It does not try to fix measurable boundaries at which CNAs become uses of force, but instead compares the characteristics of a particular CNA with the characteristics of traditional uses of force. [1] [2] [10]

  1. Severity: The level of destruction caused by the attack. The scope, duration and intensity of the attack are taken into consideration. Defacing a public figure's website might not be considered a use of force, while disabling an online banking system or shutting off a nuclear plant's safety mechanisms might be.
  2. Immediacy: The speed at which the harm is done; a more immediate attack leaves less room for dialogue and negotiation between the attacker and the target. For a State to act in self-defense, it should have irrefutable proof that the threat to the nation is immediate.
  3. Directness: How clear it is that the consequences are in fact consequences of the CNA and not of other events. A CNA might have unexpected consequences, and it can be difficult to predict the complete impact of a cyber-attack.
  4. Invasiveness: CNAs are normally less invasive than a movement of troops into a State's territory. If a cyber-attack affects the sovereignty of a state, it is more likely to be considered a use of force.
  5. Measurability: How clearly the exact consequences of the CNA can be quantified in terms of the damage done. In armed coercion, the consequences tend to be very clear.
  6. Presumptive legitimacy: A State might employ a CNA as a method of defensive counter-attack. Self-defense is one of the exceptions to the prohibition on the use of violence. A state might also employ CNAs in a way that does not resemble armed coercion.
  7. Responsibility: The US Department of Defense (USDOD) argues that if an attack from State A on State B is not sponsored by State A, then State B does not have the right to invade State A, and should instead ask State A to intervene and stop the attack. But since attackers can route their data through remote locations, it may be difficult to attribute a CNA with certainty to the accused State, as happened in Estonia in 2007.

A relevant factor when performing a Schmitt analysis is to ask whether the perpetrators of the attack attempted to act in accordance with the Law of Armed Conflict (LOAC). This might be the case for Stuxnet, which was designed to minimize collateral damage and spread beyond its intended target only accidentally. Such an attempt can imply state involvement in the attack, since private individuals might not be so concerned with international law. It also means that the attack is more likely to be characterized as a use of force, even if it does not cause actual damage.

Potential shortcomings

The main issue with using the Schmitt framework is that it requires attribution: the attacking nation must be identified and held responsible for the attack. This does not seem to happen in most cases, as states carry out their actions within cyberspace in a secretive fashion and do not claim responsibility. There is also the possibility that the state that has been attacked will not take action against the offenders and will not accuse another state of unlawful action. Some also criticize the framework's adherence to Article 2(4)'s instrument-based paradigm and restrictive definition of unlawful use of force, and favor a more consequence-based framework.

References

  1. Schmitt, Michael N., "Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework" (1999). Columbia Journal of Transnational Law, Vol. 37, 1998-99. Available at SSRN: https://ssrn.com/abstract=1603800
  2. "Stuxnet, Schmitt Analysis, and the cyber 'use-of-force' debate." The Free Library. 2012 National Defense University. Retrieved 08 Dec. 2016. https://www.thefreelibrary.com/Stuxnet%2c+Schmitt+Analysis%2c+and+the+cyber+%22use-of-force%22+debate.-a0328945066
  3. Schmitt, Michael N., "Cyber Operations and the Jus in Bello: Key Issues" (March 2, 2011). Naval War College International Law Studies, 2011. Available at SSRN: https://ssrn.com/abstract=1801176
  4. Schmidt, Andreas. "The Estonian cyberattacks." A Fierce Domain: Conflict in Cyberspace, 1986 to 2012 (2013).
  5. Waxman, Matthew C., "Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4)" (March 16, 2011). Yale Journal of International Law, Vol. 36, 2011. Available at SSRN: https://ssrn.com/abstract=1674565 or https://dx.doi.org/10.2139/ssrn.1674565
  6. Papanastasiou, Afroditi, "Application of International Law in Cyber Warfare Operations" (September 8, 2010). Available at SSRN: https://ssrn.com/abstract=1673785 or https://dx.doi.org/10.2139/ssrn.1673785
  7. "Cyber attack 'targeted Iran': Malicious software discovered on systems around world could have been designed to target Bushehr reactor, experts say". Al Jazeera English. 2010-09-24. Archived from the original on 2012-07-08. Retrieved 2021-03-08.
  8. Shackelford, Scott J., "From Nuclear War to Net War: Analogizing Cyber Attacks in International Law", 27 Berkeley J. Int'l Law 192 (2009). Available at: http://scholarship.law.berkeley.edu/bjil/vol27/iss1/7
  9. Vossen, Celine, "Cyber Attacks Under the United Nations Charter: Critical Reflections on Consequentialist Reasoning" (August 11, 2014). Available at SSRN: https://ssrn.com/abstract=2594675 or https://dx.doi.org/10.2139/ssrn.2594675
  10. Michael, J.B.; Wingfield, T.C.; Wijesekera, D. (2003). "Measured responses to cyber attacks using Schmitt analysis: A case study of attack scenarios for a software-intensive system". Proceedings 27th Annual International Computer Software and Applications Conference (COMPSAC 2003). pp. 622–626. CiteSeerX 10.1.1.111.4082. doi:10.1109/CMPSAC.2003.1245406. ISBN 978-0-7695-2020-9. S2CID 23277767.