This House would use targeted sanctions to respond to cyber-attacks

Cyber-attacks pose a distinct problem for international diplomacy in that they are difficult to prevent and difficult to respond to. Any kind of military response as the United States has threatened would be completely disproportionate against all but the very biggest of cyber-attacks (those that actually result in deaths),[1] diplomacy on the other hand is as good as no response, if the response is simply a tongue lashing then the benefits of cyber espionage will be far higher than the cost.

The only proportionate, and therefore just, response to a cyber-attack is sanctions. The sanctions can be used to impose a similar economic cost on the offending state as that caused by the cyber-attack. This would be just like the World Trade Organisation's dispute settlement rules. They allow for the imposition of trade sanctions to a similar value to the losses being experienced as a result of protectionist action, with the sanctions sometimes on differing sectors to those where there are unfair trade practices.[2] Alternatively sanctions could mean a proportionate Internet response; users from the offending nation could be prohibited from using Internet services, for example an attack by hackers on the US could result in people from that country being blocked from Google and other US internet services.

[1] Friedman, Benjamin H., Preble, Christopher A., ‘A Military Response to Cyberattacks Is Preposterous’, CATO Institute, 2 June 2011, http://www.cato.org/publications/commentary/military-response-cyberattacks-is-preposterous

[2] World Trade Organisation, ‘Understanding the WTO: Settling Disputes’, 2013, http://www.wto.org/english/thewto_e/whatis_e/tif_e/disp1_e.htm

How do we determine what is proportionate? If some valuable intellectual property, such as part of the designs for the US's latest fighter jet the F35, which were hacked in 2009.[1] Then what can be the response to this? Can it simply be the cost of developing this design? If so then what about the strategic loss the state has suffered, how can that be calculated in? So long as it is excluded state sanctioned cyber-attacks will not be deterred.

[1] Gorman, Siobhan, Cole, August, and Dreazen, Yochi, ‘Computer Spies Breach Fighter-Jen Project’, The Wall Street Journal, 21 April 2009, http://online.wsj.com/article/SB124027491029837401.html.html

The big advantage of sanctions is that they can be as finely targeted as needed. If the sanctioning country only knows which country the cyber attack originated from then they can be broad brush sanctions, but if there is knowledge of which group initiated the attack then the sanctions can be more specific. For example in the case of unit 61398 Of the Chinese People’s Liberation Army that Mandiant showed has been attacking US companies[1] the United States could target sanctions at the People's Liberation Army by tightening weapons bans. Alternatively if the hackers are private then banning the import of certain computer equipment into that country would be appropriate. If individuals are known then the sanctions can be even more targeted, for example by freezing any bank accounts held outside their own country as the US did against North Korea when it sanctioned Banco Delta Asia through which North Korea laundered money from criminal activities.[2]

[1] Mandiant, ‘Exposing One of China’s Cyber Espionage Units’, mandiant.com, February 2013, http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

[2] Noland, Marcus, ‘Why Sanctions Can Hurt North Korea’, Council on Foreign Relations, 4 August 2010, http://www.cfr.org/north-korea/why-sanctions-can-hurt-north-korea/p22762

Sanctions cannot be very finely targeted and will always hit other groups as well as the cyber attackers. The chances of knowing specific individuals who were responsible are next to zero so those individuals cannot be targeted directly. This is the whole problem with cyber-attacks; they are very difficult to pin down. In the best case then sanctions are applied against the right target and happen to hit others as well; for example hackers are not the only new who want advanced computer equipment. At worst the sanctions will completely miss their target; it would be a major embarrassment for a country to impose sanctions for a cyber-attack only for it to later be discovered that the sanctions are against an innocent party through whom the attack had been routed.

At the moment the response to cyber-attacks has essentially been nothing. It is however clear that some response is needed as without a reaction there is no deterrence; the attacks will keep coming until something is done. The number of cyber-attacks and the sensitivity of the information stolen have been increasing over recent years and as more and more work is done online and more and more systems are connected to the Internet so cyber-attacks become more attractive. There needs to be a deterrent and the best deterrent is to make sure that such attacks are costly.

