[This was originally published on attrition.org. This is a rebuttal piece to Cyber War – Fact from Fiction in the shadow of the Tallinn Manual (2012-09-14) by @wh1t3rabbit (Rafal Los).]
I was asked to provide comment on this blog piece because of my involvement with Josh Corman in presenting on the topic of Cyberwar (PPT) at BruCON in September, 2012. The 89 slides are deceptive at first, because they don’t really show how much material was consumed during the research for the presentation (reading presenter notes underneath will give a good idea though). Josh and I spent almost three months discussing the topic, reading a wide variety of opinions, and digesting lengthy papers on the topic. One of those resources was the Tallinn Manual. Seemingly out of nowhere, Rafal appeared to become an overnight expert on Cyberwar, asking half a dozen times on Twitter via his automated Tweet spam, “Are we engaged? Are we winning? … have you read the Tallinn Manual?“
Three days before the blog post, Rafal had not read the Tallinn manual himself. Asking this question in such a fashion is egotistical and misleading. This 215 page tome is not easily digested, especially for those who haven’t given serious thought to the topic of Cyberwar, or been involved in that domain to some degree. For our presentation, I read between 30 and 50% to understand the points relevant to our stance, and it took several passes along with extensive discussion with Corman to figure out the implications. Ultimately, we determined that the Tallinn definition of ‘Cyberwar’  was likely the best one out there, but still wasn’t perfect. On slide 51 we asked if it was the “least ambiguous definition”. I share this background because it speaks to my critique of Rafal Los’ blog on the topic. As we told BruCON and anyone else, Corman and I are far from experts on the topic; we just spent a lot of time thinking about the topic and had problems with the hype and the constant disconnects for analogies to kinetic warfare.
Cyber War – Fact from Fiction in the shadow of the Tallinn Manual
Wh1t3Rabbit| September 14, 2012
Earlier this week at InfoSec Nashville, Howard Schmidt did a fireside chat style keynote where he answered pre-vetted questions from another gentleman who was asking them. It was all relatively the same thing we’ve heard for a while now from Mr.. Schmidt, who is a long-time veteran of the school of hard-knocks security in the real world and government, until he brought up a conversation between him and another of his colleagues (I don’t recall who, but it doesn’t really matter) that basically had him disagreeing that (a) we were engaged in an (paraphrasing) “open cyber war” and (b) we (I assume he meant the ‘good guys’) were winning. Mr.. Schmidt said he did not believe we were engaged in a cyber war and that we definitely weren’t losing.
Hold the phone. Has he read the news lately? Maybe browsed the data breach archives?
Rafal’s last question here demonstrates fully that he doesn’t understand the topic of Cyberwar. He doesn’t seem to understand either “classic” ideas on Cyberwar (e.g. 1993 RAND paper by Arquilla & Ronfeldt) or more evolved thinking on the topic (e.g. 2009 RAND paper by Libicki). Trying to equate data breaches as cataloged by DatalossDB.org is absurd. While a handful of breaches certainly fall in that realm, I would argue it is less than 1%. Many of the breaches occur from a different motivation, that of profit. Many hundreds more are the equivalent of digital joyriders, attacking low hanging fruit and dumping their results on Pastebin. The question Rafal poses is a non sequitur in the discussion of Cyberwar.
A colleague of mine who is knowledgeable in these matters made some interesting comments to this. First, that by the only reasonable definition of such [the Tallinn Manual] we are not engaged in any cyber war. Therefore, if we’re not engaged in a cyber war, we cannot win or lose. Fair point… Moreover, he took exception to citing data breaches as evidence of cyber war.
I have spoken with the same colleague about the topic a decent amount, and I believe you are paraphrasing him incorrectly based on my discussions. The Tallinn definition is not the only reasonable definition, but it is certainly the least ambiguous, and shows more evolved thought than definitions prior.
I completely understand the point… so much so that I started digging through this 215 page behemoth of a document to try and understand what a cyber war defined by International Law and the UN is. Starting on page 18 in the Scope portion we see references to physical or kinetic force and starting on page 25 clear implications that the normal rules of violation of sovereignty (attacking another nation’s sovereignty) to cause damage certainly seems to quality – although as you can see in point 6 the International Group of Experts could not agree whether the placement of malware that cause no physical damage constitutes a violation of sovereignty. Reading on it becomes abundantly clear that two things are needed to call something a cyber war – a violation of sovereignty that causes physical damage, and/or the use of force. The rest of the manual is a page-turned that basically reads like a rule-book for when and how we can understand what the rules of cyber-space law are.
Yes, and make this absolutely clear. You thought data breaches equated to Cyberwar, until someone told you that was absurd. Then you found the most recent tome on Cyberwar and skimmed it, citing a few early pages to look knowledgeable. Yet you don’t appear to have reached page 92 where their precise definition of a cyber attack is spelled out. Note that the use of the term “cyber warfare” doesn’t seem to appear until page 96. 
It is abundantly clear to me that very few people who talk about “cyber war” (including yours truly) really understand what they’re saying – this document certainly educated me plenty, although I’m still far from an expert in the matter.
