Red Hot Cyber
Cybersecurity is about sharing.
Recognize the risk, combat it, share your experiences,
and encourage others to do better than you.
Menu
Redazione RHC : 30 March 2023 17:06
Summary: 1. The cyber aggression on Albania.- 2. A legal analysis of cyber aggression.- 3. The problem of cyber malicious activities attribution.- 4. The role of private security companies in attribution: performing government-like tasks? – 5. Concluding remarks.
There has been a great talking about the Islamic Republic of Iran during last years, starting from the stall of the nuclear deal, till the terrible and bloody repression of Iranian people protesting the Ayatollahs’ regime. But few are the comments on the Iranian responsibility for the cyber-State attacks against Albania, a North Atlantic Treaty Organization (NATO) country.
The destructive cyber-attacks, launched on the 15th of July 2022 and in September 2022, were claimed on Telegram by two of the four groups of cyber criminals, HomeLand Justice and APT42, presumably acting from the Islamic Republic of Iran. They cyberattacked Albanian government digital services and websites to disrupt, destroy, and leak government data. Their aim was to extract intelligence data, steal intellectual property, and imped military activities, as reported in the NATO statement of 8th September 2022. Therefore, NATO and Albanian Government did not exclude “a possible collective response” towards Iran, applying Article 5 of the NATO Treaty on collective self-defense.
The digital forensic activity to attribute these attacks was conducted by Albania with the US Federal Bureau of Investigation (FBI), the US Cybersecurity and Infrastructure Security Agency (CISA), and two of the biggest private security companies, Mandiant and Microsoft. The latter affirmed with a “moderate confidence” that the attackers were acting in support of Tehran’s anti-dissident efforts because APT42 is an Iranian State-sponsored cyber group pursuing the Iranian governmental interests.
Probably, the reason of Iranian cyber-attacks can be traced in the presence in Albania of 3,000 members of the opposition People’s Mujahedeen of Iran (Mujahedeen-e-Khalq, MEK), which are hosted at the request of US Government and of the United Nations (UN). Teheran considers MEK a terrorist organization that, before the cyber-attacks, was planning to hold in Albania the ‘Free Iran World Summit’. The event was cancelled because of the cyber-attacks.
The latter have been defined by the Albanian Prime Minister, Mr. Edi Rama, a State cyber aggression orchestrated and sponsored by Iran through the engagement of cyber groups. Shocked by the stir of chaos and of insecurity in the country, the Albanian Government declared the Iranian embassy personnel persona non grata, obliging them to leave immediately the country. For the White House spokesman these attacks “set(s) a troubling precedent for cyberspace”.
The Albanian case highlights the importance of cybersecurity as a new paradigm of national and international security in the wider threat landscape of malicious activities conducted in cyberspace by States also through non-State actors. For instance, in May 2022 Costa Rica was the target of a massive ransomware of the Russian cybergang Conti. The Government had to declare the state of emergency because the criminal hackers accessed many government agencies working for essential services, plunging the country into chaos. Moreover, Member States of the European Union (EU), and especially Italy, have been targeted by cyber-criminal groups, probably acting from Russia. Hence, the decision of EU to develop the European Cyber Defense Policy to be better prepared for and respond to cyberattacks.
Specifically, criminal cyber gangs seem to have dual motivations: criminal motivation derived by economic profit and political motivations following the interests of States tolerating and sponsoring their malicious actions, despite their role of guarantors of the respect for international law.
Moreover, digital intrusion and disruption has become part of modern warfare, as demonstrated by the Russian Federation launch of massive cyberattacks against Ukrainian strategic infrastructures, short before the physical attack of February 2022. The same happened in 2014 during the Crimean war and, going back in time, in 2008 against Georgia and in 2007 against Estonia, only to cite a few.
These attacks pose urgent complex questions that will briefly be analyzed in this paper and be widely exposed in the next future. The questions deal with: the cyber operations State-sponsored that may be categorize as an aggression; the problems of digital forensic in the process of attribution of these operations; the quasi-governmental role played in technical attribution by the high-tech companies and the need for an international investigation framework respectful of public law values.
The debate whether the Albanian cyber-attack effectively consist of a State aggression (as defined by Albanian Prime Minister) should starts facing the longstanding lack of the notion of cyber-attack under Article 2(4) of the UN Charter. This norm prohibits the threat and the use of armed force against the territorial integrity or political independence of any State, or in any other manner inconsistent with the purposes of the UN.
The question is in which case a State-sponsored cyber operation may amount to this legal threshold and, more in depth, whether it is necessary that the attack brings injuries and physical damages, or whether it is sufficient the total or partial destruction or disruption of public and private Information and Communication Technology (ICT) systems.