As these attacks are usually cross border (and in this debate we are only concerned with cross border attacks) then the only way to create a cost is through sanctions. These sanctions can either hit the assailant directly or else hit his government so encouraging them to crack down on hacking emanating from their country. It should be remembered that China argues that it does not launch cyber-attacks[1] meaning that any such attacks from China must duly be private. If this is the case then sanctions are the best way of prompting internal law enforcement. Sanctions therefore encourage all nations where there are cyber criminals to make sure they take such cyber-crime seriously. If they do not get their own cyber criminals under control then they may be affected by sanctions.

[1] China Daily, ‘China denies launching cyberattacks on US’, China.org.cn, 20 February 2013, http://www.china.org.cn/world/2013-02/20/content_28003282.htm

How can there ever be deterrence when the attacker believes they will not be caught, or that if they are the sanctions swill harm others not themselves? When the problem with preventing cyber-attacks is the difficulty of tracing the source[1] then deterrence becomes more and more difficult to apply. This is not like the Cold War where both superpowers could be certain that if they launched an attack there would be a devastating response. In this instance there is no certainly; the attacker believes they a, won't be caught, b, there will be no response and c, that the response won't affect them, and finally even if they are affected unless they are caught most times they will believe they will get away with it next time round.

[1] Greenemeier, Larry, ‘Seeking Address: Why Cyber Attacks Are So Difficult to Trace Back to Hackers’, Scientific American, 11 June 2011, http://www.scientificamerican.com/article.cfm?id=tracking-cyber-hackers

Cyber conflict favours the offence; when the defender is successful they gain nothing and impose no harm on the attacker who is free to try again elsewhere. The attackers are free to attack until they get past the defences somewhere.[1] That the attacks don’t risk lives helps to encourage an offensive mindset as makes it seem like there is no downside to attempting to dominate your opponent.[2] This means the only cyber response is to attack the attacker so that the same advantages apply.

The result is that cyber-attacks have a very real danger of long term tension or escalation. If one side is losing a conflict where both sides are attempting to steal the other's intellectual property (or the other has little to steal) the response may be something like the stuxnet attack that involves physical damage, this then would probably be considered an illegal use of force creating a thin line between a cyber-war and a real war.[3] When the cyber war involves physical damage as the US has warned there then may be a military response. Sanctions are a way to apply pressure without this risk of escalation into a military conflict.

[1] Lin, Herbert, ‘Escalation Dynamics and Conflict Termination in Cyberspace’, Strategic Studies Quarterly, Fall 2012, http://www.au.af.mil/au/ssq/2012/fall/lin.pdf p.51

[2] Rothkopf, David, ‘The Cool War’, Foreign Policy, 20 February 2013, http://www.foreignpolicy.com/articles/2013/02/20/the_cool_war_china_cyberwar

[3] Zetter, Kim, ‘Legal Experts: Stuxnet Attack on Iran Was Illegal ‘Act of Force’, Wired, 25 March 2013, http://www.wired.com/threatlevel/2013/03/stuxnet-act-of-force/

An asymmetric response to cyber-attacks in the form of sanctions may prevent escalation, but they could also simply encourage a cyber-attacker to do more knowing that sanctions cannot stop cyber-attacks. Sanctions in the past have rarely changed policy; Sanctions against Cuba did not result in overthrowing Castro, sanctions have not changed North Korea or Iran’s policy towards nuclear weapons, so there is little reason that sanctions would stop cyber-attacks.[1] Instead the country being sanctioned will find a way around and quite possibly escalate themselves much as North Korea has upped the stakes whenever new sanctions are imposed, most recently by cancelling a hotline to the South.[2]

[1] Friedman, Lara, ‘Getting over the sanctions delusion’, Foreign Policy The Middle East Channel, 14 March 2010, http://mideast.foreignpolicy.com/posts/2010/03/15/getting_over_the_sanctions_delusion