Certainly glad you understand that, but I find it odd you choose to blog about it, and then Tweet what came off as a condescending question implying you were more versed on the subject than your peers. No Rafal, I was not the only one who observed that.
I know Mr. Schmidt is a very intelligent man so I kept listening for his rationale and what he cited was that in spite of all of the incidents that have transpired in recent times, businesses were still able to continue, the country was still operational in the cyber realm, and there weren’t any catastrophic events which I assume means the heavy loss of human life. Before I read through the Tallinn Manual I would have disagreed – now I can see he’s dead right. The reason is there hasn’t been ‘catastrophic damage’ done or a loss of life in the violation of United States sovereignty.
The thinking that even though hacks and breaches have clearly transpired on behalf of nation-states and non-attached hacker assets as well, they haven’t impacted us (the Sovereignty of the United States) significantly is what separates espionage, fraud and hacking from cyber war.
And this is still rather shallow thinking on the topic. You, and apparently Schmidt, have a fairly hard line definition of Cyberwar. Worse, your comments suggest that espionage/fraud/hacking are separate from Cyberwar, when in reality any of them can be a component of Cyberwar. They are not mutually exclusive.
What is interesting is all the “poking and prodding”, as Scot says, in which we have “un-named sources” being cited to attribute attacks such as Stuxnet to the US fanning international tensions. The case you’ve read of an oil company in the Middle East called Aramco which had near 30,000 computers bricked by a cyber-based attack is interesting but spoke to mainly financial loss, and as Scot points out had questionable impact and even more questionable sources… and little is known due to the information blackout on the case. This is clearly a very complicate geo-political issue, and maybe the prelude to something bigger, but alas again not cyber war.
Here you go again with absolutes. You simply cannot say that is “not cyber war”. It may be, and we do not see the bigger picture. This ties into your perception that Cyberwar must have physical damage. While it may, consider other wars that had non-destructive acts of aggression that led to war.
As I’ve learned – Cyber War has a necessary kinetic component resulting from the violation of Sovereignty and the eventual loss of life.
Here you make it clear you did not get to page 92, and did not digest the Tallinn definition of a cyber attack, which states that “damage to objects” qualifies. One piece of malware that causes a machine not to function qualifies. That means that Stuxnet certainly qualified as Cyberwar. Your hangup on loss of life is countered by their definition:
"A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects." -- Tallinn Manual on The International Law Applicable to Cyber Warfare . Michael N. Shmitt
This sentence is tricky (seriously), as you have to look at the use of ‘or’ in context. “A cyber attack .. injury or death .. OR .. damage or destruction.” The middle ‘or’ in the definition qualifies that injury or death to persons is explicitly not required.
As far as whether we’re winning or losing … the point is moot. If there’s no war, we’re not winning or losing. The problem is that it’s easy to get drawn into cyber war, I know I’ve fallen victim myself, mainly because there are few decent definitions of such an event. But if you dig deep, and look hard you’ll find experts that have defined there to be 2 key components of a cyber war – kinetic action, and the violation of sovereignty leading to a potential loss of life. We’ve seen the beginnings of this, and have certainly seen violations of sovereignty – but we’ve not seen both conditions met. Is it just a matter of time? My Magic 8 Ball is broken, so I don’t know.
For every definition you find saying one thing, you can find another saying the opposite, in regards to the requirement of kinetic elements or violation of sovereignty. I’d be curious what other experts you specifically refer to here, since you did not cite them by name or link to their work. The notion that “there’s no war, we’re not winning or losing” is very binary. One of the challenges of defining Cyberwar is all of the new elements that are involved, that weren’t for a classical definition of war. Computers, networks, autonomous software, and several other factors are the cause of contention for this debate; as they tend to muck up any clear definitions. I think that one could also easily argue that in war, both past and theoretical, it is possible to be involved in one with neither side having a winner.
Special thanks to Scot Terban, aka @Krypt3ia, for contributing to this piece and pointing out the Tallinn Manual.
I too am very thankful to Scot, not only for our discussions, but for pointing out this resource to you. I shudder to think of what you would have published without reading that or having someone challenge your notions of Cyberwar.
 The full title is the “Tallinn Manual on The International Law Applicable to Cyber Warfare”. Based on a search, the term “cyberwar” does not appear in it. Rather, they outline the points that make up “cyber warfare”, and use the term “cyber attack” to cover the action of attacking another in this domain. I say domain because one of Corman and my arguments was that Cyberwar is simply a domain of the conventional ‘war’. Slides 41 – 47 cover the aspect of defining war, generations of war, aspects of war, and domains. We posit that Cyberwar is a domain based on evidence, and/or can be consider in the context of the ‘Cold War’, where espionage was king. Interconnected networks certainly make it a prime space for espionage activity. As with many topics, I cannot cover all of my thoughts and arguments in a single blog post. Instead, watch our presentation from BruCON, along with Ed Skoudis’ from the same conference. There is at least one truth to this topic; it is not black and white, it is heavily debated in many circles.