It is well known that cyber operations that harm, in a tangible or intangible way, software, hardware, or data can significantly damage and impact government systems, financial services, and Critical Infrastructures services such as electricity, water, food and medicine supply, medical services or transportation and security systems.
There is no international convention directly addressing computer networks attacks or referring to the use of ICTs in the context of international security, because these legal provisions are designed for conventional weapons of kinetic nature. Indeed, Critical Infrastructures (like electric and nuclear power plants, railways, airports) have been defined dual use targets whose destruction can indirectly cause injury to human beings and material damages, as the Stuxnet operation showed. They might also have cascading domestic, regional, and global effects of a great magnitude that are comparable to kinetic attacks, including the risk of violent escalation in cyberspace and can threaten international peace and security.
The problem is the lack of an international convention directly addressing computer networks attacks or referring to the use of ICTs in the context of international security, because the existing international treaties are designed only for conventional weapons of kinetic nature.
To fill this gap the UN Group of Governmental Experts in the field of Information and Telecommunications in the Context of International Security (UNGGE) and the UN Open-ended Working Group on Developments (OEWG) in their reports (2013, 2015 and 2021) recognize the applicability of international law principles and norms to State activities in cyber space, including the principle of the prohibition of the threat and the use of force. Moreover, the OEWG last Report was negotiated and endorsed by all UN States Members, giving a clear sign of the universal commitment to the UN Charter principles.
Both UN Groups propose voluntary, non-binding normative framework of responsible State behavior based on the ‘due diligence principle’ to strengthen international peace and security through building trust, confidence, and mutual international assurance in cyberspace. Also, the EU, in its strategy for a cybersecure digital transformation in a complex threat environment, has adhered to the UN norms and principles of responsible State behavior. Specifically, on this topic, a group of prominent scholars affirm that “in the cyber context, it is not the instrument of used to determines whether the use of force threshold has been crossed”, but rather “its scales and effects” as far as it is comparable to a non-cyber operation raising the level of a use of force” (Rule 69 of Tallinn Manual 2.0 on international law applicable to cyber operation). This rule follows the Nicaragua judgment of the International Court of Justice on the ‘scale and effects’ paradigm, that is helpful to distinguish acts that qualify as use of force from those that do not.
Therefore, the ‘Nicaragua approach’ can be applied in case where a State is arming (with malware) and training (for cyber operations) a group that is fighting against another State. In this case the supply and training should enable the group to conduct cyber operations that amount to the use of force, although it is very difficult to prove it for criminals in cyber space, also due to the invisible nature of cyber weapons.
In sum, it generally requires some degree of damage to physical objects or injury to human beings, but there is no common view among States. For instance, France, in its declaration on ‘International Law Applied to Operations in Cyberspace’ of 2019, affirms that it “does not rule out the possibility that a cyber operation without physical effects may also be characterized as a use of force. In the absence of physical damage, a cyber operation may be deemed a use of force against the yardstick of several criteria, including the circumstances prevailing at the time of the operation, such as the origin of the operation and the nature of the instigator (military or not), the extent of intrusion, the actual or intended effects of the operation or the nature of the intended target” .
On this topic it is useful to remember the advisory opinion of the International Court of Justice on Legality of the threat or use of nuclear weapons which stated that the prohibition of the use of force applies “regardless of the weapons employed”, and it is undeniable that computer viruses are cyber weapons.
Moreover, States hold the sovereign right to decide, on individual basis, whether they have been subjected to an armed attack that, depending on the extent of its intrusion and its effects, may violate the principles of sovereignty, of non-intervention or even the prohibition of the threat or the use of force.
In the light of what has been said up to now, and based on the technical attribution reported, it can be assumed that Albania has been target by a politically motivated cyberattacks, probably sponsored by Iran, that can be compared to an armed attack but that did not reach the threshold of an aggression. This position can be confirmed by the U.S. Cyber Command, operating with the Albanian Government, that reported that “a significant cyberattack” targeted Albania in 2022.
A similar problem was faced by Estonia in 2007 during the first suspected incident of a State-sponsored cyberattacks. It was conducted by a Kremlin-affiliated hacker group (Killnet) and it disrupted the vital computer systems of Estonia, caused a loss quantified at twenty-seven to forty million US dollars but did not create any physical damage, death, and destruction. The Estonian Prime Minister claimed the ‘heavy attack’ of the sovereign State, but he did not blame the Russian authorities directly, he just published a series of IP addresses originating from Russia. This attack was defined a cyber malicious operation politically motivated.
Indeed, despite the exponential increase of this type of attacks, actually there is no practical cases of a State aggression attributable to governmental ICT services disruption and to digital data destruction. For OEWG “cyber operations are a reality of today’s armed conflicts, and their use is likely to continue to grow in the future”. The problem is twofold: many States are developing ICT capabilities for military purposes and have formed active-duty cyber forces within their military structures and some non-State actors “have used military cyber capabilities in the context of contemporary armed conflicts, at times as stand-alone operations, at times in co-ordination with kinetic operations”.
These types of malicious operations and the cyberwar in Ukraine by Russia demonstrate their capacity to initiate a kinetic conflict (or to develop parallel to it) and the importance of the respect of the principle of due diligence in cyber space.
The State targeted by cyberattacks can act in self-defense in accordance with Article 51 of the UN Charter and international law. Self-defense can be realized using three options: either it recurs to the military force, or to cyberweapons or to both launching a hybrid attack.
Lastly, in case of cyber malicious operation politically motivated, launched directly or through cyber criminals, the targeted State can act through diplomatic responses and countermeasures depending on the extent of the attack.
Actually, we observe also a new activity in cyberspace called ‘hunting forward’. It is a defensive cyber operation conducted by a team of cyber operators from the U.S. Cyber Command in partnership with the State victim of cyberattacks. In cybersecurity the operation called ‘hunting forward’ is “a proactive cyber defense activity, to observe and mitigate threats that are undetected on a network or system” in which the “HFO [hunting forward operation] teams do not mitigate threats on partner networks, but they enable their counterparts to pursue and address the threats found”. The question now is if it is a new type of ‘anticipatory self-defense’ in cyberspace especially in case it is activated against a State. It is worth noting that in the physical world States cannot act in preemptive self-defense because it is forbidden by international law.
The second issue to be examined in the Albanian cyberattacks deals with the tricky problem of their attribution because of the difficulty to understand quickly and accurately who launched and directed them. This process is essential because it forms the basis of legal determinations, and it underpins the international responsibility of its perpetrator. Without attribution there is no possibility to declare the perpetrator accountable.
Attribution is articulated in three distinct and intertwined aspects: factual or technical, legal, and political. Technical attribution is the process of forensic investigation of a malicious incident to origins it to a platform and to associate its tooling and infrastructure. The legal attribution is the determination of the author based on legal criteria to ascribe its legal consequences. Lastly, the political attribution is the task of the executive branch of the government, or of political institutions in general, to publicly declare the perpetrator, i.e., “naming-and-shaming”.
In cyberspace attribution is challenging because of the almost complete anonymity of the actor, of the multi-stage nature of cyberattacks, and of the indiscriminate and invisible nature of cyber tools. Attribution requires specific human and technical resources, lengthy time scales, and associated investigatory to avoid misattribution. It is worth noting that misattribution facilitate an escalatory reaction to an ICT incident, especially in case of ‘false flag’, and it can threaten international peace and security.
In the absence of international mandatory norms on State’ cyber activities, UNGGE and OEWG affirmed that international responsibility under customary international law is extended to the State’s use of ICTs. It means that it can be acknowledged responsibility for committing a malicious cyber operation directly or indirectly. In the last case State responsibility requires i) the use of proxies that act following its instruction or that are under its control (de facto agents), or ii) that the State acknowledged their act as its own, in accordance with Article 8, on the “Conduct directed or controlled by a State”, of the UN Draft of ‘Articles on Responsibility of States for Internationally Wrongful Acts’. As cited in the Nicaragua judgment, the legal standard for attribution requests an effective control of the State on group or individual committing (cyber) attacks that is very difficult to be proved in cyberspace.
The difficulty is due to the invisible nature of cyber weapons and to the vast array of tools that cyber criminals can use to conceal and disguise them and to impersonate other computing systems (IP spoofing) and to anonymize communication through layers of encryption (onion routing).
In case of impossibility to attribute online disruptions for technical and legal reasons to a State, a useful solution is to consider the violation of the ‘principle of due diligence’ in cyberspace. It imposes to the State i) to ensure that its territory and ICTs systems are not used by non-State actor for acts contrary to international, and ii) to take all necessary measures to prevent the attack and the causing of significant harm.
Although States have divergent positions on whether the principle of ‘due diligence’ is a voluntary norm or a principle of international law imposing obligations, the International Court of Justice in the Corfu Channel decision affirmed clearly that States are obliged to make their best efforts to prevent use of their territory, and of areas on which they exercise jurisdiction, of which they are aware or should have been aware, that causes, or may cause, significant harm to another State.
However, it is important to bear in mind that it is quite difficult to collect digital evidence to prove that a cyberattack originated in a specific place, from a specific hardware, via a specific IP address executing a State order, due to the anonymity permitted by cyberspace and because of the absence of evidentiary international standards and rules.
All these critical issues limit the forensic capabilities, as clearly demonstrated in the Albanian case, where the technical evidence to declare ‘Iranian State sponsorship’ for the malicious use of ITCs by cybercriminals seems quite limited from the legal perspective, probably also due to security reasons.
Specifically, Microsoft declared “with high confidence” the Iranian responsibility based on evidence referring to the use of similar cyber tools by other cyber-Iranian criminals. For instance, the digital evidence “includes but is not limited to […] tools previously used by other known Iranian attackers”; it referred generally i) to targets consistent “with Iranian interests”, ii) to the use of wiper code that was previously used by a known Iranian actor, and iii) to the use of “the same digital certificate used to sign other tools used by Iranian actors” (italics added). Lastly “[T]he messaging, timing, and target selection of the cyberattacks bolstered [our] confidence that the attackers were acting on behalf of the Iranian government”.
Similarly, Mandiant “estimate(s) with moderate confidence that APT42 operates on behalf of the Islamic Revolutionary Guard Corps’ Intelligence Organization based on targeting patterns that align with the organization’s operational mandates and priorities, which includes defending the [Iranian] regime against internal and external threats”.
The use of the term ‘confidence’ by the two private security companies in the technical attribution confirm the legal difficulties in attribution that cannot constitute a discretionary act. It is undeniable that to support a claim that a State has acted wrongfully, also for acts committed by non-State actor under its jurisdiction, legally requires credible evidence based on reliable factual elements, supplemented by circumstantial evidence and multiple sources.
Based on what has been said so far (and on open-source information) it is assumed that the Albanian cyber-attack was politically motivated and can be attributed to Iran for the lack of diligence for acts committed in its cyberspace, if not for its sponsorship.
The third issue in the Albanian case deals with the role of the two high-tech companies in the process of attribution. It shows the creation of a de facto system of ‘public-private relationships’ that on one side is necessary for the forensic analysis, because actually only high-tech private security companies possess the technologies to investigate that are needed by governments. On the other hand, this informal and complicated system of public-private relationships, that is characterized by the outsourcing of governmental functions to private actors, can undermine public law values, such as accountability, transparency, and fairness in the attribution procedure, whose respect is not legally required. These are public constraints that are usually applied to national intelligence systems, and from which are exempted private actors when they are performing de facto a quasi-government role on key cybersecurity issues.
The outcome is that they play the role of private-intelligence partnership without being held accountable of eventual mistake during the digital forensic activity. Hence, one should question about the legitimacy of private parties performing government-like actions, especially when discretionary policy choices can lead to misattribution especially in case of ‘false flag’, that is an operation designed to deflect attribution to an uninvolved party. Hence, we express the need of legal tools for remediation also in case of abuse of power.
These complexities require solutions to safeguard public law values and to secure privacy: a solution that can be enhanced realizing digital autonomy, although it requires time and great investments, and it is almost difficult to realize.
The complexity of the Albanian case reminds us of the universal relevance of sophisticated cyber threats and shows the urgent need to collectively address them and to develop evidentiary standards in international law. The lack of an international binding legal framework of responsible States’ behavior in cyberspace results in a grey area that some States exploit being aware that the target States are uncertain about how they could react under international law. In the next future there might be a change in the legal doctrine of jus ad bellum by States to face the shift from a kinetic battlefield to a cyber one also using cybercriminals.
Therefore, it is urgent a regulatory response at the international level by the OEWG, that has always been cautious because of the different States approaches on the topic. In the meantime, some solutions can be proposed to face technical, legal, and political complexities of the process of attribution assuming its pivotal role in the determination of international responsibility.
Specifically, States should avoid unilateral actions in case of cyberattacks that may escalate and endanger ‘international cyber peace and security’ and they should settle their disputes by peaceful means through consultation. To this end it will be useful that the UN and/or international regional organizations will: i) categorize cyberattacks and incidents that may amount to an aggression to differentiate them with other less grave, ii) institutionalize an international attribution mechanism, iii) introduce an ad hoc and common evidentiary regime with protocols for collecting and analyzing evidence, including the reversal of the burden of proof, and iv) standardize the methods of investigations to reduce concerns over the integrity of evidence.
These proposals can positively change the process of attribution because they aim to centralize this process at an international level; to limit the quasi-governmental role of private security companies and contribute to the creation of international investigation framework respectful of the principles of transparency and fairness.
Concluding, the Albanian case has been a wake-up call for the likely aggressive Iranian posture in cyberspace, also outside Middle East, but we must all be aware that cyber weapons race (by State and non-State actors) is a reality, and that international peace and security may be in danger also in cyberspace.
Redazione