[2] Branigan, Tania, ‘Expanded UN sanctions on North Korea prompt rage from Pyongyang’, guardian.co.uk, 8 March 2013, http://www.guardian.co.uk/world/2013/mar/08/north-korea-rages-un-sanctions

Cyber-attacks pose a distinct problem for international diplomacy in that they are difficult to prevent and difficult to respond to. Any kind of military response as the United States has threatened would be completely disproportionate against all but the very biggest of cyber-attacks (those that actually result in deaths),[1] diplomacy on the other hand is as good as no response, if the response is simply a tongue lashing then the benefits of cyber espionage will be far higher than the cost.

The only proportionate, and therefore just, response to a cyber-attack is sanctions. The sanctions can be used to impose a similar economic cost on the offending state as that caused by the cyber-attack. This would be just like the World Trade Organisation's dispute settlement rules. They allow for the imposition of trade sanctions to a similar value to the losses being experienced as a result of protectionist action, with the sanctions sometimes on differing sectors to those where there are unfair trade practices.[2] Alternatively sanctions could mean a proportionate Internet response; users from the offending nation could be prohibited from using Internet services, for example an attack by hackers on the US could result in people from that country being blocked from Google and other US internet services.

[1] Friedman, Benjamin H., Preble, Christopher A., ‘A Military Response to Cyberattacks Is Preposterous’, CATO Institute, 2 June 2011, http://www.cato.org/publications/commentary/military-response-cyberattacks-is-preposterous

[2] World Trade Organisation, ‘Understanding the WTO: Settling Disputes’, 2013, http://www.wto.org/english/thewto_e/whatis_e/tif_e/disp1_e.htm

How do we determine what is proportionate? If some valuable intellectual property, such as part of the designs for the US's latest fighter jet the F35, which were hacked in 2009.[1] Then what can be the response to this? Can it simply be the cost of developing this design? If so then what about the strategic loss the state has suffered, how can that be calculated in? So long as it is excluded state sanctioned cyber-attacks will not be deterred.

[1] Gorman, Siobhan, Cole, August, and Dreazen, Yochi, ‘Computer Spies Breach Fighter-Jen Project’, The Wall Street Journal, 21 April 2009, http://online.wsj.com/article/SB124027491029837401.html.html

The big advantage of sanctions is that they can be as finely targeted as needed. If the sanctioning country only knows which country the cyber attack originated from then they can be broad brush sanctions, but if there is knowledge of which group initiated the attack then the sanctions can be more specific. For example in the case of unit 61398 Of the Chinese People’s Liberation Army that Mandiant showed has been attacking US companies[1] the United States could target sanctions at the People's Liberation Army by tightening weapons bans. Alternatively if the hackers are private then banning the import of certain computer equipment into that country would be appropriate. If individuals are known then the sanctions can be even more targeted, for example by freezing any bank accounts held outside their own country as the US did against North Korea when it sanctioned Banco Delta Asia through which North Korea laundered money from criminal activities.[2]

[1] Mandiant, ‘Exposing One of China’s Cyber Espionage Units’, mandiant.com, February 2013, http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

[2] Noland, Marcus, ‘Why Sanctions Can Hurt North Korea’, Council on Foreign Relations, 4 August 2010, http://www.cfr.org/north-korea/why-sanctions-can-hurt-north-korea/p22762

Sanctions cannot be very finely targeted and will always hit other groups as well as the cyber attackers. The chances of knowing specific individuals who were responsible are next to zero so those individuals cannot be targeted directly. This is the whole problem with cyber-attacks; they are very difficult to pin down. In the best case then sanctions are applied against the right target and happen to hit others as well; for example hackers are not the only new who want advanced computer equipment. At worst the sanctions will completely miss their target; it would be a major embarrassment for a country to impose sanctions for a cyber-attack only for it to later be discovered that the sanctions are against an innocent party through whom the attack had been routed.

At the moment the response to cyber-attacks has essentially been nothing. It is however clear that some response is needed as without a reaction there is no deterrence; the attacks will keep coming until something is done. The number of cyber-attacks and the sensitivity of the information stolen have been increasing over recent years and as more and more work is done online and more and more systems are connected to the Internet so cyber-attacks become more attractive. There needs to be a deterrent and the best deterrent is to make sure that such attacks are costly.

As these attacks are usually cross border (and in this debate we are only concerned with cross border attacks) then the only way to create a cost is through sanctions. These sanctions can either hit the assailant directly or else hit his government so encouraging them to crack down on hacking emanating from their country. It should be remembered that China argues that it does not launch cyber-attacks[1] meaning that any such attacks from China must duly be private. If this is the case then sanctions are the best way of prompting internal law enforcement. Sanctions therefore encourage all nations where there are cyber criminals to make sure they take such cyber-crime seriously. If they do not get their own cyber criminals under control then they may be affected by sanctions.

[1] China Daily, ‘China denies launching cyberattacks on US’, China.org.cn, 20 February 2013, http://www.china.org.cn/world/2013-02/20/content_28003282.htm

How can there ever be deterrence when the attacker believes they will not be caught, or that if they are the sanctions swill harm others not themselves? When the problem with preventing cyber-attacks is the difficulty of tracing the source[1] then deterrence becomes more and more difficult to apply. This is not like the Cold War where both superpowers could be certain that if they launched an attack there would be a devastating response. In this instance there is no certainly; the attacker believes they a, won't be caught, b, there will be no response and c, that the response won't affect them, and finally even if they are affected unless they are caught most times they will believe they will get away with it next time round.

[1] Greenemeier, Larry, ‘Seeking Address: Why Cyber Attacks Are So Difficult to Trace Back to Hackers’, Scientific American, 11 June 2011, http://www.scientificamerican.com/article.cfm?id=tracking-cyber-hackers

Cyber conflict favours the offence; when the defender is successful they gain nothing and impose no harm on the attacker who is free to try again elsewhere. The attackers are free to attack until they get past the defences somewhere.[1] That the attacks don’t risk lives helps to encourage an offensive mindset as makes it seem like there is no downside to attempting to dominate your opponent.[2] This means the only cyber response is to attack the attacker so that the same advantages apply.

The result is that cyber-attacks have a very real danger of long term tension or escalation. If one side is losing a conflict where both sides are attempting to steal the other's intellectual property (or the other has little to steal) the response may be something like the stuxnet attack that involves physical damage, this then would probably be considered an illegal use of force creating a thin line between a cyber-war and a real war.[3] When the cyber war involves physical damage as the US has warned there then may be a military response. Sanctions are a way to apply pressure without this risk of escalation into a military conflict.

[1] Lin, Herbert, ‘Escalation Dynamics and Conflict Termination in Cyberspace’, Strategic Studies Quarterly, Fall 2012, http://www.au.af.mil/au/ssq/2012/fall/lin.pdf p.51

[2] Rothkopf, David, ‘The Cool War’, Foreign Policy, 20 February 2013, http://www.foreignpolicy.com/articles/2013/02/20/the_cool_war_china_cyberwar

[3] Zetter, Kim, ‘Legal Experts: Stuxnet Attack on Iran Was Illegal ‘Act of Force’, Wired, 25 March 2013, http://www.wired.com/threatlevel/2013/03/stuxnet-act-of-force/

An asymmetric response to cyber-attacks in the form of sanctions may prevent escalation, but they could also simply encourage a cyber-attacker to do more knowing that sanctions cannot stop cyber-attacks. Sanctions in the past have rarely changed policy; Sanctions against Cuba did not result in overthrowing Castro, sanctions have not changed North Korea or Iran’s policy towards nuclear weapons, so there is little reason that sanctions would stop cyber-attacks.[1] Instead the country being sanctioned will find a way around and quite possibly escalate themselves much as North Korea has upped the stakes whenever new sanctions are imposed, most recently by cancelling a hotline to the South.[2]

[1] Friedman, Lara, ‘Getting over the sanctions delusion’, Foreign Policy The Middle East Channel, 14 March 2010, http://mideast.foreignpolicy.com/posts/2010/03/15/getting_over_the_sanctions_delusion

[2] Branigan, Tania, ‘Expanded UN sanctions on North Korea prompt rage from Pyongyang’, guardian.co.uk, 8 March 2013, http://www.guardian.co.uk/world/2013/mar/08/north-korea-rages-un-sanctions

When is it legitimate to use sanctions in response to an action? Any individual state (or group of states) can use sanctions against any other state. However for these sanctions to be effective they need to have broad based support. Sanctions by an individual country are unlikely to change the behaviour of an aggressor as they will be able to get around the sanctions. Moreover for any country that is a member of the WTO imposing sanctions may be considered illegal allowing the other country to counter them with similar measures.

The problem then is that there is no international response to hacking and it is unlikely there will be agreement on such a response. When countries like China deny that hacking comes from them are they likely to support the use of sanctions against such actions? Sanctions for much worse actions are often bogged down when they are attempted at the international level such as China and Russia vetoing sanctions against Syria in response to the violence there.[1]

[1] United Nations Security Council, ‘Security Council fails to adopt draft resolution on Syria that would have threatened sanctions, due to negative votes of China, Russian Federation’, un.org, SC/10714, 19 July 2012, https://www.un.org/News/Press/docs/2012/sc10714.doc.htm

This will clearly depend on the country engaging sanctions; sanctions from the US or EU will be much more significant than sanctions from the Philippines. Most countries however are a part of larger trade blocks; sanctions from the Philippines may not be much of a threat but sanctions from ASEAN would be much more compelling. Using such regional organisations can help nations get around the problems of agreement associated with broader UN sanctions. There have already been calls for groups such as ASEAN to work together against cyber attacks[1] and these groupings could be expanded to include other nations that agree with the policy on an ad hoc basis in much the same way as Japan is looking to join with ASEAN on such defence.[2]

[1] Minnick, Wendell, ‘Malaysia Calls for ASEAN ‘Master Plan’ to Fight Cyber Attacks’, Defense News, 3 June 2012, http://www.defensenews.com/article/20120603/DEFREG03/306030004/Malaysia-Calls-ASEAN-8216-Master-Plan-8217-Fight-Cyber-Attacks

[2] Westlake, Adam, ‘Japan pushes to form cyber-defense network with other ASEAN countries’, Japan Daily Press, 8 October 2012, http://japandailypress.com/japan-pushes-to-form-cyber-defense-network-with-other-asean-countries-0814818

The problem with sanctions is that they are almost always indiscriminate; Iran’s sanctions today are an example where the international community’s concerns are entirely with the government, over nuclear weapons, not the people yet the result has been a doubling in the price of staple foodstuffs and rapidly rising unemployment.[1]

This will equally be the case here. While sanctioners will try to target the sanctions the fact is there is nothing to target with sanctions that would not affect everyday lives. Hackers are ordinary people so clearly sanctions will affect others like themselves.  The most obvious reactions involve the internet but blocking access to internet services, or penalising ISP’s, or cutting off technology transfers, harm everyone else as much as hackers. Often this harm is in the form of simply making the internet less safe for people in that country because they will have to turn to pirated versions of software. IDC and Microsoft estimate the chances of being infected with malware when using pirated software at one in three[2] so it is no surprise that the Chinese government in October 2012 launched a campaign to have government and companies purchase legal software.[3]

[1] The Economist, ‘A red line and a reeling rial’, 6 October 2012, http://www.economist.com/node/21564229

[2] IDC, ‘White Paper: The Dangerous World of Counterfeit and Pirated Software’, Microsoft, March 2013, http://www.microsoft.com/en-us/news/download/presskits/antipiracy/docs/IDC030513.pdf p.3

[3] Xinhua, ‘Chinese gov’t says no to pirated software’, People’s Daily Online, 26 April 2013, http://english.peopledaily.com.cn/90882/8224829.html

The aim of sanctions does not have to be to directly affect the individuals doing the hacking, though in some cases this may be possible. Rather the aim is to change the attitude towards regulation and enforcement by the central government and possibly by the people as a whole. If the people of a country believe they are suffering as a result of the hackers in their midst they will be much more likely to demand their government make cracking down on such activities a priority.

The problem with sanctions is that they almost never work so all they do is provide punishment and damage relations without ever resolving the issue. Numerous studies have shown that sanctions don’t actually change the policy of the country that is being sanctioned.[1] Robert Pape suggests that sanctions are only effective in achieving policy change about 5% of the time because states can take substantial economic punishment before they give up on anything that might be considered to be a national interest, and because states are good at shifting the burden of the sanctions onto opposition groups,[2] or else use the sanctions to rally domestic support against the outside actor.[3]

Instead there need to be renewed cooperation on cyber security. Fundamentally as with things like drug smuggling, and people trafficking this is an international problem that needs to be tackled by law enforcement authorities. To that end there needs to be more cooperation not more recriminations.[4]

[1] Lindsay, James M., ‘Trade Sanctions As Policy Instruments: A Re-Examination’, International Studies Quarterly, Vol.30, Issue 2, June 1986, pp.153-170, http://www.stanford.edu/class/ips216/Readings/lindsay_86.pdf, p.1 provides a list of some of them

[2] Pape, Robert A., ‘Why Economic Sanctions Do Not Work’, International Security, Vol. 22, Issue 2, Autumn 1997, pp.90-137, http://www.stanford.edu/class/ips216/Readings/pape_97%20(jstor).pdf p.106

[3] Snyder, Jack, Myths of Empire, Cornell University Press, 1991

[4] Dingli, Shen, ‘What Kerry Should Tell China’, Foreign Policy, 11 April 2013, http://www.foreignpolicy.com/articles/2013/04/11/what_kerry_should_tell_china

Cooperation is not a helpful alternative as it really means status quo when we can see that the status quo is not going to reduce cyber-attacks or bring recompense. Rather this is precisely what sanctions are needed for; to encourage states that harbour cyber criminals and hackers to use their law enforcement capabilities to crack down on such attacks.

Sanctions are typically used as a response to the actions of another state, not the actions of a private actor. Much cyber espionage is not carried out by government entities such as the army or intelligence services. It is also not encouraged by government regulation. Rather it is carried out by private actors whether this is criminal organisations or businesses seeking to undermine their rivals and learn their secrets this is usually with a financial motive (75% of data breaches)[1], or else by individuals motivated by nationalism and patriotism to attack those they see as their nation’s enemies. It is difficult to see how sanctions against the nation as a whole affect these groups and individuals. This is certainly the case in China where many such as the ‘China Eagle Union’ admit to hacking for nationalist reasons rather than being told by the government.[2]

A response such as sanctions are simply likely to breed more resentment that the other power is attempting to bully their nation. The hackers only possible response is then more hacking. For those sponsored by companies if their company is hit by sanctions it simply becomes all the more necessary to find methods of getting ahead to offset any harm by sanctions.

[1] Verizon RISK Team, ‘2013 Data Breach Investigations Report’, Verizon, 23 April 2013, http://www.verizonenterprise.com/DBIR/2013/ p.6

[2] Beech, Hannah, ‘China’s Red Hackers: The Tale of One Patriotic Cyberwarrior’, Time, 21 February 2013, http://world.time.com/2013/02/21/chinas-red-hackers-the-tale-of-one-patriotic-cyberwarrior/

Even taking it at face value that most of these hackers are independent actors not a part of a state policy there would still be solid reasoning behind sanctions. That most cyber-attacks have a financial motive implies that sanctions are the best response; as it is hitting them in an area that the attackers are clearly interested in. As for those who are attacking for ‘patriotic’ reasons if they are truly patriots they will stop when they see their efforts are really harming their country not helping it.