Peek into Tallinn Manual - Analyzing Estonia, Georgia & Stuxnet Cyber Attacks against this background

The Tallinn manual (not an official document) was drafted by group of experts, and was a comprehensive effort undertaken by NATO Cooperative Cyber Defence - Centre of Excellence between 2009 and 2012 to interpret and bring clarity on international laws in the context of cyber operations. While the manual does not denote the views of NATO, but is the first respected re-statement of international law in cyber operation context. It defines a cyber-attack as a “cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects” and cyber operation that qualifies an ‘armed attack’ triggers the right of individual or collective self-defense (Schmitt, et al., 2013). The foundation is the effects or consequence that are caused by cyber operations as per the six criteria for evaluating cyber-attacks on any nation i.e. severity, immediacy, directness, invasiveness, measurability, and presumptive legitimacy (Schmitt, et al., 2013). The manual unanimously accepts applicability of the justification to engage in war (jus ad bellum) or acceptable wartime conduct as per International Humanitarian Law (jus in bello) to cyber operations with emphasis is on cyber-to-cyber operations, strictu sensu (Schmitt, et al., 2013). The Manual also brings out the major problem of ‘attribution’ associated in cyber-attacks. In this article, we have  restricted our discussion Tallinn manual and examined few defining case studies in history of major cyber-attacks.

Cyber Attack on Estonia

Post-cold war and Estonia having joined NATO in 2004, the government in Tallinn had implemented policies to minimize Russian influence on Estonian culture. The tension between ethnic Estonians and the Russian minority population grew. The cyber-attacks on Estonia began on 27th April 2007, targeting parliament, newspapers, and broadcasters after widespread disagreement about the relocation of the “Bronze Soldier of Tallinn”. The attacks included botnets, websites de-facement, mail servers and distributed denial of service (DDOS) attacks using “botnets”. These attacks faced the attribution problem. While, Estonian external affairs minister, Mr Urmas Paet accused Russia for the attacks, their defense minister could not provide of any credible evidence links. Further, EU and NATO technical experts were also unable to find reliable evidence of Moscow’s participation in the DDoS strikes (Herzog, 2011).

The attacks proved to be a successful, but cyber-attack attribution remained controversial. Estonian authorities made a formal request for investigative assistance under a Mutual Legal Assistance Treaty (MLAT). Moscow refused stating cyber investigative procedure is not covered under MLAT. Beizing (2011, Pg 55) simply brushed aside the matter as an internal Estonian security dilemma (Herzog, 2011). These cyber-attack brought to the forefront a lack of a coherent strategy within NATO on Estonia’s request to invoke Article 5. For the first time, in the history, an ally had requested assistance to defend its cyber digital infrastructure and it failed to get support. The allies understanding of cyber use of force or armed attack remained divided. The Estonians were left to fend for themselves (Scheherazade Rehman, 2013). Using Schmitt’s criteria, the cyber-attack on Estonia fell short of “use of force” for severity, had limited physical damage, lacked military character, attribution of State’s involvement. The attack did not resemble the “use of force” or justify NATO response as per rules of engagement. However, this incident catalyzed a global debate of need for international convention and treaties for allowing defensive and offensive actions, and put cyber-attacks on the warfare dialogue table.

Cyberwar against Georgia

The Internet infrastructure of Georgia was attacked by unknown "zombie" computers around the time that the country was in conflict with Russia in July 2008. Graffiti appeared on Georgian government websites. Subsequently, in August 2008, Georgian DNS were targeted and internet traffic was diverted or jammed by re-routing traffic through servers in Turkey and Russia. It was alleged that these servers were controlled by Russian hackers. While German network administrators were able to temporarily re-route some traffic directly through servers in Germany, the second wave of attack again diverted traffic to servers in Russia. Georgian had virtually no communications with rest of the world “bloodlessly” (Makris, 2011). The Georgia Foreign Ministry said "A cyber warfare campaign by Russia is seriously disrupting many Georgian websites, including that of the Foreign Affairs Ministry”, however, Moscow denied and said, "on the contrary, a number of internet sites belonging to the Russian media and official organizations have fallen victim to concerted hacker attacks" (Swaine, 2008). Many of the command and control servers used for the Georgian attack were based out of the United States and had come online just few weeks before the assault (Markoff, 2008). This raised questions about attribution of who orchestrated the coordinated attack, Russia or the United States. These cyber-attacks again fell below the threshold of an armed attack, leave alone the threshold of a prohibited use of force. The hacks were a nuisance and put political pressure on the Georgian government to retaliate, under the principles of necessity and proportionality. Probably, this was a case of spoofing by non-state actors, which remained un-attributable.

Stuxnet Worm Attack on Iranian Uranium enrichment plant

The Stuxnet worm attack was probably world's first instance of a sophisticated cyber-weapon attack targeting Iranian uranium enrichment plant at Natanz in 2010. It exploited Windows machines having four zero-day exploits, connected to Siemens programmable logic controller (PLC) in industrial control systems, controlling uranium enrichment. Ralph Langner, a prominent Stuxnet commentator, declared the attack being a “huge success” and “nearly as effective as a military strike” (Barzashka, 2013). Another school of investigators contested that the damage to the IR-1 centrifuges hardly impacted enrichment and weapons manufacturing momentum. In fact, the IAEA Deputy Director General Olli Heinonen commented that “Stuxnet could be one of the reasons for a drop in the number of centrifuges at Natanz, there is no evidence that it gained little traction” (Barzashka, 2013). Further, the consequences of the cyber operation from proportionality perspective did not lead to loss of life, injury, damage or destruction to be construed as armed cyber-attack. In fact Michael Schmitt (2013 Pg 75), is cited as saying the international group of experts of Tallinn Manual were unanimous that “…Stuxnet cyber weapon that destroyed Iranian centrifuges was an act of force, but they were divided on whether its effects were severe enough to constitute an armed attack” (Schmitt, et al., 2013). The Manual goes on to contest that the cyber weapon failed to bring in unanimity of it being armed attack among experts on various factors like immediacy, attribution.

Therefore, can a Cyber Attack ever be attributed ?

Authored by Kinshuk De

https://in.linkedin.com/in/kinshukde

Rate this article: 
Average: 3 (7 votes)
Article category: 
Keywords: